Example 81 with GeneralName
use of com.github.zhenwei.core.asn1.x509.GeneralName in project credhub by cloudfoundry-incubator.
the class CertificateReaderTest method returnsParametersCorrectly.
@Test
public void returnsParametersCorrectly() {
final String distinguishedName = "O=test-org, ST=Jupiter, C=MilkyWay, CN=test-common-name, OU=test-org-unit, L=Europa";
final GeneralNames generalNames = new GeneralNames(new GeneralName(GeneralName.dNSName, "SolarSystem"));
CertificateReader certificateReader = new CertificateReader(CertificateStringConstants.BIG_TEST_CERT);
assertThat(certificateReader.getAlternativeNames(), equalTo(generalNames));
assertThat(asList(certificateReader.getExtendedKeyUsage().getUsages()), containsInAnyOrder(KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth));
assertThat(certificateReader.getKeyUsage().hasUsages(KeyUsage.digitalSignature), equalTo(true));
assertThat(certificateReader.getSubjectName().toString(), equalTo(distinguishedName));
}
Also used :
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
Test(org.junit.Test)
Example 82 with GeneralName
use of com.github.zhenwei.core.asn1.x509.GeneralName in project jruby-openssl by jruby.
the class OCSPRequest method verify.
@JRubyMethod(name = "verify", rest = true)
public IRubyObject verify(IRubyObject[] args) {
Ruby runtime = getRuntime();
ThreadContext context = runtime.getCurrentContext();
int flags = 0;
boolean ret = false;
if (Arity.checkArgumentCount(runtime, args, 2, 3) == 3) {
flags = RubyFixnum.fix2int((RubyFixnum) args[2]);
}
IRubyObject certificates = args[0];
IRubyObject store = args[1];
OCSPReq bcOCSPReq = getBCOCSPReq();
if (bcOCSPReq == null) {
throw newOCSPError(runtime, new NullPointerException("Missing BC asn1bcReq. Missing certIDs or signature?"));
}
if (!bcOCSPReq.isSigned()) {
return RubyBoolean.newBoolean(runtime, ret);
}
GeneralName genName = bcOCSPReq.getRequestorName();
if (genName.getTagNo() != 4) {
return RubyBoolean.newBoolean(runtime, ret);
}
X500Name genX500Name = X500Name.getInstance(genName.getName());
X509StoreContext storeContext = null;
JcaContentVerifierProviderBuilder jcacvpb = new JcaContentVerifierProviderBuilder();
jcacvpb.setProvider("BC");
try {
java.security.cert.Certificate signer = findCertByName(genX500Name, certificates, flags);
if (signer == null)
return RubyBoolean.newBoolean(runtime, ret);
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOINTERN))) > 0 && ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_TRUSTOTHER))) > 0))
flags |= RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOVERIFY));
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOSIGS))) == 0) {
PublicKey signerPubKey = signer.getPublicKey();
ContentVerifierProvider cvp = jcacvpb.build(signerPubKey);
ret = bcOCSPReq.isSignatureValid(cvp);
if (!ret) {
return RubyBoolean.newBoolean(runtime, ret);
}
}
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOVERIFY))) == 0) {
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOCHAIN))) > 0) {
storeContext = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), context.nil);
} else {
RubyArray certs = RubyArray.newEmptyArray(runtime);
ASN1Sequence bcCerts = asn1bcReq.getOptionalSignature().getCerts();
if (bcCerts != null) {
Iterator<ASN1Encodable> it = bcCerts.iterator();
while (it.hasNext()) {
Certificate cert = Certificate.getInstance(it.next());
certs.add(X509Cert.wrap(runtime, new X509AuxCertificate(cert)));
}
}
storeContext = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), certs);
}
storeContext.set_purpose(context, _X509(runtime).getConstant("PURPOSE_OCSP_HELPER"));
storeContext.set_trust(context, _X509(runtime).getConstant("TRUST_OCSP_REQUEST"));
ret = storeContext.verify(context).isTrue();
if (!ret)
return RubyBoolean.newBoolean(runtime, false);
}
} catch (Exception e) {
debugStackTrace(e);
throw newOCSPError(runtime, e);
}
return RubyBoolean.newBoolean(getRuntime(), ret);
}
Also used :
RubyArray(org.jruby.RubyArray)
X500Name(org.bouncycastle.asn1.x500.X500Name)
IRubyObject(org.jruby.runtime.builtin.IRubyObject)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
Ruby(org.jruby.Ruby)
ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)
PublicKey(java.security.PublicKey)
ThreadContext(org.jruby.runtime.ThreadContext)
RubyFixnum(org.jruby.RubyFixnum)
RaiseException(org.jruby.exceptions.RaiseException)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
JcaContentVerifierProviderBuilder(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
X509AuxCertificate(org.jruby.ext.openssl.x509store.X509AuxCertificate)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
X509AuxCertificate(org.jruby.ext.openssl.x509store.X509AuxCertificate)
JRubyMethod(org.jruby.anno.JRubyMethod)
Example 83 with GeneralName
use of com.github.zhenwei.core.asn1.x509.GeneralName in project xipki by xipki.
the class XmlX509Certprofile method createRequestedSubjectAltNames.
private GeneralNames createRequestedSubjectAltNames(X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions) throws BadCertTemplateException {
ASN1Encodable extValue = (requestedExtensions == null) ? null : requestedExtensions.getExtensionParsedValue(Extension.subjectAlternativeName);
if (extValue == null && subjectToSubjectAltNameModes == null) {
return null;
}
GeneralNames reqNames = (extValue == null) ? null : GeneralNames.getInstance(extValue);
if (subjectAltNameModes == null && subjectToSubjectAltNameModes == null) {
return reqNames;
}
List<GeneralName> grantedNames = new LinkedList<>();
// copy the required attributes of Subject
if (subjectToSubjectAltNameModes != null) {
for (ASN1ObjectIdentifier attrType : subjectToSubjectAltNameModes.keySet()) {
GeneralNameTag tag = subjectToSubjectAltNameModes.get(attrType);
RDN[] rdns = grantedSubject.getRDNs(attrType);
if (rdns == null) {
rdns = requestedSubject.getRDNs(attrType);
}
if (rdns == null) {
continue;
}
for (RDN rdn : rdns) {
String rdnValue = X509Util.rdnValueToString(rdn.getFirst().getValue());
switch(tag) {
case rfc822Name:
case dNSName:
case uniformResourceIdentifier:
case iPAddress:
case directoryName:
case registeredID:
grantedNames.add(new GeneralName(tag.getTag(), rdnValue));
break;
default:
throw new RuntimeException("should not reach here, unknown GeneralName tag " + tag);
}
// end switch (tag)
}
}
}
// copy the requested SubjectAltName entries
if (reqNames != null) {
GeneralName[] reqL = reqNames.getNames();
for (int i = 0; i < reqL.length; i++) {
grantedNames.add(X509CertprofileUtil.createGeneralName(reqL[i], subjectAltNameModes));
}
}
return grantedNames.isEmpty() ? null : new GeneralNames(grantedNames.toArray(new GeneralName[0]));
}
Also used :
GeneralNameTag(org.xipki.ca.api.profile.GeneralNameTag)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
LinkedList(java.util.LinkedList)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
RDN(org.bouncycastle.asn1.x500.RDN)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 84 with GeneralName
use of com.github.zhenwei.core.asn1.x509.GeneralName in project xipki by xipki.
the class CmpRequestor method signAndSend.
protected PkiResponse signAndSend(PKIMessage request, RequestResponseDebug debug) throws CmpRequestorException {
ParamUtil.requireNonNull("request", request);
PKIMessage tmpRequest = (signRequest) ? sign(request) : request;
byte[] encodedRequest;
try {
encodedRequest = tmpRequest.getEncoded();
} catch (IOException ex) {
LOG.error("could not encode the PKI request {}", tmpRequest);
throw new CmpRequestorException(ex.getMessage(), ex);
}
RequestResponsePair reqResp = null;
if (debug != null) {
reqResp = new RequestResponsePair();
debug.add(reqResp);
if (debug.saveRequest()) {
reqResp.setRequest(encodedRequest);
}
}
byte[] encodedResponse;
try {
encodedResponse = send(encodedRequest);
} catch (IOException ex) {
LOG.error("could not send the PKI request {} to server", tmpRequest);
throw new CmpRequestorException("TRANSPORT_ERROR", ex);
}
if (reqResp != null && debug.saveResponse()) {
reqResp.setResponse(encodedResponse);
}
GeneralPKIMessage response;
try {
response = new GeneralPKIMessage(encodedResponse);
} catch (IOException ex) {
LOG.error("could not decode the received PKI message: {}", Hex.encode(encodedResponse));
throw new CmpRequestorException(ex.getMessage(), ex);
}
PKIHeader reqHeader = request.getHeader();
PKIHeader respHeader = response.getHeader();
ASN1OctetString tid = reqHeader.getTransactionID();
ASN1OctetString respTid = respHeader.getTransactionID();
if (!tid.equals(respTid)) {
LOG.warn("Response contains different tid ({}) than requested {}", respTid, tid);
throw new CmpRequestorException("Response contains differnt tid than the request");
}
ASN1OctetString senderNonce = reqHeader.getSenderNonce();
ASN1OctetString respRecipientNonce = respHeader.getRecipNonce();
if (!senderNonce.equals(respRecipientNonce)) {
LOG.warn("tid {}: response.recipientNonce ({}) != request.senderNonce ({})", tid, respRecipientNonce, senderNonce);
throw new CmpRequestorException("Response contains differnt tid than the request");
}
GeneralName rec = respHeader.getRecipient();
if (!sender.equals(rec)) {
LOG.warn("tid={}: unknown CMP requestor '{}'", tid, rec);
}
PkiResponse ret = new PkiResponse(response);
if (response.hasProtection()) {
try {
ProtectionVerificationResult verifyProtection = verifyProtection(Hex.encode(tid.getOctets()), response);
ret.setProtectionVerificationResult(verifyProtection);
} catch (InvalidKeyException | OperatorCreationException | CMPException ex) {
throw new CmpRequestorException(ex.getMessage(), ex);
}
} else if (signRequest) {
PKIBody respBody = response.getBody();
int bodyType = respBody.getType();
if (bodyType != PKIBody.TYPE_ERROR) {
throw new CmpRequestorException("response is not signed");
}
}
return ret;
}
Also used :
ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage)
PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage)
GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage)
RequestResponsePair(org.xipki.common.RequestResponsePair)
PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
PkiResponse(org.xipki.cmp.PkiResponse)
PKIBody(org.bouncycastle.asn1.cmp.PKIBody)
ProtectionVerificationResult(org.xipki.cmp.ProtectionVerificationResult)
IOException(java.io.IOException)
InvalidKeyException(java.security.InvalidKeyException)
GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage)
CMPException(org.bouncycastle.cert.cmp.CMPException)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
Example 85 with GeneralName
use of com.github.zhenwei.core.asn1.x509.GeneralName in project xipki by xipki.
the class X509CmpRequestor method parse.
private RevokeCertResultType parse(PkiResponse response, List<? extends IssuerSerialEntry> reqEntries) throws CmpRequestorException, PkiErrorException {
ParamUtil.requireNonNull("response", response);
checkProtection(response);
PKIBody respBody = response.getPkiMessage().getBody();
int bodyType = respBody.getType();
if (PKIBody.TYPE_ERROR == bodyType) {
ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
throw new PkiErrorException(content.getPKIStatusInfo());
} else if (PKIBody.TYPE_REVOCATION_REP != bodyType) {
throw new CmpRequestorException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_REVOCATION_REP, PKIBody.TYPE_ERROR));
}
RevRepContent content = RevRepContent.getInstance(respBody.getContent());
PKIStatusInfo[] statuses = content.getStatus();
if (statuses == null || statuses.length != reqEntries.size()) {
int statusesLen = 0;
if (statuses != null) {
statusesLen = statuses.length;
}
throw new CmpRequestorException(String.format("incorrect number of status entries in response '%s' instead the expected '%s'", statusesLen, reqEntries.size()));
}
CertId[] revCerts = content.getRevCerts();
RevokeCertResultType result = new RevokeCertResultType();
for (int i = 0; i < statuses.length; i++) {
PKIStatusInfo statusInfo = statuses[i];
int status = statusInfo.getStatus().intValue();
IssuerSerialEntry re = reqEntries.get(i);
if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) {
PKIFreeText text = statusInfo.getStatusString();
String statusString = (text == null) ? null : text.getStringAt(0).getString();
ResultEntry resultEntry = new ErrorResultEntry(re.getId(), status, statusInfo.getFailInfo().intValue(), statusString);
result.addResultEntry(resultEntry);
continue;
}
CertId certId = null;
if (revCerts != null) {
for (CertId entry : revCerts) {
if (re.getIssuer().equals(entry.getIssuer().getName()) && re.getSerialNumber().equals(entry.getSerialNumber().getValue())) {
certId = entry;
break;
}
}
}
if (certId == null) {
LOG.warn("certId is not present in response for (issuer='{}', serialNumber={})", X509Util.getRfc4519Name(re.getIssuer()), LogUtil.formatCsn(re.getSerialNumber()));
certId = new CertId(new GeneralName(re.getIssuer()), re.getSerialNumber());
continue;
}
ResultEntry resultEntry = new RevokeCertResultEntry(re.getId(), certId);
result.addResultEntry(resultEntry);
}
return result;
}
Also used :
ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry)
RevokeCertResultEntry(org.xipki.ca.client.api.dto.RevokeCertResultEntry)
EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry)
ResultEntry(org.xipki.ca.client.api.dto.ResultEntry)
PKIBody(org.bouncycastle.asn1.cmp.PKIBody)
RevokeCertResultEntry(org.xipki.ca.client.api.dto.RevokeCertResultEntry)
CertId(org.bouncycastle.asn1.crmf.CertId)
PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo)
ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry)
IssuerSerialEntry(org.xipki.ca.client.api.dto.IssuerSerialEntry)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
RevRepContent(org.bouncycastle.asn1.cmp.RevRepContent)
PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText)
PkiErrorException(org.xipki.ca.client.api.PkiErrorException)
RevokeCertResultType(org.xipki.ca.client.api.dto.RevokeCertResultType)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent)
Aggregations
GeneralName (org.bouncycastle.asn1.x509.GeneralName)238
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)117
IOException (java.io.IOException)112
ArrayList (java.util.ArrayList)76
X500Name (org.bouncycastle.asn1.x500.X500Name)56
DERIA5String (org.bouncycastle.asn1.DERIA5String)53
X509Certificate (java.security.cert.X509Certificate)52
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)48
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)47
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)42
BigInteger (java.math.BigInteger)40
List (java.util.List)40
ContentSigner (org.bouncycastle.operator.ContentSigner)40
DEROctetString (org.bouncycastle.asn1.DEROctetString)37
Date (java.util.Date)31
X500Principal (javax.security.auth.x500.X500Principal)31
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)31
GeneralName (com.github.zhenwei.core.asn1.x509.GeneralName)30
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)29
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)29
