Gervase Markham wrote:
> I've been feeling my way around the JSS API. The "Using JSS" document,
> the FAQ and the test code are (just) enough to get going. But I've come
> across several points where the API seems really low-level. I was
> wondering if I've missed something?
>
> I can go through the following long chain to find out about a cert,
> knowing the nickname:
>
> CryptoManager.initialize(dbdir);
> CryptoManager cm = CryptoManager.getInstance();
> X509Certificate x509Cert = cm.findCertByNickname(nickname);
> Certificate cert =
>     (Certificate)ASN1Util.decode(Certificate.getTemplate(),
>                                  x509Cert.getEncoded());
> CertificateInfo info = cert.getInfo();
>
> (Phew!)
>

Note: there can be multiple certs with the same nickname; it is better to use

    cm.findCertsByNickname(nickname);

> 1) Then, I can get the Subject with:
>
> Name subject = info.getSubject();
>
> This Name class seems to have ways of adding each of the individual
> components of the Name (O, OU, CN etc.) but not ways of getting them
> individually as Strings. Have I missed something?
> http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/pkix/primitive/Name.html
>
> 2) There don't seem to be any useful constants for the obvious values
> for some of the calls. So I can call:
>
> OBJECT_IDENTIFIER sigalg = info.getSignatureAlgId().getOID();
>
> but I then have to compare it like this:
>
> if (!sigalg.toString().equals("{1 2 840 113549 1 1 5}"))
>

    import org.mozilla.jss.crypto.SignatureAlgorithm;

    // Compare the OBJECT_IDENTIFIER objects directly; toOID() returns an
    // OBJECT_IDENTIFIER, so comparing it against a String would never match.
    if (!sigalg.equals(SignatureAlgorithm.RSASignatureWithSHA1Digest.toOID()))

> 3) I seem to be left entirely on my own when attempting to look at
> Extensions:
>
> SEQUENCE extensions = info.getExtensions();
> for (int i = 0; i < extensions.size(); i++) {
>     Extension ext = (Extension)extensions.elementAt(i);
>     String extId = ext.getExtnId();
>     OCTET_STRING value = ext.getExtnValue();
> }
>
> What am I supposed to do with that OCTET_STRING? Do manual ASN.1
> decoding on it according to my supposed knowledge of the internals of
> this particular Extension?
>

At this time, yes.

> Can anyone give me some guidance?
>

Did you look at isExtensionPresent or getExtension?
http://mxr.mozilla.org/security/ident?i=isExtensionPresent
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/cert/CertificateInfo.java#294

I made a bug: JSS needs support for known X.509 v3 certificate extensions. Also, I am not sure what info you want, and maybe you can add that to the bug, but here is code to list the critical and non-critical extensions by converting the JSS certificate to java.security.cert.X509Certificate:

    import java.io.ByteArrayInputStream;
    import java.security.cert.CertificateFactory;
    import java.util.Iterator;
    import java.util.Set;

    // Re-parse the DER bytes from the JSS certificate with the JDK provider.
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    ByteArrayInputStream bais = new ByteArrayInputStream(x509Cert.getEncoded());
    java.security.cert.X509Certificate jdkCert =
        (java.security.cert.X509Certificate) cf.generateCertificate(bais);
    bais.close();

    System.out.println("SN " + jdkCert.getSerialNumber());

    /* non-critical extensions */
    Set nonCritSet = jdkCert.getNonCriticalExtensionOIDs();
    if (nonCritSet != null && !nonCritSet.isEmpty()) {
        for (Iterator i = nonCritSet.iterator(); i.hasNext();) {
            String oid = (String)i.next();
            System.out.println(oid);
        }
    } else {
        System.out.println("no non Critical Extensions");
    }

    /* critical extensions */
    Set critSet = jdkCert.getCriticalExtensionOIDs();
    if (critSet != null && !critSet.isEmpty()) {
        System.out.println("Set of critical extensions:");
        for (Iterator i = critSet.iterator(); i.hasNext();) {
            String oid = (String)i.next();
            System.out.println(oid);
        }
    } else {
        System.out.println("no Critical Extensions");
    }

-glen

> Thanks :-)
>
> Gerv
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
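Added example, not code from this thread or from JSS: it takes Glen's JDK re-parse one step further and answers Gerv's three questions with the standard java.security.cert and javax.naming.ldap APIs, which decode the common extensions that JSS left as raw OCTET_STRINGs. The class name CertInspector and the file path argument are assumptions; the input is the same byte[] that x509Cert.getEncoded() returns in the thread (a DER or PEM file on disk here).

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper (not JSS): inspect a certificate with the JDK API. */
public class CertInspector {

    /** The OID compared against in the thread, sha1WithRSAEncryption, in JDK dotted form. */
    static final String SHA1_WITH_RSA_OID = "1.2.840.113549.1.1.5";

    /** Parse the bytes JSS's x509Cert.getEncoded() returns (DER; PEM is accepted too). */
    static X509Certificate parse(byte[] encoded) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(encoded));
    }

    /** Question 1: subject components keyed by type (CN, O, OU ...); a type may repeat. */
    static Map<String, List<String>> subjectComponents(X509Certificate cert) throws InvalidNameException {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName(X500Principal.RFC2253));
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Rdn rdn : dn.getRdns()) {
            out.computeIfAbsent(rdn.getType().toUpperCase(Locale.ROOT), k -> new ArrayList<>())
               .add(String.valueOf(rdn.getValue()));
        }
        return out;
    }

    /** Question 2: the JDK exposes the signature algorithm as a dotted OID string. */
    static boolean signedWithSha1Rsa(X509Certificate cert) {
        return SHA1_WITH_RSA_OID.equals(cert.getSigAlgOID());
    }

    /** Question 3: decoded views of the extensions the JDK knows, raw contents for the rest. */
    static Map<String, Object> extensions(X509Certificate cert) throws CertificateException {
        Map<String, Object> out = new LinkedHashMap<>();
        // >= 0 means cA=TRUE with that path length limit; -1 means not a CA certificate
        out.put("basicConstraints.pathLen", cert.getBasicConstraints());
        boolean[] ku = cert.getKeyUsage();
        if (ku != null) {
            String[] names = {"digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                              "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"};
            List<String> set = new ArrayList<>();
            for (int i = 0; i < ku.length && i < names.length; i++) if (ku[i]) set.add(names[i]);
            out.put("keyUsage", set);
        }
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();  // entries are [type, value]
        if (sans != null) out.put("subjectAltName", sans);
        Set<String> oids = new TreeSet<>();
        if (cert.getCriticalExtensionOIDs() != null) oids.addAll(cert.getCriticalExtensionOIDs());
        if (cert.getNonCriticalExtensionOIDs() != null) oids.addAll(cert.getNonCriticalExtensionOIDs());
        for (String oid : oids) {
            // getExtensionValue() returns the DER-encoded OCTET STRING; strip the wrapper to
            // get the same extnValue contents JSS hands back, ready for type-specific decoding.
            out.put("raw." + oid, unwrapOctetString(cert.getExtensionValue(oid)));
        }
        return out;
    }

    /** Strip a DER OCTET STRING header (tag 0x04, short or long-form length). */
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || der[0] != 0x04) throw new IllegalArgumentException("not an OCTET STRING");
        int len = der[1] & 0xFF, offset = 2;
        if (len == 0x80) throw new IllegalArgumentException("indefinite length is not valid DER");
        if (len > 0x80) {
            int n = len & 0x7F;
            if (n > 4 || der.length < 2 + n) throw new IllegalArgumentException("bad length encoding");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[offset++] & 0xFF);
        }
        if (offset + len != der.length) throw new IllegalArgumentException("length does not match input");
        return Arrays.copyOfRange(der, offset, offset + len);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = parse(Files.readAllBytes(Paths.get(args[0])));
        System.out.println("subject: " + subjectComponents(cert));
        System.out.println("sigalg: " + cert.getSigAlgName() + " (" + cert.getSigAlgOID() + ")"
                + (signedWithSha1Rsa(cert) ? " [SHA-1 based]" : ""));
        // RFC 5280 4.2: a certificate carrying a critical extension the verifier cannot
        // process must be rejected, so surface that before trusting any of the decoded fields.
        System.out.println("unsupported critical extension: " + cert.hasUnsupportedCriticalExtension());
        for (Map.Entry<String, Object> e : extensions(cert).entrySet()) {
            Object v = e.getValue();
            System.out.println(e.getKey() + " = " + (v instanceof byte[] ? Arrays.toString((byte[]) v) : v));
        }
    }
}
```

Run it as `java CertInspector cert.der` (or a PEM file). The hasUnsupportedCriticalExtension() check is the part worth keeping in real code: when a critical extension is unknown to the parser the certificate must not be accepted, which is exactly the situation the raw OCTET_STRING loop in the thread cannot detect on its own.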