SiGa/siga-common/src/main/java/ee/openeid/siga/common/util/CertificateUtil.java at bd92c4ab00e2590fe6fdc015569925575253b911 · open-eid/SiGa · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
package ee.openeid.siga.common.util;

import ee.openeid.siga.common.exception.InvalidCertificateException;
import ee.openeid.siga.common.exception.TechnicalException;
import ee.openeid.siga.common.model.KeyUsageType;
import eu.europa.esig.dss.utils.Utils;
import lombok.experimental.UtilityClass;
import lombok.extern.slf4j.Slf4j;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.CertificatePolicies;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import java.util.Optional;
import java.util.stream.Stream;

@Slf4j
@UtilityClass
public class CertificateUtil {

    public static X509Certificate createX509Certificate(byte[] certificate) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certificate));
        } catch (Exception e) {
            throw new InvalidCertificateException("Invalid signing certificate");
        }
    }

    public static boolean isCertificateActive(X509Certificate certificate) {
        if (certificate.getNotAfter() == null) {
            return false;
        }
        Date currentDate = new Date();
        return certificate.getNotAfter().after(currentDate) && certificate.getNotBefore().before(currentDate);
    }

    public static boolean isSigningCertificate(X509Certificate certificate) {
        if (certificate.getKeyUsage() == null || certificate.getKeyUsage().length < 2) {
            return false;
        }
        return certificate.getKeyUsage()[KeyUsageType.NON_REPUDIATION];
    }


    public static boolean hasProhibitedPolicies(X509Certificate certificate, List<String> policies) {
        return getPolicyOidStringsAsStream(certificate).anyMatch(policies::contains);
    }

    static Stream<String> getPolicyOidStringsAsStream(X509Certificate certificate) {
        return Optional
                .ofNullable(getCertificatePoliciesIfPresent(certificate))
                .map(CertificatePolicies::getPolicyInformation)
                .stream()
                .flatMap(Stream::of)
                .flatMap(policy -> Optional.ofNullable(policy)
                    .map(PolicyInformation::getPolicyIdentifier)
                    .map(ASN1ObjectIdentifier::getId)
                    .stream());
    }

    private static CertificatePolicies getCertificatePoliciesIfPresent(X509Certificate certificate) {
        byte[] extensionValue = certificate.getExtensionValue(Extension.certificatePolicies.getId());
        if (Utils.isArrayEmpty(extensionValue)) {
            return null;
        }
        return parseCertificatePolicies(extensionValue);
    }

    private static CertificatePolicies parseCertificatePolicies(byte[] extensionValue) {
        try {
            return CertificatePolicies.getInstance(JcaX509ExtensionUtils.parseExtensionValue(extensionValue));
        } catch (IOException e) {
            log.error(e.getMessage());
            throw new TechnicalException("Could not parse certificate extension value");
        }
    }
}