Search in sources :

Example 36 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project certmgr by hdecarne.

the class ExtendedKeyUsageController method onApply.

@SuppressWarnings("unused")
private void onApply(ActionEvent evt) {
    boolean critical = this.ctlCritical.isSelected();
    Set<ExtendedKeyUsage> usages = new HashSet<>();
    if (this.ctlAnyUsage.isSelected()) {
        usages.add(ExtendedKeyUsage.ANY);
    } else {
        for (ExtendedKeyUsage usage : this.ctlUsages.getSelectionModel().getSelectedItems()) {
            usages.add(usage);
        }
    }
    this.extensionDataResult = new ExtendedKeyUsageExtensionData(critical, usages);
}
Also used : ExtendedKeyUsageExtensionData(de.carne.certmgr.certs.x509.ExtendedKeyUsageExtensionData) ExtendedKeyUsage(de.carne.certmgr.certs.x509.ExtendedKeyUsage) HashSet(java.util.HashSet)

Example 37 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project certmgr by hdecarne.

the class ExtendedKeyUsageController method init.

/**
 * Initialize the dialog.
 *
 * @param expertMode Whether to run in expert mode ({@code true}) or not ({@code false}).
 * @return This controller.
 */
public ExtendedKeyUsageController init(boolean expertMode) {
    this.ctlCritical.setSelected(ExtendedKeyUsageExtensionData.CRITICAL_DEFAULT);
    ObservableList<ExtendedKeyUsage> usageItems = this.ctlUsages.getItems();
    for (ExtendedKeyUsage usage : ExtendedKeyUsage.instances()) {
        if (!ExtendedKeyUsage.ANY.equals(usage)) {
            usageItems.add(usage);
        }
    }
    usageItems.sort((o1, o2) -> o1.name().compareTo(o2.name()));
    this.ctlUsages.getSelectionModel().setSelectionMode(SelectionMode.MULTIPLE);
    this.ctlAnyUsage.setSelected(false);
    return this;
}
Also used : ExtendedKeyUsage(de.carne.certmgr.certs.x509.ExtendedKeyUsage)

Example 38 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project Spark by igniterealtime.

the class IdentityController method createSelfSignedCertificate.

public X509Certificate createSelfSignedCertificate(KeyPair keyPair) throws CertIOException, OperatorCreationException, CertificateException {
    long serial = System.currentTimeMillis();
    SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
    X500Name name = new X500Name(createX500NameString());
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(name, BigInteger.valueOf(serial), new Date(System.currentTimeMillis() - 1000000000), new Date(System.currentTimeMillis() + 1000000000), name, keyInfo);
    certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
    certBuilder.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
    JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256withRSA");
    ContentSigner signer = csBuilder.build(keyPair.getPrivate());
    X509CertificateHolder certHolder = certBuilder.build(signer);
    return new JcaX509CertificateConverter().getCertificate(certHolder);
}
Also used : X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) ContentSigner(org.bouncycastle.operator.ContentSigner) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) X500Name(org.bouncycastle.asn1.x500.X500Name) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) Date(java.util.Date)

Example 39 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project xipki by xipki.

the class IdentifiedCertprofile method getExtensions.

/**
 * Get the extensions.
 *
 * @param requestedSubject
 *          Subject requested subject. Must not be {@code null}.
 * @param grantedSubject
 *          Granted subject. Must not be {@code null}.
 * @param requestedExtensions
 *          Extensions requested by the requestor. Could be {@code null}.
 * @param publicKeyInfo
 *          Subject public key. Must not be {@code null}.
 * @param publicCaInfo
 *          CA information. Must not be {@code null}.
 * @param crlSignerCert
 *          CRL signer certificate. Could be {@code null}.
 * @param notBefore
 *          NotBefore. Must not be {@code null}.
 * @param notAfter
 *          NotAfter. Must not be {@code null}.
 * @return the extensions of the certificate to be issued.
 */
public ExtensionValues getExtensions(X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions, SubjectPublicKeyInfo publicKeyInfo, PublicCaInfo publicCaInfo, X509Cert crlSignerCert, Date notBefore, Date notAfter) throws CertprofileException, BadCertTemplateException {
    notNull(publicKeyInfo, "publicKeyInfo");
    ExtensionValues values = new ExtensionValues();
    Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls());
    // CTLog extension will be processed by the CA
    controls.remove(Extn.id_SCTs);
    Map<ASN1ObjectIdentifier, Extension> requestedExtns = new HashMap<>();
    // remove the request extensions which are not permitted in the request
    if (requestedExtensions != null) {
        ASN1ObjectIdentifier[] oids = requestedExtensions.getExtensionOIDs();
        for (ASN1ObjectIdentifier m : oids) {
            ExtensionControl control = controls.get(m);
            if (control == null || control.isRequest()) {
                requestedExtns.put(m, requestedExtensions.getExtension(m));
            }
        }
    }
    // SubjectKeyIdentifier
    ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier;
    ExtensionControl extControl = controls.remove(extType);
    if (extControl != null) {
        SubjectKeyIdentifier value = certprofile.getSubjectKeyIdentifier(publicKeyInfo);
        addExtension(values, extType, value, extControl);
    }
    // Authority key identifier
    extType = Extension.authorityKeyIdentifier;
    extControl = controls.remove(extType);
    if (extControl != null) {
        AuthorityKeyIdentifier value = null;
        if (certprofile.useIssuerAndSerialInAki()) {
            GeneralNames x509CaIssuer = new GeneralNames(new GeneralName(publicCaInfo.getIssuer()));
            value = new AuthorityKeyIdentifier(x509CaIssuer, publicCaInfo.getSerialNumber());
        } else {
            byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer();
            if (ikiValue != null) {
                value = new AuthorityKeyIdentifier(ikiValue);
            }
        }
        addExtension(values, extType, value, extControl);
    }
    // IssuerAltName
    extType = Extension.issuerAlternativeName;
    extControl = controls.remove(extType);
    if (extControl != null) {
        GeneralNames value = publicCaInfo.getSubjectAltName();
        addExtension(values, extType, value, extControl);
    }
    // AuthorityInfoAccess
    extType = Extension.authorityInfoAccess;
    extControl = controls.remove(extType);
    CaUris caUris = publicCaInfo.getCaUris();
    if (extControl != null) {
        AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl();
        List<String> caIssuers = null;
        if (aiaControl != null && aiaControl.isIncludesCaIssuers()) {
            caIssuers = caUris.getCacertUris();
            assertAllUrisHasProtocol(caIssuers, aiaControl.getCaIssuersProtocols());
        }
        List<String> ocspUris = null;
        if (aiaControl != null && aiaControl.isIncludesOcsp()) {
            ocspUris = caUris.getOcspUris();
            assertAllUrisHasProtocol(ocspUris, aiaControl.getOcspProtocols());
        }
        AuthorityInformationAccess value = null;
        if (CollectionUtil.isNotEmpty(caIssuers) || CollectionUtil.isNotEmpty(ocspUris)) {
            value = CaUtil.createAuthorityInformationAccess(caIssuers, ocspUris);
        }
        addExtension(values, extType, value, extControl);
    }
    if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) {
        X500Name crlSignerSubject = (crlSignerCert == null) ? null : crlSignerCert.getSubject();
        X500Name x500CaPrincipal = publicCaInfo.getSubject();
        // CRLDistributionPoints
        extType = Extension.cRLDistributionPoints;
        extControl = controls.remove(extType);
        if (extControl != null) {
            CRLDistPoint value = null;
            List<String> uris = caUris.getCrlUris();
            if (CollectionUtil.isNotEmpty(uris)) {
                CrlDistributionPointsControl control = certprofile.getCrlDpControl();
                Set<String> protocols = control == null ? null : control.getProtocols();
                assertAllUrisHasProtocol(uris, protocols);
                value = CaUtil.createCrlDistributionPoints(uris, x500CaPrincipal, crlSignerSubject);
            }
            addExtension(values, extType, value, extControl);
        }
        // FreshestCRL
        extType = Extension.freshestCRL;
        extControl = controls.remove(extType);
        if (extControl != null) {
            CRLDistPoint value = null;
            List<String> uris = caUris.getDeltaCrlUris();
            if (CollectionUtil.isNotEmpty(uris)) {
                CrlDistributionPointsControl control = certprofile.getFreshestCrlControl();
                Set<String> protocols = control == null ? null : control.getProtocols();
                assertAllUrisHasProtocol(uris, protocols);
                value = CaUtil.createCrlDistributionPoints(caUris.getDeltaCrlUris(), x500CaPrincipal, crlSignerSubject);
            }
            addExtension(values, extType, value, extControl);
        }
    }
    // BasicConstraints
    extType = Extension.basicConstraints;
    extControl = controls.remove(extType);
    if (extControl != null) {
        BasicConstraints value = CaUtil.createBasicConstraints(certprofile.getCertLevel(), certprofile.getPathLenBasicConstraint());
        addExtension(values, extType, value, extControl);
    }
    // KeyUsage
    extType = Extension.keyUsage;
    extControl = controls.remove(extType);
    if (extControl != null) {
        Set<KeyUsage> usages = new HashSet<>();
        Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage();
        for (KeyUsageControl k : usageOccs) {
            if (k.isRequired()) {
                usages.add(k.getKeyUsage());
            }
        }
        // the optional KeyUsage will only be set if requested explicitly
        addRequestedKeyusage(usages, requestedExtns, usageOccs);
        org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages);
        addExtension(values, extType, value, extControl);
    }
    // ExtendedKeyUsage
    extType = Extension.extendedKeyUsage;
    extControl = controls.remove(extType);
    if (extControl != null) {
        List<ASN1ObjectIdentifier> usages = new LinkedList<>();
        Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages();
        for (ExtKeyUsageControl k : usageOccs) {
            if (k.isRequired()) {
                usages.add(k.getExtKeyUsage());
            }
        }
        // the optional ExtKeyUsage will only be set if requested explicitly
        addRequestedExtKeyusage(usages, requestedExtns, usageOccs);
        if (extControl.isCritical() && usages.contains(ObjectIdentifiers.XKU.id_kp_anyExtendedKeyUsage)) {
            extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest());
        }
        if (!extControl.isCritical() && usages.contains(ObjectIdentifiers.XKU.id_kp_timeStamping)) {
            extControl = new ExtensionControl(true, extControl.isRequired(), extControl.isRequest());
        }
        ExtendedKeyUsage value = X509Util.createExtendedUsage(usages);
        addExtension(values, extType, value, extControl);
    }
    // ocsp-nocheck
    extType = ObjectIdentifiers.Extn.id_extension_pkix_ocsp_nocheck;
    extControl = controls.remove(extType);
    if (extControl != null) {
        // the extension ocsp-nocheck will only be set if requested explicitly
        addExtension(values, extType, DERNull.INSTANCE, extControl);
    }
    // SubjectInfoAccess
    extType = Extension.subjectInfoAccess;
    extControl = controls.remove(extType);
    if (extControl != null) {
        ASN1Sequence value = createSubjectInfoAccess(requestedExtns, certprofile.getSubjectInfoAccessModes());
        addExtension(values, extType, value, extControl);
    }
    // CertificatePolicies
    extType = Extension.certificatePolicies;
    extControl = controls.remove(extType);
    if (extControl != null) {
        ASN1Encodable value = certprofile.getCertificatePolicies();
        addExtension(values, extType, value, extControl);
    }
    ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, grantedSubject, requestedExtns, notBefore, notAfter, publicCaInfo);
    Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet());
    for (ASN1ObjectIdentifier type : extTypes) {
        extControl = controls.get(type);
        ExtensionValue value = subvalues.getExtensionValue(type);
        if (value == null && extControl.isRequest()) {
            Extension reqExt = requestedExtns.get(type);
            if (reqExt != null) {
                value = new ExtensionValue(extControl.isCritical(), reqExt.getParsedValue());
            }
        }
        if (value != null) {
            addExtension(values, type, value, extControl);
            controls.remove(type);
        }
    }
    Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>();
    for (Entry<ASN1ObjectIdentifier, ExtensionControl> entry : controls.entrySet()) {
        if (entry.getValue().isRequired()) {
            unprocessedExtTypes.add(entry.getKey());
        }
    }
    if (CollectionUtil.isNotEmpty(unprocessedExtTypes)) {
        throw new CertprofileException("could not add required extensions " + CertprofileUtil.toString(unprocessedExtTypes));
    }
    // Check the SubjectAltNames
    if (certprofile.getCertDomain() == CertDomain.CABForumBR && getCertLevel() == CertLevel.EndEntity) {
        // Make sure that the commonName included in SubjectAltName
        String commonName = X509Util.getCommonName(grantedSubject);
        boolean commonNameInSan = commonName == null;
        // No private IP address is permitted
        GeneralName[] genNames = GeneralNames.getInstance(values.getExtensionValue(Extension.subjectAlternativeName).getValue()).getNames();
        for (GeneralName m : genNames) {
            if (GeneralName.dNSName == m.getTagNo()) {
                String domain = DERIA5String.getInstance(m.getName()).getString();
                if (!commonNameInSan && domain.equals(commonName)) {
                    commonNameInSan = true;
                }
                if (domain.indexOf('_') != -1) {
                    throw new BadCertTemplateException("invalid DNSName " + domain);
                }
                if (!ExtensionSpec.isValidPublicDomain(domain)) {
                    throw new BadCertTemplateException("invalid DNSName " + domain);
                }
            } else if (GeneralName.iPAddress == m.getTagNo()) {
                byte[] octets = DEROctetString.getInstance(m.getName()).getOctets();
                if (octets.length == 4) {
                    // IPv4 address
                    if (!commonNameInSan) {
                        String ipAddressText = (0xFF & octets[0]) + "." + (0xFF & octets[1]) + "." + (0xFF & octets[2]) + "." + (0xFF & octets[3]);
                        if (ipAddressText.equals(commonName)) {
                            commonNameInSan = true;
                        }
                    }
                // if (!ExtensionSpec.isValidPublicIPv4Address(octets)) {
                // throw new BadCertTemplateException(
                // "invalid IPv4Address " + ipAddressText);
                // }
                } else if (octets.length == 8) {
                    // IPv6 address
                    if (!commonNameInSan) {
                        // get the number of ":"
                        List<Integer> positions = new ArrayList<>(7);
                        int n = commonName.length();
                        for (int i = 0; i < n; i++) {
                            if (commonName.charAt(i) == ':') {
                                positions.add(i);
                            }
                        }
                        if (positions.size() == 7) {
                            String[] blocks = new String[8];
                            blocks[0] = commonName.substring(0, positions.get(0));
                            for (int i = 0; i < 6; i++) {
                                blocks[i + 1] = commonName.substring(positions.get(i) + 1, positions.get(i + 1));
                            }
                            blocks[7] = commonName.substring(positions.get(6) + 1);
                            byte[] commonNameBytes = new byte[16];
                            for (int i = 0; i < 8; i++) {
                                String block = blocks[i];
                                int blen = block.length();
                                if (blen == 1 | blen == 2) {
                                    commonNameBytes[i * 2 + 1] = (byte) Integer.parseInt(block, 16);
                                } else if (blen == 3 | blen == 4) {
                                    commonNameBytes[i * 2] = (byte) Integer.parseInt(block.substring(0, blen - 2), 16);
                                    commonNameBytes[i * 2 + 1] = (byte) Integer.parseInt(block.substring(blen - 2), 16);
                                } else if (blen != 0) {
                                    throw new BadCertTemplateException("invalid IP address in commonName " + commonName);
                                }
                            }
                            if (Arrays.equals(commonNameBytes, octets)) {
                                commonNameInSan = true;
                            }
                        }
                    }
                } else {
                    throw new BadCertTemplateException("invalid IP address " + Hex.toHexString(octets));
                }
            }
        }
        if (!commonNameInSan) {
            throw new BadCertTemplateException("content of subject:commonName is not included in extension:SubjectAlternativeNames");
        }
    }
    return values;
}
Also used : KeyUsage(org.xipki.security.KeyUsage) X500Name(org.bouncycastle.asn1.x500.X500Name) org.bouncycastle.asn1.x509(org.bouncycastle.asn1.x509) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) BigInteger(java.math.BigInteger) CaUris(org.xipki.ca.api.CaUris)

Example 40 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project keystore-explorer by kaikramer.

the class X509Ext method getExtendedKeyUsageStringValue.

private static String getExtendedKeyUsageStringValue(byte[] value) {
    // @formatter:off
    /*
		 * ExtendedKeyUsage ::= ASN1Sequence SIZE (1..MAX) OF KeyPurposeId
		 *
		 * KeyPurposeId ::= OBJECT IDENTIFIER
		 */
    // @formatter:on
    StringBuilder sb = new StringBuilder();
    ExtendedKeyUsage extendedKeyUsage = ExtendedKeyUsage.getInstance(value);
    for (KeyPurposeId keyPurposeId : extendedKeyUsage.getUsages()) {
        String oid = keyPurposeId.getId();
        ExtendedKeyUsageType type = ExtendedKeyUsageType.resolveOid(oid);
        if (type != null) {
            sb.append(type.friendly());
        } else {
            // Unrecognised key purpose ID
            sb.append(oid);
        }
        sb.append(NEWLINE);
    }
    return sb.toString();
}
Also used : KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId) DERBitString(org.bouncycastle.asn1.DERBitString) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERGeneralString(org.bouncycastle.asn1.DERGeneralString) ASN1IA5String(org.bouncycastle.asn1.ASN1IA5String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) ASN1BitString(org.bouncycastle.asn1.ASN1BitString) DEROctetString(org.bouncycastle.asn1.DEROctetString) ASN1BMPString(org.bouncycastle.asn1.ASN1BMPString) DERIA5String(org.bouncycastle.asn1.DERIA5String) ASN1PrintableString(org.bouncycastle.asn1.ASN1PrintableString) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)

Aggregations

ExtendedKeyUsage (org.bouncycastle.asn1.x509.ExtendedKeyUsage)35 KeyPurposeId (org.bouncycastle.asn1.x509.KeyPurposeId)24 KeyUsage (org.bouncycastle.asn1.x509.KeyUsage)21 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)19 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)19 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)18 X500Name (org.bouncycastle.asn1.x500.X500Name)17 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)17 ContentSigner (org.bouncycastle.operator.ContentSigner)17 Date (java.util.Date)16 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)14 X509Certificate (java.security.cert.X509Certificate)13 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)12 DEROctetString (org.bouncycastle.asn1.DEROctetString)11 Extension (org.bouncycastle.asn1.x509.Extension)11 GeneralName (org.bouncycastle.asn1.x509.GeneralName)11 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)10 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)9 JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)9 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)8