Search in sources :

Example 31 with PolicyInformation

use of com.github.zhenwei.core.asn1.x509.PolicyInformation in project jdk8u_jdk by JetBrains.

the class X509CertSelectorTest method testPolicy.

/*
     * Tests matching on the policy constraints extension contained in the
     * certificate.
     */
private void testPolicy() throws IOException {
    System.out.println("X.509 Certificate Match on certificatePolicies");
    // test encoding of CertificatePoliciesExtension because we wrote the
    // code
    // bad match
    X509CertSelector selector = new X509CertSelector();
    Set<String> s = new HashSet<>();
    s.add(new String("1.2.5.7.68"));
    selector.setPolicy(s);
    checkMatch(selector, cert, false);
    // good match
    DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.32"));
    CertificatePoliciesExtension ext = new CertificatePoliciesExtension(false, in.getOctetString());
    List<PolicyInformation> policies = ext.get(CertificatePoliciesExtension.POLICIES);
    // match on the first policy id
    PolicyInformation policyInfo = (PolicyInformation) policies.get(0);
    s.clear();
    s.add(policyInfo.getPolicyIdentifier().getIdentifier().toString());
    selector.setPolicy(s);
    checkMatch(selector, cert, true);
}
Also used : PolicyInformation(sun.security.x509.PolicyInformation) X509CertSelector(java.security.cert.X509CertSelector) DerInputStream(sun.security.util.DerInputStream) CertificatePoliciesExtension(sun.security.x509.CertificatePoliciesExtension) HashSet(java.util.HashSet)

Example 32 with PolicyInformation

use of com.github.zhenwei.core.asn1.x509.PolicyInformation in project jdk8u_jdk by JetBrains.

the class PolicyChecker method processPolicies.

/**
     * Processes certificate policies in the certificate.
     *
     * @param certIndex the index of the certificate
     * @param initPolicies the initial policies required by the user
     * @param explicitPolicy an integer which indicates if a non-null
     * valid policy tree is required
     * @param policyMapping an integer which indicates if policy
     * mapping is inhibited
     * @param inhibitAnyPolicy an integer which indicates whether
     * "any-policy" is considered a match
     * @param rejectPolicyQualifiers a boolean indicating whether the
     * user wants to reject policies that have qualifiers
     * @param origRootNode the root node of the valid policy tree
     * @param currCert the Certificate to be processed
     * @param finalCert a boolean indicating whether currCert is the final
     * cert in the cert path
     * @return the root node of the valid policy tree after modification
     * @exception CertPathValidatorException Exception thrown if an
     * error occurs while processing policies.
     */
static PolicyNodeImpl processPolicies(int certIndex, Set<String> initPolicies, int explicitPolicy, int policyMapping, int inhibitAnyPolicy, boolean rejectPolicyQualifiers, PolicyNodeImpl origRootNode, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException {
    boolean policiesCritical = false;
    List<PolicyInformation> policyInfo;
    PolicyNodeImpl rootNode = null;
    Set<PolicyQualifierInfo> anyQuals = new HashSet<>();
    if (origRootNode == null)
        rootNode = null;
    else
        rootNode = origRootNode.copyTree();
    // retrieve policyOIDs from currCert
    CertificatePoliciesExtension currCertPolicies = currCert.getCertificatePoliciesExtension();
    // PKIX: Section 6.1.3: Step (d)
    if ((currCertPolicies != null) && (rootNode != null)) {
        policiesCritical = currCertPolicies.isCritical();
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "policiesCritical = " + policiesCritical);
        try {
            policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
        } catch (IOException ioe) {
            throw new CertPathValidatorException("Exception while " + "retrieving policyOIDs", ioe);
        }
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "rejectPolicyQualifiers = " + rejectPolicyQualifiers);
        boolean foundAnyPolicy = false;
        // process each policy in cert
        for (PolicyInformation curPolInfo : policyInfo) {
            String curPolicy = curPolInfo.getPolicyIdentifier().getIdentifier().toString();
            if (curPolicy.equals(ANY_POLICY)) {
                foundAnyPolicy = true;
                anyQuals = curPolInfo.getPolicyQualifiers();
            } else {
                // PKIX: Section 6.1.3: Step (d)(1)
                if (debug != null)
                    debug.println("PolicyChecker.processPolicies() " + "processing policy: " + curPolicy);
                // retrieve policy qualifiers from cert
                Set<PolicyQualifierInfo> pQuals = curPolInfo.getPolicyQualifiers();
                // the policyQualifiersRejected flag is set in the params
                if (!pQuals.isEmpty() && rejectPolicyQualifiers && policiesCritical) {
                    throw new CertPathValidatorException("critical policy qualifiers present in certificate", null, null, -1, PKIXReason.INVALID_POLICY);
                }
                // PKIX: Section 6.1.3: Step (d)(1)(i)
                boolean foundMatch = processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, false);
                if (!foundMatch) {
                    // PKIX: Section 6.1.3: Step (d)(1)(ii)
                    processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, true);
                }
            }
        }
        // PKIX: Section 6.1.3: Step (d)(2)
        if (foundAnyPolicy) {
            if ((inhibitAnyPolicy > 0) || (!finalCert && X509CertImpl.isSelfIssued(currCert))) {
                if (debug != null) {
                    debug.println("PolicyChecker.processPolicies() " + "processing policy: " + ANY_POLICY);
                }
                processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, ANY_POLICY, anyQuals, true);
            }
        }
        // PKIX: Section 6.1.3: Step (d)(3)
        rootNode.prune(certIndex);
        if (!rootNode.getChildren().hasNext()) {
            rootNode = null;
        }
    } else if (currCertPolicies == null) {
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "no policies present in cert");
        // PKIX: Section 6.1.3: Step (e)
        rootNode = null;
    }
    // resulting in a null tree
    if (rootNode != null) {
        if (!finalCert) {
            // PKIX: Section 6.1.4: Steps (a)-(b)
            rootNode = processPolicyMappings(currCert, certIndex, policyMapping, rootNode, policiesCritical, anyQuals);
        }
    }
    if ((rootNode != null) && (!initPolicies.contains(ANY_POLICY)) && (currCertPolicies != null)) {
        rootNode = removeInvalidNodes(rootNode, certIndex, initPolicies, currCertPolicies);
        // PKIX: Section 6.1.5: Step (g)(iii)
        if ((rootNode != null) && finalCert) {
            // rewrite anyPolicy leaf nodes (see method comments)
            rootNode = rewriteLeafNodes(certIndex, initPolicies, rootNode);
        }
    }
    if (finalCert) {
        // PKIX: Section 6.1.5: Steps (a) and (b)
        explicitPolicy = mergeExplicitPolicy(explicitPolicy, currCert, finalCert);
    }
    if ((explicitPolicy == 0) && (rootNode == null)) {
        throw new CertPathValidatorException("non-null policy tree required and policy tree is null", null, null, -1, PKIXReason.INVALID_POLICY);
    }
    return rootNode;
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) PolicyInformation(sun.security.x509.PolicyInformation) PolicyQualifierInfo(java.security.cert.PolicyQualifierInfo) CertificatePoliciesExtension(sun.security.x509.CertificatePoliciesExtension) IOException(java.io.IOException)

Example 33 with PolicyInformation

use of com.github.zhenwei.core.asn1.x509.PolicyInformation in project jdk8u_jdk by JetBrains.

the class PolicyChecker method removeInvalidNodes.

/**
     * Removes those nodes which do not intersect with the initial policies
     * specified by the user.
     *
     * @param rootNode the root node of the valid policy tree
     * @param certIndex the index of the certificate being processed
     * @param initPolicies the Set of policies required by the user
     * @param currCertPolicies the CertificatePoliciesExtension of the
     * certificate being processed
     * @returns the root node of the valid policy tree after modification
     * @exception CertPathValidatorException Exception thrown if error occurs.
     */
private static PolicyNodeImpl removeInvalidNodes(PolicyNodeImpl rootNode, int certIndex, Set<String> initPolicies, CertificatePoliciesExtension currCertPolicies) throws CertPathValidatorException {
    List<PolicyInformation> policyInfo = null;
    try {
        policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
    } catch (IOException ioe) {
        throw new CertPathValidatorException("Exception while " + "retrieving policyOIDs", ioe);
    }
    boolean childDeleted = false;
    for (PolicyInformation curPolInfo : policyInfo) {
        String curPolicy = curPolInfo.getPolicyIdentifier().getIdentifier().toString();
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "processing policy second time: " + curPolicy);
        Set<PolicyNodeImpl> validNodes = rootNode.getPolicyNodesValid(certIndex, curPolicy);
        for (PolicyNodeImpl curNode : validNodes) {
            PolicyNodeImpl parentNode = (PolicyNodeImpl) curNode.getParent();
            if (parentNode.getValidPolicy().equals(ANY_POLICY)) {
                if ((!initPolicies.contains(curPolicy)) && (!curPolicy.equals(ANY_POLICY))) {
                    if (debug != null)
                        debug.println("PolicyChecker.processPolicies() " + "before deleting: policy tree = " + rootNode);
                    parentNode.deleteChild(curNode);
                    childDeleted = true;
                    if (debug != null)
                        debug.println("PolicyChecker.processPolicies() " + "after deleting: policy tree = " + rootNode);
                }
            }
        }
    }
    if (childDeleted) {
        rootNode.prune(certIndex);
        if (!rootNode.getChildren().hasNext()) {
            rootNode = null;
        }
    }
    return rootNode;
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) PolicyInformation(sun.security.x509.PolicyInformation) IOException(java.io.IOException)

Example 34 with PolicyInformation

use of com.github.zhenwei.core.asn1.x509.PolicyInformation in project nhin-d by DirectProject.

the class CertificatePolicyCpsUriExtensionField method injectReferenceValue.

/**
	 * {@inheritDoc}
	 */
@Override
public void injectReferenceValue(X509Certificate value) throws PolicyProcessException {
    this.certificate = value;
    final DERObject exValue = getExtensionValue(value);
    if (exValue == null) {
        if (isRequired())
            throw new PolicyRequiredException("Extention " + getExtentionIdentifier().getDisplay() + " is marked as required by is not present.");
        else {
            final Collection<String> emptyList = Collections.emptyList();
            this.policyValue = PolicyValueFactory.getInstance(emptyList);
            return;
        }
    }
    final Collection<String> retVal = new ArrayList<String>();
    final ASN1Sequence seq = (ASN1Sequence) exValue;
    @SuppressWarnings("unchecked") final Enumeration<DEREncodable> pols = seq.getObjects();
    while (pols.hasMoreElements()) {
        final PolicyInformation pol = PolicyInformation.getInstance(pols.nextElement());
        if (pol.getPolicyQualifiers() != null) {
            @SuppressWarnings("unchecked") final Enumeration<DEREncodable> polInfos = pol.getPolicyQualifiers().getObjects();
            while (polInfos.hasMoreElements()) {
                final PolicyQualifierInfo polInfo = PolicyQualifierInfo.getInstance(polInfos.nextElement());
                if (polInfo.getPolicyQualifierId().equals(PolicyQualifierId.id_qt_cps)) {
                    retVal.add(polInfo.getQualifier().toString());
                }
            }
        }
    }
    ///CLOVER:OFF
    if (retVal.isEmpty() && isRequired())
        throw new PolicyRequiredException("Extention " + getExtentionIdentifier().getDisplay() + " is marked as required by is not present.");
    ///CLOVER:ON	
    this.policyValue = PolicyValueFactory.getInstance(retVal);
}
Also used : PolicyRequiredException(org.nhindirect.policy.PolicyRequiredException) DERObject(org.bouncycastle.asn1.DERObject) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) DEREncodable(org.bouncycastle.asn1.DEREncodable) ArrayList(java.util.ArrayList) PolicyQualifierInfo(org.bouncycastle.asn1.x509.PolicyQualifierInfo)

Example 35 with PolicyInformation

use of com.github.zhenwei.core.asn1.x509.PolicyInformation in project nhin-d by DirectProject.

the class CertificatePolicyIndentifierExtensionField method injectReferenceValue.

/**
	 * {@inheritDoc}
	 */
@Override
public void injectReferenceValue(X509Certificate value) throws PolicyProcessException {
    this.certificate = value;
    final DERObject exValue = getExtensionValue(value);
    if (exValue == null) {
        if (isRequired())
            throw new PolicyRequiredException("Extention " + getExtentionIdentifier().getDisplay() + " is marked as required by is not present.");
        else {
            final Collection<String> emptyList = Collections.emptyList();
            this.policyValue = PolicyValueFactory.getInstance(emptyList);
            return;
        }
    }
    final Collection<String> retVal = new ArrayList<String>();
    final ASN1Sequence seq = (ASN1Sequence) exValue;
    @SuppressWarnings("unchecked") final Enumeration<DEREncodable> pols = seq.getObjects();
    while (pols.hasMoreElements()) {
        final PolicyInformation pol = PolicyInformation.getInstance(pols.nextElement());
        retVal.add(pol.getPolicyIdentifier().getId());
    }
    this.policyValue = PolicyValueFactory.getInstance(retVal);
}
Also used : PolicyRequiredException(org.nhindirect.policy.PolicyRequiredException) DERObject(org.bouncycastle.asn1.DERObject) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) DEREncodable(org.bouncycastle.asn1.DEREncodable) ArrayList(java.util.ArrayList)

Aggregations

IOException (java.io.IOException)24 PolicyInformation (org.bouncycastle.asn1.x509.PolicyInformation)23 ArrayList (java.util.ArrayList)19 CertPathValidatorException (java.security.cert.CertPathValidatorException)17 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)14 HashSet (java.util.HashSet)12 Enumeration (java.util.Enumeration)11 Iterator (java.util.Iterator)11 Set (java.util.Set)11 X509Certificate (java.security.cert.X509Certificate)9 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)9 List (java.util.List)8 GeneralSecurityException (java.security.GeneralSecurityException)7 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)7 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)7 PolicyInformation (sun.security.x509.PolicyInformation)7 ExtCertPathValidatorException (org.bouncycastle.jce.exception.ExtCertPathValidatorException)6 ASN1Sequence (com.github.zhenwei.core.asn1.ASN1Sequence)5 PolicyInformation (com.github.zhenwei.core.asn1.x509.PolicyInformation)5 ASN1EncodableVector (com.github.zhenwei.core.asn1.ASN1EncodableVector)4