
Example 51 with AuthorityKeyIdentifier

use of com.github.zhenwei.core.asn1.x509.AuthorityKeyIdentifier in project xipki by xipki.

the class IdentifiedCertprofile method getExtensions.

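/**
 * Get the extensions.
 *
 * <p>The extensions handled directly here (SubjectKeyIdentifier, AuthorityKeyIdentifier,
 * IssuerAltName, AuthorityInfoAccess, CRLDistributionPoints, FreshestCRL, BasicConstraints,
 * KeyUsage, ExtendedKeyUsage, ocsp-nocheck, SubjectInfoAccess, CertificatePolicies) are
 * derived from the CA information and the profile; each control is removed from the working
 * map once consumed. All remaining controls are delegated to
 * {@code certprofile.getExtensions(...)}; an extension the profile leaves unset may still be
 * taken from the request when its control permits that. Any control that is still
 * unresolved and marked required afterwards is an error.
 *
 * @param requestedSubject
 *          Subject requested subject. Must not be {@code null}.
 * @param grantedSubject
 *          Granted subject. Must not be {@code null}.
 * @param requestedExtensions
 *          Extensions requested by the requestor. Could be {@code null}.
 * @param publicKeyInfo
 *          Subject public key. Must not be {@code null}.
 * @param publicCaInfo
 *          CA information. Must not be {@code null}.
 * @param crlSignerCert
 *          CRL signer certificate. Could be {@code null}.
 * @param notBefore
 *          NotBefore. Must not be {@code null}.
 * @param notAfter
 *          NotAfter. Must not be {@code null}.
 * @return the extensions of the certificate to be issued.
 * @throws CertprofileException
 *          if a required extension could not be added (the profile and URI checks may
 *          raise it as well).
 * @throws BadCertTemplateException
 *          if the request violates the profile; for CAB Forum BR end-entity certificates
 *          this covers a missing SubjectAltName, a DNSName that is not a valid public
 *          domain, an IP address that is neither 4 nor 16 octets long, and a commonName
 *          that is not covered by the SubjectAltName.
 */
public ExtensionValues getExtensions(X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions, SubjectPublicKeyInfo publicKeyInfo, PublicCaInfo publicCaInfo, X509Cert crlSignerCert, Date notBefore, Date notAfter) throws CertprofileException, BadCertTemplateException {
    notNull(publicKeyInfo, "publicKeyInfo");
    // publicCaInfo is dereferenced unconditionally below (getCaUris), so fail early with a clear message
    notNull(publicCaInfo, "publicCaInfo");
    ExtensionValues values = new ExtensionValues();
    // working copy: a control is removed as soon as its extension has been handled
    Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls());
    // CTLog extension will be processed by the CA
    controls.remove(Extn.id_SCTs);
    Map<ASN1ObjectIdentifier, Extension> requestedExtns = new HashMap<>();
    // remove the request extensions which are not permitted in the request
    if (requestedExtensions != null) {
        ASN1ObjectIdentifier[] oids = requestedExtensions.getExtensionOIDs();
        for (ASN1ObjectIdentifier m : oids) {
            ExtensionControl control = controls.get(m);
            if (control == null || control.isRequest()) {
                requestedExtns.put(m, requestedExtensions.getExtension(m));
            }
        }
    }
    // SubjectKeyIdentifier
    ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier;
    ExtensionControl extControl = controls.remove(extType);
    if (extControl != null) {
        SubjectKeyIdentifier value = certprofile.getSubjectKeyIdentifier(publicKeyInfo);
        addExtension(values, extType, value, extControl);
    }
    // Authority key identifier: either issuer+serial or the CA's key identifier, per profile setting
    extType = Extension.authorityKeyIdentifier;
    extControl = controls.remove(extType);
    if (extControl != null) {
        AuthorityKeyIdentifier value = null;
        if (certprofile.useIssuerAndSerialInAki()) {
            GeneralNames x509CaIssuer = new GeneralNames(new GeneralName(publicCaInfo.getIssuer()));
            value = new AuthorityKeyIdentifier(x509CaIssuer, publicCaInfo.getSerialNumber());
        } else {
            byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer();
            if (ikiValue != null) {
                value = new AuthorityKeyIdentifier(ikiValue);
            }
        }
        // a null value is passed through; addExtension decides how to treat it for this control
        addExtension(values, extType, value, extControl);
    }
    // IssuerAltName
    extType = Extension.issuerAlternativeName;
    extControl = controls.remove(extType);
    if (extControl != null) {
        GeneralNames value = publicCaInfo.getSubjectAltName();
        addExtension(values, extType, value, extControl);
    }
    // AuthorityInfoAccess
    extType = Extension.authorityInfoAccess;
    extControl = controls.remove(extType);
    CaUris caUris = publicCaInfo.getCaUris();
    if (extControl != null) {
        AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl();
        List<String> caIssuers = null;
        if (aiaControl != null && aiaControl.isIncludesCaIssuers()) {
            caIssuers = caUris.getCacertUris();
            assertAllUrisHasProtocol(caIssuers, aiaControl.getCaIssuersProtocols());
        }
        List<String> ocspUris = null;
        if (aiaControl != null && aiaControl.isIncludesOcsp()) {
            ocspUris = caUris.getOcspUris();
            assertAllUrisHasProtocol(ocspUris, aiaControl.getOcspProtocols());
        }
        AuthorityInformationAccess value = null;
        if (CollectionUtil.isNotEmpty(caIssuers) || CollectionUtil.isNotEmpty(ocspUris)) {
            value = CaUtil.createAuthorityInformationAccess(caIssuers, ocspUris);
        }
        addExtension(values, extType, value, extControl);
    }
    if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) {
        X500Name crlSignerSubject = (crlSignerCert == null) ? null : crlSignerCert.getSubject();
        X500Name x500CaPrincipal = publicCaInfo.getSubject();
        // CRLDistributionPoints
        extType = Extension.cRLDistributionPoints;
        extControl = controls.remove(extType);
        if (extControl != null) {
            CRLDistPoint value = null;
            List<String> uris = caUris.getCrlUris();
            if (CollectionUtil.isNotEmpty(uris)) {
                CrlDistributionPointsControl control = certprofile.getCrlDpControl();
                Set<String> protocols = control == null ? null : control.getProtocols();
                assertAllUrisHasProtocol(uris, protocols);
                value = CaUtil.createCrlDistributionPoints(uris, x500CaPrincipal, crlSignerSubject);
            }
            addExtension(values, extType, value, extControl);
        }
        // FreshestCRL
        extType = Extension.freshestCRL;
        extControl = controls.remove(extType);
        if (extControl != null) {
            CRLDistPoint value = null;
            List<String> uris = caUris.getDeltaCrlUris();
            if (CollectionUtil.isNotEmpty(uris)) {
                CrlDistributionPointsControl control = certprofile.getFreshestCrlControl();
                Set<String> protocols = control == null ? null : control.getProtocols();
                assertAllUrisHasProtocol(uris, protocols);
                // use the list that was just checked, not a fresh getDeltaCrlUris() call
                value = CaUtil.createCrlDistributionPoints(uris, x500CaPrincipal, crlSignerSubject);
            }
            addExtension(values, extType, value, extControl);
        }
    }
    // BasicConstraints
    extType = Extension.basicConstraints;
    extControl = controls.remove(extType);
    if (extControl != null) {
        BasicConstraints value = CaUtil.createBasicConstraints(certprofile.getCertLevel(), certprofile.getPathLenBasicConstraint());
        addExtension(values, extType, value, extControl);
    }
    // KeyUsage
    extType = Extension.keyUsage;
    extControl = controls.remove(extType);
    if (extControl != null) {
        Set<KeyUsage> usages = new HashSet<>();
        Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage();
        for (KeyUsageControl k : usageOccs) {
            if (k.isRequired()) {
                usages.add(k.getKeyUsage());
            }
        }
        // the optional KeyUsage will only be set if requested explicitly
        addRequestedKeyusage(usages, requestedExtns, usageOccs);
        org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages);
        addExtension(values, extType, value, extControl);
    }
    // ExtendedKeyUsage
    extType = Extension.extendedKeyUsage;
    extControl = controls.remove(extType);
    if (extControl != null) {
        List<ASN1ObjectIdentifier> usages = new LinkedList<>();
        Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages();
        for (ExtKeyUsageControl k : usageOccs) {
            if (k.isRequired()) {
                usages.add(k.getExtKeyUsage());
            }
        }
        // the optional ExtKeyUsage will only be set if requested explicitly
        addRequestedExtKeyusage(usages, requestedExtns, usageOccs);
        // anyExtendedKeyUsage present: the extension must not be critical
        if (extControl.isCritical() && usages.contains(ObjectIdentifiers.XKU.id_kp_anyExtendedKeyUsage)) {
            extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest());
        }
        // timeStamping present: the extension must be critical
        if (!extControl.isCritical() && usages.contains(ObjectIdentifiers.XKU.id_kp_timeStamping)) {
            extControl = new ExtensionControl(true, extControl.isRequired(), extControl.isRequest());
        }
        ExtendedKeyUsage value = X509Util.createExtendedUsage(usages);
        addExtension(values, extType, value, extControl);
    }
    // ocsp-nocheck
    extType = ObjectIdentifiers.Extn.id_extension_pkix_ocsp_nocheck;
    extControl = controls.remove(extType);
    if (extControl != null) {
        // the extension ocsp-nocheck will only be set if requested explicitly
        addExtension(values, extType, DERNull.INSTANCE, extControl);
    }
    // SubjectInfoAccess
    extType = Extension.subjectInfoAccess;
    extControl = controls.remove(extType);
    if (extControl != null) {
        ASN1Sequence value = createSubjectInfoAccess(requestedExtns, certprofile.getSubjectInfoAccessModes());
        addExtension(values, extType, value, extControl);
    }
    // CertificatePolicies
    extType = Extension.certificatePolicies;
    extControl = controls.remove(extType);
    if (extControl != null) {
        ASN1Encodable value = certprofile.getCertificatePolicies();
        addExtension(values, extType, value, extControl);
    }
    // everything else is up to the profile implementation
    ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, grantedSubject, requestedExtns, notBefore, notAfter, publicCaInfo);
    // iterate over a snapshot because handled controls are removed from the map
    Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet());
    for (ASN1ObjectIdentifier type : extTypes) {
        extControl = controls.get(type);
        ExtensionValue value = subvalues.getExtensionValue(type);
        // profile left it unset: fall back to the requested extension, but only if the control allows it
        if (value == null && extControl.isRequest()) {
            Extension reqExt = requestedExtns.get(type);
            if (reqExt != null) {
                value = new ExtensionValue(extControl.isCritical(), reqExt.getParsedValue());
            }
        }
        if (value != null) {
            addExtension(values, type, value, extControl);
            controls.remove(type);
        }
    }
    Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>();
    for (Entry<ASN1ObjectIdentifier, ExtensionControl> entry : controls.entrySet()) {
        if (entry.getValue().isRequired()) {
            unprocessedExtTypes.add(entry.getKey());
        }
    }
    if (CollectionUtil.isNotEmpty(unprocessedExtTypes)) {
        throw new CertprofileException("could not add required extensions " + CertprofileUtil.toString(unprocessedExtTypes));
    }
    // Check the SubjectAltNames
    if (certprofile.getCertDomain() == CertDomain.CABForumBR && getCertLevel() == CertLevel.EndEntity) {
        // Make sure that the commonName included in SubjectAltName
        String commonName = X509Util.getCommonName(grantedSubject);
        boolean commonNameInSan = commonName == null;
        // a BR end-entity certificate without SubjectAltName is a template error, not an NPE
        ExtensionValue sanValue = values.getExtensionValue(Extension.subjectAlternativeName);
        if (sanValue == null) {
            throw new BadCertTemplateException("extension:SubjectAlternativeNames is required but not present");
        }
        // No private IP address is permitted
        GeneralName[] genNames = GeneralNames.getInstance(sanValue.getValue()).getNames();
        for (GeneralName m : genNames) {
            if (GeneralName.dNSName == m.getTagNo()) {
                String domain = DERIA5String.getInstance(m.getName()).getString();
                if (!commonNameInSan && domain.equals(commonName)) {
                    commonNameInSan = true;
                }
                // underscores are not valid in DNS host names; the public-domain check covers the rest
                if (domain.indexOf('_') != -1 || !ExtensionSpec.isValidPublicDomain(domain)) {
                    throw new BadCertTemplateException("invalid DNSName " + domain);
                }
            } else if (GeneralName.iPAddress == m.getTagNo()) {
                byte[] octets = DEROctetString.getInstance(m.getName()).getOctets();
                if (octets.length == 4) {
                    // IPv4 address
                    if (!commonNameInSan) {
                        String ipAddressText = (0xFF & octets[0]) + "." + (0xFF & octets[1]) + "." + (0xFF & octets[2]) + "." + (0xFF & octets[3]);
                        if (ipAddressText.equals(commonName)) {
                            commonNameInSan = true;
                        }
                    }
                // if (!ExtensionSpec.isValidPublicIPv4Address(octets)) {
                // throw new BadCertTemplateException(
                // "invalid IPv4Address " + ipAddressText);
                // }
                } else if (octets.length == 16) {
                    // IPv6 address: a GeneralName iPAddress carries exactly 16 octets (RFC 5280 4.2.1.6);
                    // the previous length check of 8 rejected every well-formed IPv6 SAN
                    if (!commonNameInSan) {
                        // NOTE(review): only the uncompressed 8-group textual form is matched; a commonName
                        // written with "::" compression never matches and is rejected below
                        // get the number of ":"
                        List<Integer> positions = new ArrayList<>(7);
                        int n = commonName.length();
                        for (int i = 0; i < n; i++) {
                            if (commonName.charAt(i) == ':') {
                                positions.add(i);
                            }
                        }
                        if (positions.size() == 7) {
                            String[] blocks = new String[8];
                            blocks[0] = commonName.substring(0, positions.get(0));
                            for (int i = 0; i < 6; i++) {
                                blocks[i + 1] = commonName.substring(positions.get(i) + 1, positions.get(i + 1));
                            }
                            blocks[7] = commonName.substring(positions.get(6) + 1);
                            byte[] commonNameBytes = new byte[16];
                            for (int i = 0; i < 8; i++) {
                                String block = blocks[i];
                                int blen = block.length();
                                // each group is 1-4 hex digits; an empty group leaves the two bytes zero
                                if (blen == 1 || blen == 2) {
                                    commonNameBytes[i * 2 + 1] = (byte) Integer.parseInt(block, 16);
                                } else if (blen == 3 || blen == 4) {
                                    commonNameBytes[i * 2] = (byte) Integer.parseInt(block.substring(0, blen - 2), 16);
                                    commonNameBytes[i * 2 + 1] = (byte) Integer.parseInt(block.substring(blen - 2), 16);
                                } else if (blen != 0) {
                                    throw new BadCertTemplateException("invalid IP address in commonName " + commonName);
                                }
                            }
                            if (Arrays.equals(commonNameBytes, octets)) {
                                commonNameInSan = true;
                            }
                        }
                    }
                } else {
                    throw new BadCertTemplateException("invalid IP address " + Hex.toHexString(octets));
                }
            }
        }
        if (!commonNameInSan) {
            throw new BadCertTemplateException("content of subject:commonName is not included in extension:SubjectAlternativeNames");
        }
    }
    return values;
}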

Example 52 with AuthorityKeyIdentifier

use of com.github.zhenwei.core.asn1.x509.AuthorityKeyIdentifier in project keystore-explorer by kaikramer.

the class X509Ext method getAuthorityKeyIdentifierStringValue.

/**
 * Renders a decoded AuthorityKeyIdentifier extension as display text, one line per
 * component that is present.
 *
 * <pre>
 * AuthorityKeyIdentifier ::= SEQUENCE {
 *   keyIdentifier             [0] KeyIdentifier           OPTIONAL,
 *   authorityCertIssuer       [1] GeneralNames            OPTIONAL,
 *   authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
 *
 * KeyIdentifier           ::= OCTET STRING
 * GeneralNames            ::= SEQUENCE SIZE (1..MAX) OF GeneralName
 * CertificateSerialNumber ::= INTEGER
 * </pre>
 *
 * @param value the encoded extension value handed to {@code AuthorityKeyIdentifier.getInstance}
 * @return the formatted text; the key identifier and the serial number are both rendered
 *         through {@code HexUtil.getHexString}, i.e. as hex, not as a decimal integer
 * @throws IOException declared for callers; note that the BouncyCastle parse itself reports
 *         malformed input with an unchecked exception, which is not translated here
 */
private static String getAuthorityKeyIdentifierStringValue(byte[] value) throws IOException {
    AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(value);
    byte[] keyId = aki.getKeyIdentifier();
    GeneralNames issuer = aki.getAuthorityCertIssuer();
    BigInteger serial = aki.getAuthorityCertSerialNumber();

    StringBuilder out = new StringBuilder();
    // [0] keyIdentifier, hex encoded
    if (keyId != null) {
        out.append(MessageFormat.format(res.getString("AuthorityKeyIdentifier"), HexUtil.getHexString(keyId)))
           .append(NEWLINE);
    }
    // [1] authorityCertIssuer, heading followed by one indented line per GeneralName
    if (issuer != null) {
        out.append(res.getString("CertificateIssuer")).append(NEWLINE);
        for (GeneralName name : issuer.getNames()) {
            out.append(INDENT).append(GeneralNameUtil.toString(name)).append(NEWLINE);
        }
    }
    // [2] authorityCertSerialNumber, also hex encoded
    if (serial != null) {
        out.append(MessageFormat.format(res.getString("CertificateSerialNumber"), HexUtil.getHexString(serial)))
           .append(NEWLINE);
    }
    return out.toString();
}

Example 53 with AuthorityKeyIdentifier

use of com.github.zhenwei.core.asn1.x509.AuthorityKeyIdentifier in project keystore-explorer by kaikramer.

the class X509ExtensionSetUpdater method updateAKI.

/**
 * Re-points the AuthorityKeyIdentifier extension in {@code extensionSet} at a new issuer,
 * keeping the same choice of components (key identifier and/or issuer plus serial number)
 * as the existing value.
 *
 * @param extensionSet          extension set that holds the current AKI; updated in place
 * @param extensionOid          OID under which the AKI is stored in {@code extensionSet}
 * @param newIssuerPublicKey    public key of the new issuer; its 160-bit hash identifier
 *                              becomes the new keyIdentifier
 * @param newIssuerCertName     subject name of the new issuer, used as authorityCertIssuer
 * @param newIssuerSerialNumber serial number of the new issuer certificate
 * @throws CryptoException      presumably from the key identifier generation
 * @throws IOException          if the existing value cannot be read or the new one encoded
 */
private static void updateAKI(X509ExtensionSet extensionSet, String extensionOid, PublicKey newIssuerPublicKey, X500Name newIssuerCertName, BigInteger newIssuerSerialNumber) throws CryptoException, IOException {
    // which components does the existing AKI carry?
    byte[] oldEncoded = X509Ext.unwrapExtension(extensionSet.getExtensionValue(extensionOid));
    AuthorityKeyIdentifier oldAki = AuthorityKeyIdentifier.getInstance(oldEncoded);
    boolean hadKeyId = oldAki.getKeyIdentifier() != null;
    boolean hadSerial = oldAki.getAuthorityCertSerialNumber() != null;

    // replacement components derived from the new issuer
    byte[] newKeyId = new KeyIdentifierGenerator(newIssuerPublicKey).generate160BitHashId();
    GeneralNames newIssuer = new GeneralNames(new GeneralName[] { new GeneralName(newIssuerCertName) });

    // same shape as before: issuer+serial, all three, or key identifier only
    AuthorityKeyIdentifier newAki;
    if (!hadKeyId) {
        newAki = new AuthorityKeyIdentifier(newIssuer, newIssuerSerialNumber);
    } else if (hadSerial) {
        newAki = new AuthorityKeyIdentifier(newKeyId, newIssuer, newIssuerSerialNumber);
    } else {
        newAki = new AuthorityKeyIdentifier(newKeyId);
    }

    // DER-encode, wrap and store under the same OID with the previous criticality
    byte[] wrapped = X509Ext.wrapInOctetString(newAki.getEncoded(ASN1Encoding.DER));
    extensionSet.addExtension(extensionOid, extensionSet.isCritical(extensionOid), wrapped);
}

Example 54 with AuthorityKeyIdentifier

use of com.github.zhenwei.core.asn1.x509.AuthorityKeyIdentifier in project keystore-explorer by kaikramer.

the class DAuthorityKeyIdentifier method okPressed.

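/**
 * Handles the OK button: validates the dialog fields, builds the AuthorityKeyIdentifier,
 * stores its DER encoding in {@code value} and closes the dialog.
 *
 * <p>Accepted component combinations are: key identifier only; issuer name(s) plus serial
 * number; or all three. authorityCertIssuer and authorityCertSerialNumber are only emitted
 * together (RFC 5280 section 4.2.1.1), so a serial number entered without any issuer name is
 * rejected, and issuer names entered without a serial number are not emitted. Any
 * validation failure shows a warning dialog and returns without closing.
 */
private void okPressed() {
    byte[] keyIdentifier = jkiKeyIdentifier.getKeyIdentifier();
    GeneralNames authorityCertIssuer = jgnAuthorityCertIssuer.getGeneralNames();
    boolean hasIssuerNames = authorityCertIssuer.getNames().length != 0;

    BigInteger authorityCertSerialNumber = null;
    String authorityCertSerialNumberStr = jtfAuthorityCertSerialNumber.getText().trim();
    if (!authorityCertSerialNumberStr.isEmpty()) {
        try {
            authorityCertSerialNumber = new BigInteger(authorityCertSerialNumberStr);
        } catch (NumberFormatException ex) {
            JOptionPane.showMessageDialog(this, res.getString("DAuthorityKeyIdentifier.AuthorityCertSerialNumberNotInteger" + ".message"), getTitle(), JOptionPane.WARNING_MESSAGE);
            return;
        }
        // serial numbers must be positive; zero and negative values are rejected
        if (authorityCertSerialNumber.compareTo(BigInteger.ONE) < 0) {
            JOptionPane.showMessageDialog(this, res.getString("DAuthorityKeyIdentifier.AuthorityCertSerialNumberNonZero" + ".message"), getTitle(), JOptionPane.WARNING_MESSAGE);
            return;
        }
    }

    // either a key identifier or (issuer names + serial number) is required
    if (keyIdentifier == null && (!hasIssuerNames || authorityCertSerialNumber == null)) {
        JOptionPane.showMessageDialog(this, res.getString("DAuthorityKeyIdentifier.ValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE);
        return;
    }
    // a serial number without issuer names would encode an empty authorityCertIssuer, which
    // RFC 5280 does not allow; the existing "value required" message is reused for this case
    if (authorityCertSerialNumber != null && !hasIssuerNames) {
        JOptionPane.showMessageDialog(this, res.getString("DAuthorityKeyIdentifier.ValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE);
        return;
    }

    AuthorityKeyIdentifier authorityKeyIdentifier;
    if (authorityCertSerialNumber == null) {
        // key identifier only (the check above guarantees it is present here);
        // issuer names entered without a serial number are deliberately not emitted
        authorityKeyIdentifier = new AuthorityKeyIdentifier(keyIdentifier);
    } else if (keyIdentifier == null) {
        // issuer names + serial number only
        authorityKeyIdentifier = new AuthorityKeyIdentifier(authorityCertIssuer, authorityCertSerialNumber);
    } else {
        // all three components
        authorityKeyIdentifier = new AuthorityKeyIdentifier(keyIdentifier, authorityCertIssuer, authorityCertSerialNumber);
    }

    try {
        value = authorityKeyIdentifier.getEncoded(ASN1Encoding.DER);
    } catch (IOException e) {
        DError.displayError(this, e);
        return;
    }
    closeDialog();
}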

Example 55 with AuthorityKeyIdentifier

use of com.github.zhenwei.core.asn1.x509.AuthorityKeyIdentifier in project xipki by xipki.

the class ComplexProfileConfDemo method certprofileEeComplex.

/**
 * Writes the demo "ee-complex" end-entity profile to {@code destFilename}.
 *
 * <p>The profile exercises most of the extension types the profile model supports: the RDN
 * controls, the standard X.509 extensions (SKI, AKI, AIA, CRL DPs, BasicConstraints,
 * KeyUsage, ExtendedKeyUsage, SubjectDirectoryAttributes, TLS feature,
 * PrivateKeyUsagePeriod, QcStatements, BiometricInfo, SubjectAltName, SubjectInfoAccess)
 * and the admission / restriction / additionalInformation / validityModel extensions. All
 * OIDs under 1.2.3.x and 2.3.4.x and all URLs are demo placeholders, not production values.
 *
 * @param destFilename path the marshalled profile is written to
 * @throws Exception propagated from the builder helpers and from {@code marshall}
 */
private static void certprofileEeComplex(String destFilename) throws Exception {
    X509ProfileType profile = getBaseProfile("certprofile ee-complex", CertLevel.EndEntity, "5y", true, false);

    // ---- Subject: RDN controls as (type, minOccurs, maxOccurs[, regex, ...]) ----
    Subject subjectConf = profile.getSubject();
    subjectConf.setKeepRdnOrder(false);
    List<RdnType> rdns = subjectConf.getRdns();
    rdns.add(createRdn(DN.CN, 1, 1));
    rdns.add(createRdn(DN.C, 1, 1));
    rdns.add(createRdn(DN.O, 1, 1));
    rdns.add(createRdn(DN.OU, 0, 1));
    rdns.add(createRdn(DN.SN, 0, 1, REGEX_SN, null, null));
    rdns.add(createRdn(DN.dateOfBirth, 0, 1));
    rdns.add(createRdn(DN.postalAddress, 0, 1));
    rdns.add(createRdn(DN.userid, 1, 1));
    rdns.add(createRdn(DN.jurisdictionOfIncorporationCountryName, 1, 1));
    rdns.add(createRdn(DN.jurisdictionOfIncorporationLocalityName, 1, 1));
    rdns.add(createRdn(DN.jurisdictionOfIncorporationStateOrProvinceName, 1, 1));
    rdns.add(createRdn(Extn.id_extension_admission, 0, 99));

    // ---- Extensions: each createExtension(...) appends one entry; last(extns) is then configured ----
    List<ExtensionType> extns = profile.getExtensions();

    // controls only, no explicit value
    extns.add(createExtension(Extension.subjectKeyIdentifier, true, false, null));
    extns.add(createExtension(Extension.cRLDistributionPoints, false, false, null));
    extns.add(createExtension(Extension.freshestCRL, false, false, null));
    extns.add(createExtension(Extension.basicConstraints, true, false));

    // AuthorityInfoAccess
    extns.add(createExtension(Extension.authorityInfoAccess, true, false));
    last(extns).setAuthorityInfoAccess(createAuthorityInfoAccess());

    // AuthorityKeyIdentifier
    extns.add(createExtension(Extension.authorityKeyIdentifier, true, false));
    last(extns).setAuthorityKeyIdentifier(createAKIwithSerialAndSerial());

    // KeyUsage: three required usages, no optional ones
    extns.add(createExtension(Extension.keyUsage, true, true));
    last(extns).setKeyUsage(createKeyUsage(new KeyUsage[] { KeyUsage.digitalSignature, KeyUsage.dataEncipherment, KeyUsage.keyEncipherment }, null));

    // ExtendedKeyUsage: serverAuth required, clientAuth optional
    extns.add(createExtension(Extension.extendedKeyUsage, true, false));
    last(extns).setExtendedKeyUsage(createExtendedKeyUsage(new ASN1ObjectIdentifier[] { ObjectIdentifiers.XKU.id_kp_serverAuth }, new ASN1ObjectIdentifier[] { ObjectIdentifiers.XKU.id_kp_clientAuth }));

    // SubjectDirectoryAttributes
    extns.add(createExtension(Extension.subjectDirectoryAttributes, true, false));
    SubjectDirectoryAttributs dirAttrs = new SubjectDirectoryAttributs();
    last(extns).setSubjectDirectoryAttributs(dirAttrs);
    List<DescribableOid> dirAttrTypes = dirAttrs.getTypes();
    dirAttrTypes.add(createOidType(DN.countryOfCitizenship));
    dirAttrTypes.add(createOidType(DN.countryOfResidence));
    dirAttrTypes.add(createOidType(DN.gender));
    dirAttrTypes.add(createOidType(DN.dateOfBirth));
    dirAttrTypes.add(createOidType(DN.placeOfBirth));

    // TLS feature
    extns.add(createExtension(Extn.id_pe_tlsfeature, true, true));
    last(extns).setTlsFeature(createTlsFeature(TlsExtensionType.STATUS_REQUEST, TlsExtensionType.CLIENT_CERTIFICATE_URL));

    // Admission: authority at the syntax level, one admissions entry with its own authority,
    // one profession info with a third naming authority and a registration-number regex
    extns.add(createExtension(Extn.id_extension_admission, true, false));
    AdmissionSyntax admissionSyntax = new AdmissionSyntax();
    last(extns).setAdmissionSyntax(admissionSyntax);
    admissionSyntax.setAdmissionAuthority(new GeneralName(new X500Name("C=DE,CN=admissionAuthority level 1")).getEncoded());

    AdmissionsType admissions = new AdmissionsType();
    admissions.setAdmissionAuthority(new GeneralName(new X500Name("C=DE,CN=admissionAuthority level 2")).getEncoded());
    NamingAuthorityType namingAuthorityL2 = new NamingAuthorityType();
    namingAuthorityL2.setOid(createOidType(new ASN1ObjectIdentifier("1.2.3.4.5")));
    namingAuthorityL2.setUrl("http://naming-authority-level2.myorg.org");
    namingAuthorityL2.setText("namingAuthrityText level 2");
    admissions.setNamingAuthority(namingAuthorityL2);
    admissionSyntax.getContentsOfAdmissions().add(admissions);

    ProfessionInfoType professionInfo = new ProfessionInfoType();
    admissions.getProfessionInfos().add(professionInfo);
    professionInfo.getProfessionOids().add(createOidType(new ASN1ObjectIdentifier("1.2.3.4"), "demo oid"));
    professionInfo.getProfessionItems().add("demo item");
    NamingAuthorityType namingAuthorityL3 = new NamingAuthorityType();
    namingAuthorityL3.setOid(createOidType(new ASN1ObjectIdentifier("1.2.3.4.5")));
    namingAuthorityL3.setUrl("http://naming-authority-level3.myorg.org");
    namingAuthorityL3.setText("namingAuthrityText level 3");
    professionInfo.setNamingAuthority(namingAuthorityL3);
    professionInfo.setAddProfessionInfo(new byte[] { 1, 2, 3, 4 });
    RegistrationNumber registrationNumber = new RegistrationNumber();
    professionInfo.setRegistrationNumber(registrationNumber);
    registrationNumber.setRegex("a*b");

    // restriction
    extns.add(createExtension(Extn.id_extension_restriction, true, false));
    last(extns).setRestriction(createRestriction(DirectoryStringType.utf8String, "demo restriction"));

    // additionalInformation
    extns.add(createExtension(Extn.id_extension_additionalInformation, true, false));
    last(extns).setAdditionalInformation(createAdditionalInformation(DirectoryStringType.utf8String, "demo additional information"));

    // validityModel
    extns.add(createExtension(Extn.id_extension_validityModel, true, false));
    last(extns).setValidityModel(createValidityModel(createOidType(new ASN1ObjectIdentifier("1.3.6.1.4.1.8301.3.5.1"), "chain")));

    // privateKeyUsagePeriod
    extns.add(createExtension(Extension.privateKeyUsagePeriod, true, false));
    last(extns).setPrivateKeyUsagePeriod(createPrivateKeyUsagePeriod("3y"));

    // QcStatements
    extns.add(createExtension(Extension.qCStatements, true, false));
    last(extns).setQcStatements(createQcStatements(true));

    // biometricInfo
    extns.add(createExtension(Extension.biometricInfo, true, false));
    last(extns).setBiometricInfo(createBiometricInfo());

    // SubjectAltName: every standard tag plus two otherName types
    extns.add(createExtension(Extension.subjectAlternativeName, true, true));
    GeneralNameType sanType = new GeneralNameType();
    last(extns).setSubjectAltName(sanType);
    sanType.addTags(GeneralNameTag.rfc822Name, GeneralNameTag.DNSName, GeneralNameTag.directoryName, GeneralNameTag.ediPartyName, GeneralNameTag.uniformResourceIdentifier, GeneralNameTag.IPAddress, GeneralNameTag.registeredID);
    sanType.addOtherNames(createOidType(new ASN1ObjectIdentifier("1.2.3.1")), createOidType(new ASN1ObjectIdentifier("1.2.3.2")));

    // SubjectInfoAccess: caRepository plus ten demo access methods 2.3.4.1 .. 2.3.4.10,
    // each accepting the same set of location tags as the SAN above
    extns.add(createExtension(Extension.subjectInfoAccess, true, false));
    SubjectInfoAccess sia = new SubjectInfoAccess();
    last(extns).setSubjectInfoAccess(sia);
    List<ASN1ObjectIdentifier> accessMethods = new LinkedList<>();
    accessMethods.add(Extn.id_ad_caRepository);
    for (int num = 1; num <= 10; num++) {
        accessMethods.add(new ASN1ObjectIdentifier("2.3.4." + num));
    }
    for (ASN1ObjectIdentifier method : accessMethods) {
        SubjectInfoAccess.Access access = new SubjectInfoAccess.Access();
        sia.getAccesses().add(access);
        access.setAccessMethod(createOidType(method));
        GeneralNameType location = new GeneralNameType();
        access.setAccessLocation(location);
        location.addTags(GeneralNameTag.rfc822Name, GeneralNameTag.DNSName, GeneralNameTag.directoryName, GeneralNameTag.ediPartyName, GeneralNameTag.uniformResourceIdentifier, GeneralNameTag.IPAddress, GeneralNameTag.registeredID);
        location.addOtherNames(createOidType(new ASN1ObjectIdentifier("1.2.3.1")), createOidType(new ASN1ObjectIdentifier("1.2.3.2")));
    }

    marshall(profile, destFilename, true);
}
