Search in sources :

Example 1 with CRLReason

use of com.github.zhenwei.core.asn1.x509.CRLReason in project XobotOS by xamarin.

the class X509CRLEntryObject method toString.

public String toString() {
    StringBuffer buf = new StringBuffer();
    String nl = System.getProperty("line.separator");
    buf.append("      userCertificate: ").append(this.getSerialNumber()).append(nl);
    buf.append("       revocationDate: ").append(this.getRevocationDate()).append(nl);
    buf.append("       certificateIssuer: ").append(this.getCertificateIssuer()).append(nl);
    X509Extensions extensions = c.getExtensions();
    if (extensions != null) {
        Enumeration e = extensions.oids();
        if (e.hasMoreElements()) {
            buf.append("   crlEntryExtensions:").append(nl);
            while (e.hasMoreElements()) {
                DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement();
                X509Extension ext = extensions.getExtension(oid);
                if (ext.getValue() != null) {
                    byte[] octs = ext.getValue().getOctets();
                    ASN1InputStream dIn = new ASN1InputStream(octs);
                    buf.append("                       critical(").append(ext.isCritical()).append(") ");
                    try {
                        if (oid.equals(X509Extensions.ReasonCode)) {
                            buf.append(new CRLReason(DEREnumerated.getInstance(dIn.readObject()))).append(nl);
                        } else if (oid.equals(X509Extensions.CertificateIssuer)) {
                            buf.append("Certificate issuer: ").append(new GeneralNames((ASN1Sequence) dIn.readObject())).append(nl);
                        } else {
                            buf.append(oid.getId());
                            buf.append(" value = ").append(ASN1Dump.dumpAsString(dIn.readObject())).append(nl);
                        }
                    } catch (Exception ex) {
                        buf.append(oid.getId());
                        buf.append(" value = ").append("*****").append(nl);
                    }
                } else {
                    buf.append(nl);
                }
            }
        }
    }
    return buf.toString();
}
Also used : ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) Enumeration(java.util.Enumeration) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) X509Extension(org.bouncycastle.asn1.x509.X509Extension) X509Extensions(org.bouncycastle.asn1.x509.X509Extensions) CRLReason(org.bouncycastle.asn1.x509.CRLReason) DERObjectIdentifier(org.bouncycastle.asn1.DERObjectIdentifier) IOException(java.io.IOException) CRLException(java.security.cert.CRLException)

Example 2 with CRLReason

use of com.github.zhenwei.core.asn1.x509.CRLReason in project xipki by xipki.

the class ImportCrl method importEntries.

private void importEntries(Connection conn, int caId) throws DataAccessException, ImportCrlException {
    AtomicLong maxId = new AtomicLong(datasource.getMax(conn, "CERT", "ID"));
    // import the revoked information
    Set<? extends X509CRLEntry> revokedCertList = crl.getRevokedCertificates();
    if (revokedCertList != null) {
        for (X509CRLEntry c : revokedCertList) {
            X500Principal issuer = c.getCertificateIssuer();
            BigInteger serial = c.getSerialNumber();
            if (issuer != null) {
                if (!x500PrincipalCaSubject.equals(issuer)) {
                    throw new ImportCrlException("invalid CRLEntry for certificate number " + serial);
                }
            }
            Date rt = c.getRevocationDate();
            Date rit = null;
            byte[] extnValue = c.getExtensionValue(Extension.invalidityDate.getId());
            if (extnValue != null) {
                extnValue = extractCoreValue(extnValue);
                ASN1GeneralizedTime genTime = DERGeneralizedTime.getInstance(extnValue);
                try {
                    rit = genTime.getDate();
                } catch (ParseException ex) {
                    throw new ImportCrlException(ex.getMessage(), ex);
                }
                if (rt.equals(rit)) {
                    rit = null;
                }
            }
            CrlReason reason = CrlReason.fromReason(c.getRevocationReason());
            String sql = null;
            try {
                if (reason == CrlReason.REMOVE_FROM_CRL) {
                    if (!isDeltaCrl) {
                        LOG.warn("ignore CRL entry with reason removeFromCRL in non-Delta CRL");
                    }
                    // delete the entry
                    sql = SQL_DELETE_CERT;
                    psDeleteCert.setInt(1, caId);
                    psDeleteCert.setString(2, serial.toString(16));
                    psDeleteCert.executeUpdate();
                    continue;
                }
                Long id = getId(caId, serial);
                PreparedStatement ps;
                int offset = 1;
                if (id == null) {
                    sql = SQL_INSERT_CERT_REV;
                    id = maxId.incrementAndGet();
                    ps = psInsertCertRev;
                    ps.setLong(offset++, id);
                    ps.setInt(offset++, caId);
                    ps.setString(offset++, serial.toString(16));
                } else {
                    sql = SQL_UPDATE_CERT_REV;
                    ps = psUpdateCertRev;
                }
                ps.setInt(offset++, 1);
                ps.setInt(offset++, reason.getCode());
                ps.setLong(offset++, rt.getTime() / 1000);
                if (rit != null) {
                    ps.setLong(offset++, rit.getTime() / 1000);
                } else {
                    ps.setNull(offset++, Types.BIGINT);
                }
                ps.setLong(offset++, System.currentTimeMillis() / 1000);
                if (ps == psUpdateCertRev) {
                    ps.setLong(offset++, id);
                }
                ps.executeUpdate();
            } catch (SQLException ex) {
                throw datasource.translate(sql, ex);
            }
        }
    }
    // import the certificates
    // extract the certificate
    byte[] extnValue = crl.getExtensionValue(ObjectIdentifiers.id_xipki_ext_crlCertset.getId());
    if (extnValue != null) {
        extnValue = extractCoreValue(extnValue);
        ASN1Set asn1Set = DERSet.getInstance(extnValue);
        final int n = asn1Set.size();
        for (int i = 0; i < n; i++) {
            ASN1Encodable asn1 = asn1Set.getObjectAt(i);
            ASN1Sequence seq = ASN1Sequence.getInstance(asn1);
            BigInteger serialNumber = ASN1Integer.getInstance(seq.getObjectAt(0)).getValue();
            Certificate cert = null;
            String profileName = null;
            final int size = seq.size();
            for (int j = 1; j < size; j++) {
                ASN1TaggedObject taggedObj = DERTaggedObject.getInstance(seq.getObjectAt(j));
                int tagNo = taggedObj.getTagNo();
                switch(tagNo) {
                    case 0:
                        cert = Certificate.getInstance(taggedObj.getObject());
                        break;
                    case 1:
                        profileName = DERUTF8String.getInstance(taggedObj.getObject()).getString();
                        break;
                    default:
                        break;
                }
            }
            if (cert == null) {
                continue;
            }
            if (!caSubject.equals(cert.getIssuer())) {
                LOG.warn("issuer not match (serial={}) in CRL Extension Xipki-CertSet, ignore it", LogUtil.formatCsn(serialNumber));
                continue;
            }
            if (!serialNumber.equals(cert.getSerialNumber().getValue())) {
                LOG.warn("serialNumber not match (serial={}) in CRL Extension Xipki-CertSet, ignore it", LogUtil.formatCsn(serialNumber));
                continue;
            }
            String certLogId = "(issuer='" + cert.getIssuer() + "', serialNumber=" + cert.getSerialNumber() + ")";
            addCertificate(maxId, caId, cert, profileName, certLogId);
        }
    } else {
        // cert dirs
        File certsDir = new File(certsDirName);
        if (!certsDir.exists()) {
            LOG.warn("the folder {} does not exist, ignore it", certsDirName);
            return;
        }
        if (!certsDir.isDirectory()) {
            LOG.warn("the path {} does not point to a folder, ignore it", certsDirName);
            return;
        }
        if (!certsDir.canRead()) {
            LOG.warn("the folder {} must not be read, ignore it", certsDirName);
            return;
        }
        File[] certFiles = certsDir.listFiles(new FilenameFilter() {

            @Override
            public boolean accept(File dir, String name) {
                return name.endsWith(".der") || name.endsWith(".crt");
            }
        });
        if (certFiles == null || certFiles.length == 0) {
            return;
        }
        for (File certFile : certFiles) {
            Certificate cert;
            try {
                byte[] encoded = IoUtil.read(certFile);
                cert = Certificate.getInstance(encoded);
            } catch (IllegalArgumentException | IOException ex) {
                LOG.warn("could not parse certificate {}, ignore it", certFile.getPath());
                continue;
            }
            String certLogId = "(file " + certFile.getName() + ")";
            addCertificate(maxId, caId, cert, null, certLogId);
        }
    }
}
Also used : SQLException(java.sql.SQLException) ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject) ASN1GeneralizedTime(org.bouncycastle.asn1.ASN1GeneralizedTime) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) FilenameFilter(java.io.FilenameFilter) X509CRLEntry(java.security.cert.X509CRLEntry) CrlReason(org.xipki.security.CrlReason) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) PreparedStatement(java.sql.PreparedStatement) IOException(java.io.IOException) Date(java.util.Date) AtomicLong(java.util.concurrent.atomic.AtomicLong) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ASN1Set(org.bouncycastle.asn1.ASN1Set) AtomicLong(java.util.concurrent.atomic.AtomicLong) X500Principal(javax.security.auth.x500.X500Principal) BigInteger(java.math.BigInteger) ParseException(java.text.ParseException) File(java.io.File) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate) TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)

Example 3 with CRLReason

use of com.github.zhenwei.core.asn1.x509.CRLReason in project xipki by xipki.

the class OcspQa method checkSingleCert.

// method checkOcsp
private List<ValidationIssue> checkSingleCert(int index, SingleResp singleResp, IssuerHash issuerHash, OcspCertStatus expectedStatus, byte[] encodedCert, Date expectedRevTime, boolean extendedRevoke, Occurrence nextupdateOccurrence, Occurrence certhashOccurrence, ASN1ObjectIdentifier certhashAlg) {
    if (expectedStatus == OcspCertStatus.unknown || expectedStatus == OcspCertStatus.issuerUnknown) {
        certhashOccurrence = Occurrence.forbidden;
    }
    List<ValidationIssue> issues = new LinkedList<>();
    // issuer hash
    ValidationIssue issue = new ValidationIssue("OCSP.RESPONSE." + index + ".ISSUER", "certificate issuer");
    issues.add(issue);
    CertificateID certId = singleResp.getCertID();
    HashAlgo hashAlgo = HashAlgo.getInstance(certId.getHashAlgOID());
    if (hashAlgo == null) {
        issue.setFailureMessage("unknown hash algorithm " + certId.getHashAlgOID().getId());
    } else {
        if (!issuerHash.match(hashAlgo, certId.getIssuerNameHash(), certId.getIssuerKeyHash())) {
            issue.setFailureMessage("issuer not match");
        }
    }
    // status
    issue = new ValidationIssue("OCSP.RESPONSE." + index + ".STATUS", "certificate status");
    issues.add(issue);
    CertificateStatus singleCertStatus = singleResp.getCertStatus();
    OcspCertStatus status = null;
    Long revTimeSec = null;
    if (singleCertStatus == null) {
        status = OcspCertStatus.good;
    } else if (singleCertStatus instanceof RevokedStatus) {
        RevokedStatus revStatus = (RevokedStatus) singleCertStatus;
        revTimeSec = revStatus.getRevocationTime().getTime() / 1000;
        if (revStatus.hasRevocationReason()) {
            int reason = revStatus.getRevocationReason();
            if (extendedRevoke && reason == CrlReason.CERTIFICATE_HOLD.getCode() && revTimeSec == 0) {
                status = OcspCertStatus.unknown;
                revTimeSec = null;
            } else {
                CrlReason revocationReason = CrlReason.forReasonCode(reason);
                switch(revocationReason) {
                    case UNSPECIFIED:
                        status = OcspCertStatus.unspecified;
                        break;
                    case KEY_COMPROMISE:
                        status = OcspCertStatus.keyCompromise;
                        break;
                    case CA_COMPROMISE:
                        status = OcspCertStatus.cACompromise;
                        break;
                    case AFFILIATION_CHANGED:
                        status = OcspCertStatus.affiliationChanged;
                        break;
                    case SUPERSEDED:
                        status = OcspCertStatus.superseded;
                        break;
                    case CERTIFICATE_HOLD:
                        status = OcspCertStatus.certificateHold;
                        break;
                    case REMOVE_FROM_CRL:
                        status = OcspCertStatus.removeFromCRL;
                        break;
                    case PRIVILEGE_WITHDRAWN:
                        status = OcspCertStatus.privilegeWithdrawn;
                        break;
                    case AA_COMPROMISE:
                        status = OcspCertStatus.aACompromise;
                        break;
                    case CESSATION_OF_OPERATION:
                        status = OcspCertStatus.cessationOfOperation;
                        break;
                    default:
                        issue.setFailureMessage("should not reach here, unknown CRLReason " + revocationReason);
                        break;
                }
            }
        // end if
        } else {
            status = OcspCertStatus.rev_noreason;
        }
    // end if (revStatus.hasRevocationReason())
    } else if (singleCertStatus instanceof UnknownStatus) {
        status = extendedRevoke ? OcspCertStatus.issuerUnknown : OcspCertStatus.unknown;
    } else {
        issue.setFailureMessage("unknown certstatus: " + singleCertStatus.getClass().getName());
    }
    if (!issue.isFailed() && expectedStatus != status) {
        issue.setFailureMessage("is='" + status + "', but expected='" + expectedStatus + "'");
    }
    // revocation time
    issue = new ValidationIssue("OCSP.RESPONSE." + index + ".REVTIME", "certificate time");
    issues.add(issue);
    if (expectedRevTime != null) {
        if (revTimeSec == null) {
            issue.setFailureMessage("is='null', but expected='" + formatTime(expectedRevTime) + "'");
        } else if (revTimeSec != expectedRevTime.getTime() / 1000) {
            issue.setFailureMessage("is='" + formatTime(new Date(revTimeSec * 1000)) + "', but expected='" + formatTime(expectedRevTime) + "'");
        }
    }
    // nextUpdate
    Date nextUpdate = singleResp.getNextUpdate();
    issue = checkOccurrence("OCSP.RESPONSE." + index + ".NEXTUPDATE", nextUpdate, nextupdateOccurrence);
    issues.add(issue);
    Extension extension = singleResp.getExtension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash);
    issue = checkOccurrence("OCSP.RESPONSE." + index + ".CERTHASH", extension, certhashOccurrence);
    issues.add(issue);
    if (extension != null) {
        ASN1Encodable extensionValue = extension.getParsedValue();
        CertHash certHash = CertHash.getInstance(extensionValue);
        ASN1ObjectIdentifier hashAlgOid = certHash.getHashAlgorithm().getAlgorithm();
        if (certhashAlg != null) {
            // certHash algorithm
            issue = new ValidationIssue("OCSP.RESPONSE." + index + ".CHASH.ALG", "certhash algorithm");
            issues.add(issue);
            ASN1ObjectIdentifier is = certHash.getHashAlgorithm().getAlgorithm();
            if (!certhashAlg.equals(is)) {
                issue.setFailureMessage("is '" + is.getId() + "', but expected '" + certhashAlg.getId() + "'");
            }
        }
        byte[] hashValue = certHash.getCertificateHash();
        if (encodedCert != null) {
            issue = new ValidationIssue("OCSP.RESPONSE." + index + ".CHASH.VALIDITY", "certhash validity");
            issues.add(issue);
            try {
                MessageDigest md = MessageDigest.getInstance(hashAlgOid.getId());
                byte[] expectedHashValue = md.digest(encodedCert);
                if (!Arrays.equals(expectedHashValue, hashValue)) {
                    issue.setFailureMessage("certhash does not match the requested certificate");
                }
            } catch (NoSuchAlgorithmException ex) {
                issue.setFailureMessage("NoSuchAlgorithm " + hashAlgOid.getId());
            }
        }
    // end if(encodedCert != null)
    }
    return issues;
}
Also used : CertHash(org.bouncycastle.asn1.isismtt.ocsp.CertHash) CertificateID(org.bouncycastle.cert.ocsp.CertificateID) HashAlgo(org.xipki.security.HashAlgo) CertificateStatus(org.bouncycastle.cert.ocsp.CertificateStatus) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ValidationIssue(org.xipki.common.qa.ValidationIssue) LinkedList(java.util.LinkedList) Date(java.util.Date) UnknownStatus(org.bouncycastle.cert.ocsp.UnknownStatus) Extension(org.bouncycastle.asn1.x509.Extension) RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus) CrlReason(org.xipki.security.CrlReason) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) MessageDigest(java.security.MessageDigest) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 4 with CRLReason

use of com.github.zhenwei.core.asn1.x509.CRLReason in project candlepin by candlepin.

the class X509CRLStreamWriter method add.

/**
 * Create an entry to be added to the CRL.
 *
 * @param serial
 * @param date
 * @param reason
 * @throws IOException if an entry fails to generate
 */
@SuppressWarnings({ "unchecked", "rawtypes" })
public void add(BigInteger serial, Date date, int reason) throws IOException {
    if (locked) {
        throw new IllegalStateException("Cannot add to a locked stream.");
    }
    ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(new ASN1Integer(serial));
    v.add(new Time(date));
    CRLReason crlReason = CRLReason.getInstance(new ASN1Enumerated(reason));
    ExtensionsGenerator generator = new ExtensionsGenerator();
    generator.addExtension(Extension.reasonCode, false, crlReason);
    v.add(generator.generate());
    newEntries.add(new DERSequence(v));
}
Also used : DERSequence(org.bouncycastle.asn1.DERSequence) ASN1Enumerated(org.bouncycastle.asn1.ASN1Enumerated) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) DERGeneralizedTime(org.bouncycastle.asn1.DERGeneralizedTime) ASN1GeneralizedTime(org.bouncycastle.asn1.ASN1GeneralizedTime) DERUTCTime(org.bouncycastle.asn1.DERUTCTime) Time(org.bouncycastle.asn1.x509.Time) ASN1UTCTime(org.bouncycastle.asn1.ASN1UTCTime) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) CRLReason(org.bouncycastle.asn1.x509.CRLReason) ExtensionsGenerator(org.bouncycastle.asn1.x509.ExtensionsGenerator)

Example 5 with CRLReason

use of com.github.zhenwei.core.asn1.x509.CRLReason in project jruby-openssl by jruby.

the class X509Extension method value.

@JRubyMethod
public RubyString value(final ThreadContext context) {
    if (this.value instanceof RubyString) {
        // return the same as set
        return (RubyString) this.value;
    }
    final Ruby runtime = context.runtime;
    final String oid = getRealObjectID().getId();
    try {
        if (oid.equals("2.5.29.19")) {
            // basicConstraints
            ASN1Sequence seq2 = (ASN1Sequence) ASN1.readObject(getRealValueEncoded());
            final ByteList val = new ByteList(32);
            if (seq2.size() > 0) {
                val.append(CA_);
                ASN1Encodable obj0 = seq2.getObjectAt(0);
                final boolean bool = ((ASN1Boolean) obj0).isTrue();
                val.append(bool ? TRUE : FALSE);
            }
            if (seq2.size() > 1) {
                val.append(", pathlen:".getBytes());
                val.append(seq2.getObjectAt(1).toString().getBytes());
            }
            return runtime.newString(val);
        }
        if (oid.equals("2.5.29.15")) {
            // keyUsage
            final byte[] enc = getRealValueEncoded();
            byte b3 = 0;
            byte b2 = enc[2];
            if (enc.length > 3)
                b3 = enc[3];
            final ByteList val = new ByteList(64);
            byte[] sep = NULL;
            if ((b2 & (byte) 128) != 0) {
                val.append(sep);
                val.append(Decipher_Only);
                sep = SEP;
            }
            if ((b3 & (byte) 128) != 0) {
                val.append(sep);
                val.append(Digital_Signature);
                sep = SEP;
            }
            if ((b3 & (byte) 64) != 0) {
                val.append(sep);
                val.append(Non_Repudiation);
                sep = SEP;
            }
            if ((b3 & (byte) 32) != 0) {
                val.append(sep);
                val.append(Key_Encipherment);
                sep = SEP;
            }
            if ((b3 & (byte) 16) != 0) {
                val.append(sep);
                val.append(Data_Encipherment);
                sep = SEP;
            }
            if ((b3 & (byte) 8) != 0) {
                val.append(sep);
                val.append(Key_Agreement);
                sep = SEP;
            }
            if ((b3 & (byte) 4) != 0) {
                val.append(sep);
                val.append(Certificate_Sign);
                sep = SEP;
            }
            if ((b3 & (byte) 2) != 0) {
                val.append(sep);
                val.append(CRL_Sign);
                sep = SEP;
            }
            if ((b3 & (byte) 1) != 0) {
                // sep = SEP;
                val.append(sep);
                // sep = SEP;
                val.append(Encipher_Only);
            }
            return runtime.newString(val);
        }
        if (oid.equals("2.16.840.1.113730.1.1")) {
            // nsCertType
            final byte b0 = getRealValueEncoded()[0];
            final ByteList val = new ByteList(64);
            byte[] sep = NULL;
            if ((b0 & (byte) 128) != 0) {
                val.append(sep);
                val.append(SSL_Client);
                sep = SEP;
            }
            if ((b0 & (byte) 64) != 0) {
                val.append(sep);
                val.append(SSL_Server);
                sep = SEP;
            }
            if ((b0 & (byte) 32) != 0) {
                val.append(sep);
                val.append(SMIME);
                sep = SEP;
            }
            if ((b0 & (byte) 16) != 0) {
                val.append(sep);
                val.append(Object_Signing);
                sep = SEP;
            }
            if ((b0 & (byte) 8) != 0) {
                val.append(sep);
                val.append(Unused);
                sep = SEP;
            }
            if ((b0 & (byte) 4) != 0) {
                val.append(sep);
                val.append(SSL_CA);
                sep = SEP;
            }
            if ((b0 & (byte) 2) != 0) {
                val.append(sep);
                val.append(SMIME_CA);
                sep = SEP;
            }
            if ((b0 & (byte) 1) != 0) {
                val.append(sep);
                val.append(Object_Signing_CA);
            }
            return runtime.newString(val);
        }
        if (oid.equals("2.5.29.14")) {
            // subjectKeyIdentifier
            ASN1Encodable value = getRealValue();
            if (value instanceof ASN1OctetString) {
                byte[] octets = ((ASN1OctetString) value).getOctets();
                if (octets.length > 0 && octets[0] == BERTags.OCTET_STRING) {
                    // read nested octets
                    value = ASN1.readObject(octets);
                }
            }
            return runtime.newString(hexBytes(keyidBytes(value.toASN1Primitive()), 0));
        }
        if (oid.equals("2.5.29.35")) {
            // authorityKeyIdentifier
            ASN1Encodable value = getRealValue();
            if (value instanceof ASN1OctetString) {
                value = ASN1.readObject(((ASN1OctetString) value).getOctets());
            }
            final ByteList val = new ByteList(72);
            if (value instanceof ASN1Sequence) {
                final ASN1Sequence seq = (ASN1Sequence) value;
                final int size = seq.size();
                if (size == 0)
                    return RubyString.newEmptyString(runtime);
                for (int i = 0; i < size; i++) {
                    final ASN1Encodable enc = seq.getObjectAt(i);
                    if (enc instanceof ASN1TaggedObject) {
                        ASN1Primitive obj = ((ASN1TaggedObject) enc).getObject();
                        switch(((ASN1TaggedObject) enc).getTagNo()) {
                            case 0:
                                ASN1Primitive keyid = obj;
                                val.append(keyid_);
                                hexBytes(keyidBytes(keyid), val);
                                break;
                            case 1:
                                GeneralName name;
                                if (obj instanceof ASN1Sequence) {
                                    // GeneralNames -> toASN1Primitive()
                                    GeneralName[] names = GeneralNames.getInstance(obj).getNames();
                                    name = names.length > 0 ? names[0] : null;
                                } else {
                                    name = GeneralName.getInstance(obj);
                                }
                                if (name != null)
                                    formatGeneralName(name, val, true);
                                break;
                            case // serial
                            2:
                                val.append(new byte[] { 's', 'e', 'r', 'i', 'a', 'l', ':' });
                                if (obj instanceof ASN1Integer) {
                                    hexBytes(((ASN1Integer) obj).getValue().toByteArray(), val);
                                } else {
                                    hexBytes(((ASN1OctetString) obj).getOctets(), val);
                                }
                                break;
                        }
                    } else if (size == 1) {
                        ASN1Primitive keyid = enc.toASN1Primitive();
                        hexBytes(keyidBytes(keyid), val);
                    }
                    val.append('\n');
                }
                return runtime.newString(val);
            }
            hexBytes(keyidBytes(value.toASN1Primitive()), val).append('\n');
            return runtime.newString(val);
        }
        if (oid.equals("2.5.29.21")) {
            // CRLReason
            final IRubyObject value = getValue(runtime);
            switch(RubyNumeric.fix2int(value)) {
                case 0:
                    return runtime.newString(new ByteList(Unspecified));
                case 1:
                    return RubyString.newString(runtime, "Key Compromise");
                case 2:
                    return RubyString.newString(runtime, "CA Compromise");
                case 3:
                    return RubyString.newString(runtime, "Affiliation Changed");
                case 4:
                    return RubyString.newString(runtime, "Superseded");
                case 5:
                    return RubyString.newString(runtime, "Cessation Of Operation");
                case 6:
                    return RubyString.newString(runtime, "Certificate Hold");
                case 8:
                    return RubyString.newString(runtime, "Remove From CRL");
                case 9:
                    return RubyString.newString(runtime, "Privilege Withdrawn");
                default:
                    return runtime.newString(new ByteList(Unspecified));
            }
        }
        if (oid.equals("2.5.29.17") || oid.equals("2.5.29.18")) {
            // subjectAltName || issuerAltName
            try {
                ASN1Encodable value = getRealValue();
                final ByteList val = new ByteList(64);
                if (value instanceof ASN1TaggedObject) {
                    formatGeneralName(GeneralName.getInstance(value), val, false);
                    return runtime.newString(val);
                }
                if (value instanceof GeneralName) {
                    formatGeneralName((GeneralName) value, val, false);
                    return runtime.newString(val);
                }
                if (value instanceof ASN1OctetString) {
                    // decoded octets will end up as an ASN1Sequence instance :
                    value = ASN1.readObject(((ASN1OctetString) value).getOctets());
                }
                if (value instanceof ASN1TaggedObject) {
                    // DERTaggedObject (issuerAltName wrapping)
                    formatGeneralName(GeneralName.getInstance(value), val, false);
                    return runtime.newString(val);
                }
                final GeneralName[] names = GeneralNames.getInstance(value).getNames();
                for (int i = 0; i < names.length; i++) {
                    boolean other = formatGeneralName(names[i], val, false);
                    if (i < names.length - 1) {
                        if (other)
                            val.append(';');
                        else
                            val.append(',').append(' ');
                    }
                }
                return runtime.newString(val);
            } catch (IllegalArgumentException e) {
                debugStackTrace(runtime, e);
                return rawValueAsString(context);
            }
        }
        if (oid.equals("2.5.29.37")) {
            // extendedKeyUsage
            final ByteList val = new ByteList(64);
            if (this.value instanceof ASN1Sequence) {
                // opt "short" path
                final ASN1Sequence seq = (ASN1Sequence) this.value;
                final int size = seq.size();
                for (int i = 0; i < size; i++) {
                    ASN1Encodable o = seq.getObjectAt(i);
                    String name = o.toString();
                    Integer nid = ASN1.oid2nid(runtime, new ASN1ObjectIdentifier(name));
                    if (nid != null)
                        name = ASN1.nid2ln(runtime, nid);
                    if (name == null)
                        name = o.toString();
                    val.append(ByteList.plain(name));
                    if (i < size - 1)
                        val.append(',').append(' ');
                }
                return runtime.newString(val);
            }
            final IRubyObject value = getValue(runtime);
            if (value instanceof RubyArray) {
                final RubyArray arr = (RubyArray) value;
                final int size = arr.size();
                for (int i = 0; i < size; i++) {
                    IRubyObject entry = arr.eltInternal(i);
                    if ("ObjectId".equals(entry.getMetaClass().getBaseName())) {
                        entry = entry.callMethod(context, "ln");
                    } else if (entry.respondsTo("value")) {
                        entry = entry.callMethod(context, "value");
                    }
                    val.append(entry.asString().getByteList());
                    if (i < size - 1)
                        val.append(',').append(' ');
                }
            }
            return runtime.newString(val);
        }
        return rawValueAsString(context);
    } catch (IOException e) {
        debugStackTrace(runtime, e);
        throw newExtensionError(runtime, e);
    }
}
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) ByteList(org.jruby.util.ByteList) RubyArray(org.jruby.RubyArray) RubyString(org.jruby.RubyString) ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject) DEROctetString(org.bouncycastle.asn1.DEROctetString) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) RubyString(org.jruby.RubyString) ASN1String(org.bouncycastle.asn1.ASN1String) DERUniversalString(org.bouncycastle.asn1.DERUniversalString) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) IOException(java.io.IOException) IRubyObject(org.jruby.runtime.builtin.IRubyObject) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) ASN1Boolean(org.bouncycastle.asn1.ASN1Boolean) GeneralName(org.bouncycastle.asn1.x509.GeneralName) Ruby(org.jruby.Ruby) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) JRubyMethod(org.jruby.anno.JRubyMethod)

Aggregations

Date (java.util.Date)8 CrlReason (org.xipki.security.CrlReason)7 IOException (java.io.IOException)6 BigInteger (java.math.BigInteger)6 CRLReason (org.bouncycastle.asn1.x509.CRLReason)6 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)5 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)4 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)4 OperationException (org.xipki.ca.api.OperationException)4 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3 X509Certificate (java.security.cert.X509Certificate)3 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)3 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)3 X500Name (org.bouncycastle.asn1.x500.X500Name)3 Extension (org.bouncycastle.asn1.x509.Extension)3 Extensions (org.bouncycastle.asn1.x509.Extensions)3 ASN1EncodableVector (com.github.zhenwei.core.asn1.ASN1EncodableVector)2 DERSequence (com.github.zhenwei.core.asn1.DERSequence)2 EOFException (java.io.EOFException)2 MessageDigest (java.security.MessageDigest)2