nl.open.jwtdependency.org.bouncycastle.x509.AttributeCertificateHolder Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of java-jwt-nodependencies Show documentation
Show all versions of java-jwt-nodependencies Show documentation
This is a drop in replacement for the auth0 java-jwt library (see https://github.com/auth0/java-jwt). This jar makes sure there are no external dependencies (e.g. fasterXml, Apacha Commons) needed. This is useful when deploying to an application server (e.g. tomcat with Alfreso or Pega).
The newest version!
package org.bouncycastle.x509;
import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.cert.CertSelector;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.Holder;
import org.bouncycastle.asn1.x509.IssuerSerial;
import org.bouncycastle.asn1.x509.ObjectDigestInfo;
import org.bouncycastle.jce.PrincipalUtil;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.Selector;
/**
* The Holder object.
*
*
* Holder ::= SEQUENCE {
* baseCertificateID [0] IssuerSerial OPTIONAL,
* -- the issuer and serial number of
* -- the holder's Public Key Certificate
* entityName [1] GeneralNames OPTIONAL,
* -- the name of the claimant or role
* objectDigestInfo [2] ObjectDigestInfo OPTIONAL
* -- used to directly authenticate the holder,
* -- for example, an executable
* }
*
* @deprecated use org.bouncycastle.cert.AttributeCertificateHolder
*/
public class AttributeCertificateHolder
implements CertSelector, Selector
{
final Holder holder;
AttributeCertificateHolder(ASN1Sequence seq)
{
holder = Holder.getInstance(seq);
}
public AttributeCertificateHolder(X509Principal issuerName,
BigInteger serialNumber)
{
holder = new org.bouncycastle.asn1.x509.Holder(new IssuerSerial(
GeneralNames.getInstance(new DERSequence(new GeneralName(issuerName))),
new ASN1Integer(serialNumber)));
}
public AttributeCertificateHolder(X500Principal issuerName,
BigInteger serialNumber)
{
this(X509Util.convertPrincipal(issuerName), serialNumber);
}
public AttributeCertificateHolder(X509Certificate cert)
throws CertificateParsingException
{
X509Principal name;
try
{
name = PrincipalUtil.getIssuerX509Principal(cert);
}
catch (Exception e)
{
throw new CertificateParsingException(e.getMessage());
}
holder = new Holder(new IssuerSerial(generateGeneralNames(name),
new ASN1Integer(cert.getSerialNumber())));
}
public AttributeCertificateHolder(X509Principal principal)
{
holder = new Holder(generateGeneralNames(principal));
}
public AttributeCertificateHolder(X500Principal principal)
{
this(X509Util.convertPrincipal(principal));
}
/**
* Constructs a holder for v2 attribute certificates with a hash value for
* some type of object.
*
* digestedObjectType can be one of the following:
*
* - 0 - publicKey - A hash of the public key of the holder must be
* passed.
*
- 1 - publicKeyCert - A hash of the public key certificate of the
* holder must be passed.
*
- 2 - otherObjectDigest - A hash of some other object type must be
* passed.
otherObjectTypeID must not be empty.
*
*
* This cannot be used if a v1 attribute certificate is used.
*
* @param digestedObjectType The digest object type.
* @param digestAlgorithm The algorithm identifier for the hash.
* @param otherObjectTypeID The object type ID if
* digestedObjectType is
* otherObjectDigest.
* @param objectDigest The hash value.
*/
public AttributeCertificateHolder(int digestedObjectType,
String digestAlgorithm, String otherObjectTypeID, byte[] objectDigest)
{
holder = new Holder(new ObjectDigestInfo(digestedObjectType,
new ASN1ObjectIdentifier(otherObjectTypeID), new AlgorithmIdentifier(new ASN1ObjectIdentifier(digestAlgorithm)), Arrays
.clone(objectDigest)));
}
/**
* Returns the digest object type if an object digest info is used.
*
*
* - 0 - publicKey - A hash of the public key of the holder must be
* passed.
*
- 1 - publicKeyCert - A hash of the public key certificate of the
* holder must be passed.
*
- 2 - otherObjectDigest - A hash of some other object type must be
* passed.
otherObjectTypeID must not be empty.
*
*
* @return The digest object type or -1 if no object digest info is set.
*/
public int getDigestedObjectType()
{
if (holder.getObjectDigestInfo() != null)
{
return holder.getObjectDigestInfo().getDigestedObjectType()
.getValue().intValue();
}
return -1;
}
/**
* Returns the other object type ID if an object digest info is used.
*
* @return The other object type ID or null if no object
* digest info is set.
*/
public String getDigestAlgorithm()
{
if (holder.getObjectDigestInfo() != null)
{
return holder.getObjectDigestInfo().getDigestAlgorithm().getAlgorithm()
.getId();
}
return null;
}
/**
* Returns the hash if an object digest info is used.
*
* @return The hash or null if no object digest info is set.
*/
public byte[] getObjectDigest()
{
if (holder.getObjectDigestInfo() != null)
{
return holder.getObjectDigestInfo().getObjectDigest().getBytes();
}
return null;
}
/**
* Returns the digest algorithm ID if an object digest info is used.
*
* @return The digest algorithm ID or null if no object
* digest info is set.
*/
public String getOtherObjectTypeID()
{
if (holder.getObjectDigestInfo() != null)
{
holder.getObjectDigestInfo().getOtherObjectTypeID().getId();
}
return null;
}
private GeneralNames generateGeneralNames(X509Principal principal)
{
return GeneralNames.getInstance(new DERSequence(new GeneralName(principal)));
}
private boolean matchesDN(X509Principal subject, GeneralNames targets)
{
GeneralName[] names = targets.getNames();
for (int i = 0; i != names.length; i++)
{
GeneralName gn = names[i];
if (gn.getTagNo() == GeneralName.directoryName)
{
try
{
if (new X509Principal(((ASN1Encodable)gn.getName()).toASN1Primitive()
.getEncoded()).equals(subject))
{
return true;
}
}
catch (IOException e)
{
}
}
}
return false;
}
private Object[] getNames(GeneralName[] names)
{
List l = new ArrayList(names.length);
for (int i = 0; i != names.length; i++)
{
if (names[i].getTagNo() == GeneralName.directoryName)
{
try
{
l.add(new X500Principal(
((ASN1Encodable)names[i].getName()).toASN1Primitive().getEncoded()));
}
catch (IOException e)
{
throw new RuntimeException("badly formed Name object");
}
}
}
return l.toArray(new Object[l.size()]);
}
private Principal[] getPrincipals(GeneralNames names)
{
Object[] p = this.getNames(names.getNames());
List l = new ArrayList();
for (int i = 0; i != p.length; i++)
{
if (p[i] instanceof Principal)
{
l.add(p[i]);
}
}
return (Principal[])l.toArray(new Principal[l.size()]);
}
/**
* Return any principal objects inside the attribute certificate holder
* entity names field.
*
* @return an array of Principal objects (usually X500Principal), null if no
* entity names field is set.
*/
public Principal[] getEntityNames()
{
if (holder.getEntityName() != null)
{
return getPrincipals(holder.getEntityName());
}
return null;
}
/**
* Return the principals associated with the issuer attached to this holder
*
* @return an array of principals, null if no BaseCertificateID is set.
*/
public Principal[] getIssuer()
{
if (holder.getBaseCertificateID() != null)
{
return getPrincipals(holder.getBaseCertificateID().getIssuer());
}
return null;
}
/**
* Return the serial number associated with the issuer attached to this
* holder.
*
* @return the certificate serial number, null if no BaseCertificateID is
* set.
*/
public BigInteger getSerialNumber()
{
if (holder.getBaseCertificateID() != null)
{
return holder.getBaseCertificateID().getSerial().getValue();
}
return null;
}
public Object clone()
{
return new AttributeCertificateHolder((ASN1Sequence)holder
.toASN1Primitive());
}
public boolean match(Certificate cert)
{
if (!(cert instanceof X509Certificate))
{
return false;
}
X509Certificate x509Cert = (X509Certificate)cert;
try
{
if (holder.getBaseCertificateID() != null)
{
return holder.getBaseCertificateID().getSerial().getValue().equals(x509Cert.getSerialNumber())
&& matchesDN(PrincipalUtil.getIssuerX509Principal(x509Cert), holder.getBaseCertificateID().getIssuer());
}
if (holder.getEntityName() != null)
{
if (matchesDN(PrincipalUtil.getSubjectX509Principal(x509Cert),
holder.getEntityName()))
{
return true;
}
}
if (holder.getObjectDigestInfo() != null)
{
MessageDigest md = null;
try
{
md = MessageDigest.getInstance(getDigestAlgorithm(), "BC");
}
catch (Exception e)
{
return false;
}
switch (getDigestedObjectType())
{
case ObjectDigestInfo.publicKey:
// TODO: DSA Dss-parms
md.update(cert.getPublicKey().getEncoded());
break;
case ObjectDigestInfo.publicKeyCert:
md.update(cert.getEncoded());
break;
}
if (!Arrays.areEqual(md.digest(), getObjectDigest()))
{
return false;
}
}
}
catch (CertificateEncodingException e)
{
return false;
}
return false;
}
public boolean equals(Object obj)
{
if (obj == this)
{
return true;
}
if (!(obj instanceof AttributeCertificateHolder))
{
return false;
}
AttributeCertificateHolder other = (AttributeCertificateHolder)obj;
return this.holder.equals(other.holder);
}
public int hashCode()
{
return this.holder.hashCode();
}
public boolean match(Object obj)
{
if (!(obj instanceof X509Certificate))
{
return false;
}
return match((Certificate)obj);
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy