Search in sources :

Example 1 with CertificatePolicies

use of org.bouncycastle.asn1.x509.CertificatePolicies in project keystore-explorer by kaikramer.

the class X509Ext method getCertificatePoliciesStringValue.

private String getCertificatePoliciesStringValue(byte[] value) throws IOException {
    // @formatter:off
    /*
		 * CertificatePolicies ::= ASN1Sequence SIZE (1..MAX) OF PolicyInformation
		 *
		 * PolicyInformation ::= ASN1Sequence
		 * {
		 *      policyIdentifier CertPolicyId,
		 *      policyQualifiers ASN1Sequence SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
		 * }
		 *
		 * CertPolicyId ::= OBJECT IDENTIFIER
		 *
		 * PolicyQualifierInfo ::= ASN1Sequence
		 * {
		 *      policyQualifierId PolicyQualifierId,
		 *      qualifier ANY DEFINED BY policyQualifierId
		 * }
		 *
		 * PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
		 *
		 * Qualifier ::= CHOICE
		 * {
		 *      cPSuri CPSuri,
		 *      userNotice UserNotice
		 * }
		 *
		 * CPSuri ::= DERIA5String
		 *
		 * UserNotice ::= ASN1Sequence
		 * {
		 *      noticeRef NoticeReference OPTIONAL,
		 *      explicitText DisplayText OPTIONAL
		 * }
		 *
		 * NoticeReference ::= ASN1Sequence
		 * {
		 *      organization DisplayText,
		 *      noticeNumbers ASN1Sequence OF ASN1Integer
		 * }
		 *
		 * DisplayText ::= CHOICE
		 * {
		 *      ia5String DERIA5String (SIZE (1..200)),
		 *      visibleString VisibleString (SIZE (1..200)),
		 *      bmpString BMPString (SIZE (1..200)),
		 *      utf8String UTF8String (SIZE (1..200))
		 * }
		 */
    // @formatter:on
    StringBuilder sb = new StringBuilder();
    CertificatePolicies certificatePolicies = CertificatePolicies.getInstance(value);
    int certPolicy = 0;
    for (PolicyInformation policyInformation : certificatePolicies.getPolicyInformation()) {
        certPolicy++;
        sb.append(MessageFormat.format(res.getString("CertificatePolicy"), certPolicy));
        sb.append(NEWLINE);
        ASN1ObjectIdentifier policyIdentifier = policyInformation.getPolicyIdentifier();
        String policyIdentifierStr = ObjectIdUtil.toString(policyIdentifier);
        sb.append(INDENT);
        sb.append(MessageFormat.format(res.getString("PolicyIdentifier"), policyIdentifierStr));
        sb.append(NEWLINE);
        ASN1Sequence policyQualifiers = policyInformation.getPolicyQualifiers();
        if (policyQualifiers != null) {
            // Optional
            int policyQual = 0;
            for (ASN1Encodable policyQualifier : policyQualifiers.toArray()) {
                ASN1Sequence policyQualifierInfo = (ASN1Sequence) policyQualifier;
                sb.append(INDENT.toString(1));
                sb.append(MessageFormat.format(res.getString("PolicyQualifierInformation"), certPolicy, ++policyQual));
                sb.append(NEWLINE);
                ASN1ObjectIdentifier policyQualifierId = (ASN1ObjectIdentifier) policyQualifierInfo.getObjectAt(0);
                CertificatePolicyQualifierType certificatePolicyQualifierType = CertificatePolicyQualifierType.resolveOid(policyQualifierId.getId());
                if (certificatePolicyQualifierType != null) {
                    sb.append(INDENT.toString(2));
                    sb.append(certificatePolicyQualifierType.friendly());
                    sb.append(NEWLINE);
                    if (certificatePolicyQualifierType == PKIX_CPS_POINTER_QUALIFIER) {
                        DERIA5String cpsPointer = (DERIA5String) policyQualifierInfo.getObjectAt(1);
                        sb.append(INDENT.toString(2));
                        sb.append(MessageFormat.format(res.getString("CpsPointer"), "<a href=\"" + cpsPointer + "\">" + cpsPointer + "</a>"));
                        sb.append(NEWLINE);
                    } else if (certificatePolicyQualifierType == PKIX_USER_NOTICE_QUALIFIER) {
                        ASN1Encodable userNoticeObj = policyQualifierInfo.getObjectAt(1);
                        UserNotice userNotice = UserNotice.getInstance(userNoticeObj);
                        sb.append(INDENT.toString(2));
                        sb.append(res.getString("UserNotice"));
                        sb.append(NEWLINE);
                        NoticeReference noticeReference = userNotice.getNoticeRef();
                        DisplayText explicitText = userNotice.getExplicitText();
                        if (noticeReference != null) {
                            // Optional
                            sb.append(INDENT.toString(3));
                            sb.append(res.getString("NoticeReference"));
                            sb.append(NEWLINE);
                            DisplayText organization = noticeReference.getOrganization();
                            String organizationString = organization.getString();
                            sb.append(INDENT.toString(4));
                            sb.append(MessageFormat.format(res.getString("Organization"), organizationString));
                            sb.append(NEWLINE);
                            ASN1Integer[] noticeNumbers = noticeReference.getNoticeNumbers();
                            StringBuilder sbNoticeNumbers = new StringBuilder();
                            for (ASN1Integer noticeNumber : noticeNumbers) {
                                sbNoticeNumbers.append(noticeNumber.getValue().intValue());
                                sbNoticeNumbers.append(", ");
                            }
                            sbNoticeNumbers.setLength(sbNoticeNumbers.length() - 2);
                            sb.append(INDENT.toString(4));
                            sb.append(MessageFormat.format(res.getString("NoticeNumbers"), sbNoticeNumbers.toString()));
                            sb.append(NEWLINE);
                        }
                        if (explicitText != null) {
                            // Optional
                            String explicitTextString = explicitText.getString();
                            sb.append(INDENT.toString(3));
                            sb.append(MessageFormat.format(res.getString("ExplicitText"), explicitTextString));
                            sb.append(NEWLINE);
                        }
                    }
                }
            }
        }
    }
    return sb.toString();
}
Also used : PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) UserNotice(org.bouncycastle.asn1.x509.UserNotice) DERBitString(org.bouncycastle.asn1.DERBitString) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERBMPString(org.bouncycastle.asn1.DERBMPString) DERGeneralString(org.bouncycastle.asn1.DERGeneralString) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERIA5String(org.bouncycastle.asn1.DERIA5String) NoticeReference(org.bouncycastle.asn1.x509.NoticeReference) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) DERIA5String(org.bouncycastle.asn1.DERIA5String) CertificatePolicies(org.bouncycastle.asn1.x509.CertificatePolicies) DisplayText(org.bouncycastle.asn1.x509.DisplayText) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 2 with CertificatePolicies

use of org.bouncycastle.asn1.x509.CertificatePolicies in project xipki by xipki.

the class ProfileConfCreatorDemo method createCertificatePolicies.

private static ExtensionValueType createCertificatePolicies(ASN1ObjectIdentifier... policyOids) {
    if (policyOids == null || policyOids.length == 0) {
        return null;
    }
    CertificatePolicies extValue = new CertificatePolicies();
    List<CertificatePolicyInformationType> pis = extValue.getCertificatePolicyInformation();
    for (ASN1ObjectIdentifier oid : policyOids) {
        CertificatePolicyInformationType single = new CertificatePolicyInformationType();
        pis.add(single);
        single.setPolicyIdentifier(createOidType(oid));
    }
    return createExtensionValueType(extValue);
}
Also used : CertificatePolicyInformationType(org.xipki.ca.certprofile.x509.jaxb.CertificatePolicyInformationType) CertificatePolicies(org.xipki.ca.certprofile.x509.jaxb.CertificatePolicies) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 3 with CertificatePolicies

use of org.bouncycastle.asn1.x509.CertificatePolicies in project xipki by xipki.

the class XmlX509CertprofileUtil method createCertificatePolicies.

public static org.bouncycastle.asn1.x509.CertificatePolicies createCertificatePolicies(List<CertificatePolicyInformation> policyInfos) throws CertprofileException {
    ParamUtil.requireNonEmpty("policyInfos", policyInfos);
    int size = policyInfos.size();
    PolicyInformation[] infos = new PolicyInformation[size];
    int idx = 0;
    for (CertificatePolicyInformation policyInfo : policyInfos) {
        String policyId = policyInfo.getCertPolicyId();
        List<CertificatePolicyQualifier> qualifiers = policyInfo.getQualifiers();
        ASN1Sequence policyQualifiers = null;
        if (CollectionUtil.isNonEmpty(qualifiers)) {
            policyQualifiers = createPolicyQualifiers(qualifiers);
        }
        ASN1ObjectIdentifier policyOid = new ASN1ObjectIdentifier(policyId);
        infos[idx++] = (policyQualifiers == null) ? new PolicyInformation(policyOid) : new PolicyInformation(policyOid, policyQualifiers);
    }
    return new org.bouncycastle.asn1.x509.CertificatePolicies(infos);
}
Also used : ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) CertificatePolicyInformation(org.xipki.ca.api.profile.x509.CertificatePolicyInformation) CertificatePolicyInformation(org.xipki.ca.api.profile.x509.CertificatePolicyInformation) CertificatePolicies(org.xipki.ca.certprofile.x509.jaxb.CertificatePolicies) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) CertificatePolicyQualifier(org.xipki.ca.api.profile.x509.CertificatePolicyQualifier) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 4 with CertificatePolicies

use of org.bouncycastle.asn1.x509.CertificatePolicies in project xipki by xipki.

the class ExtensionsChecker method checkExtensions.

// constructor
public List<ValidationIssue> checkExtensions(Certificate cert, X509IssuerInfo issuerInfo, Extensions requestedExtensions, X500Name requestedSubject) {
    ParamUtil.requireNonNull("cert", cert);
    ParamUtil.requireNonNull("issuerInfo", issuerInfo);
    X509Certificate jceCert;
    try {
        jceCert = X509Util.toX509Cert(cert);
    } catch (CertificateException ex) {
        throw new IllegalArgumentException("invalid cert: " + ex.getMessage());
    }
    List<ValidationIssue> result = new LinkedList<>();
    // detect the list of extension types in certificate
    Set<ASN1ObjectIdentifier> presentExtenionTypes = getExensionTypes(cert, issuerInfo, requestedExtensions);
    Extensions extensions = cert.getTBSCertificate().getExtensions();
    ASN1ObjectIdentifier[] oids = extensions.getExtensionOIDs();
    if (oids == null) {
        ValidationIssue issue = new ValidationIssue("X509.EXT.GEN", "extension general");
        result.add(issue);
        issue.setFailureMessage("no extension is present");
        return result;
    }
    List<ASN1ObjectIdentifier> certExtTypes = Arrays.asList(oids);
    for (ASN1ObjectIdentifier extType : presentExtenionTypes) {
        if (!certExtTypes.contains(extType)) {
            ValidationIssue issue = createExtensionIssue(extType);
            result.add(issue);
            issue.setFailureMessage("extension is absent but is required");
        }
    }
    Map<ASN1ObjectIdentifier, ExtensionControl> extensionControls = certProfile.getExtensionControls();
    for (ASN1ObjectIdentifier oid : certExtTypes) {
        ValidationIssue issue = createExtensionIssue(oid);
        result.add(issue);
        if (!presentExtenionTypes.contains(oid)) {
            issue.setFailureMessage("extension is present but is not permitted");
            continue;
        }
        Extension ext = extensions.getExtension(oid);
        StringBuilder failureMsg = new StringBuilder();
        ExtensionControl extControl = extensionControls.get(oid);
        if (extControl.isCritical() != ext.isCritical()) {
            addViolation(failureMsg, "critical", ext.isCritical(), extControl.isCritical());
        }
        byte[] extensionValue = ext.getExtnValue().getOctets();
        try {
            if (Extension.authorityKeyIdentifier.equals(oid)) {
                // AuthorityKeyIdentifier
                checkExtensionIssuerKeyIdentifier(failureMsg, extensionValue, issuerInfo);
            } else if (Extension.subjectKeyIdentifier.equals(oid)) {
                // SubjectKeyIdentifier
                checkExtensionSubjectKeyIdentifier(failureMsg, extensionValue, cert.getSubjectPublicKeyInfo());
            } else if (Extension.keyUsage.equals(oid)) {
                // KeyUsage
                checkExtensionKeyUsage(failureMsg, extensionValue, jceCert.getKeyUsage(), requestedExtensions, extControl);
            } else if (Extension.certificatePolicies.equals(oid)) {
                // CertificatePolicies
                checkExtensionCertificatePolicies(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.policyMappings.equals(oid)) {
                // Policy Mappings
                checkExtensionPolicyMappings(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.subjectAlternativeName.equals(oid)) {
                // SubjectAltName
                checkExtensionSubjectAltName(failureMsg, extensionValue, requestedExtensions, extControl, requestedSubject);
            } else if (Extension.subjectDirectoryAttributes.equals(oid)) {
                // SubjectDirectoryAttributes
                checkExtensionSubjectDirAttrs(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.issuerAlternativeName.equals(oid)) {
                // IssuerAltName
                checkExtensionIssuerAltNames(failureMsg, extensionValue, issuerInfo);
            } else if (Extension.basicConstraints.equals(oid)) {
                // Basic Constraints
                checkExtensionBasicConstraints(failureMsg, extensionValue);
            } else if (Extension.nameConstraints.equals(oid)) {
                // Name Constraints
                checkExtensionNameConstraints(failureMsg, extensionValue, extensions, extControl);
            } else if (Extension.policyConstraints.equals(oid)) {
                // PolicyConstrains
                checkExtensionPolicyConstraints(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.extendedKeyUsage.equals(oid)) {
                // ExtendedKeyUsage
                checkExtensionExtendedKeyUsage(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.cRLDistributionPoints.equals(oid)) {
                // CRL Distribution Points
                checkExtensionCrlDistributionPoints(failureMsg, extensionValue, issuerInfo);
            } else if (Extension.inhibitAnyPolicy.equals(oid)) {
                // Inhibit anyPolicy
                checkExtensionInhibitAnyPolicy(failureMsg, extensionValue, extensions, extControl);
            } else if (Extension.freshestCRL.equals(oid)) {
                // Freshest CRL
                checkExtensionDeltaCrlDistributionPoints(failureMsg, extensionValue, issuerInfo);
            } else if (Extension.authorityInfoAccess.equals(oid)) {
                // Authority Information Access
                checkExtensionAuthorityInfoAccess(failureMsg, extensionValue, issuerInfo);
            } else if (Extension.subjectInfoAccess.equals(oid)) {
                // SubjectInfoAccess
                checkExtensionSubjectInfoAccess(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (ObjectIdentifiers.id_extension_admission.equals(oid)) {
                // Admission
                checkExtensionAdmission(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (ObjectIdentifiers.id_extension_pkix_ocsp_nocheck.equals(oid)) {
                // ocsp-nocheck
                checkExtensionOcspNocheck(failureMsg, extensionValue);
            } else if (ObjectIdentifiers.id_extension_restriction.equals(oid)) {
                // restriction
                checkExtensionRestriction(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (ObjectIdentifiers.id_extension_additionalInformation.equals(oid)) {
                // additionalInformation
                checkExtensionAdditionalInformation(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (ObjectIdentifiers.id_extension_validityModel.equals(oid)) {
                // validityModel
                checkExtensionValidityModel(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.privateKeyUsagePeriod.equals(oid)) {
                // privateKeyUsagePeriod
                checkExtensionPrivateKeyUsagePeriod(failureMsg, extensionValue, jceCert.getNotBefore(), jceCert.getNotAfter());
            } else if (Extension.qCStatements.equals(oid)) {
                // qCStatements
                checkExtensionQcStatements(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (Extension.biometricInfo.equals(oid)) {
                // biometricInfo
                checkExtensionBiometricInfo(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (ObjectIdentifiers.id_pe_tlsfeature.equals(oid)) {
                // tlsFeature
                checkExtensionTlsFeature(failureMsg, extensionValue, requestedExtensions, extControl);
            } else if (ObjectIdentifiers.id_xipki_ext_authorizationTemplate.equals(oid)) {
                // authorizationTemplate
                checkExtensionAuthorizationTemplate(failureMsg, extensionValue, requestedExtensions, extControl);
            } else {
                byte[] expected;
                if (ObjectIdentifiers.id_smimeCapabilities.equals(oid)) {
                    // SMIMECapabilities
                    expected = smimeCapabilities.getValue();
                } else {
                    expected = getExpectedExtValue(oid, requestedExtensions, extControl);
                }
                if (!Arrays.equals(expected, extensionValue)) {
                    addViolation(failureMsg, "extension valus", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
                }
            }
            if (failureMsg.length() > 0) {
                issue.setFailureMessage(failureMsg.toString());
            }
        } catch (IllegalArgumentException | ClassCastException | ArrayIndexOutOfBoundsException ex) {
            LOG.debug("extension value does not have correct syntax", ex);
            issue.setFailureMessage("extension value does not have correct syntax");
        }
    }
    return result;
}
Also used : CertificateException(java.security.cert.CertificateException) Extensions(org.bouncycastle.asn1.x509.Extensions) ValidationIssue(org.xipki.common.qa.ValidationIssue) X509Certificate(java.security.cert.X509Certificate) LinkedList(java.util.LinkedList) Extension(org.bouncycastle.asn1.x509.Extension) ExtensionControl(org.xipki.ca.api.profile.ExtensionControl) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 5 with CertificatePolicies

use of org.bouncycastle.asn1.x509.CertificatePolicies in project keystore-explorer by kaikramer.

the class DCertificatePolicies method prepopulateWithValue.

private void prepopulateWithValue(byte[] value) throws IOException {
    CertificatePolicies certificatePolicies = CertificatePolicies.getInstance(value);
    List<PolicyInformation> accessDescriptionList = new ArrayList<PolicyInformation>(Arrays.asList(certificatePolicies.getPolicyInformation()));
    jpiCertificatePolicies.setPolicyInformation(accessDescriptionList);
}
Also used : CertificatePolicies(org.bouncycastle.asn1.x509.CertificatePolicies) PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) JPolicyInformation(org.kse.gui.crypto.policyinformation.JPolicyInformation) ArrayList(java.util.ArrayList)

Aggregations

ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)10 PolicyInformation (org.bouncycastle.asn1.x509.PolicyInformation)6 DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)5 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)4 DERIA5String (org.bouncycastle.asn1.DERIA5String)4 CertificatePolicies (org.xipki.ca.certprofile.x509.jaxb.CertificatePolicies)4 CertificateException (java.security.cert.CertificateException)3 ArrayList (java.util.ArrayList)3 LinkedList (java.util.LinkedList)3 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)3 DEROctetString (org.bouncycastle.asn1.DEROctetString)3 DERPrintableString (org.bouncycastle.asn1.DERPrintableString)3 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)3 CertificatePolicies (org.bouncycastle.asn1.x509.CertificatePolicies)3 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)3 Extension (org.bouncycastle.asn1.x509.Extension)3 CertificatePolicyInformation (org.xipki.ca.api.profile.x509.CertificatePolicyInformation)3 IOException (java.io.IOException)2 X509Certificate (java.security.cert.X509Certificate)2 HashSet (java.util.HashSet)2