Use of com.github.zhenwei.core.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity:
class X509CertificateTestCase, method testDecodeSignatureAlgorithmMismatch.
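/**
 * Tests the behavior when trying to decode a certificate in which the
 * signature algorithm identifier inside the TBSCertificate sequence does not
 * match the one in the outer Certificate sequence.  Every other element is
 * well-formed (in particular the signature value is a BIT STRING, as in the
 * sibling decode tests) so that the mismatch is the only defect the decoder
 * can reject.
 *
 * @throws Exception If an unexpected problem occurs.
 */
@Test(expectedExceptions = { CertException.class })
public void testDecodeSignatureAlgorithmMismatch() throws Exception {
  final long notBefore = System.currentTimeMillis();
  final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);

  // Signature algorithm as it appears inside the TBSCertificate.
  final ASN1Sequence tbsSignatureAlgorithm = new ASN1Sequence(
       new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null());

  // Signature algorithm as it appears in the outer Certificate sequence.
  // It deliberately differs from the TBS value above; the original test used
  // the same OID in both places and so never exercised the mismatch check.
  final ASN1Sequence outerSignatureAlgorithm = new ASN1Sequence(
       new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null());

  final ASN1Sequence subjectPublicKeyInfo = new ASN1Sequence(
       new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()),
       new ASN1BitString(new boolean[1024]));

  final ASN1Sequence tbsCertificate = new ASN1Sequence(
       new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode()),   // [0] version
       new ASN1BigInteger(12435L),                                   // serialNumber
       tbsSignatureAlgorithm,
       X509Certificate.encodeName(new DN("CN=issuer")),
       new ASN1Sequence(new ASN1GeneralizedTime(notBefore),
            new ASN1GeneralizedTime(notAfter)),
       X509Certificate.encodeName(new DN("CN=ldap.example.com")),
       subjectPublicKeyInfo);

  // A proper BIT STRING signature value, so that a wrong element type for the
  // signature cannot be what triggers the expected CertException.
  final ASN1Sequence valueSequence = new ASN1Sequence(tbsCertificate,
       outerSignatureAlgorithm, new ASN1BitString(new boolean[1024]));

  new X509Certificate(valueSequence.encode());
}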
Use of com.github.zhenwei.core.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity:
class X509CertificateTestCase, method testValidCertificateWithECKeyAllOptionalElements.
/**
 * Tests a valid X.509 certificate with an elliptic curve public key and all
 * optional elements, including all supported types of extensions (and an
 * unsupported type of extension).  The certificate is assembled from its
 * components, encoded, decoded again, and each accessor is compared with the
 * value that went in.  The signature value is a zero-filled placeholder bit
 * string and is never verified; this test covers encoding and decoding only.
 *
 * @throws Exception If an unexpected problem occurs.
 */
@Test()
public void testValidCertificateWithECKeyAllOptionalElements() throws Exception {
  final long notBefore = System.currentTimeMillis();
  final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);

  // Values fed into the certificate and expected back after the round trip.
  final BigInteger expectedSerialNumber = BigInteger.valueOf(987654321L);
  final OID expectedSignatureAlgorithmOID =
       SignatureAlgorithmIdentifier.SHA_256_WITH_ECDSA.getOID();
  final OID expectedPublicKeyAlgorithmOID = PublicKeyAlgorithmIdentifier.EC.getOID();
  final OID expectedCurveOID = NamedCurve.SECP256R1.getOID();
  final DN expectedIssuerDN = new DN("CN=Issuer,O=Example Corp,C=US");
  final DN expectedSubjectDN = new DN("CN=ldap.example.com,O=Example Corp,C=US");
  final OID unsupportedExtensionOID = new OID("1.2.3.4");

  final EllipticCurvePublicKey publicKey = new EllipticCurvePublicKey(
       BigInteger.valueOf(1234567890L), BigInteger.valueOf(9876543210L));

  final boolean[] issuerUniqueIDBits = { true, false, true, false, true };
  final boolean[] subjectUniqueIDBits = { false, true, false, true, false };

  // Placeholder signature; nothing in this test verifies it.
  final ASN1BitString placeholderSignature = new ASN1BitString(new boolean[256]);

  X509Certificate c = new X509Certificate(
       X509CertificateVersion.V3,
       expectedSerialNumber,
       expectedSignatureAlgorithmOID,
       new ASN1Null(),
       placeholderSignature,
       expectedIssuerDN,
       notBefore,
       notAfter,
       expectedSubjectDN,
       expectedPublicKeyAlgorithmOID,
       new ASN1ObjectIdentifier(expectedCurveOID),
       publicKey.encode(),
       publicKey,
       new ASN1BitString(issuerUniqueIDBits),
       new ASN1BitString(subjectUniqueIDBits),
       new X509CertificateExtension(unsupportedExtensionOID, true, "foo".getBytes("UTF-8")),
       new AuthorityKeyIdentifierExtension(false,
            new ASN1OctetString("authority-key-identifier"), null, null),
       new BasicConstraintsExtension(false, false, null),
       new CRLDistributionPointsExtension(false, Collections.singletonList(
            new CRLDistributionPoint(
                 new GeneralNamesBuilder().addDNSName("crl.example.com").build(),
                 null, null))),
       new ExtendedKeyUsageExtension(false, Arrays.asList(
            ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID(),
            ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID())),
       new IssuerAlternativeNameExtension(false,
            new GeneralNamesBuilder().addDNSName("issuer.example.com").build()),
       new KeyUsageExtension(false, true, true, true, true, true, true, true, true, true),
       new SubjectAlternativeNameExtension(false,
            new GeneralNamesBuilder().addDNSName("ldap.example.com").build()),
       new SubjectKeyIdentifierExtension(false,
            new ASN1OctetString("subject-key-identifier")));
  assertNotNull(c.getX509CertificateBytes());

  // Round trip: encode, then decode the bytes into a fresh object.
  c = new X509Certificate(c.encode().encode());

  assertNotNull(c.getVersion());
  assertEquals(c.getVersion(), X509CertificateVersion.V3);

  assertNotNull(c.getSerialNumber());
  assertEquals(c.getSerialNumber(), expectedSerialNumber);

  assertNotNull(c.getSignatureAlgorithmOID());
  assertEquals(c.getSignatureAlgorithmOID(), expectedSignatureAlgorithmOID);
  assertNotNull(c.getSignatureAlgorithmName());
  assertEquals(c.getSignatureAlgorithmName(), "SHA-256 with ECDSA");
  assertNotNull(c.getSignatureAlgorithmNameOrOID());
  assertEquals(c.getSignatureAlgorithmNameOrOID(), "SHA-256 with ECDSA");
  assertNotNull(c.getSignatureAlgorithmParameters());

  assertNotNull(c.getIssuerDN());
  assertEquals(c.getIssuerDN(), expectedIssuerDN);

  // Certificates commonly encode notBefore/notAfter as UTCTime, which has a
  // two-digit year and no sub-second component, so the decoded values need
  // not equal the supplied millisecond timestamps exactly.  Accept anything
  // within a small tolerance instead.
  final long validityToleranceMillis = 2000L;
  assertTrue(Math.abs(c.getNotBeforeTime() - notBefore) < validityToleranceMillis);
  assertNotNull(c.getNotBeforeDate());
  assertEquals(c.getNotBeforeDate(), new Date(c.getNotBeforeTime()));
  assertTrue(Math.abs(c.getNotAfterTime() - notAfter) < validityToleranceMillis);
  assertNotNull(c.getNotAfterDate());
  assertEquals(c.getNotAfterDate(), new Date(c.getNotAfterTime()));

  assertNotNull(c.getSubjectDN());
  assertEquals(c.getSubjectDN(), expectedSubjectDN);

  assertNotNull(c.getPublicKeyAlgorithmOID());
  assertEquals(c.getPublicKeyAlgorithmOID(), expectedPublicKeyAlgorithmOID);
  assertNotNull(c.getPublicKeyAlgorithmName());
  assertEquals(c.getPublicKeyAlgorithmName(), "EC");
  assertNotNull(c.getPublicKeyAlgorithmNameOrOID());
  assertEquals(c.getPublicKeyAlgorithmNameOrOID(), "EC");
  assertNotNull(c.getPublicKeyAlgorithmParameters());
  assertEquals(c.getPublicKeyAlgorithmParameters().decodeAsObjectIdentifier().getOID(),
       expectedCurveOID);
  assertNotNull(c.getEncodedPublicKey());
  assertNotNull(c.getDecodedPublicKey());
  assertTrue(c.getDecodedPublicKey() instanceof EllipticCurvePublicKey);

  assertNotNull(c.getIssuerUniqueID());
  assertTrue(Arrays.equals(c.getIssuerUniqueID().getBits(), issuerUniqueIDBits));
  assertNotNull(c.getSubjectUniqueID());
  assertTrue(Arrays.equals(c.getSubjectUniqueID().getBits(), subjectUniqueIDBits));

  // Extension 0 is the generic (unsupported) one; the remaining eight must
  // decode to their typed subclasses, in the order they were supplied.
  final List<X509CertificateExtension> extensions = c.getExtensions();
  assertNotNull(extensions);
  assertFalse(extensions.isEmpty());
  assertEquals(extensions.size(), 9);
  assertEquals(extensions.get(0).getOID(), unsupportedExtensionOID);
  final Class<?>[] expectedExtensionTypes = {
       AuthorityKeyIdentifierExtension.class,
       BasicConstraintsExtension.class,
       CRLDistributionPointsExtension.class,
       ExtendedKeyUsageExtension.class,
       IssuerAlternativeNameExtension.class,
       KeyUsageExtension.class,
       SubjectAlternativeNameExtension.class,
       SubjectKeyIdentifierExtension.class
  };
  for (int i = 0; i < expectedExtensionTypes.length; i++) {
    assertTrue(expectedExtensionTypes[i].isInstance(extensions.get(i + 1)));
  }

  assertNotNull(c.getSignatureValue());
  assertNotNull(c.toString());
  assertNotNull(c.toPEM());
  assertFalse(c.toPEM().isEmpty());
  assertNotNull(c.toPEMString());
  assertNotNull(c.getX509CertificateBytes());
  assertNotNull(c.getSHA1Fingerprint());
  assertNotNull(c.getSHA256Fingerprint());
  assertNotNull(c.toCertificate());
}
Use of com.github.zhenwei.core.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity:
class X509CertificateTestCase, method testDecodeSignatureAlgorithmElementNotSequence.
/**
 * Tests the behavior when trying to decode a certificate in which the
 * TBSCertificate signature-algorithm element is an OCTET STRING rather than
 * the required AlgorithmIdentifier SEQUENCE.
 *
 * @throws Exception If an unexpected problem occurs.
 */
@Test(expectedExceptions = { CertException.class })
public void testDecodeSignatureAlgorithmElementNotSequence() throws Exception {
  final long validFrom = System.currentTimeMillis();
  final long validUntil = validFrom + (365L * 24L * 60L * 60L * 1000L);

  // Malformed on purpose: an AlgorithmIdentifier must be a SEQUENCE.
  final ASN1OctetString bogusSignatureAlgorithm =
       new ASN1OctetString("not a valid sequence");

  final ASN1Sequence subjectPublicKeyInfo = new ASN1Sequence(
       new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()),
       new ASN1BitString(new boolean[1024]));

  final ASN1Sequence tbsCertificate = new ASN1Sequence(
       new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode()),   // [0] version
       new ASN1BigInteger(12435L),                                   // serialNumber
       bogusSignatureAlgorithm,
       X509Certificate.encodeName(new DN("CN=issuer")),
       new ASN1Sequence(new ASN1UTCTime(validFrom), new ASN1UTCTime(validUntil)),
       X509Certificate.encodeName(new DN("CN=ldap.example.com")),
       subjectPublicKeyInfo);

  final ASN1Sequence outerSignatureAlgorithm = new ASN1Sequence(
       new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null());

  final ASN1Sequence certificateSequence = new ASN1Sequence(tbsCertificate,
       outerSignatureAlgorithm, new ASN1BitString(new boolean[1024]));

  new X509Certificate(certificateSequence.encode());
}
Use of com.github.zhenwei.core.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity:
class CRLDistributionPoint, method encode.
/**
 * Encodes this CRL distribution point to an ASN.1 element.  Each of the three
 * DistributionPoint components is optional and is only written when present:
 * the distributionPoint name, the reasons bit string (omitted when every
 * revocation reason is selected), and the cRLIssuer name.
 *
 * @return The encoded CRL distribution point.
 *
 * @throws CertException If a problem is encountered while encoding this
 * CRL distribution point.
 */
@NotNull()
ASN1Element encode() throws CertException {
  final ArrayList<ASN1Element> components = new ArrayList<>(3);

  final ASN1Element distributionPointName = encodeDistributionPointName();
  if (distributionPointName != null) {
    components.add(new ASN1Element(TYPE_DISTRIBUTION_POINT,
         distributionPointName.encode()));
  }

  // A reasons field that covers every reason means the same as no reasons
  // field at all, so it is left out in that case.
  final EnumSet<CRLDistributionPointRevocationReason> everyReason =
       EnumSet.allOf(CRLDistributionPointRevocationReason.class);
  if (!revocationReasons.equals(everyReason)) {
    components.add(CRLDistributionPointRevocationReason.toBitString(TYPE_REASONS,
         revocationReasons));
  }

  if (crlIssuer != null) {
    components.add(new ASN1Element(TYPE_CRL_ISSUER, crlIssuer.encode().getValue()));
  }

  return new ASN1Sequence(components);
}

/**
 * Encodes the DistributionPointName choice: the full name when one is set,
 * otherwise the name relative to the CRL issuer as a SET of single-value RDN
 * sequences whose attribute types are resolved through the default standard
 * schema.
 *
 * @return The encoded name, or {@code null} if neither a full name nor a name
 *         relative to the CRL issuer is set.
 *
 * @throws CertException If the default schema cannot be obtained, if an
 *                       attribute name is not defined in it, or if an RDN
 *                       component cannot be encoded.
 */
private ASN1Element encodeDistributionPointName() throws CertException {
  if (fullName != null) {
    return new ASN1Element(TYPE_FULL_NAME, fullName.encode().getValue());
  }
  if (nameRelativeToCRLIssuer == null) {
    return null;
  }

  final Schema schema;
  try {
    schema = Schema.getDefaultStandardSchema();
  } catch (final Exception e) {
    Debug.debugException(e);
    throw new CertException(ERR_CRL_DP_ENCODE_CANNOT_GET_SCHEMA.get(toString(),
         String.valueOf(nameRelativeToCRLIssuer), StaticUtils.getExceptionMessage(e)), e);
  }

  final String[] attributeNames = nameRelativeToCRLIssuer.getAttributeNames();
  final String[] attributeValues = nameRelativeToCRLIssuer.getAttributeValues();
  final ArrayList<ASN1Element> rdnComponents = new ArrayList<>(attributeNames.length);
  for (int i = 0; i < attributeNames.length; i++) {
    final AttributeTypeDefinition attributeType = schema.getAttributeType(attributeNames[i]);
    if (attributeType == null) {
      throw new CertException(ERR_CRL_DP_ENCODE_UNKNOWN_ATTR_TYPE.get(toString(),
           String.valueOf(nameRelativeToCRLIssuer), attributeNames[i]));
    }

    // NOTE(review): every value is written as a UTF8String regardless of the
    // attribute's declared syntax; confirm this is what relying parties expect
    // for types whose DirectoryString form is usually PrintableString.
    try {
      rdnComponents.add(new ASN1Sequence(
           new ASN1ObjectIdentifier(attributeType.getOID()),
           new ASN1UTF8String(attributeValues[i])));
    } catch (final Exception e) {
      Debug.debugException(e);
      throw new CertException(ERR_CRL_DP_ENCODE_ERROR.get(toString(),
           String.valueOf(nameRelativeToCRLIssuer), StaticUtils.getExceptionMessage(e)), e);
    }
  }

  return new ASN1Set(TYPE_NAME_RELATIVE_TO_CRL_ISSUER, rdnComponents);
}
Use of com.github.zhenwei.core.asn1.ASN1ObjectIdentifier in project OpenUnison by TremoloSecurity:
class UpnExtractor, method loadNTPrincipal.
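/**
 * Extracts the Microsoft User Principal Name (UPN) from the subject
 * alternative name extension of the first certificate in the supplied chain.
 * The UPN travels as an otherName whose type-id is 1.3.6.1.4.1.311.20.2.3 and
 * whose value is a UTF8String, possibly wrapped in one or more tagged objects.
 *
 * @param certs The client certificate chain.  Only {@code certs[0]} (the
 *              leaf) is examined; may be {@code null} or empty.
 *
 * @return The UPN, or {@code null} if the chain is empty, the leaf has no
 *         subject alternative names, no UPN otherName is present, or the
 *         first UPN otherName found does not hold a UTF8String.
 *
 * @throws CertificateParsingException If the subject alternative name
 *                                     extension cannot be parsed.
 * @throws IOException If an otherName value cannot be read as ASN.1.
 */
private String loadNTPrincipal(X509Certificate[] certs) throws CertificateParsingException, IOException {
  // An absent or empty chain has no leaf to inspect; previously this raised
  // an ArrayIndexOutOfBoundsException.
  if (certs == null || certs.length == 0) {
    return null;
  }

  // Only the leaf is examined here.  Nothing in this method validates the
  // chain; that is up to whichever layer handed the certificates over.
  final X509Certificate leaf = certs[0];
  final Collection<List<?>> subjectAlternativeNames = leaf.getSubjectAlternativeNames();
  if (subjectAlternativeNames == null || subjectAlternativeNames.isEmpty()) {
    return null;
  }

  // Microsoft UPN otherName type-id.
  final String upnOid = "1.3.6.1.4.1.311.20.2.3";

  for (List<?> subjectAltName : subjectAlternativeNames) {
    // Each entry is a two-element list [Integer generalNameType, value]; for
    // otherName the value is the DER-encoded OtherName as a byte[].
    if (((Integer) subjectAltName.get(0)) != GeneralName.otherName) {
      continue;
    }

    // try-with-resources closes the stream on every exit path, including the
    // "different OID" and exception paths, which previously left it open.
    try (ASN1InputStream asn1Input = new ASN1InputStream((byte[]) subjectAltName.get(1))) {
      // OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
      final ASN1Primitive derObject = asn1Input.readObject();
      final DLSequence seq = (DLSequence) derObject;
      final ASN1ObjectIdentifier id = ASN1ObjectIdentifier.getInstance(seq.getObjectAt(0));
      if (!id.getId().equals(upnOid)) {
        continue;
      }

      // Peel explicit tags until the UTF8String is reached.
      ASN1TaggedObject tagged = (ASN1TaggedObject) seq.getObjectAt(1);
      while (true) {
        final ASN1Primitive inner = tagged.getObject();
        if (inner instanceof DERTaggedObject) {
          tagged = (ASN1TaggedObject) inner;
        } else if (inner instanceof DERUTF8String) {
          return ((DERUTF8String) inner).getString();
        } else {
          // A UPN otherName whose value is not a UTF8String: report no
          // principal rather than searching further (unchanged behaviour).
          return null;
        }
      }
    }
  }

  return null;
}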