Search in sources :

Example 1 with PolicyInformation

use of org.bouncycastle.asn1.x509.PolicyInformation in project robovm by robovm.

the class PolicyInformation method toASN1Primitive.

/* 
     * PolicyInformation ::= SEQUENCE {
     *      policyIdentifier   CertPolicyId,
     *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF
     *              PolicyQualifierInfo OPTIONAL }
     */
public ASN1Primitive toASN1Primitive() {
    ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(policyIdentifier);
    if (policyQualifiers != null) {
        v.add(policyQualifiers);
    }
    return new DERSequence(v);
}
Also used : DERSequence(org.bouncycastle.asn1.DERSequence) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)

Example 2 with PolicyInformation

use of org.bouncycastle.asn1.x509.PolicyInformation in project robovm by robovm.

the class RFC3280CertPathUtilities method prepareCertB.

protected static PKIXPolicyNode prepareCertB(CertPath certPath, int index, List[] policyNodes, PKIXPolicyNode validPolicyTree, int policyMapping) throws CertPathValidatorException {
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate) certs.get(index);
    int n = certs.size();
    // i as defined in the algorithm description
    int i = n - index;
    // (b)
    //
    ASN1Sequence pm = null;
    try {
        pm = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.POLICY_MAPPINGS));
    } catch (AnnotatedException ex) {
        throw new ExtCertPathValidatorException("Policy mappings extension could not be decoded.", ex, certPath, index);
    }
    PKIXPolicyNode _validPolicyTree = validPolicyTree;
    if (pm != null) {
        ASN1Sequence mappings = (ASN1Sequence) pm;
        Map m_idp = new HashMap();
        Set s_idp = new HashSet();
        for (int j = 0; j < mappings.size(); j++) {
            ASN1Sequence mapping = (ASN1Sequence) mappings.getObjectAt(j);
            String id_p = ((DERObjectIdentifier) mapping.getObjectAt(0)).getId();
            String sd_p = ((DERObjectIdentifier) mapping.getObjectAt(1)).getId();
            Set tmp;
            if (!m_idp.containsKey(id_p)) {
                tmp = new HashSet();
                tmp.add(sd_p);
                m_idp.put(id_p, tmp);
                s_idp.add(id_p);
            } else {
                tmp = (Set) m_idp.get(id_p);
                tmp.add(sd_p);
            }
        }
        Iterator it_idp = s_idp.iterator();
        while (it_idp.hasNext()) {
            String id_p = (String) it_idp.next();
            //
            if (policyMapping > 0) {
                boolean idp_found = false;
                Iterator nodes_i = policyNodes[i].iterator();
                while (nodes_i.hasNext()) {
                    PKIXPolicyNode node = (PKIXPolicyNode) nodes_i.next();
                    if (node.getValidPolicy().equals(id_p)) {
                        idp_found = true;
                        node.expectedPolicies = (Set) m_idp.get(id_p);
                        break;
                    }
                }
                if (!idp_found) {
                    nodes_i = policyNodes[i].iterator();
                    while (nodes_i.hasNext()) {
                        PKIXPolicyNode node = (PKIXPolicyNode) nodes_i.next();
                        if (RFC3280CertPathUtilities.ANY_POLICY.equals(node.getValidPolicy())) {
                            Set pq = null;
                            ASN1Sequence policies = null;
                            try {
                                policies = (ASN1Sequence) CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
                            } catch (AnnotatedException e) {
                                throw new ExtCertPathValidatorException("Certificate policies extension could not be decoded.", e, certPath, index);
                            }
                            Enumeration e = policies.getObjects();
                            while (e.hasMoreElements()) {
                                PolicyInformation pinfo = null;
                                try {
                                    pinfo = PolicyInformation.getInstance(e.nextElement());
                                } catch (Exception ex) {
                                    throw new CertPathValidatorException("Policy information could not be decoded.", ex, certPath, index);
                                }
                                if (RFC3280CertPathUtilities.ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId())) {
                                    try {
                                        pq = CertPathValidatorUtilities.getQualifierSet(pinfo.getPolicyQualifiers());
                                    } catch (CertPathValidatorException ex) {
                                        throw new ExtCertPathValidatorException("Policy qualifier info set could not be decoded.", ex, certPath, index);
                                    }
                                    break;
                                }
                            }
                            boolean ci = false;
                            if (cert.getCriticalExtensionOIDs() != null) {
                                ci = cert.getCriticalExtensionOIDs().contains(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
                            }
                            PKIXPolicyNode p_node = (PKIXPolicyNode) node.getParent();
                            if (RFC3280CertPathUtilities.ANY_POLICY.equals(p_node.getValidPolicy())) {
                                PKIXPolicyNode c_node = new PKIXPolicyNode(new ArrayList(), i, (Set) m_idp.get(id_p), p_node, pq, id_p, ci);
                                p_node.addChild(c_node);
                                policyNodes[i].add(c_node);
                            }
                            break;
                        }
                    }
                }
            //
            // (2)
            //
            } else if (policyMapping <= 0) {
                Iterator nodes_i = policyNodes[i].iterator();
                while (nodes_i.hasNext()) {
                    PKIXPolicyNode node = (PKIXPolicyNode) nodes_i.next();
                    if (node.getValidPolicy().equals(id_p)) {
                        PKIXPolicyNode p_node = (PKIXPolicyNode) node.getParent();
                        p_node.removeChild(node);
                        nodes_i.remove();
                        for (int k = (i - 1); k >= 0; k--) {
                            List nodes = policyNodes[k];
                            for (int l = 0; l < nodes.size(); l++) {
                                PKIXPolicyNode node2 = (PKIXPolicyNode) nodes.get(l);
                                if (!node2.hasChildren()) {
                                    _validPolicyTree = CertPathValidatorUtilities.removePolicyNode(_validPolicyTree, policyNodes, node2);
                                    if (_validPolicyTree == null) {
                                        break;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    return _validPolicyTree;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) Enumeration(java.util.Enumeration) HashMap(java.util.HashMap) PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) ArrayList(java.util.ArrayList) DERObjectIdentifier(org.bouncycastle.asn1.DERObjectIdentifier) X509Certificate(java.security.cert.X509Certificate) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) Iterator(java.util.Iterator) List(java.util.List) ArrayList(java.util.ArrayList) Map(java.util.Map) HashMap(java.util.HashMap) HashSet(java.util.HashSet)

Example 3 with PolicyInformation

use of org.bouncycastle.asn1.x509.PolicyInformation in project robovm by robovm.

the class RFC3280CertPathUtilities method processCertD.

protected static PKIXPolicyNode processCertD(CertPath certPath, int index, Set acceptablePolicies, PKIXPolicyNode validPolicyTree, List[] policyNodes, int inhibitAnyPolicy) throws CertPathValidatorException {
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate) certs.get(index);
    int n = certs.size();
    // i as defined in the algorithm description
    int i = n - index;
    //
    // (d) policy Information checking against initial policy and
    // policy mapping
    //
    ASN1Sequence certPolicies = null;
    try {
        certPolicies = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CERTIFICATE_POLICIES));
    } catch (AnnotatedException e) {
        throw new ExtCertPathValidatorException("Could not read certificate policies extension from certificate.", e, certPath, index);
    }
    if (certPolicies != null && validPolicyTree != null) {
        //
        // (d) (1)
        //
        Enumeration e = certPolicies.getObjects();
        Set pols = new HashSet();
        while (e.hasMoreElements()) {
            PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement());
            DERObjectIdentifier pOid = pInfo.getPolicyIdentifier();
            pols.add(pOid.getId());
            if (!RFC3280CertPathUtilities.ANY_POLICY.equals(pOid.getId())) {
                Set pq = null;
                try {
                    pq = CertPathValidatorUtilities.getQualifierSet(pInfo.getPolicyQualifiers());
                } catch (CertPathValidatorException ex) {
                    throw new ExtCertPathValidatorException("Policy qualifier info set could not be build.", ex, certPath, index);
                }
                boolean match = CertPathValidatorUtilities.processCertD1i(i, policyNodes, pOid, pq);
                if (!match) {
                    CertPathValidatorUtilities.processCertD1ii(i, policyNodes, pOid, pq);
                }
            }
        }
        if (acceptablePolicies.isEmpty() || acceptablePolicies.contains(RFC3280CertPathUtilities.ANY_POLICY)) {
            acceptablePolicies.clear();
            acceptablePolicies.addAll(pols);
        } else {
            Iterator it = acceptablePolicies.iterator();
            Set t1 = new HashSet();
            while (it.hasNext()) {
                Object o = it.next();
                if (pols.contains(o)) {
                    t1.add(o);
                }
            }
            acceptablePolicies.clear();
            acceptablePolicies.addAll(t1);
        }
        //
        if ((inhibitAnyPolicy > 0) || ((i < n) && CertPathValidatorUtilities.isSelfIssued(cert))) {
            e = certPolicies.getObjects();
            while (e.hasMoreElements()) {
                PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement());
                if (RFC3280CertPathUtilities.ANY_POLICY.equals(pInfo.getPolicyIdentifier().getId())) {
                    Set _apq = CertPathValidatorUtilities.getQualifierSet(pInfo.getPolicyQualifiers());
                    List _nodes = policyNodes[i - 1];
                    for (int k = 0; k < _nodes.size(); k++) {
                        PKIXPolicyNode _node = (PKIXPolicyNode) _nodes.get(k);
                        Iterator _policySetIter = _node.getExpectedPolicies().iterator();
                        while (_policySetIter.hasNext()) {
                            Object _tmp = _policySetIter.next();
                            String _policy;
                            if (_tmp instanceof String) {
                                _policy = (String) _tmp;
                            } else if (_tmp instanceof DERObjectIdentifier) {
                                _policy = ((DERObjectIdentifier) _tmp).getId();
                            } else {
                                continue;
                            }
                            boolean _found = false;
                            Iterator _childrenIter = _node.getChildren();
                            while (_childrenIter.hasNext()) {
                                PKIXPolicyNode _child = (PKIXPolicyNode) _childrenIter.next();
                                if (_policy.equals(_child.getValidPolicy())) {
                                    _found = true;
                                }
                            }
                            if (!_found) {
                                Set _newChildExpectedPolicies = new HashSet();
                                _newChildExpectedPolicies.add(_policy);
                                PKIXPolicyNode _newChild = new PKIXPolicyNode(new ArrayList(), i, _newChildExpectedPolicies, _node, _apq, _policy, false);
                                _node.addChild(_newChild);
                                policyNodes[i].add(_newChild);
                            }
                        }
                    }
                    break;
                }
            }
        }
        PKIXPolicyNode _validPolicyTree = validPolicyTree;
        //
        for (int j = (i - 1); j >= 0; j--) {
            List nodes = policyNodes[j];
            for (int k = 0; k < nodes.size(); k++) {
                PKIXPolicyNode node = (PKIXPolicyNode) nodes.get(k);
                if (!node.hasChildren()) {
                    _validPolicyTree = CertPathValidatorUtilities.removePolicyNode(_validPolicyTree, policyNodes, node);
                    if (_validPolicyTree == null) {
                        break;
                    }
                }
            }
        }
        //
        // d (4)
        //
        Set criticalExtensionOids = cert.getCriticalExtensionOIDs();
        if (criticalExtensionOids != null) {
            boolean critical = criticalExtensionOids.contains(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
            List nodes = policyNodes[i];
            for (int j = 0; j < nodes.size(); j++) {
                PKIXPolicyNode node = (PKIXPolicyNode) nodes.get(j);
                node.setCritical(critical);
            }
        }
        return _validPolicyTree;
    }
    return null;
}
Also used : Enumeration(java.util.Enumeration) Set(java.util.Set) HashSet(java.util.HashSet) PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) ArrayList(java.util.ArrayList) DERObjectIdentifier(org.bouncycastle.asn1.DERObjectIdentifier) X509Certificate(java.security.cert.X509Certificate) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) Iterator(java.util.Iterator) List(java.util.List) ArrayList(java.util.ArrayList) ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject) HashSet(java.util.HashSet)

Example 4 with PolicyInformation

use of org.bouncycastle.asn1.x509.PolicyInformation in project robovm by robovm.

the class X509CertSelector method match.

/**
     * Returns whether the specified certificate matches all the criteria
     * collected in this instance.
     *
     * @param certificate
     *            the certificate to check.
     * @return {@code true} if the certificate matches all the criteria,
     *         otherwise {@code false}.
     */
public boolean match(Certificate certificate) {
    if (!(certificate instanceof X509Certificate)) {
        return false;
    }
    X509Certificate cert = (X509Certificate) certificate;
    if ((certificateEquals != null) && !certificateEquals.equals(cert)) {
        return false;
    }
    if ((serialNumber != null) && !serialNumber.equals(cert.getSerialNumber())) {
        return false;
    }
    if ((issuer != null) && !issuer.equals(cert.getIssuerX500Principal())) {
        return false;
    }
    if ((subject != null) && !subject.equals(cert.getSubjectX500Principal())) {
        return false;
    }
    if ((subjectKeyIdentifier != null) && !Arrays.equals(subjectKeyIdentifier, // are taken from rfc 3280 (http://www.ietf.org/rfc/rfc3280.txt)
    getExtensionValue(cert, "2.5.29.14"))) {
        return false;
    }
    if ((authorityKeyIdentifier != null) && !Arrays.equals(authorityKeyIdentifier, getExtensionValue(cert, "2.5.29.35"))) {
        return false;
    }
    if (certificateValid != null) {
        try {
            cert.checkValidity(certificateValid);
        } catch (CertificateExpiredException e) {
            return false;
        } catch (CertificateNotYetValidException e) {
            return false;
        }
    }
    if (privateKeyValid != null) {
        try {
            byte[] bytes = getExtensionValue(cert, "2.5.29.16");
            if (bytes == null) {
                return false;
            }
            PrivateKeyUsagePeriod pkup = (PrivateKeyUsagePeriod) PrivateKeyUsagePeriod.ASN1.decode(bytes);
            Date notBefore = pkup.getNotBefore();
            Date notAfter = pkup.getNotAfter();
            if ((notBefore == null) && (notAfter == null)) {
                return false;
            }
            if ((notBefore != null) && notBefore.compareTo(privateKeyValid) > 0) {
                return false;
            }
            if ((notAfter != null) && notAfter.compareTo(privateKeyValid) < 0) {
                return false;
            }
        } catch (IOException e) {
            return false;
        }
    }
    if (subjectPublicKeyAlgID != null) {
        try {
            byte[] encoding = cert.getPublicKey().getEncoded();
            AlgorithmIdentifier ai = ((SubjectPublicKeyInfo) SubjectPublicKeyInfo.ASN1.decode(encoding)).getAlgorithmIdentifier();
            if (!subjectPublicKeyAlgID.equals(ai.getAlgorithm())) {
                return false;
            }
        } catch (IOException e) {
            e.printStackTrace();
            return false;
        }
    }
    if (subjectPublicKey != null) {
        if (!Arrays.equals(subjectPublicKey, cert.getPublicKey().getEncoded())) {
            return false;
        }
    }
    if (keyUsage != null) {
        boolean[] ku = cert.getKeyUsage();
        if (ku != null) {
            int i = 0;
            int min_length = (ku.length < keyUsage.length) ? ku.length : keyUsage.length;
            for (; i < min_length; i++) {
                if (keyUsage[i] && !ku[i]) {
                    // but certificate does not.
                    return false;
                }
            }
            for (; i < keyUsage.length; i++) {
                if (keyUsage[i]) {
                    return false;
                }
            }
        }
    }
    if (extendedKeyUsage != null) {
        try {
            List keyUsage = cert.getExtendedKeyUsage();
            if (keyUsage != null) {
                if (!keyUsage.containsAll(extendedKeyUsage)) {
                    return false;
                }
            }
        } catch (CertificateParsingException e) {
            return false;
        }
    }
    if (pathLen != -1) {
        int p_len = cert.getBasicConstraints();
        if ((pathLen < 0) && (p_len >= 0)) {
            // need end-entity but got CA
            return false;
        }
        if ((pathLen > 0) && (pathLen > p_len)) {
            // allowed _pathLen is small
            return false;
        }
    }
    if (subjectAltNames != null) {
        PASSED: try {
            byte[] bytes = getExtensionValue(cert, "2.5.29.17");
            if (bytes == null) {
                return false;
            }
            List<GeneralName> sans = ((GeneralNames) GeneralNames.ASN1.decode(bytes)).getNames();
            if ((sans == null) || (sans.size() == 0)) {
                return false;
            }
            boolean[][] map = new boolean[9][];
            // initialize the check map
            for (int i = 0; i < 9; i++) {
                map[i] = (subjectAltNames[i] == null) ? EmptyArray.BOOLEAN : new boolean[subjectAltNames[i].size()];
            }
            for (GeneralName name : sans) {
                int tag = name.getTag();
                for (int i = 0; i < map[tag].length; i++) {
                    if (subjectAltNames[tag].get(i).equals(name)) {
                        if (!matchAllNames) {
                            break PASSED;
                        }
                        map[tag][i] = true;
                    }
                }
            }
            if (!matchAllNames) {
                // there was not any match
                return false;
            }
            // else check the map
            for (int tag = 0; tag < 9; tag++) {
                for (int name = 0; name < map[tag].length; name++) {
                    if (!map[tag][name]) {
                        return false;
                    }
                }
            }
        } catch (IOException e) {
            e.printStackTrace();
            return false;
        }
    }
    if (nameConstraints != null) {
        if (!nameConstraints.isAcceptable(cert)) {
            return false;
        }
    }
    if (policies != null) {
        byte[] bytes = getExtensionValue(cert, "2.5.29.32");
        if (bytes == null) {
            return false;
        }
        if (policies.size() == 0) {
            // one policy in it.
            return true;
        }
        PASSED: try {
            List<PolicyInformation> policyInformations = ((CertificatePolicies) CertificatePolicies.ASN1.decode(bytes)).getPolicyInformations();
            for (PolicyInformation policyInformation : policyInformations) {
                if (policies.contains(policyInformation.getPolicyIdentifier())) {
                    break PASSED;
                }
            }
            return false;
        } catch (IOException e) {
            // the extension is invalid
            return false;
        }
    }
    if (pathToNames != null) {
        byte[] bytes = getExtensionValue(cert, "2.5.29.30");
        if (bytes != null) {
            NameConstraints nameConstraints;
            try {
                nameConstraints = (NameConstraints) NameConstraints.ASN1.decode(bytes);
            } catch (IOException e) {
                // the extension is invalid;
                return false;
            }
            if (!nameConstraints.isAcceptable(pathToNames)) {
                return false;
            }
        }
    }
    return true;
}
Also used : NameConstraints(org.apache.harmony.security.x509.NameConstraints) PolicyInformation(org.apache.harmony.security.x509.PolicyInformation) IOException(java.io.IOException) SubjectPublicKeyInfo(org.apache.harmony.security.x509.SubjectPublicKeyInfo) Date(java.util.Date) AlgorithmIdentifier(org.apache.harmony.security.x509.AlgorithmIdentifier) ArrayList(java.util.ArrayList) List(java.util.List) GeneralName(org.apache.harmony.security.x509.GeneralName) PrivateKeyUsagePeriod(org.apache.harmony.security.x509.PrivateKeyUsagePeriod)

Example 5 with PolicyInformation

use of org.bouncycastle.asn1.x509.PolicyInformation in project XobotOS by xamarin.

the class PolicyInformation method toASN1Object.

/* 
     * PolicyInformation ::= SEQUENCE {
     *      policyIdentifier   CertPolicyId,
     *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF
     *              PolicyQualifierInfo OPTIONAL }
     */
public DERObject toASN1Object() {
    ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(policyIdentifier);
    if (policyQualifiers != null) {
        v.add(policyQualifiers);
    }
    return new DERSequence(v);
}
Also used : DERSequence(org.bouncycastle.asn1.DERSequence) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)

Aggregations

ArrayList (java.util.ArrayList)10 IOException (java.io.IOException)8 CertPathValidatorException (java.security.cert.CertPathValidatorException)8 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)8 PolicyInformation (org.bouncycastle.asn1.x509.PolicyInformation)8 HashSet (java.util.HashSet)7 Enumeration (java.util.Enumeration)6 Iterator (java.util.Iterator)6 List (java.util.List)6 Set (java.util.Set)6 ExtCertPathValidatorException (org.bouncycastle.jce.exception.ExtCertPathValidatorException)6 GeneralSecurityException (java.security.GeneralSecurityException)4 X509Certificate (java.security.cert.X509Certificate)4 DERObjectIdentifier (org.bouncycastle.asn1.DERObjectIdentifier)4 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)4 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)4 IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)4 DERObject (org.bouncycastle.asn1.DERObject)3 PolicyInformation (sun.security.x509.PolicyInformation)3 CertPathBuilderException (java.security.cert.CertPathBuilderException)2