Search in sources :

Example 51 with ASN1Sequence

use of org.bouncycastle.asn1.ASN1Sequence in project XobotOS by xamarin.

the class CertPathValidatorUtilities method prepareNextCertB1.

protected static void prepareNextCertB1(int i, List[] policyNodes, String id_p, Map m_idp, X509Certificate cert) throws AnnotatedException, CertPathValidatorException {
    boolean idp_found = false;
    Iterator nodes_i = policyNodes[i].iterator();
    while (nodes_i.hasNext()) {
        PKIXPolicyNode node = (PKIXPolicyNode) nodes_i.next();
        if (node.getValidPolicy().equals(id_p)) {
            idp_found = true;
            node.expectedPolicies = (Set) m_idp.get(id_p);
            break;
        }
    }
    if (!idp_found) {
        nodes_i = policyNodes[i].iterator();
        while (nodes_i.hasNext()) {
            PKIXPolicyNode node = (PKIXPolicyNode) nodes_i.next();
            if (ANY_POLICY.equals(node.getValidPolicy())) {
                Set pq = null;
                ASN1Sequence policies = null;
                try {
                    policies = DERSequence.getInstance(getExtensionValue(cert, CERTIFICATE_POLICIES));
                } catch (Exception e) {
                    throw new AnnotatedException("Certificate policies cannot be decoded.", e);
                }
                Enumeration e = policies.getObjects();
                while (e.hasMoreElements()) {
                    PolicyInformation pinfo = null;
                    try {
                        pinfo = PolicyInformation.getInstance(e.nextElement());
                    } catch (Exception ex) {
                        throw new AnnotatedException("Policy information cannot be decoded.", ex);
                    }
                    if (ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId())) {
                        try {
                            pq = getQualifierSet(pinfo.getPolicyQualifiers());
                        } catch (CertPathValidatorException ex) {
                            throw new ExtCertPathValidatorException("Policy qualifier info set could not be built.", ex);
                        }
                        break;
                    }
                }
                boolean ci = false;
                if (cert.getCriticalExtensionOIDs() != null) {
                    ci = cert.getCriticalExtensionOIDs().contains(CERTIFICATE_POLICIES);
                }
                PKIXPolicyNode p_node = (PKIXPolicyNode) node.getParent();
                if (ANY_POLICY.equals(p_node.getValidPolicy())) {
                    PKIXPolicyNode c_node = new PKIXPolicyNode(new ArrayList(), i, (Set) m_idp.get(id_p), p_node, pq, id_p, ci);
                    p_node.addChild(c_node);
                    policyNodes[i].add(c_node);
                }
                break;
            }
        }
    }
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) Set(java.util.Set) HashSet(java.util.HashSet) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) Enumeration(java.util.Enumeration) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ParseException(java.text.ParseException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertStoreException(java.security.cert.CertStoreException) CertificateParsingException(java.security.cert.CertificateParsingException) StoreException(org.bouncycastle.util.StoreException) IOException(java.io.IOException)

Example 52 with ASN1Sequence

use of org.bouncycastle.asn1.ASN1Sequence in project XobotOS by xamarin.

the class CertPathValidatorUtilities method getCertStatus.

protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, CertStatus certStatus) throws AnnotatedException {
    // use BC X509CRLObject so that indirect CRLs are supported
    X509CRLObject bcCRL = null;
    try {
        bcCRL = new X509CRLObject(new CertificateList((ASN1Sequence) ASN1Sequence.fromByteArray(crl.getEncoded())));
    } catch (Exception exception) {
        throw new AnnotatedException("Bouncy Castle X509CRLObject could not be created.", exception);
    }
    // use BC X509CRLEntryObject, so that getCertificateIssuer() is
    // supported.
    X509CRLEntryObject crl_entry = (X509CRLEntryObject) bcCRL.getRevokedCertificate(getSerialNumber(cert));
    if (crl_entry != null && (getEncodedIssuerPrincipal(cert).equals(crl_entry.getCertificateIssuer()) || getEncodedIssuerPrincipal(cert).equals(getIssuerPrincipal(crl)))) {
        DEREnumerated reasonCode = null;
        if (crl_entry.hasExtensions()) {
            try {
                reasonCode = DEREnumerated.getInstance(CertPathValidatorUtilities.getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId()));
            } catch (Exception e) {
                new AnnotatedException("Reason code CRL entry extension could not be decoded.", e);
            }
        }
        // unspecified
        if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime()) || reasonCode == null || reasonCode.getValue().intValue() == 0 || reasonCode.getValue().intValue() == 1 || reasonCode.getValue().intValue() == 2 || reasonCode.getValue().intValue() == 8) {
            // (i) or (j) (1)
            if (reasonCode != null) {
                certStatus.setCertStatus(reasonCode.getValue().intValue());
            } else // (i) or (j) (2)
            {
                certStatus.setCertStatus(CRLReason.unspecified);
            }
            certStatus.setRevocationDate(crl_entry.getRevocationDate());
        }
    }
}
Also used : DEREnumerated(org.bouncycastle.asn1.DEREnumerated) CertificateList(org.bouncycastle.asn1.x509.CertificateList) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ParseException(java.text.ParseException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertStoreException(java.security.cert.CertStoreException) CertificateParsingException(java.security.cert.CertificateParsingException) StoreException(org.bouncycastle.util.StoreException) IOException(java.io.IOException)

Example 53 with ASN1Sequence

use of org.bouncycastle.asn1.ASN1Sequence in project XobotOS by xamarin.

the class RFC3280CertPathUtilities method processCertE.

protected static PKIXPolicyNode processCertE(CertPath certPath, int index, PKIXPolicyNode validPolicyTree) throws CertPathValidatorException {
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate) certs.get(index);
    // 
    // (e)
    //
    ASN1Sequence certPolicies = null;
    try {
        certPolicies = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CERTIFICATE_POLICIES));
    } catch (AnnotatedException e) {
        throw new ExtCertPathValidatorException("Could not read certificate policies extension from certificate.", e, certPath, index);
    }
    if (certPolicies == null) {
        validPolicyTree = null;
    }
    return validPolicyTree;
}
Also used : ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) List(java.util.List) ArrayList(java.util.ArrayList) X509Certificate(java.security.cert.X509Certificate)

Example 54 with ASN1Sequence

use of org.bouncycastle.asn1.ASN1Sequence in project XobotOS by xamarin.

the class RFC3280CertPathUtilities method prepareNextCertI1.

protected static int prepareNextCertI1(CertPath certPath, int index, int explicitPolicy) throws CertPathValidatorException {
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate) certs.get(index);
    //
    // (i)
    //
    ASN1Sequence pc = null;
    try {
        pc = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.POLICY_CONSTRAINTS));
    } catch (Exception e) {
        throw new ExtCertPathValidatorException("Policy constraints extension cannot be decoded.", e, certPath, index);
    }
    int tmpInt;
    if (pc != null) {
        Enumeration policyConstraints = pc.getObjects();
        while (policyConstraints.hasMoreElements()) {
            try {
                ASN1TaggedObject constraint = ASN1TaggedObject.getInstance(policyConstraints.nextElement());
                if (constraint.getTagNo() == 0) {
                    tmpInt = DERInteger.getInstance(constraint, false).getValue().intValue();
                    if (tmpInt < explicitPolicy) {
                        return tmpInt;
                    }
                    break;
                }
            } catch (IllegalArgumentException e) {
                throw new ExtCertPathValidatorException("Policy constraints extension contents cannot be decoded.", e, certPath, index);
            }
        }
    }
    return explicitPolicy;
}
Also used : ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) Enumeration(java.util.Enumeration) ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject) List(java.util.List) ArrayList(java.util.ArrayList) X509Certificate(java.security.cert.X509Certificate) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)

Example 55 with ASN1Sequence

use of org.bouncycastle.asn1.ASN1Sequence in project XobotOS by xamarin.

the class RFC3280CertPathUtilities method processCRLB2.

/**
     * If the complete CRL includes an issuing distribution point (IDP) CRL
     * extension check the following:
     * <p/>
     * (i) If the distribution point name is present in the IDP CRL extension
     * and the distribution field is present in the DP, then verify that one of
     * the names in the IDP matches one of the names in the DP. If the
     * distribution point name is present in the IDP CRL extension and the
     * distribution field is omitted from the DP, then verify that one of the
     * names in the IDP matches one of the names in the cRLIssuer field of the
     * DP.
     * </p>
     * <p/>
     * (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL
     * extension, verify that the certificate does not include the basic
     * constraints extension with the cA boolean asserted.
     * </p>
     * <p/>
     * (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL
     * extension, verify that the certificate includes the basic constraints
     * extension with the cA boolean asserted.
     * </p>
     * <p/>
     * (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.
     * </p>
     *
     * @param dp   The distribution point.
     * @param cert The certificate.
     * @param crl  The CRL.
     * @throws AnnotatedException if one of the conditions is not met or an error occurs.
     */
protected static void processCRLB2(DistributionPoint dp, Object cert, X509CRL crl) throws AnnotatedException {
    IssuingDistributionPoint idp = null;
    try {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl, RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    } catch (Exception e) {
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }
    // distribution point name is present
    if (idp != null) {
        if (idp.getDistributionPoint() != null) {
            // make list of names
            DistributionPointName dpName = IssuingDistributionPoint.getInstance(idp).getDistributionPoint();
            List names = new ArrayList();
            if (dpName.getType() == DistributionPointName.FULL_NAME) {
                GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                for (int j = 0; j < genNames.length; j++) {
                    names.add(genNames[j]);
                }
            }
            if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
                ASN1EncodableVector vec = new ASN1EncodableVector();
                try {
                    Enumeration e = ASN1Sequence.getInstance(ASN1Sequence.fromByteArray(CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded())).getObjects();
                    while (e.hasMoreElements()) {
                        vec.add((DEREncodable) e.nextElement());
                    }
                } catch (IOException e) {
                    throw new AnnotatedException("Could not read CRL issuer.", e);
                }
                vec.add(dpName.getName());
                names.add(new GeneralName(X509Name.getInstance(new DERSequence(vec))));
            }
            boolean matches = false;
            // of the names in the DP.
            if (dp.getDistributionPoint() != null) {
                dpName = dp.getDistributionPoint();
                GeneralName[] genNames = null;
                if (dpName.getType() == DistributionPointName.FULL_NAME) {
                    genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                }
                if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
                    if (dp.getCRLIssuer() != null) {
                        genNames = dp.getCRLIssuer().getNames();
                    } else {
                        genNames = new GeneralName[1];
                        try {
                            genNames[0] = new GeneralName(new X509Name((ASN1Sequence) ASN1Sequence.fromByteArray(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded())));
                        } catch (IOException e) {
                            throw new AnnotatedException("Could not read certificate issuer.", e);
                        }
                    }
                    for (int j = 0; j < genNames.length; j++) {
                        Enumeration e = ASN1Sequence.getInstance(genNames[j].getName().getDERObject()).getObjects();
                        ASN1EncodableVector vec = new ASN1EncodableVector();
                        while (e.hasMoreElements()) {
                            vec.add((DEREncodable) e.nextElement());
                        }
                        vec.add(dpName.getName());
                        genNames[j] = new GeneralName(new X509Name(new DERSequence(vec)));
                    }
                }
                if (genNames != null) {
                    for (int j = 0; j < genNames.length; j++) {
                        if (names.contains(genNames[j])) {
                            matches = true;
                            break;
                        }
                    }
                }
                if (!matches) {
                    throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                }
            } else // verify that one of the names in
            // the IDP matches one of the names in the cRLIssuer field of
            // the DP
            {
                if (dp.getCRLIssuer() == null) {
                    throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must " + "be contained in DistributionPoint.");
                }
                GeneralName[] genNames = dp.getCRLIssuer().getNames();
                for (int j = 0; j < genNames.length; j++) {
                    if (names.contains(genNames[j])) {
                        matches = true;
                        break;
                    }
                }
                if (!matches) {
                    throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                }
            }
        }
        BasicConstraints bc = null;
        try {
            bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue((X509Extension) cert, BASIC_CONSTRAINTS));
        } catch (Exception e) {
            throw new AnnotatedException("Basic constraints extension could not be decoded.", e);
        }
        if (cert instanceof X509Certificate) {
            // (b) (2) (ii)
            if (idp.onlyContainsUserCerts() && (bc != null && bc.isCA())) {
                throw new AnnotatedException("CA Cert CRL only contains user certificates.");
            }
            // (b) (2) (iii)
            if (idp.onlyContainsCACerts() && (bc == null || !bc.isCA())) {
                throw new AnnotatedException("End CRL only contains CA certificates.");
            }
        }
        // (b) (2) (iv)
        if (idp.onlyContainsAttributeCerts()) {
            throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
        }
    }
}
Also used : IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) Enumeration(java.util.Enumeration) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) ArrayList(java.util.ArrayList) IOException(java.io.IOException) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) X509Certificate(java.security.cert.X509Certificate) DERSequence(org.bouncycastle.asn1.DERSequence) X509Name(org.bouncycastle.asn1.x509.X509Name) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) List(java.util.List) ArrayList(java.util.ArrayList) GeneralName(org.bouncycastle.asn1.x509.GeneralName) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)

Aggregations

ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)57 IOException (java.io.IOException)42 ArrayList (java.util.ArrayList)31 Enumeration (java.util.Enumeration)30 List (java.util.List)28 X509Certificate (java.security.cert.X509Certificate)25 ExtCertPathValidatorException (org.bouncycastle.jce.exception.ExtCertPathValidatorException)25 CertPathValidatorException (java.security.cert.CertPathValidatorException)21 GeneralSecurityException (java.security.GeneralSecurityException)20 CertificateExpiredException (java.security.cert.CertificateExpiredException)20 CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)20 DERObjectIdentifier (org.bouncycastle.asn1.DERObjectIdentifier)18 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)18 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)18 IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)18 CertPathBuilderException (java.security.cert.CertPathBuilderException)16 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)16 ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)15 HashSet (java.util.HashSet)12 Set (java.util.Set)12