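/**
 * Gets subject or issuer DN in the format we are sure about (BouncyCastle), supporting UTF8.
 *
 * For X.509 the certificate is re-parsed through the BouncyCastle CertificateFactory so that the
 * DN string is always produced by the same implementation, and the result is then normalized by
 * stringToBCDNString. For CVC certificates a "fake" DN usable in EJBCA is built from the mnemonic
 * (CN) and country (C) of the holder or authority reference; the sequence is deliberately left
 * out since it is more of a serial number than a DN component.
 *
 * @param cert X509Certificate or CVC certificate, may be null
 * @param which 1 = subjectDN, anything else = issuerDN
 *
 * @return String containing the DN, or null if cert is null, of an unsupported type, or could
 *         not be parsed (the cause is logged).
 */
private static String getDN(Certificate cert, int which) {
    if (cert == null) {
        return null;
    }
    String ret = null;
    if (cert instanceof X509Certificate) {
        // cert.getType=X.509
        try {
            CertificateFactory cf = CertTools.getCertificateFactory();
            if (cf == null) {
                // getCertificateFactory logs the cause and returns null if the provider is not available
                log.error("No certificate factory available, can not get DN.");
                return null;
            }
            X509Certificate x509cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(cert.getEncoded()));
            // getSubjectDN()/getIssuerDN() give an implementation specific string, which is why the
            // certificate was re-parsed with the BC factory above
            String dn;
            if (which == 1) {
                dn = x509cert.getSubjectDN().toString();
            } else {
                dn = x509cert.getIssuerDN().toString();
            }
            ret = stringToBCDNString(dn);
        } catch (CertificateException ce) {
            log.error("CertificateException: ", ce);
            return null;
        }
    } else if (StringUtils.equals(cert.getType(), "CVC")) {
        CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert;
        try {
            ReferenceField rf;
            if (which == 1) {
                rf = cvccert.getCVCertificate().getCertificateBody().getHolderReference();
            } else {
                rf = cvccert.getCVCertificate().getCertificateBody().getAuthorityReference();
            }
            if (rf != null) {
                // Construct a "fake" DN which can be used in EJBCA
                // Use only mnemonic and country, since sequence is more of a serialnumber than a DN part
                StringBuilder dn = new StringBuilder();
                if (rf.getMnemonic() != null) {
                    dn.append("CN=").append(rf.getMnemonic());
                }
                if (rf.getCountry() != null) {
                    if (dn.length() > 0) {
                        dn.append(", ");
                    }
                    dn.append("C=").append(rf.getCountry());
                }
                ret = stringToBCDNString(dn.toString());
            }
        } catch (NoSuchFieldException e) {
            log.error("NoSuchFieldException: ", e);
            return null;
        }
    }
    return ret;
} // getDN

/**
 * Gets Serial number of the certificate.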
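*
* @param cert Certificate, must be an X509Certificate or a CVC certificate
*
* @return BigInteger containing the certificate serialNumber. Can be 0 for CVC certificates
*         with alphanumeric serialnumbers if the sequence does not contain any number
*         characters at all, is missing, or can not be parsed.
*
* @throws IllegalArgumentException if the certificate is of any other type
*/
public static BigInteger getSerialNumber(Certificate cert) {
    BigInteger ret = null;
    if (cert instanceof X509Certificate) {
        X509Certificate xcert = (X509Certificate) cert;
        ret = xcert.getSerialNumber();
    } else if (StringUtils.equals(cert.getType(), "CVC")) {
        // For CVC certificates the sequence field of the HolderReference is kind of a serial number,
        // but it can be alphanumeric which means it can not be made into a BigInteger
        CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert;
        try {
            String sequence = cvccert.getCVCertificate().getCertificateBody().getHolderReference().getSequence();
            try {
                if (sequence == null) {
                    // A missing sequence is treated like a sequence without any digits
                    log.error("getSerialNumber: Sequence is missing, returning 0.");
                    ret = BigInteger.ZERO;
                } else if (NumberUtils.isNumber(sequence)) {
                    ret = NumberUtils.createBigInteger(sequence);
                } else {
                    log.error("getSerialNumber: Sequence is not a numeric string, trying to get sequence part.");
                    // Keep only the ASCII digits of the sequence, in order, and use those as the serial number
                    StringBuilder digits = new StringBuilder();
                    for (int i = 0; i < sequence.length(); i++) {
                        char c = sequence.charAt(i);
                        if (CharUtils.isAsciiNumeric(c)) {
                            digits.append(c);
                        }
                    }
                    if (digits.length() > 0) {
                        ret = NumberUtils.createBigInteger(digits.toString());
                    } else {
                        log.error("getSerialNumber: Sequence does not contain a numeric string, returning 0.");
                        ret = BigInteger.ZERO;
                    }
                }
            } catch (NumberFormatException e) {
                // If we can't make the sequence into a serial number big integer, set it to 0
                log.error("getSerialNumber: NumberFormatException for sequence: " + sequence, e);
                ret = BigInteger.ZERO;
            }
        } catch (NoSuchFieldException e) {
            log.error("getSerialNumber: NoSuchFieldException: ", e);
            ret = BigInteger.ZERO;
        }
    } else {
        throw new IllegalArgumentException("getSerialNumber: Certificate of type " + cert.getType() + " is not implemented");
    }
    return ret;
}

/**
 * Gets Serial number of the certificate as a string.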
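* For X509 Certificate this means a HEX encoded BigInteger, and for CVC certificate it
* means the sequence field of the holder reference.
*
* @param cert Certificate, must be an X509Certificate or a CVC certificate
*
* @return String to be displayed; "N/A" for a CVC certificate whose holder reference is missing
*
* @throws IllegalArgumentException if the certificate is of any other type
*/
public static String getSerialNumberAsString(Certificate cert) {
    String ret = null;
    if (cert instanceof X509Certificate) {
        X509Certificate xcert = (X509Certificate) cert;
        // Upper case hex digits, no 0x prefix and no leading zeros
        ret = xcert.getSerialNumber().toString(16).toUpperCase();
    } else if (StringUtils.equals(cert.getType(), "CVC")) {
        // For CVC certificates the sequence field of the HolderReference is kind of a serial number,
        // but it can be alphanumeric which means it can not be made into a BigInteger
        CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert;
        try {
            ret = cvccert.getCVCertificate().getCertificateBody().getHolderReference().getSequence();
        } catch (NoSuchFieldException e) {
            log.error("getSerialNumberAsString: NoSuchFieldException: ", e);
            ret = "N/A";
        }
    } else {
        throw new IllegalArgumentException("getSerialNumberAsString: Certificate of type " + cert.getType() + " is not implemented");
    }
    return ret;
}

/**
 * Gets the signature value (the raw signature bits) from the certificate.
 * For an X509 certificate this is the ASN.1 definition which is:
 * signature BIT STRING
 *
 * @param cert Certificate, may be null
 *
 * @return byte[] containing the certificate signature bits; a byte[] of size 0 if cert is null,
 *         and null if the certificate is of an unsupported type or the CVC signature field is
 *         missing (the cause is logged).
 */
public static byte[] getSignature(Certificate cert) {
    if (cert == null) {
        return new byte[0];
    }
    byte[] ret = null;
    if (cert instanceof X509Certificate) {
        ret = ((X509Certificate) cert).getSignature();
    } else if (StringUtils.equals(cert.getType(), "CVC")) {
        CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert;
        try {
            ret = cvccert.getCVCertificate().getSignature();
        } catch (NoSuchFieldException e) {
            log.error("NoSuchFieldException: ", e);
            return null;
        }
    }
    return ret;
}

/**
 * Gets issuer DN for CRL in the format we are sure about (BouncyCastle), supporting UTF8.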
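*
* The CRL is re-parsed through the BouncyCastle CertificateFactory so the DN string always comes
* from the same implementation, and the result is normalized by stringToBCDNString.
*
* @param crl X509CRL
*
* @return String containing the DN, or null if the CRL could not be re-parsed (the cause is logged).
*/
public static String getIssuerDN(X509CRL crl) {
    String dn;
    try {
        CertificateFactory cf = CertTools.getCertificateFactory();
        if (cf == null) {
            // getCertificateFactory logs the cause and returns null if the provider is not available
            log.error("No certificate factory available, can not get issuer DN from CRL.");
            return null;
        }
        X509CRL x509crl = (X509CRL) cf.generateCRL(new ByteArrayInputStream(crl.getEncoded()));
        dn = x509crl.getIssuerDN().toString();
    } catch (CRLException ce) {
        log.error("CRLException: ", ce);
        return null;
    }
    return stringToBCDNString(dn);
} // getIssuerDN

/**
 * Gets the start of the validity period of the certificate.
 *
 * @param cert Certificate, X509Certificate or CVC certificate
 *
 * @return the notBefore date (validFrom for CVC), or null if the certificate is of another type
 *         or the CVC body has no such field.
 */
public static Date getNotBefore(Certificate cert) {
    Date ret = null;
    if (cert instanceof X509Certificate) {
        ret = ((X509Certificate) cert).getNotBefore();
    } else if (StringUtils.equals(cert.getType(), "CVC")) {
        CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert;
        try {
            ret = cvccert.getCVCertificate().getCertificateBody().getValidFrom();
        } catch (NoSuchFieldException e) {
            // it is not uncommon that this field is missing in CVC certificate requests (it's not in the EAC standard so)
            log.debug("NoSuchFieldException: " + e.getMessage());
            return null;
        }
    }
    return ret;
}

/**
 * Gets the end of the validity period of the certificate.
 *
 * @param cert Certificate, X509Certificate or CVC certificate
 *
 * @return the notAfter date (validTo for CVC), or null if the certificate is of another type
 *         or the CVC body has no such field.
 */
public static Date getNotAfter(Certificate cert) {
    Date ret = null;
    if (cert instanceof X509Certificate) {
        ret = ((X509Certificate) cert).getNotAfter();
    } else if (StringUtils.equals(cert.getType(), "CVC")) {
        CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert;
        try {
            ret = cvccert.getCVCertificate().getCertificateBody().getValidTo();
        } catch (NoSuchFieldException e) {
            // it is not uncommon that this field is missing in CVC certificate requests (it's not in the EAC standard so)
            log.debug("NoSuchFieldException: " + e.getMessage());
            return null;
        }
    }
    return ret;
}

/**
 * Gets an X.509 CertificateFactory from the given JCE provider.
 *
 * @param provider JCE provider name, null means BouncyCastle ("BC")
 *
 * @return the CertificateFactory, or null if the provider is not installed or does not support
 *         X.509 (the cause is logged). Callers must check for null.
 */
public static CertificateFactory getCertificateFactory(String provider) {
    String prov = (provider == null) ? "BC" : provider;
    try {
        return CertificateFactory.getInstance("X.509", prov);
    } catch (NoSuchProviderException nspe) {
        log.error("NoSuchProvider: ", nspe);
    } catch (CertificateException ce) {
        log.error("CertificateException: ", ce);
    }
    return null;
}

/**
 * Gets an X.509 CertificateFactory from the BouncyCastle provider.
 *
 * @return the CertificateFactory, or null if the BC provider is not installed (the cause is logged)
 */
public static CertificateFactory getCertificateFactory() {
    return getCertificateFactory("BC");
}

/**
 * Removes the BouncyCastle ("BC") and CVC security providers from the JVM.
 * Synchronized together with installBCProvider so provider (un)installation is not interleaved.
 */
public static synchronized void removeBCProvider() {
    Security.removeProvider("BC");
    // Also remove the CVC provider
    Security.removeProvider("CVC");
}

public static synchronized void installBCProvider() {
    // Also install the CVC provider
    try {
        Security.addProvider(new CVCProvider());
    } catch (Exception e) {
        log.info("CVC provider can not be installed, CVC certificate will not work: ", e);
    }
    // A flag that ensures that we install the parameters for implcitlyCA only when we have installed a new provider
    boolean installImplicitlyCA = false;
    if (Security.addProvider(new BouncyCastleProvider()) < 0) {
        // If already installed, remove so we can handle redeploy
        // Nope, we ignore re-deploy on this level, because it can happen
        // that the BC-provider is uninstalled, in just the second another
        // thread tries to use the provider, and then that request will fail.
        if (developmentProviderInstallation) {
            removeBCProvider();
            if (Security.addProvider(new BouncyCastleProvider()) < 0) {
                log.error("Cannot even install BC provider again!");
            } else {
                installImplicitlyCA = true;
            }
        }
    } else {
        installImplicitlyCA = true;
    }
    if (installImplicitlyCA) {
        // Install EC parameters for implicitlyCA encoding of EC keys, we have default curve parameters if no new ones have been given.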
// The parameters are only used if implicitlyCA is used for generating keys, or verifying certs checkImplicitParams(); ECCurve curve = new ECCurve.Fp( new BigInteger(IMPLICITLYCA_Q), // q new BigInteger(IMPLICITLYCA_A, 16), // a new BigInteger(IMPLICITLYCA_B, 16)); // b org.bouncycastle.jce.spec.ECParameterSpec implicitSpec = new org.bouncycastle.jce.spec.ECParameterSpec( curve, curve.decodePoint(Hex.decode(IMPLICITLYCA_G)), // G new BigInteger(IMPLICITLYCA_N)); // n ConfigurableProvider config = (ConfigurableProvider)Security.getProvider("BC"); if (config != null) { config.setParameter(ConfigurableProvider.EC_IMPLICITLY_CA, implicitSpec); } else { log.error("Can not get ConfigurableProvider, implicitlyCA EC parameters NOT set!"); } } // 2007-05-25 // Finally we must configure SERIALNUMBER behavior in BC >=1.36 to be the same