Search in sources :

Example 96 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project LinLong-Java by zhenwei1108.

the class RevocationUtilities method getDeltaCRLs.

/**
 * Fetches delta CRLs according to RFC 3280 section 5.2.4.
 *
 * @param validityDate The date for which the delta CRLs must be valid.
 * @param completeCRL  The complete CRL the delta CRL is for.
 * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
 * @throws AnnotatedException if an exception occurs while picking the delta CRLs.
 */
protected static Set getDeltaCRLs(Date validityDate, X509CRL completeCRL, List<CertStore> certStores, List<PKIXCRLStore> pkixCrlStores) throws AnnotatedException {
    X509CRLSelector baseDeltaSelect = new X509CRLSelector();
    // 5.2.4 (a)
    try {
        baseDeltaSelect.addIssuerName(completeCRL.getIssuerX500Principal().getEncoded());
    } catch (IOException e) {
        throw new AnnotatedException("cannot extract issuer from CRL.", e);
    }
    BigInteger completeCRLNumber = null;
    try {
        ASN1Primitive derObject = RevocationUtilities.getExtensionValue(completeCRL, Extension.cRLNumber);
        if (derObject != null) {
            completeCRLNumber = ASN1Integer.getInstance(derObject).getPositiveValue();
        }
    } catch (Exception e) {
        throw new AnnotatedException("cannot extract CRL number extension from CRL", e);
    }
    // 5.2.4 (b)
    byte[] idp;
    try {
        idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
    } catch (Exception e) {
        throw new AnnotatedException("issuing distribution point extension value could not be read", e);
    }
    // 5.2.4 (d)
    baseDeltaSelect.setMinCRLNumber(completeCRLNumber == null ? null : completeCRLNumber.add(BigInteger.valueOf(1)));
    PKIXCRLStoreSelector.Builder selBuilder = new PKIXCRLStoreSelector.Builder(baseDeltaSelect);
    selBuilder.setIssuingDistributionPoint(idp);
    selBuilder.setIssuingDistributionPointEnabled(true);
    // 5.2.4 (c)
    selBuilder.setMaxBaseCRLNumber(completeCRLNumber);
    PKIXCRLStoreSelector deltaSelect = selBuilder.build();
    // find delta CRLs
    Set temp = PKIXCRLUtil.findCRLs(deltaSelect, validityDate, certStores, pkixCrlStores);
    Set result = new HashSet();
    for (Iterator it = temp.iterator(); it.hasNext(); ) {
        X509CRL crl = (X509CRL) it.next();
        if (isDeltaCRL(crl)) {
            result.add(crl);
        }
    }
    return result;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet) X509CRL(java.security.cert.X509CRL) IOException(java.io.IOException) PKIXCRLStoreSelector(com.github.zhenwei.provider.jcajce.PKIXCRLStoreSelector) CertPathValidatorException(java.security.cert.CertPathValidatorException) CertStoreException(java.security.cert.CertStoreException) CRLException(java.security.cert.CRLException) StoreException(com.github.zhenwei.core.util.StoreException) IOException(java.io.IOException) Iterator(java.util.Iterator) BigInteger(java.math.BigInteger) ASN1Primitive(com.github.zhenwei.core.asn1.ASN1Primitive) X509CRLSelector(java.security.cert.X509CRLSelector) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet)

Example 97 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project LinLong-Java by zhenwei1108.

the class RevocationUtilities method getCertStatus.

protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, CertStatus certStatus) throws AnnotatedException {
    boolean isIndirect;
    try {
        isIndirect = isIndirectCRL(crl);
    } catch (CRLException exception) {
        throw new AnnotatedException("Failed check for indirect CRL.", exception);
    }
    X509Certificate x509Cert = (X509Certificate) cert;
    X500Name x509CertIssuer = getIssuer(x509Cert);
    if (!isIndirect) {
        X500Name crlIssuer = getIssuer(crl);
        if (!x509CertIssuer.equals(crlIssuer)) {
            return;
        }
    }
    X509CRLEntry crl_entry = crl.getRevokedCertificate(x509Cert.getSerialNumber());
    if (null == crl_entry) {
        return;
    }
    if (isIndirect) {
        X500Principal certificateIssuer = crl_entry.getCertificateIssuer();
        X500Name expectedCertIssuer;
        if (null == certificateIssuer) {
            expectedCertIssuer = getIssuer(crl);
        } else {
            expectedCertIssuer = getX500Name(certificateIssuer);
        }
        if (!x509CertIssuer.equals(expectedCertIssuer)) {
            return;
        }
    }
    int reasonCodeValue = CRLReason.unspecified;
    if (crl_entry.hasExtensions()) {
        try {
            ASN1Primitive extValue = RevocationUtilities.getExtensionValue(crl_entry, Extension.reasonCode);
            ASN1Enumerated reasonCode = ASN1Enumerated.getInstance(extValue);
            if (null != reasonCode) {
                reasonCodeValue = reasonCode.intValueExact();
            }
        } catch (Exception e) {
            throw new AnnotatedException("Reason code CRL entry extension could not be decoded.", e);
        }
    }
    Date revocationDate = crl_entry.getRevocationDate();
    if (validDate.before(revocationDate)) {
        switch(reasonCodeValue) {
            case CRLReason.unspecified:
            case CRLReason.keyCompromise:
            case CRLReason.cACompromise:
            case CRLReason.aACompromise:
                break;
            default:
                return;
        }
    }
    // (i) or (j)
    certStatus.setCertStatus(reasonCodeValue);
    certStatus.setRevocationDate(revocationDate);
}
Also used : X509CRLEntry(java.security.cert.X509CRLEntry) ASN1Enumerated(com.github.zhenwei.core.asn1.ASN1Enumerated) X500Principal(javax.security.auth.x500.X500Principal) X500Name(com.github.zhenwei.core.asn1.x500.X500Name) CRLException(java.security.cert.CRLException) ASN1Primitive(com.github.zhenwei.core.asn1.ASN1Primitive) X509Certificate(java.security.cert.X509Certificate) IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) CertPathValidatorException(java.security.cert.CertPathValidatorException) CertStoreException(java.security.cert.CertStoreException) CRLException(java.security.cert.CRLException) StoreException(com.github.zhenwei.core.util.StoreException) IOException(java.io.IOException) Date(java.util.Date)

Example 98 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project LinLong-Java by zhenwei1108.

the class JceITSPublicEncryptionKey method getKey.

public PublicKey getKey() {
    BasePublicEncryptionKey baseKey = encryptionKey.getBasePublicEncryptionKey();
    X9ECParameters params;
    switch(baseKey.getChoice()) {
        case BasePublicEncryptionKey.eciesNistP256:
            params = NISTNamedCurves.getByOID(SECObjectIdentifiers.secp256r1);
            break;
        case BasePublicEncryptionKey.eciesBrainpoolP256r1:
            params = TeleTrusTNamedCurves.getByOID(TeleTrusTObjectIdentifiers.brainpoolP256r1);
            break;
        default:
            throw new IllegalStateException("unknown key type");
    }
    ASN1Encodable pviCurvePoint = encryptionKey.getBasePublicEncryptionKey().getValue();
    final EccCurvePoint itsPoint;
    if (pviCurvePoint instanceof EccCurvePoint) {
        itsPoint = (EccCurvePoint) baseKey.getValue();
    } else {
        throw new IllegalStateException("extension to public verification key not supported");
    }
    ECCurve curve = params.getCurve();
    byte[] key;
    if (itsPoint instanceof EccP256CurvePoint) {
        key = itsPoint.getEncodedPoint();
    } else if (itsPoint instanceof EccP384CurvePoint) {
        key = itsPoint.getEncodedPoint();
    } else {
        throw new IllegalStateException("unknown key type");
    }
    ECPoint point = curve.decodePoint(key).normalize();
    try {
        KeyFactory keyFactory = helper.createKeyFactory("EC");
        ECParameterSpec spec = EC5Util.convertToSpec(params);
        java.security.spec.ECPoint jPoint = EC5Util.convertPoint(point);
        return keyFactory.generatePublic(new ECPublicKeySpec(jPoint, spec));
    } catch (Exception e) {
        throw new IllegalStateException(e.getMessage(), e);
    }
}
Also used : X9ECParameters(com.github.zhenwei.core.asn1.x9.X9ECParameters) EccCurvePoint(com.github.zhenwei.pkix.util.oer.its.EccCurvePoint) ECPoint(com.github.zhenwei.core.math.ec.ECPoint) ECPublicKeySpec(java.security.spec.ECPublicKeySpec) ECParameterSpec(java.security.spec.ECParameterSpec) BasePublicEncryptionKey(com.github.zhenwei.pkix.util.oer.its.BasePublicEncryptionKey) ECCurve(com.github.zhenwei.core.math.ec.ECCurve) EccP256CurvePoint(com.github.zhenwei.pkix.util.oer.its.EccP256CurvePoint) EccP384CurvePoint(com.github.zhenwei.pkix.util.oer.its.EccP384CurvePoint) ASN1Encodable(com.github.zhenwei.core.asn1.ASN1Encodable) KeyFactory(java.security.KeyFactory)

Example 99 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project LinLong-Java by zhenwei1108.

the class RFC3280CertPathUtilities method processCRLB1.

/**
 * If the DP includes cRLIssuer, then verify that the issuer field in the complete CRL matches
 * cRLIssuer in the DP and that the complete CRL contains an issuing distribution point extension
 * with the indirectCRL boolean asserted. Otherwise, verify that the CRL issuer matches the
 * certificate issuer.
 *
 * @param dp   The distribution point.
 * @param cert The certificate ot attribute certificate.
 * @param crl  The CRL for <code>cert</code>.
 * @throws AnnotatedException if one of the above conditions does not apply or an error occurs.
 */
protected static void processCRLB1(DistributionPoint dp, Object cert, X509CRL crl) throws AnnotatedException {
    ASN1Primitive idp = RevocationUtilities.getExtensionValue(crl, Extension.issuingDistributionPoint);
    boolean isIndirect = false;
    if (idp != null) {
        if (IssuingDistributionPoint.getInstance(idp).isIndirectCRL()) {
            isIndirect = true;
        }
    }
    byte[] issuerBytes;
    issuerBytes = crl.getIssuerX500Principal().getEncoded();
    boolean matchIssuer = false;
    if (dp.getCRLIssuer() != null) {
        GeneralName[] genNames = dp.getCRLIssuer().getNames();
        for (int j = 0; j < genNames.length; j++) {
            if (genNames[j].getTagNo() == GeneralName.directoryName) {
                try {
                    if (Arrays.areEqual(genNames[j].getName().toASN1Primitive().getEncoded(), issuerBytes)) {
                        matchIssuer = true;
                    }
                } catch (IOException e) {
                    throw new AnnotatedException("CRL issuer information from distribution point cannot be decoded.", e);
                }
            }
        }
        if (matchIssuer && !isIndirect) {
            throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
        }
        if (!matchIssuer) {
            throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
        }
    } else {
        if (crl.getIssuerX500Principal().equals(((X509Certificate) cert).getIssuerX500Principal())) {
            matchIssuer = true;
        }
    }
    if (!matchIssuer) {
        throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
    }
}
Also used : GeneralName(com.github.zhenwei.core.asn1.x509.GeneralName) IOException(java.io.IOException) ASN1Primitive(com.github.zhenwei.core.asn1.ASN1Primitive) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint)

Example 100 with Extension

use of com.github.zhenwei.core.asn1.x509.Extension in project LinLong-Java by zhenwei1108.

the class BcITSPublicVerificationKey method getKey.

public AsymmetricKeyParameter getKey() {
    X9ECParameters params;
    ASN1ObjectIdentifier curveID;
    switch(verificationKey.getChoice()) {
        case PublicVerificationKey.ecdsaNistP256:
            curveID = SECObjectIdentifiers.secp256r1;
            params = NISTNamedCurves.getByOID(SECObjectIdentifiers.secp256r1);
            break;
        case PublicVerificationKey.ecdsaBrainpoolP256r1:
            curveID = TeleTrusTObjectIdentifiers.brainpoolP256r1;
            params = TeleTrusTNamedCurves.getByOID(TeleTrusTObjectIdentifiers.brainpoolP256r1);
            break;
        case PublicVerificationKey.ecdsaBrainpoolP384r1:
            curveID = TeleTrusTObjectIdentifiers.brainpoolP384r1;
            params = TeleTrusTNamedCurves.getByOID(TeleTrusTObjectIdentifiers.brainpoolP384r1);
            break;
        default:
            throw new IllegalStateException("unknown key type");
    }
    ECCurve curve = params.getCurve();
    ASN1Encodable pviCurvePoint = verificationKey.getCurvePoint();
    final EccCurvePoint itsPoint;
    if (pviCurvePoint instanceof EccCurvePoint) {
        itsPoint = (EccCurvePoint) verificationKey.getCurvePoint();
    } else {
        throw new IllegalStateException("extension to public verification key not supported");
    }
    byte[] key;
    if (itsPoint instanceof EccP256CurvePoint) {
        key = itsPoint.getEncodedPoint();
    } else if (itsPoint instanceof EccP384CurvePoint) {
        key = itsPoint.getEncodedPoint();
    } else {
        throw new IllegalStateException("unknown key type");
    }
    ECPoint point = curve.decodePoint(key).normalize();
    return new ECPublicKeyParameters(point, new ECNamedDomainParameters(curveID, params));
}
Also used : X9ECParameters(com.github.zhenwei.core.asn1.x9.X9ECParameters) ECCurve(com.github.zhenwei.core.math.ec.ECCurve) EccCurvePoint(com.github.zhenwei.pkix.util.oer.its.EccCurvePoint) ECNamedDomainParameters(com.github.zhenwei.core.crypto.params.ECNamedDomainParameters) EccP256CurvePoint(com.github.zhenwei.pkix.util.oer.its.EccP256CurvePoint) EccP384CurvePoint(com.github.zhenwei.pkix.util.oer.its.EccP384CurvePoint) ASN1Encodable(com.github.zhenwei.core.asn1.ASN1Encodable) ECPoint(com.github.zhenwei.core.math.ec.ECPoint) ECPublicKeyParameters(com.github.zhenwei.core.crypto.params.ECPublicKeyParameters) ASN1ObjectIdentifier(com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)

Aggregations

IOException (java.io.IOException)125 Extension (org.bouncycastle.asn1.x509.Extension)123 X509Certificate (java.security.cert.X509Certificate)78 ArrayList (java.util.ArrayList)75 Enumeration (java.util.Enumeration)73 Extensions (org.bouncycastle.asn1.x509.Extensions)64 CertPathValidatorException (java.security.cert.CertPathValidatorException)60 BigInteger (java.math.BigInteger)56 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)56 List (java.util.List)55 HashSet (java.util.HashSet)54 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)54 DEROctetString (org.bouncycastle.asn1.DEROctetString)54 GeneralSecurityException (java.security.GeneralSecurityException)51 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)50 CertificateExpiredException (java.security.cert.CertificateExpiredException)47 CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)47 CertPathBuilderException (java.security.cert.CertPathBuilderException)45 Set (java.util.Set)44 GeneralName (org.bouncycastle.asn1.x509.GeneralName)40