Examples with GeneralSubtree com.github.zhenwei.core.asn1.x509.GeneralSubtree used on opensource projects

Example 1 with GeneralSubtree

use of com.github.zhenwei.core.asn1.x509.GeneralSubtree in project robovm by robovm.

the class RFC3280CertPathUtilities method prepareNextCertG.

protected static void prepareNextCertG(CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator) throws CertPathValidatorException {
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate) certs.get(index);
    //
    // (g) handle the name constraints extension
    //
    NameConstraints nc = null;
    try {
        ASN1Sequence ncSeq = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.NAME_CONSTRAINTS));
        if (ncSeq != null) {
            nc = NameConstraints.getInstance(ncSeq);
        }
    } catch (Exception e) {
        throw new ExtCertPathValidatorException("Name constraints extension could not be decoded.", e, certPath, index);
    }
    if (nc != null) {
        //
        // (g) (1) permitted subtrees
        //
        GeneralSubtree[] permitted = nc.getPermittedSubtrees();
        if (permitted != null) {
            try {
                nameConstraintValidator.intersectPermittedSubtree(permitted);
            } catch (Exception ex) {
                throw new ExtCertPathValidatorException("Permitted subtrees cannot be build from name constraints extension.", ex, certPath, index);
            }
        }
        //
        // (g) (2) excluded subtrees
        //
        GeneralSubtree[] excluded = nc.getExcludedSubtrees();
        if (excluded != null) {
            for (int i = 0; i != excluded.length; i++) try {
                nameConstraintValidator.addExcludedSubtree(excluded[i]);
            } catch (Exception ex) {
                throw new ExtCertPathValidatorException("Excluded subtrees cannot be build from name constraints extension.", ex, certPath, index);
            }
        }
    }
}

Example 2 with GeneralSubtree

use of com.github.zhenwei.core.asn1.x509.GeneralSubtree in project robovm by robovm.

the class TestKeyStore method createCertificate.

private static X509Certificate createCertificate(PublicKey publicKey, PrivateKey privateKey, X500Principal subject, X500Principal issuer, int keyUsage, boolean ca, List<KeyPurposeId> extendedKeyUsages, List<Boolean> criticalExtendedKeyUsages, List<GeneralName> subjectAltNames, List<GeneralSubtree> permittedNameConstraints, List<GeneralSubtree> excludedNameConstraints) throws Exception {
    // Note that there is no way to programmatically make a
    // Certificate using java.* or javax.* APIs. The
    // CertificateFactory interface assumes you want to read
    // in a stream of bytes, typically the X.509 factory would
    // allow ASN.1 DER encoded bytes and optionally some PEM
    // formats. Here we use Bouncy Castle's
    // X509V3CertificateGenerator and related classes.
    long millisPerDay = 24 * 60 * 60 * 1000;
    long now = System.currentTimeMillis();
    Date start = new Date(now - millisPerDay);
    Date end = new Date(now + millisPerDay);
    BigInteger serial = BigInteger.valueOf(1);
    String keyAlgorithm = privateKey.getAlgorithm();
    String signatureAlgorithm;
    if (keyAlgorithm.equals("RSA")) {
        signatureAlgorithm = "sha1WithRSA";
    } else if (keyAlgorithm.equals("DSA")) {
        signatureAlgorithm = "sha1WithDSA";
    } else if (keyAlgorithm.equals("EC")) {
        signatureAlgorithm = "sha1WithECDSA";
    } else if (keyAlgorithm.equals("EC_RSA")) {
        signatureAlgorithm = "sha1WithRSA";
    } else {
        throw new IllegalArgumentException("Unknown key algorithm " + keyAlgorithm);
    }
    X509V3CertificateGenerator x509cg = new X509V3CertificateGenerator();
    x509cg.setSubjectDN(subject);
    x509cg.setIssuerDN(issuer);
    x509cg.setNotBefore(start);
    x509cg.setNotAfter(end);
    x509cg.setPublicKey(publicKey);
    x509cg.setSignatureAlgorithm(signatureAlgorithm);
    x509cg.setSerialNumber(serial);
    if (keyUsage != 0) {
        x509cg.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(keyUsage));
    }
    if (ca) {
        x509cg.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
    }
    for (int i = 0; i < extendedKeyUsages.size(); i++) {
        KeyPurposeId keyPurposeId = extendedKeyUsages.get(i);
        boolean critical = criticalExtendedKeyUsages.get(i);
        x509cg.addExtension(X509Extensions.ExtendedKeyUsage, critical, new ExtendedKeyUsage(keyPurposeId));
    }
    for (GeneralName subjectAltName : subjectAltNames) {
        x509cg.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(subjectAltName).getEncoded());
    }
    if (!permittedNameConstraints.isEmpty() || !excludedNameConstraints.isEmpty()) {
        x509cg.addExtension(X509Extensions.NameConstraints, true, new NameConstraints(permittedNameConstraints.toArray(new GeneralSubtree[permittedNameConstraints.size()]), excludedNameConstraints.toArray(new GeneralSubtree[excludedNameConstraints.size()])));
    }
    if (privateKey instanceof ECPrivateKey) {
        /*
             * bouncycastle needs its own ECPrivateKey implementation
             */
        KeyFactory kf = KeyFactory.getInstance(keyAlgorithm, "BC");
        PKCS8EncodedKeySpec ks = new PKCS8EncodedKeySpec(privateKey.getEncoded());
        privateKey = kf.generatePrivate(ks);
    }
    X509Certificate x509c = x509cg.generateX509Certificate(privateKey);
    if (StandardNames.IS_RI) {
        /*
             * The RI can't handle the BC EC signature algorithm
             * string of "ECDSA", since it expects "...WITHEC...",
             * so convert from BC to RI X509Certificate
             * implementation via bytes.
             */
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        ByteArrayInputStream bais = new ByteArrayInputStream(x509c.getEncoded());
        Certificate c = cf.generateCertificate(bais);
        x509c = (X509Certificate) c;
    }
    return x509c;
}

Example 3 with GeneralSubtree

use of com.github.zhenwei.core.asn1.x509.GeneralSubtree in project jdk8u_jdk by JetBrains.

the class X509CertSelectorTest method getGeneralSubtree.

private static GeneralSubtree getGeneralSubtree(GeneralNameInterface gni) {
    // Create a new GeneralSubtree with the specified name, 0 base, and
    // unlimited length
    GeneralName gn = new GeneralName(gni);
    GeneralSubtree subTree = new GeneralSubtree(gn, 0, -1);
    return subTree;
}

Example 4 with GeneralSubtree

use of com.github.zhenwei.core.asn1.x509.GeneralSubtree in project xipki by xipki.

the class XmlX509CertprofileUtil method buildNameConstrains.

// method buildPolicyMappings
public static NameConstraints buildNameConstrains(org.xipki.ca.certprofile.x509.jaxb.NameConstraints type) throws CertprofileException {
    ParamUtil.requireNonNull("type", type);
    GeneralSubtree[] permitted = buildGeneralSubtrees(type.getPermittedSubtrees());
    GeneralSubtree[] excluded = buildGeneralSubtrees(type.getExcludedSubtrees());
    return (permitted == null && excluded == null) ? null : new NameConstraints(permitted, excluded);
}

Example 5 with GeneralSubtree

use of com.github.zhenwei.core.asn1.x509.GeneralSubtree in project xipki by xipki.

the class ExtensionsChecker method checkExtensionNameConstraintsSubtrees.

// method checkExtensionNameConstraints
private void checkExtensionNameConstraintsSubtrees(StringBuilder failureMsg, String description, GeneralSubtree[] subtrees, List<QaGeneralSubtree> expectedSubtrees) {
    int isSize = (subtrees == null) ? 0 : subtrees.length;
    int expSize = (expectedSubtrees == null) ? 0 : expectedSubtrees.size();
    if (isSize != expSize) {
        addViolation(failureMsg, "size of " + description, isSize, expSize);
        return;
    }
    if (subtrees == null || expectedSubtrees == null) {
        return;
    }
    for (int i = 0; i < isSize; i++) {
        GeneralSubtree isSubtree = subtrees[i];
        QaGeneralSubtree expSubtree = expectedSubtrees.get(i);
        BigInteger bigInt = isSubtree.getMinimum();
        int isMinimum = (bigInt == null) ? 0 : bigInt.intValue();
        Integer minimum = expSubtree.getMinimum();
        int expMinimum = (minimum == null) ? 0 : minimum.intValue();
        String desc = description + " [" + i + "]";
        if (isMinimum != expMinimum) {
            addViolation(failureMsg, "minimum of " + desc, isMinimum, expMinimum);
        }
        bigInt = isSubtree.getMaximum();
        Integer isMaximum = (bigInt == null) ? null : bigInt.intValue();
        Integer expMaximum = expSubtree.getMaximum();
        if (!CompareUtil.equalsObject(isMaximum, expMaximum)) {
            addViolation(failureMsg, "maxmum of " + desc, isMaximum, expMaximum);
        }
        GeneralName isBase = isSubtree.getBase();
        GeneralName expBase;
        if (expSubtree.getDirectoryName() != null) {
            expBase = new GeneralName(X509Util.reverse(new X500Name(expSubtree.getDirectoryName())));
        } else if (expSubtree.getDnsName() != null) {
            expBase = new GeneralName(GeneralName.dNSName, expSubtree.getDnsName());
        } else if (expSubtree.getIpAddress() != null) {
            expBase = new GeneralName(GeneralName.iPAddress, expSubtree.getIpAddress());
        } else if (expSubtree.getRfc822Name() != null) {
            expBase = new GeneralName(GeneralName.rfc822Name, expSubtree.getRfc822Name());
        } else if (expSubtree.getUri() != null) {
            expBase = new GeneralName(GeneralName.uniformResourceIdentifier, expSubtree.getUri());
        } else {
            throw new RuntimeException("should not reach here, unknown child of GeneralName");
        }
        if (!isBase.equals(expBase)) {
            addViolation(failureMsg, "base of " + desc, isBase, expBase);
        }
    }
}