Search in sources :

Example 91 with Request

use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.

the class CmpCaClient method revokeCert.

// method requestCerts
public boolean revokeCert(BigInteger serialNumber, CRLReason reason) throws Exception {
    ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(PKIHeader.CMP_2000, requestorSubject, responderSubject);
    builder.setMessageTime(new Date());
    builder.setTransactionID(randomTransactionId());
    builder.setSenderNonce(randomSenderNonce());
    CertTemplateBuilder certTempBuilder = new CertTemplateBuilder();
    certTempBuilder.setIssuer(caSubject);
    certTempBuilder.setSerialNumber(new ASN1Integer(serialNumber));
    AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(caSubjectKeyIdentifier);
    byte[] encodedAki = aki.getEncoded();
    Extension extAki = new Extension(Extension.authorityKeyIdentifier, false, encodedAki);
    Extensions certTempExts = new Extensions(extAki);
    certTempBuilder.setExtensions(certTempExts);
    ASN1Enumerated asn1Reason = new ASN1Enumerated(reason.getValue().intValue());
    Extensions exts = new Extensions(new Extension(Extension.reasonCode, true, new DEROctetString(asn1Reason.getEncoded())));
    RevDetails revDetails = new RevDetails(certTempBuilder.build(), exts);
    RevReqContent content = new RevReqContent(revDetails);
    builder.setBody(new PKIBody(PKIBody.TYPE_REVOCATION_REQ, content));
    ProtectedPKIMessage request = builder.build(requestorSigner);
    PKIMessage response = transmit(request);
    return parseRevocationResult(response, serialNumber);
}
Also used : ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) Extensions(org.bouncycastle.asn1.x509.Extensions) RevReqContent(org.bouncycastle.asn1.cmp.RevReqContent) Date(java.util.Date) DEROctetString(org.bouncycastle.asn1.DEROctetString) Extension(org.bouncycastle.asn1.x509.Extension) CertTemplateBuilder(org.bouncycastle.asn1.crmf.CertTemplateBuilder) ASN1Enumerated(org.bouncycastle.asn1.ASN1Enumerated) ProtectedPKIMessageBuilder(org.bouncycastle.cert.cmp.ProtectedPKIMessageBuilder) RevDetails(org.bouncycastle.asn1.cmp.RevDetails)

Example 92 with Request

use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.

the class EnrollCertAction method execute0.

@Override
protected Object execute0() throws Exception {
    if (caName != null) {
        caName = caName.toLowerCase();
    }
    CertTemplateBuilder certTemplateBuilder = new CertTemplateBuilder();
    ConcurrentContentSigner signer = getSigner(new SignatureAlgoControl(rsaMgf1, dsaPlain, gm));
    X509CertificateHolder ssCert = signer.getBcCertificate();
    X500Name x500Subject = new X500Name(subject);
    certTemplateBuilder.setSubject(x500Subject);
    certTemplateBuilder.setPublicKey(ssCert.getSubjectPublicKeyInfo());
    if (StringUtil.isNotBlank(notBeforeS) || StringUtil.isNotBlank(notAfterS)) {
        Time notBefore = StringUtil.isNotBlank(notBeforeS) ? new Time(DateUtil.parseUtcTimeyyyyMMddhhmmss(notBeforeS)) : null;
        Time notAfter = StringUtil.isNotBlank(notAfterS) ? new Time(DateUtil.parseUtcTimeyyyyMMddhhmmss(notAfterS)) : null;
        OptionalValidity validity = new OptionalValidity(notBefore, notAfter);
        certTemplateBuilder.setValidity(validity);
    }
    if (needExtensionTypes == null) {
        needExtensionTypes = new LinkedList<>();
    }
    // SubjectAltNames
    List<Extension> extensions = new LinkedList<>();
    if (isNotEmpty(subjectAltNames)) {
        extensions.add(X509Util.createExtnSubjectAltName(subjectAltNames, false));
        needExtensionTypes.add(Extension.subjectAlternativeName.getId());
    }
    // SubjectInfoAccess
    if (isNotEmpty(subjectInfoAccesses)) {
        extensions.add(X509Util.createExtnSubjectInfoAccess(subjectInfoAccesses, false));
        needExtensionTypes.add(Extension.subjectInfoAccess.getId());
    }
    // Keyusage
    if (isNotEmpty(keyusages)) {
        Set<KeyUsage> usages = new HashSet<>();
        for (String usage : keyusages) {
            usages.add(KeyUsage.getKeyUsage(usage));
        }
        org.bouncycastle.asn1.x509.KeyUsage extValue = X509Util.createKeyUsage(usages);
        ASN1ObjectIdentifier extType = Extension.keyUsage;
        extensions.add(new Extension(extType, false, extValue.getEncoded()));
        needExtensionTypes.add(extType.getId());
    }
    // ExtendedKeyusage
    if (isNotEmpty(extkeyusages)) {
        ExtendedKeyUsage extValue = X509Util.createExtendedUsage(textToAsn1ObjectIdentifers(extkeyusages));
        ASN1ObjectIdentifier extType = Extension.extendedKeyUsage;
        extensions.add(new Extension(extType, false, extValue.getEncoded()));
        needExtensionTypes.add(extType.getId());
    }
    // QcEuLimitValue
    if (isNotEmpty(qcEuLimits)) {
        ASN1EncodableVector vec = new ASN1EncodableVector();
        for (String m : qcEuLimits) {
            StringTokenizer st = new StringTokenizer(m, ":");
            try {
                String currencyS = st.nextToken();
                String amountS = st.nextToken();
                String exponentS = st.nextToken();
                Iso4217CurrencyCode currency;
                try {
                    int intValue = Integer.parseInt(currencyS);
                    currency = new Iso4217CurrencyCode(intValue);
                } catch (NumberFormatException ex) {
                    currency = new Iso4217CurrencyCode(currencyS);
                }
                int amount = Integer.parseInt(amountS);
                int exponent = Integer.parseInt(exponentS);
                MonetaryValue monterayValue = new MonetaryValue(currency, amount, exponent);
                QCStatement statment = new QCStatement(ObjectIdentifiers.id_etsi_qcs_QcLimitValue, monterayValue);
                vec.add(statment);
            } catch (Exception ex) {
                throw new Exception("invalid qc-eu-limit '" + m + "'");
            }
        }
        ASN1ObjectIdentifier extType = Extension.qCStatements;
        ASN1Sequence extValue = new DERSequence(vec);
        extensions.add(new Extension(extType, false, extValue.getEncoded()));
        needExtensionTypes.add(extType.getId());
    }
    // biometricInfo
    if (biometricType != null && biometricHashAlgo != null && biometricFile != null) {
        TypeOfBiometricData objBiometricType = StringUtil.isNumber(biometricType) ? new TypeOfBiometricData(Integer.parseInt(biometricType)) : new TypeOfBiometricData(new ASN1ObjectIdentifier(biometricType));
        ASN1ObjectIdentifier objBiometricHashAlgo = AlgorithmUtil.getHashAlg(biometricHashAlgo);
        byte[] biometricBytes = IoUtil.read(biometricFile);
        MessageDigest md = MessageDigest.getInstance(objBiometricHashAlgo.getId());
        md.reset();
        byte[] biometricDataHash = md.digest(biometricBytes);
        DERIA5String sourceDataUri = null;
        if (biometricUri != null) {
            sourceDataUri = new DERIA5String(biometricUri);
        }
        BiometricData biometricData = new BiometricData(objBiometricType, new AlgorithmIdentifier(objBiometricHashAlgo), new DEROctetString(biometricDataHash), sourceDataUri);
        ASN1EncodableVector vec = new ASN1EncodableVector();
        vec.add(biometricData);
        ASN1ObjectIdentifier extType = Extension.biometricInfo;
        ASN1Sequence extValue = new DERSequence(vec);
        extensions.add(new Extension(extType, false, extValue.getEncoded()));
        needExtensionTypes.add(extType.getId());
    } else if (biometricType == null && biometricHashAlgo == null && biometricFile == null) {
    // Do nothing
    } else {
        throw new Exception("either all of biometric triples (type, hash algo, file)" + " must be set or none of them should be set");
    }
    if (isNotEmpty(needExtensionTypes) || isNotEmpty(wantExtensionTypes)) {
        ExtensionExistence ee = new ExtensionExistence(textToAsn1ObjectIdentifers(needExtensionTypes), textToAsn1ObjectIdentifers(wantExtensionTypes));
        extensions.add(new Extension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions, false, ee.toASN1Primitive().getEncoded()));
    }
    if (isNotEmpty(extensions)) {
        Extensions asn1Extensions = new Extensions(extensions.toArray(new Extension[0]));
        certTemplateBuilder.setExtensions(asn1Extensions);
    }
    CertRequest certReq = new CertRequest(1, certTemplateBuilder.build(), null);
    ProofOfPossessionSigningKeyBuilder popoBuilder = new ProofOfPossessionSigningKeyBuilder(certReq);
    ConcurrentBagEntrySigner signer0 = signer.borrowSigner();
    POPOSigningKey popoSk;
    try {
        popoSk = popoBuilder.build(signer0.value());
    } finally {
        signer.requiteSigner(signer0);
    }
    ProofOfPossession popo = new ProofOfPossession(popoSk);
    EnrollCertRequestEntry reqEntry = new EnrollCertRequestEntry("id-1", profile, certReq, popo);
    EnrollCertRequest request = new EnrollCertRequest(EnrollCertRequest.Type.CERT_REQ);
    request.addRequestEntry(reqEntry);
    RequestResponseDebug debug = getRequestResponseDebug();
    EnrollCertResult result;
    try {
        result = caClient.requestCerts(caName, request, debug);
    } finally {
        saveRequestResponse(debug);
    }
    X509Certificate cert = null;
    if (result != null) {
        String id = result.getAllIds().iterator().next();
        CertOrError certOrError = result.getCertOrError(id);
        cert = (X509Certificate) certOrError.getCertificate();
    }
    if (cert == null) {
        throw new CmdFailure("no certificate received from the server");
    }
    File certFile = new File(outputFile);
    saveVerbose("saved certificate to file", certFile, cert.getEncoded());
    return null;
}
Also used : TypeOfBiometricData(org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData) BiometricData(org.bouncycastle.asn1.x509.qualified.BiometricData) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) KeyUsage(org.xipki.security.KeyUsage) X500Name(org.bouncycastle.asn1.x500.X500Name) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DEROctetString(org.bouncycastle.asn1.DEROctetString) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) DERSequence(org.bouncycastle.asn1.DERSequence) EnrollCertRequestEntry(org.xipki.ca.client.api.dto.EnrollCertRequestEntry) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) MessageDigest(java.security.MessageDigest) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) TypeOfBiometricData(org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData) HashSet(java.util.HashSet) RequestResponseDebug(org.xipki.common.RequestResponseDebug) ProofOfPossession(org.bouncycastle.asn1.crmf.ProofOfPossession) LinkedList(java.util.LinkedList) X509Certificate(java.security.cert.X509Certificate) OptionalValidity(org.bouncycastle.asn1.crmf.OptionalValidity) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ProofOfPossessionSigningKeyBuilder(org.bouncycastle.cert.crmf.ProofOfPossessionSigningKeyBuilder) File(java.io.File) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) QCStatement(org.bouncycastle.asn1.x509.qualified.QCStatement) EnrollCertRequest(org.xipki.ca.client.api.dto.EnrollCertRequest) Time(org.bouncycastle.asn1.x509.Time) Extensions(org.bouncycastle.asn1.x509.Extensions) Iso4217CurrencyCode(org.bouncycastle.asn1.x509.qualified.Iso4217CurrencyCode) DERIA5String(org.bouncycastle.asn1.DERIA5String) CertTemplateBuilder(org.bouncycastle.asn1.crmf.CertTemplateBuilder) CmdFailure(org.xipki.console.karaf.CmdFailure) EnrollCertResult(org.xipki.ca.client.api.EnrollCertResult) POPOSigningKey(org.bouncycastle.asn1.crmf.POPOSigningKey) MonetaryValue(org.bouncycastle.asn1.x509.qualified.MonetaryValue) ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner) CertOrError(org.xipki.ca.client.api.CertOrError) ObjectCreationException(org.xipki.common.ObjectCreationException) InvalidOidOrNameException(org.xipki.security.exception.InvalidOidOrNameException) Extension(org.bouncycastle.asn1.x509.Extension) StringTokenizer(java.util.StringTokenizer) ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner) ExtensionExistence(org.xipki.security.ExtensionExistence) EnrollCertRequest(org.xipki.ca.client.api.dto.EnrollCertRequest) CertRequest(org.bouncycastle.asn1.crmf.CertRequest) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) SignatureAlgoControl(org.xipki.security.SignatureAlgoControl)

Example 93 with Request

use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.

the class ExtensionsChecker method checkExtensionQcStatements.

// method checkExtensionPrivateKeyUsagePeriod
private void checkExtensionQcStatements(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    QcStatements conf = qcStatements;
    if (conf == null) {
        byte[] expected = getExpectedExtValue(Extension.qCStatements, requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension values", extensionValue, (expected == null) ? "not present" : hex(expected));
        }
        return;
    }
    final int expSize = conf.getQcStatement().size();
    ASN1Sequence extValue = ASN1Sequence.getInstance(extensionValue);
    final int isSize = extValue.size();
    if (isSize != expSize) {
        addViolation(failureMsg, "number of statements", isSize, expSize);
        return;
    }
    // extract the euLimit and pdsLocations data from request
    Map<String, int[]> reqQcEuLimits = new HashMap<>();
    Extension reqExtension = (requestedExtensions == null) ? null : requestedExtensions.getExtension(Extension.qCStatements);
    if (reqExtension != null) {
        ASN1Sequence seq = ASN1Sequence.getInstance(reqExtension.getParsedValue());
        final int n = seq.size();
        for (int j = 0; j < n; j++) {
            QCStatement stmt = QCStatement.getInstance(seq.getObjectAt(j));
            if (ObjectIdentifiers.id_etsi_qcs_QcLimitValue.equals(stmt.getStatementId())) {
                MonetaryValue monetaryValue = MonetaryValue.getInstance(stmt.getStatementInfo());
                int amount = monetaryValue.getAmount().intValue();
                int exponent = monetaryValue.getExponent().intValue();
                Iso4217CurrencyCode currency = monetaryValue.getCurrency();
                String currencyS = currency.isAlphabetic() ? currency.getAlphabetic().toUpperCase() : Integer.toString(currency.getNumeric());
                reqQcEuLimits.put(currencyS, new int[] { amount, exponent });
            }
        }
    }
    for (int i = 0; i < expSize; i++) {
        QCStatement is = QCStatement.getInstance(extValue.getObjectAt(i));
        QcStatementType exp = conf.getQcStatement().get(i);
        if (!is.getStatementId().getId().equals(exp.getStatementId().getValue())) {
            addViolation(failureMsg, "statmentId[" + i + "]", is.getStatementId().getId(), exp.getStatementId().getValue());
            continue;
        }
        if (exp.getStatementValue() == null) {
            if (is.getStatementInfo() != null) {
                addViolation(failureMsg, "statmentInfo[" + i + "]", "present", "absent");
            }
            continue;
        }
        if (is.getStatementInfo() == null) {
            addViolation(failureMsg, "statmentInfo[" + i + "]", "absent", "present");
            continue;
        }
        QcStatementValueType expStatementValue = exp.getStatementValue();
        try {
            if (expStatementValue.getConstant() != null) {
                byte[] expValue = expStatementValue.getConstant().getValue();
                byte[] isValue = is.getStatementInfo().toASN1Primitive().getEncoded();
                if (!Arrays.equals(isValue, expValue)) {
                    addViolation(failureMsg, "statementInfo[" + i + "]", hex(isValue), hex(expValue));
                }
            } else if (expStatementValue.getQcRetentionPeriod() != null) {
                String isValue = ASN1Integer.getInstance(is.getStatementInfo()).toString();
                String expValue = expStatementValue.getQcRetentionPeriod().toString();
                if (!isValue.equals(expValue)) {
                    addViolation(failureMsg, "statementInfo[" + i + "]", isValue, expValue);
                }
            } else if (expStatementValue.getPdsLocations() != null) {
                Set<String> pdsLocations = new HashSet<>();
                ASN1Sequence pdsLocsSeq = ASN1Sequence.getInstance(is.getStatementInfo());
                int size = pdsLocsSeq.size();
                for (int k = 0; k < size; k++) {
                    ASN1Sequence pdsLocSeq = ASN1Sequence.getInstance(pdsLocsSeq.getObjectAt(k));
                    int size2 = pdsLocSeq.size();
                    if (size2 != 2) {
                        throw new IllegalArgumentException("sequence size is " + size2 + " but expected 2");
                    }
                    String url = DERIA5String.getInstance(pdsLocSeq.getObjectAt(0)).getString();
                    String lang = DERPrintableString.getInstance(pdsLocSeq.getObjectAt(1)).getString();
                    pdsLocations.add("url=" + url + ",lang=" + lang);
                }
                PdsLocationsType pdsLocationsConf = expStatementValue.getPdsLocations();
                Set<String> expectedPdsLocations = new HashSet<>();
                for (PdsLocationType m : pdsLocationsConf.getPdsLocation()) {
                    expectedPdsLocations.add("url=" + m.getUrl() + ",lang=" + m.getLanguage());
                }
                Set<String> diffs = strInBnotInA(expectedPdsLocations, pdsLocations);
                if (CollectionUtil.isNonEmpty(diffs)) {
                    failureMsg.append("statementInfo[").append(i).append("]: ").append(diffs).append(" are present but not expected; ");
                }
                diffs = strInBnotInA(pdsLocations, expectedPdsLocations);
                if (CollectionUtil.isNonEmpty(diffs)) {
                    failureMsg.append("statementInfo[").append(i).append("]: ").append(diffs).append(" are absent but are required; ");
                }
            } else if (expStatementValue.getQcEuLimitValue() != null) {
                QcEuLimitValueType euLimitConf = expStatementValue.getQcEuLimitValue();
                String expCurrency = euLimitConf.getCurrency().toUpperCase();
                int[] expAmountExp = reqQcEuLimits.get(expCurrency);
                Range2Type range = euLimitConf.getAmount();
                int value;
                if (range.getMin() == range.getMax()) {
                    value = range.getMin();
                } else if (expAmountExp != null) {
                    value = expAmountExp[0];
                } else {
                    failureMsg.append("found no QcEuLimit for currency '").append(expCurrency).append("'; ");
                    return;
                }
                // CHECKSTYLE:SKIP
                String expAmount = Integer.toString(value);
                range = euLimitConf.getExponent();
                if (range.getMin() == range.getMax()) {
                    value = range.getMin();
                } else if (expAmountExp != null) {
                    value = expAmountExp[1];
                } else {
                    failureMsg.append("found no QcEuLimit for currency '").append(expCurrency).append("'; ");
                    return;
                }
                String expExponent = Integer.toString(value);
                MonetaryValue monterayValue = MonetaryValue.getInstance(is.getStatementInfo());
                Iso4217CurrencyCode currency = monterayValue.getCurrency();
                String isCurrency = currency.isAlphabetic() ? currency.getAlphabetic() : Integer.toString(currency.getNumeric());
                String isAmount = monterayValue.getAmount().toString();
                String isExponent = monterayValue.getExponent().toString();
                if (!isCurrency.equals(expCurrency)) {
                    addViolation(failureMsg, "statementInfo[" + i + "].qcEuLimit.currency", isCurrency, expCurrency);
                }
                if (!isAmount.equals(expAmount)) {
                    addViolation(failureMsg, "statementInfo[" + i + "].qcEuLimit.amount", isAmount, expAmount);
                }
                if (!isExponent.equals(expExponent)) {
                    addViolation(failureMsg, "statementInfo[" + i + "].qcEuLimit.exponent", isExponent, expExponent);
                }
            } else {
                throw new RuntimeException("statementInfo[" + i + "]should not reach here");
            }
        } catch (IOException ex) {
            failureMsg.append("statementInfo[").append(i).append("] has incorrect syntax; ");
        }
    }
}
Also used : QCStatement(org.bouncycastle.asn1.x509.qualified.QCStatement) HashMap(java.util.HashMap) QcStatementValueType(org.xipki.ca.certprofile.x509.jaxb.QcStatementValueType) MonetaryValue(org.bouncycastle.asn1.x509.qualified.MonetaryValue) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERBMPString(org.bouncycastle.asn1.DERBMPString) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) ASN1String(org.bouncycastle.asn1.ASN1String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERT61String(org.bouncycastle.asn1.DERT61String) IOException(java.io.IOException) Iso4217CurrencyCode(org.bouncycastle.asn1.x509.qualified.Iso4217CurrencyCode) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) PdsLocationType(org.xipki.ca.certprofile.x509.jaxb.PdsLocationType) QcStatements(org.xipki.ca.certprofile.x509.jaxb.QcStatements) Extension(org.bouncycastle.asn1.x509.Extension) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) Range2Type(org.xipki.ca.certprofile.x509.jaxb.Range2Type) QcStatementType(org.xipki.ca.certprofile.x509.jaxb.QcStatementType) PdsLocationsType(org.xipki.ca.certprofile.x509.jaxb.PdsLocationsType) HashSet(java.util.HashSet) QcEuLimitValueType(org.xipki.ca.certprofile.x509.jaxb.QcEuLimitValueType)

Example 94 with Request

use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.

the class PublicKeyChecker method checkPublicKey.

public List<ValidationIssue> checkPublicKey(SubjectPublicKeyInfo publicKey, SubjectPublicKeyInfo requestedPublicKey) {
    ParamUtil.requireNonNull("publicKey", publicKey);
    ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
    List<ValidationIssue> resultIssues = new LinkedList<>();
    if (keyAlgorithms != null) {
        ValidationIssue issue = new ValidationIssue("X509.PUBKEY.SYN", "whether the public key in certificate is permitted");
        resultIssues.add(issue);
        try {
            checkPublicKey(publicKey);
        } catch (BadCertTemplateException ex) {
            issue.setFailureMessage(ex.getMessage());
        }
    }
    ValidationIssue issue = new ValidationIssue("X509.PUBKEY.REQ", "whether public key matches the request one");
    resultIssues.add(issue);
    SubjectPublicKeyInfo c14nRequestedPublicKey;
    try {
        c14nRequestedPublicKey = X509Util.toRfc3279Style(requestedPublicKey);
        if (!c14nRequestedPublicKey.equals(publicKey)) {
            issue.setFailureMessage("public key in the certificate does not equal the requested one");
        }
    } catch (InvalidKeySpecException ex) {
        issue.setFailureMessage("public key in request is invalid");
    }
    return resultIssues;
}
Also used : BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) ValidationIssue(org.xipki.common.qa.ValidationIssue) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) LinkedList(java.util.LinkedList)

Example 95 with Request

use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.

the class SubjectChecker method checkSubject.

public List<ValidationIssue> checkSubject(X500Name subject, X500Name requestedSubject) {
    ParamUtil.requireNonNull("subject", subject);
    ParamUtil.requireNonNull("requestedSubject", requestedSubject);
    // collect subject attribute types to check
    Set<ASN1ObjectIdentifier> oids = new HashSet<>();
    for (ASN1ObjectIdentifier oid : subjectControl.getTypes()) {
        oids.add(oid);
    }
    for (ASN1ObjectIdentifier oid : subject.getAttributeTypes()) {
        oids.add(oid);
    }
    List<ValidationIssue> result = new LinkedList<>();
    ValidationIssue issue = new ValidationIssue("X509.SUBJECT.group", "X509 subject RDN group");
    result.add(issue);
    if (CollectionUtil.isNonEmpty(subjectControl.getGroups())) {
        Set<String> groups = new HashSet<>(subjectControl.getGroups());
        for (String g : groups) {
            boolean toBreak = false;
            RDN rdn = null;
            for (ASN1ObjectIdentifier type : subjectControl.getTypesForGroup(g)) {
                RDN[] rdns = subject.getRDNs(type);
                if (rdns == null || rdns.length == 0) {
                    continue;
                }
                if (rdns.length > 1) {
                    issue.setFailureMessage("AttributeTypeAndValues of group " + g + " is not in one RDN");
                    toBreak = true;
                    break;
                }
                if (rdn == null) {
                    rdn = rdns[0];
                } else if (rdn != rdns[0]) {
                    issue.setFailureMessage("AttributeTypeAndValues of group " + g + " is not in one RDN");
                    toBreak = true;
                    break;
                }
            }
            if (toBreak) {
                break;
            }
        }
    }
    for (ASN1ObjectIdentifier type : oids) {
        ValidationIssue valIssue;
        try {
            valIssue = checkSubjectAttribute(type, subject, requestedSubject);
        } catch (BadCertTemplateException ex) {
            valIssue = new ValidationIssue("X509.SUBJECT.REQUEST", "Subject in request");
            valIssue.setFailureMessage(ex.getMessage());
        }
        result.add(valIssue);
    }
    return result;
}
Also used : BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) DERBMPString(org.bouncycastle.asn1.DERBMPString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) DERT61String(org.bouncycastle.asn1.DERT61String) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) ValidationIssue(org.xipki.common.qa.ValidationIssue) RDN(org.bouncycastle.asn1.x500.RDN) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) LinkedList(java.util.LinkedList) HashSet(java.util.HashSet)

Aggregations

IOException (java.io.IOException)47 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)30 Date (java.util.Date)27 DEROctetString (org.bouncycastle.asn1.DEROctetString)26 BigInteger (java.math.BigInteger)23 X509Certificate (java.security.cert.X509Certificate)22 PKIMessage (org.bouncycastle.asn1.cmp.PKIMessage)22 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)20 CertificateException (java.security.cert.CertificateException)18 ArrayList (java.util.ArrayList)17 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)17 X500Name (org.bouncycastle.asn1.x500.X500Name)16 Extension (org.bouncycastle.asn1.x509.Extension)16 Extensions (org.bouncycastle.asn1.x509.Extensions)16 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)15 DERIA5String (org.bouncycastle.asn1.DERIA5String)15 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)14 PKIBody (org.bouncycastle.asn1.cmp.PKIBody)13 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)12 GeneralName (org.bouncycastle.asn1.x509.GeneralName)11