Search in sources :

Example 61 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project certmgr by hdecarne.

the class SubjectAlternativeNameController method init.

/**
 * Initialize the dialog with existing extension data.
 *
 * @param data The extension data to use.
 * @param expertMode Whether to run in expert mode ({@code true}) or not ({@code false}).
 * @return This controller.
 */
public SubjectAlternativeNameController init(SubjectAlternativeNameExtensionData data, boolean expertMode) {
    init(expertMode);
    this.ctlCritical.setSelected(data.getCritical());
    ObservableList<GeneralName> nameItems = this.ctlNames.getItems();
    for (GeneralName name : data.getGeneralNames()) {
        nameItems.add(name);
    }
    return this;
}
Also used : GeneralName(de.carne.certmgr.certs.x509.GeneralName)

Example 62 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project certmgr by hdecarne.

the class GeneralNameFactory method directoryName.

private static GeneralName directoryName(String name) throws IllegalArgumentException {
    String directoryNameString = Strings.safe(name).trim();
    if (Strings.isEmpty(directoryNameString)) {
        throw new IllegalArgumentException(GeneralNameFactoryI18N.formatSTR_MESSAGE_NO_DIRECTORY_NAME());
    }
    X500Principal directoryNameX500;
    try {
        directoryNameX500 = X500Names.fromString(directoryNameString);
    } catch (IllegalArgumentException e) {
        throw new IllegalArgumentException(GeneralNameFactoryI18N.formatSTR_MESSAGE_INVALID_DIRECTORY_NAME(directoryNameString, e.getLocalizedMessage()), e);
    }
    return new DirectoryName(directoryNameX500);
}
Also used : X500Principal(javax.security.auth.x500.X500Principal) DirectoryName(de.carne.certmgr.certs.x509.DirectoryName)

Example 63 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.

the class XmlX509Certprofile method createRequestedSubjectAltNames.

private GeneralNames createRequestedSubjectAltNames(X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions) throws BadCertTemplateException {
    ASN1Encodable extValue = (requestedExtensions == null) ? null : requestedExtensions.getExtensionParsedValue(Extension.subjectAlternativeName);
    if (extValue == null && subjectToSubjectAltNameModes == null) {
        return null;
    }
    GeneralNames reqNames = (extValue == null) ? null : GeneralNames.getInstance(extValue);
    if (subjectAltNameModes == null && subjectToSubjectAltNameModes == null) {
        return reqNames;
    }
    List<GeneralName> grantedNames = new LinkedList<>();
    // copy the required attributes of Subject
    if (subjectToSubjectAltNameModes != null) {
        for (ASN1ObjectIdentifier attrType : subjectToSubjectAltNameModes.keySet()) {
            GeneralNameTag tag = subjectToSubjectAltNameModes.get(attrType);
            RDN[] rdns = grantedSubject.getRDNs(attrType);
            if (rdns == null) {
                rdns = requestedSubject.getRDNs(attrType);
            }
            if (rdns == null) {
                continue;
            }
            for (RDN rdn : rdns) {
                String rdnValue = X509Util.rdnValueToString(rdn.getFirst().getValue());
                switch(tag) {
                    case rfc822Name:
                    case dNSName:
                    case uniformResourceIdentifier:
                    case iPAddress:
                    case directoryName:
                    case registeredID:
                        grantedNames.add(new GeneralName(tag.getTag(), rdnValue));
                        break;
                    default:
                        throw new RuntimeException("should not reach here, unknown GeneralName tag " + tag);
                }
            // end switch (tag)
            }
        }
    }
    // copy the requested SubjectAltName entries
    if (reqNames != null) {
        GeneralName[] reqL = reqNames.getNames();
        for (int i = 0; i < reqL.length; i++) {
            grantedNames.add(X509CertprofileUtil.createGeneralName(reqL[i], subjectAltNameModes));
        }
    }
    return grantedNames.isEmpty() ? null : new GeneralNames(grantedNames.toArray(new GeneralName[0]));
}
Also used : GeneralNameTag(org.xipki.ca.api.profile.GeneralNameTag) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) LinkedList(java.util.LinkedList) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) GeneralName(org.bouncycastle.asn1.x509.GeneralName) RDN(org.bouncycastle.asn1.x500.RDN) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 64 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.

the class CmpRequestor method signAndSend.

protected PkiResponse signAndSend(PKIMessage request, RequestResponseDebug debug) throws CmpRequestorException {
    ParamUtil.requireNonNull("request", request);
    PKIMessage tmpRequest = (signRequest) ? sign(request) : request;
    byte[] encodedRequest;
    try {
        encodedRequest = tmpRequest.getEncoded();
    } catch (IOException ex) {
        LOG.error("could not encode the PKI request {}", tmpRequest);
        throw new CmpRequestorException(ex.getMessage(), ex);
    }
    RequestResponsePair reqResp = null;
    if (debug != null) {
        reqResp = new RequestResponsePair();
        debug.add(reqResp);
        if (debug.saveRequest()) {
            reqResp.setRequest(encodedRequest);
        }
    }
    byte[] encodedResponse;
    try {
        encodedResponse = send(encodedRequest);
    } catch (IOException ex) {
        LOG.error("could not send the PKI request {} to server", tmpRequest);
        throw new CmpRequestorException("TRANSPORT_ERROR", ex);
    }
    if (reqResp != null && debug.saveResponse()) {
        reqResp.setResponse(encodedResponse);
    }
    GeneralPKIMessage response;
    try {
        response = new GeneralPKIMessage(encodedResponse);
    } catch (IOException ex) {
        LOG.error("could not decode the received PKI message: {}", Hex.encode(encodedResponse));
        throw new CmpRequestorException(ex.getMessage(), ex);
    }
    PKIHeader reqHeader = request.getHeader();
    PKIHeader respHeader = response.getHeader();
    ASN1OctetString tid = reqHeader.getTransactionID();
    ASN1OctetString respTid = respHeader.getTransactionID();
    if (!tid.equals(respTid)) {
        LOG.warn("Response contains different tid ({}) than requested {}", respTid, tid);
        throw new CmpRequestorException("Response contains differnt tid than the request");
    }
    ASN1OctetString senderNonce = reqHeader.getSenderNonce();
    ASN1OctetString respRecipientNonce = respHeader.getRecipNonce();
    if (!senderNonce.equals(respRecipientNonce)) {
        LOG.warn("tid {}: response.recipientNonce ({}) != request.senderNonce ({})", tid, respRecipientNonce, senderNonce);
        throw new CmpRequestorException("Response contains differnt tid than the request");
    }
    GeneralName rec = respHeader.getRecipient();
    if (!sender.equals(rec)) {
        LOG.warn("tid={}: unknown CMP requestor '{}'", tid, rec);
    }
    PkiResponse ret = new PkiResponse(response);
    if (response.hasProtection()) {
        try {
            ProtectionVerificationResult verifyProtection = verifyProtection(Hex.encode(tid.getOctets()), response);
            ret.setProtectionVerificationResult(verifyProtection);
        } catch (InvalidKeyException | OperatorCreationException | CMPException ex) {
            throw new CmpRequestorException(ex.getMessage(), ex);
        }
    } else if (signRequest) {
        PKIBody respBody = response.getBody();
        int bodyType = respBody.getType();
        if (bodyType != PKIBody.TYPE_ERROR) {
            throw new CmpRequestorException("response is not signed");
        }
    }
    return ret;
}
Also used : ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) RequestResponsePair(org.xipki.common.RequestResponsePair) PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) PkiResponse(org.xipki.cmp.PkiResponse) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) ProtectionVerificationResult(org.xipki.cmp.ProtectionVerificationResult) IOException(java.io.IOException) InvalidKeyException(java.security.InvalidKeyException) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) CMPException(org.bouncycastle.cert.cmp.CMPException) GeneralName(org.bouncycastle.asn1.x509.GeneralName) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)

Example 65 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project xipki by xipki.

the class X509CmpRequestor method parse.

private RevokeCertResultType parse(PkiResponse response, List<? extends IssuerSerialEntry> reqEntries) throws CmpRequestorException, PkiErrorException {
    ParamUtil.requireNonNull("response", response);
    checkProtection(response);
    PKIBody respBody = response.getPkiMessage().getBody();
    int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new PkiErrorException(content.getPKIStatusInfo());
    } else if (PKIBody.TYPE_REVOCATION_REP != bodyType) {
        throw new CmpRequestorException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_REVOCATION_REP, PKIBody.TYPE_ERROR));
    }
    RevRepContent content = RevRepContent.getInstance(respBody.getContent());
    PKIStatusInfo[] statuses = content.getStatus();
    if (statuses == null || statuses.length != reqEntries.size()) {
        int statusesLen = 0;
        if (statuses != null) {
            statusesLen = statuses.length;
        }
        throw new CmpRequestorException(String.format("incorrect number of status entries in response '%s' instead the expected '%s'", statusesLen, reqEntries.size()));
    }
    CertId[] revCerts = content.getRevCerts();
    RevokeCertResultType result = new RevokeCertResultType();
    for (int i = 0; i < statuses.length; i++) {
        PKIStatusInfo statusInfo = statuses[i];
        int status = statusInfo.getStatus().intValue();
        IssuerSerialEntry re = reqEntries.get(i);
        if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) {
            PKIFreeText text = statusInfo.getStatusString();
            String statusString = (text == null) ? null : text.getStringAt(0).getString();
            ResultEntry resultEntry = new ErrorResultEntry(re.getId(), status, statusInfo.getFailInfo().intValue(), statusString);
            result.addResultEntry(resultEntry);
            continue;
        }
        CertId certId = null;
        if (revCerts != null) {
            for (CertId entry : revCerts) {
                if (re.getIssuer().equals(entry.getIssuer().getName()) && re.getSerialNumber().equals(entry.getSerialNumber().getValue())) {
                    certId = entry;
                    break;
                }
            }
        }
        if (certId == null) {
            LOG.warn("certId is not present in response for (issuer='{}', serialNumber={})", X509Util.getRfc4519Name(re.getIssuer()), LogUtil.formatCsn(re.getSerialNumber()));
            certId = new CertId(new GeneralName(re.getIssuer()), re.getSerialNumber());
            continue;
        }
        ResultEntry resultEntry = new RevokeCertResultEntry(re.getId(), certId);
        result.addResultEntry(resultEntry);
    }
    return result;
}
Also used : ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry) RevokeCertResultEntry(org.xipki.ca.client.api.dto.RevokeCertResultEntry) EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry) ResultEntry(org.xipki.ca.client.api.dto.ResultEntry) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) RevokeCertResultEntry(org.xipki.ca.client.api.dto.RevokeCertResultEntry) CertId(org.bouncycastle.asn1.crmf.CertId) PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry) IssuerSerialEntry(org.xipki.ca.client.api.dto.IssuerSerialEntry) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) DEROctetString(org.bouncycastle.asn1.DEROctetString) RevRepContent(org.bouncycastle.asn1.cmp.RevRepContent) PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText) PkiErrorException(org.xipki.ca.client.api.PkiErrorException) RevokeCertResultType(org.xipki.ca.client.api.dto.RevokeCertResultType) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent)

Aggregations

GeneralName (org.bouncycastle.asn1.x509.GeneralName)125 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)58 IOException (java.io.IOException)50 DERIA5String (org.bouncycastle.asn1.DERIA5String)36 ArrayList (java.util.ArrayList)34 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)32 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)31 X500Name (org.bouncycastle.asn1.x500.X500Name)30 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)28 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)27 X509Certificate (java.security.cert.X509Certificate)25 DEROctetString (org.bouncycastle.asn1.DEROctetString)24 List (java.util.List)21 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)19 Date (java.util.Date)18 GeneralName (org.apache.harmony.security.x509.GeneralName)18 DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)18 DERSequence (org.bouncycastle.asn1.DERSequence)17 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)16 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)16