
Example 16 with GeneralSubtree

use of com.github.zhenwei.core.asn1.x509.GeneralSubtree in project XobotOS by xamarin.

the class RFC3280CertPathUtilities method prepareNextCertG.

/**
 * Performs step (g) of the RFC 3280 basic path validation loop
 * (section 6.1.4): folds the name constraints extension of the certificate
 * at {@code index} into the running {@code nameConstraintValidator}.
 * <p>
 * Permitted subtrees are intersected with what has been collected so far;
 * excluded subtrees are added one by one. A certificate without the
 * extension leaves the validator untouched.
 *
 * @param certPath the certification path under validation
 * @param index position within {@code certPath} of the certificate to process
 * @param nameConstraintValidator accumulated constraint state, updated in place
 * @throws CertPathValidatorException if the extension, or either of its
 *         subtree lists, cannot be decoded or applied
 */
protected static void prepareNextCertG(CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator) throws CertPathValidatorException {
    X509Certificate cert = (X509Certificate) certPath.getCertificates().get(index);

    NameConstraints constraints = readNameConstraints(cert, certPath, index);
    if (constraints == null) {
        // No name constraints extension on this certificate: nothing to narrow.
        return;
    }

    // (g)(1) permitted subtrees: intersect with the state collected so far.
    ASN1Sequence permittedSubtrees = constraints.getPermittedSubtrees();
    if (permittedSubtrees != null) {
        try {
            nameConstraintValidator.intersectPermittedSubtree(permittedSubtrees);
        } catch (Exception ex) {
            throw new ExtCertPathValidatorException("Permitted subtrees cannot be build from name constraints extension.", ex, certPath, index);
        }
    }

    // (g)(2) excluded subtrees: every entry is added to the excluded set.
    ASN1Sequence excludedSubtrees = constraints.getExcludedSubtrees();
    if (excludedSubtrees != null) {
        Enumeration entries = excludedSubtrees.getObjects();
        try {
            while (entries.hasMoreElements()) {
                nameConstraintValidator.addExcludedSubtree(GeneralSubtree.getInstance(entries.nextElement()));
            }
        } catch (Exception ex) {
            throw new ExtCertPathValidatorException("Excluded subtrees cannot be build from name constraints extension.", ex, certPath, index);
        }
    }
}

/**
 * Decodes the name constraints extension of {@code cert}.
 *
 * @return the decoded extension, or {@code null} when the certificate carries none
 * @throws CertPathValidatorException if the extension is present but malformed
 */
private static NameConstraints readNameConstraints(X509Certificate cert, CertPath certPath, int index) throws CertPathValidatorException {
    try {
        ASN1Sequence ncSeq = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.NAME_CONSTRAINTS));
        return (ncSeq == null) ? null : new NameConstraints(ncSeq);
    } catch (Exception e) {
        throw new ExtCertPathValidatorException("Name constraints extension could not be decoded.", e, certPath, index);
    }
}
Also used : NameConstraints(org.bouncycastle.asn1.x509.NameConstraints) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) Enumeration(java.util.Enumeration) List(java.util.List) ArrayList(java.util.ArrayList) GeneralSubtree(org.bouncycastle.asn1.x509.GeneralSubtree) X509Certificate(java.security.cert.X509Certificate) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException)

Example 17 with GeneralSubtree

use of com.github.zhenwei.core.asn1.x509.GeneralSubtree in project robovm by robovm.

the class PKIXNameConstraintValidator method intersectPermittedSubtree.

/**
 * Updates the permitted set of these name constraints with the intersection
 * with the given subtrees.
 * <p>
 * The subtrees are first grouped by the tag number of their base
 * {@code GeneralName}; each group is then intersected with the permitted set
 * kept for that name form (rfc822Name, dNSName, directoryName,
 * uniformResourceIdentifier, iPAddress). Subtrees whose base carries any other
 * tag number fall through the dispatch below without effect -- NOTE(review):
 * constraints on those name forms therefore never narrow the permitted set;
 * confirm the caller rejects or otherwise accounts for them.
 *
 * @param permitted The permitted subtrees
 */
public void intersectPermittedSubtree(GeneralSubtree[] permitted) {
    // Bucket the subtrees by the tag number of their GeneralName base.
    Map byTag = new HashMap();
    for (GeneralSubtree subtree : permitted) {
        Integer tag = Integer.valueOf(subtree.getBase().getTagNo());
        Set bucket = (Set) byTag.get(tag);
        if (bucket == null) {
            bucket = new HashSet();
            byTag.put(tag, bucket);
        }
        bucket.add(subtree);
    }

    // Fold each bucket into the permitted set of the matching name form.
    for (Object element : byTag.entrySet()) {
        Map.Entry entry = (Map.Entry) element;
        int tag = ((Integer) entry.getKey()).intValue();
        Set group = (Set) entry.getValue();
        if (tag == 1) {
            permittedSubtreesEmail = intersectEmail(permittedSubtreesEmail, group);
        } else if (tag == 2) {
            permittedSubtreesDNS = intersectDNS(permittedSubtreesDNS, group);
        } else if (tag == 4) {
            permittedSubtreesDN = intersectDN(permittedSubtreesDN, group);
        } else if (tag == 6) {
            permittedSubtreesURI = intersectURI(permittedSubtreesURI, group);
        } else if (tag == 7) {
            permittedSubtreesIP = intersectIP(permittedSubtreesIP, group);
        }
    }
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) HashMap(java.util.HashMap) Iterator(java.util.Iterator) GeneralSubtree(org.bouncycastle.asn1.x509.GeneralSubtree) HashMap(java.util.HashMap) Map(java.util.Map) HashSet(java.util.HashSet)

Example 18 with GeneralSubtree

use of com.github.zhenwei.core.asn1.x509.GeneralSubtree in project jdk8u_jdk by JetBrains.

the class X509CertSelectorTest method testPathToName.

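/*
 * Tests matching on the name constraints extension contained in the
 * certificate.
 *
 * Every directoryName entry of the excluded subtrees must fail to match,
 * both for the subtree DN itself and for a DN one level beneath it; every
 * directoryName entry of the permitted subtrees must match for both. Subtrees
 * of other name forms are not exercised here.
 */
private void testPathToName() throws IOException {
    System.out.println("X.509 Certificate Match on pathToName");
    // 2.5.29.30 is id-ce-nameConstraints; getExtensionValue() hands back the
    // OCTET STRING wrapper, whose content is the encoded NameConstraints.
    // Presumably the test certificate always carries the extension -- a
    // missing one would surface as an NPE on the next line.
    DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.30"));
    byte[] encoded = in.getOctetString();
    NameConstraintsExtension ext = new NameConstraintsExtension(false, encoded);
    GeneralSubtrees permitted = (GeneralSubtrees) ext.get(PERMITTED_SUBTREES);
    GeneralSubtrees excluded = (GeneralSubtrees) ext.get(EXCLUDED_SUBTREES);
    // bad matches on pathToName within excluded subtrees
    checkDirectoryNameSubtrees(excluded, "CN=Bogus, ", false);
    // good matches on pathToName within permitted subtrees
    checkDirectoryNameSubtrees(permitted, "CN=good, ", true);
}

/*
 * For each directoryName subtree in subtrees, checks that a pathToName
 * criterion built from the subtree DN, and one built from childRdn prepended
 * to that DN, both match cert with the outcome expectMatch. A null subtrees
 * (component absent from the extension) is a no-op.
 */
private void checkDirectoryNameSubtrees(GeneralSubtrees subtrees, String childRdn, boolean expectMatch) throws IOException {
    if (subtrees == null) {
        return;
    }
    Iterator<GeneralSubtree> it = subtrees.iterator();
    while (it.hasNext()) {
        GeneralSubtree tree = it.next();
        if (tree.getName().getType() != NAME_DIRECTORY) {
            continue;
        }
        String dn = tree.getName().toString();
        X509CertSelector selector = new X509CertSelector();
        selector.addPathToName(NAME_DIRECTORY, derEncode(new X500Name(dn)));
        checkMatch(selector, cert, expectMatch);
        // Clearing and re-adding also exercises setPathToNames(null).
        selector.setPathToNames(null);
        selector.addPathToName(NAME_DIRECTORY, derEncode(new X500Name(childRdn + dn)));
        checkMatch(selector, cert, expectMatch);
    }
}

/*
 * Returns the DER encoding of dn, as expected by addPathToName().
 */
private static byte[] derEncode(X500Name dn) throws IOException {
    DerOutputStream out = new DerOutputStream();
    dn.encode(out);
    return out.toByteArray();
}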
Also used : DerOutputStream(sun.security.util.DerOutputStream) GeneralSubtrees(sun.security.x509.GeneralSubtrees) X509CertSelector(java.security.cert.X509CertSelector) DerInputStream(sun.security.util.DerInputStream) NameConstraintsExtension(sun.security.x509.NameConstraintsExtension) GeneralSubtree(sun.security.x509.GeneralSubtree) X500Name(sun.security.x509.X500Name)

Example 19 with GeneralSubtree

use of com.github.zhenwei.core.asn1.x509.GeneralSubtree in project xipki by xipki.

the class XmlX509CertprofileUtil method buildGeneralSubtree.

// method buildGeneralSubtrees
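/**
 * Converts a profile {@code GeneralSubtreeBaseType} element into the ASN.1
 * {@link GeneralSubtree} that goes into a NameConstraints extension.
 * <p>
 * The name-form children are probed in the order directoryName, dNSName,
 * iPAddress, rfc822Name, uniformResourceIdentifier, and the first non-null
 * one becomes the subtree base. Directory names are passed through
 * {@code X509Util.reverse} -- presumably to bring the profile's RDN order in
 * line with the encoded form; confirm against X509Util.
 *
 * @param type the profile element; must not be {@code null}
 * @return the subtree; an absent minimum or maximum is passed on as {@code null}
 * @throws CertprofileException if minimum or maximum is negative
 * @throws IllegalStateException if none of the name-form children is set
 */
private static GeneralSubtree buildGeneralSubtree(GeneralSubtreeBaseType type) throws CertprofileException {
    ParamUtil.requireNonNull("type", type);
    GeneralName base;
    if (type.getDirectoryName() != null) {
        base = new GeneralName(X509Util.reverse(new X500Name(type.getDirectoryName())));
    } else if (type.getDnsName() != null) {
        base = new GeneralName(GeneralName.dNSName, type.getDnsName());
    } else if (type.getIpAddress() != null) {
        base = new GeneralName(GeneralName.iPAddress, type.getIpAddress());
    } else if (type.getRfc822Name() != null) {
        base = new GeneralName(GeneralName.rfc822Name, type.getRfc822Name());
    } else if (type.getUri() != null) {
        base = new GeneralName(GeneralName.uniformResourceIdentifier, type.getUri());
    } else {
        // Presumably unreachable for schema-valid input. IllegalStateException
        // names the condition and is still caught by any RuntimeException handler.
        throw new IllegalStateException("should not reach here, unknown child of GeneralSubtreeBaseType");
    }
    BigInteger minimum = toBaseDistance(type.getMinimum(), "minimum");
    BigInteger maximum = toBaseDistance(type.getMaximum(), "maximum");
    return new GeneralSubtree(base, minimum, maximum);
}

/**
 * Validates an optional BaseDistance value ({@code (0..MAX)}) and widens it to
 * the {@link BigInteger} taken by {@link GeneralSubtree}.
 *
 * @param value the profile value, or {@code null} when absent
 * @param label {@code "minimum"} or {@code "maximum"}, used in the error message
 * @return {@code null} when {@code value} is {@code null}, otherwise its BigInteger form
 * @throws CertprofileException if {@code value} is negative
 */
private static BigInteger toBaseDistance(Integer value, String label) throws CertprofileException {
    if (value == null) {
        return null;
    }
    if (value.intValue() < 0) {
        throw new CertprofileException("negative " + label + " is not allowed: " + value);
    }
    return BigInteger.valueOf(value.intValue());
}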
Also used : ASN1Integer(org.bouncycastle.asn1.ASN1Integer) BigInteger(java.math.BigInteger) CertprofileException(org.xipki.ca.api.profile.CertprofileException) BigInteger(java.math.BigInteger) GeneralName(org.bouncycastle.asn1.x509.GeneralName) X500Name(org.bouncycastle.asn1.x500.X500Name) GeneralSubtree(org.bouncycastle.asn1.x509.GeneralSubtree)

Example 20 with GeneralSubtree

use of com.github.zhenwei.core.asn1.x509.GeneralSubtree in project keystore-explorer by kaikramer.

the class X509Ext method getNameConstraintsStringValue.

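/**
 * Renders a NameConstraints extension value for display.
 * <p>
 * The output lists the permitted subtrees followed by the excluded subtrees;
 * each subtree prints its base name, its minimum (defaulting to 0,
 * {@code nodistance}, when absent) and, only when present, its maximum. A
 * missing or empty permitted list and a missing excluded list print the
 * {@code NoValue} resource instead.
 *
 * @param value the DER-encoded NameConstraints structure -- NOTE(review):
 *        whether the caller has already unwrapped the extension's OCTET STRING
 *        is not visible here; confirm against the call site
 * @return the formatted, multi-line description
 * @throws IOException declared for callers; the decoding below does not raise it itself
 */
private static String getNameConstraintsStringValue(byte[] value) throws IOException {
    // @formatter:off
    /*
     * NameConstraints ::= ASN1Sequence { permittedSubtrees [0]
     * GeneralSubtrees OPTIONAL, excludedSubtrees [1] GeneralSubtrees
     * OPTIONAL }
     *
     * GeneralSubtrees ::= ASN1Sequence SIZE (1..MAX) OF GeneralSubtree
     *
     * GeneralSubtree ::= ASN1Sequence { base GeneralName, minimum [0]
     * BaseDistance DEFAULT nodistance, maximum [1] BaseDistance OPTIONAL }
     *
     * BaseDistance ::= ASN1Integer {nodistance(0) } (0..MAX)
     */
    // @formatter:on
    StringBuilder sb = new StringBuilder();
    NameConstraints nameConstraints = NameConstraints.getInstance(value);

    GeneralSubtree[] permittedSubtreeArray = nameConstraints.getPermittedSubtrees();
    sb.append(res.getString("PermittedSubtrees"));
    if (permittedSubtreeArray == null || permittedSubtreeArray.length == 0) {
        sb.append(" ").append(res.getString("NoValue"));
        sb.append(NEWLINE);
    } else {
        GeneralSubtrees permittedSubtrees = new GeneralSubtrees(permittedSubtreeArray);
        sb.append(NEWLINE);
        int permitted = 0;
        for (GeneralSubtree permittedSubtree : permittedSubtrees.getGeneralSubtrees()) {
            permitted++;
            appendSubtree(sb, permittedSubtree, "PermittedSubtree", permitted);
        }
    }

    GeneralSubtree[] excludedSubtreeArray = nameConstraints.getExcludedSubtrees();
    sb.append(res.getString("ExcludedSubtrees"));
    if (excludedSubtreeArray == null) {
        // Optional
        sb.append(" ").append(res.getString("NoValue"));
        sb.append(NEWLINE);
    } else {
        GeneralSubtrees excludedSubtrees = new GeneralSubtrees(excludedSubtreeArray);
        sb.append(NEWLINE);
        int excluded = 0;
        for (GeneralSubtree excludedSubtree : excludedSubtrees.getGeneralSubtrees()) {
            excluded++;
            appendSubtree(sb, excludedSubtree, "ExcludedSubtree", excluded);
        }
    }
    return sb.toString();
}

/**
 * Appends one subtree (heading, base, minimum, optional maximum) to {@code sb}.
 * Shared by the permitted and excluded branches so both render identically;
 * in particular an absent minimum is treated as {@code nodistance} (0) for
 * both, where previously only the permitted branch guarded against it.
 *
 * @param sb output buffer
 * @param subtree the subtree to render
 * @param headingKey resource key of the numbered heading line
 * @param ordinal 1-based position of the subtree within its list
 */
private static void appendSubtree(StringBuilder sb, GeneralSubtree subtree, String headingKey, int ordinal) {
    sb.append(INDENT);
    sb.append(MessageFormat.format(res.getString(headingKey), ordinal));
    sb.append(NEWLINE);
    sb.append(INDENT).append(INDENT);
    sb.append(res.getString("Base"));
    sb.append(NEWLINE);
    GeneralName base = subtree.getBase();
    sb.append(INDENT).append(INDENT).append(INDENT);
    sb.append(GeneralNameUtil.toString(base));
    sb.append(NEWLINE);
    // Default 'nodistance' value when minimum is absent
    BigInteger minimum = subtree.getMinimum();
    int minimumInt = (minimum == null) ? 0 : minimum.intValue();
    sb.append(INDENT).append(INDENT);
    sb.append(MessageFormat.format(res.getString("Minimum"), minimumInt));
    sb.append(NEWLINE);
    // maximum is OPTIONAL with no default: print it only when present
    BigInteger maximum = subtree.getMaximum();
    if (maximum != null) {
        int maximumInt = maximum.intValue();
        sb.append(INDENT).append(INDENT);
        sb.append(MessageFormat.format(res.getString("Maximum"), maximumInt));
        sb.append(NEWLINE);
    }
}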
Also used : NameConstraints(org.bouncycastle.asn1.x509.NameConstraints) BigInteger(java.math.BigInteger) GeneralSubtree(org.bouncycastle.asn1.x509.GeneralSubtree) GeneralName(org.bouncycastle.asn1.x509.GeneralName) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)

Aggregations

GeneralSubtree (org.bouncycastle.asn1.x509.GeneralSubtree)18 BigInteger (java.math.BigInteger)7 GeneralName (org.bouncycastle.asn1.x509.GeneralName)6 NameConstraints (org.bouncycastle.asn1.x509.NameConstraints)6 IOException (java.io.IOException)5 X509Certificate (java.security.cert.X509Certificate)5 HashSet (java.util.HashSet)4 Iterator (java.util.Iterator)4 Set (java.util.Set)4 X500Name (org.bouncycastle.asn1.x500.X500Name)4 GeneralSecurityException (java.security.GeneralSecurityException)3 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)3 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)3 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)3 ASN1IA5String (com.github.zhenwei.core.asn1.ASN1IA5String)2 ASN1OctetString (com.github.zhenwei.core.asn1.ASN1OctetString)2 ASN1Sequence (com.github.zhenwei.core.asn1.ASN1Sequence)2 CRLDistPoint (com.github.zhenwei.core.asn1.x509.CRLDistPoint)2 DistributionPoint (com.github.zhenwei.core.asn1.x509.DistributionPoint)2 GeneralSubtree (com.github.zhenwei.core.asn1.x509.GeneralSubtree)2