Search in sources :

Example 46 with Extensions

use of com.github.zhenwei.core.asn1.x509.Extensions in project xipki by xipki.

the class X509CaCmpResponderImpl method processP10cr.

// method processCertReqMessages
/**
 * handle the PKI body with the choice {@code p10cr}<br/>
 * Since it is not possible to add attribute to the PKCS#10 request (CSR), the certificate
 * profile must be specified in the attribute regInfo-utf8Pairs (1.3.6.1.5.5.7.5.2.1) within
 * PKIHeader.generalInfo
 */
private PKIBody processP10cr(PKIMessage request, CmpRequestorInfo requestor, ASN1OctetString tid, PKIHeader reqHeader, CertificationRequest p10cr, CmpControl cmpControl, String msgId, AuditEvent event) {
    // verify the POP first
    CertResponse certResp;
    ASN1Integer certReqId = new ASN1Integer(-1);
    boolean certGenerated = false;
    X509Ca ca = getCa();
    if (!securityFactory.verifyPopo(p10cr, getCmpControl().getPopoAlgoValidator())) {
        LOG.warn("could not validate POP for the pkcs#10 requst");
        certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "invalid POP");
    } else {
        CertificationRequestInfo certTemp = p10cr.getCertificationRequestInfo();
        Extensions extensions = CaUtil.getExtensions(certTemp);
        X500Name subject = certTemp.getSubject();
        SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
        CmpUtf8Pairs keyvalues = CmpUtil.extract(reqHeader.getGeneralInfo());
        String certprofileName = null;
        Date notBefore = null;
        Date notAfter = null;
        if (keyvalues != null) {
            certprofileName = keyvalues.value(CmpUtf8Pairs.KEY_CERTPROFILE);
            String str = keyvalues.value(CmpUtf8Pairs.KEY_NOTBEFORE);
            if (str != null) {
                notBefore = DateUtil.parseUtcTimeyyyyMMddhhmmss(str);
            }
            str = keyvalues.value(CmpUtf8Pairs.KEY_NOTAFTER);
            if (str != null) {
                notAfter = DateUtil.parseUtcTimeyyyyMMddhhmmss(str);
            }
        }
        if (certprofileName == null) {
            certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badCertTemplate, "badCertTemplate", null);
        } else {
            certprofileName = certprofileName.toLowerCase();
            if (!requestor.isCertProfilePermitted(certprofileName)) {
                String msg = "certprofile " + certprofileName + " is not allowed";
                certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.notAuthorized, msg);
            } else {
                CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, certprofileName);
                certResp = generateCertificates(Arrays.asList(certTemplateData), Arrays.asList(certReqId), requestor, tid, false, request, cmpControl, msgId, event).get(0);
                certGenerated = true;
            }
        }
    }
    CMPCertificate[] caPubs = null;
    if (certGenerated && cmpControl.isSendCaCert()) {
        caPubs = new CMPCertificate[] { ca.getCaInfo().getCertInCmpFormat() };
    }
    CertRepMessage repMessage = new CertRepMessage(caPubs, new CertResponse[] { certResp });
    return new PKIBody(PKIBody.TYPE_CERT_REP, repMessage);
}
Also used : PKIBody(org.bouncycastle.asn1.cmp.PKIBody) CertificationRequestInfo(org.bouncycastle.asn1.pkcs.CertificationRequestInfo) CmpUtf8Pairs(org.xipki.cmp.CmpUtf8Pairs) CertResponse(org.bouncycastle.asn1.cmp.CertResponse) X509Ca(org.xipki.ca.server.impl.X509Ca) CertRepMessage(org.bouncycastle.asn1.cmp.CertRepMessage) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) X500Name(org.bouncycastle.asn1.x500.X500Name) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) Extensions(org.bouncycastle.asn1.x509.Extensions) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) Date(java.util.Date) CertTemplateData(org.xipki.ca.server.impl.CertTemplateData) CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate)

Example 47 with Extensions

use of com.github.zhenwei.core.asn1.x509.Extensions in project xipki by xipki.

the class ExtensionsChecker method checkExtensionBiometricInfo.

// method checkExtensionQcStatements
private void checkExtensionBiometricInfo(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    BiometricInfoOption conf = certProfile.getBiometricInfo();
    if (conf == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }
    ASN1Encodable extInRequest = null;
    if (requestedExtensions != null) {
        extInRequest = requestedExtensions.getExtensionParsedValue(Extension.biometricInfo);
    }
    if (extInRequest == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }
    ASN1Sequence extValueInReq = ASN1Sequence.getInstance(extInRequest);
    final int expSize = extValueInReq.size();
    ASN1Sequence extValue = ASN1Sequence.getInstance(extensionValue);
    final int isSize = extValue.size();
    if (isSize != expSize) {
        addViolation(failureMsg, "number of biometricData", isSize, expSize);
        return;
    }
    for (int i = 0; i < expSize; i++) {
        BiometricData isData = BiometricData.getInstance(extValue.getObjectAt(i));
        BiometricData expData = BiometricData.getInstance(extValueInReq.getObjectAt(i));
        TypeOfBiometricData isType = isData.getTypeOfBiometricData();
        TypeOfBiometricData expType = expData.getTypeOfBiometricData();
        if (!isType.equals(expType)) {
            String isStr = isType.isPredefined() ? Integer.toString(isType.getPredefinedBiometricType()) : isType.getBiometricDataOid().getId();
            String expStr = expType.isPredefined() ? Integer.toString(expType.getPredefinedBiometricType()) : expType.getBiometricDataOid().getId();
            addViolation(failureMsg, "biometricData[" + i + "].typeOfBiometricData", isStr, expStr);
        }
        ASN1ObjectIdentifier is = isData.getHashAlgorithm().getAlgorithm();
        ASN1ObjectIdentifier exp = expData.getHashAlgorithm().getAlgorithm();
        if (!is.equals(exp)) {
            addViolation(failureMsg, "biometricData[" + i + "].hashAlgorithm", is.getId(), exp.getId());
        }
        ASN1Encodable isHashAlgoParam = isData.getHashAlgorithm().getParameters();
        if (isHashAlgoParam == null) {
            failureMsg.append("biometricData[").append(i).append("].hashAlgorithm.parameters is 'present' but expected 'absent'; ");
        } else {
            try {
                byte[] isBytes = isHashAlgoParam.toASN1Primitive().getEncoded();
                if (!Arrays.equals(isBytes, DER_NULL)) {
                    addViolation(failureMsg, "biometricData[" + i + "].biometricDataHash.parameters", hex(isBytes), hex(DER_NULL));
                }
            } catch (IOException ex) {
                failureMsg.append("biometricData[").append(i).append("].biometricDataHash.parameters has incorrect syntax; ");
            }
        }
        byte[] isBytes = isData.getBiometricDataHash().getOctets();
        byte[] expBytes = expData.getBiometricDataHash().getOctets();
        if (!Arrays.equals(isBytes, expBytes)) {
            addViolation(failureMsg, "biometricData[" + i + "].biometricDataHash", hex(isBytes), hex(expBytes));
        }
        DERIA5String str = isData.getSourceDataUri();
        String isSourceDataUri = (str == null) ? null : str.getString();
        String expSourceDataUri = null;
        if (conf.getSourceDataUriOccurrence() != TripleState.FORBIDDEN) {
            str = expData.getSourceDataUri();
            expSourceDataUri = (str == null) ? null : str.getString();
        }
        if (expSourceDataUri == null) {
            if (isSourceDataUri != null) {
                addViolation(failureMsg, "biometricData[" + i + "].sourceDataUri", "present", "absent");
            }
        } else {
            if (isSourceDataUri == null) {
                failureMsg.append("biometricData[").append(i).append("].sourceDataUri is 'absent'");
                failureMsg.append(" but expected 'present'; ");
            } else if (!isSourceDataUri.equals(expSourceDataUri)) {
                addViolation(failureMsg, "biometricData[" + i + "].sourceDataUri", isSourceDataUri, expSourceDataUri);
            }
        }
    }
}
Also used : BiometricData(org.bouncycastle.asn1.x509.qualified.BiometricData) TypeOfBiometricData(org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) DERIA5String(org.bouncycastle.asn1.DERIA5String) BiometricInfoOption(org.xipki.ca.certprofile.BiometricInfoOption) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERBMPString(org.bouncycastle.asn1.DERBMPString) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) ASN1String(org.bouncycastle.asn1.ASN1String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERT61String(org.bouncycastle.asn1.DERT61String) IOException(java.io.IOException) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) TypeOfBiometricData(org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 48 with Extensions

use of com.github.zhenwei.core.asn1.x509.Extensions in project xipki by xipki.

the class ExtensionsChecker method checkExtensionSubjectInfoAccess.

private void checkExtensionSubjectInfoAccess(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    Map<ASN1ObjectIdentifier, Set<GeneralNameMode>> conf = certProfile.getSubjectInfoAccessModes();
    if (conf == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }
    ASN1Encodable requestExtValue = null;
    if (requestedExtensions != null) {
        requestExtValue = requestedExtensions.getExtensionParsedValue(Extension.subjectInfoAccess);
    }
    if (requestExtValue == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }
    ASN1Sequence requestSeq = ASN1Sequence.getInstance(requestExtValue);
    ASN1Sequence certSeq = ASN1Sequence.getInstance(extensionValue);
    int size = requestSeq.size();
    if (certSeq.size() != size) {
        addViolation(failureMsg, "size of GeneralNames", certSeq.size(), size);
        return;
    }
    for (int i = 0; i < size; i++) {
        AccessDescription ad = AccessDescription.getInstance(requestSeq.getObjectAt(i));
        ASN1ObjectIdentifier accessMethod = ad.getAccessMethod();
        Set<GeneralNameMode> generalNameModes = conf.get(accessMethod);
        if (generalNameModes == null) {
            failureMsg.append("accessMethod in requestedExtension ").append(accessMethod.getId()).append(" is not allowed; ");
            continue;
        }
        AccessDescription certAccessDesc = AccessDescription.getInstance(certSeq.getObjectAt(i));
        ASN1ObjectIdentifier certAccessMethod = certAccessDesc.getAccessMethod();
        boolean bo = (accessMethod == null) ? (certAccessMethod == null) : accessMethod.equals(certAccessMethod);
        if (!bo) {
            addViolation(failureMsg, "accessMethod", (certAccessMethod == null) ? "null" : certAccessMethod.getId(), (accessMethod == null) ? "null" : accessMethod.getId());
            continue;
        }
        GeneralName accessLocation;
        try {
            accessLocation = createGeneralName(ad.getAccessLocation(), generalNameModes);
        } catch (BadCertTemplateException ex) {
            failureMsg.append("invalid requestedExtension: ").append(ex.getMessage()).append("; ");
            continue;
        }
        GeneralName certAccessLocation = certAccessDesc.getAccessLocation();
        if (!certAccessLocation.equals(accessLocation)) {
            failureMsg.append("accessLocation does not match the requested one; ");
        }
    }
}
Also used : GeneralNameMode(org.xipki.ca.api.profile.GeneralNameMode) Set(java.util.Set) HashSet(java.util.HashSet) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) AccessDescription(org.bouncycastle.asn1.x509.AccessDescription) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)

Example 49 with Extensions

use of com.github.zhenwei.core.asn1.x509.Extensions in project xipki by xipki.

the class ExtensionsChecker method checkExtensionAdmission.

// method checkExtensionDeltaCrlDistributionPoints
private void checkExtensionAdmission(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    AdmissionSyntaxOption conf = certProfile.getAdmission();
    ASN1ObjectIdentifier type = ObjectIdentifiers.id_extension_admission;
    if (conf == null) {
        byte[] expected = getExpectedExtValue(type, requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension value", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
        }
        return;
    }
    List<List<String>> reqRegNumsList = null;
    if (requestedExtensions != null && conf.isInputFromRequestRequired()) {
        Extension extension = requestedExtensions.getExtension(type);
        if (extension == null) {
            failureMsg.append("no Admission extension is contained in the request;");
            return;
        }
        Admissions[] reqAdmissions = org.bouncycastle.asn1.isismtt.x509.AdmissionSyntax.getInstance(extension.getParsedValue()).getContentsOfAdmissions();
        final int n = reqAdmissions.length;
        reqRegNumsList = new ArrayList<>(n);
        for (int i = 0; i < n; i++) {
            Admissions reqAdmission = reqAdmissions[i];
            ProfessionInfo[] reqPis = reqAdmission.getProfessionInfos();
            List<String> reqNums = new ArrayList<>(reqPis.length);
            reqRegNumsList.add(reqNums);
            for (ProfessionInfo reqPi : reqPis) {
                String reqNum = reqPi.getRegistrationNumber();
                reqNums.add(reqNum);
            }
        }
    }
    try {
        byte[] expected = conf.getExtensionValue(reqRegNumsList).getValue().toASN1Primitive().getEncoded();
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension valus", hex(extensionValue), hex(expected));
        }
    } catch (IOException ex) {
        LogUtil.error(LOG, ex);
        failureMsg.append("IOException while computing the expected extension value;");
        return;
    } catch (BadCertTemplateException ex) {
        LogUtil.error(LOG, ex);
        failureMsg.append("BadCertTemplateException while computing the expected extension value;");
    }
}
Also used : AdmissionSyntaxOption(org.xipki.ca.certprofile.commonpki.AdmissionSyntaxOption) ArrayList(java.util.ArrayList) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERBMPString(org.bouncycastle.asn1.DERBMPString) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) ASN1String(org.bouncycastle.asn1.ASN1String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERT61String(org.bouncycastle.asn1.DERT61String) IOException(java.io.IOException) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) Extension(org.bouncycastle.asn1.x509.Extension) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) Admissions(org.bouncycastle.asn1.isismtt.x509.Admissions) ArrayList(java.util.ArrayList) List(java.util.List) LinkedList(java.util.LinkedList) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) ProfessionInfo(org.bouncycastle.asn1.isismtt.x509.ProfessionInfo)

Example 50 with Extensions

use of com.github.zhenwei.core.asn1.x509.Extensions in project xipki by xipki.

the class ExtensionsChecker method checkExtensionTlsFeature.

// method checkExtensionExtendedKeyUsage
private void checkExtensionTlsFeature(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    QaTlsFeature conf = tlsFeature;
    if (conf == null) {
        byte[] expected = getExpectedExtValue(ObjectIdentifiers.id_pe_tlsfeature, requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension values", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
        }
        return;
    }
    Set<String> isFeatures = new HashSet<>();
    ASN1Sequence seq = ASN1Sequence.getInstance(extensionValue);
    final int n = seq.size();
    for (int i = 0; i < n; i++) {
        ASN1Integer asn1Feature = ASN1Integer.getInstance(seq.getObjectAt(i));
        isFeatures.add(asn1Feature.getPositiveValue().toString());
    }
    Set<String> expFeatures = new HashSet<>();
    for (Integer m : conf.getFeatures()) {
        expFeatures.add(m.toString());
    }
    Set<String> diffs = strInBnotInA(expFeatures, isFeatures);
    if (CollectionUtil.isNonEmpty(diffs)) {
        failureMsg.append("features ").append(diffs.toString()).append(" are present but not expected; ");
    }
    diffs = strInBnotInA(isFeatures, expFeatures);
    if (CollectionUtil.isNonEmpty(diffs)) {
        failureMsg.append("features ").append(diffs.toString()).append(" are absent but are required; ");
    }
}
Also used : ASN1Integer(org.bouncycastle.asn1.ASN1Integer) BigInteger(java.math.BigInteger) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERBMPString(org.bouncycastle.asn1.DERBMPString) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) ASN1String(org.bouncycastle.asn1.ASN1String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERT61String(org.bouncycastle.asn1.DERT61String) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) QaTlsFeature(org.xipki.ca.qa.internal.QaTlsFeature) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) HashSet(java.util.HashSet)

Aggregations

Extensions (org.bouncycastle.asn1.x509.Extensions)113 Extension (org.bouncycastle.asn1.x509.Extension)89 IOException (java.io.IOException)72 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)67 Enumeration (java.util.Enumeration)57 HashSet (java.util.HashSet)49 DEROctetString (org.bouncycastle.asn1.DEROctetString)49 X500Name (org.bouncycastle.asn1.x500.X500Name)46 BigInteger (java.math.BigInteger)45 Set (java.util.Set)36 X509Certificate (java.security.cert.X509Certificate)35 Date (java.util.Date)35 GeneralName (org.bouncycastle.asn1.x509.GeneralName)35 ContentSigner (org.bouncycastle.operator.ContentSigner)32 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)29 ASN1ObjectIdentifier (com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)28 ArrayList (java.util.ArrayList)28 CertificateException (java.security.cert.CertificateException)27 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)27 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)27