use of com.github.zhenwei.core.asn1.x509.Extensions in project xipki by xipki.
the class X509CaCmpResponderImpl method processP10cr.
// method processCertReqMessages
/**
* handle the PKI body with the choice {@code p10cr}<br/>
* Since it is not possible to add attribute to the PKCS#10 request (CSR), the certificate
* profile must be specified in the attribute regInfo-utf8Pairs (1.3.6.1.5.5.7.5.2.1) within
* PKIHeader.generalInfo
*/
private PKIBody processP10cr(PKIMessage request, CmpRequestorInfo requestor, ASN1OctetString tid,
        PKIHeader reqHeader, CertificationRequest p10cr, CmpControl cmpControl, String msgId,
        AuditEvent event) {
    // The response always carries certReqId -1 for a PKCS#10 request.
    final ASN1Integer certReqId = new ASN1Integer(-1);
    final X509Ca ca = getCa();

    // Proof-of-possession is checked before anything else in the CSR is read.
    // NOTE(review): the validator comes from getCmpControl(), not from the cmpControl parameter
    // used further down; confirm both refer to the same configuration.
    final boolean popValid =
            securityFactory.verifyPopo(p10cr, getCmpControl().getPopoAlgoValidator());

    CertResponse certResp;
    boolean issued = false;

    if (popValid) {
        CertificationRequestInfo csrInfo = p10cr.getCertificationRequestInfo();
        Extensions requestedExts = CaUtil.getExtensions(csrInfo);
        X500Name subject = csrInfo.getSubject();
        SubjectPublicKeyInfo spki = csrInfo.getSubjectPublicKeyInfo();

        // Profile name and optional validity bounds are requestor-supplied values taken from
        // PKIHeader.generalInfo.
        CmpUtf8Pairs pairs = CmpUtil.extract(reqHeader.getGeneralInfo());
        String profile = null;
        Date notBefore = null;
        Date notAfter = null;
        if (pairs != null) {
            profile = pairs.value(CmpUtf8Pairs.KEY_CERTPROFILE);

            // NOTE(review): notBefore/notAfter come straight from the request; presumably the
            // certificate profile bounds the validity during issuance. Also confirm how
            // parseUtcTimeyyyyMMddhhmmss reports malformed input, since it is not handled here.
            String notBeforeText = pairs.value(CmpUtf8Pairs.KEY_NOTBEFORE);
            if (notBeforeText != null) {
                notBefore = DateUtil.parseUtcTimeyyyyMMddhhmmss(notBeforeText);
            }
            String notAfterText = pairs.value(CmpUtf8Pairs.KEY_NOTAFTER);
            if (notAfterText != null) {
                notAfter = DateUtil.parseUtcTimeyyyyMMddhhmmss(notAfterText);
            }
        }

        if (profile == null) {
            certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badCertTemplate,
                    "badCertTemplate", null);
        } else {
            // NOTE(review): toLowerCase() uses the JVM default locale, and the result feeds the
            // authorization check below. Confirm the permitted profile names are normalised the
            // same way; a locale-independent mapping on both sides would be more predictable.
            String normalizedProfile = profile.toLowerCase();
            if (requestor.isCertProfilePermitted(normalizedProfile)) {
                CertTemplateData template = new CertTemplateData(subject, spki, notBefore,
                        notAfter, requestedExts, normalizedProfile);
                certResp = generateCertificates(Arrays.asList(template),
                        Arrays.asList(certReqId), requestor, tid, false, request, cmpControl,
                        msgId, event).get(0);
                issued = true;
            } else {
                String msg = "certprofile " + normalizedProfile + " is not allowed";
                certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.notAuthorized, msg);
            }
        }
    } else {
        // NOTE(review): the audit event is only handed to generateCertificates; confirm that
        // rejected requests (bad POP, missing or unauthorized profile) are audited by the caller.
        LOG.warn("could not validate POP for the pkcs#10 requst");
        certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "invalid POP");
    }

    // The CA certificate is attached only when a certificate was issued and the CMP control
    // asks for it.
    CMPCertificate[] caPubs = (issued && cmpControl.isSendCaCert())
            ? new CMPCertificate[] { ca.getCaInfo().getCertInCmpFormat() }
            : null;

    CertRepMessage repMessage = new CertRepMessage(caPubs, new CertResponse[] { certResp });
    return new PKIBody(PKIBody.TYPE_CERT_REP, repMessage);
}
use of com.github.zhenwei.core.asn1.x509.Extensions in project xipki by xipki.
the class ExtensionsChecker method checkExtensionBiometricInfo.
// method checkExtensionQcStatements
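/**
 * Compares each BiometricData entry of the biometricInfo extension under test with the entry at
 * the same position in the requested extension and appends one message per mismatch.
 *
 * <p>Checked per entry: typeOfBiometricData, the hash algorithm OID, the hash algorithm
 * parameters (must encode to {@code DER_NULL}), the biometric data hash and the sourceDataUri.
 *
 * @param failureMsg accumulator for the violation messages
 * @param extensionValue encoded value of the extension under test
 * @param requestedExtensions extensions of the request; may be {@code null}
 * @param extControl not used by this method
 */
private void checkExtensionBiometricInfo(StringBuilder failureMsg, byte[] extensionValue,
        Extensions requestedExtensions, ExtensionControl extControl) {
    BiometricInfoOption conf = certProfile.getBiometricInfo();
    if (conf == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }

    ASN1Encodable extInRequest = null;
    if (requestedExtensions != null) {
        extInRequest = requestedExtensions.getExtensionParsedValue(Extension.biometricInfo);
    }
    // Without a requested value there is nothing to compare against, so the extension is
    // reported as unexpected.
    if (extInRequest == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }

    ASN1Sequence extValueInReq = ASN1Sequence.getInstance(extInRequest);
    final int expSize = extValueInReq.size();
    ASN1Sequence extValue = ASN1Sequence.getInstance(extensionValue);
    final int isSize = extValue.size();
    // Entries are compared by position, so a different count ends the check here.
    if (isSize != expSize) {
        addViolation(failureMsg, "number of biometricData", isSize, expSize);
        return;
    }

    for (int i = 0; i < expSize; i++) {
        BiometricData isData = BiometricData.getInstance(extValue.getObjectAt(i));
        BiometricData expData = BiometricData.getInstance(extValueInReq.getObjectAt(i));

        TypeOfBiometricData isType = isData.getTypeOfBiometricData();
        TypeOfBiometricData expType = expData.getTypeOfBiometricData();
        if (!isType.equals(expType)) {
            String isStr = isType.isPredefined()
                    ? Integer.toString(isType.getPredefinedBiometricType())
                    : isType.getBiometricDataOid().getId();
            String expStr = expType.isPredefined()
                    ? Integer.toString(expType.getPredefinedBiometricType())
                    : expType.getBiometricDataOid().getId();
            addViolation(failureMsg, "biometricData[" + i + "].typeOfBiometricData", isStr,
                    expStr);
        }

        ASN1ObjectIdentifier isHashAlgo = isData.getHashAlgorithm().getAlgorithm();
        ASN1ObjectIdentifier expHashAlgo = expData.getHashAlgorithm().getAlgorithm();
        if (!isHashAlgo.equals(expHashAlgo)) {
            addViolation(failureMsg, "biometricData[" + i + "].hashAlgorithm",
                    isHashAlgo.getId(), expHashAlgo.getId());
        }

        // The parameters must be present and encode to DER_NULL. A missing field is therefore
        // reported as absent-but-expected; the original message had the two states swapped and
        // labelled the field biometricDataHash.parameters.
        ASN1Encodable isHashAlgoParam = isData.getHashAlgorithm().getParameters();
        if (isHashAlgoParam == null) {
            failureMsg.append("biometricData[").append(i)
                    .append("].hashAlgorithm.parameters is 'absent' but expected 'present'; ");
        } else {
            try {
                byte[] isParamBytes = isHashAlgoParam.toASN1Primitive().getEncoded();
                if (!Arrays.equals(isParamBytes, DER_NULL)) {
                    addViolation(failureMsg, "biometricData[" + i + "].hashAlgorithm.parameters",
                            hex(isParamBytes), hex(DER_NULL));
                }
            } catch (IOException ex) {
                failureMsg.append("biometricData[").append(i)
                        .append("].hashAlgorithm.parameters has incorrect syntax; ");
            }
        }

        byte[] isBytes = isData.getBiometricDataHash().getOctets();
        byte[] expBytes = expData.getBiometricDataHash().getOctets();
        if (!Arrays.equals(isBytes, expBytes)) {
            addViolation(failureMsg, "biometricData[" + i + "].biometricDataHash", hex(isBytes),
                    hex(expBytes));
        }

        DERIA5String str = isData.getSourceDataUri();
        String isSourceDataUri = (str == null) ? null : str.getString();

        // When the profile forbids sourceDataUri, the requested value is ignored and the
        // field is expected to be absent.
        String expSourceDataUri = null;
        if (conf.getSourceDataUriOccurrence() != TripleState.FORBIDDEN) {
            str = expData.getSourceDataUri();
            expSourceDataUri = (str == null) ? null : str.getString();
        }

        if (expSourceDataUri == null) {
            if (isSourceDataUri != null) {
                addViolation(failureMsg, "biometricData[" + i + "].sourceDataUri", "present",
                        "absent");
            }
        } else {
            if (isSourceDataUri == null) {
                failureMsg.append("biometricData[").append(i).append("].sourceDataUri is 'absent'");
                failureMsg.append(" but expected 'present'; ");
            } else if (!isSourceDataUri.equals(expSourceDataUri)) {
                addViolation(failureMsg, "biometricData[" + i + "].sourceDataUri",
                        isSourceDataUri, expSourceDataUri);
            }
        }
    }
}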
use of com.github.zhenwei.core.asn1.x509.Extensions in project xipki by xipki.
the class ExtensionsChecker method checkExtensionSubjectInfoAccess.
/**
 * Compares the subjectInfoAccess extension under test, entry by entry, with the one in the
 * request and appends one message per mismatch.
 *
 * @param failureMsg accumulator for the violation messages
 * @param extensionValue encoded value of the extension under test
 * @param requestedExtensions extensions of the request; may be {@code null}
 * @param extControl not used by this method
 */
private void checkExtensionSubjectInfoAccess(StringBuilder failureMsg, byte[] extensionValue,
        Extensions requestedExtensions, ExtensionControl extControl) {
    Map<ASN1ObjectIdentifier, Set<GeneralNameMode>> allowedModes =
            certProfile.getSubjectInfoAccessModes();
    if (allowedModes == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }

    ASN1Encodable requestedValue = (requestedExtensions == null)
            ? null
            : requestedExtensions.getExtensionParsedValue(Extension.subjectInfoAccess);
    if (requestedValue == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }

    ASN1Sequence requestSeq = ASN1Sequence.getInstance(requestedValue);
    ASN1Sequence certSeq = ASN1Sequence.getInstance(extensionValue);

    // Entries are matched by position, so the counts have to agree first.
    final int expectedCount = requestSeq.size();
    final int actualCount = certSeq.size();
    if (actualCount != expectedCount) {
        addViolation(failureMsg, "size of GeneralNames", actualCount, expectedCount);
        return;
    }

    for (int idx = 0; idx < expectedCount; idx++) {
        AccessDescription requestedDesc = AccessDescription.getInstance(requestSeq.getObjectAt(idx));
        ASN1ObjectIdentifier requestedMethod = requestedDesc.getAccessMethod();

        // An access method the profile has no modes for is reported, and the entry is skipped.
        Set<GeneralNameMode> modes = allowedModes.get(requestedMethod);
        if (modes == null) {
            failureMsg.append("accessMethod in requestedExtension ")
                    .append(requestedMethod.getId())
                    .append(" is not allowed; ");
            continue;
        }

        AccessDescription certDesc = AccessDescription.getInstance(certSeq.getObjectAt(idx));
        ASN1ObjectIdentifier certMethod = certDesc.getAccessMethod();

        boolean sameMethod;
        if (requestedMethod == null) {
            sameMethod = (certMethod == null);
        } else {
            sameMethod = requestedMethod.equals(certMethod);
        }
        if (!sameMethod) {
            String certMethodText = (certMethod == null) ? "null" : certMethod.getId();
            String requestedMethodText = (requestedMethod == null) ? "null" : requestedMethod.getId();
            addViolation(failureMsg, "accessMethod", certMethodText, requestedMethodText);
            continue;
        }

        // The requested location is passed through createGeneralName with the allowed modes
        // before it is compared with the location under test.
        GeneralName expectedLocation;
        try {
            expectedLocation = createGeneralName(requestedDesc.getAccessLocation(), modes);
        } catch (BadCertTemplateException ex) {
            failureMsg.append("invalid requestedExtension: ").append(ex.getMessage()).append("; ");
            continue;
        }

        GeneralName certLocation = certDesc.getAccessLocation();
        if (!certLocation.equals(expectedLocation)) {
            failureMsg.append("accessLocation does not match the requested one; ");
        }
    }
}
use of com.github.zhenwei.core.asn1.x509.Extensions in project xipki by xipki.
the class ExtensionsChecker method checkExtensionAdmission.
// method checkExtensionDeltaCrlDistributionPoints
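/**
 * Checks the Admission extension under test against the value the certificate profile produces.
 *
 * <p>Without an Admission configuration in the profile, the value is compared with the result
 * of {@code getExpectedExtValue}. Otherwise the registration numbers are collected from the
 * request (when the profile requires request input) and the expected value is computed from
 * them.
 *
 * @param failureMsg accumulator for the violation messages
 * @param extensionValue encoded value of the extension under test
 * @param requestedExtensions extensions of the request; may be {@code null}
 * @param extControl passed to {@code getExpectedExtValue} when the profile has no Admission
 *     configuration
 */
private void checkExtensionAdmission(StringBuilder failureMsg, byte[] extensionValue,
        Extensions requestedExtensions, ExtensionControl extControl) {
    AdmissionSyntaxOption conf = certProfile.getAdmission();
    ASN1ObjectIdentifier type = ObjectIdentifiers.id_extension_admission;

    if (conf == null) {
        byte[] expected = getExpectedExtValue(type, requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension value", hex(extensionValue),
                    (expected == null) ? "not present" : hex(expected));
        }
        return;
    }

    // NOTE(review): when the request carries no extensions at all, this stays null even if the
    // profile requires request input; the outcome then depends on how getExtensionValue(null)
    // behaves, which is not visible here.
    List<List<String>> reqRegNumsList = null;
    if (requestedExtensions != null && conf.isInputFromRequestRequired()) {
        Extension extension = requestedExtensions.getExtension(type);
        if (extension == null) {
            // Trailing space added so the next message does not run into this one.
            failureMsg.append("no Admission extension is contained in the request; ");
            return;
        }

        Admissions[] reqAdmissions = org.bouncycastle.asn1.isismtt.x509.AdmissionSyntax
                .getInstance(extension.getParsedValue()).getContentsOfAdmissions();
        reqRegNumsList = new ArrayList<>(reqAdmissions.length);
        // One list of registration numbers per Admissions entry, in request order.
        for (Admissions reqAdmission : reqAdmissions) {
            ProfessionInfo[] reqPis = reqAdmission.getProfessionInfos();
            List<String> reqNums = new ArrayList<>(reqPis.length);
            reqRegNumsList.add(reqNums);
            for (ProfessionInfo reqPi : reqPis) {
                reqNums.add(reqPi.getRegistrationNumber());
            }
        }
    }

    try {
        byte[] expected =
                conf.getExtensionValue(reqRegNumsList).getValue().toASN1Primitive().getEncoded();
        if (!Arrays.equals(expected, extensionValue)) {
            // Label corrected from "extension valus" to match the branch above.
            addViolation(failureMsg, "extension value", hex(extensionValue), hex(expected));
        }
    } catch (IOException ex) {
        LogUtil.error(LOG, ex);
        failureMsg.append("IOException while computing the expected extension value; ");
    } catch (BadCertTemplateException ex) {
        LogUtil.error(LOG, ex);
        failureMsg.append("BadCertTemplateException while computing the expected extension value; ");
    }
}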
use of com.github.zhenwei.core.asn1.x509.Extensions in project xipki by xipki.
the class ExtensionsChecker method checkExtensionTlsFeature.
// method checkExtensionExtendedKeyUsage
/**
 * Checks the TLS feature extension under test against the configured feature set.
 *
 * <p>Without a configured feature set, the value is compared with the result of
 * {@code getExpectedExtValue}. Otherwise the features in the extension and the configured
 * features are compared as sets, and differences in either direction are reported.
 *
 * @param failureMsg accumulator for the violation messages
 * @param extensionValue encoded value of the extension under test
 * @param requestedExtensions extensions of the request, used only when no feature set is
 *     configured
 * @param extControl passed to {@code getExpectedExtValue} when no feature set is configured
 */
private void checkExtensionTlsFeature(StringBuilder failureMsg, byte[] extensionValue,
        Extensions requestedExtensions, ExtensionControl extControl) {
    final QaTlsFeature featureConf = tlsFeature;

    if (featureConf == null) {
        byte[] expected = getExpectedExtValue(ObjectIdentifiers.id_pe_tlsfeature,
                requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            String actualText = hex(extensionValue);
            String expectedText = (expected == null) ? "not present" : hex(expected);
            addViolation(failureMsg, "extension values", actualText, expectedText);
        }
        return;
    }

    // Features found in the extension, as decimal strings.
    Set<String> actualFeatures = new HashSet<>();
    ASN1Sequence featureSeq = ASN1Sequence.getInstance(extensionValue);
    for (int pos = 0, count = featureSeq.size(); pos < count; pos++) {
        ASN1Integer feature = ASN1Integer.getInstance(featureSeq.getObjectAt(pos));
        actualFeatures.add(feature.getPositiveValue().toString());
    }

    // Features required by the configuration, in the same string form.
    Set<String> requiredFeatures = new HashSet<>();
    for (Integer required : featureConf.getFeatures()) {
        requiredFeatures.add(required.toString());
    }

    // strInBnotInA: going by its name, the elements of the second set missing from the first.
    Set<String> unexpected = strInBnotInA(requiredFeatures, actualFeatures);
    if (CollectionUtil.isNonEmpty(unexpected)) {
        failureMsg.append("features ")
                .append(unexpected.toString())
                .append(" are present but not expected; ");
    }

    Set<String> missing = strInBnotInA(actualFeatures, requiredFeatures);
    if (CollectionUtil.isNonEmpty(missing)) {
        failureMsg.append("features ")
                .append(missing.toString())
                .append(" are absent but are required; ");
    }
}