/**
 * {@inheritDoc}
 *
 * <p>Three selectors for recipient certificates, in list order: a certificate that allows
 * keyEncipherment, one that allows dataEncipherment, and any CA certificate
 * (basicConstraints &gt;= 0). The first two set no basicConstraints, so they accept both
 * end-entity and CA certificates. NOTE(review): the third selector accepts any CA certificate
 * as a recipient — confirm that fallback is intended.
 */
protected Collection<X509CertSelector> getRecipientSelectors() {
    // KeyUsage bit positions (RFC 5280): 0 digitalSignature, 1 nonRepudiation,
    // 2 keyEncipherment, 3 dataEncipherment. A short array leaves the remaining bits unset.
    final boolean[] keyEnciphermentOnly = {false, false, true};
    final boolean[] dataEnciphermentOnly = {false, false, false, true};

    final X509CertSelector byKeyEncipherment = new X509CertSelector();
    byKeyEncipherment.setKeyUsage(keyEnciphermentOnly);

    final X509CertSelector byDataEncipherment = new X509CertSelector();
    byDataEncipherment.setKeyUsage(dataEnciphermentOnly);

    final X509CertSelector anyCa = new X509CertSelector();
    anyCa.setBasicConstraints(0); // CA certificates with any path length

    return Arrays.asList(byKeyEncipherment, byDataEncipherment, anyCa);
}
}
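/**
 * Picks an issuer (CA) certificate out of {@code store}.
 *
 * <p>The selector's key-usage array is all {@code false}, which places no effective
 * key-usage requirement on the match; {@code setBasicConstraints(0)} restricts the match to
 * CA certificates. When several CA certificates match, the first one the store returns is
 * used, so the choice depends on the store's iteration order.
 *
 * @param store the certificate store to query
 * @return the first matching CA certificate
 * @throws IllegalStateException (a {@link RuntimeException}, as before) if no certificate
 *     matches or the store cannot be queried; in the latter case the
 *     {@link CertStoreException} is kept as the cause
 */
private static X509Certificate selectIssuerCertificate(CertStore store) {
    X509CertSelector caSelector = new X509CertSelector();
    caSelector.setKeyUsage(new boolean[9]); // all false: no key-usage bit is required
    caSelector.setBasicConstraints(0);      // CA certificates only (pathLen >= 0)
    try {
        LOGGER.debug("Selecting certificate with basicConstraints");
        Collection<? extends Certificate> certs = store.getCertificates(caSelector);
        if (certs.isEmpty()) {
            throw new IllegalStateException("No suitable certificate for verification");
        }
        // An X509CertSelector only matches X509Certificate instances, so the cast is safe.
        return (X509Certificate) certs.iterator().next();
    } catch (CertStoreException e) {
        throw new IllegalStateException("Certificate store lookup failed", e);
    }
}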
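/**
 * Picks the certificate used to verify a message signature.
 *
 * <p>First tries a certificate whose key usage allows digitalSignature; if none is found,
 * falls back to any CA certificate (key-usage requirement dropped, basicConstraints 0).
 * The first certificate the store returns is used in either case.
 * NOTE(review): the fallback means a CA key is accepted as a direct message signer — confirm
 * that is intended.
 *
 * @param store the certificate store to query
 * @return the first matching certificate
 * @throws IllegalStateException (a {@link RuntimeException}, as before) if neither lookup
 *     matches or the store cannot be queried; in the latter case the
 *     {@link CertStoreException} is kept as the cause
 */
private static X509Certificate selectMessageVerifier(CertStore store) {
    X509CertSelector selector = new X509CertSelector();
    boolean[] keyUsage = new boolean[9];
    keyUsage[DIGITAL_SIGNATURE] = true;
    selector.setKeyUsage(keyUsage);
    try {
        LOGGER.debug("Selecting certificate with digitalSignature keyUsage");
        Collection<? extends Certificate> certs = store.getCertificates(selector);
        if (certs.isEmpty()) {
            LOGGER.debug("No certificates found. Falling back to CA certificate");
            selector.setKeyUsage(new boolean[9]); // all false: drop the key-usage requirement
            selector.setBasicConstraints(0);      // CA certificates only (pathLen >= 0)
            certs = store.getCertificates(selector);
        }
        if (certs.isEmpty()) {
            throw new IllegalStateException("No suitable certificate for verification");
        }
        // An X509CertSelector only matches X509Certificate instances, so the cast is safe.
        return (X509Certificate) certs.iterator().next();
    } catch (CertStoreException e) {
        throw new IllegalStateException("Certificate store lookup failed", e);
    }
}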
boolean[] keyUsage = new boolean[9]; keyUsage[KEY_ENCIPHERMENT] = true; signingSelector.setKeyUsage(keyUsage); keyUsage = new boolean[9]; keyUsage[DATA_ENCIPHERMENT] = true; signingSelector.setKeyUsage(keyUsage); signingSelector.setKeyUsage(keyUsage); signingSelector.setBasicConstraints(0);
/**
 * {@inheritDoc}
 *
 * <p>Two selectors, in list order: an end-entity certificate (basicConstraints -2 excludes
 * CA certificates) that allows digitalSignature, then any CA certificate
 * (basicConstraints &gt;= 0). NOTE(review): the second selector accepts a CA certificate as a
 * signer — confirm that fallback is intended.
 */
protected Collection<X509CertSelector> getSignerSelectors() {
    // Key-usage bit 0 is digitalSignature (RFC 5280); a one-element array sets only that bit.
    final boolean[] digitalSignatureOnly = {true};

    final X509CertSelector endEntitySigner = new X509CertSelector();
    endEntitySigner.setBasicConstraints(-2);
    endEntitySigner.setKeyUsage(digitalSignatureOnly);

    final X509CertSelector anyCa = new X509CertSelector();
    anyCa.setBasicConstraints(0);

    return Arrays.asList(endEntitySigner, anyCa);
}
/**
 * {@inheritDoc}
 *
 * <p>Returns a leaf-certificate selector (end-entity only, digitalSignature required)
 * followed by a selector that matches any CA certificate. NOTE(review): the CA selector lets
 * a CA key act as a signer — confirm that fallback is intended.
 */
protected Collection<X509CertSelector> getSignerSelectors() {
    X509CertSelector leafSigner = new X509CertSelector();
    X509CertSelector caFallback = new X509CertSelector();

    leafSigner.setBasicConstraints(-2);            // end-entity certificates only
    leafSigner.setKeyUsage(new boolean[] { true }); // bit 0 = digitalSignature (RFC 5280)
    caFallback.setBasicConstraints(0);             // CA certificates with any path length

    return Arrays.asList(leafSigner, caFallback);
}
keyEncSelector.setKeyUsage(new boolean[] { digitalSignature, nonRepudiation, dataEncSelector.setKeyUsage(new boolean[] { digitalSignature, nonRepudiation,
x509CertSelector.setKeyUsage( keyUsage );
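// Builds and validates a PKIX path for certificateToCheck against a JKS trust store,
// requiring the digitalSignature and keyEncipherment key-usage bits on the target.
// certBytes: DER/PEM-encoded certificate supplied by the caller (declared elsewhere).
final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
final X509Certificate certificateToCheck =
    (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certBytes));

// Trust anchors come from a JKS key store. Both the stream source and the password are
// PLACEHOLDERS: take the password from configuration rather than a literal in source
// (the original hard-coded "your password"), and close the stream once the store is loaded.
final KeyStore trustStore = KeyStore.getInstance("JKS");
final char[] trustStorePassword = ...; // PLACEHOLDER: obtain from configuration
try (InputStream keyStoreStream = ...) { // PLACEHOLDER: open the trust-store file
    // Fixed: the original passed the misspelled name keyStoreStrem here.
    trustStore.load(keyStoreStream, trustStorePassword);
}

// Build a path from certificateToCheck up to a trust anchor. Intermediate certificates must
// be reachable by the builder; with only the trust store given, the builder can see only the
// anchors and the target (add a CertStore to the parameters if intermediates are needed).
final CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
final X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(certificateToCheck);
final CertPathParameters certPathParameters = new PKIXBuilderParameters(trustStore, certSelector);
final CertPathBuilderResult certPathBuilderResult = certPathBuilder.build(certPathParameters);
final CertPath certPath = certPathBuilderResult.getCertPath();

// Validate the built path. Revocation checking is on, so CRL/OCSP data must be obtainable
// or validation fails.
final CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
final PKIXParameters validationParameters = new PKIXParameters(trustStore);
validationParameters.setRevocationEnabled(true); // if you want to check CRL
// Key-usage bits (RFC 5280): index 0 digitalSignature, index 2 keyEncipherment. Both must
// be set on the target certificate for validation to succeed.
final X509CertSelector keyUsageSelector = new X509CertSelector();
keyUsageSelector.setKeyUsage(new boolean[] { true, false, true }); // to check digitalSignature and keyEncipherment bits
validationParameters.setTargetCertConstraints(keyUsageSelector);
final PKIXCertPathValidatorResult result =
    (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, validationParameters);
System.out.println(result);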
/**
 * Returns the first private-key entry whose certificate allows {@code keyUsage} and,
 * when the {@code label} field is set, whose alias contains that label.
 *
 * <p>NOTE(review): the alias test is a substring match ({@code contains}), so a label that
 * occurs in several aliases selects whichever matching entry is listed first.
 *
 * @param keyUsage the key usage the entry's certificate must allow
 * @return the matching entry
 * @throws TechnicalException if no entry matches
 */
private KSPrivateKeyEntry findPrivateKey(X509Cert.KeyUsage keyUsage) {
    logger.debug("Searching key by usage: " + keyUsage.name());
    List<DSSPrivateKeyEntry> candidates = getPrivateKeyEntries();

    X509CertSelector usageSelector = new X509CertSelector();
    usageSelector.setKeyUsage(getUsageBitArray(keyUsage)); // TODO: Test this!

    for (DSSPrivateKeyEntry candidate : candidates) {
        if (!usageSelector.match(candidate.getCertificate().getCertificate())) {
            continue;
        }
        KSPrivateKeyEntry entry = (KSPrivateKeyEntry) candidate;
        if (label != null && !entry.getAlias().contains(label)) {
            continue;
        }
        logger.debug("... Found key by keyUsage. Key encryption algorithm:" + entry.getEncryptionAlgorithm().getName());
        return entry;
    }
    throw new TechnicalException("Error getting private key entry!");
}
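/**
 * Opens the PKCS#12 token at {@code fileName} and chooses the key entry to use.
 *
 * <p>Selection order: by {@code alias} when one is given; otherwise the first entry whose
 * certificate allows {@code keyUsage}; otherwise, as a last resort, the first entry in the
 * token regardless of usage or alias. That last fallback can hand back a key the caller did
 * not ask for, so it is logged at WARN.
 *
 * @param fileName path of the PKCS#12 file
 * @param password password of the PKCS#12 file, also passed when fetching a key by alias
 * @param keyUsage key usage to select by when {@code alias} is null
 * @param alias key alias to select by, or null to select by {@code keyUsage}
 * @throws DigiDoc4JException if the token file cannot be opened
 */
private void init(String fileName, String password, X509Cert.KeyUsage keyUsage, String alias) {
    logger.info("Using PKCS#12 signature token from file: " + fileName);
    try {
        signatureTokenConnection = new Pkcs12SignatureToken(fileName, password);
    } catch (IOException e) {
        // Only the (String) constructor is visible here, so the IOException cause is not
        // attached; wrap with the cause if DigiDoc4JException offers such a constructor.
        throw new DigiDoc4JException(e.getMessage());
    }

    if (alias != null) {
        logger.debug("Searching key with alias: " + alias);
        keyEntry = signatureTokenConnection.getKey(alias, password);
    } else {
        keyEntry = firstKeyWithUsage(keyUsage);
    }

    if (keyEntry == null) {
        List<DSSPrivateKeyEntry> keys = signatureTokenConnection.getKeys();
        if (!keys.isEmpty()) {
            logger.warn("No key matched the requested alias or key usage; using the first key in the token");
            keyEntry = (KSPrivateKeyEntry) keys.get(0);
        }
    }
}

/**
 * Returns the first token entry whose certificate allows {@code keyUsage}, or null if none does.
 *
 * @param keyUsage the key usage the entry's certificate must allow
 * @return the first matching entry, or null
 */
private KSPrivateKeyEntry firstKeyWithUsage(X509Cert.KeyUsage keyUsage) {
    logger.debug("Searching key by usage: " + keyUsage.name());
    X509CertSelector selector = new X509CertSelector();
    selector.setKeyUsage(getUsageBitArray(keyUsage)); // TODO: Test this!
    for (DSSPrivateKeyEntry key : signatureTokenConnection.getKeys()) {
        if (selector.match(key.getCertificate().getCertificate())) {
            return (KSPrivateKeyEntry) key;
        }
    }
    return null;
}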