Java Code Examples for java.security.cert.X509Certificate#getCriticalExtensionOIDs()
The following examples show how to use
java.security.cert.X509Certificate#getCriticalExtensionOIDs() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: Signature.java From openjdk-jdk8u with GNU General Public License v2.0 | 6 votes |
|
private static PublicKey getPublicKeyFromCert(Certificate cert)
throws InvalidKeyException {
// If the certificate is of type X509Certificate,
// we should check whether it has a Key Usage
// extension marked as critical.
//if (cert instanceof java.security.cert.X509Certificate) {
if (cert instanceof X509Certificate) {
// Check whether the cert has a key usage extension
// marked as a critical extension.
// The OID for KeyUsage extension is 2.5.29.15.
X509Certificate c = (X509Certificate)cert;
Set<String> critSet = c.getCriticalExtensionOIDs();
if (critSet != null && !critSet.isEmpty()
&& critSet.contains("2.5.29.15")) {
boolean[] keyUsageInfo = c.getKeyUsage();
// keyUsageInfo[0] is for digitalSignature.
if ((keyUsageInfo != null) && (keyUsageInfo[0] == false))
throw new InvalidKeyException("Wrong key usage");
}
}
return cert.getPublicKey();
}
Example 2
| Source File: Signature.java From Bytecoder with Apache License 2.0 | 6 votes |
|
private static PublicKey getPublicKeyFromCert(Certificate cert)
throws InvalidKeyException {
// If the certificate is of type X509Certificate,
// we should check whether it has a Key Usage
// extension marked as critical.
//if (cert instanceof java.security.cert.X509Certificate) {
if (cert instanceof X509Certificate) {
// Check whether the cert has a key usage extension
// marked as a critical extension.
// The OID for KeyUsage extension is 2.5.29.15.
X509Certificate c = (X509Certificate)cert;
Set<String> critSet = c.getCriticalExtensionOIDs();
if (critSet != null && !critSet.isEmpty()
&& critSet.contains("2.5.29.15")) {
boolean[] keyUsageInfo = c.getKeyUsage();
// keyUsageInfo[0] is for digitalSignature.
if ((keyUsageInfo != null) && (keyUsageInfo[0] == false))
throw new InvalidKeyException("Wrong key usage");
}
}
return cert.getPublicKey();
}
Example 3
| Source File: Signature.java From jdk8u_jdk with GNU General Public License v2.0 | 6 votes |
|
private static PublicKey getPublicKeyFromCert(Certificate cert)
throws InvalidKeyException {
// If the certificate is of type X509Certificate,
// we should check whether it has a Key Usage
// extension marked as critical.
//if (cert instanceof java.security.cert.X509Certificate) {
if (cert instanceof X509Certificate) {
// Check whether the cert has a key usage extension
// marked as a critical extension.
// The OID for KeyUsage extension is 2.5.29.15.
X509Certificate c = (X509Certificate)cert;
Set<String> critSet = c.getCriticalExtensionOIDs();
if (critSet != null && !critSet.isEmpty()
&& critSet.contains("2.5.29.15")) {
boolean[] keyUsageInfo = c.getKeyUsage();
// keyUsageInfo[0] is for digitalSignature.
if ((keyUsageInfo != null) && (keyUsageInfo[0] == false))
throw new InvalidKeyException("Wrong key usage");
}
}
return cert.getPublicKey();
}
Example 4
| Source File: X509CredentialsAuthenticationHandler.java From springboot-shiro-cas-mybatis with MIT License | 5 votes |
|
/**
* Checks if critical extension oids contain the extension oid.
*
* @param certificate the certificate
* @param extensionOid the extension oid
* @return true, if critical
*/
private boolean isCritical(final X509Certificate certificate, final String extensionOid) {
final Set<String> criticalOids = certificate.getCriticalExtensionOIDs();
if (criticalOids == null || criticalOids.isEmpty()) {
return false;
}
return criticalOids.contains(extensionOid);
}
Example 5
| Source File: X509CredentialsAuthenticationHandler.java From cas4.0.x-server-wechat with Apache License 2.0 | 5 votes |
|
private boolean isCritical(final X509Certificate certificate, final String extensionOid) {
final Set<String> criticalOids = certificate.getCriticalExtensionOIDs();
if (criticalOids == null || criticalOids.isEmpty()) {
return false;
}
return criticalOids.contains(extensionOid);
}
Example 6
| Source File: CertificateValidationUtil.java From opc-ua-stack with Apache License 2.0 | 5 votes |
|
public static void validateApplicationCertificateUsage(X509Certificate certificate) throws UaException {
Set<String> criticalExtensions = certificate.getCriticalExtensionOIDs();
if (criticalExtensions == null) criticalExtensions = new HashSet<>();
if (criticalExtensions.contains(KEY_USAGE_OID)) {
boolean[] keyUsage = certificate.getKeyUsage();
boolean digitalSignature = keyUsage[0];
boolean nonRepudiation = keyUsage[1];
boolean keyEncipherment = keyUsage[2];
boolean dataEncipherment = keyUsage[3];
if (!digitalSignature) {
throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed,
"required KeyUsage 'digitalSignature' not found");
}
if (!nonRepudiation) {
throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed,
"required KeyUsage 'nonRepudiation' not found");
}
if (!keyEncipherment) {
throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed,
"required KeyUsage 'keyEncipherment' not found");
}
if (!dataEncipherment) {
throw new UaException(StatusCodes.Bad_CertificateUseNotAllowed,
"required KeyUsage 'dataEncipherment' not found");
}
}
}
Example 7
| Source File: PKIXMasterCertPathValidator.java From openjdk-8-source with GNU General Public License v2.0 | 4 votes |
|
/**
* Validates a certification path consisting exclusively of
* <code>X509Certificate</code>s using the specified
* <code>PKIXCertPathChecker</code>s. It is assumed that the
* <code>PKIXCertPathChecker</code>s
* have been initialized with any input parameters they may need.
*
* @param cpOriginal the original X509 CertPath passed in by the user
* @param reversedCertList the reversed X509 CertPath (as a List)
* @param certPathCheckers the PKIXCertPathCheckers
* @throws CertPathValidatorException if cert path does not validate
*/
static void validate(CertPath cpOriginal,
List<X509Certificate> reversedCertList,
List<PKIXCertPathChecker> certPathCheckers)
throws CertPathValidatorException
{
// we actually process reversedCertList, but we keep cpOriginal because
// we need to return the original certPath when we throw an exception.
// we will also need to modify the index appropriately when we
// throw an exception.
int cpSize = reversedCertList.size();
if (debug != null) {
debug.println("--------------------------------------------------"
+ "------------");
debug.println("Executing PKIX certification path validation "
+ "algorithm.");
}
for (int i = 0; i < cpSize; i++) {
/* The basic loop algorithm is that we get the
* current certificate, we verify the current certificate using
* information from the previous certificate and from the state,
* and we modify the state for the next loop by setting the
* current certificate of this loop to be the previous certificate
* of the next loop. The state is initialized during first loop.
*/
if (debug != null)
debug.println("Checking cert" + (i+1) + " ...");
X509Certificate currCert = reversedCertList.get(i);
Set<String> unresCritExts = currCert.getCriticalExtensionOIDs();
if (unresCritExts == null) {
unresCritExts = Collections.<String>emptySet();
}
if (debug != null && !unresCritExts.isEmpty()) {
debug.println("Set of critical extensions:");
for (String oid : unresCritExts) {
debug.println(oid);
}
}
for (int j = 0; j < certPathCheckers.size(); j++) {
PKIXCertPathChecker currChecker = certPathCheckers.get(j);
if (debug != null) {
debug.println("-Using checker" + (j + 1) + " ... [" +
currChecker.getClass().getName() + "]");
}
if (i == 0)
currChecker.init(false);
try {
currChecker.check(currCert, unresCritExts);
if (debug != null) {
debug.println("-checker" + (j + 1) +
" validation succeeded");
}
} catch (CertPathValidatorException cpve) {
throw new CertPathValidatorException(cpve.getMessage(),
cpve.getCause(), cpOriginal, cpSize - (i + 1),
cpve.getReason());
}
}
if (!unresCritExts.isEmpty()) {
throw new CertPathValidatorException("unrecognized " +
"critical extension(s)", null, cpOriginal, cpSize-(i+1),
PKIXReason.UNRECOGNIZED_CRIT_EXT);
}
if (debug != null)
debug.println("\ncert" + (i+1) + " validation succeeded.\n");
}
if (debug != null) {
debug.println("Cert path validation succeeded. (PKIX validation "
+ "algorithm)");
debug.println("-------------------------------------------------"
+ "-------------");
}
}
Example 8
| Source File: CertificateInfo.java From certificate-transparency-java with Apache License 2.0 | 4 votes |
|
public static boolean isPreCertificate(Certificate certificate) {
X509Certificate x509PreCertificate = (X509Certificate) certificate;
return (x509PreCertificate.getCriticalExtensionOIDs() != null)
&& x509PreCertificate.getCriticalExtensionOIDs().contains(POISON_EXTENSION_OID);
}
Example 9
| Source File: PKIXMasterCertPathValidator.java From openjdk-8 with GNU General Public License v2.0 | 4 votes |
|
/**
* Validates a certification path consisting exclusively of
* <code>X509Certificate</code>s using the specified
* <code>PKIXCertPathChecker</code>s. It is assumed that the
* <code>PKIXCertPathChecker</code>s
* have been initialized with any input parameters they may need.
*
* @param cpOriginal the original X509 CertPath passed in by the user
* @param reversedCertList the reversed X509 CertPath (as a List)
* @param certPathCheckers the PKIXCertPathCheckers
* @throws CertPathValidatorException if cert path does not validate
*/
static void validate(CertPath cpOriginal,
List<X509Certificate> reversedCertList,
List<PKIXCertPathChecker> certPathCheckers)
throws CertPathValidatorException
{
// we actually process reversedCertList, but we keep cpOriginal because
// we need to return the original certPath when we throw an exception.
// we will also need to modify the index appropriately when we
// throw an exception.
int cpSize = reversedCertList.size();
if (debug != null) {
debug.println("--------------------------------------------------"
+ "------------");
debug.println("Executing PKIX certification path validation "
+ "algorithm.");
}
for (int i = 0; i < cpSize; i++) {
/* The basic loop algorithm is that we get the
* current certificate, we verify the current certificate using
* information from the previous certificate and from the state,
* and we modify the state for the next loop by setting the
* current certificate of this loop to be the previous certificate
* of the next loop. The state is initialized during first loop.
*/
if (debug != null)
debug.println("Checking cert" + (i+1) + " ...");
X509Certificate currCert = reversedCertList.get(i);
Set<String> unresCritExts = currCert.getCriticalExtensionOIDs();
if (unresCritExts == null) {
unresCritExts = Collections.<String>emptySet();
}
if (debug != null && !unresCritExts.isEmpty()) {
debug.println("Set of critical extensions:");
for (String oid : unresCritExts) {
debug.println(oid);
}
}
for (int j = 0; j < certPathCheckers.size(); j++) {
PKIXCertPathChecker currChecker = certPathCheckers.get(j);
if (debug != null) {
debug.println("-Using checker" + (j + 1) + " ... [" +
currChecker.getClass().getName() + "]");
}
if (i == 0)
currChecker.init(false);
try {
currChecker.check(currCert, unresCritExts);
if (debug != null) {
debug.println("-checker" + (j + 1) +
" validation succeeded");
}
} catch (CertPathValidatorException cpve) {
throw new CertPathValidatorException(cpve.getMessage(),
cpve.getCause(), cpOriginal, cpSize - (i + 1),
cpve.getReason());
}
}
if (!unresCritExts.isEmpty()) {
throw new CertPathValidatorException("unrecognized " +
"critical extension(s)", null, cpOriginal, cpSize-(i+1),
PKIXReason.UNRECOGNIZED_CRIT_EXT);
}
if (debug != null)
debug.println("\ncert" + (i+1) + " validation succeeded.\n");
}
if (debug != null) {
debug.println("Cert path validation succeeded. (PKIX validation "
+ "algorithm)");
debug.println("-------------------------------------------------"
+ "-------------");
}
}
