Example 51 with BasicConstraints

use of org.bouncycastle.asn1.x509.BasicConstraints in project milo by eclipse.

the class SelfSignedCertificateGenerator method generateSelfSigned.

public X509Certificate generateSelfSigned(KeyPair keyPair, Date notBefore, Date notAfter, @Nullable String commonName, @Nullable String organization, @Nullable String organizationalUnit, @Nullable String localityName, @Nullable String stateName, @Nullable String countryCode, @Nullable String applicationUri, List<String> dnsNames, List<String> ipAddresses, String signatureAlgorithm) throws Exception {
    X500NameBuilder nameBuilder = new X500NameBuilder();
    if (commonName != null) {
        nameBuilder.addRDN(BCStyle.CN, commonName);
    }
    if (organization != null) {
        nameBuilder.addRDN(BCStyle.O, organization);
    }
    if (organizationalUnit != null) {
        nameBuilder.addRDN(BCStyle.OU, organizationalUnit);
    }
    if (localityName != null) {
        nameBuilder.addRDN(BCStyle.L, localityName);
    }
    if (stateName != null) {
        nameBuilder.addRDN(BCStyle.ST, stateName);
    }
    if (countryCode != null) {
        nameBuilder.addRDN(BCStyle.C, countryCode);
    }
    X500Name name = nameBuilder.build();
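    // Using the current timestamp (milliseconds) as the certificate serial number:
    // predictable, and unique only if no two certificates are generated in the same millisecond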
    BigInteger certSerialNumber = new BigInteger(Long.toString(System.currentTimeMillis()));
    SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
    X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(name, certSerialNumber, notBefore, notAfter, Locale.ENGLISH, name, subjectPublicKeyInfo);
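    // cA = true marks this self-signed certificate as a CA certificate; no path length constraint is set
    BasicConstraints basicConstraints = new BasicConstraints(true);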
    // Authority Key Identifier
    addAuthorityKeyIdentifier(certificateBuilder, keyPair);
    // Basic Constraints
    addBasicConstraints(certificateBuilder, basicConstraints);
    // Key Usage
    addKeyUsage(certificateBuilder);
    // Extended Key Usage
    addExtendedKeyUsage(certificateBuilder);
    // Subject Alternative Name
    addSubjectAlternativeNames(certificateBuilder, keyPair, applicationUri, dnsNames, ipAddresses);
    ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).setProvider(new BouncyCastleProvider()).build(keyPair.getPrivate());
    X509CertificateHolder certificateHolder = certificateBuilder.build(contentSigner);
    return new JcaX509CertificateConverter().getCertificate(certificateHolder);
}
Also used : X500NameBuilder(org.bouncycastle.asn1.x500.X500NameBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) ContentSigner(org.bouncycastle.operator.ContentSigner) BigInteger(java.math.BigInteger) X500Name(org.bouncycastle.asn1.x500.X500Name) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 52 with BasicConstraints

use of org.bouncycastle.asn1.x509.BasicConstraints in project radixdlt by radixdlt.

the class RadixKeyStore method selfSignedCert.

/**
 * Creates a self-signed certificate from the specified key-pair.
 *
 * <p>The validity period for the certificate extends from the current local clock time for the
 * specified validity period in years.
 *
 * @param keyPair The key-pair to create the self-signed certificate for.
 * @param validityYears The validity period in years.
 * @param subjectDN The key's distinguished subject name.
 * @return A self-signed certificate
 * @throws KeyStoreException If an error occurs while building the certificate
 * @throws IOException If an I/O error occurs while building the certificate
 */
@VisibleForTesting
static Certificate selfSignedCert(KeyPair keyPair, int validityYears, String subjectDN) throws KeyStoreException, IOException {
    X500Name dnName = new X500Name(subjectDN);
    LocalDateTime startDate = LocalDateTime.now();
    LocalDateTime endDate = startDate.plusYears(validityYears);
    BigInteger certSerialNumber = BigInteger.valueOf(toDate(startDate).getTime());
    var certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, toDate(startDate), toDate(endDate), dnName, keyPair.getPublic());
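    // cA = true marks the certificate as a CA certificate; the second argument adds the extension as critical
    BasicConstraints basicConstraints = new BasicConstraints(true);
    certBuilder.addExtension(OID_BASIC_CONSTRAINTS, true, basicConstraints);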
    try {
        ContentSigner contentSigner = new JcaContentSignerBuilder(CERT_SIGNATURE_ALG).build(keyPair.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(certBuilder.build(contentSigner));
    } catch (OperatorCreationException | CertificateException ex) {
        throw new KeyStoreException("Error creating certificate", ex);
    }
}
Also used : LocalDateTime(java.time.LocalDateTime) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) CertificateException(java.security.cert.CertificateException) X500Name(org.bouncycastle.asn1.x500.X500Name) KeyStoreException(com.radixdlt.crypto.exception.KeyStoreException) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) BigInteger(java.math.BigInteger) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) VisibleForTesting(com.google.common.annotations.VisibleForTesting)

Example 53 with BasicConstraints

use of org.bouncycastle.asn1.x509.BasicConstraints in project LinLong-Java by zhenwei1108.

the class PKIXCertPathReviewer method checkCRLs.

protected void checkCRLs(PKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, Vector crlDistPointUrls, int index) throws CertPathReviewerException {
    X509CRLStoreSelector crlselect;
    crlselect = new X509CRLStoreSelector();
    try {
        crlselect.addIssuerName(getEncodedIssuerPrincipal(cert).getEncoded());
    } catch (IOException e) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlIssuerException");
        throw new CertPathReviewerException(msg, e);
    }
    crlselect.setCertificateChecking(cert);
    Iterator crl_iter;
    try {
        Collection crl_coll = PKIXCRLUtil.findCRLs(crlselect, paramsPKIX);
        crl_iter = crl_coll.iterator();
        if (crl_coll.isEmpty()) {
            // notification - no local crls found
            crl_coll = PKIXCRLUtil.findCRLs(new X509CRLStoreSelector(), paramsPKIX);
            Iterator it = crl_coll.iterator();
            List nonMatchingCrlNames = new ArrayList();
            while (it.hasNext()) {
                nonMatchingCrlNames.add(((X509CRL) it.next()).getIssuerX500Principal());
            }
            int numbOfCrls = nonMatchingCrlNames.size();
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCrlInCertstore", new Object[] { new UntrustedInput(crlselect.getIssuerNames()), new UntrustedInput(nonMatchingCrlNames), Integers.valueOf(numbOfCrls) });
            addNotification(msg, index);
        }
    } catch (AnnotatedException ae) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlExtractionError", new Object[] { ae.getCause().getMessage(), ae.getCause(), ae.getCause().getClass().getName() });
        addError(msg, index);
        crl_iter = new ArrayList().iterator();
    }
    boolean validCrlFound = false;
    X509CRL crl = null;
    while (crl_iter.hasNext()) {
        crl = (X509CRL) crl_iter.next();
        Date thisUpdate = crl.getThisUpdate();
        Date nextUpdate = crl.getNextUpdate();
        Object[] arguments = new Object[] { new TrustedInput(thisUpdate), new TrustedInput(nextUpdate) };
        if (nextUpdate == null || validDate.before(nextUpdate)) {
            validCrlFound = true;
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.localValidCRL", arguments);
            addNotification(msg, index);
            break;
        }
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.localInvalidCRL", arguments);
        addNotification(msg, index);
    }
    // crl distribution point
    if (!validCrlFound) {
        X500Principal certIssuer = cert.getIssuerX500Principal();
        X509CRL onlineCRL = null;
        Iterator urlIt = crlDistPointUrls.iterator();
        while (urlIt.hasNext()) {
            try {
                String location = (String) urlIt.next();
                onlineCRL = getCRL(location);
                if (onlineCRL != null) {
                    X500Principal crlIssuer = onlineCRL.getIssuerX500Principal();
                    // check if crl issuer is correct
                    if (!certIssuer.equals(crlIssuer)) {
                        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.onlineCRLWrongCA", new Object[] { new UntrustedInput(crlIssuer.getName()), new UntrustedInput(certIssuer.getName()), new UntrustedUrlInput(location) });
                        addNotification(msg, index);
                        continue;
                    }
                    Date thisUpdate = onlineCRL.getThisUpdate();
                    Date nextUpdate = onlineCRL.getNextUpdate();
                    Object[] arguments = new Object[] { new TrustedInput(thisUpdate), new TrustedInput(nextUpdate), new UntrustedUrlInput(location) };
                    if (nextUpdate == null || validDate.before(nextUpdate)) {
                        validCrlFound = true;
                        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.onlineValidCRL", arguments);
                        addNotification(msg, index);
                        crl = onlineCRL;
                        break;
                    }
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.onlineInvalidCRL", arguments);
                    addNotification(msg, index);
                }
            } catch (CertPathReviewerException cpre) {
                addNotification(cpre.getErrorMessage(), index);
            }
        }
    }
    // check the crl
    X509CRLEntry crl_entry;
    if (crl != null) {
        if (sign != null) {
            boolean[] keyUsage = sign.getKeyUsage();
            if (keyUsage != null && (keyUsage.length <= CRL_SIGN || !keyUsage[CRL_SIGN])) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCrlSigningPermited");
                throw new CertPathReviewerException(msg);
            }
        }
        if (workingPublicKey != null) {
            try {
                crl.verify(workingPublicKey, "WeGoo");
            } catch (Exception e) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlVerifyFailed");
                throw new CertPathReviewerException(msg, e);
            }
        } else // issuer public key not known
        {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlNoIssuerPublicKey");
            throw new CertPathReviewerException(msg);
        }
        crl_entry = crl.getRevokedCertificate(cert.getSerialNumber());
        if (crl_entry != null) {
            String reason = null;
            if (crl_entry.hasExtensions()) {
                ASN1Enumerated reasonCode;
                try {
                    reasonCode = ASN1Enumerated.getInstance(getExtensionValue(crl_entry, Extension.reasonCode.getId()));
                } catch (AnnotatedException ae) {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlReasonExtError");
                    throw new CertPathReviewerException(msg, ae);
                }
                if (reasonCode != null) {
                    reason = crlReasons[reasonCode.intValueExact()];
                }
            }
            if (reason == null) {
                // unknown
                reason = crlReasons[7];
            }
            // i18n reason
            LocaleString ls = new LocaleString(RESOURCE_NAME, reason);
            if (!validDate.before(crl_entry.getRevocationDate())) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certRevoked", new Object[] { new TrustedInput(crl_entry.getRevocationDate()), ls });
                throw new CertPathReviewerException(msg);
            } else // cert was revoked after validation date
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.revokedAfterValidation", new Object[] { new TrustedInput(crl_entry.getRevocationDate()), ls });
                addNotification(msg, index);
            }
        } else // cert is not revoked
        {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.notRevoked");
            addNotification(msg, index);
        }
        // 
        // warn if a new crl is available
        // 
        Date nextUpdate = crl.getNextUpdate();
        if (!(nextUpdate == null || validDate.before(nextUpdate))) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlUpdateAvailable", new Object[] { new TrustedInput(nextUpdate) });
            addNotification(msg, index);
        }
        // 
        // check the DeltaCRL indicator, base point and the issuing distribution point
        // 
        ASN1Primitive idp;
        try {
            idp = getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
        } catch (AnnotatedException ae) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.distrPtExtError");
            throw new CertPathReviewerException(msg);
        }
        ASN1Primitive dci;
        try {
            dci = getExtensionValue(crl, DELTA_CRL_INDICATOR);
        } catch (AnnotatedException ae) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.deltaCrlExtError");
            throw new CertPathReviewerException(msg);
        }
        if (dci != null) {
            X509CRLStoreSelector baseSelect = new X509CRLStoreSelector();
            try {
                baseSelect.addIssuerName(getIssuerPrincipal(crl).getEncoded());
            } catch (IOException e) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlIssuerException");
                throw new CertPathReviewerException(msg, e);
            }
            baseSelect.setMinCRLNumber(((ASN1Integer) dci).getPositiveValue());
            try {
                baseSelect.setMaxCRLNumber(((ASN1Integer) getExtensionValue(crl, CRL_NUMBER)).getPositiveValue().subtract(BigInteger.valueOf(1)));
            } catch (AnnotatedException ae) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlNbrExtError");
                throw new CertPathReviewerException(msg, ae);
            }
            boolean foundBase = false;
            Iterator it;
            try {
                it = PKIXCRLUtil.findCRLs(baseSelect, paramsPKIX).iterator();
            } catch (AnnotatedException ae) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlExtractionError");
                throw new CertPathReviewerException(msg, ae);
            }
            while (it.hasNext()) {
                X509CRL base = (X509CRL) it.next();
                ASN1Primitive baseIdp;
                try {
                    baseIdp = getExtensionValue(base, ISSUING_DISTRIBUTION_POINT);
                } catch (AnnotatedException ae) {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.distrPtExtError");
                    throw new CertPathReviewerException(msg, ae);
                }
                if (Objects.areEqual(idp, baseIdp)) {
                    foundBase = true;
                    break;
                }
            }
            if (!foundBase) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noBaseCRL");
                throw new CertPathReviewerException(msg);
            }
        }
        if (idp != null) {
            IssuingDistributionPoint p = IssuingDistributionPoint.getInstance(idp);
            BasicConstraints bc = null;
            try {
                bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS));
            } catch (AnnotatedException ae) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlBCExtError");
                throw new CertPathReviewerException(msg, ae);
            }
            if (p.onlyContainsUserCerts() && (bc != null && bc.isCA())) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlOnlyUserCert");
                throw new CertPathReviewerException(msg);
            }
            if (p.onlyContainsCACerts() && (bc == null || !bc.isCA())) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlOnlyCaCert");
                throw new CertPathReviewerException(msg);
            }
            if (p.onlyContainsAttributeCerts()) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlOnlyAttrCert");
                throw new CertPathReviewerException(msg);
            }
        }
    }
    if (!validCrlFound) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noValidCrlFound");
        throw new CertPathReviewerException(msg);
    }
}
Also used : X509CRL(java.security.cert.X509CRL) IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) ArrayList(java.util.ArrayList) ASN1OctetString(com.github.zhenwei.core.asn1.ASN1OctetString) DEROctetString(com.github.zhenwei.core.asn1.DEROctetString) LocaleString(com.github.zhenwei.core.i18n.LocaleString) ASN1IA5String(com.github.zhenwei.core.asn1.ASN1IA5String) UntrustedUrlInput(com.github.zhenwei.core.i18n.filter.UntrustedUrlInput) X509CRLEntry(java.security.cert.X509CRLEntry) ASN1Enumerated(com.github.zhenwei.core.asn1.ASN1Enumerated) Iterator(java.util.Iterator) TrustedInput(com.github.zhenwei.core.i18n.filter.TrustedInput) List(java.util.List) ArrayList(java.util.ArrayList) UntrustedInput(com.github.zhenwei.core.i18n.filter.UntrustedInput) AnnotatedException(com.github.zhenwei.provider.jce.provider.AnnotatedException) LocaleString(com.github.zhenwei.core.i18n.LocaleString) IOException(java.io.IOException) ASN1Integer(com.github.zhenwei.core.asn1.ASN1Integer) IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) Date(java.util.Date) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) AnnotatedException(com.github.zhenwei.provider.jce.provider.AnnotatedException) SignatureException(java.security.SignatureException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) PKIXNameConstraintValidatorException(com.github.zhenwei.provider.jce.provider.PKIXNameConstraintValidatorException) IOException(java.io.IOException) ErrorBundle(com.github.zhenwei.core.i18n.ErrorBundle) Collection(java.util.Collection) X500Principal(javax.security.auth.x500.X500Principal) 
ASN1TaggedObject(com.github.zhenwei.core.asn1.ASN1TaggedObject) ASN1Primitive(com.github.zhenwei.core.asn1.ASN1Primitive) BasicConstraints(com.github.zhenwei.core.asn1.x509.BasicConstraints)

Example 54 with BasicConstraints

use of org.bouncycastle.asn1.x509.BasicConstraints in project LinLong-Java by zhenwei1108.

the class PKIXCertPathReviewer method checkSignatures.

/*
 * checks:
 * - signatures
 * - name chaining
 * - validity of certificates
 * - todo: if certificate revoked (if specified in the parameters)
 */
private void checkSignatures() {
    // 1.6.1 - Inputs
    // d)
    TrustAnchor trust = null;
    X500Principal trustPrincipal = null;
    // validation date
    {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certPathValidDate", new Object[] { new TrustedInput(validDate), new TrustedInput(currentDate) });
        addNotification(msg);
    }
    // find trust anchors
    try {
        X509Certificate cert = (X509Certificate) certs.get(certs.size() - 1);
        Collection trustColl = getTrustAnchors(cert, pkixParams.getTrustAnchors());
        if (trustColl.size() > 1) {
            // conflicting trust anchors
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.conflictingTrustAnchors", new Object[] { Integers.valueOf(trustColl.size()), new UntrustedInput(cert.getIssuerX500Principal()) });
            addError(msg);
        } else if (trustColl.isEmpty()) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noTrustAnchorFound", new Object[] { new UntrustedInput(cert.getIssuerX500Principal()), Integers.valueOf(pkixParams.getTrustAnchors().size()) });
            addError(msg);
        } else {
            PublicKey trustPublicKey;
            trust = (TrustAnchor) trustColl.iterator().next();
            if (trust.getTrustedCert() != null) {
                trustPublicKey = trust.getTrustedCert().getPublicKey();
            } else {
                trustPublicKey = trust.getCAPublicKey();
            }
            try {
                CertPathValidatorUtilities.verifyX509Certificate(cert, trustPublicKey, pkixParams.getSigProvider());
            } catch (SignatureException e) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustButInvalidCert");
                addError(msg);
            } catch (Exception e) {
                // do nothing, error occurs again later
            }
        }
    } catch (CertPathReviewerException cpre) {
        addError(cpre.getErrorMessage());
    } catch (Throwable t) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.unknown", new Object[] { new UntrustedInput(t.getMessage()), new UntrustedInput(t) });
        addError(msg);
    }
    if (trust != null) {
        // get the name of the trustAnchor
        X509Certificate sign = trust.getTrustedCert();
        try {
            if (sign != null) {
                trustPrincipal = getSubjectPrincipal(sign);
            } else {
                trustPrincipal = new X500Principal(trust.getCAName());
            }
        } catch (IllegalArgumentException ex) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustDNInvalid", new Object[] { new UntrustedInput(trust.getCAName()) });
            addError(msg);
        }
        // test key usages of the trust anchor (key usage bit 5 is keyCertSign)
        if (sign != null) {
            boolean[] ku = sign.getKeyUsage();
            if (ku != null && (ku.length <= 5 || !ku[5])) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustKeyUsage");
                addNotification(msg);
            }
        }
    }
    // 1.6.2 - Initialization
    PublicKey workingPublicKey = null;
    X500Principal workingIssuerName = trustPrincipal;
    X509Certificate sign = null;
    AlgorithmIdentifier workingAlgId = null;
    ASN1ObjectIdentifier workingPublicKeyAlgorithm = null;
    ASN1Encodable workingPublicKeyParameters = null;
    if (trust != null) {
        sign = trust.getTrustedCert();
        if (sign != null) {
            workingPublicKey = sign.getPublicKey();
        } else {
            workingPublicKey = trust.getCAPublicKey();
        }
        try {
            workingAlgId = getAlgorithmIdentifier(workingPublicKey);
            workingPublicKeyAlgorithm = workingAlgId.getAlgorithm();
            workingPublicKeyParameters = workingAlgId.getParameters();
        } catch (CertPathValidatorException ex) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustPubKeyError");
            addError(msg);
            workingAlgId = null;
        }
    }
    // Basic cert checks
    X509Certificate cert = null;
    int i;
    for (int index = certs.size() - 1; index >= 0; index--) {
        // 
        // i as defined in the algorithm description
        // 
        i = n - index;
        // 
        // set certificate to be checked in this round
        // sign and workingPublicKey and workingIssuerName are set
        // at the end of the for loop and initialized the
        // first time from the TrustAnchor
        // 
        cert = (X509Certificate) certs.get(index);
        // verify signature
        if (workingPublicKey != null) {
            try {
                CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey, pkixParams.getSigProvider());
            } catch (GeneralSecurityException ex) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.signatureNotVerified", new Object[] { ex.getMessage(), ex, ex.getClass().getName() });
                addError(msg, index);
            }
        } else if (isSelfIssued(cert)) {
            try {
                CertPathValidatorUtilities.verifyX509Certificate(cert, cert.getPublicKey(), pkixParams.getSigProvider());
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.rootKeyIsValidButNotATrustAnchor");
                addError(msg, index);
            } catch (GeneralSecurityException ex) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.signatureNotVerified", new Object[] { ex.getMessage(), ex, ex.getClass().getName() });
                addError(msg, index);
            }
        } else {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.NoIssuerPublicKey");
            // if there is an authority key extension add the serial and issuer of the missing certificate
            byte[] akiBytes = cert.getExtensionValue(Extension.authorityKeyIdentifier.getId());
            if (akiBytes != null) {
                AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(DEROctetString.getInstance(akiBytes).getOctets());
                GeneralNames issuerNames = aki.getAuthorityCertIssuer();
                if (issuerNames != null) {
                    GeneralName name = issuerNames.getNames()[0];
                    BigInteger serial = aki.getAuthorityCertSerialNumber();
                    if (serial != null) {
                        Object[] extraArgs = { new LocaleString(RESOURCE_NAME, "missingIssuer"), " \"", name, "\" ", new LocaleString(RESOURCE_NAME, "missingSerial"), " ", serial };
                        msg.setExtraArguments(extraArgs);
                    }
                }
            }
            addError(msg, index);
        }
        // certificate valid?
        try {
            cert.checkValidity(validDate);
        } catch (CertificateNotYetValidException cnve) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certificateNotYetValid", new Object[] { new TrustedInput(cert.getNotBefore()) });
            addError(msg, index);
        } catch (CertificateExpiredException cee) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certificateExpired", new Object[] { new TrustedInput(cert.getNotAfter()) });
            addError(msg, index);
        }
        // certificate revoked?
        if (pkixParams.isRevocationEnabled()) {
            // read crl distribution points extension
            CRLDistPoint crlDistPoints = null;
            try {
                ASN1Primitive crl_dp = getExtensionValue(cert, CRL_DIST_POINTS);
                if (crl_dp != null) {
                    crlDistPoints = CRLDistPoint.getInstance(crl_dp);
                }
            } catch (AnnotatedException ae) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlDistPtExtError");
                addError(msg, index);
            }
            // read authority information access extension
            AuthorityInformationAccess authInfoAcc = null;
            try {
                ASN1Primitive auth_info_acc = getExtensionValue(cert, AUTH_INFO_ACCESS);
                if (auth_info_acc != null) {
                    authInfoAcc = AuthorityInformationAccess.getInstance(auth_info_acc);
                }
            } catch (AnnotatedException ae) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlAuthInfoAccError");
                addError(msg, index);
            }
            Vector crlDistPointUrls = getCRLDistUrls(crlDistPoints);
            Vector ocspUrls = getOCSPUrls(authInfoAcc);
            // add notifications with the crl distribution points
            // output crl distribution points
            Iterator urlIt = crlDistPointUrls.iterator();
            while (urlIt.hasNext()) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlDistPoint", new Object[] { new UntrustedUrlInput(urlIt.next()) });
                addNotification(msg, index);
            }
            // output ocsp urls
            urlIt = ocspUrls.iterator();
            while (urlIt.hasNext()) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.ocspLocation", new Object[] { new UntrustedUrlInput(urlIt.next()) });
                addNotification(msg, index);
            }
            // check CRLs
            try {
                checkRevocation(pkixParams, cert, validDate, sign, workingPublicKey, crlDistPointUrls, ocspUrls, index);
            } catch (CertPathReviewerException cpre) {
                addError(cpre.getErrorMessage(), index);
            }
        }
        // certificate issuer correct
        if (workingIssuerName != null && !cert.getIssuerX500Principal().equals(workingIssuerName)) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certWrongIssuer", new Object[] { workingIssuerName.getName(), cert.getIssuerX500Principal().getName() });
            addError(msg, index);
        }
        // every certificate except the last one in the path (i == n) must be a CA certificate
        if (i != n) {
            if (cert != null && cert.getVersion() == 1) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCACert");
                addError(msg, index);
            }
            // k)
            BasicConstraints bc;
            try {
                bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS));
                if (bc != null) {
                    if (!bc.isCA()) {
                        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCACert");
                        addError(msg, index);
                    }
                } else {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noBasicConstraints");
                    addError(msg, index);
                }
            } catch (AnnotatedException ae) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.errorProcesingBC");
                addError(msg, index);
            }
            // n)
            boolean[] keyUsage = cert.getKeyUsage();
            if (keyUsage != null && (keyUsage.length <= KEY_CERT_SIGN || !keyUsage[KEY_CERT_SIGN])) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCertSign");
                addError(msg, index);
            }
        }
        // end if (i != n)
        // set signing certificate for next round
        sign = cert;
        // c) the subject of this certificate is the expected issuer of the next one
        workingIssuerName = cert.getSubjectX500Principal();
        try {
            workingPublicKey = getNextWorkingKey(certs, index);
            workingAlgId = getAlgorithmIdentifier(workingPublicKey);
            workingPublicKeyAlgorithm = workingAlgId.getAlgorithm();
            workingPublicKeyParameters = workingAlgId.getParameters();
        } catch (CertPathValidatorException ex) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.pubKeyError");
            addError(msg, index);
            workingAlgId = null;
            workingPublicKeyAlgorithm = null;
            workingPublicKeyParameters = null;
        }
    }
    // end for
    trustAnchor = trust;
    subjectPublicKey = workingPublicKey;
}
Also used : AuthorityInformationAccess(com.github.zhenwei.core.asn1.x509.AuthorityInformationAccess) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertificateExpiredException(java.security.cert.CertificateExpiredException) AuthorityKeyIdentifier(com.github.zhenwei.core.asn1.x509.AuthorityKeyIdentifier) SignatureException(java.security.SignatureException) UntrustedUrlInput(com.github.zhenwei.core.i18n.filter.UntrustedUrlInput) AlgorithmIdentifier(com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier) TrustedInput(com.github.zhenwei.core.i18n.filter.TrustedInput) Iterator(java.util.Iterator) ASN1Encodable(com.github.zhenwei.core.asn1.ASN1Encodable) UntrustedInput(com.github.zhenwei.core.i18n.filter.UntrustedInput) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint) Vector(java.util.Vector) AnnotatedException(com.github.zhenwei.provider.jce.provider.AnnotatedException) LocaleString(com.github.zhenwei.core.i18n.LocaleString) PublicKey(java.security.PublicKey) GeneralSecurityException(java.security.GeneralSecurityException) TrustAnchor(java.security.cert.TrustAnchor) X509Certificate(java.security.cert.X509Certificate) CertPathValidatorException(java.security.cert.CertPathValidatorException) PKIXNameConstraintValidatorException(com.github.zhenwei.provider.jce.provider.PKIXNameConstraintValidatorException) IOException(java.io.IOException) IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) ErrorBundle(com.github.zhenwei.core.i18n.ErrorBundle) GeneralNames(com.github.zhenwei.core.asn1.x509.GeneralNames) X500Principal(javax.security.auth.x500.X500Principal) Collection(java.util.Collection) BigInteger(java.math.BigInteger) ASN1TaggedObject(com.github.zhenwei.core.asn1.ASN1TaggedObject) GeneralName(com.github.zhenwei.core.asn1.x509.GeneralName) ASN1Primitive(com.github.zhenwei.core.asn1.ASN1Primitive) BasicConstraints(com.github.zhenwei.core.asn1.x509.BasicConstraints) ASN1ObjectIdentifier(com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)

Example 55 with BasicConstraints

use of org.bouncycastle.asn1.x509.BasicConstraints in project LinLong-Java by zhenwei1108.

the class RFC3280CertPathUtilities method processCRLB2.

/**
 * If the complete CRL includes an issuing distribution point (IDP) CRL extension check the
 * following:
 * <p>
 * (i) If the distribution point name is present in the IDP CRL extension and the distribution
 * field is present in the DP, then verify that one of the names in the IDP matches one of the
 * names in the DP. If the distribution point name is present in the IDP CRL extension and the
 * distribution field is omitted from the DP, then verify that one of the names in the IDP matches
 * one of the names in the cRLIssuer field of the DP.
 * </p>
 * <p>
 * (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL extension, verify that the
 * certificate does not include the basic constraints extension with the cA boolean asserted.
 * </p>
 * <p>
 * (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL extension, verify that the
 * certificate includes the basic constraints extension with the cA boolean asserted.
 * </p>
 * <p>
 * (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.
 * </p>
 *
 * @param dp   The distribution point.
 * @param cert The certificate.
 * @param crl  The CRL.
 * @throws AnnotatedException if one of the conditions is not met or an error occurs.
 */
protected static void processCRLB2(DistributionPoint dp, Object cert, X509CRL crl) throws AnnotatedException {
    IssuingDistributionPoint idp = null;
    try {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl, RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    } catch (Exception e) {
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }
    // distribution point name is present
    if (idp != null) {
        if (idp.getDistributionPoint() != null) {
            // make list of names
            DistributionPointName dpName = IssuingDistributionPoint.getInstance(idp).getDistributionPoint();
            List names = new ArrayList();
            if (dpName.getType() == DistributionPointName.FULL_NAME) {
                GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                for (int j = 0; j < genNames.length; j++) {
                    names.add(genNames[j]);
                }
            }
            if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
                ASN1EncodableVector vec = new ASN1EncodableVector();
                try {
                    Enumeration e = ASN1Sequence.getInstance(PrincipalUtils.getIssuerPrincipal(crl)).getObjects();
                    while (e.hasMoreElements()) {
                        vec.add((ASN1Encodable) e.nextElement());
                    }
                } catch (Exception e) {
                    throw new AnnotatedException("Could not read CRL issuer.", e);
                }
                vec.add(dpName.getName());
                names.add(new GeneralName(X500Name.getInstance(new DERSequence(vec))));
            }
            boolean matches = false;
            // verify that one of the names in the IDP matches one of the names in the DP.
            if (dp.getDistributionPoint() != null) {
                dpName = dp.getDistributionPoint();
                GeneralName[] genNames = null;
                if (dpName.getType() == DistributionPointName.FULL_NAME) {
                    genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                }
                if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
                    if (dp.getCRLIssuer() != null) {
                        genNames = dp.getCRLIssuer().getNames();
                    } else {
                        genNames = new GeneralName[1];
                        try {
                            genNames[0] = new GeneralName(PrincipalUtils.getEncodedIssuerPrincipal(cert));
                        } catch (Exception e) {
                            throw new AnnotatedException("Could not read certificate issuer.", e);
                        }
                    }
                    for (int j = 0; j < genNames.length; j++) {
                        Enumeration e = ASN1Sequence.getInstance(genNames[j].getName().toASN1Primitive()).getObjects();
                        ASN1EncodableVector vec = new ASN1EncodableVector();
                        while (e.hasMoreElements()) {
                            vec.add((ASN1Encodable) e.nextElement());
                        }
                        vec.add(dpName.getName());
                        genNames[j] = new GeneralName(X500Name.getInstance(new DERSequence(vec)));
                    }
                }
                if (genNames != null) {
                    for (int j = 0; j < genNames.length; j++) {
                        if (names.contains(genNames[j])) {
                            matches = true;
                            break;
                        }
                    }
                }
                if (!matches) {
                    throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                }
            } else {
                // verify that one of the names in the IDP matches one of the
                // names in the cRLIssuer field of the DP
                if (dp.getCRLIssuer() == null) {
                    throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must " + "be contained in DistributionPoint.");
                }
                GeneralName[] genNames = dp.getCRLIssuer().getNames();
                for (int j = 0; j < genNames.length; j++) {
                    if (names.contains(genNames[j])) {
                        matches = true;
                        break;
                    }
                }
                if (!matches) {
                    throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                }
            }
        }
        BasicConstraints bc = null;
        try {
            bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue((X509Extension) cert, BASIC_CONSTRAINTS));
        } catch (Exception e) {
            throw new AnnotatedException("Basic constraints extension could not be decoded.", e);
        }
        if (cert instanceof X509Certificate) {
            // (b) (2) (ii)
            if (idp.onlyContainsUserCerts() && (bc != null && bc.isCA())) {
                throw new AnnotatedException("CA Cert CRL only contains user certificates.");
            }
            // (b) (2) (iii)
            if (idp.onlyContainsCACerts() && (bc == null || !bc.isCA())) {
                throw new AnnotatedException("End CRL only contains CA certificates.");
            }
        }
        // (b) (2) (iv)
        if (idp.onlyContainsAttributeCerts()) {
            throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
        }
    }
}
Also used : IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) Enumeration(java.util.Enumeration) DistributionPointName(com.github.zhenwei.core.asn1.x509.DistributionPointName) ArrayList(java.util.ArrayList) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) X509Certificate(java.security.cert.X509Certificate) DERSequence(com.github.zhenwei.core.asn1.DERSequence) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector) List(java.util.List) GeneralName(com.github.zhenwei.core.asn1.x509.GeneralName) BasicConstraints(com.github.zhenwei.core.asn1.x509.BasicConstraints)
