Example 31 with CRLDistPoint
use of com.github.zhenwei.core.asn1.x509.CRLDistPoint in project xipki by xipki.
the class ExtensionsChecker method checkExtensionDeltaCrlDistributionPoints.
// method checkExtensionCrlDistributionPoints
private void checkExtensionDeltaCrlDistributionPoints(StringBuilder failureMsg, byte[] extensionValue, X509IssuerInfo issuerInfo) {
CRLDistPoint isCrlDistPoints = CRLDistPoint.getInstance(extensionValue);
DistributionPoint[] isDistributionPoints = isCrlDistPoints.getDistributionPoints();
if (isDistributionPoints == null) {
addViolation(failureMsg, "size of CRLDistributionPoints (deltaCRL)", 0, 1);
return;
} else {
int len = isDistributionPoints.length;
if (len != 1) {
addViolation(failureMsg, "size of CRLDistributionPoints (deltaCRL)", len, 1);
return;
}
}
Set<String> isCrlUrls = new HashSet<>();
for (DistributionPoint entry : isDistributionPoints) {
int asn1Type = entry.getDistributionPoint().getType();
if (asn1Type != DistributionPointName.FULL_NAME) {
addViolation(failureMsg, "tag of DistributionPointName of CRLDistibutionPoints (deltaCRL)", asn1Type, DistributionPointName.FULL_NAME);
continue;
}
GeneralNames isDistributionPointNames = GeneralNames.getInstance(entry.getDistributionPoint().getName());
GeneralName[] names = isDistributionPointNames.getNames();
for (int i = 0; i < names.length; i++) {
GeneralName name = names[i];
if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
addViolation(failureMsg, "tag of deltaCRL URL", name.getTagNo(), GeneralName.uniformResourceIdentifier);
} else {
String uri = ((ASN1String) name.getName()).getString();
isCrlUrls.add(uri);
}
}
Set<String> expCrlUrls = issuerInfo.getCrlUrls();
Set<String> diffs = strInBnotInA(expCrlUrls, isCrlUrls);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("deltaCRL URLs ").append(diffs).append(" are present but not expected; ");
}
diffs = strInBnotInA(isCrlUrls, expCrlUrls);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("deltaCRL URLs ").append(diffs).append(" are absent but are required; ");
}
}
}
Also used :
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1String(org.bouncycastle.asn1.ASN1String)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERT61String(org.bouncycastle.asn1.DERT61String)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ASN1String(org.bouncycastle.asn1.ASN1String)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
HashSet(java.util.HashSet)
Example 32 with CRLDistPoint
use of com.github.zhenwei.core.asn1.x509.CRLDistPoint in project xipki by xipki.
the class IdentifiedCertprofile method getExtensions.
/**
* Get the extensions.
*
* @param requestedSubject
* Subject requested subject. Must not be {@code null}.
* @param grantedSubject
* Granted subject. Must not be {@code null}.
* @param requestedExtensions
* Extensions requested by the requestor. Could be {@code null}.
* @param publicKeyInfo
* Subject public key. Must not be {@code null}.
* @param publicCaInfo
* CA information. Must not be {@code null}.
* @param crlSignerCert
* CRL signer certificate. Could be {@code null}.
* @param notBefore
* NotBefore. Must not be {@code null}.
* @param notAfter
* NotAfter. Must not be {@code null}.
* @return the extensions of the certificate to be issued.
*/
public ExtensionValues getExtensions(X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions, SubjectPublicKeyInfo publicKeyInfo, PublicCaInfo publicCaInfo, X509Cert crlSignerCert, Date notBefore, Date notAfter) throws CertprofileException, BadCertTemplateException {
notNull(publicKeyInfo, "publicKeyInfo");
ExtensionValues values = new ExtensionValues();
Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls());
// CTLog extension will be processed by the CA
controls.remove(Extn.id_SCTs);
Map<ASN1ObjectIdentifier, Extension> requestedExtns = new HashMap<>();
// remove the request extensions which are not permitted in the request
if (requestedExtensions != null) {
ASN1ObjectIdentifier[] oids = requestedExtensions.getExtensionOIDs();
for (ASN1ObjectIdentifier m : oids) {
ExtensionControl control = controls.get(m);
if (control == null || control.isRequest()) {
requestedExtns.put(m, requestedExtensions.getExtension(m));
}
}
}
// SubjectKeyIdentifier
ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier;
ExtensionControl extControl = controls.remove(extType);
if (extControl != null) {
SubjectKeyIdentifier value = certprofile.getSubjectKeyIdentifier(publicKeyInfo);
addExtension(values, extType, value, extControl);
}
// Authority key identifier
extType = Extension.authorityKeyIdentifier;
extControl = controls.remove(extType);
if (extControl != null) {
AuthorityKeyIdentifier value = null;
if (certprofile.useIssuerAndSerialInAki()) {
GeneralNames x509CaIssuer = new GeneralNames(new GeneralName(publicCaInfo.getIssuer()));
value = new AuthorityKeyIdentifier(x509CaIssuer, publicCaInfo.getSerialNumber());
} else {
byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer();
if (ikiValue != null) {
value = new AuthorityKeyIdentifier(ikiValue);
}
}
addExtension(values, extType, value, extControl);
}
// IssuerAltName
extType = Extension.issuerAlternativeName;
extControl = controls.remove(extType);
if (extControl != null) {
GeneralNames value = publicCaInfo.getSubjectAltName();
addExtension(values, extType, value, extControl);
}
// AuthorityInfoAccess
extType = Extension.authorityInfoAccess;
extControl = controls.remove(extType);
CaUris caUris = publicCaInfo.getCaUris();
if (extControl != null) {
AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl();
List<String> caIssuers = null;
if (aiaControl != null && aiaControl.isIncludesCaIssuers()) {
caIssuers = caUris.getCacertUris();
assertAllUrisHasProtocol(caIssuers, aiaControl.getCaIssuersProtocols());
}
List<String> ocspUris = null;
if (aiaControl != null && aiaControl.isIncludesOcsp()) {
ocspUris = caUris.getOcspUris();
assertAllUrisHasProtocol(ocspUris, aiaControl.getOcspProtocols());
}
AuthorityInformationAccess value = null;
if (CollectionUtil.isNotEmpty(caIssuers) || CollectionUtil.isNotEmpty(ocspUris)) {
value = CaUtil.createAuthorityInformationAccess(caIssuers, ocspUris);
}
addExtension(values, extType, value, extControl);
}
if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) {
X500Name crlSignerSubject = (crlSignerCert == null) ? null : crlSignerCert.getSubject();
X500Name x500CaPrincipal = publicCaInfo.getSubject();
// CRLDistributionPoints
extType = Extension.cRLDistributionPoints;
extControl = controls.remove(extType);
if (extControl != null) {
CRLDistPoint value = null;
List<String> uris = caUris.getCrlUris();
if (CollectionUtil.isNotEmpty(uris)) {
CrlDistributionPointsControl control = certprofile.getCrlDpControl();
Set<String> protocols = control == null ? null : control.getProtocols();
assertAllUrisHasProtocol(uris, protocols);
value = CaUtil.createCrlDistributionPoints(uris, x500CaPrincipal, crlSignerSubject);
}
addExtension(values, extType, value, extControl);
}
// FreshestCRL
extType = Extension.freshestCRL;
extControl = controls.remove(extType);
if (extControl != null) {
CRLDistPoint value = null;
List<String> uris = caUris.getDeltaCrlUris();
if (CollectionUtil.isNotEmpty(uris)) {
CrlDistributionPointsControl control = certprofile.getFreshestCrlControl();
Set<String> protocols = control == null ? null : control.getProtocols();
assertAllUrisHasProtocol(uris, protocols);
value = CaUtil.createCrlDistributionPoints(caUris.getDeltaCrlUris(), x500CaPrincipal, crlSignerSubject);
}
addExtension(values, extType, value, extControl);
}
}
// BasicConstraints
extType = Extension.basicConstraints;
extControl = controls.remove(extType);
if (extControl != null) {
BasicConstraints value = CaUtil.createBasicConstraints(certprofile.getCertLevel(), certprofile.getPathLenBasicConstraint());
addExtension(values, extType, value, extControl);
}
// KeyUsage
extType = Extension.keyUsage;
extControl = controls.remove(extType);
if (extControl != null) {
Set<KeyUsage> usages = new HashSet<>();
Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage();
for (KeyUsageControl k : usageOccs) {
if (k.isRequired()) {
usages.add(k.getKeyUsage());
}
}
// the optional KeyUsage will only be set if requested explicitly
addRequestedKeyusage(usages, requestedExtns, usageOccs);
org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages);
addExtension(values, extType, value, extControl);
}
// ExtendedKeyUsage
extType = Extension.extendedKeyUsage;
extControl = controls.remove(extType);
if (extControl != null) {
List<ASN1ObjectIdentifier> usages = new LinkedList<>();
Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages();
for (ExtKeyUsageControl k : usageOccs) {
if (k.isRequired()) {
usages.add(k.getExtKeyUsage());
}
}
// the optional ExtKeyUsage will only be set if requested explicitly
addRequestedExtKeyusage(usages, requestedExtns, usageOccs);
if (extControl.isCritical() && usages.contains(ObjectIdentifiers.XKU.id_kp_anyExtendedKeyUsage)) {
extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest());
}
if (!extControl.isCritical() && usages.contains(ObjectIdentifiers.XKU.id_kp_timeStamping)) {
extControl = new ExtensionControl(true, extControl.isRequired(), extControl.isRequest());
}
ExtendedKeyUsage value = X509Util.createExtendedUsage(usages);
addExtension(values, extType, value, extControl);
}
// ocsp-nocheck
extType = ObjectIdentifiers.Extn.id_extension_pkix_ocsp_nocheck;
extControl = controls.remove(extType);
if (extControl != null) {
// the extension ocsp-nocheck will only be set if requested explicitly
addExtension(values, extType, DERNull.INSTANCE, extControl);
}
// SubjectInfoAccess
extType = Extension.subjectInfoAccess;
extControl = controls.remove(extType);
if (extControl != null) {
ASN1Sequence value = createSubjectInfoAccess(requestedExtns, certprofile.getSubjectInfoAccessModes());
addExtension(values, extType, value, extControl);
}
// CertificatePolicies
extType = Extension.certificatePolicies;
extControl = controls.remove(extType);
if (extControl != null) {
ASN1Encodable value = certprofile.getCertificatePolicies();
addExtension(values, extType, value, extControl);
}
ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, grantedSubject, requestedExtns, notBefore, notAfter, publicCaInfo);
Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet());
for (ASN1ObjectIdentifier type : extTypes) {
extControl = controls.get(type);
ExtensionValue value = subvalues.getExtensionValue(type);
if (value == null && extControl.isRequest()) {
Extension reqExt = requestedExtns.get(type);
if (reqExt != null) {
value = new ExtensionValue(extControl.isCritical(), reqExt.getParsedValue());
}
}
if (value != null) {
addExtension(values, type, value, extControl);
controls.remove(type);
}
}
Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>();
for (Entry<ASN1ObjectIdentifier, ExtensionControl> entry : controls.entrySet()) {
if (entry.getValue().isRequired()) {
unprocessedExtTypes.add(entry.getKey());
}
}
if (CollectionUtil.isNotEmpty(unprocessedExtTypes)) {
throw new CertprofileException("could not add required extensions " + CertprofileUtil.toString(unprocessedExtTypes));
}
// Check the SubjectAltNames
if (certprofile.getCertDomain() == CertDomain.CABForumBR && getCertLevel() == CertLevel.EndEntity) {
// Make sure that the commonName included in SubjectAltName
String commonName = X509Util.getCommonName(grantedSubject);
boolean commonNameInSan = commonName == null;
// No private IP address is permitted
GeneralName[] genNames = GeneralNames.getInstance(values.getExtensionValue(Extension.subjectAlternativeName).getValue()).getNames();
for (GeneralName m : genNames) {
if (GeneralName.dNSName == m.getTagNo()) {
String domain = DERIA5String.getInstance(m.getName()).getString();
if (!commonNameInSan && domain.equals(commonName)) {
commonNameInSan = true;
}
if (domain.indexOf('_') != -1) {
throw new BadCertTemplateException("invalid DNSName " + domain);
}
if (!ExtensionSpec.isValidPublicDomain(domain)) {
throw new BadCertTemplateException("invalid DNSName " + domain);
}
} else if (GeneralName.iPAddress == m.getTagNo()) {
byte[] octets = DEROctetString.getInstance(m.getName()).getOctets();
if (octets.length == 4) {
// IPv4 address
if (!commonNameInSan) {
String ipAddressText = (0xFF & octets[0]) + "." + (0xFF & octets[1]) + "." + (0xFF & octets[2]) + "." + (0xFF & octets[3]);
if (ipAddressText.equals(commonName)) {
commonNameInSan = true;
}
}
// if (!ExtensionSpec.isValidPublicIPv4Address(octets)) {
// throw new BadCertTemplateException(
// "invalid IPv4Address " + ipAddressText);
// }
} else if (octets.length == 8) {
// IPv6 address
if (!commonNameInSan) {
// get the number of ":"
List<Integer> positions = new ArrayList<>(7);
int n = commonName.length();
for (int i = 0; i < n; i++) {
if (commonName.charAt(i) == ':') {
positions.add(i);
}
}
if (positions.size() == 7) {
String[] blocks = new String[8];
blocks[0] = commonName.substring(0, positions.get(0));
for (int i = 0; i < 6; i++) {
blocks[i + 1] = commonName.substring(positions.get(i) + 1, positions.get(i + 1));
}
blocks[7] = commonName.substring(positions.get(6) + 1);
byte[] commonNameBytes = new byte[16];
for (int i = 0; i < 8; i++) {
String block = blocks[i];
int blen = block.length();
if (blen == 1 | blen == 2) {
commonNameBytes[i * 2 + 1] = (byte) Integer.parseInt(block, 16);
} else if (blen == 3 | blen == 4) {
commonNameBytes[i * 2] = (byte) Integer.parseInt(block.substring(0, blen - 2), 16);
commonNameBytes[i * 2 + 1] = (byte) Integer.parseInt(block.substring(blen - 2), 16);
} else if (blen != 0) {
throw new BadCertTemplateException("invalid IP address in commonName " + commonName);
}
}
if (Arrays.equals(commonNameBytes, octets)) {
commonNameInSan = true;
}
}
}
} else {
throw new BadCertTemplateException("invalid IP address " + Hex.toHexString(octets));
}
}
}
if (!commonNameInSan) {
throw new BadCertTemplateException("content of subject:commonName is not included in extension:SubjectAlternativeNames");
}
}
return values;
}
Also used :
KeyUsage(org.xipki.security.KeyUsage)
X500Name(org.bouncycastle.asn1.x500.X500Name)
org.bouncycastle.asn1.x509(org.bouncycastle.asn1.x509)
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
BigInteger(java.math.BigInteger)
CaUris(org.xipki.ca.api.CaUris)
Example 33 with CRLDistPoint
use of com.github.zhenwei.core.asn1.x509.CRLDistPoint in project keystore-explorer by kaikramer.
the class X509Ext method getCrlDistributionPointsStringValue.
private static String getCrlDistributionPointsStringValue(byte[] value) throws IOException {
// @formatter:off
/*
* CRLDistPointSyntax ::= ASN1Sequence SIZE (1..MAX) OF
* DistributionPoint
*/
// @formatter:on
StringBuilder sb = new StringBuilder();
CRLDistPoint crlDistributionPoints = CRLDistPoint.getInstance(value);
int distPoint = 0;
for (DistributionPoint distributionPoint : crlDistributionPoints.getDistributionPoints()) {
distPoint++;
sb.append(MessageFormat.format(res.getString("CrlDistributionPoint"), distPoint));
sb.append(NEWLINE);
sb.append(getDistributionPointString(distributionPoint, INDENT.toString(1)));
}
return sb.toString();
}
Also used :
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
Example 34 with CRLDistPoint
use of com.github.zhenwei.core.asn1.x509.CRLDistPoint in project signer by demoiselle.
the class BasicCertificate method getCRLDistributionPoint.
/**
* @return A list of ulrs that inform the location of the certificate revocation lists
* @throws IOException exception
*/
public List<String> getCRLDistributionPoint() throws IOException {
List<String> crlUrls = new ArrayList<>();
ASN1Primitive primitive = getExtensionValue(Extension.cRLDistributionPoints.getId());
if (primitive == null) {
return null;
}
CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(primitive);
DistributionPoint[] distributionPoints = crlDistPoint.getDistributionPoints();
for (DistributionPoint distributionPoint : distributionPoints) {
DistributionPointName dpn = distributionPoint.getDistributionPoint();
// Look for URIs in fullName
if (dpn != null) {
if (dpn.getType() == DistributionPointName.FULL_NAME) {
GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
for (GeneralName genName : genNames) {
if (genName.getTagNo() == GeneralName.uniformResourceIdentifier) {
String url = DERIA5String.getInstance(genName.getName()).getString();
crlUrls.add(url);
logger.debug("Adicionando a url {}", url);
}
}
}
}
}
return crlUrls;
}
Also used :
ArrayList(java.util.ArrayList)
DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
Example 35 with CRLDistPoint
use of com.github.zhenwei.core.asn1.x509.CRLDistPoint in project pri-fidoiot by secure-device-onboard.
the class OnDieCertSignatureFunction method checkRevocations.
/**
* Checks for revocations.
*
* @param certificateList list of certificates containing revocations
* @return true if revocation check failed
*/
public boolean checkRevocations(Certificate[] certificateList) {
try {
OnDieCertificateManager certManager = Config.getWorker(OnDieCertificateManager.class);
CertificateFactory certificateFactory = CertificateFactory.getInstance(StandardCryptoService.X509_ALG_NAME);
for (Certificate cert : certificateList) {
X509Certificate x509cert = (X509Certificate) cert;
X509CertificateHolder certHolder = new X509CertificateHolder(x509cert.getEncoded());
CRLDistPoint cdp = CRLDistPoint.fromExtensions(certHolder.getExtensions());
if (cdp != null) {
DistributionPoint[] distPoints = cdp.getDistributionPoints();
for (DistributionPoint dp : distPoints) {
GeneralName[] generalNames = GeneralNames.getInstance(dp.getDistributionPoint().getName()).getNames();
for (GeneralName generalName : generalNames) {
String name = generalName.toString();
byte[] crlBytes = certManager.getCertificate(name.substring(name.indexOf("http")));
if (crlBytes == null) {
// + x509cert.getIssuerX500Principal().getName());
return false;
} else {
CRL crl = certificateFactory.generateCRL(new ByteArrayInputStream(crlBytes));
if (crl.isRevoked(cert)) {
return false;
}
}
}
}
}
}
} catch (IOException | CertificateException | CRLException ex) {
return false;
}
return true;
}
Also used :
CertificateException(java.security.cert.CertificateException)
IOException(java.io.IOException)
OnDieCertificateManager(org.fidoalliance.fdo.protocol.db.OnDieCertificateManager)
CertificateFactory(java.security.cert.CertificateFactory)
X509Certificate(java.security.cert.X509Certificate)
ByteArrayInputStream(java.io.ByteArrayInputStream)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
CRL(java.security.cert.CRL)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
CRLException(java.security.cert.CRLException)
X509Certificate(java.security.cert.X509Certificate)
Certificate(java.security.cert.Certificate)
Aggregations
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)34
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)30
GeneralName (org.bouncycastle.asn1.x509.GeneralName)29
IOException (java.io.IOException)24
DistributionPointName (org.bouncycastle.asn1.x509.DistributionPointName)22
ArrayList (java.util.ArrayList)17
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)15
DERIA5String (org.bouncycastle.asn1.DERIA5String)14
CertPathValidatorException (java.security.cert.CertPathValidatorException)13
CRLDistPoint (com.github.zhenwei.core.asn1.x509.CRLDistPoint)11
GeneralSecurityException (java.security.GeneralSecurityException)11
ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)11
DistributionPoint (com.github.zhenwei.core.asn1.x509.DistributionPoint)10
GeneralName (com.github.zhenwei.core.asn1.x509.GeneralName)10
CRLException (java.security.cert.CRLException)10
ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)10
DistributionPointName (com.github.zhenwei.core.asn1.x509.DistributionPointName)9
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)9
CertStoreException (java.security.cert.CertStoreException)8
HashSet (java.util.HashSet)7
