Search in sources :

Example 41 with GeneralNames

use of de.carne.certmgr.certs.x509.GeneralNames in project xipki by xipki.

the class XmlX509Certprofile method getExtensions.

@Override
public ExtensionValues getExtensions(Map<ASN1ObjectIdentifier, ExtensionControl> extensionOccurences, X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions, Date notBefore, Date notAfter, PublicCaInfo caInfo) throws CertprofileException, BadCertTemplateException {
    ExtensionValues values = new ExtensionValues();
    if (CollectionUtil.isEmpty(extensionOccurences)) {
        return values;
    }
    ParamUtil.requireNonNull("requestedSubject", requestedSubject);
    ParamUtil.requireNonNull("notBefore", notBefore);
    ParamUtil.requireNonNull("notAfter", notAfter);
    Set<ASN1ObjectIdentifier> occurences = new HashSet<>(extensionOccurences.keySet());
    // AuthorityKeyIdentifier
    // processed by the CA
    // SubjectKeyIdentifier
    // processed by the CA
    // KeyUsage
    // processed by the CA
    // CertificatePolicies
    ASN1ObjectIdentifier type = Extension.certificatePolicies;
    if (certificatePolicies != null) {
        if (occurences.remove(type)) {
            values.addExtension(type, certificatePolicies);
        }
    }
    // Policy Mappings
    type = Extension.policyMappings;
    if (policyMappings != null) {
        if (occurences.remove(type)) {
            values.addExtension(type, policyMappings);
        }
    }
    // SubjectAltName
    type = Extension.subjectAlternativeName;
    if (occurences.contains(type)) {
        GeneralNames genNames = createRequestedSubjectAltNames(requestedSubject, grantedSubject, requestedExtensions);
        if (genNames != null) {
            ExtensionValue value = new ExtensionValue(extensionControls.get(type).isCritical(), genNames);
            values.addExtension(type, value);
            occurences.remove(type);
        }
    }
    // IssuerAltName
    // processed by the CA
    // Subject Directory Attributes
    type = Extension.subjectDirectoryAttributes;
    if (occurences.contains(type) && subjectDirAttrsControl != null) {
        Extension extension = (requestedExtensions == null) ? null : requestedExtensions.getExtension(type);
        if (extension == null) {
            throw new BadCertTemplateException("no SubjectDirecotryAttributes extension is contained in the request");
        }
        ASN1GeneralizedTime dateOfBirth = null;
        String placeOfBirth = null;
        String gender = null;
        List<String> countryOfCitizenshipList = new LinkedList<>();
        List<String> countryOfResidenceList = new LinkedList<>();
        Map<ASN1ObjectIdentifier, List<ASN1Encodable>> otherAttrs = new HashMap<>();
        Vector<?> reqSubDirAttrs = SubjectDirectoryAttributes.getInstance(extension.getParsedValue()).getAttributes();
        final int n = reqSubDirAttrs.size();
        for (int i = 0; i < n; i++) {
            Attribute attr = (Attribute) reqSubDirAttrs.get(i);
            ASN1ObjectIdentifier attrType = attr.getAttrType();
            ASN1Encodable attrVal = attr.getAttributeValues()[0];
            if (ObjectIdentifiers.DN_DATE_OF_BIRTH.equals(attrType)) {
                dateOfBirth = ASN1GeneralizedTime.getInstance(attrVal);
            } else if (ObjectIdentifiers.DN_PLACE_OF_BIRTH.equals(attrType)) {
                placeOfBirth = DirectoryString.getInstance(attrVal).getString();
            } else if (ObjectIdentifiers.DN_GENDER.equals(attrType)) {
                gender = DERPrintableString.getInstance(attrVal).getString();
            } else if (ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP.equals(attrType)) {
                String country = DERPrintableString.getInstance(attrVal).getString();
                countryOfCitizenshipList.add(country);
            } else if (ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE.equals(attrType)) {
                String country = DERPrintableString.getInstance(attrVal).getString();
                countryOfResidenceList.add(country);
            } else {
                List<ASN1Encodable> otherAttrVals = otherAttrs.get(attrType);
                if (otherAttrVals == null) {
                    otherAttrVals = new LinkedList<>();
                    otherAttrs.put(attrType, otherAttrVals);
                }
                otherAttrVals.add(attrVal);
            }
        }
        Vector<Attribute> attrs = new Vector<>();
        for (ASN1ObjectIdentifier attrType : subjectDirAttrsControl.getTypes()) {
            if (ObjectIdentifiers.DN_DATE_OF_BIRTH.equals(attrType)) {
                if (dateOfBirth != null) {
                    String timeStirng = dateOfBirth.getTimeString();
                    if (!SubjectDnSpec.PATTERN_DATE_OF_BIRTH.matcher(timeStirng).matches()) {
                        throw new BadCertTemplateException("invalid dateOfBirth " + timeStirng);
                    }
                    attrs.add(new Attribute(attrType, new DERSet(dateOfBirth)));
                    continue;
                }
            } else if (ObjectIdentifiers.DN_PLACE_OF_BIRTH.equals(attrType)) {
                if (placeOfBirth != null) {
                    ASN1Encodable attrVal = new DERUTF8String(placeOfBirth);
                    attrs.add(new Attribute(attrType, new DERSet(attrVal)));
                    continue;
                }
            } else if (ObjectIdentifiers.DN_GENDER.equals(attrType)) {
                if (gender != null && !gender.isEmpty()) {
                    char ch = gender.charAt(0);
                    if (!(gender.length() == 1 && (ch == 'f' || ch == 'F' || ch == 'm' || ch == 'M'))) {
                        throw new BadCertTemplateException("invalid gender " + gender);
                    }
                    ASN1Encodable attrVal = new DERPrintableString(gender);
                    attrs.add(new Attribute(attrType, new DERSet(attrVal)));
                    continue;
                }
            } else if (ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP.equals(attrType)) {
                if (!countryOfCitizenshipList.isEmpty()) {
                    for (String country : countryOfCitizenshipList) {
                        if (!SubjectDnSpec.isValidCountryAreaCode(country)) {
                            throw new BadCertTemplateException("invalid countryOfCitizenship code " + country);
                        }
                        ASN1Encodable attrVal = new DERPrintableString(country);
                        attrs.add(new Attribute(attrType, new DERSet(attrVal)));
                    }
                    continue;
                }
            } else if (ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE.equals(attrType)) {
                if (!countryOfResidenceList.isEmpty()) {
                    for (String country : countryOfResidenceList) {
                        if (!SubjectDnSpec.isValidCountryAreaCode(country)) {
                            throw new BadCertTemplateException("invalid countryOfResidence code " + country);
                        }
                        ASN1Encodable attrVal = new DERPrintableString(country);
                        attrs.add(new Attribute(attrType, new DERSet(attrVal)));
                    }
                    continue;
                }
            } else if (otherAttrs.containsKey(attrType)) {
                for (ASN1Encodable attrVal : otherAttrs.get(attrType)) {
                    attrs.add(new Attribute(attrType, new DERSet(attrVal)));
                }
                continue;
            }
            throw new BadCertTemplateException("could not process type " + attrType.getId() + " in extension SubjectDirectoryAttributes");
        }
        SubjectDirectoryAttributes subjDirAttrs = new SubjectDirectoryAttributes(attrs);
        ExtensionValue extValue = new ExtensionValue(extensionControls.get(type).isCritical(), subjDirAttrs);
        values.addExtension(type, extValue);
        occurences.remove(type);
    }
    // Basic Constraints
    // processed by the CA
    // Name Constraints
    type = Extension.nameConstraints;
    if (nameConstraints != null) {
        if (occurences.remove(type)) {
            values.addExtension(type, nameConstraints);
        }
    }
    // PolicyConstrains
    type = Extension.policyConstraints;
    if (policyConstraints != null) {
        if (occurences.remove(type)) {
            values.addExtension(type, policyConstraints);
        }
    }
    // ExtendedKeyUsage
    // processed by CA
    // CRL Distribution Points
    // processed by the CA
    // Inhibit anyPolicy
    type = Extension.inhibitAnyPolicy;
    if (inhibitAnyPolicy != null) {
        if (occurences.remove(type)) {
            values.addExtension(type, inhibitAnyPolicy);
        }
    }
    // Freshest CRL
    // processed by the CA
    // Authority Information Access
    // processed by the CA
    // Subject Information Access
    // processed by the CA
    // Admission
    type = ObjectIdentifiers.id_extension_admission;
    if (occurences.contains(type) && admission != null) {
        if (admission.isInputFromRequestRequired()) {
            Extension extension = (requestedExtensions == null) ? null : requestedExtensions.getExtension(type);
            if (extension == null) {
                throw new BadCertTemplateException("No Admission extension is contained in the request");
            }
            Admissions[] reqAdmissions = org.bouncycastle.asn1.isismtt.x509.AdmissionSyntax.getInstance(extension.getParsedValue()).getContentsOfAdmissions();
            final int n = reqAdmissions.length;
            List<List<String>> reqRegNumsList = new ArrayList<>(n);
            for (int i = 0; i < n; i++) {
                Admissions reqAdmission = reqAdmissions[i];
                ProfessionInfo[] reqPis = reqAdmission.getProfessionInfos();
                List<String> reqNums = new ArrayList<>(reqPis.length);
                reqRegNumsList.add(reqNums);
                for (ProfessionInfo reqPi : reqPis) {
                    String reqNum = reqPi.getRegistrationNumber();
                    reqNums.add(reqNum);
                }
            }
            values.addExtension(type, admission.getExtensionValue(reqRegNumsList));
            occurences.remove(type);
        } else {
            values.addExtension(type, admission.getExtensionValue(null));
            occurences.remove(type);
        }
    }
    // OCSP Nocheck
    // processed by the CA
    // restriction
    type = ObjectIdentifiers.id_extension_restriction;
    if (restriction != null) {
        if (occurences.remove(type)) {
            values.addExtension(type, restriction);
        }
    }
    // AdditionalInformation
    type = ObjectIdentifiers.id_extension_additionalInformation;
    if (additionalInformation != null) {
        if (occurences.remove(type)) {
            values.addExtension(type, additionalInformation);
        }
    }
    // ValidityModel
    type = ObjectIdentifiers.id_extension_validityModel;
    if (validityModel != null) {
        if (occurences.remove(type)) {
            values.addExtension(type, validityModel);
        }
    }
    // PrivateKeyUsagePeriod
    type = Extension.privateKeyUsagePeriod;
    if (occurences.contains(type)) {
        Date tmpNotAfter;
        if (privateKeyUsagePeriod == null) {
            tmpNotAfter = notAfter;
        } else {
            tmpNotAfter = privateKeyUsagePeriod.add(notBefore);
            if (tmpNotAfter.after(notAfter)) {
                tmpNotAfter = notAfter;
            }
        }
        ASN1EncodableVector vec = new ASN1EncodableVector();
        vec.add(new DERTaggedObject(false, 0, new DERGeneralizedTime(notBefore)));
        vec.add(new DERTaggedObject(false, 1, new DERGeneralizedTime(tmpNotAfter)));
        ExtensionValue extValue = new ExtensionValue(extensionControls.get(type).isCritical(), new DERSequence(vec));
        values.addExtension(type, extValue);
        occurences.remove(type);
    }
    // QCStatements
    type = Extension.qCStatements;
    if (occurences.contains(type) && (qcStatments != null || qcStatementsOption != null)) {
        if (qcStatments != null) {
            values.addExtension(type, qcStatments);
            occurences.remove(type);
        } else if (requestedExtensions != null && qcStatementsOption != null) {
            // extract the euLimit data from request
            Extension extension = requestedExtensions.getExtension(type);
            if (extension == null) {
                throw new BadCertTemplateException("No QCStatement extension is contained in the request");
            }
            ASN1Sequence seq = ASN1Sequence.getInstance(extension.getParsedValue());
            Map<String, int[]> qcEuLimits = new HashMap<>();
            final int n = seq.size();
            for (int i = 0; i < n; i++) {
                QCStatement stmt = QCStatement.getInstance(seq.getObjectAt(i));
                if (!ObjectIdentifiers.id_etsi_qcs_QcLimitValue.equals(stmt.getStatementId())) {
                    continue;
                }
                MonetaryValue monetaryValue = MonetaryValue.getInstance(stmt.getStatementInfo());
                int amount = monetaryValue.getAmount().intValue();
                int exponent = monetaryValue.getExponent().intValue();
                Iso4217CurrencyCode currency = monetaryValue.getCurrency();
                String currencyS = currency.isAlphabetic() ? currency.getAlphabetic().toUpperCase() : Integer.toString(currency.getNumeric());
                qcEuLimits.put(currencyS, new int[] { amount, exponent });
            }
            ASN1EncodableVector vec = new ASN1EncodableVector();
            for (QcStatementOption m : qcStatementsOption) {
                if (m.getStatement() != null) {
                    vec.add(m.getStatement());
                    continue;
                }
                MonetaryValueOption monetaryOption = m.getMonetaryValueOption();
                String currencyS = monetaryOption.getCurrencyString();
                int[] limit = qcEuLimits.get(currencyS);
                if (limit == null) {
                    throw new BadCertTemplateException("no EuLimitValue is specified for currency '" + currencyS + "'");
                }
                int amount = limit[0];
                Range2Type range = monetaryOption.getAmountRange();
                if (amount < range.getMin() || amount > range.getMax()) {
                    throw new BadCertTemplateException("amount for currency '" + currencyS + "' is not within [" + range.getMin() + ", " + range.getMax() + "]");
                }
                int exponent = limit[1];
                range = monetaryOption.getExponentRange();
                if (exponent < range.getMin() || exponent > range.getMax()) {
                    throw new BadCertTemplateException("exponent for currency '" + currencyS + "' is not within [" + range.getMin() + ", " + range.getMax() + "]");
                }
                MonetaryValue monetaryVale = new MonetaryValue(monetaryOption.getCurrency(), amount, exponent);
                QCStatement qcStatment = new QCStatement(m.getStatementId(), monetaryVale);
                vec.add(qcStatment);
            }
            ExtensionValue extValue = new ExtensionValue(extensionControls.get(type).isCritical(), new DERSequence(vec));
            values.addExtension(type, extValue);
            occurences.remove(type);
        } else {
            throw new RuntimeException("should not reach here");
        }
    }
    // BiometricData
    type = Extension.biometricInfo;
    if (occurences.contains(type) && biometricInfo != null) {
        Extension extension = (requestedExtensions == null) ? null : requestedExtensions.getExtension(type);
        if (extension == null) {
            throw new BadCertTemplateException("no biometricInfo extension is contained in the request");
        }
        ASN1Sequence seq = ASN1Sequence.getInstance(extension.getParsedValue());
        final int n = seq.size();
        if (n < 1) {
            throw new BadCertTemplateException("biometricInfo extension in request contains empty sequence");
        }
        ASN1EncodableVector vec = new ASN1EncodableVector();
        for (int i = 0; i < n; i++) {
            BiometricData bd = BiometricData.getInstance(seq.getObjectAt(i));
            TypeOfBiometricData bdType = bd.getTypeOfBiometricData();
            if (!biometricInfo.isTypePermitted(bdType)) {
                throw new BadCertTemplateException("biometricInfo[" + i + "].typeOfBiometricData is not permitted");
            }
            ASN1ObjectIdentifier hashAlgo = bd.getHashAlgorithm().getAlgorithm();
            if (!biometricInfo.isHashAlgorithmPermitted(hashAlgo)) {
                throw new BadCertTemplateException("biometricInfo[" + i + "].hashAlgorithm is not permitted");
            }
            int expHashValueSize;
            try {
                expHashValueSize = AlgorithmUtil.getHashOutputSizeInOctets(hashAlgo);
            } catch (NoSuchAlgorithmException ex) {
                throw new CertprofileException("should not happen, unknown hash algorithm " + hashAlgo);
            }
            byte[] hashValue = bd.getBiometricDataHash().getOctets();
            if (hashValue.length != expHashValueSize) {
                throw new BadCertTemplateException("biometricInfo[" + i + "].biometricDataHash has incorrect length");
            }
            DERIA5String sourceDataUri = bd.getSourceDataUri();
            switch(biometricInfo.getSourceDataUriOccurrence()) {
                case FORBIDDEN:
                    sourceDataUri = null;
                    break;
                case REQUIRED:
                    if (sourceDataUri == null) {
                        throw new BadCertTemplateException("biometricInfo[" + i + "].sourceDataUri is not specified in request but is required");
                    }
                    break;
                case OPTIONAL:
                    break;
                default:
                    throw new BadCertTemplateException("could not reach here, unknown tripleState");
            }
            AlgorithmIdentifier newHashAlg = new AlgorithmIdentifier(hashAlgo, DERNull.INSTANCE);
            BiometricData newBiometricData = new BiometricData(bdType, newHashAlg, new DEROctetString(hashValue), sourceDataUri);
            vec.add(newBiometricData);
        }
        ExtensionValue extValue = new ExtensionValue(extensionControls.get(type).isCritical(), new DERSequence(vec));
        values.addExtension(type, extValue);
        occurences.remove(type);
    }
    // TlsFeature
    type = ObjectIdentifiers.id_pe_tlsfeature;
    if (tlsFeature != null) {
        if (occurences.remove(type)) {
            values.addExtension(type, tlsFeature);
        }
    }
    // AuthorizationTemplate
    type = ObjectIdentifiers.id_xipki_ext_authorizationTemplate;
    if (authorizationTemplate != null) {
        if (occurences.remove(type)) {
            values.addExtension(type, authorizationTemplate);
        }
    }
    // SMIME
    type = ObjectIdentifiers.id_smimeCapabilities;
    if (smimeCapabilities != null) {
        if (occurences.remove(type)) {
            values.addExtension(type, smimeCapabilities);
        }
    }
    // constant extensions
    if (constantExtensions != null) {
        for (ASN1ObjectIdentifier m : constantExtensions.keySet()) {
            if (!occurences.remove(m)) {
                continue;
            }
            ExtensionValue extensionValue = constantExtensions.get(m);
            if (extensionValue != null) {
                values.addExtension(m, extensionValue);
            }
        }
    }
    ExtensionValues extraExtensions = getExtraExtensions(extensionOccurences, requestedSubject, grantedSubject, requestedExtensions, notBefore, notAfter, caInfo);
    if (extraExtensions != null) {
        for (ASN1ObjectIdentifier m : extraExtensions.getExtensionTypes()) {
            values.addExtension(m, extraExtensions.getExtensionValue(m));
        }
    }
    return values;
}
Also used : BiometricData(org.bouncycastle.asn1.x509.qualified.BiometricData) TypeOfBiometricData(org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) DEROctetString(org.bouncycastle.asn1.DEROctetString) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) DERSequence(org.bouncycastle.asn1.DERSequence) ExtensionValue(org.xipki.ca.api.profile.ExtensionValue) DERGeneralizedTime(org.bouncycastle.asn1.DERGeneralizedTime) Range2Type(org.xipki.ca.certprofile.x509.jaxb.Range2Type) CertprofileException(org.xipki.ca.api.profile.CertprofileException) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) ArrayList(java.util.ArrayList) List(java.util.List) LinkedList(java.util.LinkedList) ExtensionValues(org.xipki.ca.api.profile.ExtensionValues) Vector(java.util.Vector) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) TypeOfBiometricData(org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData) HashSet(java.util.HashSet) LinkedList(java.util.LinkedList) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) Map(java.util.Map) HashMap(java.util.HashMap) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) QCStatement(org.bouncycastle.asn1.x509.qualified.QCStatement) Attribute(org.bouncycastle.asn1.x509.Attribute) ASN1GeneralizedTime(org.bouncycastle.asn1.ASN1GeneralizedTime) DERSet(org.bouncycastle.asn1.DERSet) Iso4217CurrencyCode(org.bouncycastle.asn1.x509.qualified.Iso4217CurrencyCode) DERIA5String(org.bouncycastle.asn1.DERIA5String) Admissions(org.bouncycastle.asn1.isismtt.x509.Admissions) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) ProfessionInfo(org.bouncycastle.asn1.isismtt.x509.ProfessionInfo) DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) SubjectDirectoryAttributes(org.bouncycastle.asn1.x509.SubjectDirectoryAttributes) MonetaryValue(org.bouncycastle.asn1.x509.qualified.MonetaryValue) Date(java.util.Date) Extension(org.bouncycastle.asn1.x509.Extension)

Example 42 with GeneralNames

use of de.carne.certmgr.certs.x509.GeneralNames in project xipki by xipki.

the class XmlX509Certprofile method createRequestedSubjectAltNames.

private GeneralNames createRequestedSubjectAltNames(X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions) throws BadCertTemplateException {
    ASN1Encodable extValue = (requestedExtensions == null) ? null : requestedExtensions.getExtensionParsedValue(Extension.subjectAlternativeName);
    if (extValue == null && subjectToSubjectAltNameModes == null) {
        return null;
    }
    GeneralNames reqNames = (extValue == null) ? null : GeneralNames.getInstance(extValue);
    if (subjectAltNameModes == null && subjectToSubjectAltNameModes == null) {
        return reqNames;
    }
    List<GeneralName> grantedNames = new LinkedList<>();
    // copy the required attributes of Subject
    if (subjectToSubjectAltNameModes != null) {
        for (ASN1ObjectIdentifier attrType : subjectToSubjectAltNameModes.keySet()) {
            GeneralNameTag tag = subjectToSubjectAltNameModes.get(attrType);
            RDN[] rdns = grantedSubject.getRDNs(attrType);
            if (rdns == null) {
                rdns = requestedSubject.getRDNs(attrType);
            }
            if (rdns == null) {
                continue;
            }
            for (RDN rdn : rdns) {
                String rdnValue = X509Util.rdnValueToString(rdn.getFirst().getValue());
                switch(tag) {
                    case rfc822Name:
                    case dNSName:
                    case uniformResourceIdentifier:
                    case iPAddress:
                    case directoryName:
                    case registeredID:
                        grantedNames.add(new GeneralName(tag.getTag(), rdnValue));
                        break;
                    default:
                        throw new RuntimeException("should not reach here, unknown GeneralName tag " + tag);
                }
            // end switch (tag)
            }
        }
    }
    // copy the requested SubjectAltName entries
    if (reqNames != null) {
        GeneralName[] reqL = reqNames.getNames();
        for (int i = 0; i < reqL.length; i++) {
            grantedNames.add(X509CertprofileUtil.createGeneralName(reqL[i], subjectAltNameModes));
        }
    }
    return grantedNames.isEmpty() ? null : new GeneralNames(grantedNames.toArray(new GeneralName[0]));
}
Also used : GeneralNameTag(org.xipki.ca.api.profile.GeneralNameTag) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) LinkedList(java.util.LinkedList) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) GeneralName(org.bouncycastle.asn1.x509.GeneralName) RDN(org.bouncycastle.asn1.x500.RDN) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 43 with GeneralNames

use of de.carne.certmgr.certs.x509.GeneralNames in project vespa by vespa-engine.

the class X509CertificateBuilder method build.

public X509Certificate build() {
    try {
        JcaX509v3CertificateBuilder jcaCertBuilder = new JcaX509v3CertificateBuilder(issuer, BigInteger.valueOf(serialNumber), Date.from(notBefore), Date.from(notAfter), subject, certPublicKey);
        if (basicConstraintsExtension != null) {
            jcaCertBuilder.addExtension(Extension.basicConstraints, basicConstraintsExtension.isCritical, new BasicConstraints(basicConstraintsExtension.isCertAuthorityCertificate));
        }
        if (!subjectAlternativeNames.isEmpty()) {
            GeneralNames generalNames = new GeneralNames(subjectAlternativeNames.stream().map(san -> new GeneralName(GeneralName.dNSName, san)).toArray(GeneralName[]::new));
            jcaCertBuilder.addExtension(Extension.subjectAlternativeName, false, generalNames);
        }
        ContentSigner contentSigner = new JcaContentSignerBuilder(signingAlgorithm.getAlgorithmName()).setProvider(BouncyCastleProviderHolder.getInstance()).build(caPrivateKey);
        return new JcaX509CertificateConverter().setProvider(BouncyCastleProviderHolder.getInstance()).getCertificate(jcaCertBuilder.build(contentSigner));
    } catch (OperatorException | GeneralSecurityException e) {
        throw new RuntimeException(e);
    } catch (IOException e) {
        throw new UncheckedIOException(e);
    }
}
Also used : JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) GeneralSecurityException(java.security.GeneralSecurityException) ContentSigner(org.bouncycastle.operator.ContentSigner) UncheckedIOException(java.io.UncheckedIOException) IOException(java.io.IOException) UncheckedIOException(java.io.UncheckedIOException) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) GeneralName(org.bouncycastle.asn1.x509.GeneralName) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) OperatorException(org.bouncycastle.operator.OperatorException)

Example 44 with GeneralNames

use of de.carne.certmgr.certs.x509.GeneralNames in project Bytecoder by mirkosertic.

the class ForwardState method updateState.

/**
 * Update the state with the next certificate added to the path.
 *
 * @param cert the certificate which is used to update the state
 */
@Override
public void updateState(X509Certificate cert) throws CertificateException, IOException, CertPathValidatorException {
    if (cert == null)
        return;
    X509CertImpl icert = X509CertImpl.toImpl(cert);
    /* see if certificate key has null parameters */
    if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) {
        keyParamsNeededFlag = true;
    }
    /* update certificate */
    this.cert = icert;
    /* update issuer DN */
    issuerDN = cert.getIssuerX500Principal();
    if (!X509CertImpl.isSelfIssued(cert)) {
        /*
             * update traversedCACerts only if this is a non-self-issued
             * intermediate CA cert
             */
        if (!init && cert.getBasicConstraints() != -1) {
            traversedCACerts++;
        }
    }
    /* update subjectNamesTraversed only if this is the EE cert or if
           this cert is not self-issued */
    if (init || !X509CertImpl.isSelfIssued(cert)) {
        X500Principal subjName = cert.getSubjectX500Principal();
        subjectNamesTraversed.add(X500Name.asX500Name(subjName));
        try {
            SubjectAlternativeNameExtension subjAltNameExt = icert.getSubjectAlternativeNameExtension();
            if (subjAltNameExt != null) {
                GeneralNames gNames = subjAltNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
                for (GeneralName gName : gNames.names()) {
                    subjectNamesTraversed.add(gName.getName());
                }
            }
        } catch (IOException e) {
            if (debug != null) {
                debug.println("ForwardState.updateState() unexpected " + "exception");
                e.printStackTrace();
            }
            throw new CertPathValidatorException(e);
        }
    }
    init = false;
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) GeneralNames(sun.security.x509.GeneralNames) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) X509CertImpl(sun.security.x509.X509CertImpl) X500Principal(javax.security.auth.x500.X500Principal) GeneralName(sun.security.x509.GeneralName) IOException(java.io.IOException)

Example 45 with GeneralNames

use of de.carne.certmgr.certs.x509.GeneralNames in project Bytecoder by mirkosertic.

the class Builder method targetDistance.

/**
 * Determine how close a given certificate gets you toward
 * a given target.
 *
 * @param constraints Current NameConstraints; if null,
 *        then caller must verify NameConstraints
 *        independently, realizing that this certificate
 *        may not actually lead to the target at all.
 * @param cert Candidate certificate for chain
 * @param target GeneralNameInterface name of target
 * @return distance from this certificate to target:
 * <ul>
 * <li>-1 means certificate could be CA for target, but
 *     there are no NameConstraints limiting how close
 * <li> 0 means certificate subject or subjectAltName
 *      matches target
 * <li> 1 means certificate is permitted to be CA for
 *      target.
 * <li> 2 means certificate is permitted to be CA for
 *      parent of target.
 * <li>&gt;0 in general, means certificate is permitted
 *     to be a CA for this distance higher in the naming
 *     hierarchy than the target, plus 1.
 * </ul>
 * <p>Note that the subject and/or subjectAltName of the
 * candidate cert does not have to be an ancestor of the
 * target in order to be a CA that can issue a certificate to
 * the target. In these cases, the target distance is calculated
 * by inspecting the NameConstraints extension in the candidate
 * certificate. For example, suppose the target is an X.500 DN with
 * a value of "CN=mullan,OU=ireland,O=sun,C=us" and the
 * NameConstraints extension in the candidate certificate
 * includes a permitted component of "O=sun,C=us", which implies
 * that the candidate certificate is allowed to issue certs in
 * the "O=sun,C=us" namespace. The target distance is 3
 * ((distance of permitted NC from target) + 1).
 * The (+1) is added to distinguish the result from the case
 * which returns (0).
 * @throws IOException if certificate does not get closer
 */
static int targetDistance(NameConstraintsExtension constraints, X509Certificate cert, GeneralNameInterface target) throws IOException {
    /* ensure that certificate satisfies existing name constraints */
    if (constraints != null && !constraints.verify(cert)) {
        throw new IOException("certificate does not satisfy existing name " + "constraints");
    }
    X509CertImpl certImpl;
    try {
        certImpl = X509CertImpl.toImpl(cert);
    } catch (CertificateException e) {
        throw new IOException("Invalid certificate", e);
    }
    /* see if certificate subject matches target */
    X500Name subject = X500Name.asX500Name(certImpl.getSubjectX500Principal());
    if (subject.equals(target)) {
        /* match! */
        return 0;
    }
    SubjectAlternativeNameExtension altNameExt = certImpl.getSubjectAlternativeNameExtension();
    if (altNameExt != null) {
        GeneralNames altNames = altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
        /* see if any alternative name matches target */
        if (altNames != null) {
            for (int j = 0, n = altNames.size(); j < n; j++) {
                GeneralNameInterface altName = altNames.get(j).getName();
                if (altName.equals(target)) {
                    return 0;
                }
            }
        }
    }
    /* no exact match; see if certificate can get us to target */
    /* first, get NameConstraints out of certificate */
    NameConstraintsExtension ncExt = certImpl.getNameConstraintsExtension();
    if (ncExt == null) {
        return -1;
    }
    /* merge certificate's NameConstraints with current NameConstraints */
    if (constraints != null) {
        constraints.merge(ncExt);
    } else {
        // Make sure we do a clone here, because we're probably
        // going to modify this object later and we don't want to
        // be sharing it with a Certificate object!
        constraints = (NameConstraintsExtension) ncExt.clone();
    }
    if (debug != null) {
        debug.println("Builder.targetDistance() merged constraints: " + String.valueOf(constraints));
    }
    /* reduce permitted by excluded */
    GeneralSubtrees permitted = constraints.get(NameConstraintsExtension.PERMITTED_SUBTREES);
    GeneralSubtrees excluded = constraints.get(NameConstraintsExtension.EXCLUDED_SUBTREES);
    if (permitted != null) {
        permitted.reduce(excluded);
    }
    if (debug != null) {
        debug.println("Builder.targetDistance() reduced constraints: " + permitted);
    }
    /* see if new merged constraints allow target */
    if (!constraints.verify(target)) {
        throw new IOException("New certificate not allowed to sign " + "certificate for target");
    }
    /* find distance to target, if any, in permitted */
    if (permitted == null) {
        /* certificate is unconstrained; could sign for anything */
        return -1;
    }
    for (int i = 0, n = permitted.size(); i < n; i++) {
        GeneralNameInterface perName = permitted.get(i).getName().getName();
        int distance = distance(perName, target, -1);
        if (distance >= 0) {
            return (distance + 1);
        }
    }
    /* no matching type in permitted; cert holder could certify target */
    return -1;
}
Also used : GeneralNameInterface(sun.security.x509.GeneralNameInterface) GeneralNames(sun.security.x509.GeneralNames) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) X509CertImpl(sun.security.x509.X509CertImpl) GeneralSubtrees(sun.security.x509.GeneralSubtrees) IOException(java.io.IOException) X500Name(sun.security.x509.X500Name) NameConstraintsExtension(sun.security.x509.NameConstraintsExtension)

Aggregations

GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)72 GeneralName (org.bouncycastle.asn1.x509.GeneralName)58 IOException (java.io.IOException)31 X509Certificate (java.security.cert.X509Certificate)22 ArrayList (java.util.ArrayList)19 X500Name (org.bouncycastle.asn1.x500.X500Name)19 DERIA5String (org.bouncycastle.asn1.DERIA5String)14 Date (java.util.Date)13 List (java.util.List)13 DEROctetString (org.bouncycastle.asn1.DEROctetString)13 X500Principal (javax.security.auth.x500.X500Principal)12 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)12 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)12 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)12 GeneralNames (sun.security.x509.GeneralNames)12 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)11 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)11 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)11 Test (org.junit.Test)11 BigInteger (java.math.BigInteger)10