Search in sources :

Example 51 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.

the class ResponderEntryWrapper method initSigner.

public void initSigner(SecurityFactory securityFactory) throws ObjectCreationException {
    ParamUtil.requireNonNull("securityFactory", securityFactory);
    if (signer != null) {
        return;
    }
    if (dbEntry == null) {
        throw new ObjectCreationException("dbEntry is null");
    }
    X509Certificate responderCert = dbEntry.getCertificate();
    dbEntry.setConfFaulty(true);
    signer = securityFactory.createSigner(dbEntry.getType(), new SignerConf(dbEntry.getConf()), responderCert);
    if (signer.getCertificate() == null) {
        throw new ObjectCreationException("signer without certificate is not allowed");
    }
    dbEntry.setConfFaulty(false);
    if (dbEntry.getBase64Cert() == null) {
        dbEntry.setCertificate(signer.getCertificate());
        subjectAsX500Name = X500Name.getInstance(signer.getBcCertificate().getSubject());
        subjectAsGeneralName = new GeneralName(subjectAsX500Name);
    }
}
Also used : ObjectCreationException(org.xipki.common.ObjectCreationException) SignerConf(org.xipki.security.SignerConf) GeneralName(org.bouncycastle.asn1.x509.GeneralName) X509Certificate(java.security.cert.X509Certificate)

Example 52 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.

the class ResponderEntryWrapper method setDbEntry.

public void setDbEntry(ResponderEntry dbEntry) {
    this.dbEntry = ParamUtil.requireNonNull("dbEntry", dbEntry);
    signer = null;
    if (dbEntry.getCertificate() != null) {
        subjectAsX500Name = X500Name.getInstance(dbEntry.getCertificate().getSubjectX500Principal().getEncoded());
        subjectAsGeneralName = new GeneralName(subjectAsX500Name);
    }
}
Also used : GeneralName(org.bouncycastle.asn1.x509.GeneralName)

Example 53 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.

the class ExtensionsChecker method checkExtensionIssuerKeyIdentifier.

// method checkExtensionSubjectKeyIdentifier
private void checkExtensionIssuerKeyIdentifier(StringBuilder failureMsg, byte[] extensionValue, X509IssuerInfo issuerInfo) {
    AuthorityKeyIdentifier asn1 = AuthorityKeyIdentifier.getInstance(extensionValue);
    byte[] keyIdentifier = asn1.getKeyIdentifier();
    if (keyIdentifier == null) {
        failureMsg.append("keyIdentifier is 'absent' but expected 'present'; ");
    } else if (!Arrays.equals(issuerInfo.getSubjectKeyIdentifier(), keyIdentifier)) {
        addViolation(failureMsg, "keyIdentifier", hex(keyIdentifier), hex(issuerInfo.getSubjectKeyIdentifier()));
    }
    BigInteger serialNumber = asn1.getAuthorityCertSerialNumber();
    GeneralNames names = asn1.getAuthorityCertIssuer();
    if (certProfile.isIncludeIssuerAndSerialInAki()) {
        if (serialNumber == null) {
            failureMsg.append("authorityCertSerialNumber is 'absent' but expected 'present'; ");
        } else {
            if (!issuerInfo.getCert().getSerialNumber().equals(serialNumber)) {
                addViolation(failureMsg, "authorityCertSerialNumber", LogUtil.formatCsn(serialNumber), LogUtil.formatCsn(issuerInfo.getCert().getSerialNumber()));
            }
        }
        if (names == null) {
            failureMsg.append("authorityCertIssuer is 'absent' but expected 'present'; ");
        } else {
            GeneralName[] genNames = names.getNames();
            X500Name x500GenName = null;
            for (GeneralName genName : genNames) {
                if (genName.getTagNo() != GeneralName.directoryName) {
                    continue;
                }
                if (x500GenName != null) {
                    failureMsg.append("authorityCertIssuer contains at least two directoryName " + "but expected one; ");
                    break;
                } else {
                    x500GenName = (X500Name) genName.getName();
                }
            }
            if (x500GenName == null) {
                failureMsg.append("authorityCertIssuer does not contain directoryName but expected one; ");
            } else {
                X500Name caSubject = issuerInfo.getBcCert().getTBSCertificate().getSubject();
                if (!caSubject.equals(x500GenName)) {
                    addViolation(failureMsg, "authorityCertIssuer", x500GenName, caSubject);
                }
            }
        }
    } else {
        if (serialNumber != null) {
            failureMsg.append("authorityCertSerialNumber is 'absent' but expected 'present'; ");
        }
        if (names != null) {
            failureMsg.append("authorityCertIssuer is 'absent' but expected 'present'; ");
        }
    }
}
Also used : GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) BigInteger(java.math.BigInteger) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) GeneralName(org.bouncycastle.asn1.x509.GeneralName) X500Name(org.bouncycastle.asn1.x500.X500Name)

Example 54 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.

the class ExtensionsChecker method checkExtensionSubjectInfoAccess.

private void checkExtensionSubjectInfoAccess(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    Map<ASN1ObjectIdentifier, Set<GeneralNameMode>> conf = certProfile.getSubjectInfoAccessModes();
    if (conf == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }
    ASN1Encodable requestExtValue = null;
    if (requestedExtensions != null) {
        requestExtValue = requestedExtensions.getExtensionParsedValue(Extension.subjectInfoAccess);
    }
    if (requestExtValue == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }
    ASN1Sequence requestSeq = ASN1Sequence.getInstance(requestExtValue);
    ASN1Sequence certSeq = ASN1Sequence.getInstance(extensionValue);
    int size = requestSeq.size();
    if (certSeq.size() != size) {
        addViolation(failureMsg, "size of GeneralNames", certSeq.size(), size);
        return;
    }
    for (int i = 0; i < size; i++) {
        AccessDescription ad = AccessDescription.getInstance(requestSeq.getObjectAt(i));
        ASN1ObjectIdentifier accessMethod = ad.getAccessMethod();
        Set<GeneralNameMode> generalNameModes = conf.get(accessMethod);
        if (generalNameModes == null) {
            failureMsg.append("accessMethod in requestedExtension ").append(accessMethod.getId()).append(" is not allowed; ");
            continue;
        }
        AccessDescription certAccessDesc = AccessDescription.getInstance(certSeq.getObjectAt(i));
        ASN1ObjectIdentifier certAccessMethod = certAccessDesc.getAccessMethod();
        boolean bo = (accessMethod == null) ? (certAccessMethod == null) : accessMethod.equals(certAccessMethod);
        if (!bo) {
            addViolation(failureMsg, "accessMethod", (certAccessMethod == null) ? "null" : certAccessMethod.getId(), (accessMethod == null) ? "null" : accessMethod.getId());
            continue;
        }
        GeneralName accessLocation;
        try {
            accessLocation = createGeneralName(ad.getAccessLocation(), generalNameModes);
        } catch (BadCertTemplateException ex) {
            failureMsg.append("invalid requestedExtension: ").append(ex.getMessage()).append("; ");
            continue;
        }
        GeneralName certAccessLocation = certAccessDesc.getAccessLocation();
        if (!certAccessLocation.equals(accessLocation)) {
            failureMsg.append("accessLocation does not match the requested one; ");
        }
    }
}
Also used : GeneralNameMode(org.xipki.ca.api.profile.GeneralNameMode) Set(java.util.Set) HashSet(java.util.HashSet) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) AccessDescription(org.bouncycastle.asn1.x509.AccessDescription) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)

Example 55 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.

the class ExtensionsChecker method checkExtensionNameConstraintsSubtrees.

// method checkExtensionNameConstraints
private void checkExtensionNameConstraintsSubtrees(StringBuilder failureMsg, String description, GeneralSubtree[] subtrees, List<QaGeneralSubtree> expectedSubtrees) {
    int isSize = (subtrees == null) ? 0 : subtrees.length;
    int expSize = (expectedSubtrees == null) ? 0 : expectedSubtrees.size();
    if (isSize != expSize) {
        addViolation(failureMsg, "size of " + description, isSize, expSize);
        return;
    }
    if (subtrees == null || expectedSubtrees == null) {
        return;
    }
    for (int i = 0; i < isSize; i++) {
        GeneralSubtree isSubtree = subtrees[i];
        QaGeneralSubtree expSubtree = expectedSubtrees.get(i);
        BigInteger bigInt = isSubtree.getMinimum();
        int isMinimum = (bigInt == null) ? 0 : bigInt.intValue();
        Integer minimum = expSubtree.getMinimum();
        int expMinimum = (minimum == null) ? 0 : minimum.intValue();
        String desc = description + " [" + i + "]";
        if (isMinimum != expMinimum) {
            addViolation(failureMsg, "minimum of " + desc, isMinimum, expMinimum);
        }
        bigInt = isSubtree.getMaximum();
        Integer isMaximum = (bigInt == null) ? null : bigInt.intValue();
        Integer expMaximum = expSubtree.getMaximum();
        if (!CompareUtil.equalsObject(isMaximum, expMaximum)) {
            addViolation(failureMsg, "maxmum of " + desc, isMaximum, expMaximum);
        }
        GeneralName isBase = isSubtree.getBase();
        GeneralName expBase;
        if (expSubtree.getDirectoryName() != null) {
            expBase = new GeneralName(X509Util.reverse(new X500Name(expSubtree.getDirectoryName())));
        } else if (expSubtree.getDnsName() != null) {
            expBase = new GeneralName(GeneralName.dNSName, expSubtree.getDnsName());
        } else if (expSubtree.getIpAddress() != null) {
            expBase = new GeneralName(GeneralName.iPAddress, expSubtree.getIpAddress());
        } else if (expSubtree.getRfc822Name() != null) {
            expBase = new GeneralName(GeneralName.rfc822Name, expSubtree.getRfc822Name());
        } else if (expSubtree.getUri() != null) {
            expBase = new GeneralName(GeneralName.uniformResourceIdentifier, expSubtree.getUri());
        } else {
            throw new RuntimeException("should not reach here, unknown child of GeneralName");
        }
        if (!isBase.equals(expBase)) {
            addViolation(failureMsg, "base of " + desc, isBase, expBase);
        }
    }
}
Also used : ASN1Integer(org.bouncycastle.asn1.ASN1Integer) BigInteger(java.math.BigInteger) QaGeneralSubtree(org.xipki.ca.qa.internal.QaGeneralSubtree) BigInteger(java.math.BigInteger) QaGeneralSubtree(org.xipki.ca.qa.internal.QaGeneralSubtree) GeneralSubtree(org.bouncycastle.asn1.x509.GeneralSubtree) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERBMPString(org.bouncycastle.asn1.DERBMPString) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) ASN1String(org.bouncycastle.asn1.ASN1String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERT61String(org.bouncycastle.asn1.DERT61String) GeneralName(org.bouncycastle.asn1.x509.GeneralName) X500Name(org.bouncycastle.asn1.x500.X500Name) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)

Aggregations

GeneralName (org.bouncycastle.asn1.x509.GeneralName)125 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)58 IOException (java.io.IOException)50 DERIA5String (org.bouncycastle.asn1.DERIA5String)36 ArrayList (java.util.ArrayList)34 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)32 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)31 X500Name (org.bouncycastle.asn1.x500.X500Name)30 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)28 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)27 X509Certificate (java.security.cert.X509Certificate)25 DEROctetString (org.bouncycastle.asn1.DEROctetString)24 List (java.util.List)21 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)19 Date (java.util.Date)18 GeneralName (org.apache.harmony.security.x509.GeneralName)18 DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)18 DERSequence (org.bouncycastle.asn1.DERSequence)17 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)16 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)16