use of com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector in project LinLong-Java by zhenwei1108.
the class RFC3281CertPathUtilities method processAttrCert7.
protected static void processAttrCert7(X509AttributeCertificate attrCert, CertPath certPath, CertPath holderCertPath, PKIXExtendedParameters pkixParams, Set attrCertCheckers) throws CertPathValidatorException {
// TODO:
// AA Controls
// Attribute encryption
// Proxy
Set set = attrCert.getCriticalExtensionOIDs();
// target information checked in step 6 / X509AttributeCertStoreSelector
if (set.contains(TARGET_INFORMATION)) {
try {
TargetInformation.getInstance(CertPathValidatorUtilities.getExtensionValue(attrCert, TARGET_INFORMATION));
} catch (AnnotatedException e) {
throw new ExtCertPathValidatorException("Target information extension could not be read.", e);
} catch (IllegalArgumentException e) {
throw new ExtCertPathValidatorException("Target information extension could not be read.", e);
}
}
set.remove(TARGET_INFORMATION);
for (Iterator it = attrCertCheckers.iterator(); it.hasNext(); ) {
((PKIXAttrCertChecker) it.next()).check(attrCert, certPath, holderCertPath, set);
}
if (!set.isEmpty()) {
throw new CertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + set);
}
}
use of com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector in project LinLong-Java by zhenwei1108.
the class LDAPStoreHelper method getAttributeDescriptorCertificates.
/**
* Returns an attribute certificate for an authority
* <p>
* The attributeDescriptorCertificate is self signed by a source of authority and holds a
* description of the privilege and its delegation rules.
* </p>
*
* @param selector The selector to find the attribute certificates.
* @return A possible empty collection with attribute certificates.
* @throws StoreException
*/
public Collection getAttributeDescriptorCertificates(X509AttributeCertStoreSelector selector) throws StoreException {
String[] attrs = splitString(params.getAttributeDescriptorCertificateAttribute());
String[] attrNames = splitString(params.getLdapAttributeDescriptorCertificateAttributeName());
String[] subjectAttributeNames = splitString(params.getAttributeDescriptorCertificateSubjectAttributeName());
List list = attrCertSubjectSerialSearch(selector, attrs, attrNames, subjectAttributeNames);
Set resultSet = createAttributeCertificates(list, selector);
if (resultSet.size() == 0) {
X509AttributeCertStoreSelector emptySelector = new X509AttributeCertStoreSelector();
list = attrCertSubjectSerialSearch(emptySelector, attrs, attrNames, subjectAttributeNames);
resultSet.addAll(createAttributeCertificates(list, selector));
}
return resultSet;
}
use of com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector in project LinLong-Java by zhenwei1108.
the class LDAPStoreHelper method createAttributeCertificates.
private Set createAttributeCertificates(List list, X509AttributeCertStoreSelector xselector) throws StoreException {
Set certSet = new HashSet();
Iterator it = list.iterator();
X509AttrCertParser parser = new X509AttrCertParser();
while (it.hasNext()) {
try {
parser.engineInit(new ByteArrayInputStream((byte[]) it.next()));
X509AttributeCertificate cert = (X509AttributeCertificate) parser.engineRead();
if (xselector.match((Object) cert)) {
certSet.add(cert);
}
} catch (StreamParsingException e) {
}
}
return certSet;
}
use of com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector in project LinLong-Java by zhenwei1108.
the class PKIXAttrCertPathBuilderSpi method engineBuild.
/**
* Build and validate a CertPath using the given parameter.
*
* @param params PKIXBuilderParameters object containing all information to build the CertPath
*/
public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException {
if (!(params instanceof PKIXBuilderParameters) && !(params instanceof ExtendedPKIXBuilderParameters) && !(params instanceof PKIXExtendedBuilderParameters)) {
throw new InvalidAlgorithmParameterException("Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " + PKIXExtendedBuilderParameters.class.getName() + ".");
}
List targetStores = new ArrayList();
PKIXExtendedBuilderParameters paramsPKIX;
if (params instanceof PKIXBuilderParameters) {
PKIXExtendedBuilderParameters.Builder paramsPKIXBldr = new PKIXExtendedBuilderParameters.Builder((PKIXBuilderParameters) params);
if (params instanceof ExtendedPKIXParameters) {
ExtendedPKIXBuilderParameters extPKIX = (ExtendedPKIXBuilderParameters) params;
paramsPKIXBldr.addExcludedCerts(extPKIX.getExcludedCerts());
paramsPKIXBldr.setMaxPathLength(extPKIX.getMaxPathLength());
targetStores = extPKIX.getStores();
}
paramsPKIX = paramsPKIXBldr.build();
} else {
paramsPKIX = (PKIXExtendedBuilderParameters) params;
}
Collection targets;
Iterator targetIter;
List certPathList = new ArrayList();
X509AttributeCertificate cert;
// search target certificates
PKIXExtendedParameters baseParams = paramsPKIX.getBaseParameters();
Selector certSelect = baseParams.getTargetConstraints();
if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
throw new CertPathBuilderException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
}
try {
targets = findCertificates((X509AttributeCertStoreSelector) certSelect, targetStores);
} catch (AnnotatedException e) {
throw new ExtCertPathBuilderException("Error finding target attribute certificate.", e);
}
if (targets.isEmpty()) {
throw new CertPathBuilderException("No attribute certificate found matching targetConstraints.");
}
CertPathBuilderResult result = null;
// check all potential target certificates
targetIter = targets.iterator();
while (targetIter.hasNext() && result == null) {
cert = (X509AttributeCertificate) targetIter.next();
X509CertStoreSelector selector = new X509CertStoreSelector();
Principal[] principals = cert.getIssuer().getPrincipals();
LinkedHashSet issuers = new LinkedHashSet();
for (int i = 0; i < principals.length; i++) {
try {
if (principals[i] instanceof X500Principal) {
selector.setSubject(((X500Principal) principals[i]).getEncoded());
}
PKIXCertStoreSelector certStoreSelector = new PKIXCertStoreSelector.Builder(selector).build();
CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertStores());
CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertificateStores());
} catch (AnnotatedException e) {
throw new ExtCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", e);
} catch (IOException e) {
throw new ExtCertPathBuilderException("cannot encode X500Principal.", e);
}
}
if (issuers.isEmpty()) {
throw new CertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
}
Iterator it = issuers.iterator();
while (it.hasNext() && result == null) {
result = build(cert, (X509Certificate) it.next(), paramsPKIX, certPathList);
}
}
if (result == null && certPathException != null) {
throw new ExtCertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
}
if (result == null && certPathException == null) {
throw new CertPathBuilderException("Unable to find certificate chain.");
}
return result;
}
use of com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector in project LinLong-Java by zhenwei1108.
the class PKIXAttrCertPathValidatorSpi method engineValidate.
/**
* Validates an attribute certificate with the given certificate path.
*
* <p>
* <code>params</code> must be an instance of
* <code>ExtendedPKIXParameters</code>.
* <p>
* The target constraints in the <code>params</code> must be an
* <code>X509AttributeCertStoreSelector</code> with at least the attribute
* certificate criterion set. Obey that also target informations may be necessary to correctly
* validate this attribute certificate.
* <p>
* The attribute certificate issuer must be added to the trusted attribute issuers with {@link
* com.github.zhenwei.provider.x509.ExtendedPKIXParameters#setTrustedACIssuers(Set)}.
*
* @param certPath The certificate path which belongs to the attribute certificate issuer public
* key certificate.
* @param params The PKIX parameters.
* @return A <code>PKIXCertPathValidatorResult</code> of the result of validating the
* <code>certPath</code>.
* @throws InvalidAlgorithmParameterException if <code>params</code> is inappropriate for this
* validator.
* @throws CertPathValidatorException if the verification fails.
*/
public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException {
if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters)) {
throw new InvalidAlgorithmParameterException("Parameters must be a " + ExtendedPKIXParameters.class.getName() + " instance.");
}
Set attrCertCheckers = new HashSet();
Set prohibitedACAttrbiutes = new HashSet();
Set necessaryACAttributes = new HashSet();
Set trustedACIssuers = new HashSet();
PKIXExtendedParameters paramsPKIX;
if (params instanceof PKIXParameters) {
PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters) params);
if (params instanceof ExtendedPKIXParameters) {
ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters) params;
paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled());
paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel());
attrCertCheckers = extPKIX.getAttrCertCheckers();
prohibitedACAttrbiutes = extPKIX.getProhibitedACAttributes();
necessaryACAttributes = extPKIX.getNecessaryACAttributes();
}
paramsPKIX = paramsPKIXBldr.build();
} else {
paramsPKIX = (PKIXExtendedParameters) params;
}
final Date currentDate = new Date();
final Date validityDate = CertPathValidatorUtilities.getValidityDate(paramsPKIX, currentDate);
Selector certSelect = paramsPKIX.getTargetConstraints();
if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
throw new InvalidAlgorithmParameterException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
}
X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect).getAttributeCert();
CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX);
CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX);
X509Certificate issuerCert = (X509Certificate) certPath.getCertificates().get(0);
RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
RFC3281CertPathUtilities.processAttrCert5(attrCert, validityDate);
// 6 already done in X509AttributeCertStoreSelector
RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttrbiutes, necessaryACAttributes);
RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, currentDate, validityDate, issuerCert, certPath.getCertificates(), helper);
return result;
}
Aggregations