000022925 - Retrieve the userNotice's explicitText in visibleString type within a PolicyQualifier of Certificate Policies extension

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000022925
Applies To: Cert-J

Here is the ASN.1 definition:

   PolicyInformation ::= SEQUENCE {
        policyIdentifier   CertPolicyId,
        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
                                PolicyQualifierInfo OPTIONAL }

   CertPolicyId ::= OBJECT IDENTIFIER

   PolicyQualifierInfo ::= SEQUENCE {
        policyQualifierId  PolicyQualifierId,
        qualifier          ANY DEFINED BY policyQualifierId }

   -- policyQualifierIds for Internet policy qualifiers

   id-qt          OBJECT IDENTIFIER ::=  { id-pkix 2 }
   id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
   id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }

   PolicyQualifierId ::=
        OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )

   Qualifier ::= CHOICE {
        cPSuri           CPSuri,
        userNotice       UserNotice }

   CPSuri ::= IA5String


   UserNotice ::= SEQUENCE {
        noticeRef        NoticeReference OPTIONAL,
        explicitText     DisplayText OPTIONAL}

   NoticeReference ::= SEQUENCE {
        organization     DisplayText,
        noticeNumbers    SEQUENCE OF INTEGER }

   DisplayText ::= CHOICE {
        ia5String        IA5String      (SIZE (1..200)),
        visibleString    VisibleString  (SIZE (1..200)),
        bmpString        BMPString      (SIZE (1..200)),
        utf8String       UTF8String     (SIZE (1..200)) }

Issue
Retrieve the userNotice's explicitText in visibleString type within a PolicyQualifier of the Certificate Policies extension.
Even though Cert-J provides APIs to parse a certificate's Certificate Policies extension down to the Qualifier level, the Qualifier value itself can only be retrieved as a whole, as a byte[], rather than letting the user drill down to further levels within the Qualifier (for example the UserNotice's explicitText).
Resolution

The workaround is to use Crypto-J's ASN.1 parser to parse down to the lowest level, and then use the Mozilla/Netscape LDAP library's BERVisibleString class to read the value, since Crypto-J does not have a VisibleStringContainer. (The Mozilla/Netscape LDAP library is included with Cert-J as prebuilt/ldapjdk/ldapjdk.jar.)

See solution code below:

import java.io.ByteArrayInputStream;
import java.util.Arrays;

import com.rsa.asn1.ASN1;
import com.rsa.asn1.ASN1Container;
import com.rsa.asn1.EncodedContainer;
import com.rsa.asn1.EndContainer;
import com.rsa.asn1.SequenceContainer;
import com.rsa.certj.cert.extensions.CertPolicies;
import com.rsa.certj.cert.extensions.PolicyQualifiers;
import com.rsa.certj.cert.extensions.X509V3Extension;
import netscape.ldap.ber.stream.BERElement;
import netscape.ldap.ber.stream.BERVisibleString;

// Content octets of id-qt-unotice (1.3.6.1.5.5.7.2.2). The original snippet used this
// constant without defining it; whether Cert-J returns the qualifier OID as bare content
// octets (assumed here) or as a full TLV should be checked against your Cert-J version.
byte[] IdQtUnoticeOID = { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02 };

// 'exts' is the certificate's X509V3Extensions object. ASN1.berDecode throws ASN_Exception
// and BERElement.getElement throws IOException; the enclosing method must handle both.
CertPolicies policies = (CertPolicies) exts.getExtensionByType(X509V3Extension.CERT_POLICIES);
int count = policies.getPoliciesCount();

for (int i = 0; i < count; i++)
{
    PolicyQualifiers qualifiers = policies.getPolicyQualifiers(i);
    int qCount = qualifiers.getQualifiersCount();
    for (int j = 0; j < qCount; j++)
    {
        // Cert-J hands back the qualifier value only as an opaque byte[] (the DER of the UserNotice).
        byte[] qualifier = qualifiers.getQualifier(j);
        // Assumed accessor for the j-th policyQualifierId; the original left qualifierOID undefined.
        byte[] qualifierOID = qualifiers.getQualifierID(j);

        if (Arrays.equals(qualifierOID, IdQtUnoticeOID))
        {
            // Decode the UserNotice as SEQUENCE { ANY OPTIONAL } with Crypto-J's ASN.1 parser and
            // keep the first element's raw encoding. This assumes noticeRef is absent (the common
            // case); if noticeRef is present, the first element is that SEQUENCE and the type
            // check below simply skips it.
            SequenceContainer seqContainer = new SequenceContainer(ASN1.NO_SPECIAL);
            EndContainer endContainer = new EndContainer();
            EncodedContainer encContent = new EncodedContainer(ASN1.ANY | ASN1.OPTIONAL, false, 0, null, 0, 0);
            ASN1Container[] asn1Def = { seqContainer, encContent, endContainer };
            ASN1.berDecode(qualifier, 0, asn1Def);

            // Crypto-J has no VisibleStringContainer, so hand the element to the LDAP BER decoder.
            ByteArrayInputStream iStream = new ByteArrayInputStream(encContent.data, encContent.dataOffset, encContent.dataLen);
            int[] innerBytesRead = new int[1];
            BERElement explicitText = BERElement.getElement(null, iStream, innerBytesRead);
            if (explicitText.getType() == BERElement.VISIBLESTRING)
            {
                System.out.println("explicitText visibleString value: " + ((BERVisibleString) explicitText).getValue());
            }
        } /* end if qualifier OID is id-qt-unotice */
    } /* end looping over qualifiers */
} /* end looping over cert policies */
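As an added, stand-alone illustration of the drill-down the Java snippet performs (this is not Cert-J or Crypto-J code; it is written in Python so it runs without the Cert-J jars), the following walks the DER of a PolicyQualifierInfo down to the UserNotice explicitText. It also covers the two cases the single-element decode above does not: a noticeRef preceding explicitText, and the non-VisibleString DisplayText alternatives. The OIDs come from the ASN.1 module above; the sample encodings are constructed here.

```python
# Added example (not Cert-J/Crypto-J code): DER walker for PolicyQualifierInfo / UserNotice.
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"
# DisplayText CHOICE alternatives keyed by universal tag: (name, Python codec)
DISPLAY_TEXT = {0x16: ("ia5String", "ascii"), 0x1A: ("visibleString", "ascii"),
                0x1E: ("bmpString", "utf-16-be"), 0x0C: ("utf8String", "utf-8")}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):                     # OBJECT IDENTIFIER content octets -> dotted form
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def user_notice_explicit_text(policy_qualifier_info):
    """Return (DisplayText alternative, text) of a UserNotice explicitText, else None.
    Unlike the article's single-element decode, a leading noticeRef is skipped."""
    _, seq, _ = read_tlv(policy_qualifier_info, 0)      # PolicyQualifierInfo SEQUENCE
    _, oid, pos = read_tlv(seq, 0)                      # policyQualifierId
    if decode_oid(oid) != ID_QT_UNOTICE:
        return None                          # e.g. a CPSuri: no UserNotice to drill into
    _, notice, _ = read_tlv(seq, pos)        # UserNotice SEQUENCE
    pos = 0
    while pos < len(notice):
        tag, value, pos = read_tlv(notice, pos)
        if tag in DISPLAY_TEXT:              # noticeRef is a SEQUENCE (0x30), so it is skipped
            text = value.decode(DISPLAY_TEXT[tag][1])
            if not 1 <= len(text) <= 200:    # enforce DisplayText SIZE (1..200)
                raise ValueError("DisplayText length out of range")
            return DISPLAY_TEXT[tag][0], text
    return None

def tlv(tag, content):                       # short-form DER TLV encoder for the samples below
    return bytes([tag, len(content)]) + content

# Constructed sample: id-qt-unotice with a noticeRef and a VisibleString explicitText.
SAMPLE_UNOTICE = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070202")) + tlv(0x30,
    tlv(0x30, tlv(0x1A, b"Example CA") + tlv(0x30, tlv(0x02, b"\x01")))   # noticeRef
    + tlv(0x1A, b"Not for production use")))                              # explicitText
SAMPLE_CPS = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070201"))      # constructed id-qt-cps
                 + tlv(0x16, b"http://cps.example.invalid/"))             # sample: IA5String URI
```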

Legacy Article ID: a34313
