Search in sources :

Example 36 with SubjectKeyIdentifier

use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project runwar by cfmlprojects.

the class SelfSignedCertificate method createSubjectKeyIdentifier.

private static SubjectKeyIdentifier createSubjectKeyIdentifier(Key publicKey) throws IOException {
    try (ASN1InputStream is = new ASN1InputStream(new ByteArrayInputStream(publicKey.getEncoded()))) {
        ASN1Sequence seq = (ASN1Sequence) is.readObject();
        SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(seq);
        return new BcX509ExtensionUtils().createSubjectKeyIdentifier(info);
    }
}
Also used : ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ByteArrayInputStream(java.io.ByteArrayInputStream) BcX509ExtensionUtils(org.bouncycastle.cert.bc.BcX509ExtensionUtils) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)

Example 37 with SubjectKeyIdentifier

use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project xipki by xipki.

the class IdentifiedCertprofile method getExtensions.

/**
 * Get the extensions.
 *
 * @param requestedSubject
 *          Subject requested subject. Must not be {@code null}.
 * @param grantedSubject
 *          Granted subject. Must not be {@code null}.
 * @param requestedExtensions
 *          Extensions requested by the requestor. Could be {@code null}.
 * @param publicKeyInfo
 *          Subject public key. Must not be {@code null}.
 * @param publicCaInfo
 *          CA information. Must not be {@code null}.
 * @param crlSignerCert
 *          CRL signer certificate. Could be {@code null}.
 * @param notBefore
 *          NotBefore. Must not be {@code null}.
 * @param notAfter
 *          NotAfter. Must not be {@code null}.
 * @return the extensions of the certificate to be issued.
 */
public ExtensionValues getExtensions(X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions, SubjectPublicKeyInfo publicKeyInfo, PublicCaInfo publicCaInfo, X509Cert crlSignerCert, Date notBefore, Date notAfter) throws CertprofileException, BadCertTemplateException {
    notNull(publicKeyInfo, "publicKeyInfo");
    ExtensionValues values = new ExtensionValues();
    Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls());
    // CTLog extension will be processed by the CA
    controls.remove(Extn.id_SCTs);
    Map<ASN1ObjectIdentifier, Extension> requestedExtns = new HashMap<>();
    // remove the request extensions which are not permitted in the request
    if (requestedExtensions != null) {
        ASN1ObjectIdentifier[] oids = requestedExtensions.getExtensionOIDs();
        for (ASN1ObjectIdentifier m : oids) {
            ExtensionControl control = controls.get(m);
            if (control == null || control.isRequest()) {
                requestedExtns.put(m, requestedExtensions.getExtension(m));
            }
        }
    }
    // SubjectKeyIdentifier
    ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier;
    ExtensionControl extControl = controls.remove(extType);
    if (extControl != null) {
        SubjectKeyIdentifier value = certprofile.getSubjectKeyIdentifier(publicKeyInfo);
        addExtension(values, extType, value, extControl);
    }
    // Authority key identifier
    extType = Extension.authorityKeyIdentifier;
    extControl = controls.remove(extType);
    if (extControl != null) {
        AuthorityKeyIdentifier value = null;
        if (certprofile.useIssuerAndSerialInAki()) {
            GeneralNames x509CaIssuer = new GeneralNames(new GeneralName(publicCaInfo.getIssuer()));
            value = new AuthorityKeyIdentifier(x509CaIssuer, publicCaInfo.getSerialNumber());
        } else {
            byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer();
            if (ikiValue != null) {
                value = new AuthorityKeyIdentifier(ikiValue);
            }
        }
        addExtension(values, extType, value, extControl);
    }
    // IssuerAltName
    extType = Extension.issuerAlternativeName;
    extControl = controls.remove(extType);
    if (extControl != null) {
        GeneralNames value = publicCaInfo.getSubjectAltName();
        addExtension(values, extType, value, extControl);
    }
    // AuthorityInfoAccess
    extType = Extension.authorityInfoAccess;
    extControl = controls.remove(extType);
    CaUris caUris = publicCaInfo.getCaUris();
    if (extControl != null) {
        AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl();
        List<String> caIssuers = null;
        if (aiaControl != null && aiaControl.isIncludesCaIssuers()) {
            caIssuers = caUris.getCacertUris();
            assertAllUrisHasProtocol(caIssuers, aiaControl.getCaIssuersProtocols());
        }
        List<String> ocspUris = null;
        if (aiaControl != null && aiaControl.isIncludesOcsp()) {
            ocspUris = caUris.getOcspUris();
            assertAllUrisHasProtocol(ocspUris, aiaControl.getOcspProtocols());
        }
        AuthorityInformationAccess value = null;
        if (CollectionUtil.isNotEmpty(caIssuers) || CollectionUtil.isNotEmpty(ocspUris)) {
            value = CaUtil.createAuthorityInformationAccess(caIssuers, ocspUris);
        }
        addExtension(values, extType, value, extControl);
    }
    if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) {
        X500Name crlSignerSubject = (crlSignerCert == null) ? null : crlSignerCert.getSubject();
        X500Name x500CaPrincipal = publicCaInfo.getSubject();
        // CRLDistributionPoints
        extType = Extension.cRLDistributionPoints;
        extControl = controls.remove(extType);
        if (extControl != null) {
            CRLDistPoint value = null;
            List<String> uris = caUris.getCrlUris();
            if (CollectionUtil.isNotEmpty(uris)) {
                CrlDistributionPointsControl control = certprofile.getCrlDpControl();
                Set<String> protocols = control == null ? null : control.getProtocols();
                assertAllUrisHasProtocol(uris, protocols);
                value = CaUtil.createCrlDistributionPoints(uris, x500CaPrincipal, crlSignerSubject);
            }
            addExtension(values, extType, value, extControl);
        }
        // FreshestCRL
        extType = Extension.freshestCRL;
        extControl = controls.remove(extType);
        if (extControl != null) {
            CRLDistPoint value = null;
            List<String> uris = caUris.getDeltaCrlUris();
            if (CollectionUtil.isNotEmpty(uris)) {
                CrlDistributionPointsControl control = certprofile.getFreshestCrlControl();
                Set<String> protocols = control == null ? null : control.getProtocols();
                assertAllUrisHasProtocol(uris, protocols);
                value = CaUtil.createCrlDistributionPoints(caUris.getDeltaCrlUris(), x500CaPrincipal, crlSignerSubject);
            }
            addExtension(values, extType, value, extControl);
        }
    }
    // BasicConstraints
    extType = Extension.basicConstraints;
    extControl = controls.remove(extType);
    if (extControl != null) {
        BasicConstraints value = CaUtil.createBasicConstraints(certprofile.getCertLevel(), certprofile.getPathLenBasicConstraint());
        addExtension(values, extType, value, extControl);
    }
    // KeyUsage
    extType = Extension.keyUsage;
    extControl = controls.remove(extType);
    if (extControl != null) {
        Set<KeyUsage> usages = new HashSet<>();
        Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage();
        for (KeyUsageControl k : usageOccs) {
            if (k.isRequired()) {
                usages.add(k.getKeyUsage());
            }
        }
        // the optional KeyUsage will only be set if requested explicitly
        addRequestedKeyusage(usages, requestedExtns, usageOccs);
        org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages);
        addExtension(values, extType, value, extControl);
    }
    // ExtendedKeyUsage
    extType = Extension.extendedKeyUsage;
    extControl = controls.remove(extType);
    if (extControl != null) {
        List<ASN1ObjectIdentifier> usages = new LinkedList<>();
        Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages();
        for (ExtKeyUsageControl k : usageOccs) {
            if (k.isRequired()) {
                usages.add(k.getExtKeyUsage());
            }
        }
        // the optional ExtKeyUsage will only be set if requested explicitly
        addRequestedExtKeyusage(usages, requestedExtns, usageOccs);
        if (extControl.isCritical() && usages.contains(ObjectIdentifiers.XKU.id_kp_anyExtendedKeyUsage)) {
            extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest());
        }
        if (!extControl.isCritical() && usages.contains(ObjectIdentifiers.XKU.id_kp_timeStamping)) {
            extControl = new ExtensionControl(true, extControl.isRequired(), extControl.isRequest());
        }
        ExtendedKeyUsage value = X509Util.createExtendedUsage(usages);
        addExtension(values, extType, value, extControl);
    }
    // ocsp-nocheck
    extType = ObjectIdentifiers.Extn.id_extension_pkix_ocsp_nocheck;
    extControl = controls.remove(extType);
    if (extControl != null) {
        // the extension ocsp-nocheck will only be set if requested explicitly
        addExtension(values, extType, DERNull.INSTANCE, extControl);
    }
    // SubjectInfoAccess
    extType = Extension.subjectInfoAccess;
    extControl = controls.remove(extType);
    if (extControl != null) {
        ASN1Sequence value = createSubjectInfoAccess(requestedExtns, certprofile.getSubjectInfoAccessModes());
        addExtension(values, extType, value, extControl);
    }
    // CertificatePolicies
    extType = Extension.certificatePolicies;
    extControl = controls.remove(extType);
    if (extControl != null) {
        ASN1Encodable value = certprofile.getCertificatePolicies();
        addExtension(values, extType, value, extControl);
    }
    ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, grantedSubject, requestedExtns, notBefore, notAfter, publicCaInfo);
    Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet());
    for (ASN1ObjectIdentifier type : extTypes) {
        extControl = controls.get(type);
        ExtensionValue value = subvalues.getExtensionValue(type);
        if (value == null && extControl.isRequest()) {
            Extension reqExt = requestedExtns.get(type);
            if (reqExt != null) {
                value = new ExtensionValue(extControl.isCritical(), reqExt.getParsedValue());
            }
        }
        if (value != null) {
            addExtension(values, type, value, extControl);
            controls.remove(type);
        }
    }
    Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>();
    for (Entry<ASN1ObjectIdentifier, ExtensionControl> entry : controls.entrySet()) {
        if (entry.getValue().isRequired()) {
            unprocessedExtTypes.add(entry.getKey());
        }
    }
    if (CollectionUtil.isNotEmpty(unprocessedExtTypes)) {
        throw new CertprofileException("could not add required extensions " + CertprofileUtil.toString(unprocessedExtTypes));
    }
    // Check the SubjectAltNames
    if (certprofile.getCertDomain() == CertDomain.CABForumBR && getCertLevel() == CertLevel.EndEntity) {
        // Make sure that the commonName included in SubjectAltName
        String commonName = X509Util.getCommonName(grantedSubject);
        boolean commonNameInSan = commonName == null;
        // No private IP address is permitted
        GeneralName[] genNames = GeneralNames.getInstance(values.getExtensionValue(Extension.subjectAlternativeName).getValue()).getNames();
        for (GeneralName m : genNames) {
            if (GeneralName.dNSName == m.getTagNo()) {
                String domain = DERIA5String.getInstance(m.getName()).getString();
                if (!commonNameInSan && domain.equals(commonName)) {
                    commonNameInSan = true;
                }
                if (domain.indexOf('_') != -1) {
                    throw new BadCertTemplateException("invalid DNSName " + domain);
                }
                if (!ExtensionSpec.isValidPublicDomain(domain)) {
                    throw new BadCertTemplateException("invalid DNSName " + domain);
                }
            } else if (GeneralName.iPAddress == m.getTagNo()) {
                byte[] octets = DEROctetString.getInstance(m.getName()).getOctets();
                if (octets.length == 4) {
                    // IPv4 address
                    if (!commonNameInSan) {
                        String ipAddressText = (0xFF & octets[0]) + "." + (0xFF & octets[1]) + "." + (0xFF & octets[2]) + "." + (0xFF & octets[3]);
                        if (ipAddressText.equals(commonName)) {
                            commonNameInSan = true;
                        }
                    }
                // if (!ExtensionSpec.isValidPublicIPv4Address(octets)) {
                // throw new BadCertTemplateException(
                // "invalid IPv4Address " + ipAddressText);
                // }
                } else if (octets.length == 8) {
                    // IPv6 address
                    if (!commonNameInSan) {
                        // get the number of ":"
                        List<Integer> positions = new ArrayList<>(7);
                        int n = commonName.length();
                        for (int i = 0; i < n; i++) {
                            if (commonName.charAt(i) == ':') {
                                positions.add(i);
                            }
                        }
                        if (positions.size() == 7) {
                            String[] blocks = new String[8];
                            blocks[0] = commonName.substring(0, positions.get(0));
                            for (int i = 0; i < 6; i++) {
                                blocks[i + 1] = commonName.substring(positions.get(i) + 1, positions.get(i + 1));
                            }
                            blocks[7] = commonName.substring(positions.get(6) + 1);
                            byte[] commonNameBytes = new byte[16];
                            for (int i = 0; i < 8; i++) {
                                String block = blocks[i];
                                int blen = block.length();
                                if (blen == 1 | blen == 2) {
                                    commonNameBytes[i * 2 + 1] = (byte) Integer.parseInt(block, 16);
                                } else if (blen == 3 | blen == 4) {
                                    commonNameBytes[i * 2] = (byte) Integer.parseInt(block.substring(0, blen - 2), 16);
                                    commonNameBytes[i * 2 + 1] = (byte) Integer.parseInt(block.substring(blen - 2), 16);
                                } else if (blen != 0) {
                                    throw new BadCertTemplateException("invalid IP address in commonName " + commonName);
                                }
                            }
                            if (Arrays.equals(commonNameBytes, octets)) {
                                commonNameInSan = true;
                            }
                        }
                    }
                } else {
                    throw new BadCertTemplateException("invalid IP address " + Hex.toHexString(octets));
                }
            }
        }
        if (!commonNameInSan) {
            throw new BadCertTemplateException("content of subject:commonName is not included in extension:SubjectAlternativeNames");
        }
    }
    return values;
}
Also used : KeyUsage(org.xipki.security.KeyUsage) X500Name(org.bouncycastle.asn1.x500.X500Name) org.bouncycastle.asn1.x509(org.bouncycastle.asn1.x509) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) BigInteger(java.math.BigInteger) CaUris(org.xipki.ca.api.CaUris)

Example 38 with SubjectKeyIdentifier

use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project keystore-explorer by kaikramer.

the class X509ExtensionSetUpdater method updateSKI.

private static void updateSKI(X509ExtensionSet extensionSet, String extensionOid, PublicKey subjectPublicKey) throws CryptoException, IOException {
    // extracting old SKI data not necessary because there is only one possible component in SKI extension
    KeyIdentifierGenerator skiGenerator = new KeyIdentifierGenerator(subjectPublicKey);
    SubjectKeyIdentifier ski = new SubjectKeyIdentifier(skiGenerator.generate160BitHashId());
    byte[] skiEncoded = X509Ext.wrapInOctetString(ski.getEncoded(ASN1Encoding.DER));
    // update
    extensionSet.addExtension(extensionOid, extensionSet.isCritical(extensionOid), skiEncoded);
}
Also used : KeyIdentifierGenerator(org.kse.crypto.publickey.KeyIdentifierGenerator) SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)

Example 39 with SubjectKeyIdentifier

use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project keystore-explorer by kaikramer.

the class DSelectStandardExtensionTemplate method addSubjectKeyIdentifier.

private void addSubjectKeyIdentifier(X509ExtensionSet extensionSet) throws CryptoException, IOException {
    KeyIdentifierGenerator skiGenerator = new KeyIdentifierGenerator(subjectPublicKey);
    SubjectKeyIdentifier ski = new SubjectKeyIdentifier(skiGenerator.generate160BitHashId());
    byte[] skiEncoded = X509Ext.wrapInOctetString(ski.getEncoded());
    extensionSet.addExtension(X509ExtensionType.SUBJECT_KEY_IDENTIFIER.oid(), false, skiEncoded);
}
Also used : KeyIdentifierGenerator(org.kse.crypto.publickey.KeyIdentifierGenerator) SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)

Example 40 with SubjectKeyIdentifier

use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project keystore-explorer by kaikramer.

the class DSubjectKeyIdentifier method okPressed.

private void okPressed() {
    byte[] keyIdentifier = jkiKeyIdentifier.getKeyIdentifier();
    if (keyIdentifier == null) {
        JOptionPane.showMessageDialog(this, res.getString("DSubjectKeyIdentifier.ValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE);
        return;
    }
    SubjectKeyIdentifier subjectKeyIdentifier = new SubjectKeyIdentifier(keyIdentifier);
    try {
        value = subjectKeyIdentifier.getEncoded(ASN1Encoding.DER);
    } catch (IOException e) {
        DError.displayError(this, e);
        return;
    }
    closeDialog();
}
Also used : SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier) IOException(java.io.IOException)

Aggregations

SubjectKeyIdentifier (org.bouncycastle.asn1.x509.SubjectKeyIdentifier)34 AuthorityKeyIdentifier (org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)17 X509Certificate (java.security.cert.X509Certificate)14 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)14 IOException (java.io.IOException)12 X500Name (org.bouncycastle.asn1.x500.X500Name)10 GeneralName (org.bouncycastle.asn1.x509.GeneralName)10 ContentSigner (org.bouncycastle.operator.ContentSigner)10 BigInteger (java.math.BigInteger)9 Date (java.util.Date)9 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)9 JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)9 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)8 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)8 JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)8 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)8 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)7 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)7 ByteArrayInputStream (java.io.ByteArrayInputStream)6 CertificateException (java.security.cert.CertificateException)6