Example 1 with CertificatePolicies
use of org.bouncycastle.asn1.x509.CertificatePolicies in project keystore-explorer by kaikramer.
the class X509Ext method getCertificatePoliciesStringValue.
private String getCertificatePoliciesStringValue(byte[] value) throws IOException {
// @formatter:off
/*
* CertificatePolicies ::= ASN1Sequence SIZE (1..MAX) OF PolicyInformation
*
* PolicyInformation ::= ASN1Sequence
* {
* policyIdentifier CertPolicyId,
* policyQualifiers ASN1Sequence SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
* }
*
* CertPolicyId ::= OBJECT IDENTIFIER
*
* PolicyQualifierInfo ::= ASN1Sequence
* {
* policyQualifierId PolicyQualifierId,
* qualifier ANY DEFINED BY policyQualifierId
* }
*
* PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
*
* Qualifier ::= CHOICE
* {
* cPSuri CPSuri,
* userNotice UserNotice
* }
*
* CPSuri ::= DERIA5String
*
* UserNotice ::= ASN1Sequence
* {
* noticeRef NoticeReference OPTIONAL,
* explicitText DisplayText OPTIONAL
* }
*
* NoticeReference ::= ASN1Sequence
* {
* organization DisplayText,
* noticeNumbers ASN1Sequence OF ASN1Integer
* }
*
* DisplayText ::= CHOICE
* {
* ia5String DERIA5String (SIZE (1..200)),
* visibleString VisibleString (SIZE (1..200)),
* bmpString BMPString (SIZE (1..200)),
* utf8String UTF8String (SIZE (1..200))
* }
*/
// @formatter:on
StringBuilder sb = new StringBuilder();
CertificatePolicies certificatePolicies = CertificatePolicies.getInstance(value);
int certPolicy = 0;
for (PolicyInformation policyInformation : certificatePolicies.getPolicyInformation()) {
certPolicy++;
sb.append(MessageFormat.format(res.getString("CertificatePolicy"), certPolicy));
sb.append(NEWLINE);
ASN1ObjectIdentifier policyIdentifier = policyInformation.getPolicyIdentifier();
String policyIdentifierStr = ObjectIdUtil.toString(policyIdentifier);
sb.append(INDENT);
sb.append(MessageFormat.format(res.getString("PolicyIdentifier"), policyIdentifierStr));
sb.append(NEWLINE);
ASN1Sequence policyQualifiers = policyInformation.getPolicyQualifiers();
if (policyQualifiers != null) {
// Optional
int policyQual = 0;
for (ASN1Encodable policyQualifier : policyQualifiers.toArray()) {
ASN1Sequence policyQualifierInfo = (ASN1Sequence) policyQualifier;
sb.append(INDENT.toString(1));
sb.append(MessageFormat.format(res.getString("PolicyQualifierInformation"), certPolicy, ++policyQual));
sb.append(NEWLINE);
ASN1ObjectIdentifier policyQualifierId = (ASN1ObjectIdentifier) policyQualifierInfo.getObjectAt(0);
CertificatePolicyQualifierType certificatePolicyQualifierType = CertificatePolicyQualifierType.resolveOid(policyQualifierId.getId());
if (certificatePolicyQualifierType != null) {
sb.append(INDENT.toString(2));
sb.append(certificatePolicyQualifierType.friendly());
sb.append(NEWLINE);
if (certificatePolicyQualifierType == PKIX_CPS_POINTER_QUALIFIER) {
DERIA5String cpsPointer = (DERIA5String) policyQualifierInfo.getObjectAt(1);
sb.append(INDENT.toString(2));
sb.append(MessageFormat.format(res.getString("CpsPointer"), "<a href=\"" + cpsPointer + "\">" + cpsPointer + "</a>"));
sb.append(NEWLINE);
} else if (certificatePolicyQualifierType == PKIX_USER_NOTICE_QUALIFIER) {
ASN1Encodable userNoticeObj = policyQualifierInfo.getObjectAt(1);
UserNotice userNotice = UserNotice.getInstance(userNoticeObj);
sb.append(INDENT.toString(2));
sb.append(res.getString("UserNotice"));
sb.append(NEWLINE);
NoticeReference noticeReference = userNotice.getNoticeRef();
DisplayText explicitText = userNotice.getExplicitText();
if (noticeReference != null) {
// Optional
sb.append(INDENT.toString(3));
sb.append(res.getString("NoticeReference"));
sb.append(NEWLINE);
DisplayText organization = noticeReference.getOrganization();
String organizationString = organization.getString();
sb.append(INDENT.toString(4));
sb.append(MessageFormat.format(res.getString("Organization"), organizationString));
sb.append(NEWLINE);
ASN1Integer[] noticeNumbers = noticeReference.getNoticeNumbers();
StringBuilder sbNoticeNumbers = new StringBuilder();
for (ASN1Integer noticeNumber : noticeNumbers) {
sbNoticeNumbers.append(noticeNumber.getValue().intValue());
sbNoticeNumbers.append(", ");
}
sbNoticeNumbers.setLength(sbNoticeNumbers.length() - 2);
sb.append(INDENT.toString(4));
sb.append(MessageFormat.format(res.getString("NoticeNumbers"), sbNoticeNumbers.toString()));
sb.append(NEWLINE);
}
if (explicitText != null) {
// Optional
String explicitTextString = explicitText.getString();
sb.append(INDENT.toString(3));
sb.append(MessageFormat.format(res.getString("ExplicitText"), explicitTextString));
sb.append(NEWLINE);
}
}
}
}
}
}
return sb.toString();
}
Also used :
PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation)
UserNotice(org.bouncycastle.asn1.x509.UserNotice)
DERBitString(org.bouncycastle.asn1.DERBitString)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERGeneralString(org.bouncycastle.asn1.DERGeneralString)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
NoticeReference(org.bouncycastle.asn1.x509.NoticeReference)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
CertificatePolicies(org.bouncycastle.asn1.x509.CertificatePolicies)
DisplayText(org.bouncycastle.asn1.x509.DisplayText)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 2 with CertificatePolicies
use of org.bouncycastle.asn1.x509.CertificatePolicies in project xipki by xipki.
the class ProfileConfCreatorDemo method createCertificatePolicies.
private static ExtensionValueType createCertificatePolicies(ASN1ObjectIdentifier... policyOids) {
if (policyOids == null || policyOids.length == 0) {
return null;
}
CertificatePolicies extValue = new CertificatePolicies();
List<CertificatePolicyInformationType> pis = extValue.getCertificatePolicyInformation();
for (ASN1ObjectIdentifier oid : policyOids) {
CertificatePolicyInformationType single = new CertificatePolicyInformationType();
pis.add(single);
single.setPolicyIdentifier(createOidType(oid));
}
return createExtensionValueType(extValue);
}
Also used :
CertificatePolicyInformationType(org.xipki.ca.certprofile.x509.jaxb.CertificatePolicyInformationType)
CertificatePolicies(org.xipki.ca.certprofile.x509.jaxb.CertificatePolicies)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 3 with CertificatePolicies
use of org.bouncycastle.asn1.x509.CertificatePolicies in project xipki by xipki.
the class XmlX509CertprofileUtil method createCertificatePolicies.
public static org.bouncycastle.asn1.x509.CertificatePolicies createCertificatePolicies(List<CertificatePolicyInformation> policyInfos) throws CertprofileException {
ParamUtil.requireNonEmpty("policyInfos", policyInfos);
int size = policyInfos.size();
PolicyInformation[] infos = new PolicyInformation[size];
int idx = 0;
for (CertificatePolicyInformation policyInfo : policyInfos) {
String policyId = policyInfo.getCertPolicyId();
List<CertificatePolicyQualifier> qualifiers = policyInfo.getQualifiers();
ASN1Sequence policyQualifiers = null;
if (CollectionUtil.isNonEmpty(qualifiers)) {
policyQualifiers = createPolicyQualifiers(qualifiers);
}
ASN1ObjectIdentifier policyOid = new ASN1ObjectIdentifier(policyId);
infos[idx++] = (policyQualifiers == null) ? new PolicyInformation(policyOid) : new PolicyInformation(policyOid, policyQualifiers);
}
return new org.bouncycastle.asn1.x509.CertificatePolicies(infos);
}
Also used :
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation)
CertificatePolicyInformation(org.xipki.ca.api.profile.x509.CertificatePolicyInformation)
CertificatePolicyInformation(org.xipki.ca.api.profile.x509.CertificatePolicyInformation)
CertificatePolicies(org.xipki.ca.certprofile.x509.jaxb.CertificatePolicies)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
CertificatePolicyQualifier(org.xipki.ca.api.profile.x509.CertificatePolicyQualifier)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 4 with CertificatePolicies
use of org.bouncycastle.asn1.x509.CertificatePolicies in project xipki by xipki.
the class ExtensionsChecker method checkExtensions.
// constructor
public List<ValidationIssue> checkExtensions(Certificate cert, X509IssuerInfo issuerInfo, Extensions requestedExtensions, X500Name requestedSubject) {
ParamUtil.requireNonNull("cert", cert);
ParamUtil.requireNonNull("issuerInfo", issuerInfo);
X509Certificate jceCert;
try {
jceCert = X509Util.toX509Cert(cert);
} catch (CertificateException ex) {
throw new IllegalArgumentException("invalid cert: " + ex.getMessage());
}
List<ValidationIssue> result = new LinkedList<>();
// detect the list of extension types in certificate
Set<ASN1ObjectIdentifier> presentExtenionTypes = getExensionTypes(cert, issuerInfo, requestedExtensions);
Extensions extensions = cert.getTBSCertificate().getExtensions();
ASN1ObjectIdentifier[] oids = extensions.getExtensionOIDs();
if (oids == null) {
ValidationIssue issue = new ValidationIssue("X509.EXT.GEN", "extension general");
result.add(issue);
issue.setFailureMessage("no extension is present");
return result;
}
List<ASN1ObjectIdentifier> certExtTypes = Arrays.asList(oids);
for (ASN1ObjectIdentifier extType : presentExtenionTypes) {
if (!certExtTypes.contains(extType)) {
ValidationIssue issue = createExtensionIssue(extType);
result.add(issue);
issue.setFailureMessage("extension is absent but is required");
}
}
Map<ASN1ObjectIdentifier, ExtensionControl> extensionControls = certProfile.getExtensionControls();
for (ASN1ObjectIdentifier oid : certExtTypes) {
ValidationIssue issue = createExtensionIssue(oid);
result.add(issue);
if (!presentExtenionTypes.contains(oid)) {
issue.setFailureMessage("extension is present but is not permitted");
continue;
}
Extension ext = extensions.getExtension(oid);
StringBuilder failureMsg = new StringBuilder();
ExtensionControl extControl = extensionControls.get(oid);
if (extControl.isCritical() != ext.isCritical()) {
addViolation(failureMsg, "critical", ext.isCritical(), extControl.isCritical());
}
byte[] extensionValue = ext.getExtnValue().getOctets();
try {
if (Extension.authorityKeyIdentifier.equals(oid)) {
// AuthorityKeyIdentifier
checkExtensionIssuerKeyIdentifier(failureMsg, extensionValue, issuerInfo);
} else if (Extension.subjectKeyIdentifier.equals(oid)) {
// SubjectKeyIdentifier
checkExtensionSubjectKeyIdentifier(failureMsg, extensionValue, cert.getSubjectPublicKeyInfo());
} else if (Extension.keyUsage.equals(oid)) {
// KeyUsage
checkExtensionKeyUsage(failureMsg, extensionValue, jceCert.getKeyUsage(), requestedExtensions, extControl);
} else if (Extension.certificatePolicies.equals(oid)) {
// CertificatePolicies
checkExtensionCertificatePolicies(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.policyMappings.equals(oid)) {
// Policy Mappings
checkExtensionPolicyMappings(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.subjectAlternativeName.equals(oid)) {
// SubjectAltName
checkExtensionSubjectAltName(failureMsg, extensionValue, requestedExtensions, extControl, requestedSubject);
} else if (Extension.subjectDirectoryAttributes.equals(oid)) {
// SubjectDirectoryAttributes
checkExtensionSubjectDirAttrs(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.issuerAlternativeName.equals(oid)) {
// IssuerAltName
checkExtensionIssuerAltNames(failureMsg, extensionValue, issuerInfo);
} else if (Extension.basicConstraints.equals(oid)) {
// Basic Constraints
checkExtensionBasicConstraints(failureMsg, extensionValue);
} else if (Extension.nameConstraints.equals(oid)) {
// Name Constraints
checkExtensionNameConstraints(failureMsg, extensionValue, extensions, extControl);
} else if (Extension.policyConstraints.equals(oid)) {
// PolicyConstrains
checkExtensionPolicyConstraints(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.extendedKeyUsage.equals(oid)) {
// ExtendedKeyUsage
checkExtensionExtendedKeyUsage(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.cRLDistributionPoints.equals(oid)) {
// CRL Distribution Points
checkExtensionCrlDistributionPoints(failureMsg, extensionValue, issuerInfo);
} else if (Extension.inhibitAnyPolicy.equals(oid)) {
// Inhibit anyPolicy
checkExtensionInhibitAnyPolicy(failureMsg, extensionValue, extensions, extControl);
} else if (Extension.freshestCRL.equals(oid)) {
// Freshest CRL
checkExtensionDeltaCrlDistributionPoints(failureMsg, extensionValue, issuerInfo);
} else if (Extension.authorityInfoAccess.equals(oid)) {
// Authority Information Access
checkExtensionAuthorityInfoAccess(failureMsg, extensionValue, issuerInfo);
} else if (Extension.subjectInfoAccess.equals(oid)) {
// SubjectInfoAccess
checkExtensionSubjectInfoAccess(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (ObjectIdentifiers.id_extension_admission.equals(oid)) {
// Admission
checkExtensionAdmission(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (ObjectIdentifiers.id_extension_pkix_ocsp_nocheck.equals(oid)) {
// ocsp-nocheck
checkExtensionOcspNocheck(failureMsg, extensionValue);
} else if (ObjectIdentifiers.id_extension_restriction.equals(oid)) {
// restriction
checkExtensionRestriction(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (ObjectIdentifiers.id_extension_additionalInformation.equals(oid)) {
// additionalInformation
checkExtensionAdditionalInformation(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (ObjectIdentifiers.id_extension_validityModel.equals(oid)) {
// validityModel
checkExtensionValidityModel(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.privateKeyUsagePeriod.equals(oid)) {
// privateKeyUsagePeriod
checkExtensionPrivateKeyUsagePeriod(failureMsg, extensionValue, jceCert.getNotBefore(), jceCert.getNotAfter());
} else if (Extension.qCStatements.equals(oid)) {
// qCStatements
checkExtensionQcStatements(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.biometricInfo.equals(oid)) {
// biometricInfo
checkExtensionBiometricInfo(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (ObjectIdentifiers.id_pe_tlsfeature.equals(oid)) {
// tlsFeature
checkExtensionTlsFeature(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (ObjectIdentifiers.id_xipki_ext_authorizationTemplate.equals(oid)) {
// authorizationTemplate
checkExtensionAuthorizationTemplate(failureMsg, extensionValue, requestedExtensions, extControl);
} else {
byte[] expected;
if (ObjectIdentifiers.id_smimeCapabilities.equals(oid)) {
// SMIMECapabilities
expected = smimeCapabilities.getValue();
} else {
expected = getExpectedExtValue(oid, requestedExtensions, extControl);
}
if (!Arrays.equals(expected, extensionValue)) {
addViolation(failureMsg, "extension valus", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
}
}
if (failureMsg.length() > 0) {
issue.setFailureMessage(failureMsg.toString());
}
} catch (IllegalArgumentException | ClassCastException | ArrayIndexOutOfBoundsException ex) {
LOG.debug("extension value does not have correct syntax", ex);
issue.setFailureMessage("extension value does not have correct syntax");
}
}
return result;
}
Also used :
CertificateException(java.security.cert.CertificateException)
Extensions(org.bouncycastle.asn1.x509.Extensions)
ValidationIssue(org.xipki.common.qa.ValidationIssue)
X509Certificate(java.security.cert.X509Certificate)
LinkedList(java.util.LinkedList)
Extension(org.bouncycastle.asn1.x509.Extension)
ExtensionControl(org.xipki.ca.api.profile.ExtensionControl)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 5 with CertificatePolicies
use of org.bouncycastle.asn1.x509.CertificatePolicies in project keystore-explorer by kaikramer.
the class DCertificatePolicies method prepopulateWithValue.
private void prepopulateWithValue(byte[] value) throws IOException {
CertificatePolicies certificatePolicies = CertificatePolicies.getInstance(value);
List<PolicyInformation> accessDescriptionList = new ArrayList<PolicyInformation>(Arrays.asList(certificatePolicies.getPolicyInformation()));
jpiCertificatePolicies.setPolicyInformation(accessDescriptionList);
}
Also used :
CertificatePolicies(org.bouncycastle.asn1.x509.CertificatePolicies)
PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation)
JPolicyInformation(org.kse.gui.crypto.policyinformation.JPolicyInformation)
ArrayList(java.util.ArrayList)
Aggregations
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)10
PolicyInformation (org.bouncycastle.asn1.x509.PolicyInformation)6
DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)5
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)4
DERIA5String (org.bouncycastle.asn1.DERIA5String)4
CertificatePolicies (org.xipki.ca.certprofile.x509.jaxb.CertificatePolicies)4
CertificateException (java.security.cert.CertificateException)3
ArrayList (java.util.ArrayList)3
LinkedList (java.util.LinkedList)3
ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)3
DEROctetString (org.bouncycastle.asn1.DEROctetString)3
DERPrintableString (org.bouncycastle.asn1.DERPrintableString)3
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)3
CertificatePolicies (org.bouncycastle.asn1.x509.CertificatePolicies)3
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)3
Extension (org.bouncycastle.asn1.x509.Extension)3
CertificatePolicyInformation (org.xipki.ca.api.profile.x509.CertificatePolicyInformation)3
IOException (java.io.IOException)2
X509Certificate (java.security.cert.X509Certificate)2
HashSet (java.util.HashSet)2
