Glen Beasley wrote:
> Gervase Markham wrote:
>> I've been feeling my way around the JSS API. The "Using JSS" document,
>> the FAQ and the test code are (just) enough to get going. But I've come
>> across several points where the API seems really low-level. I was
>> wondering if I've missed something?
>>
>> I can go through the following long chain to find out about a cert,
>> knowing the nickname:
>>
>> CryptoManager.initialize(dbdir);
>> CryptoManager cm = CryptoManager.getInstance();
>> X509Certificate x509Cert = cm.findCertByNickname(nickname);
>> Certificate cert =
>>     (Certificate)ASN1Util.decode(Certificate.getTemplate(),
>>                                  x509Cert.getEncoded());
>> CertificateInfo info = cert.getInfo();
>>
>> (Phew!)
>>
> Note there can be multiple certs with the same nickname; it is better to use
> cm.findCertsByNickname(nickname);
>
>> 1) Then, I can get the Subject with:
>>
>> Name subject = info.getSubject();
>>
>> This Name class seems to have ways of adding each of the individual
>> components of the Name (O, OU, CN etc.) but not ways of getting them
>> individually as Strings. Have I missed something?
>> http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/pkix/primitive/Name.html
>>
>> 2) There don't seem to be any useful constants for the obvious values
>> for some of the calls. So I can call:
>>
>> OBJECT_IDENTIFIER sigalg = info.getSignatureAlgId().getOID();
>>
>> but I then have to compare it like this:
>>
>> if (!sigalg.toString().equals("{1 2 840 113549 1 1 5}"))
>>
> import org.mozilla.jss.crypto.SignatureAlgorithm;
>
> // compare the two OBJECT_IDENTIFIER values directly rather than a String to an OID
> if (!sigalg.equals(SignatureAlgorithm.RSASignatureWithSHA1Digest.toOID()))
>
>> 3) I seem to be left entirely on my own when attempting to look at
>> Extensions:
>>
>> SEQUENCE extensions = info.getExtensions();
>> for (int i = 0; i < extensions.size(); i++) {
>>     Extension ext = (Extension)extensions.elementAt(i);
>>     OBJECT_IDENTIFIER extId = ext.getExtnId();  // getExtnId() returns an OID, not a String
>>     OCTET_STRING value = ext.getExtnValue();
>> }
>>
>> What am I supposed to do with that OCTET_STRING? Do manual ASN.1
>> decoding on it according to my supposed knowledge of the internals of
>> this particular Extension?
>>
> At this time, yes.
>
>> Can anyone give me some guidance?
>>
> Did you look at isExtensionPresent or getExtension?
> http://mxr.mozilla.org/security/ident?i=isExtensionPresent
> http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/cert/CertificateInfo.java#294
>
> I made a bug:
> JSS needs support for known x.509 v3 certificate extension
> The bug: https://bugzilla.mozilla.org/show_bug.cgi?id=378233
Also, in my first reply I made a mistake. JSS will tell you if the extension
is critical or not.

SEQUENCE extensions = info.getExtensions();
for (int i = 0; i < extensions.size(); i++) {
    Extension ext = (Extension)extensions.elementAt(i);
    OBJECT_IDENTIFIER oid = ext.getExtnId();
    OCTET_STRING value = ext.getExtnValue();
    System.out.println("Extension " + oid.toString());
    if (ext.getCritical()) {
        System.out.println("Critical extension");
    } else {
        System.out.println("not a Critical extension");
    }
}

> -glen
>
>> Thanks :-)
>>
>> Gerv
>> _______________________________________________
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
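The following program is an added example, not code from this thread or from the JSS project, that pulls the three answers above together: it uses findCertsByNickname so that every cert sharing the nickname is examined, compares the signature OID as an OBJECT_IDENTIFIER rather than a String, and does the "manual ASN.1 decoding" of the extnValue OCTET STRING for two well-known extensions using the org.mozilla.jss.asn1 templates. Class and method names that do not appear in the thread (Name.getRFC1485(), SEQUENCE.Template.addElement(template, defaultValue), BOOLEAN.toBoolean(), BIT_STRING.getBits(), OCTET_STRING.toByteArray()) are assumptions about the JSS API of the time and should be checked against the javadoc of the version in use; the OIDs 2.5.29.15 and 2.5.29.19 are the standard id-ce-keyUsage and id-ce-basicConstraints arcs from RFC 3280.

```java
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.asn1.ASN1Util;
import org.mozilla.jss.asn1.BIT_STRING;
import org.mozilla.jss.asn1.BOOLEAN;
import org.mozilla.jss.asn1.INTEGER;
import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
import org.mozilla.jss.asn1.SEQUENCE;
import org.mozilla.jss.crypto.SignatureAlgorithm;
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.pkix.cert.Certificate;
import org.mozilla.jss.pkix.cert.CertificateInfo;
import org.mozilla.jss.pkix.cert.Extension;

/** Walks every cert under a nickname and decodes two well-known extensions by hand. */
public class ExtensionInspector {

    // Standard OID arcs from RFC 3280: id-ce-keyUsage and id-ce-basicConstraints.
    static final OBJECT_IDENTIFIER KEY_USAGE =
        new OBJECT_IDENTIFIER(new long[] {2, 5, 29, 15});
    static final OBJECT_IDENTIFIER BASIC_CONSTRAINTS =
        new OBJECT_IDENTIFIER(new long[] {2, 5, 29, 19});

    public static void main(String[] args) throws Exception {
        String dbdir = args[0];     // NSS database directory
        String nickname = args[1];  // cert nickname, possibly shared by several certs
        CryptoManager.initialize(dbdir);
        CryptoManager cm = CryptoManager.getInstance();
        // findCertsByNickname (Glen's suggestion) returns every cert with that nickname.
        for (X509Certificate x509Cert : cm.findCertsByNickname(nickname)) {
            Certificate cert = (Certificate) ASN1Util.decode(
                Certificate.getTemplate(), x509Cert.getEncoded());
            inspect(cert.getInfo());
        }
    }

    static void inspect(CertificateInfo info) throws Exception {
        // Assumed JSS API: Name.getRFC1485() renders the DN as one string.
        System.out.println("Subject: " + info.getSubject().getRFC1485());

        // Compare OIDs as OBJECT_IDENTIFIER values; OBJECT_IDENTIFIER.equals() does the work.
        OBJECT_IDENTIFIER sigalg = info.getSignatureAlgId().getOID();
        System.out.println("sha1WithRSAEncryption: "
            + sigalg.equals(SignatureAlgorithm.RSASignatureWithSHA1Digest.toOID()));

        SEQUENCE extensions = info.getExtensions();
        if (extensions == null) {
            return;  // v1 cert, nothing to walk
        }
        for (int i = 0; i < extensions.size(); i++) {
            Extension ext = (Extension) extensions.elementAt(i);
            OBJECT_IDENTIFIER oid = ext.getExtnId();
            // extnValue is an OCTET STRING wrapping the DER of the extension's own type.
            byte[] der = ext.getExtnValue().toByteArray();

            if (oid.equals(BASIC_CONSTRAINTS)) {
                decodeBasicConstraints(der);
            } else if (oid.equals(KEY_USAGE)) {
                decodeKeyUsage(der);
            } else if (ext.getCritical()) {
                // RFC 3280 4.2: a relying party that cannot process a critical
                // extension must reject the certificate, not silently skip it.
                throw new java.security.cert.CertificateException(
                    "unrecognised critical extension " + oid);
            } else {
                System.out.println("Skipping non-critical extension " + oid);
            }
        }
    }

    // BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    //                                 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
    static void decodeBasicConstraints(byte[] der) throws Exception {
        SEQUENCE.Template t = new SEQUENCE.Template();
        // Assumed JSS API: addElement(template, defaultValue) models DEFAULT FALSE.
        t.addElement(BOOLEAN.getTemplate(), new BOOLEAN(false));
        t.addOptionalElement(INTEGER.getTemplate());
        SEQUENCE bc = (SEQUENCE) ASN1Util.decode(t, der);
        boolean isCA = ((BOOLEAN) bc.elementAt(0)).toBoolean();
        INTEGER pathLen = (INTEGER) bc.elementAt(1);  // null when the field is absent
        System.out.println("BasicConstraints: cA=" + isCA
            + (pathLen == null ? "" : " pathLenConstraint=" + pathLen));
    }

    // KeyUsage ::= BIT STRING; bit 0 (digitalSignature) is the MSB of the first byte.
    static void decodeKeyUsage(byte[] der) throws Exception {
        BIT_STRING ku = (BIT_STRING) ASN1Util.decode(BIT_STRING.getTemplate(), der);
        byte[] bits = ku.getBits();
        int first = bits.length > 0 ? bits[0] & 0xff : 0;
        System.out.println("KeyUsage: digitalSignature=" + ((first & 0x80) != 0)
            + " keyCertSign=" + ((first & 0x04) != 0)
            + " cRLSign=" + ((first & 0x02) != 0));
    }
}
```

Run it as `java ExtensionInspector /path/to/nssdb "My Cert"` with the JSS jar and native library on the class path and library path. The one deliberate policy choice is the unknown-critical branch: decoding the known extensions is the convenience Gerv asked for, but throwing on a critical extension the code does not understand is what keeps a hand-rolled inspector from accepting a certificate it has not actually validated.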