Gervase Markham wrote:
> I've been feeling my way around the JSS API. The "Using JSS" document,
> the FAQ and the test code are (just) enough to get going. But I've come
> across several points where the API seems really low-level. I was
> wondering if I've missed something?
>
> I can go through the following long chain to find out about a cert,
> knowing the nickname:
>
> CryptoManager.initialize(dbdir);
> CryptoManager cm = CryptoManager.getInstance();
> X509Certificate x509Cert = cm.findCertByNickname(nickname);
> Certificate cert = (Certificate)ASN1Util.decode(
>     Certificate.getTemplate(), x509Cert.getEncoded());
> CertificateInfo info = cert.getInfo();
>
> (Phew!)
>

Note: there can be multiple certs with the same nickname; it is better to use
cm.findCertsByNickname(nickname);

> 1) Then, I can get the Subject with:
>
> Name subject = info.getSubject();
>
> This Name class seems to have ways of adding each of the individual
> components of the Name (O, OU, CN etc.) but not ways of getting them
> individually as Strings. Have I missed something?
>
http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/pkix/primitive/Name.html
>
> 2) There don't seem to be any useful constants for the obvious values
> for some of the calls. So I can call:
>
> OBJECT_IDENTIFIER sigalg = info.getSignatureAlgId().getOID();
>
> but I then have to compare it like this:
>
> if (!sigalg.toString().equals("{1 2 840 113549 1 1 5}"))
>

import org.mozilla.jss.crypto.SignatureAlgorithm;
// toOID() returns an OBJECT_IDENTIFIER, not a String, so compare the string forms
if (!sigalg.toString().equals(SignatureAlgorithm.RSASignatureWithSHA1Digest.toOID().toString()))

> 3) I seem to be left entirely on my own when attempting to look at
> Extensions:
>
> SEQUENCE extensions = info.getExtensions();
> for (int i = 0; i < extensions.size(); i++) {
> Extension ext = (Extension)extensions.elementAt(i);
> String extId = ext.getExtnId();
> OCTET_STRING value = ext.getExtnValue();
> }
>
>
> What am I supposed to do with that OCTET_STRING? Do manual ASN.1
> decoding on it according to my supposed knowledge of the internals of
> this particular Extension?
>

At this time, yes.

> Can anyone give me some guidance?
>
>
Did you look at isExtensionPresent or getExtension?
http://mxr.mozilla.org/security/ident?i=isExtensionPresent
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/cert/CertificateInfo.java#294

I made a bug:
"JSS needs support for known x.509 v3 certificate extensions"

Also, I am not sure what info you want, and maybe you can add that
to the bug, but here is code to list the critical and non-critical
extensions by converting the JSS certificate to
java.security.cert.X509Certificate:

import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.util.Iterator;
import java.util.Set;

// Re-parse the JSS certificate's DER encoding as a JDK certificate
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream bais = new ByteArrayInputStream(x509Cert.getEncoded());
java.security.cert.X509Certificate jdkCert =
    (java.security.cert.X509Certificate) cf.generateCertificate(bais);
bais.close();
System.out.println("SN " + jdkCert.getSerialNumber());

/* non critical extensions */
Set nonCritSet = jdkCert.getNonCriticalExtensionOIDs();
if (nonCritSet != null && !nonCritSet.isEmpty()) {
    for (Iterator i = nonCritSet.iterator(); i.hasNext();) {
        String oid = (String)i.next();
        System.out.println(oid);
    }
} else { System.out.println("no non Critical Extensions"); }

/* critical extensions */
Set critSet = jdkCert.getCriticalExtensionOIDs();
if (critSet != null && !critSet.isEmpty()) {
    System.out.println("Set of critical extensions:");
    for (Iterator i = critSet.iterator(); i.hasNext();) {
        String oid = (String)i.next();
        System.out.println(oid);
    }
} else { System.out.println("no Critical Extensions"); }

-glen
> Thanks :-)
>
> Gerv
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@list...
> https://lists.mozilla.org/listinfo/dev-tech-crypto
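
Added example, not part of the original thread and not JSS code: a minimal manual decode of one extension value, the kind of work the "At this time, yes" answer above implies. It takes bytes in the form that java.security.cert.X509Certificate.getExtensionValue(oid) returns (a DER OCTET STRING wrapping the extension's own DER) for BasicConstraints, OID 2.5.29.19; the class name, helper names and sample bytes are constructed for illustration.

```java
import java.math.BigInteger;
import java.util.Arrays;

public class ExtnValueDecoder {
    /** Decoded BasicConstraints; pathLen is -1 when pathLenConstraint is absent. */
    static final class BasicConstraints {
        final boolean ca; final int pathLen;
        BasicConstraints(boolean ca, int pathLen) { this.ca = ca; this.pathLen = pathLen; }
    }
    /** Content bytes of the DER TLV at buf[pos]; checks the tag, short-form lengths only. */
    static byte[] content(byte[] buf, int pos, int tag) {
        if (buf.length - pos < 2 || (buf[pos] & 0xff) != tag)
            throw new IllegalArgumentException("expected tag 0x" + Integer.toHexString(tag));
        int len = buf[pos + 1] & 0xff;
        if (len > 0x7f || len > buf.length - pos - 2)
            throw new IllegalArgumentException("unsupported or truncated length");
        return Arrays.copyOfRange(buf, pos + 2, pos + 2 + len);
    }
    /** Same, but the TLV must span the whole buffer (no trailing bytes). */
    static byte[] whole(byte[] buf, int tag) {
        byte[] c = content(buf, 0, tag);
        if (c.length + 2 != buf.length) throw new IllegalArgumentException("trailing data");
        return c;
    }
    static BasicConstraints decodeBasicConstraints(byte[] extnValue) {
        byte[] seq = whole(whole(extnValue, 0x04), 0x30); // OCTET STRING -> SEQUENCE
        boolean ca = false;                               // cA BOOLEAN DEFAULT FALSE
        int pathLen = -1, pos = 0;
        if (pos < seq.length && seq[pos] == 0x01) {
            byte[] b = content(seq, pos, 0x01);
            if (b.length != 1) throw new IllegalArgumentException("bad BOOLEAN");
            ca = b[0] != 0;
            pos += 3;
        }
        if (pos < seq.length) {                           // optional INTEGER pathLenConstraint
            byte[] n = content(seq, pos, 0x02);
            if (n.length == 0 || n.length > 4 || n[0] < 0)
                throw new IllegalArgumentException("bad pathLenConstraint");
            pathLen = new BigInteger(n).intValue();
            pos += 2 + n.length;
        }
        if (pos != seq.length) throw new IllegalArgumentException("trailing data in SEQUENCE");
        return new BasicConstraints(ca, pathLen);
    }
    public static void main(String[] args) {
        // Constructed sample: OCTET STRING { SEQUENCE { BOOLEAN TRUE, INTEGER 0 } }
        byte[] sample = { 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, (byte) 0xff, 0x02, 0x01, 0x00 };
        BasicConstraints bc = decodeBasicConstraints(sample);
        System.out.println("cA=" + bc.ca + " pathLen=" + bc.pathLen);
    }
}
```

For BasicConstraints itself the JDK already offers X509Certificate.getBasicConstraints(); the manual route matters for extensions that have no such accessor.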