Search in sources :

Example 31 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project jdk8u_jdk by JetBrains.

the class ForwardState method updateState.

/**
     * Update the state with the next certificate added to the path.
     *
     * @param cert the certificate which is used to update the state
     */
@Override
public void updateState(X509Certificate cert) throws CertificateException, IOException, CertPathValidatorException {
    if (cert == null)
        return;
    X509CertImpl icert = X509CertImpl.toImpl(cert);
    /* see if certificate key has null parameters */
    if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) {
        keyParamsNeededFlag = true;
    }
    /* update certificate */
    this.cert = icert;
    /* update issuer DN */
    issuerDN = cert.getIssuerX500Principal();
    if (!X509CertImpl.isSelfIssued(cert)) {
        /*
             * update traversedCACerts only if this is a non-self-issued
             * intermediate CA cert
             */
        if (!init && cert.getBasicConstraints() != -1) {
            traversedCACerts++;
        }
    }
    /* update subjectNamesTraversed only if this is the EE cert or if
           this cert is not self-issued */
    if (init || !X509CertImpl.isSelfIssued(cert)) {
        X500Principal subjName = cert.getSubjectX500Principal();
        subjectNamesTraversed.add(X500Name.asX500Name(subjName));
        try {
            SubjectAlternativeNameExtension subjAltNameExt = icert.getSubjectAlternativeNameExtension();
            if (subjAltNameExt != null) {
                GeneralNames gNames = subjAltNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
                for (GeneralName gName : gNames.names()) {
                    subjectNamesTraversed.add(gName.getName());
                }
            }
        } catch (IOException e) {
            if (debug != null) {
                debug.println("ForwardState.updateState() unexpected " + "exception");
                e.printStackTrace();
            }
            throw new CertPathValidatorException(e);
        }
    }
    init = false;
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) GeneralNames(sun.security.x509.GeneralNames) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) X509CertImpl(sun.security.x509.X509CertImpl) X500Principal(javax.security.auth.x500.X500Principal) GeneralName(sun.security.x509.GeneralName) IOException(java.io.IOException)

Example 32 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project jdk8u_jdk by JetBrains.

the class X509CertSelectorTest method getGeneralSubtree.

private static GeneralSubtree getGeneralSubtree(GeneralNameInterface gni) {
    // Create a new GeneralSubtree with the specified name, 0 base, and
    // unlimited length
    GeneralName gn = new GeneralName(gni);
    GeneralSubtree subTree = new GeneralSubtree(gn, 0, -1);
    return subTree;
}
Also used : GeneralName(sun.security.x509.GeneralName) GeneralSubtree(sun.security.x509.GeneralSubtree)

Example 33 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project jdk8u_jdk by JetBrains.

the class X509CertSelectorTest method testSubjectAltName.

/*
     * Tests matching on the subject alternative name extension contained in the
     * certificate.
     */
private void testSubjectAltName() throws IOException {
    System.out.println("X.509 Certificate Match on subjectAltName");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    GeneralNameInterface dnsName = new DNSName("foo.com");
    DerOutputStream tmp = new DerOutputStream();
    dnsName.encode(tmp);
    selector.addSubjectAlternativeName(2, tmp.toByteArray());
    checkMatch(selector, cert, false);
    // good match
    DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.17"));
    byte[] encoded = in.getOctetString();
    SubjectAlternativeNameExtension ext = new SubjectAlternativeNameExtension(false, encoded);
    GeneralNames names = (GeneralNames) ext.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
    GeneralName name = (GeneralName) names.get(0);
    selector.setSubjectAlternativeNames(null);
    DerOutputStream tmp2 = new DerOutputStream();
    name.getName().encode(tmp2);
    selector.addSubjectAlternativeName(name.getType(), tmp2.toByteArray());
    checkMatch(selector, cert, true);
    // good match 2 (matches at least one)
    selector.setMatchAllSubjectAltNames(false);
    selector.addSubjectAlternativeName(2, "foo.com");
    checkMatch(selector, cert, true);
}
Also used : GeneralNameInterface(sun.security.x509.GeneralNameInterface) GeneralNames(sun.security.x509.GeneralNames) DerOutputStream(sun.security.util.DerOutputStream) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) X509CertSelector(java.security.cert.X509CertSelector) DerInputStream(sun.security.util.DerInputStream) GeneralName(sun.security.x509.GeneralName) DNSName(sun.security.x509.DNSName)

Example 34 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project athenz by yahoo.

the class ZTSClient method getAWSLambdaServiceCertificate.

/**
 * For AWS Lambda functions generate a new private key, request a
 * x.509 certificate based on the requested CSR and return both to
 * the client in order to establish tls connections with other
 * Athenz enabled services.
 * @param domainName name of the domain
 * @param serviceName name of the service
 * @param account AWS account name that the function runs in
 * @param provider name of the provider service for AWS Lambda
 * @return AWSLambdaIdentity with private key and certificate
 */
public AWSLambdaIdentity getAWSLambdaServiceCertificate(String domainName, String serviceName, String account, String provider) {
    if (domainName == null || serviceName == null) {
        throw new IllegalArgumentException("Domain and Service must be specified");
    }
    if (account == null || provider == null) {
        throw new IllegalArgumentException("AWS Account and Provider must be specified");
    }
    if (x509CsrDomain == null) {
        throw new IllegalArgumentException("X509 CSR Domain must be specified");
    }
    // first we're going to generate a private key for the request
    AWSLambdaIdentity lambdaIdentity = new AWSLambdaIdentity();
    try {
        lambdaIdentity.setPrivateKey(Crypto.generateRSAPrivateKey(2048));
    } catch (CryptoException ex) {
        throw new ZTSClientException(ZTSClientException.BAD_REQUEST, ex.getMessage());
    }
    // we need to generate an csr with an instance register object
    InstanceRegisterInformation info = new InstanceRegisterInformation();
    info.setDomain(domainName.toLowerCase());
    info.setService(serviceName.toLowerCase());
    info.setProvider(provider.toLowerCase());
    final String athenzService = info.getDomain() + "." + info.getService();
    // generate our dn which will be based on our service name
    StringBuilder dnBuilder = new StringBuilder(128);
    dnBuilder.append("cn=");
    dnBuilder.append(athenzService);
    if (x509CsrDn != null) {
        dnBuilder.append(',');
        dnBuilder.append(x509CsrDn);
    }
    // now let's generate our dsnName field based on our principal's details
    StringBuilder hostBuilder = new StringBuilder(128);
    hostBuilder.append(info.getService());
    hostBuilder.append('.');
    hostBuilder.append(info.getDomain().replace('.', '-'));
    hostBuilder.append('.');
    hostBuilder.append(x509CsrDomain);
    StringBuilder instanceHostBuilder = new StringBuilder(128);
    instanceHostBuilder.append("lambda-");
    instanceHostBuilder.append(account);
    instanceHostBuilder.append('-');
    instanceHostBuilder.append(info.getService());
    instanceHostBuilder.append(".instanceid.athenz.");
    instanceHostBuilder.append(x509CsrDomain);
    GeneralName[] sanArray = new GeneralName[2];
    sanArray[0] = new GeneralName(GeneralName.dNSName, new DERIA5String(hostBuilder.toString()));
    sanArray[1] = new GeneralName(GeneralName.dNSName, new DERIA5String(instanceHostBuilder.toString()));
    try {
        info.setCsr(Crypto.generateX509CSR(lambdaIdentity.getPrivateKey(), dnBuilder.toString(), sanArray));
    } catch (OperatorCreationException | IOException ex) {
        throw new ZTSClientException(ZTSClientException.BAD_REQUEST, ex.getMessage());
    }
    // finally obtain attestation data for lambda
    info.setAttestationData(getAWSLambdaAttestationData(athenzService, account));
    // request the x.509 certificate from zts server
    Map<String, List<String>> responseHeaders = new HashMap<>();
    InstanceIdentity identity = postInstanceRegisterInformation(info, responseHeaders);
    try {
        lambdaIdentity.setX509Certificate(Crypto.loadX509Certificate(identity.getX509Certificate()));
    } catch (CryptoException ex) {
        throw new ZTSClientException(ZTSClientException.BAD_REQUEST, ex.getMessage());
    }
    return lambdaIdentity;
}
Also used : ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) HashMap(java.util.HashMap) DERIA5String(org.bouncycastle.asn1.DERIA5String) IOException(java.io.IOException) DERIA5String(org.bouncycastle.asn1.DERIA5String) List(java.util.List) ArrayList(java.util.ArrayList) GeneralName(org.bouncycastle.asn1.x509.GeneralName) CryptoException(com.yahoo.athenz.auth.util.CryptoException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)

Example 35 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project athenz by yahoo.

the class CryptoTest method testX509CSRrequest.

@Test(dataProvider = "x500Principal")
public void testX509CSRrequest(String x500Principal, boolean badRequest) throws Exception {
    PublicKey publicKey = Crypto.loadPublicKey(rsaPublicKey);
    PrivateKey privateKey = Crypto.loadPrivateKey(rsaPrivateKey);
    String certRequest = null;
    GeneralName otherName1 = new GeneralName(GeneralName.otherName, new DERIA5String("role1"));
    GeneralName otherName2 = new GeneralName(GeneralName.otherName, new DERIA5String("role2"));
    GeneralName[] sanArray = new GeneralName[] { otherName1, otherName2 };
    try {
        certRequest = Crypto.generateX509CSR(privateKey, publicKey, x500Principal, sanArray);
    } catch (Exception e) {
        if (!badRequest) {
            fail("Should not have failed to create csr");
        }
    }
    if (!badRequest) {
        // Now validate the csr
        Crypto.getPKCS10CertRequest(certRequest);
    }
}
Also used : PrivateKey(java.security.PrivateKey) DERIA5String(org.bouncycastle.asn1.DERIA5String) PublicKey(java.security.PublicKey) DERIA5String(org.bouncycastle.asn1.DERIA5String) GeneralName(org.bouncycastle.asn1.x509.GeneralName) IOException(java.io.IOException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CryptoException(com.yahoo.athenz.auth.util.CryptoException) Test(org.testng.annotations.Test)

Aggregations

GeneralName (org.bouncycastle.asn1.x509.GeneralName)125 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)58 IOException (java.io.IOException)50 DERIA5String (org.bouncycastle.asn1.DERIA5String)36 ArrayList (java.util.ArrayList)34 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)32 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)31 X500Name (org.bouncycastle.asn1.x500.X500Name)30 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)28 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)27 X509Certificate (java.security.cert.X509Certificate)25 DEROctetString (org.bouncycastle.asn1.DEROctetString)24 List (java.util.List)21 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)19 Date (java.util.Date)18 GeneralName (org.apache.harmony.security.x509.GeneralName)18 DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)18 DERSequence (org.bouncycastle.asn1.DERSequence)17 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)16 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)16