Example 6 with DistributionPointName
use of com.github.zhenwei.core.asn1.x509.DistributionPointName in project robovm by robovm.
the class RFC3280CertPathUtilities method processCRLB2.
/**
* If the complete CRL includes an issuing distribution point (IDP) CRL
* extension check the following:
* <p/>
* (i) If the distribution point name is present in the IDP CRL extension
* and the distribution field is present in the DP, then verify that one of
* the names in the IDP matches one of the names in the DP. If the
* distribution point name is present in the IDP CRL extension and the
* distribution field is omitted from the DP, then verify that one of the
* names in the IDP matches one of the names in the cRLIssuer field of the
* DP.
* </p>
* <p/>
* (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL
* extension, verify that the certificate does not include the basic
* constraints extension with the cA boolean asserted.
* </p>
* <p/>
* (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL
* extension, verify that the certificate includes the basic constraints
* extension with the cA boolean asserted.
* </p>
* <p/>
* (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.
* </p>
*
* @param dp The distribution point.
* @param cert The certificate.
* @param crl The CRL.
* @throws AnnotatedException if one of the conditions is not met or an error occurs.
*/
protected static void processCRLB2(DistributionPoint dp, Object cert, X509CRL crl) throws AnnotatedException {
IssuingDistributionPoint idp = null;
try {
idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl, RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
} catch (Exception e) {
throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
}
// distribution point name is present
if (idp != null) {
if (idp.getDistributionPoint() != null) {
// make list of names
DistributionPointName dpName = IssuingDistributionPoint.getInstance(idp).getDistributionPoint();
List names = new ArrayList();
if (dpName.getType() == DistributionPointName.FULL_NAME) {
GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
for (int j = 0; j < genNames.length; j++) {
names.add(genNames[j]);
}
}
if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
ASN1EncodableVector vec = new ASN1EncodableVector();
try {
Enumeration e = ASN1Sequence.getInstance(ASN1Sequence.fromByteArray(CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded())).getObjects();
while (e.hasMoreElements()) {
vec.add((ASN1Encodable) e.nextElement());
}
} catch (IOException e) {
throw new AnnotatedException("Could not read CRL issuer.", e);
}
vec.add(dpName.getName());
names.add(new GeneralName(X509Name.getInstance(new DERSequence(vec))));
}
boolean matches = false;
// of the names in the DP.
if (dp.getDistributionPoint() != null) {
dpName = dp.getDistributionPoint();
GeneralName[] genNames = null;
if (dpName.getType() == DistributionPointName.FULL_NAME) {
genNames = GeneralNames.getInstance(dpName.getName()).getNames();
}
if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
if (dp.getCRLIssuer() != null) {
genNames = dp.getCRLIssuer().getNames();
} else {
genNames = new GeneralName[1];
try {
genNames[0] = new GeneralName(new X509Name((ASN1Sequence) ASN1Sequence.fromByteArray(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded())));
} catch (IOException e) {
throw new AnnotatedException("Could not read certificate issuer.", e);
}
}
for (int j = 0; j < genNames.length; j++) {
Enumeration e = ASN1Sequence.getInstance(genNames[j].getName().toASN1Primitive()).getObjects();
ASN1EncodableVector vec = new ASN1EncodableVector();
while (e.hasMoreElements()) {
vec.add((ASN1Encodable) e.nextElement());
}
vec.add(dpName.getName());
genNames[j] = new GeneralName(new X509Name(new DERSequence(vec)));
}
}
if (genNames != null) {
for (int j = 0; j < genNames.length; j++) {
if (names.contains(genNames[j])) {
matches = true;
break;
}
}
}
if (!matches) {
throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
}
} else // verify that one of the names in
// the IDP matches one of the names in the cRLIssuer field of
// the DP
{
if (dp.getCRLIssuer() == null) {
throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must " + "be contained in DistributionPoint.");
}
GeneralName[] genNames = dp.getCRLIssuer().getNames();
for (int j = 0; j < genNames.length; j++) {
if (names.contains(genNames[j])) {
matches = true;
break;
}
}
if (!matches) {
throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
}
}
}
BasicConstraints bc = null;
try {
bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue((X509Extension) cert, BASIC_CONSTRAINTS));
} catch (Exception e) {
throw new AnnotatedException("Basic constraints extension could not be decoded.", e);
}
if (cert instanceof X509Certificate) {
// (b) (2) (ii)
if (idp.onlyContainsUserCerts() && (bc != null && bc.isCA())) {
throw new AnnotatedException("CA Cert CRL only contains user certificates.");
}
// (b) (2) (iii)
if (idp.onlyContainsCACerts() && (bc == null || !bc.isCA())) {
throw new AnnotatedException("End CRL only contains CA certificates.");
}
}
// (b) (2) (iv)
if (idp.onlyContainsAttributeCerts()) {
throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
}
}
}
Also used :
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
Enumeration(java.util.Enumeration)
DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName)
ArrayList(java.util.ArrayList)
IOException(java.io.IOException)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
GeneralSecurityException(java.security.GeneralSecurityException)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException)
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
CertPathBuilderException(java.security.cert.CertPathBuilderException)
IOException(java.io.IOException)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
X509Certificate(java.security.cert.X509Certificate)
DERSequence(org.bouncycastle.asn1.DERSequence)
X509Name(org.bouncycastle.asn1.x509.X509Name)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
List(java.util.List)
ArrayList(java.util.ArrayList)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Example 7 with DistributionPointName
use of com.github.zhenwei.core.asn1.x509.DistributionPointName in project qpid-broker-j by apache.
the class TlsResourceBuilder method createDistributionPointExtension.
private static Extension createDistributionPointExtension(final String crlUri) throws CertificateException {
try {
final GeneralName generalName = new GeneralName(GeneralName.uniformResourceIdentifier, crlUri);
final DistributionPointName pointName = new DistributionPointName(new GeneralNames(generalName));
final DistributionPoint[] points = new DistributionPoint[] { new DistributionPoint(pointName, null, null) };
return new Extension(Extension.cRLDistributionPoints, false, new CRLDistPoint(points).getEncoded());
} catch (IOException e) {
throw new CertificateException(e);
}
}
Also used :
Extension(org.bouncycastle.asn1.x509.Extension)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName)
CertificateException(java.security.cert.CertificateException)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
IOException(java.io.IOException)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
Example 8 with DistributionPointName
use of com.github.zhenwei.core.asn1.x509.DistributionPointName in project certmgr by hdecarne.
the class CRLDistributionPointsController method init.
/**
* Initialize the dialog with existing extension data.
*
* @param data The extension data to use.
* @param expertMode Whether to run in expert mode ({@code true}) or not ({@code false}).
* @return This controller.
*/
public CRLDistributionPointsController init(CRLDistributionPointsExtensionData data, boolean expertMode) {
init(expertMode);
this.ctlCritical.setSelected(data.getCritical());
ObservableList<GeneralName> nameItems = this.ctlNames.getItems();
for (DistributionPoint distributionPoint : data) {
DistributionPointName distributionPointName = distributionPoint.getName();
if (distributionPointName != null) {
GeneralNames names = distributionPointName.getFullName();
if (names != null) {
for (GeneralName name : names) {
nameItems.add(name);
}
}
break;
}
}
return this;
}
Also used :
GeneralNames(de.carne.certmgr.certs.x509.GeneralNames)
DistributionPointName(de.carne.certmgr.certs.x509.DistributionPointName)
GeneralName(de.carne.certmgr.certs.x509.GeneralName)
DistributionPoint(de.carne.certmgr.certs.x509.DistributionPoint)
Example 9 with DistributionPointName
use of com.github.zhenwei.core.asn1.x509.DistributionPointName in project certmgr by hdecarne.
the class CRLDistributionPointsController method validateAndGetDistributionPoint.
private DistributionPoint validateAndGetDistributionPoint() throws ValidationException {
GeneralNames names = new GeneralNames();
int nameCount = 0;
for (GeneralName name : this.ctlNames.getItems()) {
names.addName(name);
nameCount++;
}
InputValidator.isTrue(nameCount > 0, CRLDistributionPointsI18N::strMessageNoNames);
return new DistributionPoint(new DistributionPointName(names));
}
Also used :
GeneralNames(de.carne.certmgr.certs.x509.GeneralNames)
DistributionPointName(de.carne.certmgr.certs.x509.DistributionPointName)
GeneralName(de.carne.certmgr.certs.x509.GeneralName)
DistributionPoint(de.carne.certmgr.certs.x509.DistributionPoint)
DistributionPoint(de.carne.certmgr.certs.x509.DistributionPoint)
Example 10 with DistributionPointName
use of com.github.zhenwei.core.asn1.x509.DistributionPointName in project Spark by igniterealtime.
the class SparkTrustManager method loadCRL.
public Collection<X509CRL> loadCRL(X509Certificate[] chain) throws IOException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, CRLException {
// for each certificate in chain
for (X509Certificate cert : chain) {
if (cert.getExtensionValue(Extension.cRLDistributionPoints.getId()) != null) {
ASN1Primitive primitive = JcaX509ExtensionUtils.parseExtensionValue(cert.getExtensionValue(Extension.cRLDistributionPoints.getId()));
// extract distribution point extension
CRLDistPoint distPoint = CRLDistPoint.getInstance(primitive);
DistributionPoint[] dp = distPoint.getDistributionPoints();
// each distribution point extension can hold number of distribution points
for (DistributionPoint d : dp) {
DistributionPointName dpName = d.getDistributionPoint();
// Look for URIs in fullName
if (dpName != null && dpName.getType() == DistributionPointName.FULL_NAME) {
GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
// Look for an URI
for (GeneralName genName : genNames) {
// extract url
URL url = new URL(genName.getName().toString());
try {
// download from Internet to the collection
crlCollection.add(downloadCRL(url));
} catch (CertificateException | CRLException e) {
throw new CRLException("Couldn't download CRL");
}
}
}
}
} else {
Log.warning("Certificate " + cert.getSubjectX500Principal().getName() + " have no CRLs");
}
// parameters for cert store is collection type, using collection with crl create parameters
CollectionCertStoreParameters params = new CollectionCertStoreParameters(crlCollection);
// this parameters are next used for creation of certificate store with crls
crlStore = CertStore.getInstance("Collection", params);
}
return crlCollection;
}
Also used :
DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName)
URL(java.net.URL)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
Aggregations
DistributionPointName (org.bouncycastle.asn1.x509.DistributionPointName)30
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)29
GeneralName (org.bouncycastle.asn1.x509.GeneralName)29
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)27
IOException (java.io.IOException)22
ArrayList (java.util.ArrayList)19
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)19
DERIA5String (org.bouncycastle.asn1.DERIA5String)18
CertPathValidatorException (java.security.cert.CertPathValidatorException)16
GeneralSecurityException (java.security.GeneralSecurityException)13
CRLDistPoint (com.github.zhenwei.core.asn1.x509.CRLDistPoint)11
DistributionPoint (com.github.zhenwei.core.asn1.x509.DistributionPoint)11
DistributionPointName (com.github.zhenwei.core.asn1.x509.DistributionPointName)11
GeneralName (com.github.zhenwei.core.asn1.x509.GeneralName)11
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)11
ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)11
DEROctetString (org.bouncycastle.asn1.DEROctetString)11
CertPathBuilderException (java.security.cert.CertPathBuilderException)10
ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)9
CertStoreException (java.security.cert.CertStoreException)8
