Example 21 with AuthorityInformationAccess
use of com.github.zhenwei.core.asn1.x509.AuthorityInformationAccess in project xipki by xipki.
the class BaseOcspStatusAction method extractOcspUrls.
public static List<String> extractOcspUrls(AuthorityInformationAccess aia) throws CertificateEncodingException {
AccessDescription[] accessDescriptions = aia.getAccessDescriptions();
List<AccessDescription> ocspAccessDescriptions = new LinkedList<>();
for (AccessDescription accessDescription : accessDescriptions) {
if (accessDescription.getAccessMethod().equals(X509ObjectIdentifiers.id_ad_ocsp)) {
ocspAccessDescriptions.add(accessDescription);
}
}
final int n = ocspAccessDescriptions.size();
List<String> ocspUris = new ArrayList<>(n);
for (int i = 0; i < n; i++) {
GeneralName accessLocation = ocspAccessDescriptions.get(i).getAccessLocation();
if (accessLocation.getTagNo() == GeneralName.uniformResourceIdentifier) {
String ocspUri = ((ASN1String) accessLocation.getName()).getString();
ocspUris.add(ocspUri);
}
}
return ocspUris;
}
Also used :
AccessDescription(org.bouncycastle.asn1.x509.AccessDescription)
ArrayList(java.util.ArrayList)
ASN1String(org.bouncycastle.asn1.ASN1String)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ASN1String(org.bouncycastle.asn1.ASN1String)
LinkedList(java.util.LinkedList)
Example 22 with AuthorityInformationAccess
use of com.github.zhenwei.core.asn1.x509.AuthorityInformationAccess in project xipki by xipki.
the class ExtensionsChecker method checkAia.
private static void checkAia(StringBuilder failureMsg, AuthorityInformationAccess aia, ASN1ObjectIdentifier accessMethod, Set<String> expectedUris) {
String typeDesc;
if (X509ObjectIdentifiers.id_ad_ocsp.equals(accessMethod)) {
typeDesc = "OCSP";
} else if (X509ObjectIdentifiers.id_ad_caIssuers.equals(accessMethod)) {
typeDesc = "caIssuer";
} else {
typeDesc = accessMethod.getId();
}
List<AccessDescription> isAccessDescriptions = new LinkedList<>();
for (AccessDescription accessDescription : aia.getAccessDescriptions()) {
if (accessMethod.equals(accessDescription.getAccessMethod())) {
isAccessDescriptions.add(accessDescription);
}
}
int size = isAccessDescriptions.size();
if (size != expectedUris.size()) {
addViolation(failureMsg, "number of AIA " + typeDesc + " URIs", size, expectedUris.size());
return;
}
Set<String> isUris = new HashSet<>();
for (int i = 0; i < size; i++) {
GeneralName isAccessLocation = isAccessDescriptions.get(i).getAccessLocation();
if (isAccessLocation.getTagNo() != GeneralName.uniformResourceIdentifier) {
addViolation(failureMsg, "tag of accessLocation of AIA ", isAccessLocation.getTagNo(), GeneralName.uniformResourceIdentifier);
} else {
String isOcspUri = ((ASN1String) isAccessLocation.getName()).getString();
isUris.add(isOcspUri);
}
}
Set<String> diffs = strInBnotInA(expectedUris, isUris);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append(typeDesc).append(" URIs ").append(diffs.toString());
failureMsg.append(" are present but not expected; ");
}
diffs = strInBnotInA(isUris, expectedUris);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append(typeDesc).append(" URIs ").append(diffs.toString());
failureMsg.append(" are absent but are required; ");
}
}
Also used :
AccessDescription(org.bouncycastle.asn1.x509.AccessDescription)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1String(org.bouncycastle.asn1.ASN1String)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERT61String(org.bouncycastle.asn1.DERT61String)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ASN1String(org.bouncycastle.asn1.ASN1String)
LinkedList(java.util.LinkedList)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
HashSet(java.util.HashSet)
Example 23 with AuthorityInformationAccess
use of com.github.zhenwei.core.asn1.x509.AuthorityInformationAccess in project xipki by xipki.
the class IdentifiedCertprofile method getExtensions.
/**
* Get the extensions.
*
* @param requestedSubject
* Subject requested subject. Must not be {@code null}.
* @param grantedSubject
* Granted subject. Must not be {@code null}.
* @param requestedExtensions
* Extensions requested by the requestor. Could be {@code null}.
* @param publicKeyInfo
* Subject public key. Must not be {@code null}.
* @param publicCaInfo
* CA information. Must not be {@code null}.
* @param crlSignerCert
* CRL signer certificate. Could be {@code null}.
* @param notBefore
* NotBefore. Must not be {@code null}.
* @param notAfter
* NotAfter. Must not be {@code null}.
* @return the extensions of the certificate to be issued.
*/
public ExtensionValues getExtensions(X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions, SubjectPublicKeyInfo publicKeyInfo, PublicCaInfo publicCaInfo, X509Cert crlSignerCert, Date notBefore, Date notAfter) throws CertprofileException, BadCertTemplateException {
notNull(publicKeyInfo, "publicKeyInfo");
ExtensionValues values = new ExtensionValues();
Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls());
// CTLog extension will be processed by the CA
controls.remove(Extn.id_SCTs);
Map<ASN1ObjectIdentifier, Extension> requestedExtns = new HashMap<>();
// remove the request extensions which are not permitted in the request
if (requestedExtensions != null) {
ASN1ObjectIdentifier[] oids = requestedExtensions.getExtensionOIDs();
for (ASN1ObjectIdentifier m : oids) {
ExtensionControl control = controls.get(m);
if (control == null || control.isRequest()) {
requestedExtns.put(m, requestedExtensions.getExtension(m));
}
}
}
// SubjectKeyIdentifier
ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier;
ExtensionControl extControl = controls.remove(extType);
if (extControl != null) {
SubjectKeyIdentifier value = certprofile.getSubjectKeyIdentifier(publicKeyInfo);
addExtension(values, extType, value, extControl);
}
// Authority key identifier
extType = Extension.authorityKeyIdentifier;
extControl = controls.remove(extType);
if (extControl != null) {
AuthorityKeyIdentifier value = null;
if (certprofile.useIssuerAndSerialInAki()) {
GeneralNames x509CaIssuer = new GeneralNames(new GeneralName(publicCaInfo.getIssuer()));
value = new AuthorityKeyIdentifier(x509CaIssuer, publicCaInfo.getSerialNumber());
} else {
byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer();
if (ikiValue != null) {
value = new AuthorityKeyIdentifier(ikiValue);
}
}
addExtension(values, extType, value, extControl);
}
// IssuerAltName
extType = Extension.issuerAlternativeName;
extControl = controls.remove(extType);
if (extControl != null) {
GeneralNames value = publicCaInfo.getSubjectAltName();
addExtension(values, extType, value, extControl);
}
// AuthorityInfoAccess
extType = Extension.authorityInfoAccess;
extControl = controls.remove(extType);
CaUris caUris = publicCaInfo.getCaUris();
if (extControl != null) {
AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl();
List<String> caIssuers = null;
if (aiaControl != null && aiaControl.isIncludesCaIssuers()) {
caIssuers = caUris.getCacertUris();
assertAllUrisHasProtocol(caIssuers, aiaControl.getCaIssuersProtocols());
}
List<String> ocspUris = null;
if (aiaControl != null && aiaControl.isIncludesOcsp()) {
ocspUris = caUris.getOcspUris();
assertAllUrisHasProtocol(ocspUris, aiaControl.getOcspProtocols());
}
AuthorityInformationAccess value = null;
if (CollectionUtil.isNotEmpty(caIssuers) || CollectionUtil.isNotEmpty(ocspUris)) {
value = CaUtil.createAuthorityInformationAccess(caIssuers, ocspUris);
}
addExtension(values, extType, value, extControl);
}
if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) {
X500Name crlSignerSubject = (crlSignerCert == null) ? null : crlSignerCert.getSubject();
X500Name x500CaPrincipal = publicCaInfo.getSubject();
// CRLDistributionPoints
extType = Extension.cRLDistributionPoints;
extControl = controls.remove(extType);
if (extControl != null) {
CRLDistPoint value = null;
List<String> uris = caUris.getCrlUris();
if (CollectionUtil.isNotEmpty(uris)) {
CrlDistributionPointsControl control = certprofile.getCrlDpControl();
Set<String> protocols = control == null ? null : control.getProtocols();
assertAllUrisHasProtocol(uris, protocols);
value = CaUtil.createCrlDistributionPoints(uris, x500CaPrincipal, crlSignerSubject);
}
addExtension(values, extType, value, extControl);
}
// FreshestCRL
extType = Extension.freshestCRL;
extControl = controls.remove(extType);
if (extControl != null) {
CRLDistPoint value = null;
List<String> uris = caUris.getDeltaCrlUris();
if (CollectionUtil.isNotEmpty(uris)) {
CrlDistributionPointsControl control = certprofile.getFreshestCrlControl();
Set<String> protocols = control == null ? null : control.getProtocols();
assertAllUrisHasProtocol(uris, protocols);
value = CaUtil.createCrlDistributionPoints(caUris.getDeltaCrlUris(), x500CaPrincipal, crlSignerSubject);
}
addExtension(values, extType, value, extControl);
}
}
// BasicConstraints
extType = Extension.basicConstraints;
extControl = controls.remove(extType);
if (extControl != null) {
BasicConstraints value = CaUtil.createBasicConstraints(certprofile.getCertLevel(), certprofile.getPathLenBasicConstraint());
addExtension(values, extType, value, extControl);
}
// KeyUsage
extType = Extension.keyUsage;
extControl = controls.remove(extType);
if (extControl != null) {
Set<KeyUsage> usages = new HashSet<>();
Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage();
for (KeyUsageControl k : usageOccs) {
if (k.isRequired()) {
usages.add(k.getKeyUsage());
}
}
// the optional KeyUsage will only be set if requested explicitly
addRequestedKeyusage(usages, requestedExtns, usageOccs);
org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages);
addExtension(values, extType, value, extControl);
}
// ExtendedKeyUsage
extType = Extension.extendedKeyUsage;
extControl = controls.remove(extType);
if (extControl != null) {
List<ASN1ObjectIdentifier> usages = new LinkedList<>();
Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages();
for (ExtKeyUsageControl k : usageOccs) {
if (k.isRequired()) {
usages.add(k.getExtKeyUsage());
}
}
// the optional ExtKeyUsage will only be set if requested explicitly
addRequestedExtKeyusage(usages, requestedExtns, usageOccs);
if (extControl.isCritical() && usages.contains(ObjectIdentifiers.XKU.id_kp_anyExtendedKeyUsage)) {
extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest());
}
if (!extControl.isCritical() && usages.contains(ObjectIdentifiers.XKU.id_kp_timeStamping)) {
extControl = new ExtensionControl(true, extControl.isRequired(), extControl.isRequest());
}
ExtendedKeyUsage value = X509Util.createExtendedUsage(usages);
addExtension(values, extType, value, extControl);
}
// ocsp-nocheck
extType = ObjectIdentifiers.Extn.id_extension_pkix_ocsp_nocheck;
extControl = controls.remove(extType);
if (extControl != null) {
// the extension ocsp-nocheck will only be set if requested explicitly
addExtension(values, extType, DERNull.INSTANCE, extControl);
}
// SubjectInfoAccess
extType = Extension.subjectInfoAccess;
extControl = controls.remove(extType);
if (extControl != null) {
ASN1Sequence value = createSubjectInfoAccess(requestedExtns, certprofile.getSubjectInfoAccessModes());
addExtension(values, extType, value, extControl);
}
// CertificatePolicies
extType = Extension.certificatePolicies;
extControl = controls.remove(extType);
if (extControl != null) {
ASN1Encodable value = certprofile.getCertificatePolicies();
addExtension(values, extType, value, extControl);
}
ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, grantedSubject, requestedExtns, notBefore, notAfter, publicCaInfo);
Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet());
for (ASN1ObjectIdentifier type : extTypes) {
extControl = controls.get(type);
ExtensionValue value = subvalues.getExtensionValue(type);
if (value == null && extControl.isRequest()) {
Extension reqExt = requestedExtns.get(type);
if (reqExt != null) {
value = new ExtensionValue(extControl.isCritical(), reqExt.getParsedValue());
}
}
if (value != null) {
addExtension(values, type, value, extControl);
controls.remove(type);
}
}
Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>();
for (Entry<ASN1ObjectIdentifier, ExtensionControl> entry : controls.entrySet()) {
if (entry.getValue().isRequired()) {
unprocessedExtTypes.add(entry.getKey());
}
}
if (CollectionUtil.isNotEmpty(unprocessedExtTypes)) {
throw new CertprofileException("could not add required extensions " + CertprofileUtil.toString(unprocessedExtTypes));
}
// Check the SubjectAltNames
if (certprofile.getCertDomain() == CertDomain.CABForumBR && getCertLevel() == CertLevel.EndEntity) {
// Make sure that the commonName included in SubjectAltName
String commonName = X509Util.getCommonName(grantedSubject);
boolean commonNameInSan = commonName == null;
// No private IP address is permitted
GeneralName[] genNames = GeneralNames.getInstance(values.getExtensionValue(Extension.subjectAlternativeName).getValue()).getNames();
for (GeneralName m : genNames) {
if (GeneralName.dNSName == m.getTagNo()) {
String domain = DERIA5String.getInstance(m.getName()).getString();
if (!commonNameInSan && domain.equals(commonName)) {
commonNameInSan = true;
}
if (domain.indexOf('_') != -1) {
throw new BadCertTemplateException("invalid DNSName " + domain);
}
if (!ExtensionSpec.isValidPublicDomain(domain)) {
throw new BadCertTemplateException("invalid DNSName " + domain);
}
} else if (GeneralName.iPAddress == m.getTagNo()) {
byte[] octets = DEROctetString.getInstance(m.getName()).getOctets();
if (octets.length == 4) {
// IPv4 address
if (!commonNameInSan) {
String ipAddressText = (0xFF & octets[0]) + "." + (0xFF & octets[1]) + "." + (0xFF & octets[2]) + "." + (0xFF & octets[3]);
if (ipAddressText.equals(commonName)) {
commonNameInSan = true;
}
}
// if (!ExtensionSpec.isValidPublicIPv4Address(octets)) {
// throw new BadCertTemplateException(
// "invalid IPv4Address " + ipAddressText);
// }
} else if (octets.length == 8) {
// IPv6 address
if (!commonNameInSan) {
// get the number of ":"
List<Integer> positions = new ArrayList<>(7);
int n = commonName.length();
for (int i = 0; i < n; i++) {
if (commonName.charAt(i) == ':') {
positions.add(i);
}
}
if (positions.size() == 7) {
String[] blocks = new String[8];
blocks[0] = commonName.substring(0, positions.get(0));
for (int i = 0; i < 6; i++) {
blocks[i + 1] = commonName.substring(positions.get(i) + 1, positions.get(i + 1));
}
blocks[7] = commonName.substring(positions.get(6) + 1);
byte[] commonNameBytes = new byte[16];
for (int i = 0; i < 8; i++) {
String block = blocks[i];
int blen = block.length();
if (blen == 1 | blen == 2) {
commonNameBytes[i * 2 + 1] = (byte) Integer.parseInt(block, 16);
} else if (blen == 3 | blen == 4) {
commonNameBytes[i * 2] = (byte) Integer.parseInt(block.substring(0, blen - 2), 16);
commonNameBytes[i * 2 + 1] = (byte) Integer.parseInt(block.substring(blen - 2), 16);
} else if (blen != 0) {
throw new BadCertTemplateException("invalid IP address in commonName " + commonName);
}
}
if (Arrays.equals(commonNameBytes, octets)) {
commonNameInSan = true;
}
}
}
} else {
throw new BadCertTemplateException("invalid IP address " + Hex.toHexString(octets));
}
}
}
if (!commonNameInSan) {
throw new BadCertTemplateException("content of subject:commonName is not included in extension:SubjectAlternativeNames");
}
}
return values;
}
Also used :
KeyUsage(org.xipki.security.KeyUsage)
X500Name(org.bouncycastle.asn1.x500.X500Name)
org.bouncycastle.asn1.x509(org.bouncycastle.asn1.x509)
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
BigInteger(java.math.BigInteger)
CaUris(org.xipki.ca.api.CaUris)
Example 24 with AuthorityInformationAccess
use of com.github.zhenwei.core.asn1.x509.AuthorityInformationAccess in project keystore-explorer by kaikramer.
the class X509Ext method getAuthorityInformationAccessStringValue.
private static String getAuthorityInformationAccessStringValue(byte[] value) throws IOException {
// @formatter:off
/*
* AuthorityInfoAccessSyntax ::= ASN1Sequence SIZE (1..MAX) OF
* AccessDescription
*
* AccessDescription ::= ASN1Sequence { accessMethod OBJECT IDENTIFIER,
* accessLocation GeneralName }
*/
// @formatter:on
StringBuilder sb = new StringBuilder();
AuthorityInformationAccess authorityInfoAccess = AuthorityInformationAccess.getInstance(value);
int accessDesc = 0;
for (AccessDescription accessDescription : authorityInfoAccess.getAccessDescriptions()) {
accessDesc++;
// Convert OID to access method
ASN1ObjectIdentifier accessMethod = accessDescription.getAccessMethod();
AccessMethodType accessMethodType = AccessMethodType.resolveOid(accessMethod.getId());
String accessMethodStr = null;
if (accessMethodType != null) {
accessMethodStr = accessMethodType.friendly();
} else {
// Unrecognised Access Method OID
accessMethodStr = ObjectIdUtil.toString(accessMethod);
}
GeneralName accessLocation = accessDescription.getAccessLocation();
String accessLocationStr = GeneralNameUtil.toString(accessLocation);
sb.append(MessageFormat.format(res.getString("AuthorityInformationAccess"), accessDesc));
sb.append(NEWLINE);
sb.append(INDENT);
sb.append(MessageFormat.format(res.getString("AccessMethod"), accessMethodStr));
sb.append(NEWLINE);
sb.append(INDENT);
sb.append(res.getString("AccessLocation"));
sb.append(NEWLINE);
sb.append(INDENT.toString(2));
sb.append(accessLocationStr);
sb.append(NEWLINE);
}
return sb.toString();
}
Also used :
AuthorityInformationAccess(org.bouncycastle.asn1.x509.AuthorityInformationAccess)
AccessDescription(org.bouncycastle.asn1.x509.AccessDescription)
DERBitString(org.bouncycastle.asn1.DERBitString)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERGeneralString(org.bouncycastle.asn1.DERGeneralString)
ASN1IA5String(org.bouncycastle.asn1.ASN1IA5String)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
ASN1BitString(org.bouncycastle.asn1.ASN1BitString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
ASN1BMPString(org.bouncycastle.asn1.ASN1BMPString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
ASN1PrintableString(org.bouncycastle.asn1.ASN1PrintableString)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 25 with AuthorityInformationAccess
use of com.github.zhenwei.core.asn1.x509.AuthorityInformationAccess in project keystore-explorer by kaikramer.
the class DAuthorityInformationAccess method okPressed.
private void okPressed() {
List<AccessDescription> accessDescriptions = jadAccessDescriptions.getAccessDescriptions();
if (accessDescriptions.isEmpty()) {
JOptionPane.showMessageDialog(this, res.getString("DAuthorityInformationAccess.ValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE);
return;
}
ASN1EncodableVector vec = new ASN1EncodableVector();
for (AccessDescription accessDescription : accessDescriptions) {
vec.add(accessDescription);
}
AuthorityInformationAccess authorityInformationAccess = AuthorityInformationAccess.getInstance(new DERSequence(vec));
try {
value = authorityInformationAccess.getEncoded(ASN1Encoding.DER);
} catch (IOException e) {
DError.displayError(this, e);
return;
}
closeDialog();
}
Also used :
AuthorityInformationAccess(org.bouncycastle.asn1.x509.AuthorityInformationAccess)
DERSequence(org.bouncycastle.asn1.DERSequence)
AccessDescription(org.bouncycastle.asn1.x509.AccessDescription)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
IOException(java.io.IOException)
Aggregations
AuthorityInformationAccess (org.bouncycastle.asn1.x509.AuthorityInformationAccess)22
AccessDescription (org.bouncycastle.asn1.x509.AccessDescription)19
GeneralName (org.bouncycastle.asn1.x509.GeneralName)14
DERIA5String (org.bouncycastle.asn1.DERIA5String)9
IOException (java.io.IOException)8
ArrayList (java.util.ArrayList)8
DEROctetString (org.bouncycastle.asn1.DEROctetString)7
ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)5
X500Name (org.bouncycastle.asn1.x500.X500Name)5
BigInteger (java.math.BigInteger)4
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)4
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)4
GeneralName (com.github.zhenwei.core.asn1.x509.GeneralName)3
ASN1String (org.bouncycastle.asn1.ASN1String)3
DERSequence (org.bouncycastle.asn1.DERSequence)3
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)3
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)3
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)3
AccessDescription (com.github.zhenwei.core.asn1.x509.AccessDescription)2
AuthorityInformationAccess (com.github.zhenwei.core.asn1.x509.AuthorityInformationAccess)2
