use of com.github.zhenwei.core.asn1.x509.Extension in project xipki by xipki.
the class ExtensionsChecker method checkExtensionBiometricInfo.
// method checkExtensionQcStatements
private void checkExtensionBiometricInfo(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
BiometricInfoOption conf = certProfile.getBiometricInfo();
if (conf == null) {
failureMsg.append("extension is present but not expected; ");
return;
}
ASN1Encodable extInRequest = null;
if (requestedExtensions != null) {
extInRequest = requestedExtensions.getExtensionParsedValue(Extension.biometricInfo);
}
if (extInRequest == null) {
failureMsg.append("extension is present but not expected; ");
return;
}
ASN1Sequence extValueInReq = ASN1Sequence.getInstance(extInRequest);
final int expSize = extValueInReq.size();
ASN1Sequence extValue = ASN1Sequence.getInstance(extensionValue);
final int isSize = extValue.size();
if (isSize != expSize) {
addViolation(failureMsg, "number of biometricData", isSize, expSize);
return;
}
for (int i = 0; i < expSize; i++) {
BiometricData isData = BiometricData.getInstance(extValue.getObjectAt(i));
BiometricData expData = BiometricData.getInstance(extValueInReq.getObjectAt(i));
TypeOfBiometricData isType = isData.getTypeOfBiometricData();
TypeOfBiometricData expType = expData.getTypeOfBiometricData();
if (!isType.equals(expType)) {
String isStr = isType.isPredefined() ? Integer.toString(isType.getPredefinedBiometricType()) : isType.getBiometricDataOid().getId();
String expStr = expType.isPredefined() ? Integer.toString(expType.getPredefinedBiometricType()) : expType.getBiometricDataOid().getId();
addViolation(failureMsg, "biometricData[" + i + "].typeOfBiometricData", isStr, expStr);
}
ASN1ObjectIdentifier is = isData.getHashAlgorithm().getAlgorithm();
ASN1ObjectIdentifier exp = expData.getHashAlgorithm().getAlgorithm();
if (!is.equals(exp)) {
addViolation(failureMsg, "biometricData[" + i + "].hashAlgorithm", is.getId(), exp.getId());
}
ASN1Encodable isHashAlgoParam = isData.getHashAlgorithm().getParameters();
if (isHashAlgoParam == null) {
failureMsg.append("biometricData[").append(i).append("].hashAlgorithm.parameters is 'present' but expected 'absent'; ");
} else {
try {
byte[] isBytes = isHashAlgoParam.toASN1Primitive().getEncoded();
if (!Arrays.equals(isBytes, DER_NULL)) {
addViolation(failureMsg, "biometricData[" + i + "].biometricDataHash.parameters", hex(isBytes), hex(DER_NULL));
}
} catch (IOException ex) {
failureMsg.append("biometricData[").append(i).append("].biometricDataHash.parameters has incorrect syntax; ");
}
}
byte[] isBytes = isData.getBiometricDataHash().getOctets();
byte[] expBytes = expData.getBiometricDataHash().getOctets();
if (!Arrays.equals(isBytes, expBytes)) {
addViolation(failureMsg, "biometricData[" + i + "].biometricDataHash", hex(isBytes), hex(expBytes));
}
DERIA5String str = isData.getSourceDataUri();
String isSourceDataUri = (str == null) ? null : str.getString();
String expSourceDataUri = null;
if (conf.getSourceDataUriOccurrence() != TripleState.FORBIDDEN) {
str = expData.getSourceDataUri();
expSourceDataUri = (str == null) ? null : str.getString();
}
if (expSourceDataUri == null) {
if (isSourceDataUri != null) {
addViolation(failureMsg, "biometricData[" + i + "].sourceDataUri", "present", "absent");
}
} else {
if (isSourceDataUri == null) {
failureMsg.append("biometricData[").append(i).append("].sourceDataUri is 'absent'");
failureMsg.append(" but expected 'present'; ");
} else if (!isSourceDataUri.equals(expSourceDataUri)) {
addViolation(failureMsg, "biometricData[" + i + "].sourceDataUri", isSourceDataUri, expSourceDataUri);
}
}
}
}
use of com.github.zhenwei.core.asn1.x509.Extension in project xipki by xipki.
the class ExtensionsChecker method checkExtensionSubjectInfoAccess.
private void checkExtensionSubjectInfoAccess(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
Map<ASN1ObjectIdentifier, Set<GeneralNameMode>> conf = certProfile.getSubjectInfoAccessModes();
if (conf == null) {
failureMsg.append("extension is present but not expected; ");
return;
}
ASN1Encodable requestExtValue = null;
if (requestedExtensions != null) {
requestExtValue = requestedExtensions.getExtensionParsedValue(Extension.subjectInfoAccess);
}
if (requestExtValue == null) {
failureMsg.append("extension is present but not expected; ");
return;
}
ASN1Sequence requestSeq = ASN1Sequence.getInstance(requestExtValue);
ASN1Sequence certSeq = ASN1Sequence.getInstance(extensionValue);
int size = requestSeq.size();
if (certSeq.size() != size) {
addViolation(failureMsg, "size of GeneralNames", certSeq.size(), size);
return;
}
for (int i = 0; i < size; i++) {
AccessDescription ad = AccessDescription.getInstance(requestSeq.getObjectAt(i));
ASN1ObjectIdentifier accessMethod = ad.getAccessMethod();
Set<GeneralNameMode> generalNameModes = conf.get(accessMethod);
if (generalNameModes == null) {
failureMsg.append("accessMethod in requestedExtension ").append(accessMethod.getId()).append(" is not allowed; ");
continue;
}
AccessDescription certAccessDesc = AccessDescription.getInstance(certSeq.getObjectAt(i));
ASN1ObjectIdentifier certAccessMethod = certAccessDesc.getAccessMethod();
boolean bo = (accessMethod == null) ? (certAccessMethod == null) : accessMethod.equals(certAccessMethod);
if (!bo) {
addViolation(failureMsg, "accessMethod", (certAccessMethod == null) ? "null" : certAccessMethod.getId(), (accessMethod == null) ? "null" : accessMethod.getId());
continue;
}
GeneralName accessLocation;
try {
accessLocation = createGeneralName(ad.getAccessLocation(), generalNameModes);
} catch (BadCertTemplateException ex) {
failureMsg.append("invalid requestedExtension: ").append(ex.getMessage()).append("; ");
continue;
}
GeneralName certAccessLocation = certAccessDesc.getAccessLocation();
if (!certAccessLocation.equals(accessLocation)) {
failureMsg.append("accessLocation does not match the requested one; ");
}
}
}
use of com.github.zhenwei.core.asn1.x509.Extension in project xipki by xipki.
the class ExtensionsChecker method checkExtensionAdmission.
// method checkExtensionDeltaCrlDistributionPoints
private void checkExtensionAdmission(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
AdmissionSyntaxOption conf = certProfile.getAdmission();
ASN1ObjectIdentifier type = ObjectIdentifiers.id_extension_admission;
if (conf == null) {
byte[] expected = getExpectedExtValue(type, requestedExtensions, extControl);
if (!Arrays.equals(expected, extensionValue)) {
addViolation(failureMsg, "extension value", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
}
return;
}
List<List<String>> reqRegNumsList = null;
if (requestedExtensions != null && conf.isInputFromRequestRequired()) {
Extension extension = requestedExtensions.getExtension(type);
if (extension == null) {
failureMsg.append("no Admission extension is contained in the request;");
return;
}
Admissions[] reqAdmissions = org.bouncycastle.asn1.isismtt.x509.AdmissionSyntax.getInstance(extension.getParsedValue()).getContentsOfAdmissions();
final int n = reqAdmissions.length;
reqRegNumsList = new ArrayList<>(n);
for (int i = 0; i < n; i++) {
Admissions reqAdmission = reqAdmissions[i];
ProfessionInfo[] reqPis = reqAdmission.getProfessionInfos();
List<String> reqNums = new ArrayList<>(reqPis.length);
reqRegNumsList.add(reqNums);
for (ProfessionInfo reqPi : reqPis) {
String reqNum = reqPi.getRegistrationNumber();
reqNums.add(reqNum);
}
}
}
try {
byte[] expected = conf.getExtensionValue(reqRegNumsList).getValue().toASN1Primitive().getEncoded();
if (!Arrays.equals(expected, extensionValue)) {
addViolation(failureMsg, "extension valus", hex(extensionValue), hex(expected));
}
} catch (IOException ex) {
LogUtil.error(LOG, ex);
failureMsg.append("IOException while computing the expected extension value;");
return;
} catch (BadCertTemplateException ex) {
LogUtil.error(LOG, ex);
failureMsg.append("BadCertTemplateException while computing the expected extension value;");
}
}
use of com.github.zhenwei.core.asn1.x509.Extension in project xipki by xipki.
the class ExtensionsChecker method checkExtensionTlsFeature.
// method checkExtensionExtendedKeyUsage
private void checkExtensionTlsFeature(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
QaTlsFeature conf = tlsFeature;
if (conf == null) {
byte[] expected = getExpectedExtValue(ObjectIdentifiers.id_pe_tlsfeature, requestedExtensions, extControl);
if (!Arrays.equals(expected, extensionValue)) {
addViolation(failureMsg, "extension values", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
}
return;
}
Set<String> isFeatures = new HashSet<>();
ASN1Sequence seq = ASN1Sequence.getInstance(extensionValue);
final int n = seq.size();
for (int i = 0; i < n; i++) {
ASN1Integer asn1Feature = ASN1Integer.getInstance(seq.getObjectAt(i));
isFeatures.add(asn1Feature.getPositiveValue().toString());
}
Set<String> expFeatures = new HashSet<>();
for (Integer m : conf.getFeatures()) {
expFeatures.add(m.toString());
}
Set<String> diffs = strInBnotInA(expFeatures, isFeatures);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("features ").append(diffs.toString()).append(" are present but not expected; ");
}
diffs = strInBnotInA(isFeatures, expFeatures);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("features ").append(diffs.toString()).append(" are absent but are required; ");
}
}
use of com.github.zhenwei.core.asn1.x509.Extension in project xipki by xipki.
the class ExtensionsChecker method checkExtensionExtendedKeyUsage.
// method checkExtensionKeyUsage
private void checkExtensionExtendedKeyUsage(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
Set<String> isUsages = new HashSet<>();
org.bouncycastle.asn1.x509.ExtendedKeyUsage keyusage = org.bouncycastle.asn1.x509.ExtendedKeyUsage.getInstance(extensionValue);
KeyPurposeId[] usages = keyusage.getUsages();
if (usages != null) {
for (KeyPurposeId usage : usages) {
isUsages.add(usage.getId());
}
}
Set<String> expectedUsages = new HashSet<>();
Set<ExtKeyUsageControl> requiredExtKeyusage = getExtKeyusage(true);
if (requiredExtKeyusage != null) {
for (ExtKeyUsageControl usage : requiredExtKeyusage) {
expectedUsages.add(usage.getExtKeyUsage().getId());
}
}
Set<ExtKeyUsageControl> optionalExtKeyusage = getExtKeyusage(false);
if (requestedExtensions != null && extControl.isRequest() && CollectionUtil.isNonEmpty(optionalExtKeyusage)) {
Extension extension = requestedExtensions.getExtension(Extension.extendedKeyUsage);
if (extension != null) {
org.bouncycastle.asn1.x509.ExtendedKeyUsage reqKeyUsage = org.bouncycastle.asn1.x509.ExtendedKeyUsage.getInstance(extension.getParsedValue());
for (ExtKeyUsageControl k : optionalExtKeyusage) {
if (reqKeyUsage.hasKeyPurposeId(KeyPurposeId.getInstance(k.getExtKeyUsage()))) {
expectedUsages.add(k.getExtKeyUsage().getId());
}
}
}
}
if (CollectionUtil.isEmpty(expectedUsages)) {
byte[] constantExtValue = getConstantExtensionValue(Extension.keyUsage);
if (constantExtValue != null) {
expectedUsages = getExtKeyUsage(constantExtValue);
}
}
Set<String> diffs = strInBnotInA(expectedUsages, isUsages);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("usages ").append(diffs.toString()).append(" are present but not expected; ");
}
diffs = strInBnotInA(isUsages, expectedUsages);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("usages ").append(diffs.toString()).append(" are absent but are required; ");
}
}
Aggregations