Example 1 with ASN1Encodable
use of org.bouncycastle.asn1.ASN1Encodable in project OpenAttestation by OpenAttestation.
the class X509AttributeCertificate method valueOf.
/**
*
* @param encodedCertificate
* @return
*/
@JsonCreator
public static X509AttributeCertificate valueOf(@JsonProperty("encoded") byte[] encodedCertificate) {
X509AttributeCertificate result = new X509AttributeCertificate(encodedCertificate);
X509AttributeCertificateHolder cert;
try {
cert = new X509AttributeCertificateHolder(encodedCertificate);
} catch (IOException e) {
throw new IllegalArgumentException(e);
}
// calls toString() on each X500Name so we get the default representation; we can do it ourselves for custom display; output example: CN=Attr CA,OU=CPG,OU=DCSG,O=Intel,ST=CA,C=US
log.debug("issuer: {}", StringUtils.join(cert.getIssuer().getNames(), "; "));
// but expected to be only one
result.issuer = StringUtils.join(cert.getIssuer().getNames(), "; ");
// output example: 1
log.debug("serial number: {}", cert.getSerialNumber().toString());
result.serialNumber = cert.getSerialNumber();
// output example: 2.25=#041092a71a228c174522a18bfd3ed3d00b39
log.debug("holder: {}", StringUtils.join(cert.getHolder().getEntityNames(), ", "));
// now let's get the UUID specifically out of this
log.debug("holder has {} entity names", cert.getHolder().getEntityNames().length);
for (X500Name entityName : cert.getHolder().getEntityNames()) {
log.debug("holder entity name has {} rdns", entityName.getRDNs().length);
for (RDN rdn : entityName.getRDNs()) {
log.debug("entity rdn is multivalued? {}", rdn.isMultiValued());
AttributeTypeAndValue attr = rdn.getFirst();
if (attr.getType().toString().equals(OID.HOST_UUID)) {
UUID uuid = UUID.valueOf(DEROctetString.getInstance(attr.getValue()).getOctets());
log.debug("holder uuid: {}", uuid);
// example: 33766a63-5c55-4461-8a84-5936577df450
result.subject = uuid.toString();
}
}
}
// if we ddin't identify the UUID, just display the subject same way we did the issuer... concat all the entity names. example: 2.25=#041033766a635c5544618a845936577df450 (notice that in the value, there's a #0410 prepended to the uuid 33766a635c5544618a845936577df450)
if (result.subject == null) {
result.subject = StringUtils.join(cert.getHolder().getEntityNames(), "; ");
}
// output example: Thu Aug 08 15:21:13 PDT 2013
log.debug("not before: {}", cert.getNotBefore());
// output example: Sun Sep 08 15:21:13 PDT 2013
log.debug("not after: {}", cert.getNotAfter());
result.notBefore = cert.getNotBefore();
result.notAfter = cert.getNotAfter();
Attribute[] attributes = cert.getAttributes();
result.tags1 = new ArrayList<UTF8NameValueMicroformat>();
result.tags2 = new ArrayList<UTF8NameValueSequence>();
result.tagsOther = new ArrayList<ASN1Encodable>();
for (Attribute attr : attributes) {
log.debug("attr {} is {}", attr.hashCode(), attr.toString());
result.attributes.add(attr);
for (ASN1Encodable value : attr.getAttributeValues()) {
// result.tags.add(new AttributeOidAndValue(attr.getAttrType().toString(), DERUTF8String.getInstance(value).getString()));
if (attr.getAttrType().toString().equals(UTF8NameValueMicroformat.OID)) {
// our values are just UTF-8 strings but if you use new String(value.getEncoded()) you will get two extra spaces at the beginning of the string
log.debug("name-value microformat attribute: {}", DERUTF8String.getInstance(value).getString());
UTF8NameValueMicroformat microformat = new UTF8NameValueMicroformat(DERUTF8String.getInstance(value));
log.debug("name-value microformat attribute (2) name {} value {}", microformat.getName(), microformat.getValue());
result.tags1.add(microformat);
} else if (attr.getAttrType().toString().equals(UTF8NameValueSequence.OID)) {
UTF8NameValueSequence sequence = new UTF8NameValueSequence(ASN1Sequence.getInstance(value));
String name = sequence.getName();
List<String> values = sequence.getValues();
log.debug("name-values asn.1 attribute {} values {}", name, values);
result.tags2.add(sequence);
} else {
log.debug("unrecognzied attribute type {}", attr.getAttrType().toString());
result.tagsOther.add(value);
}
/*
* output examples:
* attribute: 1.3.6.1.4.1.99999.1.1.1.1 is US
* attribute: 1.3.6.1.4.1.99999.2.2.2.2 is CA
* attribute: 1.3.6.1.4.1.99999.3.3.3.3 is Folsom
*/
}
}
log.debug("valueOf ok");
return result;
}
Also used :
Attribute(org.bouncycastle.asn1.x509.Attribute)
X509AttributeCertificateHolder(org.bouncycastle.cert.X509AttributeCertificateHolder)
IOException(java.io.IOException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
AttributeTypeAndValue(org.bouncycastle.asn1.x500.AttributeTypeAndValue)
ArrayList(java.util.ArrayList)
List(java.util.List)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
UUID(com.intel.mtwilson.util.io.UUID)
RDN(org.bouncycastle.asn1.x500.RDN)
JsonCreator(org.codehaus.jackson.annotate.JsonCreator)
Example 2 with ASN1Encodable
use of org.bouncycastle.asn1.ASN1Encodable in project OpenAttestation by OpenAttestation.
the class CertificateRepository method create.
@Override
public // @RequiresPermissions("tag_certificates:create")
void create(Certificate item) {
log.debug("Certificate:Create - Got request to create a new Certificate {}.", item.getId().toString());
CertificateLocator locator = new CertificateLocator();
locator.id = item.getId();
try (CertificateDAO dao = TagJdbi.certificateDao()) {
Certificate newCert = dao.findById(item.getId());
if (newCert == null) {
newCert = Certificate.valueOf(item.getCertificate());
dao.insert(item.getId(), newCert.getCertificate(), newCert.getSha1().toHexString(), newCert.getSha256().toHexString(), newCert.getSubject(), newCert.getIssuer(), newCert.getNotBefore(), newCert.getNotAfter());
log.debug("Certificate:Create - Created the Certificate {} successfully.", item.getId().toString());
} else {
log.error("Certificate:Create - Certificate {} will not be created since a duplicate Certificate already exists.", item.getId().toString());
throw new RepositoryCreateConflictException(locator);
}
} catch (RepositoryException re) {
throw re;
} catch (Exception ex) {
log.error("Certificate:Create - Error during certificate creation.", ex);
throw new RepositoryCreateException(ex, locator);
}
//Store tag values from Certificate
try {
log.info("Tags from certificate will now be stored");
KvAttributeRepository repository = new KvAttributeRepository();
KvAttribute kvAttrib = new KvAttribute();
if (kvAttrib == null || repository == null)
log.debug("kvAttrib or repository Obj is null, unable to store certificate tags");
else {
List<Attribute> certAttributes = X509AttributeCertificate.valueOf(item.getCertificate()).getAttribute();
for (Attribute attr : certAttributes) {
for (ASN1Encodable value : attr.getAttributeValues()) {
if (attr.getAttrType().toString().equals(UTF8NameValueMicroformat.OID)) {
UTF8NameValueMicroformat microformat = new UTF8NameValueMicroformat(DERUTF8String.getInstance(value));
// Check if that tag with same value already exists
KvAttributeFilterCriteria criteria = new KvAttributeFilterCriteria();
criteria.nameEqualTo = microformat.getName();
criteria.valueEqualTo = microformat.getValue();
KvAttributeCollection results = repository.search(criteria);
if (results.getDocuments().isEmpty()) {
kvAttrib.setId(new UUID());
kvAttrib.setName(microformat.getName());
kvAttrib.setValue(microformat.getValue());
repository.create(kvAttrib);
} else
log.debug("Tag with Name:{} & Value:{} is already stored.", microformat.getName(), microformat.getValue());
}
}
}
}
} catch (Exception e) {
log.error("Certificate:Create - Error during attribute scan", e);
}
}
Also used :
CertificateLocator(com.intel.mtwilson.datatypes.CertificateLocator)
CertificateDAO(com.intel.mtwilson.tag.dao.jdbi.CertificateDAO)
KvAttribute(com.intel.mtwilson.datatypes.KvAttribute)
Attribute(org.bouncycastle.asn1.x509.Attribute)
KvAttribute(com.intel.mtwilson.datatypes.KvAttribute)
RepositoryException(com.intel.mtwilson.tag.repository.RepositoryException)
RepositoryCreateConflictException(com.intel.mtwilson.tag.repository.RepositoryCreateConflictException)
RepositoryCreateException(com.intel.mtwilson.tag.repository.RepositoryCreateException)
RepositoryDeleteException(com.intel.mtwilson.tag.repository.RepositoryDeleteException)
RepositoryStoreException(com.intel.mtwilson.tag.repository.RepositoryStoreException)
RepositoryStoreConflictException(com.intel.mtwilson.tag.repository.RepositoryStoreConflictException)
RepositoryRetrieveException(com.intel.mtwilson.tag.repository.RepositoryRetrieveException)
RepositoryException(com.intel.mtwilson.tag.repository.RepositoryException)
RepositorySearchException(com.intel.mtwilson.tag.repository.RepositorySearchException)
RepositoryCreateConflictException(com.intel.mtwilson.tag.repository.RepositoryCreateConflictException)
KvAttributeCollection(com.intel.mtwilson.datatypes.KvAttributeCollection)
KvAttributeRepository(com.intel.mtwilson.tag.repository.KvAttributeRepository)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
KvAttributeFilterCriteria(com.intel.mtwilson.datatypes.KvAttributeFilterCriteria)
UUID(com.intel.mtwilson.util.io.UUID)
UTF8NameValueMicroformat(com.intel.mtwilson.datatypes.UTF8NameValueMicroformat)
Certificate(com.intel.mtwilson.datatypes.Certificate)
X509AttributeCertificate(com.intel.mtwilson.datatypes.X509AttributeCertificate)
RepositoryCreateException(com.intel.mtwilson.tag.repository.RepositoryCreateException)
Example 3 with ASN1Encodable
use of org.bouncycastle.asn1.ASN1Encodable in project Openfire by igniterealtime.
the class CertificateManagerTest method testServerIdentitiesXmppAddr.
/**
* {@link CertificateManager#getServerIdentities(X509Certificate)} should return:
* <ul>
* <li>the 'xmppAddr' subjectAltName value</li>
* <li>explicitly not the Common Name</li>
* </ul>
*
* when a certificate contains:
* <ul>
* <li>a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr"</li>
* </ul>
*/
@Test
public void testServerIdentitiesXmppAddr() throws Exception {
// Setup fixture.
final String subjectCommonName = "MySubjectCommonName";
final String subjectAltNameXmppAddr = "MySubjectAltNameXmppAddr";
final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(// Issuer
new X500Name("CN=MyIssuer"), // Random serial number
BigInteger.valueOf(Math.abs(new SecureRandom().nextInt())), // Not before 30 days ago
new Date(System.currentTimeMillis() - (1000L * 60 * 60 * 24 * 30)), // Not after 99 days from now
new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 99)), // Subject
new X500Name("CN=" + subjectCommonName), subjectKeyPair.getPublic());
final DERSequence otherName = new DERSequence(new ASN1Encodable[] { XMPP_ADDR_OID, new DERUTF8String(subjectAltNameXmppAddr) });
final GeneralNames subjectAltNames = new GeneralNames(new GeneralName(GeneralName.otherName, otherName));
builder.addExtension(Extension.subjectAlternativeName, true, subjectAltNames);
final X509CertificateHolder certificateHolder = builder.build(contentSigner);
final X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certificateHolder);
// Execute system under test
final List<String> serverIdentities = CertificateManager.getServerIdentities(cert);
// Verify result
assertEquals(1, serverIdentities.size());
assertTrue(serverIdentities.contains(subjectAltNameXmppAddr));
assertFalse(serverIdentities.contains(subjectCommonName));
}
Also used :
SecureRandom(java.security.SecureRandom)
X500Name(org.bouncycastle.asn1.x500.X500Name)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
Test(org.junit.Test)
Example 4 with ASN1Encodable
use of org.bouncycastle.asn1.ASN1Encodable in project Openfire by igniterealtime.
the class CertificateManager method createX509V3Certificate.
/**
* Creates an X509 version3 certificate.
*
* @param kp KeyPair that keeps the public and private keys for the new certificate.
* @param days time to live
* @param issuerBuilder IssuerDN builder
* @param subjectBuilder SubjectDN builder
* @param domain Domain of the server.
* @param signAlgoritm Signature algorithm. This can be either a name or an OID.
* @return X509 V3 Certificate
* @throws GeneralSecurityException
* @throws IOException
*/
public static synchronized X509Certificate createX509V3Certificate(KeyPair kp, int days, X500NameBuilder issuerBuilder, X500NameBuilder subjectBuilder, String domain, String signAlgoritm) throws GeneralSecurityException, IOException {
PublicKey pubKey = kp.getPublic();
PrivateKey privKey = kp.getPrivate();
byte[] serno = new byte[8];
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
random.setSeed((new Date().getTime()));
random.nextBytes(serno);
BigInteger serial = (new java.math.BigInteger(serno)).abs();
X500Name issuerDN = issuerBuilder.build();
X500Name subjectDN = subjectBuilder.build();
// builder
JcaX509v3CertificateBuilder certBuilder = new //
JcaX509v3CertificateBuilder(//
issuerDN, //
serial, //
new Date(), //
new Date(System.currentTimeMillis() + days * (1000L * 60 * 60 * 24)), //
subjectDN, //
pubKey);
// add subjectAlternativeName extension
boolean critical = subjectDN.getRDNs().length == 0;
ASN1Sequence othernameSequence = new DERSequence(new ASN1Encodable[] { new ASN1ObjectIdentifier("1.3.6.1.5.5.7.8.5"), new DERUTF8String(domain) });
GeneralName othernameGN = new GeneralName(GeneralName.otherName, othernameSequence);
GeneralNames subjectAltNames = new GeneralNames(new GeneralName[] { othernameGN });
certBuilder.addExtension(Extension.subjectAlternativeName, critical, subjectAltNames);
// add keyIdentifiers extensions
JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
certBuilder.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(pubKey));
certBuilder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(pubKey));
try {
// build the certificate
ContentSigner signer = new JcaContentSignerBuilder(signAlgoritm).build(privKey);
X509CertificateHolder cert = certBuilder.build(signer);
// verify the validity
if (!cert.isValidOn(new Date())) {
throw new GeneralSecurityException("Certificate validity not valid");
}
// verify the signature (self-signed)
ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder().build(pubKey);
if (!cert.isSignatureValid(verifierProvider)) {
throw new GeneralSecurityException("Certificate signature not valid");
}
return new JcaX509CertificateConverter().getCertificate(cert);
} catch (OperatorCreationException | CertException e) {
throw new GeneralSecurityException(e);
}
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
PrivateKey(java.security.PrivateKey)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
X500Name(org.bouncycastle.asn1.x500.X500Name)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)
PublicKey(java.security.PublicKey)
GeneralSecurityException(java.security.GeneralSecurityException)
ContentSigner(org.bouncycastle.operator.ContentSigner)
SecureRandom(java.security.SecureRandom)
CertException(org.bouncycastle.cert.CertException)
Date(java.util.Date)
JcaContentVerifierProviderBuilder(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
Example 5 with ASN1Encodable
use of org.bouncycastle.asn1.ASN1Encodable in project robovm by robovm.
the class PKIXCertPathValidatorSpi method engineValidate.
// END android-added
public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException {
if (!(params instanceof PKIXParameters)) {
throw new InvalidAlgorithmParameterException("Parameters must be a " + PKIXParameters.class.getName() + " instance.");
}
ExtendedPKIXParameters paramsPKIX;
if (params instanceof ExtendedPKIXParameters) {
paramsPKIX = (ExtendedPKIXParameters) params;
} else {
paramsPKIX = ExtendedPKIXParameters.getInstance((PKIXParameters) params);
}
if (paramsPKIX.getTrustAnchors() == null) {
throw new InvalidAlgorithmParameterException("trustAnchors is null, this is not allowed for certification path validation.");
}
//
// 6.1.1 - inputs
//
//
// (a)
//
List certs = certPath.getCertificates();
int n = certs.size();
if (certs.isEmpty()) {
throw new CertPathValidatorException("Certification path is empty.", null, certPath, 0);
}
// BEGIN android-added
{
X509Certificate cert = (X509Certificate) certs.get(0);
if (cert != null) {
BigInteger serial = cert.getSerialNumber();
if (blacklist.isSerialNumberBlackListed(serial)) {
// emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
String message = "Certificate revocation of serial 0x" + serial.toString(16);
System.out.println(message);
AnnotatedException e = new AnnotatedException(message);
throw new CertPathValidatorException(e.getMessage(), e, certPath, 0);
}
}
}
// END android-added
//
// (b)
//
// Date validDate = CertPathValidatorUtilities.getValidDate(paramsPKIX);
//
// (c)
//
Set userInitialPolicySet = paramsPKIX.getInitialPolicies();
//
// (d)
//
TrustAnchor trust;
try {
trust = CertPathValidatorUtilities.findTrustAnchor((X509Certificate) certs.get(certs.size() - 1), paramsPKIX.getTrustAnchors(), paramsPKIX.getSigProvider());
} catch (AnnotatedException e) {
throw new CertPathValidatorException(e.getMessage(), e, certPath, certs.size() - 1);
}
if (trust == null) {
throw new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
}
//
// (e), (f), (g) are part of the paramsPKIX object.
//
Iterator certIter;
int index = 0;
int i;
// Certificate for each interation of the validation loop
// Signature information for each iteration of the validation loop
//
// 6.1.2 - setup
//
//
// (a)
//
List[] policyNodes = new ArrayList[n + 1];
for (int j = 0; j < policyNodes.length; j++) {
policyNodes[j] = new ArrayList();
}
Set policySet = new HashSet();
policySet.add(RFC3280CertPathUtilities.ANY_POLICY);
PKIXPolicyNode validPolicyTree = new PKIXPolicyNode(new ArrayList(), 0, policySet, null, new HashSet(), RFC3280CertPathUtilities.ANY_POLICY, false);
policyNodes[0].add(validPolicyTree);
//
// (b) and (c)
//
PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator();
// (d)
//
int explicitPolicy;
Set acceptablePolicies = new HashSet();
if (paramsPKIX.isExplicitPolicyRequired()) {
explicitPolicy = 0;
} else {
explicitPolicy = n + 1;
}
//
// (e)
//
int inhibitAnyPolicy;
if (paramsPKIX.isAnyPolicyInhibited()) {
inhibitAnyPolicy = 0;
} else {
inhibitAnyPolicy = n + 1;
}
//
// (f)
//
int policyMapping;
if (paramsPKIX.isPolicyMappingInhibited()) {
policyMapping = 0;
} else {
policyMapping = n + 1;
}
//
// (g), (h), (i), (j)
//
PublicKey workingPublicKey;
X500Principal workingIssuerName;
X509Certificate sign = trust.getTrustedCert();
try {
if (sign != null) {
workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign);
workingPublicKey = sign.getPublicKey();
} else {
workingIssuerName = new X500Principal(trust.getCAName());
workingPublicKey = trust.getCAPublicKey();
}
} catch (IllegalArgumentException ex) {
throw new ExtCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, -1);
}
AlgorithmIdentifier workingAlgId = null;
try {
workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey);
} catch (CertPathValidatorException e) {
throw new ExtCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
}
DERObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.getObjectId();
ASN1Encodable workingPublicKeyParameters = workingAlgId.getParameters();
//
// (k)
//
int maxPathLength = n;
if (paramsPKIX.getTargetConstraints() != null && !paramsPKIX.getTargetConstraints().match((X509Certificate) certs.get(0))) {
throw new ExtCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
}
//
// initialize CertPathChecker's
//
List pathCheckers = paramsPKIX.getCertPathCheckers();
certIter = pathCheckers.iterator();
while (certIter.hasNext()) {
((PKIXCertPathChecker) certIter.next()).init(false);
}
X509Certificate cert = null;
for (index = certs.size() - 1; index >= 0; index--) {
// BEGIN android-added
if (blacklist.isPublicKeyBlackListed(workingPublicKey)) {
// emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
String message = "Certificate revocation of public key " + workingPublicKey;
System.out.println(message);
AnnotatedException e = new AnnotatedException(message);
throw new CertPathValidatorException(e.getMessage(), e, certPath, index);
}
// END android-added
// try
// {
//
// i as defined in the algorithm description
//
i = n - index;
//
// set certificate to be checked in this round
// sign and workingPublicKey and workingIssuerName are set
// at the end of the for loop and initialized the
// first time from the TrustAnchor
//
cert = (X509Certificate) certs.get(index);
boolean verificationAlreadyPerformed = (index == certs.size() - 1);
//
// 6.1.3
//
RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, index, workingPublicKey, verificationAlreadyPerformed, workingIssuerName, sign);
RFC3280CertPathUtilities.processCertBC(certPath, index, nameConstraintValidator);
validPolicyTree = RFC3280CertPathUtilities.processCertD(certPath, index, acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);
validPolicyTree = RFC3280CertPathUtilities.processCertE(certPath, index, validPolicyTree);
RFC3280CertPathUtilities.processCertF(certPath, index, validPolicyTree, explicitPolicy);
if (i != n) {
if (cert != null && cert.getVersion() == 1) {
throw new CertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, index);
}
RFC3280CertPathUtilities.prepareNextCertA(certPath, index);
validPolicyTree = RFC3280CertPathUtilities.prepareCertB(certPath, index, policyNodes, validPolicyTree, policyMapping);
RFC3280CertPathUtilities.prepareNextCertG(certPath, index, nameConstraintValidator);
// (h)
explicitPolicy = RFC3280CertPathUtilities.prepareNextCertH1(certPath, index, explicitPolicy);
policyMapping = RFC3280CertPathUtilities.prepareNextCertH2(certPath, index, policyMapping);
inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertH3(certPath, index, inhibitAnyPolicy);
//
// (i)
//
explicitPolicy = RFC3280CertPathUtilities.prepareNextCertI1(certPath, index, explicitPolicy);
policyMapping = RFC3280CertPathUtilities.prepareNextCertI2(certPath, index, policyMapping);
// (j)
inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertJ(certPath, index, inhibitAnyPolicy);
// (k)
RFC3280CertPathUtilities.prepareNextCertK(certPath, index);
// (l)
maxPathLength = RFC3280CertPathUtilities.prepareNextCertL(certPath, index, maxPathLength);
// (m)
maxPathLength = RFC3280CertPathUtilities.prepareNextCertM(certPath, index, maxPathLength);
// (n)
RFC3280CertPathUtilities.prepareNextCertN(certPath, index);
Set criticalExtensions = cert.getCriticalExtensionOIDs();
if (criticalExtensions != null) {
criticalExtensions = new HashSet(criticalExtensions);
// these extensions are handled by the algorithm
criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE);
criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS);
criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY);
criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT);
criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS);
criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS);
criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME);
criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS);
} else {
criticalExtensions = new HashSet();
}
// (o)
RFC3280CertPathUtilities.prepareNextCertO(certPath, index, criticalExtensions, pathCheckers);
// set signing certificate for next round
sign = cert;
// (c)
workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign);
// (d)
try {
workingPublicKey = CertPathValidatorUtilities.getNextWorkingKey(certPath.getCertificates(), index);
} catch (CertPathValidatorException e) {
throw new CertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
}
workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey);
// (f)
workingPublicKeyAlgorithm = workingAlgId.getObjectId();
// (e)
workingPublicKeyParameters = workingAlgId.getParameters();
}
}
//
// 6.1.5 Wrap-up procedure
//
explicitPolicy = RFC3280CertPathUtilities.wrapupCertA(explicitPolicy, cert);
explicitPolicy = RFC3280CertPathUtilities.wrapupCertB(certPath, index + 1, explicitPolicy);
//
// (c) (d) and (e) are already done
//
//
// (f)
//
Set criticalExtensions = cert.getCriticalExtensionOIDs();
if (criticalExtensions != null) {
criticalExtensions = new HashSet(criticalExtensions);
// these extensions are handled by the algorithm
criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE);
criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS);
criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY);
criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT);
criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS);
criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS);
criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME);
criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS);
criticalExtensions.remove(RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS);
} else {
criticalExtensions = new HashSet();
}
RFC3280CertPathUtilities.wrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);
PKIXPolicyNode intersection = RFC3280CertPathUtilities.wrapupCertG(certPath, paramsPKIX, userInitialPolicySet, index + 1, policyNodes, validPolicyTree, acceptablePolicies);
if ((explicitPolicy > 0) || (intersection != null)) {
return new PKIXCertPathValidatorResult(trust, intersection, cert.getPublicKey());
}
throw new CertPathValidatorException("Path processing failed on policy.", null, certPath, index);
}
Also used :
Set(java.util.Set)
HashSet(java.util.HashSet)
ArrayList(java.util.ArrayList)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
ExtendedPKIXParameters(org.bouncycastle.x509.ExtendedPKIXParameters)
PKIXParameters(java.security.cert.PKIXParameters)
PKIXCertPathChecker(java.security.cert.PKIXCertPathChecker)
Iterator(java.util.Iterator)
ArrayList(java.util.ArrayList)
List(java.util.List)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
HashSet(java.util.HashSet)
InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException)
PublicKey(java.security.PublicKey)
TrustAnchor(java.security.cert.TrustAnchor)
DERObjectIdentifier(org.bouncycastle.asn1.DERObjectIdentifier)
X509Certificate(java.security.cert.X509Certificate)
ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException)
ExtendedPKIXParameters(org.bouncycastle.x509.ExtendedPKIXParameters)
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
BigInteger(java.math.BigInteger)
X500Principal(javax.security.auth.x500.X500Principal)
Aggregations
ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)24
IOException (java.io.IOException)17
ArrayList (java.util.ArrayList)13
List (java.util.List)13
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)11
X500Principal (javax.security.auth.x500.X500Principal)9
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)8
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)8
GeneralName (org.bouncycastle.asn1.x509.GeneralName)8
X509Certificate (java.security.cert.X509Certificate)7
HashSet (java.util.HashSet)7
Set (java.util.Set)7
X962Parameters (org.bouncycastle.asn1.x9.X962Parameters)7
Enumeration (java.util.Enumeration)6
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)6
ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)6
X500Name (org.bouncycastle.asn1.x500.X500Name)6
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)6
Asn1Integer (com.android.hotspot2.asn1.Asn1Integer)5
Asn1Object (com.android.hotspot2.asn1.Asn1Object)5
