use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.
the class ResponderEntryWrapper method initSigner.
/**
 * Lazily builds the responder signer from the wrapped {@code dbEntry}.
 * <p>
 * Does nothing when a signer already exists. Otherwise the entry is flagged as
 * configuration-faulty before the signer is created and the flag is cleared only
 * once a signer with a certificate has been obtained, so a failing or
 * certificate-less signer leaves the entry marked faulty. If the entry carries no
 * configured certificate, the signer's certificate is adopted and the cached
 * subject (as {@link X500Name} and as directoryName {@link GeneralName}) is derived
 * from it.
 *
 * @param securityFactory factory used to create the signer, must not be {@code null}
 * @throws ObjectCreationException if no {@code dbEntry} has been set, if the created
 *         signer has no certificate, or when propagated from
 *         {@code securityFactory.createSigner}
 */
public void initSigner(SecurityFactory securityFactory) throws ObjectCreationException {
    ParamUtil.requireNonNull("securityFactory", securityFactory);
    if (signer != null) {
        return; // already initialised
    }
    if (dbEntry == null) {
        throw new ObjectCreationException("dbEntry is null");
    }

    X509Certificate configuredCert = dbEntry.getCertificate();
    SignerConf signerConf = new SignerConf(dbEntry.getConf());

    // Pessimistic marking: stays set if createSigner() throws or yields no certificate.
    dbEntry.setConfFaulty(true);
    signer = securityFactory.createSigner(dbEntry.getType(), signerConf, configuredCert);
    if (signer.getCertificate() == null) {
        throw new ObjectCreationException("signer without certificate is not allowed");
    }
    dbEntry.setConfFaulty(false);

    // Nothing configured: take over the certificate the signer carries.
    if (dbEntry.getBase64Cert() == null) {
        dbEntry.setCertificate(signer.getCertificate());
        subjectAsX500Name = X500Name.getInstance(signer.getBcCertificate().getSubject());
        subjectAsGeneralName = new GeneralName(subjectAsX500Name);
    }
}
use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.
the class ResponderEntryWrapper method setDbEntry.
/**
 * Replaces the wrapped responder entry.
 * <p>
 * Any previously created signer is discarded so that the next {@code initSigner}
 * call rebuilds it from the new entry. When the entry already carries a
 * certificate, the cached subject (as {@link X500Name} and as directoryName
 * {@link GeneralName}) is refreshed from it.
 * NOTE(review): when the entry carries no certificate, the previously cached
 * subject names are left untouched until {@code initSigner} replaces them —
 * confirm no reader observes them in between.
 *
 * @param dbEntry the new responder entry, must not be {@code null}
 */
public void setDbEntry(ResponderEntry dbEntry) {
    this.dbEntry = ParamUtil.requireNonNull("dbEntry", dbEntry);
    // Force re-creation of the signer for the new entry.
    signer = null;

    X509Certificate configuredCert = dbEntry.getCertificate();
    if (configuredCert == null) {
        return;
    }
    byte[] encodedSubject = configuredCert.getSubjectX500Principal().getEncoded();
    subjectAsX500Name = X500Name.getInstance(encodedSubject);
    subjectAsGeneralName = new GeneralName(subjectAsX500Name);
}
use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.
the class ExtensionsChecker method checkExtensionIssuerKeyIdentifier.
// method checkExtensionSubjectKeyIdentifier
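/**
 * Checks the AuthorityKeyIdentifier extension of the issued certificate against the issuer.
 * <p>
 * The keyIdentifier must be present and equal the issuer's SubjectKeyIdentifier.
 * Whether authorityCertIssuer and authorityCertSerialNumber must be present or
 * absent is decided by {@code certProfile.isIncludeIssuerAndSerialInAki()}; when
 * they are expected, the serial must equal the issuer certificate's serial and the
 * issuer name must contain exactly one directoryName equal to the issuer's subject.
 * Every deviation is appended to {@code failureMsg}.
 *
 * @param failureMsg collects the human readable violations found
 * @param extensionValue the DER encoded AuthorityKeyIdentifier extension value
 * @param issuerInfo the issuing CA's certificate information
 */
private void checkExtensionIssuerKeyIdentifier(StringBuilder failureMsg, byte[] extensionValue, X509IssuerInfo issuerInfo) {
    AuthorityKeyIdentifier asn1 = AuthorityKeyIdentifier.getInstance(extensionValue);

    byte[] keyIdentifier = asn1.getKeyIdentifier();
    if (keyIdentifier == null) {
        failureMsg.append("keyIdentifier is 'absent' but expected 'present'; ");
    } else if (!Arrays.equals(issuerInfo.getSubjectKeyIdentifier(), keyIdentifier)) {
        addViolation(failureMsg, "keyIdentifier", hex(keyIdentifier), hex(issuerInfo.getSubjectKeyIdentifier()));
    }

    BigInteger serialNumber = asn1.getAuthorityCertSerialNumber();
    GeneralNames names = asn1.getAuthorityCertIssuer();

    if (!certProfile.isIncludeIssuerAndSerialInAki()) {
        // Both optional components must be absent. The messages describe the actual
        // state (present) versus the expectation (absent); the previous wording had
        // the two swapped.
        if (serialNumber != null) {
            failureMsg.append("authorityCertSerialNumber is 'present' but expected 'absent'; ");
        }
        if (names != null) {
            failureMsg.append("authorityCertIssuer is 'present' but expected 'absent'; ");
        }
        return;
    }

    if (serialNumber == null) {
        failureMsg.append("authorityCertSerialNumber is 'absent' but expected 'present'; ");
    } else {
        BigInteger issuerSerial = issuerInfo.getCert().getSerialNumber();
        if (!issuerSerial.equals(serialNumber)) {
            addViolation(failureMsg, "authorityCertSerialNumber", LogUtil.formatCsn(serialNumber), LogUtil.formatCsn(issuerSerial));
        }
    }

    if (names == null) {
        failureMsg.append("authorityCertIssuer is 'absent' but expected 'present'; ");
    } else {
        checkAkiAuthorityCertIssuer(failureMsg, names, issuerInfo);
    }
}

/**
 * Checks that {@code names} holds exactly one directoryName and that it equals the
 * issuer's subject; GeneralName choices other than directoryName are ignored.
 * Violations are appended to {@code failureMsg}.
 *
 * @param failureMsg collects the human readable violations found
 * @param names the authorityCertIssuer of the extension, not {@code null}
 * @param issuerInfo the issuing CA's certificate information
 */
private void checkAkiAuthorityCertIssuer(StringBuilder failureMsg, GeneralNames names, X509IssuerInfo issuerInfo) {
    X500Name directoryName = null;
    for (GeneralName genName : names.getNames()) {
        if (genName.getTagNo() != GeneralName.directoryName) {
            continue;
        }
        if (directoryName != null) {
            failureMsg.append("authorityCertIssuer contains at least two directoryName but expected one; ");
            break;
        }
        directoryName = (X500Name) genName.getName();
    }

    if (directoryName == null) {
        failureMsg.append("authorityCertIssuer does not contain directoryName but expected one; ");
        return;
    }
    // The first directoryName is still compared even if a duplicate was reported above.
    X500Name caSubject = issuerInfo.getBcCert().getTBSCertificate().getSubject();
    if (!caSubject.equals(directoryName)) {
        addViolation(failureMsg, "authorityCertIssuer", directoryName, caSubject);
    }
}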
use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.
the class ExtensionsChecker method checkExtensionSubjectInfoAccess.
/**
 * Checks the SubjectInfoAccess extension of the issued certificate.
 * <p>
 * The extension is only accepted when the profile configures SubjectInfoAccess
 * modes ({@code certProfile.getSubjectInfoAccessModes()}) and the request carried
 * the extension. The certificate's AccessDescriptions are then compared position by
 * position with the requested ones: same count, same accessMethod (which must be
 * permitted by the profile), and an accessLocation equal to the requested one after
 * it has been rebuilt via {@code createGeneralName} under the permitted GeneralName
 * modes. Violations are appended to {@code failureMsg}.
 *
 * @param failureMsg collects the human readable violations found
 * @param extensionValue the DER encoded extension value of the certificate
 *        (SEQUENCE OF AccessDescription)
 * @param requestedExtensions the extensions of the request, may be {@code null}
 * @param extControl the profile's extension control; not consulted by this check
 */
private void checkExtensionSubjectInfoAccess(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    Map<ASN1ObjectIdentifier, Set<GeneralNameMode>> allowedModes = certProfile.getSubjectInfoAccessModes();
    if (allowedModes == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }

    ASN1Encodable requestedValue = null;
    if (requestedExtensions != null) {
        requestedValue = requestedExtensions.getExtensionParsedValue(Extension.subjectInfoAccess);
    }
    if (requestedValue == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }

    ASN1Sequence requestedDescs = ASN1Sequence.getInstance(requestedValue);
    ASN1Sequence certDescs = ASN1Sequence.getInstance(extensionValue);
    int expectedCount = requestedDescs.size();
    if (certDescs.size() != expectedCount) {
        addViolation(failureMsg, "size of GeneralNames", certDescs.size(), expectedCount);
        return;
    }

    for (int idx = 0; idx < expectedCount; idx++) {
        AccessDescription requested = AccessDescription.getInstance(requestedDescs.getObjectAt(idx));
        ASN1ObjectIdentifier method = requested.getAccessMethod();
        Set<GeneralNameMode> modes = allowedModes.get(method);
        if (modes == null) {
            failureMsg.append("accessMethod in requestedExtension ").append(method.getId()).append(" is not allowed; ");
            continue;
        }

        AccessDescription actual = AccessDescription.getInstance(certDescs.getObjectAt(idx));
        ASN1ObjectIdentifier actualMethod = actual.getAccessMethod();
        boolean sameMethod;
        if (method == null) {
            sameMethod = (actualMethod == null);
        } else {
            sameMethod = method.equals(actualMethod);
        }
        if (!sameMethod) {
            String actualId = (actualMethod == null) ? "null" : actualMethod.getId();
            String expectedId = (method == null) ? "null" : method.getId();
            addViolation(failureMsg, "accessMethod", actualId, expectedId);
            continue;
        }

        // Rebuild the requested location under the permitted modes; a request that
        // violates them is reported instead of being compared.
        GeneralName expectedLocation;
        try {
            expectedLocation = createGeneralName(requested.getAccessLocation(), modes);
        } catch (BadCertTemplateException ex) {
            failureMsg.append("invalid requestedExtension: ").append(ex.getMessage()).append("; ");
            continue;
        }
        if (!actual.getAccessLocation().equals(expectedLocation)) {
            failureMsg.append("accessLocation does not match the requested one; ");
        }
    }
}
use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.
the class ExtensionsChecker method checkExtensionNameConstraintsSubtrees.
// method checkExtensionNameConstraints
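/**
 * Compares the permitted or excluded subtrees of a NameConstraints extension with
 * the subtrees expected by the profile.
 * <p>
 * Both lists must have the same length and are compared position by position:
 * minimum (absent counts as 0 on both sides), maximum (absent stays {@code null}
 * and is significant) and the base GeneralName, which is rebuilt from whichever
 * child the expected subtree defines. Violations are appended to {@code failureMsg}.
 *
 * @param failureMsg collects the human readable violations found
 * @param description name of the checked list, used as prefix in the messages
 * @param subtrees the subtrees found in the certificate, may be {@code null}
 * @param expectedSubtrees the subtrees expected by the profile, may be {@code null}
 * @throws IllegalStateException if an expected subtree defines none of the
 *         supported GeneralName children
 */
private void checkExtensionNameConstraintsSubtrees(StringBuilder failureMsg, String description, GeneralSubtree[] subtrees, List<QaGeneralSubtree> expectedSubtrees) {
    int isSize = (subtrees == null) ? 0 : subtrees.length;
    int expSize = (expectedSubtrees == null) ? 0 : expectedSubtrees.size();
    if (isSize != expSize) {
        addViolation(failureMsg, "size of " + description, isSize, expSize);
        return;
    }
    // Equal sizes with one side null means both are empty: nothing left to compare.
    if (subtrees == null || expectedSubtrees == null) {
        return;
    }

    for (int i = 0; i < isSize; i++) {
        GeneralSubtree isSubtree = subtrees[i];
        QaGeneralSubtree expSubtree = expectedSubtrees.get(i);
        String desc = description + " [" + i + "]";

        // minimum: an absent value is treated as 0 on both sides
        BigInteger isMinBig = isSubtree.getMinimum();
        int isMinimum = (isMinBig == null) ? 0 : isMinBig.intValue();
        Integer expMin = expSubtree.getMinimum();
        int expMinimum = (expMin == null) ? 0 : expMin.intValue();
        if (isMinimum != expMinimum) {
            addViolation(failureMsg, "minimum of " + desc, isMinimum, expMinimum);
        }

        // maximum: optional, absence is significant on both sides
        BigInteger isMaxBig = isSubtree.getMaximum();
        Integer isMaximum = (isMaxBig == null) ? null : isMaxBig.intValue();
        Integer expMaximum = expSubtree.getMaximum();
        if (!CompareUtil.equalsObject(isMaximum, expMaximum)) {
            // message typo fixed: "maxmum" -> "maximum"
            addViolation(failureMsg, "maximum of " + desc, isMaximum, expMaximum);
        }

        GeneralName isBase = isSubtree.getBase();
        GeneralName expBase = expectedSubtreeBase(expSubtree);
        if (!isBase.equals(expBase)) {
            addViolation(failureMsg, "base of " + desc, isBase, expBase);
        }
    }
}

/**
 * Builds the GeneralName an expected subtree stands for, from the first child it
 * defines, checked in the order directoryName, dNSName, iPAddress, rfc822Name,
 * uniformResourceIdentifier.
 *
 * @param expSubtree the expected subtree from the profile
 * @return the GeneralName to compare the certificate's base against
 * @throws IllegalStateException if the subtree defines none of the supported children
 */
private GeneralName expectedSubtreeBase(QaGeneralSubtree expSubtree) {
    if (expSubtree.getDirectoryName() != null) {
        // RDN order is normalised via X509Util.reverse before the comparison.
        return new GeneralName(X509Util.reverse(new X500Name(expSubtree.getDirectoryName())));
    }
    if (expSubtree.getDnsName() != null) {
        return new GeneralName(GeneralName.dNSName, expSubtree.getDnsName());
    }
    if (expSubtree.getIpAddress() != null) {
        return new GeneralName(GeneralName.iPAddress, expSubtree.getIpAddress());
    }
    if (expSubtree.getRfc822Name() != null) {
        return new GeneralName(GeneralName.rfc822Name, expSubtree.getRfc822Name());
    }
    if (expSubtree.getUri() != null) {
        return new GeneralName(GeneralName.uniformResourceIdentifier, expSubtree.getUri());
    }
    // IllegalStateException is a RuntimeException, so existing catch sites still apply.
    throw new IllegalStateException("should not reach here, unknown child of GeneralName");
}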