Search in sources :

Example 41 with DERIA5String

use of com.github.zhenwei.core.asn1.DERIA5String in project module-ballerina-http by ballerina-platform.

the class OCSPVerifier method getAIALocations.

/**
 * Authority Information Access (AIA) is a non-critical extension in an X509 Certificate. This contains the
 * URL of the OCSP endpoint if one is available.
 *
 * @param cert is the certificate
 * @return a lit of URLs in AIA extension of the certificate which will hopefully contain an OCSP endpoint.
 * @throws CertificateVerificationException if any error occurs while retrieving authority access points from the
 * certificate.
 */
public static List<String> getAIALocations(X509Certificate cert) throws CertificateVerificationException {
    // Gets the DER-encoded OCTET string for the extension value for Authority information access points.
    byte[] aiaExtensionValue = cert.getExtensionValue(Extension.authorityInfoAccess.getId());
    if (aiaExtensionValue == null) {
        throw new CertificateVerificationException("Certificate doesn't have Authority Information Access points");
    }
    AuthorityInformationAccess authorityInformationAccess;
    ASN1InputStream asn1InputStream = null;
    try {
        DEROctetString oct = (DEROctetString) (new ASN1InputStream(new ByteArrayInputStream(aiaExtensionValue)).readObject());
        asn1InputStream = new ASN1InputStream(oct.getOctets());
        authorityInformationAccess = AuthorityInformationAccess.getInstance(asn1InputStream.readObject());
    } catch (IOException e) {
        throw new CertificateVerificationException("Cannot read certificate to get OSCP urls", e);
    } finally {
        try {
            if (asn1InputStream != null) {
                asn1InputStream.close();
            }
        } catch (IOException e) {
            LOG.error("Cannot close ASN1InputStream", e);
        }
    }
    List<String> ocspUrlList = new ArrayList<>();
    AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions();
    for (AccessDescription accessDescription : accessDescriptions) {
        GeneralName gn = accessDescription.getAccessLocation();
        if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
            DERIA5String str = DERIA5String.getInstance(gn.getName());
            String accessLocation = str.getString();
            ocspUrlList.add(accessLocation);
        }
    }
    if (ocspUrlList.isEmpty()) {
        throw new CertificateVerificationException("Cannot get OCSP urls from certificate");
    }
    return ocspUrlList;
}
Also used : AuthorityInformationAccess(org.bouncycastle.asn1.x509.AuthorityInformationAccess) ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) ArrayList(java.util.ArrayList) IOException(java.io.IOException) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) CertificateVerificationException(io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.CertificateVerificationException) ByteArrayInputStream(java.io.ByteArrayInputStream) AccessDescription(org.bouncycastle.asn1.x509.AccessDescription) GeneralName(org.bouncycastle.asn1.x509.GeneralName)

Example 42 with DERIA5String

use of com.github.zhenwei.core.asn1.DERIA5String in project zm-mailbox by Zimbra.

the class CertUtil method printCRLDistributionPoints.

private void printCRLDistributionPoints(PrintStream outStream) throws Exception {
    outStream.format("X509v3 CRL Distribution Points: \n");
    // 2.5.29.31
    String extOid = X509Extension.cRLDistributionPoints.getId();
    byte[] extVal = cert.getExtensionValue(extOid);
    if (extVal == null) {
        return;
    }
    /* http://download.oracle.com/javase/6/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)
         *
           The ASN.1 definition for this is:

             Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

             Extension  ::=  SEQUENCE  {
                 extnId        OBJECT IDENTIFIER,
                 critical      BOOLEAN DEFAULT FALSE,
                 extnValue     OCTET STRING
                               -- contains a DER encoding of a value
                               -- of the type registered for use with
                               -- the extnId object identifier value
             }
         */
    byte[] extnValue = DEROctetString.getInstance(ASN1Primitive.fromByteArray(extVal)).getOctets();
    CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(ASN1Primitive.fromByteArray(extnValue));
    DistributionPoint[] distPoints = crlDistPoint.getDistributionPoints();
    for (DistributionPoint distPoint : distPoints) {
        DistributionPointName distPointName = distPoint.getDistributionPoint();
        int type = distPointName.getType();
        if (DistributionPointName.FULL_NAME == type) {
            outStream.format("Full Name: \n");
            GeneralNames generalNames = GeneralNames.getInstance(distPointName.getName());
            GeneralName[] names = generalNames.getNames();
            for (GeneralName generalname : names) {
                int tag = generalname.getTagNo();
                if (GeneralName.uniformResourceIdentifier == tag) {
                    ASN1Encodable name = generalname.getName();
                    DERIA5String str = DERIA5String.getInstance(name);
                    String value = str.getString();
                    outStream.format("    %s\n", value);
                } else {
                    outStream.format("tag %d not yet implemented", tag);
                }
            }
        } else {
            outStream.format("type %d not yet implemented", type);
        }
    }
}
Also used : DERIA5String(org.bouncycastle.asn1.DERIA5String) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)

Example 43 with DERIA5String

use of com.github.zhenwei.core.asn1.DERIA5String in project zm-mailbox by Zimbra.

the class CertUtil method getSubjectAttr.

private String getSubjectAttr(String needAttrName, String needAttrOid) {
    String subjectDN = getSubjectDN();
    try {
        LdapName dn = new LdapName(subjectDN);
        List<Rdn> rdns = dn.getRdns();
        for (Rdn rdn : rdns) {
            String type = rdn.getType();
            boolean isOid = type.contains(".");
            boolean matched = (isOid ? type.equals(needAttrOid) : type.equals(needAttrName));
            if (matched) {
                Object value = rdn.getValue();
                if (value == null) {
                    continue;
                }
                if (isOid) {
                    byte[] bytes = (byte[]) value;
                    ASN1InputStream decoder = null;
                    try {
                        decoder = new ASN1InputStream(bytes);
                        ASN1Encodable encoded = decoder.readObject();
                        DERIA5String str = DERIA5String.getInstance(encoded);
                        return str.getString();
                    } catch (IOException e) {
                        ZimbraLog.account.warn(LOG_PREFIX + "unable to decode " + type, e);
                    } finally {
                        ByteUtil.closeStream(decoder);
                    }
                } else {
                    return value.toString();
                }
            }
        }
    } catch (InvalidNameException e) {
        ZimbraLog.account.warn(LOG_PREFIX + "Invalid subject dn value" + subjectDN, e);
    }
    return null;
}
Also used : ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) DERIA5String(org.bouncycastle.asn1.DERIA5String) InvalidNameException(javax.naming.InvalidNameException) ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) IOException(java.io.IOException) Rdn(javax.naming.ldap.Rdn) LdapName(javax.naming.ldap.LdapName)

Example 44 with DERIA5String

use of com.github.zhenwei.core.asn1.DERIA5String in project athenz by yahoo.

the class ZTSInstanceRegister method generateInstanceRegisterInfo.

private static InstanceRegisterInformation generateInstanceRegisterInfo(final String domainName, final String serviceName, PrivateKey privateKey, final String serviceToken, final String csrDn, final String csrDomain) {
    if (domainName == null || serviceName == null) {
        throw new IllegalArgumentException("Principal's Domain and Service must be specified");
    }
    if (csrDomain == null) {
        throw new IllegalArgumentException("X509 CSR Domain must be specified");
    }
    // Athenz uses lower case for all elements, so let's
    // generate our dn which will be based on our service name
    final String domain = domainName.toLowerCase();
    final String service = serviceName.toLowerCase();
    final String cn = domain + "." + service;
    String dn = "cn=" + cn;
    if (csrDn != null) {
        dn = dn.concat(",").concat(csrDn);
    }
    // now let's generate our dsnName field based on our principal's details
    final String hostName = service + '.' + domain.replace('.', '-') + '.' + csrDomain;
    final String instanceUri = "athenz://instanceid/" + domain + "/" + service;
    GeneralName[] sanArray = new GeneralName[2];
    sanArray[0] = new GeneralName(GeneralName.dNSName, new DERIA5String(hostName));
    sanArray[1] = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(instanceUri));
    String csr;
    try {
        csr = Crypto.generateX509CSR(privateKey, dn, sanArray);
    } catch (OperatorCreationException | IOException ex) {
        throw new ZTSClientException(ZTSClientException.BAD_REQUEST, ex.getMessage());
    }
    return new InstanceRegisterInformation().setCsr(csr).setProvider("sys.auth.zts").setDomain(domain).setService(service).setAttestationData(serviceToken);
}
Also used : DERIA5String(org.bouncycastle.asn1.DERIA5String) DERIA5String(org.bouncycastle.asn1.DERIA5String) GeneralName(org.bouncycastle.asn1.x509.GeneralName) IOException(java.io.IOException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)

Example 45 with DERIA5String

use of com.github.zhenwei.core.asn1.DERIA5String in project athenz by yahoo.

the class ZTSClient method generateInstanceRefreshRequest.

/**
 * Generate a Instance Refresh request that could be sent to ZTS to
 * request a TLS certificate for a service.
 * @param principalDomain name of the principal's domain
 * @param principalService name of the principal's service
 * @param privateKey private key for the service identity for the caller
 * @param csrDn string identifying the dn for the csr without the cn component
 * @param csrDomain string identifying the dns domain for generating SAN fields
 * @param expiryTime number of seconds to request certificate to be valid for
 * @return InstanceRefreshRequest object
 */
public static InstanceRefreshRequest generateInstanceRefreshRequest(final String principalDomain, final String principalService, PrivateKey privateKey, final String csrDn, final String csrDomain, int expiryTime) {
    if (principalDomain == null || principalService == null) {
        throw new IllegalArgumentException("Principal's Domain and Service must be specified");
    }
    if (csrDomain == null) {
        throw new IllegalArgumentException("X509 CSR Domain must be specified");
    }
    // Athenz uses lower case for all elements, so let's
    // generate our dn which will be based on our service name
    final String domain = principalDomain.toLowerCase();
    final String service = principalService.toLowerCase();
    final String cn = domain + "." + service;
    String dn = "cn=" + cn;
    if (csrDn != null) {
        dn = dn.concat(",").concat(csrDn);
    }
    // now let's generate our dsnName field based on our principal's details
    GeneralName[] sanArray = new GeneralName[2];
    final String hostName = service + '.' + domain.replace('.', '-') + '.' + csrDomain;
    sanArray[0] = new GeneralName(GeneralName.dNSName, new DERIA5String(hostName));
    final String spiffeUri = SPIFFE_URI + domain + SPIFFE_COMP_SERVICE + service;
    sanArray[1] = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(spiffeUri));
    String csr;
    try {
        csr = Crypto.generateX509CSR(privateKey, dn, sanArray);
    } catch (OperatorCreationException | IOException ex) {
        throw new ZTSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
    }
    return new InstanceRefreshRequest().setCsr(csr).setExpiryTime(expiryTime);
}
Also used : DERIA5String(org.bouncycastle.asn1.DERIA5String) DERIA5String(org.bouncycastle.asn1.DERIA5String) GeneralName(org.bouncycastle.asn1.x509.GeneralName) IOException(java.io.IOException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)

Aggregations

DERIA5String (org.bouncycastle.asn1.DERIA5String)80 IOException (java.io.IOException)55 GeneralName (org.bouncycastle.asn1.x509.GeneralName)29 DEROctetString (org.bouncycastle.asn1.DEROctetString)22 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)21 DERSequence (org.bouncycastle.asn1.DERSequence)17 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)16 ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)15 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)14 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)14 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)12 DERBitString (org.bouncycastle.asn1.DERBitString)12 SignatureException (java.security.SignatureException)10 ArrayList (java.util.ArrayList)10 DERTaggedObject (org.bouncycastle.asn1.DERTaggedObject)10 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)10 HashSet (java.util.HashSet)9 DERPrintableString (org.bouncycastle.asn1.DERPrintableString)9 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)9 ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)8