
Example 36 with Extensions

use of org.bouncycastle.asn1.x509.Extensions in project xipki by xipki.

From the class ExtensionsChecker, method checkExtensionBiometricInfo.

// method checkExtensionQcStatements (note: this marker names checkExtensionQcStatements, but the method that follows is checkExtensionBiometricInfo)
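/**
 * Checks the BiometricInfo extension of the certificate against the requested
 * extension and the certificate profile.
 *
 * <p>The extension is only accepted when the profile configures a
 * {@link BiometricInfoOption} and the request itself carried a BiometricInfo
 * extension. Every BiometricData entry of the certificate must then match the
 * requested entry at the same position in typeOfBiometricData, hashAlgorithm and
 * biometricDataHash; the hashAlgorithm parameters must be present and encode to
 * {@code DER_NULL}. The sourceDataUri is compared unless the profile forbids it.
 *
 * @param failureMsg collects the detected violations, each terminated by "; "
 * @param extensionValue DER-encoded value of the BiometricInfo extension found in the certificate
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @param extControl control of this extension (not evaluated by this check)
 */
private void checkExtensionBiometricInfo(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    BiometricInfoOption conf = certProfile.getBiometricInfo();
    if (conf == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }

    ASN1Encodable extInRequest = (requestedExtensions == null) ? null
            : requestedExtensions.getExtensionParsedValue(Extension.biometricInfo);
    if (extInRequest == null) {
        // the extension is only allowed in the certificate when it was requested
        failureMsg.append("extension is present but not expected; ");
        return;
    }

    ASN1Sequence extValueInReq = ASN1Sequence.getInstance(extInRequest);
    ASN1Sequence extValue = ASN1Sequence.getInstance(extensionValue);
    final int expSize = extValueInReq.size();
    final int isSize = extValue.size();
    if (isSize != expSize) {
        addViolation(failureMsg, "number of biometricData", isSize, expSize);
        return;
    }

    for (int i = 0; i < expSize; i++) {
        BiometricData isData = BiometricData.getInstance(extValue.getObjectAt(i));
        BiometricData expData = BiometricData.getInstance(extValueInReq.getObjectAt(i));
        String prefix = "biometricData[" + i + "].";

        TypeOfBiometricData isType = isData.getTypeOfBiometricData();
        TypeOfBiometricData expType = expData.getTypeOfBiometricData();
        if (!isType.equals(expType)) {
            addViolation(failureMsg, prefix + "typeOfBiometricData",
                    typeOfBiometricDataToString(isType), typeOfBiometricDataToString(expType));
        }

        ASN1ObjectIdentifier is = isData.getHashAlgorithm().getAlgorithm();
        ASN1ObjectIdentifier exp = expData.getHashAlgorithm().getAlgorithm();
        if (!is.equals(exp)) {
            addViolation(failureMsg, prefix + "hashAlgorithm", is.getId(), exp.getId());
        }

        // the hashAlgorithm parameters must be present and encode to DER_NULL; an absent
        // parameters field is therefore a violation ("absent" but "present" expected)
        ASN1Encodable isHashAlgoParam = isData.getHashAlgorithm().getParameters();
        if (isHashAlgoParam == null) {
            failureMsg.append(prefix).append("hashAlgorithm.parameters is 'absent' but expected 'present'; ");
        } else {
            try {
                byte[] paramBytes = isHashAlgoParam.toASN1Primitive().getEncoded();
                if (!Arrays.equals(paramBytes, DER_NULL)) {
                    addViolation(failureMsg, prefix + "hashAlgorithm.parameters", hex(paramBytes), hex(DER_NULL));
                }
            } catch (IOException ex) {
                failureMsg.append(prefix).append("hashAlgorithm.parameters has incorrect syntax; ");
            }
        }

        byte[] isBytes = isData.getBiometricDataHash().getOctets();
        byte[] expBytes = expData.getBiometricDataHash().getOctets();
        if (!Arrays.equals(isBytes, expBytes)) {
            addViolation(failureMsg, prefix + "biometricDataHash", hex(isBytes), hex(expBytes));
        }

        DERIA5String isUri = isData.getSourceDataUri();
        String isSourceDataUri = (isUri == null) ? null : isUri.getString();
        // a forbidden sourceDataUri is never expected, regardless of the request
        String expSourceDataUri = null;
        if (conf.getSourceDataUriOccurrence() != TripleState.FORBIDDEN) {
            DERIA5String expUri = expData.getSourceDataUri();
            expSourceDataUri = (expUri == null) ? null : expUri.getString();
        }

        if (expSourceDataUri == null) {
            if (isSourceDataUri != null) {
                addViolation(failureMsg, prefix + "sourceDataUri", "present", "absent");
            }
        } else if (isSourceDataUri == null) {
            failureMsg.append(prefix).append("sourceDataUri is 'absent'");
            failureMsg.append(" but expected 'present'; ");
        } else if (!isSourceDataUri.equals(expSourceDataUri)) {
            addViolation(failureMsg, prefix + "sourceDataUri", isSourceDataUri, expSourceDataUri);
        }
    }
}

/**
 * Renders a TypeOfBiometricData for violation messages: the predefined type as a
 * decimal number, otherwise the dotted OID.
 *
 * @param type the type to render, must not be {@code null}
 * @return textual form of the type
 */
private static String typeOfBiometricDataToString(TypeOfBiometricData type) {
    return type.isPredefined() ? Integer.toString(type.getPredefinedBiometricType())
            : type.getBiometricDataOid().getId();
}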

Example 37 with Extensions

use of org.bouncycastle.asn1.x509.Extensions in project xipki by xipki.

From the class ExtensionsChecker, method checkExtensionSubjectInfoAccess.

/**
 * Checks the SubjectInfoAccess extension of the certificate against the requested
 * extension and the access modes configured in the certificate profile.
 *
 * <p>The extension is only accepted when the profile configures SubjectInfoAccess
 * modes and the request carried a SubjectInfoAccess extension with the same number
 * of AccessDescriptions. Each requested accessMethod must be configured in the
 * profile, the certificate's accessMethod at the same position must equal it, and the
 * certificate's accessLocation must equal the GeneralName built from the requested
 * accessLocation under the configured modes.
 *
 * @param failureMsg collects the detected violations, each terminated by "; "
 * @param extensionValue DER-encoded value of the SubjectInfoAccess extension found in the certificate
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @param extControl control of this extension (not evaluated by this check)
 */
private void checkExtensionSubjectInfoAccess(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    Map<ASN1ObjectIdentifier, Set<GeneralNameMode>> allowedModes = certProfile.getSubjectInfoAccessModes();
    if (allowedModes == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }

    ASN1Encodable requestExtValue = null;
    if (requestedExtensions != null) {
        requestExtValue = requestedExtensions.getExtensionParsedValue(Extension.subjectInfoAccess);
    }
    if (requestExtValue == null) {
        // only a requested extension may appear in the certificate
        failureMsg.append("extension is present but not expected; ");
        return;
    }

    ASN1Sequence requestSeq = ASN1Sequence.getInstance(requestExtValue);
    ASN1Sequence certSeq = ASN1Sequence.getInstance(extensionValue);
    final int expectedCount = requestSeq.size();
    final int actualCount = certSeq.size();
    if (actualCount != expectedCount) {
        addViolation(failureMsg, "size of GeneralNames", actualCount, expectedCount);
        return;
    }

    for (int idx = 0; idx < expectedCount; idx++) {
        AccessDescription reqDesc = AccessDescription.getInstance(requestSeq.getObjectAt(idx));
        ASN1ObjectIdentifier reqMethod = reqDesc.getAccessMethod();
        Set<GeneralNameMode> modes = allowedModes.get(reqMethod);
        if (modes == null) {
            // the profile does not permit this accessMethod at all
            failureMsg.append("accessMethod in requestedExtension ").append(reqMethod.getId()).append(" is not allowed; ");
            continue;
        }

        AccessDescription certDesc = AccessDescription.getInstance(certSeq.getObjectAt(idx));
        ASN1ObjectIdentifier certMethod = certDesc.getAccessMethod();
        boolean sameMethod = (reqMethod == null) ? (certMethod == null) : reqMethod.equals(certMethod);
        if (!sameMethod) {
            String certMethodText = (certMethod == null) ? "null" : certMethod.getId();
            String reqMethodText = (reqMethod == null) ? "null" : reqMethod.getId();
            addViolation(failureMsg, "accessMethod", certMethodText, reqMethodText);
            continue;
        }

        GeneralName expectedLocation;
        try {
            expectedLocation = createGeneralName(reqDesc.getAccessLocation(), modes);
        } catch (BadCertTemplateException ex) {
            failureMsg.append("invalid requestedExtension: ").append(ex.getMessage()).append("; ");
            continue;
        }

        if (!certDesc.getAccessLocation().equals(expectedLocation)) {
            failureMsg.append("accessLocation does not match the requested one; ");
        }
    }
}

Example 38 with Extensions

use of org.bouncycastle.asn1.x509.Extensions in project xipki by xipki.

From the class ExtensionsChecker, method checkExtensionAuthorizationTemplate.

// method checkExtensionBiometricInfo (note: this marker names checkExtensionBiometricInfo, but the method that follows is checkExtensionAuthorizationTemplate)
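/**
 * Checks the xipki AuthorizationTemplate extension of the certificate.
 *
 * <p>Without a configured {@code authorizationTemplate} the extension value must equal
 * what {@code getExpectedExtValue} derives from the request and the extension control.
 * Otherwise the value is read as a SEQUENCE whose first element is the type OID and
 * whose second element is the accessRights OCTET STRING; both must match the
 * configured template.
 *
 * @param failureMsg collects the detected violations, each terminated by "; "
 * @param extensionValue DER-encoded value of the AuthorizationTemplate extension found in the certificate
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @param extControl control of this extension, passed on to {@code getExpectedExtValue}
 */
private void checkExtensionAuthorizationTemplate(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    QaAuthorizationTemplate conf = authorizationTemplate;
    if (conf == null) {
        byte[] expected = getExpectedExtValue(ObjectIdentifiers.id_xipki_ext_authorizationTemplate, requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension values", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
        }
        return;
    }

    ASN1Sequence seq = ASN1Sequence.getInstance(extensionValue);
    // elements 0 and 1 are accessed below; a malformed value from the certificate must
    // be reported as a violation rather than escape as an uncaught runtime exception
    if (seq.size() < 2) {
        failureMsg.append("extension value contains ").append(seq.size())
                .append(" elements but at least 2 are required; ");
        return;
    }

    ASN1ObjectIdentifier type = ASN1ObjectIdentifier.getInstance(seq.getObjectAt(0));
    ASN1OctetString accessRights = DEROctetString.getInstance(seq.getObjectAt(1));
    if (!conf.getType().equals(type.getId())) {
        addViolation(failureMsg, "type", type.getId(), conf.getType());
    }

    byte[] isRights = accessRights.getOctets();
    if (!Arrays.equals(conf.getAccessRights(), isRights)) {
        addViolation(failureMsg, "accessRights", hex(isRights), hex(conf.getAccessRights()));
    }
}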

Example 39 with Extensions

use of org.bouncycastle.asn1.x509.Extensions in project xipki by xipki.

From the class ExtensionsChecker, method checkExtensionAdmission.

// method checkExtensionDeltaCrlDistributionPoints (note: this marker names checkExtensionDeltaCrlDistributionPoints, but the method that follows is checkExtensionAdmission)
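/**
 * Checks the Admission extension (ISIS-MTT AdmissionSyntax) of the certificate.
 *
 * <p>Without a configured {@code AdmissionSyntaxOption} the extension value must equal
 * what {@code getExpectedExtValue} derives from the request and the extension control.
 * Otherwise the expected value is built by the profile; when the profile requires
 * input from the request, the registration numbers of every ProfessionInfo in the
 * requested Admission extension are collected per Admissions entry and handed to the
 * profile first.
 *
 * @param failureMsg collects the detected violations
 * @param extensionValue DER-encoded value of the Admission extension found in the certificate
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @param extControl control of this extension, passed on to {@code getExpectedExtValue}
 */
private void checkExtensionAdmission(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    AdmissionSyntaxOption conf = certProfile.getAdmission();
    ASN1ObjectIdentifier type = ObjectIdentifiers.id_extension_admission;
    if (conf == null) {
        byte[] expected = getExpectedExtValue(type, requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension value", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
        }
        return;
    }

    // registration numbers from the request, one inner list per Admissions entry;
    // stays null when no request input is taken
    List<List<String>> reqRegNumsList = null;
    if (requestedExtensions != null && conf.isInputFromRequestRequired()) {
        Extension extension = requestedExtensions.getExtension(type);
        if (extension == null) {
            failureMsg.append("no Admission extension is contained in the request;");
            return;
        }

        Admissions[] reqAdmissions = org.bouncycastle.asn1.isismtt.x509.AdmissionSyntax.getInstance(extension.getParsedValue()).getContentsOfAdmissions();
        reqRegNumsList = new ArrayList<>(reqAdmissions.length);
        for (Admissions reqAdmission : reqAdmissions) {
            ProfessionInfo[] reqPis = reqAdmission.getProfessionInfos();
            List<String> reqNums = new ArrayList<>(reqPis.length);
            for (ProfessionInfo reqPi : reqPis) {
                reqNums.add(reqPi.getRegistrationNumber());
            }
            reqRegNumsList.add(reqNums);
        }
    }
    // NOTE(review): when request input is required but requestedExtensions is null, the
    // expected value is computed with a null list — confirm this is the intended outcome.

    try {
        byte[] expected = conf.getExtensionValue(reqRegNumsList).getValue().toASN1Primitive().getEncoded();
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension value", hex(extensionValue), hex(expected));
        }
    } catch (IOException ex) {
        LogUtil.error(LOG, ex);
        failureMsg.append("IOException while computing the expected extension value;");
    } catch (BadCertTemplateException ex) {
        LogUtil.error(LOG, ex);
        failureMsg.append("BadCertTemplateException while computing the expected extension value;");
    }
}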

Example 40 with Extensions

use of org.bouncycastle.asn1.x509.Extensions in project xipki by xipki.

From the class ExtensionsChecker, method checkExtensionTlsFeature.

// method checkExtensionExtendedKeyUsage (note: this marker names checkExtensionExtendedKeyUsage, but the method that follows is checkExtensionTlsFeature)
/**
 * Checks the TLS feature extension (id-pe-tlsfeature) of the certificate.
 *
 * <p>Without a configured {@code tlsFeature} the extension value must equal what
 * {@code getExpectedExtValue} derives from the request and the extension control.
 * Otherwise the INTEGER features of the certificate are compared as a set against the
 * configured features: features present but not configured, and configured features
 * that are missing, are each reported.
 *
 * @param failureMsg collects the detected violations, each terminated by "; "
 * @param extensionValue DER-encoded value of the TLS feature extension found in the certificate
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @param extControl control of this extension, passed on to {@code getExpectedExtValue}
 */
private void checkExtensionTlsFeature(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    QaTlsFeature conf = tlsFeature;
    if (conf == null) {
        byte[] expected = getExpectedExtValue(ObjectIdentifiers.id_pe_tlsfeature, requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension values", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
        }
        return;
    }

    // features actually present in the certificate, as decimal strings
    ASN1Sequence featureSeq = ASN1Sequence.getInstance(extensionValue);
    final int featureCount = featureSeq.size();
    Set<String> actualFeatures = new HashSet<>();
    for (int idx = 0; idx < featureCount; idx++) {
        ASN1Integer feature = ASN1Integer.getInstance(featureSeq.getObjectAt(idx));
        actualFeatures.add(feature.getPositiveValue().toString());
    }

    // features required by the configuration, in the same textual form
    Set<String> requiredFeatures = new HashSet<>();
    for (Integer feature : conf.getFeatures()) {
        requiredFeatures.add(feature.toString());
    }

    Set<String> unexpected = strInBnotInA(requiredFeatures, actualFeatures);
    if (CollectionUtil.isNonEmpty(unexpected)) {
        failureMsg.append("features ").append(unexpected.toString()).append(" are present but not expected; ");
    }

    Set<String> missing = strInBnotInA(actualFeatures, requiredFeatures);
    if (CollectionUtil.isNonEmpty(missing)) {
        failureMsg.append("features ").append(missing.toString()).append(" are absent but are required; ");
    }
}
