Iterator iter = emails.iterator();
while (iter.hasNext()) {
    // rfc822Name [1] IA5String (tag numbers follow the GeneralName CHOICE documented on getGeneralNameString)
    GeneralName gn = new GeneralName(1, new DERIA5String((String)iter.next()));
    vec.add(gn);
}
}
// dNSName [2] IA5String
ArrayList dns = CertTools.getPartsFromDN(altName, CertTools.DNS);
if (!dns.isEmpty()) {
    Iterator iter = dns.iterator();
    while (iter.hasNext()) {
        GeneralName gn = new GeneralName(2, new DERIA5String((String)iter.next()));
        vec.add(gn);
    }
}
// directoryName [4] Name; only added when the helper finds a directory name in altName
String directoryName = getDirectoryStringFromAltName(altName);
if (directoryName != null) {
    X509Name x509DirectoryName = new X509Name(directoryName);
    GeneralName gn = new GeneralName(4, x509DirectoryName);
    vec.add(gn);
}
// uniformResourceIdentifier [6] IA5String. Three key spellings (URI, URI1, URI2) are
// accepted from altName and all map to the same GeneralName tag.
ArrayList uri = CertTools.getPartsFromDN(altName, CertTools.URI);
if (!uri.isEmpty()) {
    Iterator iter = uri.iterator();
    while (iter.hasNext()) {
        GeneralName gn = new GeneralName(6, new DERIA5String((String)iter.next()));
        vec.add(gn);
    }
}
uri = CertTools.getPartsFromDN(altName, CertTools.URI1);
if (!uri.isEmpty()) {
    Iterator iter = uri.iterator();
    while (iter.hasNext()) {
        GeneralName gn = new GeneralName(6, new DERIA5String((String)iter.next()));
        vec.add(gn);
    }
}
uri = CertTools.getPartsFromDN(altName, CertTools.URI2);
if (!uri.isEmpty()) {
    Iterator iter = uri.iterator();
    while (iter.hasNext()) {
        GeneralName gn = new GeneralName(6, new DERIA5String((String)iter.next()));
        vec.add(gn);
    }
}
// iPAddress [7] OCTET STRING: the textual address is converted to raw octets by StringTools
ArrayList ipstr = CertTools.getPartsFromDN(altName, CertTools.IPADDR);
if (!ipstr.isEmpty()) {
    Iterator iter = ipstr.iterator();
    while (iter.hasNext()) {
        byte[] ipoctets = StringTools.ipStringToOctets((String)iter.next());
        GeneralName gn = new GeneralName(7, new DEROctetString(ipoctets));
        vec.add(gn);
    }
}
// UPN is an OtherName
// otherName [0] OtherName, where OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }.
// The inner DERTaggedObject(true, 0, ...) is the explicit [0] around the UTF8 value; the outer
// DERTaggedObject(false, 0, ...) is the implicit [0] GeneralName tag.
ArrayList upn = CertTools.getPartsFromDN(altName, CertTools.UPN);
if (!upn.isEmpty()) {
    Iterator iter = upn.iterator();
    while (iter.hasNext()) {
        ASN1EncodableVector v = new ASN1EncodableVector();
        v.add(new DERObjectIdentifier(CertTools.UPN_OBJECTID));
        v.add(new DERTaggedObject(true, 0, new DERUTF8String((String)iter.next())));
        //GeneralName gn = new GeneralName(new DERSequence(v), 0);
        DERObject gn = new DERTaggedObject(false, 0, new DERSequence(v));
        vec.add(gn);
    }
}
// GUID is also an OtherName; the value is carried as an OCTET STRING of the hex-decoded bytes
ArrayList guid = CertTools.getPartsFromDN(altName, CertTools.GUID);
if (!guid.isEmpty()) {
    Iterator iter = guid.iterator();
    while (iter.hasNext()) {
        ASN1EncodableVector v = new ASN1EncodableVector();
        byte[] guidbytes = Hex.decode((String)iter.next());
        if (guidbytes != null) {
            v.add(new DERObjectIdentifier(CertTools.GUID_OBJECTID));
            v.add(new DERTaggedObject(true, 0, new DEROctetString(guidbytes)));
            DERObject gn = new DERTaggedObject(false, 0, new DERSequence(v));
            vec.add(gn);
        } else {
            // NOTE(review): this logs the whole 'guid' list rather than the element that failed,
            // and depending on the Bouncy Castle version Hex.decode may throw on malformed input
            // instead of returning null, which would bypass this branch -- confirm
            log.error("Cannot decode hexadecimal guid: "+guid);
        }
    }
}
// To support custom OIDs in altNames, they must be added as an OtherName
// Each custom OID value is wrapped as UTF8String inside the explicit [0] of the OtherName.
ArrayList customoids = CertTools.getCustomOids(altName);
if (!customoids.isEmpty()) {
    Iterator iter = customoids.iterator();
    while (iter.hasNext()) {
        String oid = (String)iter.next();
        ArrayList oidval = CertTools.getPartsFromDN(altName, oid);
        if (!oidval.isEmpty()) {
            Iterator valiter = oidval.iterator();
            while (valiter.hasNext()) {
                ASN1EncodableVector v = new ASN1EncodableVector();
                v.add(new DERObjectIdentifier(oid));
                v.add(new DERTaggedObject(true, 0, new DERUTF8String((String)valiter.next())));
                DERObject gn = new DERTaggedObject(false, 0, new DERSequence(v));
                vec.add(gn);
            }
        }
    }
}
// null (not an empty GeneralNames) when altName produced no GeneralName at all
GeneralNames ret = null;
if (vec.size() > 0) {
    ret = new GeneralNames(new DERSequence(vec));
}
return ret;
}

/**
 * Renders a single GeneralName as a "key=value" string.
 *
 * GeneralName ::= CHOICE {
 *     otherName                 [0] OtherName,
 *     rfc822Name                [1] IA5String,
 *     dNSName                   [2] IA5String,
 *     x400Address               [3] ORAddress,
 *     directoryName             [4] Name,
 *     ediPartyName              [5] EDIPartyName,
 *     uniformResourceIdentifier [6] IA5String,
 *     iPAddress                 [7] OCTET STRING,
 *     registeredID              [8] OBJECT IDENTIFIER}
 *
 * Only tags 0 (UPN OtherName), 1, 2 and 6 are rendered. Note that directoryName [4] and
 * iPAddress [7] are produced by the GeneralNames builder above but are not rendered here.
 *
 * @param tag the tag number 0-8 of the GeneralName CHOICE
 * @param value the DEREncodable value as returned by GeneralName.getName()
 * @return String in form rfc822Name=&lt;email&gt; or uri=&lt;uri&gt; etc, or null for an
 *         unsupported tag (3, 4, 5, 7, unknown) or an OtherName that is not a UPN
 * @throws IOException if the OtherName value cannot be re-encoded and parsed
 * @see #getSubjectAlternativeName
 */
public static String getGeneralNameString(int tag, DEREncodable value) throws IOException {
    String ret = null;
    switch (tag) {
        case 0:
            // OtherName: re-encode to DER and parse back as a SEQUENCE before extracting the UPN
            ASN1Sequence seq = getAltnameSequence(value.getDERObject().getEncoded());
            String upn = getUPNStringFromSequence(seq);
            // OtherName can be something else besides UPN
            if (upn != null) {
                ret = CertTools.UPN+"="+upn;
            }
            break;
        case 1:
            ret = CertTools.EMAIL+"=" + DERIA5String.getInstance(value).getString();
            break;
        case 2:
            ret = CertTools.DNS+"=" + DERIA5String.getInstance(value).getString();
            break;
        case 3:
            // SubjectAltName of type x400Address not supported
            break;
        case 4:
            // SubjectAltName of type directoryName not supported
            break;
        case 5:
            // SubjectAltName of type ediPartyName not supported
            break;
        case 6:
            ret = CertTools.URI+"=" + DERIA5String.getInstance(value).getString();
            break;
        case 7:
            // SubjectAltName of type iPAddr not supported
            break;
        default:
            // SubjectAltName of unknown type
            break;
    }
    return ret;
}

/**
 * Check the certificate with CA certificate.
 *
 * Builds a PKIX certification path containing only {@code certificate} and validates it
 * against the first element of {@code caCertPath}, which is used as the trust anchor.
 * Any further elements of {@code caCertPath} are not added to the path. Revocation checking
 * is explicitly disabled, so CRL/OCSP status of the certificate must be checked separately
 * by the caller. The "BC" provider must be installed for the factory and validator lookups.
 *
 * @param certificate cert to verify
 * @param caCertPath collection of X509Certificate; element 0 becomes the trust anchor
 * @return true if verified OK; failure is reported by exception, so false is never returned
 * @throws Exception wrapping the validator's message if the path does not validate, or the
 *         message of any other error (e.g. an empty {@code caCertPath} or a missing provider)
 */
public static boolean verify(X509Certificate certificate, Collection caCertPath) throws Exception {
    try {
        ArrayList certlist = new ArrayList();
        // Create CertPath
        certlist.add(certificate);
        // Add other certs...
        CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
        java.security.cert.CertPath cp = cf.generateCertPath(certlist);
        // Create TrustAnchor. Since EJBCA use BouncyCastle provider, we assume
        // certificate already in correct order
        X509Certificate[] cac = (X509Certificate[]) caCertPath.toArray(new X509Certificate[] {});
        // cac[0] throws ArrayIndexOutOfBoundsException on an empty collection; it is caught
        // below and surfaces as "Error checking certificate chain"
        java.security.cert.TrustAnchor anchor = new java.security.cert.TrustAnchor(cac[0], null);
        // Set the PKIX parameters
        java.security.cert.PKIXParameters params = new java.security.cert.PKIXParameters(java.util.Collections.singleton(anchor));
        // No CRL/OCSP lookup is done here; revocation must be handled by the caller
        params.setRevocationEnabled(false);
        java.security.cert.CertPathValidator cpv = java.security.cert.CertPathValidator.getInstance("PKIX", "BC");
        java.security.cert.PKIXCertPathValidatorResult result = (java.security.cert.PKIXCertPathValidatorResult) cpv.validate(cp, params);
        log.debug("Certificate verify result: " + result.toString());
    } catch (java.security.cert.CertPathValidatorException cpve) {
        // Only the message is propagated; the original cause is dropped
        throw new Exception("Invalid certificate or certificate not issued by specified CA: " + cpve.getMessage());
    } catch (Exception e) {
        throw new Exception("Error checking certificate chain: " + e.getMessage());
    }
    return true;
}

/**
 * Return the CRL distribution point URL from a certificate.
 *
 * Walks the CRLDistributionPoints extension and returns the first distributionPoint [0]
 * (fullName) whose first GeneralName yields a string; nameRelativeToCRLIssuer [1] is ignored.
 *
 * @param certificate the certificate to read the extension from
 * @return the first CRL distribution point URL found, or null if the extension is absent or
 *         holds no fullName entry
 * @throws CertificateParsingException if the extension cannot be parsed or the string is not
 *         a valid URL (the underlying exception is logged and wrapped)
 */
public static URL getCrlDistributionPoint(X509Certificate certificate) throws CertificateParsingException {
    try {
        DERObject obj = getExtensionValue(certificate, X509Extensions.CRLDistributionPoints.getId());
        if (obj == null) {
            return null;
        }
        ASN1Sequence distributionPoints = (ASN1Sequence) obj;
        for (int i = 0; i < distributionPoints.size(); i++) {
            ASN1Sequence distrPoint = (ASN1Sequence) distributionPoints.getObjectAt(i);
            for (int j = 0; j < distrPoint.size(); j++) {
                ASN1TaggedObject tagged = (ASN1TaggedObject) distrPoint.getObjectAt(j);
                // tag 0 = distributionPoint (fullName); other DistributionPoint fields are skipped
                if (tagged.getTagNo() == 0) {
                    String url = getStringFromGeneralNames(tagged.getObject());
                    if (url != null) {
                        // The URL comes from the certificate itself; callers that fetch it
                        // should treat it as untrusted input. The GeneralName tag is not
                        // checked, so a non-URI name would be handed to the URL parser too.
                        return new URL(url);
                    }
                }
            }
        }
    } catch (Exception e) {
        log.error("Error parsing CrlDistributionPoint", e);
        throw new CertificateParsingException(e.toString());
    }
    return null;
}

/**
 * Returns the OCSP URL that is inside the AuthorityInformationAccess extension, or null.
 *
 * Only the first AccessDescription is examined: if it is not the OCSP access method, or its
 * location is not a uniformResourceIdentifier [6], null is returned even if a later
 * AccessDescription would have matched.
 *
 * @param cert the certificate to read the extension from
 * @return the OCSP responder URL as a string, or null if not present in the first entry
 * @throws CertificateParsingException if the extension cannot be parsed (logged and wrapped)
 */
public static String getAuthorityInformationAccessOcspUrl(X509Certificate cert) throws CertificateParsingException {
    try {
        DERObject obj = getExtensionValue(cert, X509Extensions.AuthorityInfoAccess.getId());
        if (obj == null) {
            return null;
        }
        AuthorityInformationAccess aia = AuthorityInformationAccess.getInstance(obj);
        AccessDescription[] ad = aia.getAccessDescriptions();
        if ( (ad == null) || (ad.length < 1) ) {
            return null;
        }
        if (!ad[0].getAccessMethod().equals(X509ObjectIdentifiers.ocspAccessMethod)) {
            return null;
        }
        GeneralName gn = ad[0].getAccessLocation();
        // 6 = uniformResourceIdentifier
        if (gn.getTagNo() != 6) {
            return null;
        }
        DERIA5String str = DERIA5String.getInstance(gn.getDERObject());
        return str.getString();
    } catch (Exception e) {
        log.error("Error parsing AuthorityInformationAccess", e);
        throw new CertificateParsingException(e.toString());
    }
}

/**
 * Return an Extension DERObject from a certificate.
 *
 * X509Certificate.getExtensionValue returns the DER encoding of the extension's OCTET STRING
 * wrapper, so the bytes are parsed twice: once to get the OCTET STRING and once to parse its
 * contents into the actual extension value.
 *
 * @param cert the certificate; null yields null
 * @param oid dotted OID of the extension
 * @return the decoded extension value, or null if cert is null or the extension is absent
 * @throws IOException if either ASN.1 parse fails
 */
protected static DERObject getExtensionValue(X509Certificate cert, String oid) throws IOException {
    if (cert == null) {
        return null;
    }
    byte[] bytes = cert.getExtensionValue(oid);
    if (bytes == null) {
        return null;
    }
    ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(bytes));
    ASN1OctetString octs = (ASN1OctetString) aIn.readObject();
    aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets()));
    return aIn.readObject();
} //getExtensionValue

/**
 * Extracts the first GeneralName of an implicitly tagged GeneralNames as a string.
 *
 * The first element is read as an implicit OCTET STRING without checking its GeneralName
 * tag, and its octets are turned into a String with the platform default charset.
 *
 * @param names the tagged GeneralNames object
 * @return the first name's octets as a String, or null if the sequence is empty
 */
private static String getStringFromGeneralNames(DERObject names) {
    ASN1Sequence namesSequence = ASN1Sequence.getInstance((ASN1TaggedObject)names, false);
    if (namesSequence.size() == 0) {
        return null;
    }
    DERTaggedObject taggedObject = (DERTaggedObject)namesSequence.getObjectAt(0);
    return new String(ASN1OctetString.getInstance(taggedObject, false).getOctets());
} //getStringFromGeneralNames

/**
 * Generate SHA1 fingerprint in string representation.
 *
 * @param ba Byte array containing DER encoded X509Certificate.
 *
 * @return String containing hex format of SHA1 fingerprint.
 */
public static String getCertFingerprintAsString(byte[] ba) {
    try {
        X509Certificate cert = getCertfromB