
Example 56 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project oxTrust by GluuFederation.

the class UserSerializer method serializeUserExtension.

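/**
 * Serializes one SCIM extension of {@code user} — the schema URN held in the key of
 * {@code rootNodeEntry} — as a JSON object named after that URN, honouring the requested
 * attribute projection.
 * <p>
 * A field is emitted only when no attribute projection is active, or when its name matches one
 * of the requested attributes (schema prefix stripped, compared case-insensitively). Each field
 * is decided on its own; when no field is selected the extension is omitted entirely.
 *
 * @param rootNodeEntry entry whose key is the extension schema URN
 * @param mapper used to parse multi-valued field values, whose stored form is a JSON array
 * @param user the user whose extension is serialized
 * @param jsonGenerator target generator; receives a field name followed by an object value
 * @throws Exception on generator or value-parsing failures
 */
protected void serializeUserExtension(Map.Entry<String, JsonNode> rootNodeEntry, ObjectMapper mapper, User user, JsonGenerator jsonGenerator) throws Exception {
    String schemaUrn = rootNodeEntry.getKey();
    Extension extension = user.getExtension(schemaUrn);
    Map<String, Object> fields = new HashMap<String, Object>();
    boolean anyFieldSelected = false;
    for (Map.Entry<String, Extension.Field> extEntry : extension.getFields().entrySet()) {
        // The projection is applied per field. Previously the first matching field unlocked
        // every later field of the extension, so attributes the caller never requested were
        // returned as well.
        if (!isExtensionFieldSelected(extEntry.getKey())) {
            continue;
        }
        anyFieldSelected = true;
        putExtensionFieldValue(fields, mapper, extEntry.getKey(), extEntry.getValue());
    }
    // A selected field whose multi-valued type is not convertible leaves the map empty, but the
    // extension object is still written (possibly as {}), as before.
    if (anyFieldSelected) {
        jsonGenerator.writeFieldName(schemaUrn);
        jsonGenerator.writeObject(fields);
    }
}

/**
 * Returns whether the extension field {@code fieldName} passes the attribute projection: true
 * when no projection was requested, otherwise only when some requested attribute, with its
 * schema URN prefix stripped, equals the field name ignoring case.
 */
private boolean isExtensionFieldSelected(String fieldName) {
    if (attributes == null || attributes.size() == 0) {
        return true;
    }
    for (String attribute : attributes) {
        if (fieldName.equalsIgnoreCase(FilterUtil.stripScim2Schema(attribute))) {
            return true;
        }
    }
    return false;
}

/**
 * Converts one extension field value and stores it under {@code fieldName} in {@code target}.
 * Single-valued fields are stored unchanged. Multi-valued fields are parsed from their JSON
 * array form according to the attribute's data type; dates are re-rendered as ISO-8601 UTC
 * strings. Multi-valued fields of any other data type are not stored (unchanged behaviour —
 * their wire form is not defined here).
 */
private void putExtensionFieldValue(Map<String, Object> target, ObjectMapper mapper, String fieldName, Extension.Field field) throws Exception {
    GluuAttribute gluuAttribute = attributeService.getAttributeByName(fieldName);
    // NOTE(review): a null result from getAttributeByName is not handled and surfaces as a
    // NullPointerException, as before — confirm whether unknown field names can reach here.
    boolean multiValued = gluuAttribute.getOxMultivaluedAttribute() != null && gluuAttribute.getOxMultivaluedAttribute().equals(OxMultivalued.TRUE);
    if (!multiValued) {
        target.put(fieldName, field.getValue());
        return;
    }
    GluuAttributeDataType dataType = gluuAttribute.getDataType();
    if (dataType.equals(GluuAttributeDataType.STRING) || dataType.equals(GluuAttributeDataType.PHOTO)) {
        target.put(fieldName, Arrays.asList(mapper.readValue(field.getValue(), String[].class)));
    } else if (dataType.equals(GluuAttributeDataType.DATE)) {
        DateTimeFormatter isoUtc = ISODateTimeFormat.dateTime().withZoneUTC();
        List<String> dateStrings = new ArrayList<String>();
        for (Date date : mapper.readValue(field.getValue(), Date[].class)) {
            dateStrings.add(isoUtc.print(date.getTime()));
        }
        target.put(fieldName, dateStrings);
    } else if (dataType.equals(GluuAttributeDataType.NUMERIC)) {
        target.put(fieldName, Arrays.asList(mapper.readValue(field.getValue(), BigDecimal[].class)));
    }
}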

Example 57 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project qpid-broker-j by apache.

the class TlsResourceBuilder method createCertificate.

/**
 * Issues a certificate for the public key of {@code keyPair}, signed by {@code ca}.
 * <p>
 * The issuer is taken from the CA certificate, the subject is {@code dn} parsed with
 * {@code RFC4519Style}, and the validity window comes from {@code validityPeriod}. A
 * non-critical BasicConstraints extension with {@code cA=false} is always added first, so
 * certificates built here are marked as non-CA; caller-supplied {@code extensions} are added
 * after it in the given order.
 *
 * @param keyPair key pair whose public key is certified
 * @param ca issuing certificate together with the private key used to sign
 * @param dn subject distinguished name
 * @param validityPeriod notBefore / notAfter bounds of the certificate
 * @param extensions additional X.509 v3 extensions to include
 * @return the signed certificate
 * @throws CertificateException wrapping any signing or encoding failure
 */
private static X509Certificate createCertificate(final KeyPair keyPair, final KeyCertificatePair ca, final String dn, final ValidityPeriod validityPeriod, final Extension... extensions) throws CertificateException {
    final Date notBefore = new Date(validityPeriod.getFrom().toEpochMilli());
    final Date notAfter = new Date(validityPeriod.getTo().toEpochMilli());
    final X500Name subject = new X500Name(RFC4519Style.INSTANCE, dn);
    try {
        final X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(ca.getCertificate(), generateSerialNumber(), notBefore, notAfter, subject, keyPair.getPublic());
        // Always a leaf: cA=false, and the constraint is deliberately left non-critical.
        certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
        for (final Extension extension : extensions) {
            certBuilder.addExtension(extension);
        }
        return buildX509Certificate(certBuilder, ca.getPrivateKey());
    } catch (OperatorException | IOException e) {
        throw new CertificateException(e);
    }
}

Example 58 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project qpid-broker-j by apache.

the class TlsResourceBuilder method createDistributionPointExtension.

/**
 * Builds a non-critical CRLDistributionPoints extension that advertises a single CRL located
 * at {@code crlUri}. The distribution point carries only a full name (the URI); its reasons
 * and CRL issuer fields are left absent.
 *
 * @param crlUri URI from which the CRL for certificates carrying this extension can be fetched
 * @return the DER-encoded extension, ready to be added to a certificate builder
 * @throws CertificateException if the distribution point structure cannot be encoded
 */
private static Extension createDistributionPointExtension(final String crlUri) throws CertificateException {
    final GeneralName crlLocation = new GeneralName(GeneralName.uniformResourceIdentifier, crlUri);
    final DistributionPointName fullName = new DistributionPointName(new GeneralNames(crlLocation));
    // reasons and crlIssuer are both omitted (null)
    final DistributionPoint point = new DistributionPoint(fullName, null, null);
    try {
        final byte[] encoded = new CRLDistPoint(new DistributionPoint[] { point }).getEncoded();
        return new Extension(Extension.cRLDistributionPoints, false, encoded);
    } catch (IOException e) {
        throw new CertificateException(e);
    }
}

Example 59 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project Spark by igniterealtime.

the class SparkTrustManager method validatePath.

/**
 * Validates the peer certificate chain against the configured trust store with the PKIX
 * algorithm, with revocation checking driven by the {@code acceptRevoked},
 * {@code allowSoftFail}, {@code checkOCSP} and {@code checkCRL} settings.
 * <p>
 * Time validity is not checked here (the selector's date check is disabled) because
 * {@code checkDateValidity} is expected to have done it already. After the PKIX run every chain
 * element except the last is passed to {@code checkBasicConstraints}. If a
 * {@link CertificateRevokedException} is raised inside the try block, each chain certificate
 * listed in one of the known CRLs is added to the blacklist and the failure is reported as a
 * {@link CertificateException}.
 *
 * @param chain the peer's certificate chain, end-entity first; must hold at least one element
 * @throws NoSuchAlgorithmException if no PKIX validator or builder is available
 * @throws KeyStoreException if the trust store cannot be read
 * @throws InvalidAlgorithmParameterException if the PKIX parameters are rejected
 * @throws CertPathValidatorException if path validation fails (see the note on revocation in the catch block)
 * @throws CertPathBuilderException if no path to a trust anchor can be built
 * @throws CertificateException if the trust anchor carries no certificate, a basic-constraints check fails, or the chain was found revoked
 */
private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertPathBuilderException, CertificateException {
    // PKIX algorithm is defined in rfc3280 (obsoleted by RFC 5280)
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
    X509CertSelector certSelector = new X509CertSelector();
    // set last certificate (often root CA) from chain for CertSelector so trust store must contain it
    // NOTE(review): because the build target is chain[chain.length - 1], the PKIX build/validate
    // run below covers that certificate and its anchor only; chain[0] and any intermediates are
    // not signature- or name-chained by this call — confirm the rest of the chain is validated
    // elsewhere (checkDateValidity covers dates only, per the comment below).
    certSelector.setCertificate(chain[chain.length - 1]);
    // checks against time validity aren't done here as are already done in checkDateValidity (X509Certificate[]
    // chain)
    certSelector.setCertificateValid(null);
    // create parameters using trustStore as source of Trust Anchors and using X509CertSelector
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // will use PKIXRevocationChecker (or nothing if revocation mechanisms are
    // disabled) instead of the default revocation checker
    parameters.setRevocationEnabled(false);
    // certificates from blacklist will be rejected
    // No checker is registered when acceptRevoked is true, and also when only OCSP is enabled
    // (checkOCSP && !checkCRL): in both cases this run performs no revocation checking at all.
    if (acceptRevoked == false) {
        // OCSP checking is done according to Java PKI Programmer's Guide, PKIXRevocationChecker was added in Java 8:
        // https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker
        PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> checkerOptions = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        // if soft fail is enabled then in case of network issues revocation checking is omitted
        if (allowSoftFail) {
            checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        // check OCSP, CRL serve as backup
        if (checkOCSP && checkCRL) {
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        } else if (!checkOCSP && checkCRL) {
            // check only CRL, if CRL fail then there is no fallback to OCSP
            checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
            checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        }
    }
    try {
        // the same parameters drive both the build and the subsequent validation
        CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
        CertPath certPath = pathResult.getCertPath();
        PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, parameters);
        // a trust anchor may be defined by name and key only; this implementation requires a certificate
        X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();
        if (trustedCert == null) {
            throw new CertificateException("certificate path failed: Trusted CA is NULL");
        }
        // basic constraints are checked for every element except the last one (the root CA)
        for (int i = 0; i < chain.length - 1; i++) {
            checkBasicConstraints(chain[i]);
        }
    } catch (CertificateRevokedException e) {
        // NOTE(review): the JDK PKIX provider reports a revoked certificate as a
        // CertPathValidatorException (reason BasicReason.REVOKED, typically with a
        // CertificateRevokedException as its cause), which is a declared exception and propagates
        // past this handler. This block is only reached if something in the try block throws
        // CertificateRevokedException directly — confirm which path is intended, or additionally
        // match CertPathValidatorException.getReason() == BasicReason.REVOKED here.
        Log.warning("Certificate was revoked", e);
        // only certificates found in a locally known CRL are blacklisted; OCSP-only revocations are not
        for (X509Certificate cert : chain) {
            for (X509CRL crl : crlCollection) {
                if (crl.isRevoked(cert)) {
                    try {
                        addToBlackList(cert);
                    } catch (IOException | HeadlessException | InvalidNameException e1) {
                        // blacklisting is best-effort; the chain is rejected below regardless
                        Log.error("Couldn't move to the blacklist", e1);
                    }
                    break;
                }
            }
        }
        throw new CertificateException("Certificate was revoked");
    }
}

Example 60 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project xipki by xipki.

the class X509Util method extractSki.

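/**
 * Extracts the raw SubjectKeyIdentifier — the octets inside the extension's OCTET STRING —
 * from a BouncyCastle certificate structure.
 *
 * @param cert the certificate to inspect; must not be null
 * @return the key identifier bytes, or {@code null} if the certificate has no extensions block
 *         at all (e.g. a v1 certificate) or no SubjectKeyIdentifier extension
 * @throws CertificateEncodingException if the extension is present but its value is not a
 *         well-formed OCTET STRING
 */
public static byte[] extractSki(org.bouncycastle.asn1.x509.Certificate cert) throws CertificateEncodingException {
    ParamUtil.requireNonNull("cert", cert);
    // getExtensions() is null when the TBSCertificate carries no extensions; previously this
    // case surfaced as a NullPointerException instead of "no SKI".
    if (cert.getTBSCertificate().getExtensions() == null) {
        return null;
    }
    Extension skiExtension = cert.getTBSCertificate().getExtensions().getExtension(Extension.subjectKeyIdentifier);
    if (skiExtension == null) {
        return null;
    }
    try {
        return ASN1OctetString.getInstance(skiExtension.getParsedValue()).getOctets();
    } catch (IllegalArgumentException ex) {
        // keep the parse failure as the cause so callers can see what was malformed
        throw new CertificateEncodingException("invalid extension SubjectKeyIdentifier: " + ex.getMessage(), ex);
    }
}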
