Example 11 with CertificatePolicies
use of org.bouncycastle.asn1.x509.CertificatePolicies in project xipki by xipki.
the class ProfileConfCreatorDemo method certprofileGsmcK.
// method certprofileTlsWithIncSerial
private static X509ProfileType certprofileGsmcK() throws Exception {
X509ProfileType profile = getBaseProfile("certprofile gsmc-k", X509CertLevel.EndEntity, "5y", false);
// SpecialBehavior
profile.setSpecialBehavior(SpecialX509CertprofileBehavior.gematik_gSMC_K.name());
// Maximal life time
Parameters profileParams = new Parameters();
profile.setParameters(profileParams);
NameValueType nv = new NameValueType();
nv.setName(SpecialX509CertprofileBehavior.PARAMETER_MAXLIFTIME);
nv.setValue(Integer.toString(20 * 365));
profileParams.getParameter().add(nv);
// Subject
Subject subject = profile.getSubject();
subject.setDuplicateSubjectPermitted(true);
subject.setIncSerialNumber(false);
List<RdnType> rdnControls = subject.getRdn();
rdnControls.add(createRdn(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE" }, null, null));
rdnControls.add(createRdn(ObjectIdentifiers.DN_O, 1, 1));
rdnControls.add(createRdn(ObjectIdentifiers.DN_OU, 0, 1));
rdnControls.add(createRdn(ObjectIdentifiers.DN_ST, 0, 1));
rdnControls.add(createRdn(ObjectIdentifiers.DN_L, 0, 1));
rdnControls.add(createRdn(ObjectIdentifiers.DN_POSTAL_CODE, 0, 1));
rdnControls.add(createRdn(ObjectIdentifiers.DN_STREET, 0, 1));
// regex: ICCSN-yyyyMMdd
String regex = "80276[\\d]{15,15}-20\\d\\d(0[1-9]|1[012])(0[1-9]|[12][0-9]|3[01])";
rdnControls.add(createRdn(ObjectIdentifiers.DN_CN, 1, 1, new String[] { regex }, null, null));
// Extensions
ExtensionsType extensions = profile.getExtensions();
List<ExtensionType> list = extensions.getExtension();
list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null));
list.add(createExtension(Extension.cRLDistributionPoints, false, false, null));
// Extensions - basicConstraints
ExtensionValueType extensionValue = null;
list.add(createExtension(Extension.basicConstraints, true, true, extensionValue));
// Extensions - AuthorityInfoAccess
extensionValue = createAuthorityInfoAccess();
list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue));
// Extensions - AuthorityKeyIdentifier
extensionValue = createAuthorityKeyIdentifier(true);
list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue));
// Extensions - keyUsage
extensionValue = createKeyUsages(new KeyUsageEnum[] { KeyUsageEnum.DIGITAL_SIGNATURE, KeyUsageEnum.KEY_ENCIPHERMENT }, null);
list.add(createExtension(Extension.keyUsage, true, true, extensionValue));
// Extensions - extenedKeyUsage
extensionValue = createExtendedKeyUsage(new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_serverAuth }, new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_clientAuth });
list.add(createExtension(Extension.extendedKeyUsage, true, false, extensionValue));
// Extensions - Policy
CertificatePolicies policies = new CertificatePolicies();
ASN1ObjectIdentifier[] policyIds = new ASN1ObjectIdentifier[] { ID_GEMATIK.branch("79"), ID_GEMATIK.branch("163") };
for (ASN1ObjectIdentifier id : policyIds) {
CertificatePolicyInformationType policyInfo = new CertificatePolicyInformationType();
policies.getCertificatePolicyInformation().add(policyInfo);
policyInfo.setPolicyIdentifier(createOidType(id));
}
extensionValue = createExtensionValueType(policies);
list.add(createExtension(Extension.certificatePolicies, true, false, extensionValue));
// Extension - Admission
AdmissionSyntax admissionSyntax = new AdmissionSyntax();
AdmissionsType admissions = new AdmissionsType();
admissionSyntax.getContentsOfAdmissions().add(admissions);
ProfessionInfoType pi = new ProfessionInfoType();
admissions.getProfessionInfo().add(pi);
pi.getProfessionOid().add(createOidType(ID_GEMATIK.branch("103")));
pi.getProfessionItem().add("Anwendungskonnektor");
extensionValue = createExtensionValueType(admissionSyntax);
// check the syntax
XmlX509CertprofileUtil.buildAdmissionSyntax(false, admissionSyntax);
list.add(createExtension(ObjectIdentifiers.id_extension_admission, true, false, extensionValue));
// SubjectAltNames
extensionValue = null;
list.add(createExtension(Extension.subjectAlternativeName, false, false, extensionValue));
return profile;
}
Also used :
DSAParameters(org.xipki.ca.certprofile.x509.jaxb.DSAParameters)
RSAParameters(org.xipki.ca.certprofile.x509.jaxb.RSAParameters)
ECParameters(org.xipki.ca.certprofile.x509.jaxb.ECParameters)
Parameters(org.xipki.ca.certprofile.x509.jaxb.X509ProfileType.Parameters)
NameValueType(org.xipki.ca.certprofile.x509.jaxb.NameValueType)
X509ProfileType(org.xipki.ca.certprofile.x509.jaxb.X509ProfileType)
ExtensionValueType(org.xipki.ca.certprofile.x509.jaxb.ExtensionValueType)
Subject(org.xipki.ca.certprofile.x509.jaxb.X509ProfileType.Subject)
RdnType(org.xipki.ca.certprofile.x509.jaxb.RdnType)
KeyUsageEnum(org.xipki.ca.certprofile.x509.jaxb.KeyUsageEnum)
AdmissionsType(org.xipki.ca.certprofile.x509.jaxb.AdmissionsType)
CertificatePolicyInformationType(org.xipki.ca.certprofile.x509.jaxb.CertificatePolicyInformationType)
CertificatePolicies(org.xipki.ca.certprofile.x509.jaxb.CertificatePolicies)
AdmissionSyntax(org.xipki.ca.certprofile.x509.jaxb.AdmissionSyntax)
ExtensionsType(org.xipki.ca.certprofile.x509.jaxb.ExtensionsType)
ExtensionType(org.xipki.ca.certprofile.x509.jaxb.ExtensionType)
TlsExtensionType(org.xipki.security.TlsExtensionType)
ProfessionInfoType(org.xipki.ca.certprofile.x509.jaxb.ProfessionInfoType)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 12 with CertificatePolicies
use of org.bouncycastle.asn1.x509.CertificatePolicies in project xipki by xipki.
the class ExtensionsChecker method getExensionTypes.
// getExpectedExtValue
private Set<ASN1ObjectIdentifier> getExensionTypes(Certificate cert, X509IssuerInfo issuerInfo, Extensions requestedExtensions) {
Set<ASN1ObjectIdentifier> types = new HashSet<>();
// profile required extension types
Map<ASN1ObjectIdentifier, ExtensionControl> extensionControls = certProfile.getExtensionControls();
for (ASN1ObjectIdentifier oid : extensionControls.keySet()) {
if (extensionControls.get(oid).isRequired()) {
types.add(oid);
}
}
Set<ASN1ObjectIdentifier> wantedExtensionTypes = new HashSet<>();
if (requestedExtensions != null) {
Extension reqExtension = requestedExtensions.getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions);
if (reqExtension != null) {
ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue());
types.addAll(ee.getNeedExtensions());
wantedExtensionTypes.addAll(ee.getWantExtensions());
}
}
if (CollectionUtil.isEmpty(wantedExtensionTypes)) {
return types;
}
// wanted extension types
// Authority key identifier
ASN1ObjectIdentifier type = Extension.authorityKeyIdentifier;
if (wantedExtensionTypes.contains(type)) {
types.add(type);
}
// Subject key identifier
type = Extension.subjectKeyIdentifier;
if (wantedExtensionTypes.contains(type)) {
types.add(type);
}
// KeyUsage
type = Extension.keyUsage;
if (wantedExtensionTypes.contains(type)) {
boolean required = false;
if (requestedExtensions != null && requestedExtensions.getExtension(type) != null) {
required = true;
}
if (!required) {
Set<KeyUsageControl> requiredKeyusage = getKeyusage(true);
if (CollectionUtil.isNonEmpty(requiredKeyusage)) {
required = true;
}
}
if (required) {
types.add(type);
}
}
// CertificatePolicies
type = Extension.certificatePolicies;
if (wantedExtensionTypes.contains(type)) {
if (certificatePolicies != null) {
types.add(type);
}
}
// Policy Mappings
type = Extension.policyMappings;
if (wantedExtensionTypes.contains(type)) {
if (policyMappings != null) {
types.add(type);
}
}
// SubjectAltNames
type = Extension.subjectAlternativeName;
if (wantedExtensionTypes.contains(type)) {
if (requestedExtensions != null && requestedExtensions.getExtension(type) != null) {
types.add(type);
}
}
// IssuerAltName
type = Extension.issuerAlternativeName;
if (wantedExtensionTypes.contains(type)) {
if (cert.getTBSCertificate().getExtensions().getExtension(Extension.subjectAlternativeName) != null) {
types.add(type);
}
}
// BasicConstraints
type = Extension.basicConstraints;
if (wantedExtensionTypes.contains(type)) {
types.add(type);
}
// Name Constraints
type = Extension.nameConstraints;
if (wantedExtensionTypes.contains(type)) {
if (nameConstraints != null) {
types.add(type);
}
}
// PolicyConstrains
type = Extension.policyConstraints;
if (wantedExtensionTypes.contains(type)) {
if (policyConstraints != null) {
types.add(type);
}
}
// ExtendedKeyUsage
type = Extension.extendedKeyUsage;
if (wantedExtensionTypes.contains(type)) {
boolean required = false;
if (requestedExtensions != null && requestedExtensions.getExtension(type) != null) {
required = true;
}
if (!required) {
Set<ExtKeyUsageControl> requiredExtKeyusage = getExtKeyusage(true);
if (CollectionUtil.isNonEmpty(requiredExtKeyusage)) {
required = true;
}
}
if (required) {
types.add(type);
}
}
// CRLDistributionPoints
type = Extension.cRLDistributionPoints;
if (wantedExtensionTypes.contains(type)) {
if (issuerInfo.getCrlUrls() != null) {
types.add(type);
}
}
// Inhibit anyPolicy
type = Extension.inhibitAnyPolicy;
if (wantedExtensionTypes.contains(type)) {
if (inhibitAnyPolicy != null) {
types.add(type);
}
}
// FreshestCRL
type = Extension.freshestCRL;
if (wantedExtensionTypes.contains(type)) {
if (issuerInfo.getDeltaCrlUrls() != null) {
types.add(type);
}
}
// AuthorityInfoAccess
type = Extension.authorityInfoAccess;
if (wantedExtensionTypes.contains(type)) {
if (issuerInfo.getOcspUrls() != null) {
types.add(type);
}
}
// SubjectInfoAccess
type = Extension.subjectInfoAccess;
if (wantedExtensionTypes.contains(type)) {
if (requestedExtensions != null && requestedExtensions.getExtension(type) != null) {
types.add(type);
}
}
// Admission
type = ObjectIdentifiers.id_extension_admission;
if (wantedExtensionTypes.contains(type)) {
if (certProfile.getAdmission() != null) {
types.add(type);
}
}
// ocsp-nocheck
type = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck;
if (wantedExtensionTypes.contains(type)) {
types.add(type);
}
wantedExtensionTypes.removeAll(types);
for (ASN1ObjectIdentifier oid : wantedExtensionTypes) {
if (requestedExtensions != null && requestedExtensions.getExtension(oid) != null) {
if (constantExtensions.containsKey(oid)) {
types.add(oid);
}
}
}
return types;
}
Also used :
Extension(org.bouncycastle.asn1.x509.Extension)
ExtensionExistence(org.xipki.security.ExtensionExistence)
ExtKeyUsageControl(org.xipki.ca.api.profile.x509.ExtKeyUsageControl)
ExtensionControl(org.xipki.ca.api.profile.ExtensionControl)
KeyUsageControl(org.xipki.ca.api.profile.x509.KeyUsageControl)
ExtKeyUsageControl(org.xipki.ca.api.profile.x509.ExtKeyUsageControl)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
HashSet(java.util.HashSet)
Example 13 with CertificatePolicies
use of org.bouncycastle.asn1.x509.CertificatePolicies in project xipki by xipki.
the class ExtensionsChecker method checkExtensionCertificatePolicies.
// method checkExtensionTlsFeature
private void checkExtensionCertificatePolicies(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
QaCertificatePolicies conf = certificatePolicies;
if (conf == null) {
byte[] expected = getExpectedExtValue(Extension.certificatePolicies, requestedExtensions, extControl);
if (!Arrays.equals(expected, extensionValue)) {
addViolation(failureMsg, "extension values", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
}
return;
}
org.bouncycastle.asn1.x509.CertificatePolicies asn1 = org.bouncycastle.asn1.x509.CertificatePolicies.getInstance(extensionValue);
PolicyInformation[] isPolicyInformations = asn1.getPolicyInformation();
for (PolicyInformation isPolicyInformation : isPolicyInformations) {
ASN1ObjectIdentifier isPolicyId = isPolicyInformation.getPolicyIdentifier();
QaCertificatePolicyInformation expCp = conf.getPolicyInformation(isPolicyId.getId());
if (expCp == null) {
failureMsg.append("certificate policy '").append(isPolicyId).append("' is not expected; ");
continue;
}
QaPolicyQualifiers expCpPq = expCp.getPolicyQualifiers();
if (expCpPq == null) {
continue;
}
ASN1Sequence isPolicyQualifiers = isPolicyInformation.getPolicyQualifiers();
List<String> isCpsUris = new LinkedList<>();
List<String> isUserNotices = new LinkedList<>();
int size = isPolicyQualifiers.size();
for (int i = 0; i < size; i++) {
PolicyQualifierInfo isPolicyQualifierInfo = (PolicyQualifierInfo) isPolicyQualifiers.getObjectAt(i);
ASN1ObjectIdentifier isPolicyQualifierId = isPolicyQualifierInfo.getPolicyQualifierId();
ASN1Encodable isQualifier = isPolicyQualifierInfo.getQualifier();
if (PolicyQualifierId.id_qt_cps.equals(isPolicyQualifierId)) {
String isCpsUri = ((DERIA5String) isQualifier).getString();
isCpsUris.add(isCpsUri);
} else if (PolicyQualifierId.id_qt_unotice.equals(isPolicyQualifierId)) {
UserNotice isUserNotice = UserNotice.getInstance(isQualifier);
if (isUserNotice.getExplicitText() != null) {
isUserNotices.add(isUserNotice.getExplicitText().getString());
}
}
}
List<QaPolicyQualifierInfo> qualifierInfos = expCpPq.getPolicyQualifiers();
for (QaPolicyQualifierInfo qualifierInfo : qualifierInfos) {
if (qualifierInfo instanceof QaCpsUriPolicyQualifier) {
String value = ((QaCpsUriPolicyQualifier) qualifierInfo).getCpsUri();
if (!isCpsUris.contains(value)) {
failureMsg.append("CPSUri '").append(value).append("' is absent but is required; ");
}
} else if (qualifierInfo instanceof QaUserNoticePolicyQualifierInfo) {
String value = ((QaUserNoticePolicyQualifierInfo) qualifierInfo).getUserNotice();
if (!isUserNotices.contains(value)) {
failureMsg.append("userNotice '").append(value).append("' is absent but is required; ");
}
} else {
throw new RuntimeException("should not reach here");
}
}
}
for (QaCertificatePolicyInformation cp : conf.getPolicyInformations()) {
boolean present = false;
for (PolicyInformation isPolicyInformation : isPolicyInformations) {
if (isPolicyInformation.getPolicyIdentifier().getId().equals(cp.getPolicyId())) {
present = true;
break;
}
}
if (present) {
continue;
}
failureMsg.append("certificate policy '").append(cp.getPolicyId()).append("' is absent but is required; ");
}
}
Also used :
PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation)
QaCertificatePolicyInformation(org.xipki.ca.qa.internal.QaCertificatePolicies.QaCertificatePolicyInformation)
UserNotice(org.bouncycastle.asn1.x509.UserNotice)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1String(org.bouncycastle.asn1.ASN1String)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERT61String(org.bouncycastle.asn1.DERT61String)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
QaPolicyQualifiers(org.xipki.ca.qa.internal.QaPolicyQualifiers)
QaPolicyQualifierInfo(org.xipki.ca.qa.internal.QaPolicyQualifierInfo)
QaUserNoticePolicyQualifierInfo(org.xipki.ca.qa.internal.QaPolicyQualifierInfo.QaUserNoticePolicyQualifierInfo)
PolicyQualifierInfo(org.bouncycastle.asn1.x509.PolicyQualifierInfo)
QaCertificatePolicyInformation(org.xipki.ca.qa.internal.QaCertificatePolicies.QaCertificatePolicyInformation)
LinkedList(java.util.LinkedList)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
QaPolicyQualifierInfo(org.xipki.ca.qa.internal.QaPolicyQualifierInfo)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
QaUserNoticePolicyQualifierInfo(org.xipki.ca.qa.internal.QaPolicyQualifierInfo.QaUserNoticePolicyQualifierInfo)
QaCertificatePolicies(org.xipki.ca.qa.internal.QaCertificatePolicies)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
QaCpsUriPolicyQualifier(org.xipki.ca.qa.internal.QaPolicyQualifierInfo.QaCpsUriPolicyQualifier)
Example 14 with CertificatePolicies
use of org.bouncycastle.asn1.x509.CertificatePolicies in project xipki by xipki.
the class XmlX509CertprofileUtil method buildCertificatePolicies.
// method parse
public static List<CertificatePolicyInformation> buildCertificatePolicies(CertificatePolicies type) {
List<CertificatePolicyInformationType> policyPairs = type.getCertificatePolicyInformation();
List<CertificatePolicyInformation> policies = new ArrayList<CertificatePolicyInformation>(policyPairs.size());
for (CertificatePolicyInformationType policyPair : policyPairs) {
List<CertificatePolicyQualifier> qualifiers = null;
PolicyQualifiers policyQualifiers = policyPair.getPolicyQualifiers();
if (policyQualifiers != null) {
List<JAXBElement<String>> cpsUriOrUserNotice = policyQualifiers.getCpsUriOrUserNotice();
qualifiers = new ArrayList<CertificatePolicyQualifier>(cpsUriOrUserNotice.size());
for (JAXBElement<String> element : cpsUriOrUserNotice) {
String elementValue = element.getValue();
CertificatePolicyQualifier qualifier = null;
String elementName = element.getName().getLocalPart();
qualifier = "cpsUri".equals(elementName) ? CertificatePolicyQualifier.getInstanceForCpsUri(elementValue) : CertificatePolicyQualifier.getInstanceForUserNotice(elementValue);
qualifiers.add(qualifier);
}
}
CertificatePolicyInformation cpi = new CertificatePolicyInformation(policyPair.getPolicyIdentifier().getValue(), qualifiers);
policies.add(cpi);
}
return policies;
}
Also used :
ArrayList(java.util.ArrayList)
JAXBElement(javax.xml.bind.JAXBElement)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
CertificatePolicyQualifier(org.xipki.ca.api.profile.x509.CertificatePolicyQualifier)
CertificatePolicyInformationType(org.xipki.ca.certprofile.x509.jaxb.CertificatePolicyInformationType)
CertificatePolicyInformation(org.xipki.ca.api.profile.x509.CertificatePolicyInformation)
PolicyQualifiers(org.xipki.ca.certprofile.x509.jaxb.CertificatePolicyInformationType.PolicyQualifiers)
Aggregations
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)10
PolicyInformation (org.bouncycastle.asn1.x509.PolicyInformation)6
DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)5
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)4
DERIA5String (org.bouncycastle.asn1.DERIA5String)4
CertificatePolicies (org.xipki.ca.certprofile.x509.jaxb.CertificatePolicies)4
CertificateException (java.security.cert.CertificateException)3
ArrayList (java.util.ArrayList)3
LinkedList (java.util.LinkedList)3
ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)3
DEROctetString (org.bouncycastle.asn1.DEROctetString)3
DERPrintableString (org.bouncycastle.asn1.DERPrintableString)3
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)3
CertificatePolicies (org.bouncycastle.asn1.x509.CertificatePolicies)3
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)3
Extension (org.bouncycastle.asn1.x509.Extension)3
CertificatePolicyInformation (org.xipki.ca.api.profile.x509.CertificatePolicyInformation)3
IOException (java.io.IOException)2
X509Certificate (java.security.cert.X509Certificate)2
HashSet (java.util.HashSet)2
