use of org.bouncycastle.asn1.ASN1ObjectIdentifier in project xipki by xipki.
the class BaseX509Certprofile method verifySubjectDnOccurence.
protected void verifySubjectDnOccurence(X500Name requestedSubject) throws BadCertTemplateException {
ParamUtil.requireNonNull("requestedSubject", requestedSubject);
SubjectControl occurences = getSubjectControl();
if (occurences == null) {
return;
}
ASN1ObjectIdentifier[] types = requestedSubject.getAttributeTypes();
for (ASN1ObjectIdentifier type : types) {
RdnControl occu = occurences.getControl(type);
if (occu == null) {
throw new BadCertTemplateException(String.format("subject DN of type %s is not allowed", oidToDisplayName(type)));
}
RDN[] rdns = requestedSubject.getRDNs(type);
if (rdns.length > occu.getMaxOccurs() || rdns.length < occu.getMinOccurs()) {
throw new BadCertTemplateException(String.format("occurrence of subject DN of type %s not within the allowed range. " + "%d is not within [%d, %d]", oidToDisplayName(type), rdns.length, occu.getMinOccurs(), occu.getMaxOccurs()));
}
}
for (ASN1ObjectIdentifier m : occurences.getTypes()) {
RdnControl occurence = occurences.getControl(m);
if (occurence.getMinOccurs() == 0) {
continue;
}
boolean present = false;
for (ASN1ObjectIdentifier type : types) {
if (occurence.getType().equals(type)) {
present = true;
break;
}
}
if (!present) {
throw new BadCertTemplateException(String.format("required subject DN of type %s is not present", oidToDisplayName(occurence.getType())));
}
}
}
use of org.bouncycastle.asn1.ASN1ObjectIdentifier in project xipki by xipki.
the class BaseX509Certprofile method getRdns.
private static RDN[] getRdns(RDN[] rdns, ASN1ObjectIdentifier type) {
ParamUtil.requireNonNull("rdns", rdns);
ParamUtil.requireNonNull("type", type);
List<RDN> ret = new ArrayList<>(1);
for (int i = 0; i < rdns.length; i++) {
RDN rdn = rdns[i];
if (rdn.getFirst().getType().equals(type)) {
ret.add(rdn);
}
}
return CollectionUtil.isEmpty(ret) ? null : ret.toArray(new RDN[0]);
}
use of org.bouncycastle.asn1.ASN1ObjectIdentifier in project xipki by xipki.
the class BaseX509Certprofile method checkPublicKey.
@Override
public SubjectPublicKeyInfo checkPublicKey(SubjectPublicKeyInfo publicKey) throws BadCertTemplateException {
ParamUtil.requireNonNull("publicKey", publicKey);
Map<ASN1ObjectIdentifier, KeyParametersOption> keyAlgorithms = getKeyAlgorithms();
if (CollectionUtil.isEmpty(keyAlgorithms)) {
return publicKey;
}
ASN1ObjectIdentifier keyType = publicKey.getAlgorithm().getAlgorithm();
if (!keyAlgorithms.containsKey(keyType)) {
throw new BadCertTemplateException("key type " + keyType.getId() + " is not permitted");
}
KeyParametersOption keyParamsOption = keyAlgorithms.get(keyType);
if (keyParamsOption instanceof AllowAllParametersOption) {
return publicKey;
} else if (keyParamsOption instanceof ECParamatersOption) {
ECParamatersOption ecOption = (ECParamatersOption) keyParamsOption;
// parameters
ASN1Encodable algParam = publicKey.getAlgorithm().getParameters();
ASN1ObjectIdentifier curveOid;
if (algParam instanceof ASN1ObjectIdentifier) {
curveOid = (ASN1ObjectIdentifier) algParam;
if (!ecOption.allowsCurve(curveOid)) {
throw new BadCertTemplateException(String.format("EC curve %s (OID: %s) is not allowed", AlgorithmUtil.getCurveName(curveOid), curveOid.getId()));
}
} else {
throw new BadCertTemplateException("only namedCurve EC public key is supported");
}
// point encoding
if (ecOption.pointEncodings() != null) {
byte[] keyData = publicKey.getPublicKeyData().getBytes();
if (keyData.length < 1) {
throw new BadCertTemplateException("invalid publicKeyData");
}
byte pointEncoding = keyData[0];
if (!ecOption.pointEncodings().contains(pointEncoding)) {
throw new BadCertTemplateException(String.format("not accepted EC point encoding '%s'", pointEncoding));
}
}
byte[] keyData = publicKey.getPublicKeyData().getBytes();
try {
checkEcSubjectPublicKeyInfo(curveOid, keyData);
} catch (BadCertTemplateException ex) {
throw ex;
} catch (Exception ex) {
LogUtil.warn(LOG, ex, "checkEcSubjectPublicKeyInfo");
throw new BadCertTemplateException(String.format("invalid public key: %s", ex.getMessage()));
}
return publicKey;
} else if (keyParamsOption instanceof RSAParametersOption) {
RSAParametersOption rsaOption = (RSAParametersOption) keyParamsOption;
ASN1Integer modulus;
try {
ASN1Sequence seq = ASN1Sequence.getInstance(publicKey.getPublicKeyData().getBytes());
modulus = ASN1Integer.getInstance(seq.getObjectAt(0));
} catch (IllegalArgumentException ex) {
throw new BadCertTemplateException("invalid publicKeyData");
}
int modulusLength = modulus.getPositiveValue().bitLength();
if ((rsaOption.allowsModulusLength(modulusLength))) {
return publicKey;
}
} else if (keyParamsOption instanceof DSAParametersOption) {
DSAParametersOption dsaOption = (DSAParametersOption) keyParamsOption;
ASN1Encodable params = publicKey.getAlgorithm().getParameters();
if (params == null) {
throw new BadCertTemplateException("null Dss-Parms is not permitted");
}
int plength;
int qlength;
try {
ASN1Sequence seq = ASN1Sequence.getInstance(params);
ASN1Integer rsaP = ASN1Integer.getInstance(seq.getObjectAt(0));
ASN1Integer rsaQ = ASN1Integer.getInstance(seq.getObjectAt(1));
plength = rsaP.getPositiveValue().bitLength();
qlength = rsaQ.getPositiveValue().bitLength();
} catch (IllegalArgumentException | ArrayIndexOutOfBoundsException ex) {
throw new BadCertTemplateException("illegal Dss-Parms");
}
boolean match = dsaOption.allowsPlength(plength);
if (match) {
match = dsaOption.allowsQlength(qlength);
}
if (match) {
return publicKey;
}
} else {
throw new RuntimeException(String.format("should not reach here, unknown KeyParametersOption %s", keyParamsOption));
}
throw new BadCertTemplateException("the given publicKey is not permitted");
}
use of org.bouncycastle.asn1.ASN1ObjectIdentifier in project xipki by xipki.
the class BaseX509Certprofile method getSubject.
@Override
public SubjectInfo getSubject(X500Name requestedSubject) throws CertprofileException, BadCertTemplateException {
ParamUtil.requireNonNull("requestedSubject", requestedSubject);
verifySubjectDnOccurence(requestedSubject);
RDN[] requstedRdns = requestedSubject.getRDNs();
SubjectControl scontrol = getSubjectControl();
List<RDN> rdns = new LinkedList<>();
for (ASN1ObjectIdentifier type : scontrol.getTypes()) {
RdnControl control = scontrol.getControl(type);
if (control == null) {
continue;
}
RDN[] thisRdns = getRdns(requstedRdns, type);
if (thisRdns == null) {
continue;
}
int len = thisRdns.length;
if (len == 0) {
continue;
}
if (ObjectIdentifiers.DN_EmailAddress.equals(type)) {
throw new BadCertTemplateException("emailAddress is not allowed");
}
if (len == 1) {
ASN1Encodable rdnValue = thisRdns[0].getFirst().getValue();
RDN rdn;
if (ObjectIdentifiers.DN_DATE_OF_BIRTH.equals(type)) {
rdn = createDateOfBirthRdn(type, rdnValue);
} else if (ObjectIdentifiers.DN_POSTAL_ADDRESS.equals(type)) {
rdn = createPostalAddressRdn(type, rdnValue, control, 0);
} else {
String value = X509Util.rdnValueToString(rdnValue);
rdn = createSubjectRdn(value, type, control, 0);
}
if (rdn != null) {
rdns.add(rdn);
}
} else {
if (ObjectIdentifiers.DN_DATE_OF_BIRTH.equals(type)) {
for (int i = 0; i < len; i++) {
RDN rdn = createDateOfBirthRdn(type, thisRdns[i].getFirst().getValue());
rdns.add(rdn);
}
} else if (ObjectIdentifiers.DN_POSTAL_ADDRESS.equals(type)) {
for (int i = 0; i < len; i++) {
RDN rdn = createPostalAddressRdn(type, thisRdns[i].getFirst().getValue(), control, i);
rdns.add(rdn);
}
} else {
String[] values = new String[len];
for (int i = 0; i < len; i++) {
values[i] = X509Util.rdnValueToString(thisRdns[i].getFirst().getValue());
}
values = sortRdns(control, values);
int idx = 0;
for (String value : values) {
rdns.add(createSubjectRdn(value, type, control, idx++));
}
}
// if
}
// if
}
// for
Set<String> subjectDnGroups = scontrol.getGroups();
if (CollectionUtil.isNonEmpty(subjectDnGroups)) {
Set<String> consideredGroups = new HashSet<>();
final int n = rdns.size();
List<RDN> newRdns = new ArrayList<>(rdns.size());
for (int i = 0; i < n; i++) {
RDN rdn = rdns.get(i);
ASN1ObjectIdentifier type = rdn.getFirst().getType();
String group = scontrol.getGroup(type);
if (group == null) {
newRdns.add(rdn);
} else if (!consideredGroups.contains(group)) {
List<AttributeTypeAndValue> atvs = new LinkedList<>();
atvs.add(rdn.getFirst());
for (int j = i + 1; j < n; j++) {
RDN rdn2 = rdns.get(j);
ASN1ObjectIdentifier type2 = rdn2.getFirst().getType();
String group2 = scontrol.getGroup(type2);
if (group.equals(group2)) {
atvs.add(rdn2.getFirst());
}
}
newRdns.add(new RDN(atvs.toArray(new AttributeTypeAndValue[0])));
consideredGroups.add(group);
}
}
// for
rdns = newRdns;
}
// if
X500Name grantedSubject = new X500Name(rdns.toArray(new RDN[0]));
return new SubjectInfo(grantedSubject, null);
}
use of org.bouncycastle.asn1.ASN1ObjectIdentifier in project xipki by xipki.
the class BaseX509Certprofile method checkEcSubjectPublicKeyInfo.
private static void checkEcSubjectPublicKeyInfo(ASN1ObjectIdentifier curveOid, byte[] encoded) throws BadCertTemplateException {
ParamUtil.requireNonNull("curveOid", curveOid);
ParamUtil.requireNonNull("encoded", encoded);
ParamUtil.requireMin("encoded.length", encoded.length, 1);
Integer expectedLength = ecCurveFieldSizes.get(curveOid);
if (expectedLength == null) {
X9ECParameters ecP = ECUtil.getNamedCurveByOid(curveOid);
ECCurve curve = ecP.getCurve();
expectedLength = (curve.getFieldSize() + 7) / 8;
ecCurveFieldSizes.put(curveOid, expectedLength);
}
switch(encoded[0]) {
// compressed
case 0x02:
case // compressed
0x03:
if (encoded.length != (expectedLength + 1)) {
throw new BadCertTemplateException("incorrect length for compressed encoding");
}
break;
// uncompressed
case 0x04:
// hybrid
case 0x06:
case // hybrid
0x07:
if (encoded.length != (2 * expectedLength + 1)) {
throw new BadCertTemplateException("incorrect length for uncompressed/hybrid encoding");
}
break;
default:
throw new BadCertTemplateException(String.format("invalid point encoding 0x%02x", encoded[0]));
}
}
Aggregations