
Example 6 with X509AttributeCertificate

use of com.github.zhenwei.provider.x509.X509AttributeCertificate in project LinLong-Java by zhenwei1108.

From class X509AttrCertParser, method readDERCertificate. The parser accepts either a bare AttributeCertificate sequence or a PKCS#7 ContentInfo of type signedData; in the second case it only unwraps the container's certificates set and checks nothing about the SignedData itself, so each attribute certificate still has to be verified against its issuer's key by the caller.

private X509AttributeCertificate readDERCertificate(InputStream in) throws IOException {
    ASN1InputStream dIn = new ASN1InputStream(in);
    ASN1Sequence seq = ASN1Sequence.getInstance(dIn.readObject());
    // A PKCS#7 ContentInfo starts with the content-type OID. For signedData, unwrap the
    // [0] EXPLICIT SignedData and keep its 'certificates' set in the sData field; getCertificate()
    // then pulls the attribute certificates out of that set one by one. The SignedData
    // signature is not verified here: the wrapper is treated purely as a container.
    if (seq.size() > 1 && seq.getObjectAt(0) instanceof ASN1ObjectIdentifier) {
        if (seq.getObjectAt(0).equals(PKCSObjectIdentifiers.signedData)) {
            sData = new SignedData(ASN1Sequence.getInstance((ASN1TaggedObject) seq.getObjectAt(1), true))
                .getCertificates();
            return getCertificate();
        }
    }
    // Otherwise the sequence is a bare AttributeCertificate: re-encode it and wrap it.
    return new X509V2AttributeCertificate(seq.getEncoded());
}
Also used : ASN1InputStream(com.github.zhenwei.core.asn1.ASN1InputStream) ASN1Sequence(com.github.zhenwei.core.asn1.ASN1Sequence) SignedData(com.github.zhenwei.core.asn1.pkcs.SignedData) ASN1TaggedObject(com.github.zhenwei.core.asn1.ASN1TaggedObject) X509V2AttributeCertificate(com.github.zhenwei.provider.x509.X509V2AttributeCertificate) ASN1ObjectIdentifier(com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)

Example 7 with X509AttributeCertificate

use of com.github.zhenwei.provider.x509.X509AttributeCertificate in project LinLong-Java by zhenwei1108.

From class LDAPStoreHelper, method createAttributeCertificates. Each raw LDAP entry is parsed and filtered through the caller's selector; entries that fail to parse are dropped without any log entry or error.

private Set createAttributeCertificates(List list, X509AttributeCertStoreSelector xselector) throws StoreException {
    Set certSet = new HashSet();
    Iterator it = list.iterator();
    X509AttrCertParser parser = new X509AttrCertParser();
    // Each list element is the raw encoding of one attribute certificate fetched from LDAP.
    while (it.hasNext()) {
        try {
            parser.engineInit(new ByteArrayInputStream((byte[]) it.next()));
            X509AttributeCertificate cert = (X509AttributeCertificate) parser.engineRead();
            // Only certificates matching the caller's selector are returned.
            if (xselector.match((Object) cert)) {
                certSet.add(cert);
            }
        } catch (StreamParsingException e) {
            // Malformed entries are dropped silently: no log entry and no count, so a
            // directory serving corrupt data looks exactly like one with no matching entries.
        }
    }
    return certSet;
}
Also used : HashSet(java.util.HashSet) Set(java.util.Set) ByteArrayInputStream(java.io.ByteArrayInputStream) X509AttrCertParser(com.github.zhenwei.provider.jce.provider.X509AttrCertParser) Iterator(java.util.Iterator) X509AttributeCertificate(com.github.zhenwei.provider.x509.X509AttributeCertificate) HashSet(java.util.HashSet)
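The two read paths above, the bare certificate or SignedData container handled in Example 6 and the silently swallowed StreamParsingException of Example 7, as one added example written for this page rather than taken from LinLong-Java. It assumes the fork mirrors Bouncy Castle's X509AttrCertParser API (engineInit, then engineRead returning null at end of input) and that X509Attribute lives in com.github.zhenwei.provider.x509; the input files are whatever attribute certificates you have on hand.

```java
import com.github.zhenwei.provider.jce.provider.X509AttrCertParser;
import com.github.zhenwei.provider.x509.X509Attribute;
import com.github.zhenwei.provider.x509.X509AttributeCertificate;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not project code): parse every attribute certificate in a file
 * (bare DER/PEM or a PKCS#7 SignedData container, the two shapes readDERCertificate
 * accepts) and print what each one asserts, counting parse failures instead of
 * dropping them the way createAttributeCertificates does.
 */
public class AttrCertInventory {

    /** Parse all attribute certificates in 'encoded'; failure messages are appended to 'failures'. */
    public static List<X509AttributeCertificate> parseAll(byte[] encoded, List<String> failures) {
        List<X509AttributeCertificate> certs = new ArrayList<>();
        X509AttrCertParser parser = new X509AttrCertParser();
        parser.engineInit(new ByteArrayInputStream(encoded));
        try {
            // engineRead() yields one certificate per call and null at end of input
            // (a SignedData container may hold several).
            Object obj;
            while ((obj = parser.engineRead()) != null) {
                certs.add((X509AttributeCertificate) obj);
            }
        } catch (Exception e) {
            // StreamParsingException in the project; caught broadly so this example does not
            // depend on the fork's package layout. Parser state after a failure is undefined,
            // so stop rather than keep reading from the same stream.
            failures.add(e.getClass().getSimpleName() + ": " + e.getMessage());
        }
        return certs;
    }

    /** Human-readable summary: who issued it, who holds it, when it is valid, what it asserts. */
    public static String describe(X509AttributeCertificate ac) {
        StringBuilder sb = new StringBuilder();
        sb.append("version=").append(ac.getVersion())
          .append(" serial=").append(ac.getSerialNumber().toString(16)).append('\n');
        sb.append("issuer=").append(Arrays.toString(ac.getIssuer().getPrincipals())).append('\n');
        // The holder is identified by a base certificate ID (issuer + serial) and/or an entity name.
        Principal[] holderIssuer = ac.getHolder().getIssuer();
        if (holderIssuer != null) {
            sb.append("holder.baseCertificateID=").append(Arrays.toString(holderIssuer))
              .append(" serial=").append(ac.getHolder().getSerialNumber()).append('\n');
        }
        Principal[] entity = ac.getHolder().getEntityNames();
        if (entity != null) {
            sb.append("holder.entityName=").append(Arrays.toString(entity)).append('\n');
        }
        sb.append("validity=").append(ac.getNotBefore()).append(" .. ").append(ac.getNotAfter()).append('\n');
        for (X509Attribute attr : ac.getAttributes()) {
            sb.append("attribute ").append(attr.getOID())
              .append(" values=").append(attr.getValues().length).append('\n');
        }
        sb.append("criticalExtensions=").append(ac.getCriticalExtensionOIDs()).append('\n');
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        List<String> failures = new ArrayList<>();
        int total = 0;
        for (String path : args) {
            for (X509AttributeCertificate ac : parseAll(Files.readAllBytes(Paths.get(path)), failures)) {
                total++;
                System.out.println("== " + path);
                System.out.print(describe(ac));
            }
        }
        System.out.println(total + " attribute certificate(s), " + failures.size() + " parse failure(s)");
        failures.forEach(f -> System.out.println("  " + f));
        // Fail loudly: a corrupt or tampered input must not look like "no certificates".
        System.exit(failures.isEmpty() ? 0 : 1);
    }
}
```

Run it as `java AttrCertInventory ac1.der bundle.p7b ...`. The non-zero exit on any parse failure is the point of contrast with Example 7: the library's LDAP helper returns an empty set for corrupt data, which callers cannot distinguish from "nothing matched".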

Example 8 with X509AttributeCertificate

use of com.github.zhenwei.provider.x509.X509AttributeCertificate in project LinLong-Java by zhenwei1108.

From class PKIXAttrCertPathBuilderSpi, method engineBuild. The target constraints must be an X509AttributeCertStoreSelector; the builder looks up the AC issuer's public key certificate by subject name and then tries to build and validate a chain for each candidate.

/**
 * Build and validate a CertPath using the given parameter.
 *
 * @param params PKIXBuilderParameters object containing all information to build the CertPath
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException {
    if (!(params instanceof PKIXBuilderParameters) && !(params instanceof ExtendedPKIXBuilderParameters) && !(params instanceof PKIXExtendedBuilderParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " + PKIXExtendedBuilderParameters.class.getName() + ".");
    }
    List targetStores = new ArrayList();
    PKIXExtendedBuilderParameters paramsPKIX;
    if (params instanceof PKIXBuilderParameters) {
        PKIXExtendedBuilderParameters.Builder paramsPKIXBldr = new PKIXExtendedBuilderParameters.Builder((PKIXBuilderParameters) params);
        // Note: the instanceof test is for ExtendedPKIXParameters while the cast is to the
        // ExtendedPKIXBuilderParameters subtype.
        if (params instanceof ExtendedPKIXParameters) {
            ExtendedPKIXBuilderParameters extPKIX = (ExtendedPKIXBuilderParameters) params;
            paramsPKIXBldr.addExcludedCerts(extPKIX.getExcludedCerts());
            paramsPKIXBldr.setMaxPathLength(extPKIX.getMaxPathLength());
            targetStores = extPKIX.getStores();
        }
        paramsPKIX = paramsPKIXBldr.build();
    } else {
        paramsPKIX = (PKIXExtendedBuilderParameters) params;
    }
    Collection targets;
    Iterator targetIter;
    List certPathList = new ArrayList();
    X509AttributeCertificate cert;
    // search target certificates
    PKIXExtendedParameters baseParams = paramsPKIX.getBaseParameters();
    Selector certSelect = baseParams.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
        throw new CertPathBuilderException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
    }
    try {
        targets = findCertificates((X509AttributeCertStoreSelector) certSelect, targetStores);
    } catch (AnnotatedException e) {
        throw new ExtCertPathBuilderException("Error finding target attribute certificate.", e);
    }
    if (targets.isEmpty()) {
        throw new CertPathBuilderException("No attribute certificate found matching targetConstraints.");
    }
    CertPathBuilderResult result = null;
    // check all potential target certificates
    targetIter = targets.iterator();
    while (targetIter.hasNext() && result == null) {
        cert = (X509AttributeCertificate) targetIter.next();
        // Candidate issuer public key certificates are looked up by subject name only, using the
        // AC's issuer principals; the same selector object is reused across all principals.
        X509CertStoreSelector selector = new X509CertStoreSelector();
        Principal[] principals = cert.getIssuer().getPrincipals();
        LinkedHashSet issuers = new LinkedHashSet();
        for (int i = 0; i < principals.length; i++) {
            try {
                if (principals[i] instanceof X500Principal) {
                    selector.setSubject(((X500Principal) principals[i]).getEncoded());
                }
                PKIXCertStoreSelector certStoreSelector = new PKIXCertStoreSelector.Builder(selector).build();
                CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertStores());
                CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertificateStores());
            } catch (AnnotatedException e) {
                throw new ExtCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", e);
            } catch (IOException e) {
                throw new ExtCertPathBuilderException("cannot encode X500Principal.", e);
            }
        }
        if (issuers.isEmpty()) {
            throw new CertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
        }
        // Every name-matched candidate is tried in turn until one yields a validated chain.
        Iterator it = issuers.iterator();
        while (it.hasNext() && result == null) {
            result = build(cert, (X509Certificate) it.next(), paramsPKIX, certPathList);
        }
    }
    // certPathException is a field of this class; the checks below rely on build() having
    // recorded the cause there when a candidate chain failed to validate.
    if (result == null && certPathException != null) {
        throw new ExtCertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
    }
    if (result == null && certPathException == null) {
        throw new CertPathBuilderException("Unable to find certificate chain.");
    }
    return result;
}
Also used : LinkedHashSet(java.util.LinkedHashSet) ExtendedPKIXBuilderParameters(com.github.zhenwei.provider.x509.ExtendedPKIXBuilderParameters) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) ArrayList(java.util.ArrayList) X509AttributeCertificate(com.github.zhenwei.provider.x509.X509AttributeCertificate) PKIXExtendedBuilderParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedBuilderParameters) CertPathBuilderException(java.security.cert.CertPathBuilderException) ExtCertPathBuilderException(com.github.zhenwei.provider.jce.exception.ExtCertPathBuilderException) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List) X509AttributeCertStoreSelector(com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector) Selector(com.github.zhenwei.core.util.Selector) PKIXCertStoreSelector(com.github.zhenwei.provider.jcajce.PKIXCertStoreSelector) X509CertStoreSelector(com.github.zhenwei.provider.x509.X509CertStoreSelector) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) ExtendedPKIXBuilderParameters(com.github.zhenwei.provider.x509.ExtendedPKIXBuilderParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) X509CertStoreSelector(com.github.zhenwei.provider.x509.X509CertStoreSelector) X509AttributeCertStoreSelector(com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) PKIXCertStoreSelector(com.github.zhenwei.provider.jcajce.PKIXCertStoreSelector) PKIXExtendedParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedParameters) ExtendedPKIXParameters(com.github.zhenwei.provider.x509.ExtendedPKIXParameters) ExtCertPathBuilderException(com.github.zhenwei.provider.jce.exception.ExtCertPathBuilderException) Collection(java.util.Collection) X500Principal(javax.security.auth.x500.X500Principal) Principal(java.security.Principal)

Example 9 with X509AttributeCertificate

use of com.github.zhenwei.provider.x509.X509AttributeCertificate in project LinLong-Java by zhenwei1108.

From class PKIXAttrCertPathValidatorSpi, method engineValidate. The attribute certificate under test travels inside the target constraints selector; the certPath argument is the chain of the AC issuer's public key certificate.

/**
 * Validates an attribute certificate with the given certificate path.
 *
 * <p>
 * <code>params</code> must be an instance of
 * <code>ExtendedPKIXParameters</code> (or <code>PKIXExtendedParameters</code>).
 * <p>
 * The target constraints in the <code>params</code> must be an
 * <code>X509AttributeCertStoreSelector</code> with at least the attribute
 * certificate criterion set. Note that additional target information may also
 * be needed to validate this attribute certificate correctly.
 * <p>
 * The attribute certificate issuer must be added to the trusted attribute issuers with {@link
 * com.github.zhenwei.provider.x509.ExtendedPKIXParameters#setTrustedACIssuers(Set)}.
 *
 * @param certPath The certificate path which belongs to the attribute certificate issuer's public
 *                 key certificate.
 * @param params   The PKIX parameters.
 * @return A <code>PKIXCertPathValidatorResult</code> of the result of validating the
 * <code>certPath</code>.
 * @throws InvalidAlgorithmParameterException if <code>params</code> is inappropriate for this
 *                                            validator.
 * @throws CertPathValidatorException         if the verification fails.
 */
public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException {
    if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be a " + ExtendedPKIXParameters.class.getName() + " instance.");
    }
    Set attrCertCheckers = new HashSet();
    Set prohibitedACAttrbiutes = new HashSet();
    Set necessaryACAttributes = new HashSet();
    // Caveat: nothing in this method populates trustedACIssuers from the parameters (the javadoc
    // says to use setTrustedACIssuers), so processAttrCert4 below always receives an empty set.
    Set trustedACIssuers = new HashSet();
    PKIXExtendedParameters paramsPKIX;
    if (params instanceof PKIXParameters) {
        PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters) params);
        if (params instanceof ExtendedPKIXParameters) {
            ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters) params;
            paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled());
            paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel());
            attrCertCheckers = extPKIX.getAttrCertCheckers();
            prohibitedACAttrbiutes = extPKIX.getProhibitedACAttributes();
            necessaryACAttributes = extPKIX.getNecessaryACAttributes();
        }
        paramsPKIX = paramsPKIXBldr.build();
    } else {
        paramsPKIX = (PKIXExtendedParameters) params;
    }
    final Date currentDate = new Date();
    final Date validityDate = CertPathValidatorUtilities.getValidityDate(paramsPKIX, currentDate);
    // The attribute certificate under test is carried in the target constraints selector.
    Selector certSelect = paramsPKIX.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
        throw new InvalidAlgorithmParameterException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
    }
    X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect).getAttributeCert();
    // Validation steps numbered as in RFC 3281 section 5.
    // 1: the holder's public key certificate path
    CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX);
    // 2: the AC issuer's certification path, passed in as certPath (index 0 is the AC issuer)
    CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX);
    X509Certificate issuerCert = (X509Certificate) certPath.getCertificates().get(0);
    // 3: issuer PKC profile, 4: issuer directly trusted as AC issuer, 5: AC validity period
    RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
    RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
    RFC3281CertPathUtilities.processAttrCert5(attrCert, validityDate);
    // 6 (targeting) already done in X509AttributeCertStoreSelector
    // 7: critical extensions and the caller-supplied attribute certificate checkers
    RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
    // Prohibited and required attribute OIDs, then revocation checking for the AC.
    RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttrbiutes, necessaryACAttributes);
    RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, currentDate, validityDate, issuerCert, certPath.getCertificates(), helper);
    return result;
}
Also used : InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) Set(java.util.Set) HashSet(java.util.HashSet) X509AttributeCertStoreSelector(com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector) X509AttributeCertificate(com.github.zhenwei.provider.x509.X509AttributeCertificate) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) PKIXExtendedParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedParameters) ExtendedPKIXParameters(com.github.zhenwei.provider.x509.ExtendedPKIXParameters) ExtendedPKIXParameters(com.github.zhenwei.provider.x509.ExtendedPKIXParameters) PKIXParameters(java.security.cert.PKIXParameters) CertPath(java.security.cert.CertPath) CertPathValidatorResult(java.security.cert.CertPathValidatorResult) HashSet(java.util.HashSet) X509AttributeCertStoreSelector(com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector) Selector(com.github.zhenwei.core.util.Selector)
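Setting the parameters up the way the javadoc above demands, as an added example that is not part of LinLong-Java; the same X509AttributeCertStoreSelector target constraint is what engineBuild in Example 8 insists on. Assumptions: the fork's ExtendedPKIXParameters, X509AttributeCertStoreSelector and attribute certificate classes mirror Bouncy Castle's org.bouncycastle.x509 API; the JCA provider class name is taken from the command line because the page does not show how the fork registers it; inputs are DER or PEM files.

```java
import com.github.zhenwei.provider.jce.provider.PKIXAttrCertPathValidatorSpi;
import com.github.zhenwei.provider.jce.provider.X509AttrCertParser;
import com.github.zhenwei.provider.x509.ExtendedPKIXParameters;
import com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector;
import com.github.zhenwei.provider.x509.X509AttributeCertificate;

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Provider;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

/**
 * Added example (not project code): validate one attribute certificate with the RFC 3281
 * validator shown above, building the parameters exactly as its javadoc requires.
 *
 * Usage: AttrCertValidation <provider-class> <attr-cert> <issuer-cert> <anchor-cert> [holder-cert]
 * The provider class is an assumption: the page does not show how the fork registers its
 * JCA provider, so its fully qualified class name is passed on the command line.
 */
public class AttrCertValidation {

    static X509Certificate readCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);   // DER or PEM
        }
    }

    static X509AttributeCertificate readAttrCert(String path) throws Exception {
        X509AttrCertParser parser = new X509AttrCertParser();
        try (InputStream in = new FileInputStream(path)) {
            parser.engineInit(in);
            Object obj = parser.engineRead();
            if (!(obj instanceof X509AttributeCertificate)) {
                throw new CertificateException("no attribute certificate in " + path);
            }
            return (X509AttributeCertificate) obj;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: AttrCertValidation <provider-class> <attr-cert> <issuer-cert> <anchor-cert> [holder-cert]");
            System.exit(2);
        }
        Provider provider = (Provider) Class.forName(args[0]).getDeclaredConstructor().newInstance();
        Security.addProvider(provider);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509AttributeCertificate attrCert = readAttrCert(args[1]);
        X509Certificate issuerCert = readCert(cf, args[2]);
        X509Certificate anchorCert = readCert(cf, args[3]);
        X509Certificate holderCert = args.length > 4 ? readCert(cf, args[4]) : null;

        // The AC's own signature, checked explicitly against the issuer key before anything else.
        attrCert.verify(issuerCert.getPublicKey(), provider.getName());

        // Holder binding: the AC's holder (baseCertificateID and/or entityName) must name this PKC.
        if (holderCert != null && !attrCert.getHolder().match(holderCert)) {
            throw new CertPathValidatorException("attribute certificate holder does not match the supplied holder certificate");
        }

        // Parameters as the javadoc requires: trust anchors for the issuer's PKC path, the AC as
        // target constraint, and the AC issuer registered as a directly trusted AC issuer.
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(anchorCert, null));
        ExtendedPKIXParameters params = new ExtendedPKIXParameters(anchors);
        X509AttributeCertStoreSelector target = new X509AttributeCertStoreSelector();
        target.setAttributeCert(attrCert);
        target.setAttributeCertificateValid(new Date());
        params.setTargetConstraints(target);
        params.setTrustedACIssuers(Collections.singleton(new TrustAnchor(issuerCert, null)));
        params.setRevocationEnabled(false);   // example only: add CRL stores and enable this in production

        // Certificates the validator may need to look up (for instance the holder PKC in step 1).
        List<Certificate> known = new ArrayList<>();
        known.add(issuerCert);
        if (holderCert != null) {
            known.add(holderCert);
        }
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(known)));

        // Path of the AC issuer's PKC up to (not including) the anchor; element 0 must be the issuer.
        CertPath issuerPath = cf.generateCertPath(Collections.singletonList(issuerCert));
        try {
            CertPathValidatorResult result = new PKIXAttrCertPathValidatorSpi().engineValidate(issuerPath, params);
            System.out.println("attribute certificate accepted: " + result);
        } catch (CertPathValidatorException e) {
            System.err.println("attribute certificate rejected: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Two things to confirm against your build before relying on this: the engineValidate excerpt above never copies the trusted AC issuers out of the parameters into the set it hands to processAttrCert4, so check what that step does with an empty set in your version; and if the AC names its holder by baseCertificateID, the holder's certificate must be reachable through the parameters' certificate stores, which is why it is added to the collection store here.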

Example 10 with X509AttributeCertificate

use of com.github.zhenwei.provider.x509.X509AttributeCertificate in project robovm by robovm.

From class CertPathValidatorUtilities, method getCompleteCRLs. The CRL issuer set is seeded with the certificate's own issuer and then refined from the distribution point; for an attribute certificate only the first issuer principal is used.

/**
 * Fetches complete CRLs according to RFC 3280.
 *
 * @param dp          The distribution point for which the complete CRL should be fetched.
 * @param cert        The <code>X509Certificate</code> or
 *                    {@link org.bouncycastle.x509.X509AttributeCertificate} for
 *                    which the CRL should be searched.
 * @param currentDate The date for which the CRLs must be valid.
 * @param paramsPKIX  The extended PKIX parameters.
 * @return A <code>Set</code> of <code>X509CRL</code>s with complete CRLs.
 * @throws AnnotatedException if an exception occurs while picking the CRLs
 *                            or no CRLs are found.
 */
protected static Set getCompleteCRLs(DistributionPoint dp, Object cert, Date currentDate, ExtendedPKIXParameters paramsPKIX) throws AnnotatedException {
    X509CRLStoreSelector crlselect = new X509CRLStoreSelector();
    try {
        // Seed the CRL issuer set with the certificate's own issuer; the distribution point
        // (its cRLIssuer field) may then add or replace CRL issuers.
        Set issuers = new HashSet();
        if (cert instanceof X509AttributeCertificate) {
            // Only the first issuer principal is used. An AC whose issuer carries no principals
            // would fail on this index with an exception that the catch below does not wrap.
            issuers.add(((X509AttributeCertificate) cert).getIssuer().getPrincipals()[0]);
        } else {
            issuers.add(getEncodedIssuerPrincipal(cert));
        }
        CertPathValidatorUtilities.getCRLIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Could not get issuer information from distribution point.", e);
    }
    // Tell the selector which certificate the CRL is being fetched for.
    if (cert instanceof X509Certificate) {
        crlselect.setCertificateChecking((X509Certificate) cert);
    } else if (cert instanceof X509AttributeCertificate) {
        crlselect.setAttrCertificateChecking((X509AttributeCertificate) cert);
    }
    // Complete CRLs only; delta CRLs are selected separately.
    crlselect.setCompleteCRLEnabled(true);
    Set crls = CRL_UTIL.findCRLs(crlselect, paramsPKIX, currentDate);
    // No CRL at all is an error, not "not revoked".
    if (crls.isEmpty()) {
        if (cert instanceof X509AttributeCertificate) {
            X509AttributeCertificate aCert = (X509AttributeCertificate) cert;
            throw new AnnotatedException("No CRLs found for issuer \"" + aCert.getIssuer().getPrincipals()[0] + "\"");
        } else {
            X509Certificate xCert = (X509Certificate) cert;
            throw new AnnotatedException("No CRLs found for issuer \"" + xCert.getIssuerX500Principal() + "\"");
        }
    }
    return crls;
}
Also used : X509CRLStoreSelector(org.bouncycastle.x509.X509CRLStoreSelector) Set(java.util.Set) HashSet(java.util.HashSet) X509AttributeCertificate(org.bouncycastle.x509.X509AttributeCertificate) X509Certificate(java.security.cert.X509Certificate) HashSet(java.util.HashSet)
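An added example, not robovm or Bouncy Castle code, that selects complete CRLs for an attribute certificate's issuer with the same X509CRLStoreSelector and then checks the AC's serial number against them. It uses the org.bouncycastle packages of Example 10, works without a distribution point, and takes the AC, the AC issuer's certificate (assumed here to be the CRL signer) and candidate CRL files from the command line.

```java
import org.bouncycastle.x509.X509AttributeCertificate;
import org.bouncycastle.x509.X509CRLStoreSelector;
import org.bouncycastle.x509.X509V2AttributeCertificate;

import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not project code): pick the complete CRLs that cover an attribute
 * certificate, as getCompleteCRLs above does but without a distribution point, then
 * look the AC's serial number up in them.
 */
public class AttrCertCrlCheck {

    /** Complete (non-delta) CRLs from any of the AC issuer's X.500 names, valid at 'when'. */
    public static List<X509CRL> selectCompleteCrls(X509AttributeCertificate ac, Collection<X509CRL> candidates, Date when) {
        List<X500Principal> issuers = new ArrayList<>();
        for (Principal p : ac.getIssuer().getPrincipals()) {   // all X.500 names, not just [0]
            if (p instanceof X500Principal) {
                issuers.add((X500Principal) p);
            }
        }
        // An empty issuer list would make X509CRLSelector accept CRLs from any issuer.
        if (issuers.isEmpty()) {
            throw new IllegalArgumentException("attribute certificate issuer has no X.500 name");
        }
        X509CRLStoreSelector sel = new X509CRLStoreSelector();
        sel.setIssuers(issuers);
        sel.setDateAndTime(when);            // thisUpdate <= when <= nextUpdate
        sel.setCompleteCRLEnabled(true);     // reject CRLs carrying a delta CRL indicator
        sel.setAttrCertificateChecking(ac);
        List<X509CRL> selected = new ArrayList<>();
        for (X509CRL crl : candidates) {
            if (sel.match(crl)) {
                selected.add(crl);
            }
        }
        return selected;
    }

    /** The CRL entry revoking the AC, or null if no selected, signature-valid CRL lists its serial. */
    public static X509CRLEntry findRevocation(X509AttributeCertificate ac, List<X509CRL> crls, PublicKey crlSignerKey) throws Exception {
        if (crls.isEmpty()) {
            // Mirror the library: absence of a CRL is an error, not "not revoked".
            throw new IllegalStateException("no complete CRL found for the attribute certificate issuer");
        }
        for (X509CRL crl : crls) {
            crl.verify(crlSignerKey);   // an unverified CRL could have had the entry stripped
            X509CRLEntry entry = crl.getRevokedCertificate(ac.getSerialNumber());
            if (entry != null) {
                return entry;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: AttrCertCrlCheck <attr-cert.der> <ac-issuer-cert> <crl>...");
            System.exit(2);
        }
        X509AttributeCertificate ac = new X509V2AttributeCertificate(Files.readAllBytes(Paths.get(args[0])));
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate issuer;
        try (InputStream in = new FileInputStream(args[1])) {
            issuer = (X509Certificate) cf.generateCertificate(in);
        }
        List<X509CRL> candidates = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                candidates.add((X509CRL) cf.generateCRL(in));
            }
        }
        List<X509CRL> crls = selectCompleteCrls(ac, candidates, new Date());
        X509CRLEntry entry = findRevocation(ac, crls, issuer.getPublicKey());
        System.out.println(entry == null
                ? "not revoked (" + crls.size() + " CRL(s) checked)"
                : "REVOKED at " + entry.getRevocationDate() + " reason " + entry.getRevocationReason());
        System.exit(entry == null ? 0 : 1);
    }
}
```

When the CRL is signed by a designated CRL issuer rather than the AC issuer, pass that issuer's key to findRevocation instead; the selector's issuer list should then be built from the distribution point's cRLIssuer names, which is what getCRLIssuersFromDistributionPoint does in the library.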
