Search in sources :

Example 71 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project xipki by xipki.

the class ExtensionsChecker method checkExtensionIssuerAltNames.

// method checkExtensionSubjectInfoAccess
private void checkExtensionIssuerAltNames(StringBuilder failureMsg, byte[] extensionValue, X509IssuerInfo issuerInfo) {
    Extension caSubjectAltExtension = issuerInfo.getBcCert().getTBSCertificate().getExtensions().getExtension(Extension.subjectAlternativeName);
    if (caSubjectAltExtension == null) {
        failureMsg.append("issuerAlternativeName is present but expected 'none'; ");
        return;
    }
    byte[] caSubjectAltExtensionValue = caSubjectAltExtension.getExtnValue().getOctets();
    if (!Arrays.equals(caSubjectAltExtensionValue, extensionValue)) {
        addViolation(failureMsg, "issuerAltNames", hex(extensionValue), hex(caSubjectAltExtensionValue));
    }
}
Also used : Extension(org.bouncycastle.asn1.x509.Extension)

Example 72 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project xipki by xipki.

the class ExtensionsChecker method checkExtensions.

// constructor
public List<ValidationIssue> checkExtensions(Certificate cert, X509IssuerInfo issuerInfo, Extensions requestedExtensions, X500Name requestedSubject) {
    ParamUtil.requireNonNull("cert", cert);
    ParamUtil.requireNonNull("issuerInfo", issuerInfo);
    X509Certificate jceCert;
    try {
        jceCert = X509Util.toX509Cert(cert);
    } catch (CertificateException ex) {
        throw new IllegalArgumentException("invalid cert: " + ex.getMessage());
    }
    List<ValidationIssue> result = new LinkedList<>();
    // detect the list of extension types in certificate
    Set<ASN1ObjectIdentifier> presentExtenionTypes = getExensionTypes(cert, issuerInfo, requestedExtensions);
    Extensions extensions = cert.getTBSCertificate().getExtensions();
    ASN1ObjectIdentifier[] oids = extensions.getExtensionOIDs();
    if (oids == null) {
        ValidationIssue issue = new ValidationIssue("X509.EXT.GEN", "extension general");
        result.add(issue);
        issue.setFailureMessage("no extension is present");
        return result;
    }
    List<ASN1ObjectIdentifier> certExtTypes = Arrays.asList(oids);
    for (ASN1ObjectIdentifier extType : presentExtenionTypes) {
        if (!certExtTypes.contains(extType)) {
            ValidationIssue issue = createExtensionIssue(extType);
            result.add(issue);
            issue.setFailureMessage("extension is absent but is required");
        }
    }
    Map<ASN1ObjectIdentifier, ExtensionControl> extensionControls = certProfile.getExtensionControls();
    for (ASN1ObjectIdentifier oid : certExtTypes) {
        ValidationIssue issue = createExtensionIssue(oid);
        result.add(issue);
        if (!presentExtenionTypes.contains(oid)) {
            issue.setFailureMessage("extension is present but is not permitted");
            continue;
        }
        Extension ext = extensions.getExtension(oid);
        StringBuilder failureMsg = new StringBuilder();
        ExtensionControl extControl = extensionControls.get(oid);
        if (extControl.isCritical() != ext.isCritical()) {
            addViolation(failureMsg, "critical", ext.isCritical(), extControl.isCritical());
        }
        byte[] extensionValue = ext.getExtnValue().getOctets();
        try {
            if (Extension.authorityKeyIdentifier.equals(oid)) {
                // AuthorityKeyIdentifier
                checkExtensionIssuerKeyIdentifier(failureMsg, extensionValue, issuerInfo);
            } else if (Extension.subjectKeyIdentifier.equals(oid)) {
                // SubjectKeyIdentifier
                checkExtensionSubjectKeyIdentifier(failureMsg, extensionValue, cert.getSubjectPublicKeyInfo());
            } else if (Extension.keyUsage.equals(oid)) {
                // KeyUsage
                checkExtensionKeyUsage(failureMsg, extensionValue, jceCert.getKeyUsage(), requestedExtensions, extControl);
            } else if (Extension.certificatePolicies.equals(oid)) {
                // CertificatePolicies
                checkExtensionCertificatePolicies(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.policyMappings.equals(oid)) {
                // Policy Mappings
                checkExtensionPolicyMappings(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.subjectAlternativeName.equals(oid)) {
                // SubjectAltName
                checkExtensionSubjectAltName(failureMsg, extensionValue, requestedExtensions, extControl, requestedSubject);
            } else if (Extension.subjectDirectoryAttributes.equals(oid)) {
                // SubjectDirectoryAttributes
                checkExtensionSubjectDirAttrs(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.issuerAlternativeName.equals(oid)) {
                // IssuerAltName
                checkExtensionIssuerAltNames(failureMsg, extensionValue, issuerInfo);
            } else if (Extension.basicConstraints.equals(oid)) {
                // Basic Constraints
                checkExtensionBasicConstraints(failureMsg, extensionValue);
            } else if (Extension.nameConstraints.equals(oid)) {
                // Name Constraints
                checkExtensionNameConstraints(failureMsg, extensionValue, extensions, extControl);
            } else if (Extension.policyConstraints.equals(oid)) {
                // PolicyConstrains
                checkExtensionPolicyConstraints(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.extendedKeyUsage.equals(oid)) {
                // ExtendedKeyUsage
                checkExtensionExtendedKeyUsage(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.cRLDistributionPoints.equals(oid)) {
                // CRL Distribution Points
                checkExtensionCrlDistributionPoints(failureMsg, extensionValue, issuerInfo);
            } else if (Extension.inhibitAnyPolicy.equals(oid)) {
                // Inhibit anyPolicy
                checkExtensionInhibitAnyPolicy(failureMsg, extensionValue, extensions, extControl);
            } else if (Extension.freshestCRL.equals(oid)) {
                // Freshest CRL
                checkExtensionDeltaCrlDistributionPoints(failureMsg, extensionValue, issuerInfo);
            } else if (Extension.authorityInfoAccess.equals(oid)) {
                // Authority Information Access
                checkExtensionAuthorityInfoAccess(failureMsg, extensionValue, issuerInfo);
            } else if (Extension.subjectInfoAccess.equals(oid)) {
                // SubjectInfoAccess
                checkExtensionSubjectInfoAccess(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (ObjectIdentifiers.id_extension_admission.equals(oid)) {
                // Admission
                checkExtensionAdmission(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (ObjectIdentifiers.id_extension_pkix_ocsp_nocheck.equals(oid)) {
                // ocsp-nocheck
                checkExtensionOcspNocheck(failureMsg, extensionValue);
            } else if (ObjectIdentifiers.id_extension_restriction.equals(oid)) {
                // restriction
                checkExtensionRestriction(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (ObjectIdentifiers.id_extension_additionalInformation.equals(oid)) {
                // additionalInformation
                checkExtensionAdditionalInformation(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (ObjectIdentifiers.id_extension_validityModel.equals(oid)) {
                // validityModel
                checkExtensionValidityModel(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.privateKeyUsagePeriod.equals(oid)) {
                // privateKeyUsagePeriod
                checkExtensionPrivateKeyUsagePeriod(failureMsg, extensionValue, jceCert.getNotBefore(), jceCert.getNotAfter());
            } else if (Extension.qCStatements.equals(oid)) {
                // qCStatements
                checkExtensionQcStatements(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.biometricInfo.equals(oid)) {
                // biometricInfo
                checkExtensionBiometricInfo(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (ObjectIdentifiers.id_pe_tlsfeature.equals(oid)) {
                // tlsFeature
                checkExtensionTlsFeature(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (ObjectIdentifiers.id_xipki_ext_authorizationTemplate.equals(oid)) {
                // authorizationTemplate
                checkExtensionAuthorizationTemplate(failureMsg, extensionValue, requestedExtensions, extControl);
            } else {
                byte[] expected;
                if (ObjectIdentifiers.id_smimeCapabilities.equals(oid)) {
                    // SMIMECapabilities
                    expected = smimeCapabilities.getValue();
                } else {
                    expected = getExpectedExtValue(oid, requestedExtensions, extControl);
                }
                if (!Arrays.equals(expected, extensionValue)) {
                    addViolation(failureMsg, "extension valus", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
                }
            }
            if (failureMsg.length() > 0) {
                issue.setFailureMessage(failureMsg.toString());
            }
        } catch (IllegalArgumentException | ClassCastException | ArrayIndexOutOfBoundsException ex) {
            LOG.debug("extension value does not have correct syntax", ex);
            issue.setFailureMessage("extension value does not have correct syntax");
        }
    }
    return result;
}
Also used : CertificateException(java.security.cert.CertificateException) Extensions(org.bouncycastle.asn1.x509.Extensions) ValidationIssue(org.xipki.common.qa.ValidationIssue) X509Certificate(java.security.cert.X509Certificate) LinkedList(java.util.LinkedList) Extension(org.bouncycastle.asn1.x509.Extension) ExtensionControl(org.xipki.ca.api.profile.ExtensionControl) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 73 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project xipki by xipki.

the class IdentifiedX509Certprofile method getExtensions.

/**
 * TODO.
 * @param requestedSubject
 *          Subject requested subject. Must not be {@code null}.
 * @param grantedSubject
 *          Granted subject. Must not be {@code null}.
 * @param requestedExtensions
 *          Extensions requested by the requestor. Could be {@code null}.
 * @param publicKeyInfo
 *          Subject public key. Must not be {@code null}.
 * @param publicCaInfo
 *          CA information. Must not be {@code null}.
 * @param crlSignerCert
 *          CRL signer certificate. Could be {@code null}.
 * @param notBefore
 *          NotBefore. Must not be {@code null}.
 * @param notAfter
 *          NotAfter. Must not be {@code null}.
 * @param caInfo
 *          CA information.
 * @return the extensions of the certificate to be issued.
 */
public ExtensionValues getExtensions(X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions, SubjectPublicKeyInfo publicKeyInfo, PublicCaInfo publicCaInfo, X509Certificate crlSignerCert, Date notBefore, Date notAfter) throws CertprofileException, BadCertTemplateException {
    ParamUtil.requireNonNull("publicKeyInfo", publicKeyInfo);
    ExtensionValues values = new ExtensionValues();
    Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls());
    Set<ASN1ObjectIdentifier> neededExtTypes = new HashSet<>();
    Set<ASN1ObjectIdentifier> wantedExtTypes = new HashSet<>();
    if (requestedExtensions != null) {
        Extension reqExtension = requestedExtensions.getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions);
        if (reqExtension != null) {
            ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue());
            neededExtTypes.addAll(ee.getNeedExtensions());
            wantedExtTypes.addAll(ee.getWantExtensions());
        }
        for (ASN1ObjectIdentifier oid : neededExtTypes) {
            if (wantedExtTypes.contains(oid)) {
                wantedExtTypes.remove(oid);
            }
            if (!controls.containsKey(oid)) {
                throw new BadCertTemplateException("could not add needed extension " + oid.getId());
            }
        }
    }
    // SubjectKeyIdentifier
    ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier;
    ExtensionControl extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
        byte[] encodedSpki = publicKeyInfo.getPublicKeyData().getBytes();
        byte[] skiValue = HashAlgo.SHA1.hash(encodedSpki);
        SubjectKeyIdentifier value = new SubjectKeyIdentifier(skiValue);
        addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
    }
    // Authority key identifier
    extType = Extension.authorityKeyIdentifier;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
        byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer();
        AuthorityKeyIdentifier value = null;
        if (ikiValue != null) {
            if (certprofile.includesIssuerAndSerialInAki()) {
                GeneralNames x509CaSubject = new GeneralNames(new GeneralName(publicCaInfo.getX500Subject()));
                value = new AuthorityKeyIdentifier(ikiValue, x509CaSubject, publicCaInfo.getSerialNumber());
            } else {
                value = new AuthorityKeyIdentifier(ikiValue);
            }
        }
        addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
    }
    // IssuerAltName
    extType = Extension.issuerAlternativeName;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
        GeneralNames value = publicCaInfo.getSubjectAltName();
        addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
    }
    // AuthorityInfoAccess
    extType = Extension.authorityInfoAccess;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
        AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl();
        List<String> caIssuers = null;
        if (aiaControl == null || aiaControl.isIncludesCaIssuers()) {
            caIssuers = publicCaInfo.getCaCertUris();
        }
        List<String> ocspUris = null;
        if (aiaControl == null || aiaControl.isIncludesOcsp()) {
            ocspUris = publicCaInfo.getOcspUris();
        }
        if (CollectionUtil.isNonEmpty(caIssuers) || CollectionUtil.isNonEmpty(ocspUris)) {
            AuthorityInformationAccess value = CaUtil.createAuthorityInformationAccess(caIssuers, ocspUris);
            addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
        }
    }
    if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) {
        X500Name crlSignerSubject = (crlSignerCert == null) ? null : X500Name.getInstance(crlSignerCert.getSubjectX500Principal().getEncoded());
        X500Name x500CaPrincipal = publicCaInfo.getX500Subject();
        // CRLDistributionPoints
        extType = Extension.cRLDistributionPoints;
        extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
            if (CollectionUtil.isNonEmpty(publicCaInfo.getCrlUris())) {
                CRLDistPoint value = CaUtil.createCrlDistributionPoints(publicCaInfo.getCrlUris(), x500CaPrincipal, crlSignerSubject);
                addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
            }
        }
        // FreshestCRL
        extType = Extension.freshestCRL;
        extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
            if (CollectionUtil.isNonEmpty(publicCaInfo.getDeltaCrlUris())) {
                CRLDistPoint value = CaUtil.createCrlDistributionPoints(publicCaInfo.getDeltaCrlUris(), x500CaPrincipal, crlSignerSubject);
                addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
            }
        }
    }
    // BasicConstraints
    extType = Extension.basicConstraints;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
        BasicConstraints value = CaUtil.createBasicConstraints(certprofile.getCertLevel(), certprofile.getPathLenBasicConstraint());
        addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
    }
    // KeyUsage
    extType = Extension.keyUsage;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
        Set<KeyUsage> usages = new HashSet<>();
        Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage();
        for (KeyUsageControl k : usageOccs) {
            if (k.isRequired()) {
                usages.add(k.getKeyUsage());
            }
        }
        // the optional KeyUsage will only be set if requested explicitly
        if (requestedExtensions != null && extControl.isRequest()) {
            addRequestedKeyusage(usages, requestedExtensions, usageOccs);
        }
        org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages);
        addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
    }
    // ExtendedKeyUsage
    extType = Extension.extendedKeyUsage;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
        List<ASN1ObjectIdentifier> usages = new LinkedList<>();
        Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages();
        for (ExtKeyUsageControl k : usageOccs) {
            if (k.isRequired()) {
                usages.add(k.getExtKeyUsage());
            }
        }
        // the optional ExtKeyUsage will only be set if requested explicitly
        if (requestedExtensions != null && extControl.isRequest()) {
            addRequestedExtKeyusage(usages, requestedExtensions, usageOccs);
        }
        if (extControl.isCritical() && usages.contains(ObjectIdentifiers.id_anyExtendedKeyUsage)) {
            extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest());
        }
        ExtendedKeyUsage value = X509Util.createExtendedUsage(usages);
        addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
    }
    // ocsp-nocheck
    extType = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
        // the extension ocsp-nocheck will only be set if requested explicitly
        DERNull value = DERNull.INSTANCE;
        addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
    }
    // SubjectInfoAccess
    extType = Extension.subjectInfoAccess;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
        ASN1Sequence value = null;
        if (requestedExtensions != null && extControl.isRequest()) {
            value = createSubjectInfoAccess(requestedExtensions, certprofile.getSubjectInfoAccessModes());
        }
        addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
    }
    // remove extensions that are not required frrom the list
    List<ASN1ObjectIdentifier> listToRm = null;
    for (ASN1ObjectIdentifier extnType : controls.keySet()) {
        ExtensionControl ctrl = controls.get(extnType);
        if (ctrl.isRequired()) {
            continue;
        }
        if (neededExtTypes.contains(extnType) || wantedExtTypes.contains(extnType)) {
            continue;
        }
        if (listToRm == null) {
            listToRm = new LinkedList<>();
        }
        listToRm.add(extnType);
    }
    if (listToRm != null) {
        for (ASN1ObjectIdentifier extnType : listToRm) {
            controls.remove(extnType);
        }
    }
    ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, grantedSubject, requestedExtensions, notBefore, notAfter, publicCaInfo);
    Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet());
    for (ASN1ObjectIdentifier type : extTypes) {
        extControl = controls.remove(type);
        boolean addMe = addMe(type, extControl, neededExtTypes, wantedExtTypes);
        if (addMe) {
            ExtensionValue value = null;
            if (requestedExtensions != null && extControl.isRequest()) {
                Extension reqExt = requestedExtensions.getExtension(type);
                if (reqExt != null) {
                    value = new ExtensionValue(reqExt.isCritical(), reqExt.getParsedValue());
                }
            }
            if (value == null) {
                value = subvalues.getExtensionValue(type);
            }
            addExtension(values, type, value, extControl, neededExtTypes, wantedExtTypes);
        }
    }
    Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>();
    for (ASN1ObjectIdentifier type : controls.keySet()) {
        if (controls.get(type).isRequired()) {
            unprocessedExtTypes.add(type);
        }
    }
    if (CollectionUtil.isNonEmpty(unprocessedExtTypes)) {
        throw new CertprofileException("could not add required extensions " + toString(unprocessedExtTypes));
    }
    if (CollectionUtil.isNonEmpty(neededExtTypes)) {
        throw new BadCertTemplateException("could not add requested extensions " + toString(neededExtTypes));
    }
    return values;
}
Also used : AuthorityInformationAccess(org.bouncycastle.asn1.x509.AuthorityInformationAccess) AuthorityInfoAccessControl(org.xipki.ca.api.profile.x509.AuthorityInfoAccessControl) HashMap(java.util.HashMap) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) KeyUsage(org.xipki.security.KeyUsage) KeyUsageControl(org.xipki.ca.api.profile.x509.KeyUsageControl) ExtKeyUsageControl(org.xipki.ca.api.profile.x509.ExtKeyUsageControl) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) X500Name(org.bouncycastle.asn1.x500.X500Name) ExtensionValue(org.xipki.ca.api.profile.ExtensionValue) DERNull(org.bouncycastle.asn1.DERNull) CertprofileException(org.xipki.ca.api.profile.CertprofileException) ExtensionControl(org.xipki.ca.api.profile.ExtensionControl) ExtensionValues(org.xipki.ca.api.profile.ExtensionValues) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) HashSet(java.util.HashSet) ExtKeyUsageControl(org.xipki.ca.api.profile.x509.ExtKeyUsageControl) SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier) LinkedList(java.util.LinkedList) Extension(org.bouncycastle.asn1.x509.Extension) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) ExtensionExistence(org.xipki.security.ExtensionExistence) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) GeneralName(org.bouncycastle.asn1.x509.GeneralName) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 74 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project xipki by xipki.

the class IdentifiedX509Certprofile method addRequestedExtKeyusage.

// method addRequestedKeyusage
private static void addRequestedExtKeyusage(List<ASN1ObjectIdentifier> usages, Extensions requestedExtensions, Set<ExtKeyUsageControl> usageOccs) {
    Extension extension = requestedExtensions.getExtension(Extension.extendedKeyUsage);
    if (extension == null) {
        return;
    }
    ExtendedKeyUsage reqKeyUsage = ExtendedKeyUsage.getInstance(extension.getParsedValue());
    for (ExtKeyUsageControl k : usageOccs) {
        if (k.isRequired()) {
            continue;
        }
        if (reqKeyUsage.hasKeyPurposeId(KeyPurposeId.getInstance(k.getExtKeyUsage()))) {
            usages.add(k.getExtKeyUsage());
        }
    }
}
Also used : Extension(org.bouncycastle.asn1.x509.Extension) ExtKeyUsageControl(org.xipki.ca.api.profile.x509.ExtKeyUsageControl) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)

Example 75 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project xipki by xipki.

the class ScepUtil method generateRequest.

public static PKCS10CertificationRequest generateRequest(PrivateKey privatekey, SubjectPublicKeyInfo subjectPublicKeyInfo, X500Name subjectDn, String challengePassword, List<Extension> extensions) throws OperatorCreationException {
    requireNonNull("privatekey", privatekey);
    requireNonNull("subjectPublicKeyInfo", subjectPublicKeyInfo);
    requireNonNull("subjectDn", subjectDn);
    Map<ASN1ObjectIdentifier, ASN1Encodable> attributes = new HashMap<ASN1ObjectIdentifier, ASN1Encodable>();
    if (challengePassword != null && !challengePassword.isEmpty()) {
        DERPrintableString asn1Pwd = new DERPrintableString(challengePassword);
        attributes.put(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, asn1Pwd);
    }
    if (extensions != null && !extensions.isEmpty()) {
        Extensions asn1Extensions = new Extensions(extensions.toArray(new Extension[0]));
        attributes.put(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, asn1Extensions);
    }
    return generateRequest(privatekey, subjectPublicKeyInfo, subjectDn, attributes);
}
Also used : Extension(org.bouncycastle.asn1.x509.Extension) HashMap(java.util.HashMap) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) Extensions(org.bouncycastle.asn1.x509.Extensions) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Aggregations

IOException (java.io.IOException)133 Extension (org.bouncycastle.asn1.x509.Extension)131 X509Certificate (java.security.cert.X509Certificate)80 ArrayList (java.util.ArrayList)78 Enumeration (java.util.Enumeration)75 Extensions (org.bouncycastle.asn1.x509.Extensions)70 BigInteger (java.math.BigInteger)62 CertPathValidatorException (java.security.cert.CertPathValidatorException)60 DEROctetString (org.bouncycastle.asn1.DEROctetString)59 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)58 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)57 GeneralSecurityException (java.security.GeneralSecurityException)55 List (java.util.List)55 HashSet (java.util.HashSet)54 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)51 CertificateExpiredException (java.security.cert.CertificateExpiredException)47 CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)47 CertPathBuilderException (java.security.cert.CertPathBuilderException)45 Set (java.util.Set)45 GeneralName (org.bouncycastle.asn1.x509.GeneralName)44