
Example 36 with DistributionPointName

Use of DistributionPointName in project keystore-explorer by kaikramer. Note that this example actually imports org.bouncycastle.asn1.x509.DistributionPointName (see the "Also used" list below), not the com.github.zhenwei.core package named in the index heading.

the class X509Ext method getIssuingDistributionPointStringValue.

/**
 * Renders the IssuingDistributionPoint CRL extension as display text.
 *
 * @param value the DER encoding of the IssuingDistributionPoint sequence
 * @return one line per field: the optional distribution point name, the four
 *         boolean fields and, when present, the onlySomeReasons flags
 * @throws IOException declared for callers; decoding itself happens in
 *                     {@code IssuingDistributionPoint.getInstance}
 */
private static String getIssuingDistributionPointStringValue(byte[] value) throws IOException {
    // @formatter:off
    /*
     * IssuingDistributionPoint ::= ASN1Sequence {
     *     distributionPoint [0] DistributionPointName OPTIONAL,
     *     onlyContainsUserCerts [1] ASN1Boolean DEFAULT FALSE,
     *     onlyContainsCACerts [2] ASN1Boolean DEFAULT FALSE,
     *     onlySomeReasons [3] ReasonFlags OPTIONAL,
     *     indirectCRL [4] ASN1Boolean DEFAULT FALSE,
     *     onlyContainsAttributeCerts [5] ASN1Boolean DEFAULT FALSE }
     */
    // @formatter:on
    IssuingDistributionPoint idp = IssuingDistributionPoint.getInstance(value);
    StringBuilder out = new StringBuilder();

    // distributionPoint is OPTIONAL with no default, so it is the one field that needs a null check.
    DistributionPointName dpName = idp.getDistributionPoint();
    if (dpName != null) {
        out.append(getDistributionPointNameString(dpName, ""));
    }

    // The DEFAULT FALSE fields come back as false when absent, so the accessors
    // can be used directly.
    appendIdpFlag(out, "OnlyContainsUserCerts", idp.onlyContainsUserCerts());
    appendIdpFlag(out, "OnlyContainsCaCerts", idp.onlyContainsCACerts());

    // onlySomeReasons is OPTIONAL: list each asserted reason on its own indented line.
    ReasonFlags reasons = idp.getOnlySomeReasons();
    if (reasons != null) {
        out.append(res.getString("OnlySomeReasons")).append(NEWLINE);
        for (String reason : getReasonFlagsStrings(reasons)) {
            out.append(INDENT).append(reason).append(NEWLINE);
        }
    }

    appendIdpFlag(out, "IndirectCrl", idp.isIndirectCRL());
    appendIdpFlag(out, "OnlyContainsAttributeCerts", idp.onlyContainsAttributeCerts());
    return out.toString();
}

/**
 * Appends one line for a boolean IDP field: the resource text for
 * {@code resourceKey} formatted with {@code flag}, followed by a newline.
 */
private static void appendIdpFlag(StringBuilder out, String resourceKey, boolean flag) {
    out.append(MessageFormat.format(res.getString(resourceKey), flag)).append(NEWLINE);
}
Also used : IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) ReasonFlags(org.bouncycastle.asn1.x509.ReasonFlags) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) DERBitString(org.bouncycastle.asn1.DERBitString) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERGeneralString(org.bouncycastle.asn1.DERGeneralString) ASN1IA5String(org.bouncycastle.asn1.ASN1IA5String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) ASN1BitString(org.bouncycastle.asn1.ASN1BitString) DEROctetString(org.bouncycastle.asn1.DEROctetString) ASN1BMPString(org.bouncycastle.asn1.ASN1BMPString) DERIA5String(org.bouncycastle.asn1.DERIA5String) ASN1PrintableString(org.bouncycastle.asn1.ASN1PrintableString)

Example 37 with DistributionPointName

Use of DistributionPointName in project keystore-explorer by kaikramer. As the "Also used" list below shows, this example imports org.bouncycastle.asn1.x509.DistributionPointName rather than the com.github.zhenwei.core package named in the index heading.

the class DDistributionPointsChooser method populate.

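/**
 * Fills the dialog from an existing DistributionPoint: the fullName general
 * names, the cRLIssuer names and the reason-flag check boxes. A null argument
 * leaves the dialog untouched.
 *
 * @param distributionPoint the distribution point being edited, or null for a new one
 */
private void populate(DistributionPoint distributionPoint) {
    if (distributionPoint == null) {
        return;
    }

    DistributionPointName dist = distributionPoint.getDistributionPoint();
    // Only a fullName (a GeneralNames sequence) fits the full-name widget. A
    // nameRelativeToCRLIssuer holds a single RDN, which GeneralNames.getInstance
    // rejects with an IllegalArgumentException, so that form is skipped instead of
    // aborting the dialog. There is no control for it here, so it is not preserved
    // when the dialog is saved.
    if (dist != null && dist.getType() == DistributionPointName.FULL_NAME) {
        jgnDistributionPointFullName.setGeneralNames(GeneralNames.getInstance(dist.getName()));
    }

    GeneralNames crlIssuer = distributionPoint.getCRLIssuer();
    if (crlIssuer != null) {
        jgnDistributionPointCrlIssuer.setGeneralNames(crlIssuer);
    }

    ReasonFlags reasonFlags = distributionPoint.getReasons();
    if (reasonFlags == null) {
        return;
    }
    // ReasonFlags is a BIT STRING; test its integer value against each ReasonFlags
    // constant. Bits without a check box here (presumably the "unused" bit) are
    // dropped on a save round-trip — confirm if that matters to callers.
    int bits = ((DERBitString) reasonFlags.toASN1Primitive()).intValue();
    if (hasReasonFlag(bits, ReasonFlags.keyCompromise)) {
        jcbKeyCompromise.setSelected(true);
    }
    if (hasReasonFlag(bits, ReasonFlags.cACompromise)) {
        jcbCACompromise.setSelected(true);
    }
    if (hasReasonFlag(bits, ReasonFlags.affiliationChanged)) {
        jcbAffiliationChanged.setSelected(true);
    }
    if (hasReasonFlag(bits, ReasonFlags.superseded)) {
        jcbSuperseded.setSelected(true);
    }
    if (hasReasonFlag(bits, ReasonFlags.cessationOfOperation)) {
        jcbCessationOfOperation.setSelected(true);
    }
    if (hasReasonFlag(bits, ReasonFlags.certificateHold)) {
        jcbCertificateHold.setSelected(true);
    }
    if (hasReasonFlag(bits, ReasonFlags.privilegeWithdrawn)) {
        jcbPrivilegeWithdrawn.setSelected(true);
    }
    if (hasReasonFlag(bits, ReasonFlags.aACompromise)) {
        jcbAACompromise.setSelected(true);
    }
}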
Also used : JGeneralNames(org.kse.gui.crypto.generalname.JGeneralNames) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) ReasonFlags(org.bouncycastle.asn1.x509.ReasonFlags) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) DERBitString(org.bouncycastle.asn1.DERBitString) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)

Example 38 with DistributionPointName

Use of DistributionPointName in project signer by demoiselle. As the "Also used" list below shows, this example imports org.bouncycastle.asn1.x509.DistributionPointName rather than the com.github.zhenwei.core package named in the index heading.

the class BasicCertificate method getCRLDistributionPoint.

/**
 * Collects the CRL distribution point URLs carried by this certificate.
 * <p>
 * Only URI entries inside a distributionPoint fullName are returned; a
 * nameRelativeToCRLIssuer name and non-URI general names are skipped.
 * <p>
 * NOTE(review): the URLs originate from the certificate itself and are untrusted
 * input; a caller that dereferences them should restrict the accepted schemes first.
 *
 * @return the URLs that inform the location of the certificate revocation lists, in
 *         extension order (possibly empty), or {@code null} when the certificate has no
 *         cRLDistributionPoints extension
 * @throws IOException exception
 */
public List<String> getCRLDistributionPoint() throws IOException {
    ASN1Primitive extension = getExtensionValue(Extension.cRLDistributionPoints.getId());
    if (extension == null) {
        return null;
    }
    List<String> urls = new ArrayList<>();
    for (DistributionPoint dp : CRLDistPoint.getInstance(extension).getDistributionPoints()) {
        DistributionPointName dpn = dp.getDistributionPoint();
        // Absent, or nameRelativeToCRLIssuer (an RDN, not GeneralNames): no URI to collect.
        if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) {
            continue;
        }
        for (GeneralName name : GeneralNames.getInstance(dpn.getName()).getNames()) {
            if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
                continue;
            }
            String url = DERIA5String.getInstance(name.getName()).getString();
            urls.add(url);
            logger.debug("Adicionando a url {}", url);
        }
    }
    return urls;
}
Also used : ArrayList(java.util.ArrayList) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)

Example 39 with DistributionPointName

Use of DistributionPointName in project keycloak by keycloak. As the "Also used" list below shows, this example imports org.bouncycastle.asn1.x509.DistributionPointName rather than the com.github.zhenwei.core package named in the index heading.

the class CRLUtils method getCRLDistributionPoints.

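/**
 * Retrieves a list of CRL distribution points from CRLDP v3 certificate extension
 * See <a href="https://www.nakov.com/blog/2009/12/01/x509-certificate-validation-in-java-build-and-verify-cchain-and-verify-clr-with-bouncy-castle/">CRL validation</a>
 * <p>
 * Only URI entries of a distributionPoint fullName are returned; nameRelativeToCRLIssuer
 * names and non-URI general names are ignored. The certificate is untrusted input here, so a
 * malformed extension is reported as an IOException or IllegalArgumentException instead of
 * surfacing as a ClassCastException or NullPointerException.
 * <p>
 * NOTE(review): the returned URLs are strings taken from the presented certificate; a caller
 * that fetches them should restrict the accepted schemes/hosts before making a request.
 *
 * @param cert the certificate whose cRLDistributionPoints extension is read
 * @return the distribution point URLs in extension order; empty when the extension is absent
 * @throws IOException if the extension value is not well-formed DER or is empty
 */
public static List<String> getCRLDistributionPoints(X509Certificate cert) throws IOException {
    byte[] data = cert.getExtensionValue(CRL_DISTRIBUTION_POINTS_OID);
    if (data == null) {
        return Collections.emptyList();
    }
    // getExtensionValue() hands back the DER-encoded OCTET STRING wrapper; unwrap it first.
    // getInstance() instead of a (DEROctetString) cast: an extension that does not decode to an
    // OCTET STRING fails with IllegalArgumentException rather than an unexpected ClassCastException.
    byte[] octets;
    try (ASN1InputStream wrapperStream = new ASN1InputStream(new ByteArrayInputStream(data))) {
        org.bouncycastle.asn1.ASN1OctetString wrapper =
                org.bouncycastle.asn1.ASN1OctetString.getInstance(wrapperStream.readObject());
        if (wrapper == null) {
            throw new IOException("CRL distribution points extension value is empty");
        }
        octets = wrapper.getOctets();
    }
    CRLDistPoint crlDP;
    try (ASN1InputStream crldpStream = new ASN1InputStream(new ByteArrayInputStream(octets))) {
        crlDP = CRLDistPoint.getInstance(crldpStream.readObject());
    }
    if (crlDP == null) {
        throw new IOException("CRL distribution points extension has no content");
    }
    List<String> distributionPointUrls = new LinkedList<>();
    for (DistributionPoint dp : crlDP.getDistributionPoints()) {
        DistributionPointName dpn = dp.getDistributionPoint();
        // nameRelativeToCRLIssuer carries an RDN, not GeneralNames: nothing to fetch from it.
        if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) {
            continue;
        }
        for (GeneralName gn : GeneralNames.getInstance(dpn.getName()).getNames()) {
            if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
                distributionPointUrls.add(DERIA5String.getInstance(gn.getName()).getString());
            }
        }
    }
    return distributionPointUrls;
}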
Also used : ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) ByteArrayInputStream(java.io.ByteArrayInputStream) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) LinkedList(java.util.LinkedList) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Example 40 with DistributionPointName

use of com.github.zhenwei.core.asn1.x509.DistributionPointName in project LinLong-Java by zhenwei1108.

the class RFC3280CertPathUtilities method processCRLB2.

/**
 * If the complete CRL includes an issuing distribution point (IDP) CRL extension check the
 * following:
 * <p>
 * (i) If the distribution point name is present in the IDP CRL extension and the distribution
 * field is present in the DP, then verify that one of the names in the IDP matches one of the
 * names in the DP. If the distribution point name is present in the IDP CRL extension and the
 * distribution field is omitted from the DP, then verify that one of the names in the IDP matches
 * one of the names in the cRLIssuer field of the DP.
 * </p>
 * <p>
 * (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL extension, verify that the
 * certificate does not include the basic constraints extension with the cA boolean asserted.
 * </p>
 * <p>
 * (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL extension, verify that the
 * certificate includes the basic constraints extension with the cA boolean asserted.
 * </p>
 * <p>
 * (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.
 * </p>
 * <p>
 * These are the RFC 5280 section 6.3.3 (b)(2) checks. The name comparison in (i) is what ties
 * the CRL to the distribution point it was obtained for: a CRL whose IDP is scoped to a different
 * distribution point is not accepted as covering this certificate. When the CRL carries no IDP
 * extension none of the checks apply and the method returns normally.
 * </p>
 *
 * @param dp   The distribution point.
 * @param cert The certificate. Checks (ii) and (iii) are applied only when this is an
 *             X509Certificate; other certificate types still go through (i) and (iv).
 * @param crl  The CRL.
 * @throws AnnotatedException if one of the conditions is not met or an error occurs.
 */
protected static void processCRLB2(DistributionPoint dp, Object cert, X509CRL crl) throws AnnotatedException {
    IssuingDistributionPoint idp = null;
    try {
        // getExtensionValue() presumably returns null when the CRL has no IDP extension; getInstance(null)
        // then yields null and every check below is skipped — TODO confirm against RevocationUtilities.
        idp = IssuingDistributionPoint.getInstance(RevocationUtilities.getExtensionValue(crl, Extension.issuingDistributionPoint));
    } catch (Exception e) {
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }
    // No IDP extension on the CRL: nothing to check.
    if (idp != null) {
        // (b) (2) (i): only applies when the IDP carries a distribution point name
        if (idp.getDistributionPoint() != null) {
            // make list of names
            // (getInstance() on an object that already is an IssuingDistributionPoint returns it as-is,
            // so the re-wrap here is a no-op)
            DistributionPointName dpName = IssuingDistributionPoint.getInstance(idp).getDistributionPoint();
            List names = new ArrayList();
            if (dpName.getType() == DistributionPointName.FULL_NAME) {
                GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                for (int j = 0; j < genNames.length; j++) {
                    names.add(genNames[j]);
                }
            }
            if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
                // nameRelativeToCRLIssuer: the full name is the CRL issuer's DN with the
                // relative RDN appended as a final sequence element.
                ASN1EncodableVector vec = new ASN1EncodableVector();
                try {
                    Enumeration e = ASN1Sequence.getInstance(crl.getIssuerX500Principal().getEncoded()).getObjects();
                    while (e.hasMoreElements()) {
                        vec.add((ASN1Encodable) e.nextElement());
                    }
                } catch (Exception e) {
                    throw new AnnotatedException("Could not read CRL issuer.", e);
                }
                vec.add(dpName.getName());
                names.add(new GeneralName(X500Name.getInstance(new DERSequence(vec))));
            }
            boolean matches = false;
            // distribution field present in the DP: one of the IDP names must match one
            // of the names in the DP.
            if (dp.getDistributionPoint() != null) {
                dpName = dp.getDistributionPoint();
                GeneralName[] genNames = null;
                if (dpName.getType() == DistributionPointName.FULL_NAME) {
                    genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                }
                if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
                    // The DP's relative name is resolved against the cRLIssuer names when present,
                    // otherwise against the certificate issuer.
                    if (dp.getCRLIssuer() != null) {
                        genNames = dp.getCRLIssuer().getNames();
                    } else {
                        genNames = new GeneralName[1];
                        try {
                            genNames[0] = new GeneralName(X500Name.getInstance(((X509Certificate) cert).getIssuerX500Principal().getEncoded()));
                        } catch (Exception e) {
                            throw new AnnotatedException("Could not read certificate issuer.", e);
                        }
                    }
                    // Append the RDN to each base name. The base names are assumed to be directoryName
                    // entries; a cRLIssuer entry of another type presumably fails the ASN1Sequence.getInstance
                    // call below with an unchecked exception rather than an AnnotatedException — TODO confirm.
                    for (int j = 0; j < genNames.length; j++) {
                        Enumeration e = ASN1Sequence.getInstance(genNames[j].getName().toASN1Primitive()).getObjects();
                        ASN1EncodableVector vec = new ASN1EncodableVector();
                        while (e.hasMoreElements()) {
                            vec.add((ASN1Encodable) e.nextElement());
                        }
                        vec.add(dpName.getName());
                        genNames[j] = new GeneralName(X500Name.getInstance(new DERSequence(vec)));
                    }
                }
                // Matching relies on GeneralName.equals(), i.e. an exact encoded comparison.
                if (genNames != null) {
                    for (int j = 0; j < genNames.length; j++) {
                        if (names.contains(genNames[j])) {
                            matches = true;
                            break;
                        }
                    }
                }
                if (!matches) {
                    throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                }
            } else {
                // distribution field omitted from the DP: one of the IDP names must match one
                // of the names in the cRLIssuer field of the DP, which therefore must be present.
                if (dp.getCRLIssuer() == null) {
                    throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must " + "be contained in DistributionPoint.");
                }
                GeneralName[] genNames = dp.getCRLIssuer().getNames();
                for (int j = 0; j < genNames.length; j++) {
                    if (names.contains(genNames[j])) {
                        matches = true;
                        break;
                    }
                }
                if (!matches) {
                    throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                }
            }
        }
        // Basic constraints are read for every certificate type (cert is cast to X509Extension
        // here unconditionally), even though only the X509Certificate branch below uses them.
        BasicConstraints bc = null;
        try {
            bc = BasicConstraints.getInstance(RevocationUtilities.getExtensionValue((X509Extension) cert, Extension.basicConstraints));
        } catch (Exception e) {
            throw new AnnotatedException("Basic constraints extension could not be decoded.", e);
        }
        // (ii) and (iii) concern the cA bit of a public-key certificate; other certificate
        // types skip them.
        if (cert instanceof X509Certificate) {
            // (b) (2) (ii): a user-cert-only CRL must not be used for a CA certificate
            if (idp.onlyContainsUserCerts() && (bc != null && bc.isCA())) {
                throw new AnnotatedException("CA Cert CRL only contains user certificates.");
            }
            // (b) (2) (iii): a CA-cert-only CRL must not be used for a certificate without cA=true
            if (idp.onlyContainsCACerts() && (bc == null || !bc.isCA())) {
                throw new AnnotatedException("End CRL only contains CA certificates.");
            }
        }
        // (b) (2) (iv): attribute-certificate CRLs never cover public-key certificates
        if (idp.onlyContainsAttributeCerts()) {
            throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
        }
    }
}
Also used : IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) Enumeration(java.util.Enumeration) DistributionPointName(com.github.zhenwei.core.asn1.x509.DistributionPointName) ArrayList(java.util.ArrayList) CertPathBuilderException(java.security.cert.CertPathBuilderException) CertPathValidatorException(java.security.cert.CertPathValidatorException) IOException(java.io.IOException) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint) X509Certificate(java.security.cert.X509Certificate) DERSequence(com.github.zhenwei.core.asn1.DERSequence) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector) ArrayList(java.util.ArrayList) List(java.util.List) GeneralName(com.github.zhenwei.core.asn1.x509.GeneralName) BasicConstraints(com.github.zhenwei.core.asn1.x509.BasicConstraints)
