use of com.github.zhenwei.core.asn1.x509.Extension in project oxTrust by GluuFederation.
the class UserSerializer method serializeUserExtension.
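/**
 * Serializes one SCIM extension object of {@code user} (the extension identified by
 * {@code rootNodeEntry.getKey()}) as a single JSON field holding a map of its fields.
 * <p>
 * When an attribute selection ({@code attributes}) is present, only fields whose name
 * matches a selected attribute (case-insensitively, after {@link FilterUtil#stripScim2Schema})
 * are emitted; the selection is evaluated for every field, not only until the first match.
 * Without a selection every field is emitted. Nothing at all is written when no field is
 * selected. Multi-valued fields are decoded from their JSON array form according to the
 * attribute's data type; single-valued fields are emitted verbatim.
 *
 * @param rootNodeEntry the extension schema entry being serialized; its key is the extension URN
 * @param mapper        used to decode multi-valued field values
 * @param user          the user whose extension is serialized
 * @param jsonGenerator target generator
 * @throws Exception on JSON read or write failures
 */
protected void serializeUserExtension(Map.Entry<String, JsonNode> rootNodeEntry, ObjectMapper mapper, User user, JsonGenerator jsonGenerator) throws Exception {
    String extensionUrn = rootNodeEntry.getKey();
    Extension extension = user.getExtension(extensionUrn);
    Map<String, Object> fields = new HashMap<String, Object>();
    boolean enclosingWritten = false;
    for (Map.Entry<String, Extension.Field> extEntry : extension.getFields().entrySet()) {
        // Filter per field: a field that was not requested must not be emitted just because an
        // earlier field already opened the enclosing object.
        if (!isSelected(extEntry.getKey())) {
            continue;
        }
        if (!enclosingWritten) {
            jsonGenerator.writeFieldName(extensionUrn);
            enclosingWritten = true;
        }
        putFieldValue(fields, mapper, extEntry);
    }
    if (enclosingWritten) {
        jsonGenerator.writeObject(fields);
    }
}

/**
 * Tells whether an extension field is part of the requested attribute selection.
 *
 * @param fieldName the extension field name
 * @return {@code true} when no selection was made, or when the name matches a selected
 *         attribute (case-insensitive, schema prefix stripped)
 */
private boolean isSelected(String fieldName) {
    if (attributes == null || attributes.isEmpty()) {
        return true;
    }
    for (String attribute : attributes) {
        if (fieldName.equalsIgnoreCase(FilterUtil.stripScim2Schema(attribute))) {
            return true;
        }
    }
    return false;
}

/**
 * Adds the value of {@code extEntry} to {@code fields}.
 * <p>
 * Multi-valued attributes (per the attribute metadata) are decoded from their JSON array form
 * according to the data type: STRING and PHOTO as strings, DATE as ISO-8601 UTC strings,
 * NUMERIC as BigDecimals; a multi-valued attribute of any other data type has no decoder and
 * is omitted. Single-valued attributes, and attributes without metadata, are added verbatim.
 *
 * @param fields   the map collecting the extension's fields
 * @param mapper   used to decode multi-valued values
 * @param extEntry the field to add
 * @throws Exception if a multi-valued value cannot be decoded
 */
private void putFieldValue(Map<String, Object> fields, ObjectMapper mapper, Map.Entry<String, Extension.Field> extEntry) throws Exception {
    String fieldName = extEntry.getKey();
    GluuAttribute gluuAttribute = attributeService.getAttributeByName(fieldName);
    // An attribute without metadata cannot be known to be multi-valued: emit it verbatim instead of failing.
    boolean multiValued = gluuAttribute != null && OxMultivalued.TRUE.equals(gluuAttribute.getOxMultivaluedAttribute());
    if (!multiValued) {
        fields.put(fieldName, extEntry.getValue().getValue());
        return;
    }
    // constant-first equals keeps a missing data type from throwing
    GluuAttributeDataType dataType = gluuAttribute.getDataType();
    if (GluuAttributeDataType.STRING.equals(dataType) || GluuAttributeDataType.PHOTO.equals(dataType)) {
        fields.put(fieldName, Arrays.asList(mapper.readValue(extEntry.getValue().getValue(), String[].class)));
    } else if (GluuAttributeDataType.DATE.equals(dataType)) {
        DateTimeFormatter dateTimeFormatter = ISODateTimeFormat.dateTime().withZoneUTC();
        List<String> isoDates = new ArrayList<String>();
        for (Date date : mapper.readValue(extEntry.getValue().getValue(), Date[].class)) {
            isoDates.add(dateTimeFormatter.print(date.getTime()));
        }
        fields.put(fieldName, isoDates);
    } else if (GluuAttributeDataType.NUMERIC.equals(dataType)) {
        fields.put(fieldName, Arrays.asList(mapper.readValue(extEntry.getValue().getValue(), BigDecimal[].class)));
    }
    // any other multi-valued data type is not decodable here and the field is left out
}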
use of com.github.zhenwei.core.asn1.x509.Extension in project qpid-broker-j by apache.
the class TlsResourceBuilder method createCertificate.
/**
 * Issues an end-entity certificate for {@code keyPair} signed by {@code ca}.
 * <p>
 * The certificate carries a non-critical {@code basicConstraints} extension with
 * {@code cA=false}, followed by every extension in {@code extensions}, in order.
 *
 * @param keyPair        the subject key pair; only its public key ends up in the certificate
 * @param ca             the issuing certificate and private key
 * @param dn             subject distinguished name (RFC 4519 style)
 * @param validityPeriod notBefore / notAfter instants
 * @param extensions     additional extensions to add after basicConstraints
 * @return the signed certificate
 * @throws CertificateException if the certificate cannot be built or signed
 */
private static X509Certificate createCertificate(final KeyPair keyPair, final KeyCertificatePair ca, final String dn, final ValidityPeriod validityPeriod, final Extension... extensions) throws CertificateException {
    try {
        final Date notBefore = new Date(validityPeriod.getFrom().toEpochMilli());
        final Date notAfter = new Date(validityPeriod.getTo().toEpochMilli());
        final X500Name subject = new X500Name(RFC4519Style.INSTANCE, dn);
        final X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(ca.getCertificate(), generateSerialNumber(), notBefore, notAfter, subject, keyPair.getPublic());
        // not a CA certificate; non-critical, as permitted for end-entity certificates
        certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
        for (final Extension extension : extensions) {
            certBuilder.addExtension(extension);
        }
        return buildX509Certificate(certBuilder, ca.getPrivateKey());
    } catch (final OperatorException | IOException e) {
        throw new CertificateException(e);
    }
}
use of com.github.zhenwei.core.asn1.x509.Extension in project qpid-broker-j by apache.
the class TlsResourceBuilder method createDistributionPointExtension.
/**
 * Builds a non-critical CRL Distribution Points extension with a single URI distribution point.
 *
 * @param crlUri the URI at which the CRL is published
 * @return the DER-encoded {@code cRLDistributionPoints} extension
 * @throws CertificateException if the distribution point structure cannot be encoded
 */
private static Extension createDistributionPointExtension(final String crlUri) throws CertificateException {
    final GeneralName uri = new GeneralName(GeneralName.uniformResourceIdentifier, crlUri);
    final DistributionPointName fullName = new DistributionPointName(new GeneralNames(uri));
    // no reasons, no cRLIssuer: the CRL is issued by the certificate issuer itself
    final DistributionPoint[] distributionPoints = { new DistributionPoint(fullName, null, null) };
    try {
        final byte[] encoded = new CRLDistPoint(distributionPoints).getEncoded();
        return new Extension(Extension.cRLDistributionPoints, false, encoded);
    } catch (final IOException e) {
        throw new CertificateException(e);
    }
}
use of com.github.zhenwei.core.asn1.x509.Extension in project Spark by igniterealtime.
the class SparkTrustManager method validatePath.
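/**
 * Validates the certificate path of {@code chain} against the trust store ({@code allStore}).
 * <p>
 * The last certificate of the chain (often the root CA) is used as the path builder's target,
 * so it must be present in the trust store. Date validity is not re-checked here because
 * checkDateValidity(X509Certificate[]) already does that. Unless revoked certificates are
 * accepted ({@code acceptRevoked}), revocation is checked with a {@link PKIXRevocationChecker}
 * configured from the checkOCSP / checkCRL / allowSoftFail settings. Every certificate except
 * the last one is additionally passed to checkBasicConstraints. When a certificate is reported
 * as revoked, each chain certificate listed in one of the held CRLs is moved to the blacklist
 * and a {@link CertificateException} is thrown.
 *
 * @param chain the certificate chain to validate, must not be empty
 * @throws NoSuchAlgorithmException if the PKIX algorithm is unavailable
 * @throws KeyStoreException if the trust store cannot be read
 * @throws InvalidAlgorithmParameterException if the PKIX parameters are rejected
 * @throws CertPathValidatorException if the built path does not validate
 * @throws CertPathBuilderException if no path to a trust anchor can be built
 * @throws CertificateException if the chain is empty, the trust anchor has no certificate,
 *         or a certificate is revoked
 */
private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertPathBuilderException, CertificateException {
    if (chain == null || chain.length == 0) {
        throw new CertificateException("certificate path failed: empty certificate chain");
    }
    // PKIX algorithm is defined in rfc3280
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
    X509CertSelector certSelector = new X509CertSelector();
    // the last certificate (often the root CA) is the selector, so the trust store must contain it
    certSelector.setCertificate(chain[chain.length - 1]);
    // time validity is not checked here: checkDateValidity(X509Certificate[] chain) already did it
    certSelector.setCertificateValid(null);
    // trust store as source of trust anchors, selector as target
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // the default revocation checker is switched off; an explicitly configured
    // PKIXRevocationChecker is added below (or nothing, if revoked certificates are accepted)
    parameters.setRevocationEnabled(false);
    if (!acceptRevoked) {
        addRevocationChecker(parameters, certPathBuilder);
    }
    try {
        CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
        CertPath certPath = pathResult.getCertPath();
        PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, parameters);
        X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();
        if (trustedCert == null) {
            throw new CertificateException("certificate path failed: Trusted CA is NULL");
        }
        // the last certificate is the root CA and is excluded from the basic constraints check
        for (int i = 0; i < chain.length - 1; i++) {
            checkBasicConstraints(chain[i]);
        }
    } catch (CertificateRevokedException e) {
        Log.warning("Certificate was revoked", e);
        blacklistRevokedCertificates(chain);
        throw new CertificateException("Certificate was revoked");
    }
}

/**
 * Adds a {@link PKIXRevocationChecker} to {@code parameters} according to the
 * checkOCSP / checkCRL / allowSoftFail settings. Nothing is added when both mechanisms are
 * disabled; every other combination gets a checker, so enabling only OCSP no longer leaves
 * revocation unchecked.
 *
 * @param parameters      the PKIX parameters to add the checker to
 * @param certPathBuilder the builder whose revocation checker is configured
 */
private void addRevocationChecker(PKIXBuilderParameters parameters, CertPathBuilder certPathBuilder) {
    if (!checkOCSP && !checkCRL) {
        // both mechanisms disabled: no revocation checking
        return;
    }
    // OCSP checking is done according to Java PKI Programmer's Guide, PKIXRevocationChecker was added in Java 8:
    // https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker
    PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
    EnumSet<PKIXRevocationChecker.Option> checkerOptions = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
    // with soft fail, revocation checking is omitted on network issues
    if (allowSoftFail) {
        checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
    }
    if (!checkOCSP) {
        // CRL only: no fallback to OCSP when the CRL check fails
        checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
        checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
    } else if (!checkCRL) {
        // OCSP only: the checker prefers OCSP by default, so only the CRL fallback is switched off
        // (leaving this combination without a checker would skip revocation checking entirely)
        checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
    }
    // both enabled: checker default, OCSP first with CRLs as backup
    checker.setOptions(checkerOptions);
    parameters.addCertPathChecker(checker);
}

/**
 * Moves every certificate of {@code chain} that one of the held CRLs lists as revoked to the
 * blacklist; a failure to blacklist is logged and does not stop the loop.
 *
 * @param chain the chain that failed validation because of a revocation
 */
private void blacklistRevokedCertificates(X509Certificate[] chain) {
    for (X509Certificate cert : chain) {
        for (X509CRL crl : crlCollection) {
            if (crl.isRevoked(cert)) {
                try {
                    addToBlackList(cert);
                } catch (IOException | HeadlessException | InvalidNameException e1) {
                    Log.error("Couldn't move to the blacklist", e1);
                }
                break;
            }
        }
    }
}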
use of com.github.zhenwei.core.asn1.x509.Extension in project xipki by xipki.
the class X509Util method extractSki.
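/**
 * Extracts the SubjectKeyIdentifier value of {@code cert}.
 *
 * @param cert the certificate to inspect; must not be null
 * @return the raw key identifier octets, or {@code null} when the certificate carries no
 *         extensions at all or no SubjectKeyIdentifier extension
 * @throws CertificateEncodingException if the extension is present but its value is not a
 *         valid OCTET STRING
 */
public static byte[] extractSki(org.bouncycastle.asn1.x509.Certificate cert) throws CertificateEncodingException {
    ParamUtil.requireNonNull("cert", cert);
    // a certificate without an extensions sequence (e.g. v1) yields null here rather than an empty list
    if (cert.getTBSCertificate().getExtensions() == null) {
        return null;
    }
    Extension encodedSkiValue = cert.getTBSCertificate().getExtensions().getExtension(Extension.subjectKeyIdentifier);
    if (encodedSkiValue == null) {
        return null;
    }
    try {
        return ASN1OctetString.getInstance(encodedSkiValue.getParsedValue()).getOctets();
    } catch (IllegalArgumentException ex) {
        // keep the parse failure as the cause instead of flattening it to its message
        throw new CertificateEncodingException("invalid extension SubjectKeyIdentifier: " + ex.getMessage(), ex);
    }
}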