Example 1 with X509AttributeCertStoreSelector

Use of com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector in project LinLong-Java by zhenwei1108.

From class RFC3281CertPathUtilities, method processAttrCert7:

protected static void processAttrCert7(X509AttributeCertificate attrCert, CertPath certPath, CertPath holderCertPath, PKIXExtendedParameters pkixParams, Set attrCertCheckers) throws CertPathValidatorException {
    // TODO:
    // AA Controls
    // Attribute encryption
    // Proxy
    Set set = attrCert.getCriticalExtensionOIDs();
    // target information checked in step 6 / X509AttributeCertStoreSelector
    if (set.contains(TARGET_INFORMATION)) {
        try {
            TargetInformation.getInstance(CertPathValidatorUtilities.getExtensionValue(attrCert, TARGET_INFORMATION));
        } catch (AnnotatedException e) {
            throw new ExtCertPathValidatorException("Target information extension could not be read.", e);
        } catch (IllegalArgumentException e) {
            throw new ExtCertPathValidatorException("Target information extension could not be read.", e);
        }
    }
    // the target information extension was already evaluated in step 6 by
    // X509AttributeCertStoreSelector, so it counts as handled here
    set.remove(TARGET_INFORMATION);
    // each registered checker removes the critical extensions it understands from the set
    for (Iterator it = attrCertCheckers.iterator(); it.hasNext(); ) {
        ((PKIXAttrCertChecker) it.next()).check(attrCert, certPath, holderCertPath, set);
    }
    // any critical extension nobody handled must cause rejection (RFC 3281, section 5)
    if (!set.isEmpty()) {
        throw new CertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + set);
    }
}

Example 2 with X509AttributeCertStoreSelector

From class LDAPStoreHelper, method getAttributeDescriptorCertificates:

/**
 * Returns an attribute certificate for an authority
 * <p>
 * The attributeDescriptorCertificate is self signed by a source of authority and holds a
 * description of the privilege and its delegation rules.
 * </p>
 *
 * @param selector The selector to find the attribute certificates.
 * @return A possibly empty collection of attribute certificates.
 * @throws StoreException
 */
public Collection getAttributeDescriptorCertificates(X509AttributeCertStoreSelector selector) throws StoreException {
    String[] attrs = splitString(params.getAttributeDescriptorCertificateAttribute());
    String[] attrNames = splitString(params.getLdapAttributeDescriptorCertificateAttributeName());
    String[] subjectAttributeNames = splitString(params.getAttributeDescriptorCertificateSubjectAttributeName());
    List list = attrCertSubjectSerialSearch(selector, attrs, attrNames, subjectAttributeNames);
    Set resultSet = createAttributeCertificates(list, selector);
    if (resultSet.size() == 0) {
        // nothing matched the narrow LDAP query: fall back to an unconstrained search and
        // let createAttributeCertificates apply the original selector to every entry returned
        X509AttributeCertStoreSelector emptySelector = new X509AttributeCertStoreSelector();
        list = attrCertSubjectSerialSearch(emptySelector, attrs, attrNames, subjectAttributeNames);
        resultSet.addAll(createAttributeCertificates(list, selector));
    }
    return resultSet;
}

Example 3 with X509AttributeCertStoreSelector

From class LDAPStoreHelper, method createAttributeCertificates:

private Set createAttributeCertificates(List list, X509AttributeCertStoreSelector xselector) throws StoreException {
    Set certSet = new HashSet();
    Iterator it = list.iterator();
    X509AttrCertParser parser = new X509AttrCertParser();
    while (it.hasNext()) {
        try {
            parser.engineInit(new ByteArrayInputStream((byte[]) it.next()));
            X509AttributeCertificate cert = (X509AttributeCertificate) parser.engineRead();
            if (xselector.match((Object) cert)) {
                certSet.add(cert);
            }
        } catch (StreamParsingException e) {
            // an LDAP entry that does not parse as an attribute certificate is skipped;
            // only entries that both parse and match the selector reach the result set
        }
    }
    return certSet;
}

Example 4 with X509AttributeCertStoreSelector

From class PKIXAttrCertPathBuilderSpi, method engineBuild:

/**
 * Build and validate a CertPath using the given parameters.
 *
 * @param params PKIXBuilderParameters object containing all information to build the CertPath
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException {
    if (!(params instanceof PKIXBuilderParameters) && !(params instanceof ExtendedPKIXBuilderParameters) && !(params instanceof PKIXExtendedBuilderParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " + PKIXExtendedBuilderParameters.class.getName() + ".");
    }
    List targetStores = new ArrayList();
    PKIXExtendedBuilderParameters paramsPKIX;
    if (params instanceof PKIXBuilderParameters) {
        PKIXExtendedBuilderParameters.Builder paramsPKIXBldr = new PKIXExtendedBuilderParameters.Builder((PKIXBuilderParameters) params);
        if (params instanceof ExtendedPKIXParameters) {
            ExtendedPKIXBuilderParameters extPKIX = (ExtendedPKIXBuilderParameters) params;
            paramsPKIXBldr.addExcludedCerts(extPKIX.getExcludedCerts());
            paramsPKIXBldr.setMaxPathLength(extPKIX.getMaxPathLength());
            targetStores = extPKIX.getStores();
        }
        paramsPKIX = paramsPKIXBldr.build();
    } else {
        paramsPKIX = (PKIXExtendedBuilderParameters) params;
    }
    Collection targets;
    Iterator targetIter;
    List certPathList = new ArrayList();
    X509AttributeCertificate cert;
    // search target certificates
    PKIXExtendedParameters baseParams = paramsPKIX.getBaseParameters();
    Selector certSelect = baseParams.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
        throw new CertPathBuilderException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
    }
    try {
        targets = findCertificates((X509AttributeCertStoreSelector) certSelect, targetStores);
    } catch (AnnotatedException e) {
        throw new ExtCertPathBuilderException("Error finding target attribute certificate.", e);
    }
    if (targets.isEmpty()) {
        throw new CertPathBuilderException("No attribute certificate found matching targetConstraints.");
    }
    CertPathBuilderResult result = null;
    // check all potential target certificates
    targetIter = targets.iterator();
    while (targetIter.hasNext() && result == null) {
        cert = (X509AttributeCertificate) targetIter.next();
        X509CertStoreSelector selector = new X509CertStoreSelector();
        Principal[] principals = cert.getIssuer().getPrincipals();
        LinkedHashSet issuers = new LinkedHashSet();
        for (int i = 0; i < principals.length; i++) {
            try {
                if (principals[i] instanceof X500Principal) {
                    selector.setSubject(((X500Principal) principals[i]).getEncoded());
                }
                PKIXCertStoreSelector certStoreSelector = new PKIXCertStoreSelector.Builder(selector).build();
                CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertStores());
                CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertificateStores());
            } catch (AnnotatedException e) {
                throw new ExtCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", e);
            } catch (IOException e) {
                throw new ExtCertPathBuilderException("cannot encode X500Principal.", e);
            }
        }
        if (issuers.isEmpty()) {
            throw new CertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
        }
        Iterator it = issuers.iterator();
        while (it.hasNext() && result == null) {
            result = build(cert, (X509Certificate) it.next(), paramsPKIX, certPathList);
        }
    }
    // certPathException is an instance field of this class that build() records when a
    // candidate chain fails validation; it is surfaced here only if no chain succeeded
    if (result == null && certPathException != null) {
        throw new ExtCertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
    }
    if (result == null && certPathException == null) {
        throw new CertPathBuilderException("Unable to find certificate chain.");
    }
    return result;
}

Example 5 with X509AttributeCertStoreSelector

From class PKIXAttrCertPathValidatorSpi, method engineValidate:

/**
 * Validates an attribute certificate with the given certificate path.
 *
 * <p>
 * <code>params</code> must be an instance of
 * <code>ExtendedPKIXParameters</code>.
 * <p>
 * The target constraints in the <code>params</code> must be an
 * <code>X509AttributeCertStoreSelector</code> with at least the attribute
 * certificate criterion set. Note that target information may also be necessary to correctly
 * validate this attribute certificate.
 * <p>
 * The attribute certificate issuer must be added to the trusted attribute issuers with {@link
 * com.github.zhenwei.provider.x509.ExtendedPKIXParameters#setTrustedACIssuers(Set)}.
 *
 * @param certPath The certificate path which belongs to the attribute certificate issuer public
 *                 key certificate.
 * @param params   The PKIX parameters.
 * @return A <code>PKIXCertPathValidatorResult</code> of the result of validating the
 * <code>certPath</code>.
 * @throws InvalidAlgorithmParameterException if <code>params</code> is inappropriate for this
 *                                            validator.
 * @throws CertPathValidatorException         if the verification fails.
 */
public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException {
    if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be a " + ExtendedPKIXParameters.class.getName() + " instance.");
    }
    Set attrCertCheckers = new HashSet();
    Set prohibitedACAttributes = new HashSet();
    Set necessaryACAttributes = new HashSet();
    Set trustedACIssuers = new HashSet();
    PKIXExtendedParameters paramsPKIX;
    if (params instanceof PKIXParameters) {
        PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters) params);
        if (params instanceof ExtendedPKIXParameters) {
            ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters) params;
            paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled());
            paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel());
            attrCertCheckers = extPKIX.getAttrCertCheckers();
            prohibitedACAttributes = extPKIX.getProhibitedACAttributes();
            necessaryACAttributes = extPKIX.getNecessaryACAttributes();
            // the javadoc above requires the AC issuer to be supplied via setTrustedACIssuers;
            // carry that set over so step 4 below does not run against an empty set
            trustedACIssuers = extPKIX.getTrustedACIssuers();
        }
        paramsPKIX = paramsPKIXBldr.build();
    } else {
        paramsPKIX = (PKIXExtendedParameters) params;
    }
    final Date currentDate = new Date();
    final Date validityDate = CertPathValidatorUtilities.getValidityDate(paramsPKIX, currentDate);
    Selector certSelect = paramsPKIX.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
        throw new InvalidAlgorithmParameterException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
    }
    X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect).getAttributeCert();
    // RFC 3281 section 5 processing, step by step:
    // 1: holder check, 2: validation of the AC issuer's public key certificate path
    CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX);
    CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX);
    X509Certificate issuerCert = (X509Certificate) certPath.getCertificates().get(0);
    // 3: issuer certificate checks, 4: issuer must be a trusted AC issuer, 5: validity period
    RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
    RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
    RFC3281CertPathUtilities.processAttrCert5(attrCert, validityDate);
    // 6 already done in X509AttributeCertStoreSelector
    // 7: critical extension handling, then attribute and revocation checks
    RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
    RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttributes, necessaryACAttributes);
    RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, currentDate, validityDate, issuerCert, certPath.getCertificates(), helper);
    return result;
}
