use of org.bouncycastle.asn1.pkcs.Attribute in project robovm by robovm.
the class AttributeTable method getAll.
/**
 * Collects every attribute stored under the given OBJECT IDENTIFIER.
 * A single stored value is returned as a one-element vector; a stored
 * {@code Vector} is copied element by element in its existing order.
 *
 * @param oid type of attribute required.
 * @return a vector holding all attributes of type {@code oid}; empty when
 * nothing is registered under that identifier.
 */
public ASN1EncodableVector getAll(ASN1ObjectIdentifier oid) {
    ASN1EncodableVector result = new ASN1EncodableVector();
    Object stored = attributes.get(oid);
    if (stored == null) {
        return result;
    }
    if (stored instanceof Vector) {
        // several attributes share this oid: copy them in insertion order
        Vector bucket = (Vector) stored;
        for (int i = 0; i < bucket.size(); i++) {
            result.add((Attribute) bucket.elementAt(i));
        }
    } else {
        result.add((Attribute) stored);
    }
    return result;
}
use of org.bouncycastle.asn1.pkcs.Attribute in project robovm by robovm.
the class SignedData method calculateVersion.
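// RFC3852, section 5.1:
// IF ((certificates is present) AND
// (any certificates with a type of other are present)) OR
// ((crls is present) AND
// (any crls with a type of other are present))
// THEN version MUST be 5
// ELSE
// IF (certificates is present) AND
// (any version 2 attribute certificates are present)
// THEN version MUST be 4
// ELSE
// IF ((certificates is present) AND
// (any version 1 attribute certificates are present)) OR
// (any SignerInfo structures are version 3) OR
// (encapContentInfo eContentType is other than id-data)
// THEN version MUST be 3
// ELSE version MUST be 1
//
/**
 * Computes the SignedData version number following the RFC 3852 section 5.1
 * decision table reproduced above. Every outcome uses the shared VERSION_n
 * constants so callers can compare results by identity or equality alike.
 *
 * @param contentOid eContentType of the encapsulated content; anything other
 * than id-data forces at least version 3.
 * @param certs the CertificateChoices set, or null when absent. Tagged choices
 * are interpreted by tag number: [1] v1 attribute certificate,
 * [2] v2 attribute certificate, [3] "other"; untagged entries are
 * plain certificates and never raise the version.
 * @param crls the RevocationInfoChoices set, or null when absent. Any tagged
 * choice is treated as an "other" revocation format.
 * @param signerInfs the SignerInfo set, passed to checkForVersion3.
 * @return VERSION_5, VERSION_4, VERSION_3 or VERSION_1.
 */
private ASN1Integer calculateVersion(ASN1ObjectIdentifier contentOid, ASN1Set certs, ASN1Set crls, ASN1Set signerInfs) {
    boolean attrCertV1Found = false;
    boolean attrCertV2Found = false;
    if (certs != null) {
        for (Enumeration en = certs.getObjects(); en.hasMoreElements(); ) {
            Object obj = en.nextElement();
            if (!(obj instanceof ASN1TaggedObject)) {
                continue;
            }
            int tagNo = ASN1TaggedObject.getInstance(obj).getTagNo();
            if (tagNo == 3) {
                // an "other" certificate format wins over every later rule
                return VERSION_5;
            } else if (tagNo == 2) {
                attrCertV2Found = true;
            } else if (tagNo == 1) {
                attrCertV1Found = true;
            }
        }
    }
    if (crls != null) {
        for (Enumeration en = crls.getObjects(); en.hasMoreElements(); ) {
            if (en.nextElement() instanceof ASN1TaggedObject) {
                // an "other" revocation info format likewise forces version 5
                return VERSION_5;
            }
        }
    }
    if (attrCertV2Found) {
        return VERSION_4;
    }
    if (attrCertV1Found || checkForVersion3(signerInfs) || !CMSObjectIdentifiers.data.equals(contentOid)) {
        return VERSION_3;
    }
    return VERSION_1;
}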
use of org.bouncycastle.asn1.pkcs.Attribute in project robovm by robovm.
the class RFC3280CertPathUtilities method processCRLF.
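/**
 * Obtain and validate the certification path for the complete CRL issuer.
 * If a key usage extension is present in the CRL issuer's certificate,
 * verify that the cRLSign bit is set.
 * <p>
 * Candidate issuer certificates are looked up by the CRL's issuer name in all
 * configured stores; the default signer <code>defaultCRLSignCert</code> is
 * always added. Every candidate other than the default signer must build a
 * valid PKIX path before its key is accepted.
 *
 * @param crl CRL which contains revocation information for the certificate
 * <code>cert</code>.
 * @param cert The attribute certificate or certificate to check if it is
 * revoked. Not consulted by this step; it is carried for signature
 * parity with the other processCRL* steps.
 * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
 * @param defaultCRLSignKey The public key of the issuer certificate
 * <code>defaultCRLSignCert</code>.
 * @param paramsPKIX paramsPKIX PKIX parameters.
 * @param certPathCerts The certificates on the certification path.
 * @return A <code>Set</code> with all keys of possible CRL issuer
 * certificates.
 * @throws AnnotatedException if the CRL is not valid or the status cannot be checked or
 * some error occurs.
 * @throws RuntimeException if the path builder cannot be obtained or parameterised;
 * the underlying exception is attached as the cause.
 */
protected static Set processCRLF(X509CRL crl, Object cert, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, ExtendedPKIXParameters paramsPKIX, List certPathCerts) throws AnnotatedException {
    // (f)
    // get issuer from CRL
    X509CertStoreSelector selector = new X509CertStoreSelector();
    try {
        byte[] issuerPrincipal = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();
        selector.setSubject(issuerPrincipal);
    } catch (IOException e) {
        throw new AnnotatedException("Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);
    }
    // get CRL signing certs
    Collection coll;
    try {
        coll = CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getStores());
        coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getAdditionalStores()));
        coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertStores()));
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e);
    }
    coll.add(defaultCRLSignCert);
    // parallel lists: validKeys.get(i) is the working key for validCerts.get(i)
    List<X509Certificate> validCerts = new ArrayList<X509Certificate>();
    List<PublicKey> validKeys = new ArrayList<PublicKey>();
    for (Iterator certIt = coll.iterator(); certIt.hasNext(); ) {
        X509Certificate signingCert = (X509Certificate) certIt.next();
        /*
         * The CA of the certificate this CRL is checked for has also signed
         * the CRL, so skip path validation: it has already been done.
         */
        if (signingCert.equals(defaultCRLSignCert)) {
            validCerts.add(signingCert);
            validKeys.add(defaultCRLSignKey);
            continue;
        }
        try {
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
            selector = new X509CertStoreSelector();
            selector.setCertificate(signingCert);
            ExtendedPKIXParameters temp = (ExtendedPKIXParameters) paramsPKIX.clone();
            temp.setTargetCertConstraints(selector);
            ExtendedPKIXBuilderParameters params = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters.getInstance(temp);
            /*
             * If signingCert sits on the certification path being validated, a
             * dependency loop results: the CRL for cert is checked, but
             * signingCert is needed to check the CRL, and signingCert is itself
             * validated (transitively) as part of checking cert. Revocation is
             * therefore disabled only for that case; CRL forgery is still
             * detected by this outer loop. For every other candidate it stays
             * enabled to prevent forgery attacks.
             */
            params.setRevocationEnabled(!certPathCerts.contains(signingCert));
            List certs = builder.build(params).getCertPath().getCertificates();
            validCerts.add(signingCert);
            validKeys.add(CertPathValidatorUtilities.getNextWorkingKey(certs, 0));
        } catch (CertPathBuilderException e) {
            throw new AnnotatedException("Internal error.", e);
        } catch (CertPathValidatorException e) {
            throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e);
        } catch (Exception e) {
            // keep the original exception chained so the failure stays diagnosable
            throw new RuntimeException(e.getMessage(), e);
        }
    }
    Set<PublicKey> checkKeys = new HashSet<PublicKey>();
    AnnotatedException lastException = null;
    for (int i = 0; i < validCerts.size(); i++) {
        X509Certificate signCert = validCerts.get(i);
        boolean[] keyusage = signCert.getKeyUsage();
        // a key usage extension that is too short to carry the cRLSign bit
        // is treated as not permitting CRL signing
        if (keyusage != null && (keyusage.length < 7 || !keyusage[CRL_SIGN])) {
            lastException = new AnnotatedException("Issuer certificate key usage extension does not permit CRL signing.");
        } else {
            checkKeys.add(validKeys.get(i));
        }
    }
    if (checkKeys.isEmpty() && lastException == null) {
        throw new AnnotatedException("Cannot find a valid issuer certificate.");
    }
    if (checkKeys.isEmpty() && lastException != null) {
        throw lastException;
    }
    return checkKeys;
}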
use of org.bouncycastle.asn1.pkcs.Attribute in project ddf by codice.
the class PkiTools method makeDistinguishedName.
/**
 * Build an X500 name carrying exactly one attribute, the "common name". An X500 name identifies a
 * machine, person or organization and becomes the "subject" of a certificate. SSL/TLS typically treats
 * the subject's common name as the machine's DNS name, so it must be correct or SSL/TLS will not trust
 * the machine's certificate.
 * <p>
 * TLS can also rely on a different set of attributes, the Subject Alternative Names. SANs are
 * extensions to the X509 specification and can include IP addresses, DNS names and other machine
 * information. This package does not use SANs.
 *
 * @param commonName the fully qualified host name of the end entity
 * @return X500 name object with the common name attribute set
 * @see <a href="https://www.ietf.org/rfc/rfc4514.txt">RFC 4514, section 'LDAP: Distinguished Names'</a>
 * @see <a href="https://tools.ietf.org/html/rfc4519">RFC 4519 details the exact construction of distinguished names</a>
 * @see <a href="https://en.wikipedia.org/wiki/SubjectAltName">Subject Alternative Names on Wikipedia</a>
 */
public static X500Name makeDistinguishedName(String commonName) {
    Validate.isTrue(commonName != null, "Certificate common name cannot be null");
    assert commonName != null;
    if (commonName.isEmpty()) {
        LOGGER.warn("Setting certificate common name to empty string. This could result in an unusable TLS certificate.");
    }
    // Chain further addRDN(...) calls here to support more X500 attributes.
    return new X500NameBuilder(RFC4519Style.INSTANCE)
            .addRDN(RFC4519Style.cn, commonName)
            .build();
}
use of org.bouncycastle.asn1.pkcs.Attribute in project ddf by codice.
the class SubjectUtils method getAttribute.
/**
 * Look up every string value of a named attribute across all attribute statements
 * of the subject's security assertion.
 *
 * @param subject the subject to inspect; may be null
 * @param key the attribute name to match exactly; must not be null
 * @return attribute values or an empty list if not found.
 */
public static List<String> getAttribute(@Nullable Subject subject, String key) {
    Validate.notNull(key);
    if (subject == null) {
        LOGGER.debug("Incoming subject was null, cannot look up {}.", key);
        return Collections.emptyList();
    }
    PrincipalCollection principalCollection = subject.getPrincipals();
    if (principalCollection == null) {
        LOGGER.debug("No principals located in the incoming subject, cannot look up {}.", key);
        return Collections.emptyList();
    }
    SecurityAssertion securityAssertion = principalCollection.oneByType(SecurityAssertion.class);
    if (securityAssertion == null) {
        LOGGER.debug("Could not find Security Assertion, cannot look up {}.", key);
        return Collections.emptyList();
    }
    // only XSString-typed values are surfaced; other value types are dropped
    return securityAssertion.getAttributeStatements().stream()
            .flatMap(statement -> statement.getAttributes().stream())
            .filter(attribute -> attribute.getName().equals(key))
            .flatMap(attribute -> attribute.getAttributeValues().stream())
            .filter(XSString.class::isInstance)
            .map(XSString.class::cast)
            .map(XSString::getValue)
            .collect(Collectors.toList());
}