
Example 91 with GeneralNames

use of com.github.zhenwei.core.asn1.x509.GeneralNames in project LinLong-Java by zhenwei1108.

Class X509CRLHolder, method init.

/**
 * Captures the wrapped CRL and the values derived from it: the TBSCertList
 * extensions, whether the CRL is an indirect CRL (decided by
 * {@code isIndirectCRL} from those extensions), and the CRL issuer wrapped
 * as a single-entry {@code GeneralNames}.
 *
 * @param x509CRL the decoded CRL structure to wrap
 */
private void init(CertificateList x509CRL) {
    this.x509CRL = x509CRL;
    this.extensions = x509CRL.getTBSCertList().getExtensions();
    this.isIndirect = isIndirectCRL(this.extensions);
    // The issuer is kept in GeneralNames form so it can be compared directly
    // against distribution point / cRLIssuer names.
    GeneralName issuer = new GeneralName(x509CRL.getIssuer());
    this.issuerName = new GeneralNames(issuer);
}

Example 92 with GeneralNames

use of com.github.zhenwei.core.asn1.x509.GeneralNames in project LinLong-Java by zhenwei1108.

Class AttributeCertificateIssuer, method getNames.

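/**
 * Returns the issuer entries of this attribute certificate issuer that are
 * of type {@code directoryName}, as X.500 names.
 * <p>
 * Entries of any other {@code GeneralName} choice are silently dropped, so an
 * empty result does not mean the issuer field was empty; callers that match
 * an issuer against a certificate must not treat an empty array as "matches
 * anything". A {@code V2Form} whose optional {@code issuerName} is absent
 * also yields an empty array instead of a {@code NullPointerException}.
 *
 * @return the directoryName issuer entries, possibly empty, never {@code null}
 */
public X500Name[] getNames() {
    GeneralNames name;
    if (form instanceof V2Form) {
        name = ((V2Form) form).getIssuerName();
    } else {
        name = (GeneralNames) form;
    }
    // issuerName is OPTIONAL in V2Form (RFC 5755); treat "absent" as "no names".
    if (name == null) {
        return new X500Name[0];
    }
    GeneralName[] names = name.getNames();
    List<X500Name> directoryNames = new ArrayList<X500Name>(names.length);
    for (GeneralName gn : names) {
        if (gn.getTagNo() == GeneralName.directoryName) {
            directoryNames.add(X500Name.getInstance(gn.getName()));
        }
    }
    return directoryNames.toArray(new X500Name[directoryNames.size()]);
}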

Example 93 with GeneralNames

use of com.github.zhenwei.core.asn1.x509.GeneralNames in project LinLong-Java by zhenwei1108.

Class ESSCertIDv2, method toASN1Primitive.

/**
 * Encodes this structure as a DER SEQUENCE.
 * <pre>
 * ESSCertIDv2 ::=  SEQUENCE {
 *     hashAlgorithm     AlgorithmIdentifier
 *              DEFAULT {algorithm id-sha256},
 *     certHash          Hash,
 *     issuerSerial      IssuerSerial OPTIONAL
 * }
 *
 * Hash ::= OCTET STRING
 *
 * IssuerSerial ::= SEQUENCE {
 *     issuer         GeneralNames,
 *     serialNumber   CertificateSerialNumber
 * }
 * </pre>
 * Following the DER rules for DEFAULT, {@code hashAlgorithm} is written only
 * when it differs from {@code DEFAULT_ALG_ID}; {@code issuerSerial} is written
 * only when present.
 *
 * @return the DER SEQUENCE for this ESSCertIDv2
 */
public ASN1Primitive toASN1Primitive() {
    ASN1EncodableVector seq = new ASN1EncodableVector(3);
    // DER: a DEFAULT value must be omitted from the encoding.
    boolean usesDefaultAlgorithm = hashAlgorithm.equals(DEFAULT_ALG_ID);
    if (!usesDefaultAlgorithm) {
        seq.add(hashAlgorithm);
    }
    ASN1Primitive hash = new DEROctetString(certHash).toASN1Primitive();
    seq.add(hash);
    if (issuerSerial != null) {
        seq.add(issuerSerial);
    }
    return new DERSequence(seq);
}

Example 94 with GeneralNames

use of com.github.zhenwei.core.asn1.x509.GeneralNames in project LinLong-Java by zhenwei1108.

Class RFC3280CertPathUtilities, method processCertBC.

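/**
 * Applies the accumulated name constraints to certificate {@code index} of
 * the path (RFC 5280 section 6.1.3 (b) and (c)): the subject DN, every
 * emailAddress attribute found in the subject DN, and every entry of the
 * subjectAltName extension must lie within the permitted subtrees and outside
 * the excluded subtrees collected so far.
 * <p>
 * A self-issued certificate that is not the final certificate of the path is
 * exempt, as the RFC allows. {@code isForCRLCheck} extends the exemption to
 * the final certificate as well; from the flag name this appears to be used
 * when the path being validated is a CRL issuer path rather than an
 * end-entity path (confirm against the callers).
 *
 * @param certPath                the certification path being validated
 * @param index                   position of the certificate to check in
 *                                {@code certPath.getCertificates()} (end-entity first)
 * @param nameConstraintValidator the permitted / excluded subtrees accumulated so far
 * @param isForCRLCheck           whether the self-issued exemption also applies to the
 *                                final certificate of the path
 * @throws CertPathValidatorException if the subject name, a subject e-mail address or a
 *                                    subject alternative name violates the constraints,
 *                                    or if any of them cannot be decoded
 */
protected static void processCertBC(CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator, boolean isForCRLCheck) throws CertPathValidatorException {
    List<?> certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate) certs.get(index);
    int n = certs.size();
    // i as defined in the algorithm description: the list is end-entity first,
    // so index 0 is certificate n (the final certificate of the path).
    int i = n - index;
    // Self-issued certificates skip the checks unless they are the final
    // certificate of the path (i == n), in which case isForCRLCheck decides.
    if (!(CertPathValidatorUtilities.isSelfIssued(cert) && ((i < n) || isForCRLCheck))) {
        X500Name principal = PrincipalUtils.getSubjectPrincipal(cert);
        ASN1Sequence dns;
        try {
            dns = ASN1Sequence.getInstance(principal);
        } catch (Exception e) {
            // Any decoding failure must fail the path as a validator exception
            // rather than escape as an unchecked exception.
            throw new CertPathValidatorException("Exception extracting subject name when checking subtrees.", e, certPath, index);
        }
        try {
            nameConstraintValidator.checkPermittedDN(dns);
            nameConstraintValidator.checkExcludedDN(dns);
        } catch (PKIXNameConstraintValidatorException e) {
            throw new CertPathValidatorException("Subtree check for certificate subject failed.", e, certPath, index);
        }
        GeneralNames altName = null;
        try {
            // null when the certificate carries no subjectAltName extension
            // (presumably; depends on getExtensionValue / getInstance contract).
            altName = GeneralNames.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME));
        } catch (Exception e) {
            throw new CertPathValidatorException("Subject alternative name extension could not be decoded.", e, certPath, index);
        }
        // rfc822Name constraints also apply to emailAddress attributes carried
        // in the subject DN, so each one is checked as an rfc822Name.
        RDN[] emails = X500Name.getInstance(dns).getRDNs(BCStyle.EmailAddress);
        for (RDN emailRdn : emails) {
            // TODO: this should take into account multi-valued RDNs.
            // Only the first attribute of each matching RDN is read here, so an
            // emailAddress that is not the first attribute of a multi-valued RDN
            // would not be constrained by this loop.
            String email = ((ASN1String) emailRdn.getFirst().getValue()).getString();
            GeneralName emailAsGeneralName = new GeneralName(GeneralName.rfc822Name, email);
            try {
                nameConstraintValidator.checkPermitted(emailAsGeneralName);
                nameConstraintValidator.checkExcluded(emailAsGeneralName);
            } catch (PKIXNameConstraintValidatorException ex) {
                throw new CertPathValidatorException("Subtree check for certificate subject alternative email failed.", ex, certPath, index);
            }
        }
        if (altName != null) {
            GeneralName[] genNames = null;
            try {
                genNames = altName.getNames();
            } catch (Exception e) {
                throw new CertPathValidatorException("Subject alternative name contents could not be decoded.", e, certPath, index);
            }
            // Every SAN entry is checked against both subtree lists; a single
            // violating entry fails the whole certificate.
            for (GeneralName genName : genNames) {
                try {
                    nameConstraintValidator.checkPermitted(genName);
                    nameConstraintValidator.checkExcluded(genName);
                } catch (PKIXNameConstraintValidatorException e) {
                    throw new CertPathValidatorException("Subtree check for certificate subject alternative name failed.", e, certPath, index);
                }
            }
        }
    }
}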

Example 95 with GeneralNames

use of com.github.zhenwei.core.asn1.x509.GeneralNames in project LinLong-Java by zhenwei1108.

Class RFC3281CertPathUtilities, method checkCRLs.

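/**
 * Checks if an attribute certificate is revoked.
 * <p>
 * When revocation checking is enabled and the attribute certificate does not
 * carry the noRevAvail extension, every distribution point of its
 * cRLDistributionPoints extension is tried (via {@code checkCRL}), followed
 * by an implicit distribution point named after the certificate issuer. The
 * check fails closed: if no valid CRL is found, or the collected CRLs do not
 * cover all reason codes, the status is undetermined and an exception is
 * thrown rather than the certificate being accepted.
 *
 * @param attrCert      Attribute certificate to check if it is revoked.
 * @param paramsPKIX    PKIX parameters.
 * @param currentDate   The current time, passed through to {@code checkCRL}
 *                      (presumably used for CRL freshness; confirm there).
 * @param validityDate  The date when the certificate revocation status should be checked.
 * @param issuerCert    The issuer certificate of the attribute certificate
 *                      <code>attrCert</code>.
 * @param certPathCerts The certificates of the certification path to be checked.
 * @param helper        Provider helper used to instantiate the required JCA/JCE objects.
 * @throws CertPathValidatorException if the certificate is revoked or the status cannot be
 *                                    checked or some error occurs.
 */
protected static void checkCRLs(X509AttributeCertificate attrCert, PKIXExtendedParameters paramsPKIX, Date currentDate, Date validityDate, X509Certificate issuerCert, List certPathCerts, JcaJceHelper helper) throws CertPathValidatorException {
    if (paramsPKIX.isRevocationEnabled()) {
        // check if revocation is available
        if (attrCert.getExtensionValue(NO_REV_AVAIL) == null) {
            CRLDistPoint crldp = null;
            try {
                crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(attrCert, CRL_DISTRIBUTION_POINTS));
            } catch (AnnotatedException e) {
                throw new CertPathValidatorException("CRL distribution point extension could not be read.", e);
            }
            List<PKIXCRLStore> crlStores = new ArrayList<PKIXCRLStore>();
            try {
                crlStores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX.getNamedCRLStoreMap(), validityDate, helper));
            } catch (AnnotatedException e) {
                throw new CertPathValidatorException("No additional CRL locations could be decoded from CRL distribution point extension.", e);
            }
            PKIXExtendedParameters.Builder bldr = new PKIXExtendedParameters.Builder(paramsPKIX);
            // Each store discovered from the distribution points is added
            // individually. The previous code cast the whole list to
            // PKIXCRLStore, which threw ClassCastException as soon as a
            // distribution point yielded any store.
            for (PKIXCRLStore crlStore : crlStores) {
                bldr.addCRLStore(crlStore);
            }
            paramsPKIX = bldr.build();
            CertStatus certStatus = new CertStatus();
            ReasonsMask reasonsMask = new ReasonsMask();
            AnnotatedException lastException = null;
            boolean validCrlFound = false;
            // for each distribution point
            if (crldp != null) {
                DistributionPoint[] dps = null;
                try {
                    dps = crldp.getDistributionPoints();
                } catch (Exception e) {
                    throw new ExtCertPathValidatorException("Distribution points could not be read.", e);
                }
                try {
                    // Stop as soon as a revocation is found or every reason
                    // code has been covered by the CRLs seen so far.
                    for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) {
                        PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters) paramsPKIX.clone();
                        checkCRL(dps[i], attrCert, paramsPKIXClone, currentDate, validityDate, issuerCert, certStatus, reasonsMask, certPathCerts, helper);
                        validCrlFound = true;
                    }
                } catch (AnnotatedException e) {
                    lastException = new AnnotatedException("No valid CRL for distribution point found.", e);
                }
            }
            if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
                try {
                    /*
                     * assume a DP with both the reasons and the cRLIssuer
                     * fields omitted and a distribution point name of the
                     * certificate issuer.
                     */
                    X500Name issuer;
                    try {
                        issuer = PrincipalUtils.getEncodedIssuerPrincipal(attrCert);
                    } catch (Exception e) {
                        throw new AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e);
                    }
                    DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null);
                    PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters) paramsPKIX.clone();
                    checkCRL(dp, attrCert, paramsPKIXClone, currentDate, validityDate, issuerCert, certStatus, reasonsMask, certPathCerts, helper);
                    validCrlFound = true;
                } catch (AnnotatedException e) {
                    lastException = new AnnotatedException("No valid CRL for distribution point found.", e);
                }
            }
            // Fail closed: no usable CRL means the status is unknown, not "unrevoked".
            if (!validCrlFound) {
                throw new ExtCertPathValidatorException("No valid CRL found.", lastException);
            }
            if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
                String message = "Attribute certificate revocation after " + certStatus.getRevocationDate();
                message += ", reason: " + RFC3280CertPathUtilities.crlReasons[certStatus.getCertStatus()];
                throw new CertPathValidatorException(message);
            }
            // Partial reason coverage is not enough to declare the certificate unrevoked.
            if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) {
                certStatus.setCertStatus(CertStatus.UNDETERMINED);
            }
            if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) {
                throw new CertPathValidatorException("Attribute certificate status could not be determined.");
            }
        } else {
            // noRevAvail must not be combined with revocation pointers.
            if (attrCert.getExtensionValue(CRL_DISTRIBUTION_POINTS) != null || attrCert.getExtensionValue(AUTHORITY_INFO_ACCESS) != null) {
                throw new CertPathValidatorException("No rev avail extension is set, but also an AC revocation pointer.");
            }
        }
    }
}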
