Search in sources :

Example 16 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project robovm by robovm.

the class X509CertSelector method addPathToName.

/**
     * Adds a {@literal "pathToName"} to the respective criterion.
     *
     * @param type
     *            the type of the name
     * @param name
     *            the name in ASN.1 DER encoded form.
     * @throws IOException
     *             if decoding fails.
     * @see #setPathToNames
     */
public void addPathToName(int type, byte[] name) throws IOException {
    GeneralName path_name = new GeneralName(type, name);
    // create only if there was not any errors
    if (pathToNames == null) {
        pathToNames = new ArrayList<GeneralName>();
    }
    pathToNames.add(path_name);
}
Also used : GeneralName(org.apache.harmony.security.x509.GeneralName)

Example 17 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project robovm by robovm.

the class X509CertSelector method match.

/**
     * Returns whether the specified certificate matches all the criteria
     * collected in this instance.
     *
     * @param certificate
     *            the certificate to check.
     * @return {@code true} if the certificate matches all the criteria,
     *         otherwise {@code false}.
     */
public boolean match(Certificate certificate) {
    if (!(certificate instanceof X509Certificate)) {
        return false;
    }
    X509Certificate cert = (X509Certificate) certificate;
    if ((certificateEquals != null) && !certificateEquals.equals(cert)) {
        return false;
    }
    if ((serialNumber != null) && !serialNumber.equals(cert.getSerialNumber())) {
        return false;
    }
    if ((issuer != null) && !issuer.equals(cert.getIssuerX500Principal())) {
        return false;
    }
    if ((subject != null) && !subject.equals(cert.getSubjectX500Principal())) {
        return false;
    }
    if ((subjectKeyIdentifier != null) && !Arrays.equals(subjectKeyIdentifier, // are taken from rfc 3280 (http://www.ietf.org/rfc/rfc3280.txt)
    getExtensionValue(cert, "2.5.29.14"))) {
        return false;
    }
    if ((authorityKeyIdentifier != null) && !Arrays.equals(authorityKeyIdentifier, getExtensionValue(cert, "2.5.29.35"))) {
        return false;
    }
    if (certificateValid != null) {
        try {
            cert.checkValidity(certificateValid);
        } catch (CertificateExpiredException e) {
            return false;
        } catch (CertificateNotYetValidException e) {
            return false;
        }
    }
    if (privateKeyValid != null) {
        try {
            byte[] bytes = getExtensionValue(cert, "2.5.29.16");
            if (bytes == null) {
                return false;
            }
            PrivateKeyUsagePeriod pkup = (PrivateKeyUsagePeriod) PrivateKeyUsagePeriod.ASN1.decode(bytes);
            Date notBefore = pkup.getNotBefore();
            Date notAfter = pkup.getNotAfter();
            if ((notBefore == null) && (notAfter == null)) {
                return false;
            }
            if ((notBefore != null) && notBefore.compareTo(privateKeyValid) > 0) {
                return false;
            }
            if ((notAfter != null) && notAfter.compareTo(privateKeyValid) < 0) {
                return false;
            }
        } catch (IOException e) {
            return false;
        }
    }
    if (subjectPublicKeyAlgID != null) {
        try {
            byte[] encoding = cert.getPublicKey().getEncoded();
            AlgorithmIdentifier ai = ((SubjectPublicKeyInfo) SubjectPublicKeyInfo.ASN1.decode(encoding)).getAlgorithmIdentifier();
            if (!subjectPublicKeyAlgID.equals(ai.getAlgorithm())) {
                return false;
            }
        } catch (IOException e) {
            e.printStackTrace();
            return false;
        }
    }
    if (subjectPublicKey != null) {
        if (!Arrays.equals(subjectPublicKey, cert.getPublicKey().getEncoded())) {
            return false;
        }
    }
    if (keyUsage != null) {
        boolean[] ku = cert.getKeyUsage();
        if (ku != null) {
            int i = 0;
            int min_length = (ku.length < keyUsage.length) ? ku.length : keyUsage.length;
            for (; i < min_length; i++) {
                if (keyUsage[i] && !ku[i]) {
                    // but certificate does not.
                    return false;
                }
            }
            for (; i < keyUsage.length; i++) {
                if (keyUsage[i]) {
                    return false;
                }
            }
        }
    }
    if (extendedKeyUsage != null) {
        try {
            List keyUsage = cert.getExtendedKeyUsage();
            if (keyUsage != null) {
                if (!keyUsage.containsAll(extendedKeyUsage)) {
                    return false;
                }
            }
        } catch (CertificateParsingException e) {
            return false;
        }
    }
    if (pathLen != -1) {
        int p_len = cert.getBasicConstraints();
        if ((pathLen < 0) && (p_len >= 0)) {
            // need end-entity but got CA
            return false;
        }
        if ((pathLen > 0) && (pathLen > p_len)) {
            // allowed _pathLen is small
            return false;
        }
    }
    if (subjectAltNames != null) {
        PASSED: try {
            byte[] bytes = getExtensionValue(cert, "2.5.29.17");
            if (bytes == null) {
                return false;
            }
            List<GeneralName> sans = ((GeneralNames) GeneralNames.ASN1.decode(bytes)).getNames();
            if ((sans == null) || (sans.size() == 0)) {
                return false;
            }
            boolean[][] map = new boolean[9][];
            // initialize the check map
            for (int i = 0; i < 9; i++) {
                map[i] = (subjectAltNames[i] == null) ? EmptyArray.BOOLEAN : new boolean[subjectAltNames[i].size()];
            }
            for (GeneralName name : sans) {
                int tag = name.getTag();
                for (int i = 0; i < map[tag].length; i++) {
                    if (subjectAltNames[tag].get(i).equals(name)) {
                        if (!matchAllNames) {
                            break PASSED;
                        }
                        map[tag][i] = true;
                    }
                }
            }
            if (!matchAllNames) {
                // there was not any match
                return false;
            }
            // else check the map
            for (int tag = 0; tag < 9; tag++) {
                for (int name = 0; name < map[tag].length; name++) {
                    if (!map[tag][name]) {
                        return false;
                    }
                }
            }
        } catch (IOException e) {
            e.printStackTrace();
            return false;
        }
    }
    if (nameConstraints != null) {
        if (!nameConstraints.isAcceptable(cert)) {
            return false;
        }
    }
    if (policies != null) {
        byte[] bytes = getExtensionValue(cert, "2.5.29.32");
        if (bytes == null) {
            return false;
        }
        if (policies.size() == 0) {
            // one policy in it.
            return true;
        }
        PASSED: try {
            List<PolicyInformation> policyInformations = ((CertificatePolicies) CertificatePolicies.ASN1.decode(bytes)).getPolicyInformations();
            for (PolicyInformation policyInformation : policyInformations) {
                if (policies.contains(policyInformation.getPolicyIdentifier())) {
                    break PASSED;
                }
            }
            return false;
        } catch (IOException e) {
            // the extension is invalid
            return false;
        }
    }
    if (pathToNames != null) {
        byte[] bytes = getExtensionValue(cert, "2.5.29.30");
        if (bytes != null) {
            NameConstraints nameConstraints;
            try {
                nameConstraints = (NameConstraints) NameConstraints.ASN1.decode(bytes);
            } catch (IOException e) {
                // the extension is invalid;
                return false;
            }
            if (!nameConstraints.isAcceptable(pathToNames)) {
                return false;
            }
        }
    }
    return true;
}
Also used : NameConstraints(org.apache.harmony.security.x509.NameConstraints) PolicyInformation(org.apache.harmony.security.x509.PolicyInformation) IOException(java.io.IOException) SubjectPublicKeyInfo(org.apache.harmony.security.x509.SubjectPublicKeyInfo) Date(java.util.Date) AlgorithmIdentifier(org.apache.harmony.security.x509.AlgorithmIdentifier) ArrayList(java.util.ArrayList) List(java.util.List) GeneralName(org.apache.harmony.security.x509.GeneralName) PrivateKeyUsagePeriod(org.apache.harmony.security.x509.PrivateKeyUsagePeriod)

Example 18 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project robovm by robovm.

the class X509CertSelector method addSubjectAlternativeName.

/**
     * Adds a subject alternative name to the respective criterion.
     *
     * @param tag
     *            the type of the name
     * @param name
     *            the name in string format.
     * @throws IOException
     *             if parsing the name fails.
     */
public void addSubjectAlternativeName(int tag, String name) throws IOException {
    GeneralName alt_name = new GeneralName(tag, name);
    // create only if there was not any errors
    if (subjectAltNames == null) {
        subjectAltNames = new ArrayList[9];
    }
    if (subjectAltNames[tag] == null) {
        subjectAltNames[tag] = new ArrayList<GeneralName>();
    }
    subjectAltNames[tag].add(alt_name);
}
Also used : GeneralName(org.apache.harmony.security.x509.GeneralName)

Example 19 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project robovm by robovm.

the class RFC3280CertPathUtilities method processCertBC.

protected static void processCertBC(CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator) throws CertPathValidatorException {
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate) certs.get(index);
    int n = certs.size();
    // i as defined in the algorithm description
    int i = n - index;
    //
    if (!(CertPathValidatorUtilities.isSelfIssued(cert) && (i < n))) {
        X500Principal principal = CertPathValidatorUtilities.getSubjectPrincipal(cert);
        ASN1InputStream aIn = new ASN1InputStream(principal.getEncoded());
        ASN1Sequence dns;
        try {
            dns = DERSequence.getInstance(aIn.readObject());
        } catch (Exception e) {
            throw new CertPathValidatorException("Exception extracting subject name when checking subtrees.", e, certPath, index);
        }
        try {
            nameConstraintValidator.checkPermittedDN(dns);
            nameConstraintValidator.checkExcludedDN(dns);
        } catch (PKIXNameConstraintValidatorException e) {
            throw new CertPathValidatorException("Subtree check for certificate subject failed.", e, certPath, index);
        }
        GeneralNames altName = null;
        try {
            altName = GeneralNames.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME));
        } catch (Exception e) {
            throw new CertPathValidatorException("Subject alternative name extension could not be decoded.", e, certPath, index);
        }
        Vector emails = new X509Name(dns).getValues(X509Name.EmailAddress);
        for (Enumeration e = emails.elements(); e.hasMoreElements(); ) {
            String email = (String) e.nextElement();
            GeneralName emailAsGeneralName = new GeneralName(GeneralName.rfc822Name, email);
            try {
                nameConstraintValidator.checkPermitted(emailAsGeneralName);
                nameConstraintValidator.checkExcluded(emailAsGeneralName);
            } catch (PKIXNameConstraintValidatorException ex) {
                throw new CertPathValidatorException("Subtree check for certificate subject alternative email failed.", ex, certPath, index);
            }
        }
        if (altName != null) {
            GeneralName[] genNames = null;
            try {
                genNames = altName.getNames();
            } catch (Exception e) {
                throw new CertPathValidatorException("Subject alternative name contents could not be decoded.", e, certPath, index);
            }
            for (int j = 0; j < genNames.length; j++) {
                try {
                    nameConstraintValidator.checkPermitted(genNames[j]);
                    nameConstraintValidator.checkExcluded(genNames[j]);
                } catch (PKIXNameConstraintValidatorException e) {
                    throw new CertPathValidatorException("Subtree check for certificate subject alternative name failed.", e, certPath, index);
                }
            }
        }
    }
}
Also used : ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) Enumeration(java.util.Enumeration) X509Certificate(java.security.cert.X509Certificate) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) X509Name(org.bouncycastle.asn1.x509.X509Name) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) X500Principal(javax.security.auth.x500.X500Principal) List(java.util.List) ArrayList(java.util.ArrayList) GeneralName(org.bouncycastle.asn1.x509.GeneralName) Vector(java.util.Vector) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)

Example 20 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project robovm by robovm.

the class RFC3280CertPathUtilities method processCRLB2.

/**
     * If the complete CRL includes an issuing distribution point (IDP) CRL
     * extension check the following:
     * <p/>
     * (i) If the distribution point name is present in the IDP CRL extension
     * and the distribution field is present in the DP, then verify that one of
     * the names in the IDP matches one of the names in the DP. If the
     * distribution point name is present in the IDP CRL extension and the
     * distribution field is omitted from the DP, then verify that one of the
     * names in the IDP matches one of the names in the cRLIssuer field of the
     * DP.
     * </p>
     * <p/>
     * (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL
     * extension, verify that the certificate does not include the basic
     * constraints extension with the cA boolean asserted.
     * </p>
     * <p/>
     * (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL
     * extension, verify that the certificate includes the basic constraints
     * extension with the cA boolean asserted.
     * </p>
     * <p/>
     * (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.
     * </p>
     *
     * @param dp   The distribution point.
     * @param cert The certificate.
     * @param crl  The CRL.
     * @throws AnnotatedException if one of the conditions is not met or an error occurs.
     */
protected static void processCRLB2(DistributionPoint dp, Object cert, X509CRL crl) throws AnnotatedException {
    IssuingDistributionPoint idp = null;
    try {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl, RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    } catch (Exception e) {
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }
    // distribution point name is present
    if (idp != null) {
        if (idp.getDistributionPoint() != null) {
            // make list of names
            DistributionPointName dpName = IssuingDistributionPoint.getInstance(idp).getDistributionPoint();
            List names = new ArrayList();
            if (dpName.getType() == DistributionPointName.FULL_NAME) {
                GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                for (int j = 0; j < genNames.length; j++) {
                    names.add(genNames[j]);
                }
            }
            if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
                ASN1EncodableVector vec = new ASN1EncodableVector();
                try {
                    Enumeration e = ASN1Sequence.getInstance(ASN1Sequence.fromByteArray(CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded())).getObjects();
                    while (e.hasMoreElements()) {
                        vec.add((ASN1Encodable) e.nextElement());
                    }
                } catch (IOException e) {
                    throw new AnnotatedException("Could not read CRL issuer.", e);
                }
                vec.add(dpName.getName());
                names.add(new GeneralName(X509Name.getInstance(new DERSequence(vec))));
            }
            boolean matches = false;
            // of the names in the DP.
            if (dp.getDistributionPoint() != null) {
                dpName = dp.getDistributionPoint();
                GeneralName[] genNames = null;
                if (dpName.getType() == DistributionPointName.FULL_NAME) {
                    genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                }
                if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
                    if (dp.getCRLIssuer() != null) {
                        genNames = dp.getCRLIssuer().getNames();
                    } else {
                        genNames = new GeneralName[1];
                        try {
                            genNames[0] = new GeneralName(new X509Name((ASN1Sequence) ASN1Sequence.fromByteArray(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded())));
                        } catch (IOException e) {
                            throw new AnnotatedException("Could not read certificate issuer.", e);
                        }
                    }
                    for (int j = 0; j < genNames.length; j++) {
                        Enumeration e = ASN1Sequence.getInstance(genNames[j].getName().toASN1Primitive()).getObjects();
                        ASN1EncodableVector vec = new ASN1EncodableVector();
                        while (e.hasMoreElements()) {
                            vec.add((ASN1Encodable) e.nextElement());
                        }
                        vec.add(dpName.getName());
                        genNames[j] = new GeneralName(new X509Name(new DERSequence(vec)));
                    }
                }
                if (genNames != null) {
                    for (int j = 0; j < genNames.length; j++) {
                        if (names.contains(genNames[j])) {
                            matches = true;
                            break;
                        }
                    }
                }
                if (!matches) {
                    throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                }
            } else // verify that one of the names in
            // the IDP matches one of the names in the cRLIssuer field of
            // the DP
            {
                if (dp.getCRLIssuer() == null) {
                    throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must " + "be contained in DistributionPoint.");
                }
                GeneralName[] genNames = dp.getCRLIssuer().getNames();
                for (int j = 0; j < genNames.length; j++) {
                    if (names.contains(genNames[j])) {
                        matches = true;
                        break;
                    }
                }
                if (!matches) {
                    throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                }
            }
        }
        BasicConstraints bc = null;
        try {
            bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue((X509Extension) cert, BASIC_CONSTRAINTS));
        } catch (Exception e) {
            throw new AnnotatedException("Basic constraints extension could not be decoded.", e);
        }
        if (cert instanceof X509Certificate) {
            // (b) (2) (ii)
            if (idp.onlyContainsUserCerts() && (bc != null && bc.isCA())) {
                throw new AnnotatedException("CA Cert CRL only contains user certificates.");
            }
            // (b) (2) (iii)
            if (idp.onlyContainsCACerts() && (bc == null || !bc.isCA())) {
                throw new AnnotatedException("End CRL only contains CA certificates.");
            }
        }
        // (b) (2) (iv)
        if (idp.onlyContainsAttributeCerts()) {
            throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
        }
    }
}
Also used : IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) Enumeration(java.util.Enumeration) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) ArrayList(java.util.ArrayList) IOException(java.io.IOException) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) X509Certificate(java.security.cert.X509Certificate) DERSequence(org.bouncycastle.asn1.DERSequence) X509Name(org.bouncycastle.asn1.x509.X509Name) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) List(java.util.List) ArrayList(java.util.ArrayList) GeneralName(org.bouncycastle.asn1.x509.GeneralName) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)

Aggregations

GeneralName (org.bouncycastle.asn1.x509.GeneralName)125 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)58 IOException (java.io.IOException)50 DERIA5String (org.bouncycastle.asn1.DERIA5String)36 ArrayList (java.util.ArrayList)34 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)32 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)31 X500Name (org.bouncycastle.asn1.x500.X500Name)30 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)28 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)27 X509Certificate (java.security.cert.X509Certificate)25 DEROctetString (org.bouncycastle.asn1.DEROctetString)24 List (java.util.List)21 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)19 Date (java.util.Date)18 GeneralName (org.apache.harmony.security.x509.GeneralName)18 DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)18 DERSequence (org.bouncycastle.asn1.DERSequence)17 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)16 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)16