use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.
the class CmpCaClient method revokeCert.
// method requestCerts
public boolean revokeCert(BigInteger serialNumber, CRLReason reason) throws Exception {
ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(PKIHeader.CMP_2000, requestorSubject, responderSubject);
builder.setMessageTime(new Date());
builder.setTransactionID(randomTransactionId());
builder.setSenderNonce(randomSenderNonce());
CertTemplateBuilder certTempBuilder = new CertTemplateBuilder();
certTempBuilder.setIssuer(caSubject);
certTempBuilder.setSerialNumber(new ASN1Integer(serialNumber));
AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(caSubjectKeyIdentifier);
byte[] encodedAki = aki.getEncoded();
Extension extAki = new Extension(Extension.authorityKeyIdentifier, false, encodedAki);
Extensions certTempExts = new Extensions(extAki);
certTempBuilder.setExtensions(certTempExts);
ASN1Enumerated asn1Reason = new ASN1Enumerated(reason.getValue().intValue());
Extensions exts = new Extensions(new Extension(Extension.reasonCode, true, new DEROctetString(asn1Reason.getEncoded())));
RevDetails revDetails = new RevDetails(certTempBuilder.build(), exts);
RevReqContent content = new RevReqContent(revDetails);
builder.setBody(new PKIBody(PKIBody.TYPE_REVOCATION_REQ, content));
ProtectedPKIMessage request = builder.build(requestorSigner);
PKIMessage response = transmit(request);
return parseRevocationResult(response, serialNumber);
}
use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.
the class EnrollCertAction method execute0.
@Override
protected Object execute0() throws Exception {
if (caName != null) {
caName = caName.toLowerCase();
}
CertTemplateBuilder certTemplateBuilder = new CertTemplateBuilder();
ConcurrentContentSigner signer = getSigner(new SignatureAlgoControl(rsaMgf1, dsaPlain, gm));
X509CertificateHolder ssCert = signer.getBcCertificate();
X500Name x500Subject = new X500Name(subject);
certTemplateBuilder.setSubject(x500Subject);
certTemplateBuilder.setPublicKey(ssCert.getSubjectPublicKeyInfo());
if (StringUtil.isNotBlank(notBeforeS) || StringUtil.isNotBlank(notAfterS)) {
Time notBefore = StringUtil.isNotBlank(notBeforeS) ? new Time(DateUtil.parseUtcTimeyyyyMMddhhmmss(notBeforeS)) : null;
Time notAfter = StringUtil.isNotBlank(notAfterS) ? new Time(DateUtil.parseUtcTimeyyyyMMddhhmmss(notAfterS)) : null;
OptionalValidity validity = new OptionalValidity(notBefore, notAfter);
certTemplateBuilder.setValidity(validity);
}
if (needExtensionTypes == null) {
needExtensionTypes = new LinkedList<>();
}
// SubjectAltNames
List<Extension> extensions = new LinkedList<>();
if (isNotEmpty(subjectAltNames)) {
extensions.add(X509Util.createExtnSubjectAltName(subjectAltNames, false));
needExtensionTypes.add(Extension.subjectAlternativeName.getId());
}
// SubjectInfoAccess
if (isNotEmpty(subjectInfoAccesses)) {
extensions.add(X509Util.createExtnSubjectInfoAccess(subjectInfoAccesses, false));
needExtensionTypes.add(Extension.subjectInfoAccess.getId());
}
// Keyusage
if (isNotEmpty(keyusages)) {
Set<KeyUsage> usages = new HashSet<>();
for (String usage : keyusages) {
usages.add(KeyUsage.getKeyUsage(usage));
}
org.bouncycastle.asn1.x509.KeyUsage extValue = X509Util.createKeyUsage(usages);
ASN1ObjectIdentifier extType = Extension.keyUsage;
extensions.add(new Extension(extType, false, extValue.getEncoded()));
needExtensionTypes.add(extType.getId());
}
// ExtendedKeyusage
if (isNotEmpty(extkeyusages)) {
ExtendedKeyUsage extValue = X509Util.createExtendedUsage(textToAsn1ObjectIdentifers(extkeyusages));
ASN1ObjectIdentifier extType = Extension.extendedKeyUsage;
extensions.add(new Extension(extType, false, extValue.getEncoded()));
needExtensionTypes.add(extType.getId());
}
// QcEuLimitValue
if (isNotEmpty(qcEuLimits)) {
ASN1EncodableVector vec = new ASN1EncodableVector();
for (String m : qcEuLimits) {
StringTokenizer st = new StringTokenizer(m, ":");
try {
String currencyS = st.nextToken();
String amountS = st.nextToken();
String exponentS = st.nextToken();
Iso4217CurrencyCode currency;
try {
int intValue = Integer.parseInt(currencyS);
currency = new Iso4217CurrencyCode(intValue);
} catch (NumberFormatException ex) {
currency = new Iso4217CurrencyCode(currencyS);
}
int amount = Integer.parseInt(amountS);
int exponent = Integer.parseInt(exponentS);
MonetaryValue monterayValue = new MonetaryValue(currency, amount, exponent);
QCStatement statment = new QCStatement(ObjectIdentifiers.id_etsi_qcs_QcLimitValue, monterayValue);
vec.add(statment);
} catch (Exception ex) {
throw new Exception("invalid qc-eu-limit '" + m + "'");
}
}
ASN1ObjectIdentifier extType = Extension.qCStatements;
ASN1Sequence extValue = new DERSequence(vec);
extensions.add(new Extension(extType, false, extValue.getEncoded()));
needExtensionTypes.add(extType.getId());
}
// biometricInfo
if (biometricType != null && biometricHashAlgo != null && biometricFile != null) {
TypeOfBiometricData objBiometricType = StringUtil.isNumber(biometricType) ? new TypeOfBiometricData(Integer.parseInt(biometricType)) : new TypeOfBiometricData(new ASN1ObjectIdentifier(biometricType));
ASN1ObjectIdentifier objBiometricHashAlgo = AlgorithmUtil.getHashAlg(biometricHashAlgo);
byte[] biometricBytes = IoUtil.read(biometricFile);
MessageDigest md = MessageDigest.getInstance(objBiometricHashAlgo.getId());
md.reset();
byte[] biometricDataHash = md.digest(biometricBytes);
DERIA5String sourceDataUri = null;
if (biometricUri != null) {
sourceDataUri = new DERIA5String(biometricUri);
}
BiometricData biometricData = new BiometricData(objBiometricType, new AlgorithmIdentifier(objBiometricHashAlgo), new DEROctetString(biometricDataHash), sourceDataUri);
ASN1EncodableVector vec = new ASN1EncodableVector();
vec.add(biometricData);
ASN1ObjectIdentifier extType = Extension.biometricInfo;
ASN1Sequence extValue = new DERSequence(vec);
extensions.add(new Extension(extType, false, extValue.getEncoded()));
needExtensionTypes.add(extType.getId());
} else if (biometricType == null && biometricHashAlgo == null && biometricFile == null) {
// Do nothing
} else {
throw new Exception("either all of biometric triples (type, hash algo, file)" + " must be set or none of them should be set");
}
if (isNotEmpty(needExtensionTypes) || isNotEmpty(wantExtensionTypes)) {
ExtensionExistence ee = new ExtensionExistence(textToAsn1ObjectIdentifers(needExtensionTypes), textToAsn1ObjectIdentifers(wantExtensionTypes));
extensions.add(new Extension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions, false, ee.toASN1Primitive().getEncoded()));
}
if (isNotEmpty(extensions)) {
Extensions asn1Extensions = new Extensions(extensions.toArray(new Extension[0]));
certTemplateBuilder.setExtensions(asn1Extensions);
}
CertRequest certReq = new CertRequest(1, certTemplateBuilder.build(), null);
ProofOfPossessionSigningKeyBuilder popoBuilder = new ProofOfPossessionSigningKeyBuilder(certReq);
ConcurrentBagEntrySigner signer0 = signer.borrowSigner();
POPOSigningKey popoSk;
try {
popoSk = popoBuilder.build(signer0.value());
} finally {
signer.requiteSigner(signer0);
}
ProofOfPossession popo = new ProofOfPossession(popoSk);
EnrollCertRequestEntry reqEntry = new EnrollCertRequestEntry("id-1", profile, certReq, popo);
EnrollCertRequest request = new EnrollCertRequest(EnrollCertRequest.Type.CERT_REQ);
request.addRequestEntry(reqEntry);
RequestResponseDebug debug = getRequestResponseDebug();
EnrollCertResult result;
try {
result = caClient.requestCerts(caName, request, debug);
} finally {
saveRequestResponse(debug);
}
X509Certificate cert = null;
if (result != null) {
String id = result.getAllIds().iterator().next();
CertOrError certOrError = result.getCertOrError(id);
cert = (X509Certificate) certOrError.getCertificate();
}
if (cert == null) {
throw new CmdFailure("no certificate received from the server");
}
File certFile = new File(outputFile);
saveVerbose("saved certificate to file", certFile, cert.getEncoded());
return null;
}
use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.
the class ExtensionsChecker method checkExtensionQcStatements.
// method checkExtensionPrivateKeyUsagePeriod
private void checkExtensionQcStatements(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
QcStatements conf = qcStatements;
if (conf == null) {
byte[] expected = getExpectedExtValue(Extension.qCStatements, requestedExtensions, extControl);
if (!Arrays.equals(expected, extensionValue)) {
addViolation(failureMsg, "extension values", extensionValue, (expected == null) ? "not present" : hex(expected));
}
return;
}
final int expSize = conf.getQcStatement().size();
ASN1Sequence extValue = ASN1Sequence.getInstance(extensionValue);
final int isSize = extValue.size();
if (isSize != expSize) {
addViolation(failureMsg, "number of statements", isSize, expSize);
return;
}
// extract the euLimit and pdsLocations data from request
Map<String, int[]> reqQcEuLimits = new HashMap<>();
Extension reqExtension = (requestedExtensions == null) ? null : requestedExtensions.getExtension(Extension.qCStatements);
if (reqExtension != null) {
ASN1Sequence seq = ASN1Sequence.getInstance(reqExtension.getParsedValue());
final int n = seq.size();
for (int j = 0; j < n; j++) {
QCStatement stmt = QCStatement.getInstance(seq.getObjectAt(j));
if (ObjectIdentifiers.id_etsi_qcs_QcLimitValue.equals(stmt.getStatementId())) {
MonetaryValue monetaryValue = MonetaryValue.getInstance(stmt.getStatementInfo());
int amount = monetaryValue.getAmount().intValue();
int exponent = monetaryValue.getExponent().intValue();
Iso4217CurrencyCode currency = monetaryValue.getCurrency();
String currencyS = currency.isAlphabetic() ? currency.getAlphabetic().toUpperCase() : Integer.toString(currency.getNumeric());
reqQcEuLimits.put(currencyS, new int[] { amount, exponent });
}
}
}
for (int i = 0; i < expSize; i++) {
QCStatement is = QCStatement.getInstance(extValue.getObjectAt(i));
QcStatementType exp = conf.getQcStatement().get(i);
if (!is.getStatementId().getId().equals(exp.getStatementId().getValue())) {
addViolation(failureMsg, "statmentId[" + i + "]", is.getStatementId().getId(), exp.getStatementId().getValue());
continue;
}
if (exp.getStatementValue() == null) {
if (is.getStatementInfo() != null) {
addViolation(failureMsg, "statmentInfo[" + i + "]", "present", "absent");
}
continue;
}
if (is.getStatementInfo() == null) {
addViolation(failureMsg, "statmentInfo[" + i + "]", "absent", "present");
continue;
}
QcStatementValueType expStatementValue = exp.getStatementValue();
try {
if (expStatementValue.getConstant() != null) {
byte[] expValue = expStatementValue.getConstant().getValue();
byte[] isValue = is.getStatementInfo().toASN1Primitive().getEncoded();
if (!Arrays.equals(isValue, expValue)) {
addViolation(failureMsg, "statementInfo[" + i + "]", hex(isValue), hex(expValue));
}
} else if (expStatementValue.getQcRetentionPeriod() != null) {
String isValue = ASN1Integer.getInstance(is.getStatementInfo()).toString();
String expValue = expStatementValue.getQcRetentionPeriod().toString();
if (!isValue.equals(expValue)) {
addViolation(failureMsg, "statementInfo[" + i + "]", isValue, expValue);
}
} else if (expStatementValue.getPdsLocations() != null) {
Set<String> pdsLocations = new HashSet<>();
ASN1Sequence pdsLocsSeq = ASN1Sequence.getInstance(is.getStatementInfo());
int size = pdsLocsSeq.size();
for (int k = 0; k < size; k++) {
ASN1Sequence pdsLocSeq = ASN1Sequence.getInstance(pdsLocsSeq.getObjectAt(k));
int size2 = pdsLocSeq.size();
if (size2 != 2) {
throw new IllegalArgumentException("sequence size is " + size2 + " but expected 2");
}
String url = DERIA5String.getInstance(pdsLocSeq.getObjectAt(0)).getString();
String lang = DERPrintableString.getInstance(pdsLocSeq.getObjectAt(1)).getString();
pdsLocations.add("url=" + url + ",lang=" + lang);
}
PdsLocationsType pdsLocationsConf = expStatementValue.getPdsLocations();
Set<String> expectedPdsLocations = new HashSet<>();
for (PdsLocationType m : pdsLocationsConf.getPdsLocation()) {
expectedPdsLocations.add("url=" + m.getUrl() + ",lang=" + m.getLanguage());
}
Set<String> diffs = strInBnotInA(expectedPdsLocations, pdsLocations);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("statementInfo[").append(i).append("]: ").append(diffs).append(" are present but not expected; ");
}
diffs = strInBnotInA(pdsLocations, expectedPdsLocations);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("statementInfo[").append(i).append("]: ").append(diffs).append(" are absent but are required; ");
}
} else if (expStatementValue.getQcEuLimitValue() != null) {
QcEuLimitValueType euLimitConf = expStatementValue.getQcEuLimitValue();
String expCurrency = euLimitConf.getCurrency().toUpperCase();
int[] expAmountExp = reqQcEuLimits.get(expCurrency);
Range2Type range = euLimitConf.getAmount();
int value;
if (range.getMin() == range.getMax()) {
value = range.getMin();
} else if (expAmountExp != null) {
value = expAmountExp[0];
} else {
failureMsg.append("found no QcEuLimit for currency '").append(expCurrency).append("'; ");
return;
}
// CHECKSTYLE:SKIP
String expAmount = Integer.toString(value);
range = euLimitConf.getExponent();
if (range.getMin() == range.getMax()) {
value = range.getMin();
} else if (expAmountExp != null) {
value = expAmountExp[1];
} else {
failureMsg.append("found no QcEuLimit for currency '").append(expCurrency).append("'; ");
return;
}
String expExponent = Integer.toString(value);
MonetaryValue monterayValue = MonetaryValue.getInstance(is.getStatementInfo());
Iso4217CurrencyCode currency = monterayValue.getCurrency();
String isCurrency = currency.isAlphabetic() ? currency.getAlphabetic() : Integer.toString(currency.getNumeric());
String isAmount = monterayValue.getAmount().toString();
String isExponent = monterayValue.getExponent().toString();
if (!isCurrency.equals(expCurrency)) {
addViolation(failureMsg, "statementInfo[" + i + "].qcEuLimit.currency", isCurrency, expCurrency);
}
if (!isAmount.equals(expAmount)) {
addViolation(failureMsg, "statementInfo[" + i + "].qcEuLimit.amount", isAmount, expAmount);
}
if (!isExponent.equals(expExponent)) {
addViolation(failureMsg, "statementInfo[" + i + "].qcEuLimit.exponent", isExponent, expExponent);
}
} else {
throw new RuntimeException("statementInfo[" + i + "]should not reach here");
}
} catch (IOException ex) {
failureMsg.append("statementInfo[").append(i).append("] has incorrect syntax; ");
}
}
}
use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.
the class PublicKeyChecker method checkPublicKey.
public List<ValidationIssue> checkPublicKey(SubjectPublicKeyInfo publicKey, SubjectPublicKeyInfo requestedPublicKey) {
ParamUtil.requireNonNull("publicKey", publicKey);
ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
List<ValidationIssue> resultIssues = new LinkedList<>();
if (keyAlgorithms != null) {
ValidationIssue issue = new ValidationIssue("X509.PUBKEY.SYN", "whether the public key in certificate is permitted");
resultIssues.add(issue);
try {
checkPublicKey(publicKey);
} catch (BadCertTemplateException ex) {
issue.setFailureMessage(ex.getMessage());
}
}
ValidationIssue issue = new ValidationIssue("X509.PUBKEY.REQ", "whether public key matches the request one");
resultIssues.add(issue);
SubjectPublicKeyInfo c14nRequestedPublicKey;
try {
c14nRequestedPublicKey = X509Util.toRfc3279Style(requestedPublicKey);
if (!c14nRequestedPublicKey.equals(publicKey)) {
issue.setFailureMessage("public key in the certificate does not equal the requested one");
}
} catch (InvalidKeySpecException ex) {
issue.setFailureMessage("public key in request is invalid");
}
return resultIssues;
}
use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.
the class SubjectChecker method checkSubject.
public List<ValidationIssue> checkSubject(X500Name subject, X500Name requestedSubject) {
ParamUtil.requireNonNull("subject", subject);
ParamUtil.requireNonNull("requestedSubject", requestedSubject);
// collect subject attribute types to check
Set<ASN1ObjectIdentifier> oids = new HashSet<>();
for (ASN1ObjectIdentifier oid : subjectControl.getTypes()) {
oids.add(oid);
}
for (ASN1ObjectIdentifier oid : subject.getAttributeTypes()) {
oids.add(oid);
}
List<ValidationIssue> result = new LinkedList<>();
ValidationIssue issue = new ValidationIssue("X509.SUBJECT.group", "X509 subject RDN group");
result.add(issue);
if (CollectionUtil.isNonEmpty(subjectControl.getGroups())) {
Set<String> groups = new HashSet<>(subjectControl.getGroups());
for (String g : groups) {
boolean toBreak = false;
RDN rdn = null;
for (ASN1ObjectIdentifier type : subjectControl.getTypesForGroup(g)) {
RDN[] rdns = subject.getRDNs(type);
if (rdns == null || rdns.length == 0) {
continue;
}
if (rdns.length > 1) {
issue.setFailureMessage("AttributeTypeAndValues of group " + g + " is not in one RDN");
toBreak = true;
break;
}
if (rdn == null) {
rdn = rdns[0];
} else if (rdn != rdns[0]) {
issue.setFailureMessage("AttributeTypeAndValues of group " + g + " is not in one RDN");
toBreak = true;
break;
}
}
if (toBreak) {
break;
}
}
}
for (ASN1ObjectIdentifier type : oids) {
ValidationIssue valIssue;
try {
valIssue = checkSubjectAttribute(type, subject, requestedSubject);
} catch (BadCertTemplateException ex) {
valIssue = new ValidationIssue("X509.SUBJECT.REQUEST", "Subject in request");
valIssue.setFailureMessage(ex.getMessage());
}
result.add(valIssue);
}
return result;
}
Aggregations