Search in sources :

Example 61 with GeneralName

use of org.bouncycastle.asn1.x509.GeneralName in project robovm by robovm.

the class X509CertSelector method addSubjectAlternativeName.

/**
     * Adds a subject alternative name to the respective criterion.
     *
     * @param tag
     *            the type of the name.
     * @param name
     *            the name in ASN.1 DER encoded form.
     * @throws IOException
     *             if the decoding of the name fails.
     */
public void addSubjectAlternativeName(int tag, byte[] name) throws IOException {
    GeneralName alt_name = new GeneralName(tag, name);
    // create only if there was not any errors
    if (subjectAltNames == null) {
        subjectAltNames = new ArrayList[9];
    }
    if (subjectAltNames[tag] == null) {
        subjectAltNames[tag] = new ArrayList<GeneralName>();
    }
    subjectAltNames[tag].add(alt_name);
}
Also used : GeneralName(org.apache.harmony.security.x509.GeneralName)

Example 62 with GeneralName

use of org.bouncycastle.asn1.x509.GeneralName in project robovm by robovm.

the class X509CertificateObject method getAlternativeNames.

private static Collection getAlternativeNames(byte[] extVal) throws CertificateParsingException {
    if (extVal == null) {
        return null;
    }
    try {
        Collection temp = new ArrayList();
        Enumeration it = ASN1Sequence.getInstance(extVal).getObjects();
        while (it.hasMoreElements()) {
            GeneralName genName = GeneralName.getInstance(it.nextElement());
            List list = new ArrayList();
            list.add(Integers.valueOf(genName.getTagNo()));
            switch(genName.getTagNo()) {
                case GeneralName.ediPartyName:
                case GeneralName.x400Address:
                case GeneralName.otherName:
                    list.add(genName.getEncoded());
                    break;
                case GeneralName.directoryName:
                    // BEGIN android-changed
                    list.add(X509Name.getInstance(genName.getName()).toString(true, X509Name.DefaultSymbols));
                    // END android-changed
                    break;
                case GeneralName.dNSName:
                case GeneralName.rfc822Name:
                case GeneralName.uniformResourceIdentifier:
                    list.add(((ASN1String) genName.getName()).getString());
                    break;
                case GeneralName.registeredID:
                    list.add(ASN1ObjectIdentifier.getInstance(genName.getName()).getId());
                    break;
                case GeneralName.iPAddress:
                    byte[] addrBytes = DEROctetString.getInstance(genName.getName()).getOctets();
                    final String addr;
                    try {
                        addr = InetAddress.getByAddress(addrBytes).getHostAddress();
                    } catch (UnknownHostException e) {
                        continue;
                    }
                    list.add(addr);
                    break;
                default:
                    throw new IOException("Bad tag number: " + genName.getTagNo());
            }
            temp.add(Collections.unmodifiableList(list));
        }
        if (temp.size() == 0) {
            return null;
        }
        return Collections.unmodifiableCollection(temp);
    } catch (Exception e) {
        throw new CertificateParsingException(e.getMessage());
    }
}
Also used : Enumeration(java.util.Enumeration) CertificateParsingException(java.security.cert.CertificateParsingException) UnknownHostException(java.net.UnknownHostException) ArrayList(java.util.ArrayList) Collection(java.util.Collection) List(java.util.List) ArrayList(java.util.ArrayList) GeneralName(org.bouncycastle.asn1.x509.GeneralName) DERBitString(org.bouncycastle.asn1.DERBitString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) ASN1String(org.bouncycastle.asn1.ASN1String) IOException(java.io.IOException) CertificateExpiredException(java.security.cert.CertificateExpiredException) SignatureException(java.security.SignatureException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) CertificateEncodingException(java.security.cert.CertificateEncodingException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertificateParsingException(java.security.cert.CertificateParsingException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) UnknownHostException(java.net.UnknownHostException) NoSuchProviderException(java.security.NoSuchProviderException)

Example 63 with GeneralName

use of org.bouncycastle.asn1.x509.GeneralName in project robovm by robovm.

the class RFC3280CertPathUtilities method processCRLB1.

/**
     * If the DP includes cRLIssuer, then verify that the issuer field in the
     * complete CRL matches cRLIssuer in the DP and that the complete CRL
     * contains an issuing distribution point extension with the indirectCRL
     * boolean asserted. Otherwise, verify that the CRL issuer matches the
     * certificate issuer.
     *
     * @param dp   The distribution point.
     * @param cert The certificate ot attribute certificate.
     * @param crl  The CRL for <code>cert</code>.
     * @throws AnnotatedException if one of the above conditions does not apply or an error
     *                            occurs.
     */
protected static void processCRLB1(DistributionPoint dp, Object cert, X509CRL crl) throws AnnotatedException {
    ASN1Primitive idp = CertPathValidatorUtilities.getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
    boolean isIndirect = false;
    if (idp != null) {
        if (IssuingDistributionPoint.getInstance(idp).isIndirectCRL()) {
            isIndirect = true;
        }
    }
    byte[] issuerBytes = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();
    boolean matchIssuer = false;
    if (dp.getCRLIssuer() != null) {
        GeneralName[] genNames = dp.getCRLIssuer().getNames();
        for (int j = 0; j < genNames.length; j++) {
            if (genNames[j].getTagNo() == GeneralName.directoryName) {
                try {
                    if (Arrays.areEqual(genNames[j].getName().toASN1Primitive().getEncoded(), issuerBytes)) {
                        matchIssuer = true;
                    }
                } catch (IOException e) {
                    throw new AnnotatedException("CRL issuer information from distribution point cannot be decoded.", e);
                }
            }
        }
        if (matchIssuer && !isIndirect) {
            throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
        }
        if (!matchIssuer) {
            throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
        }
    } else {
        if (CertPathValidatorUtilities.getIssuerPrincipal(crl).equals(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert))) {
            matchIssuer = true;
        }
    }
    if (!matchIssuer) {
        throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
    }
}
Also used : GeneralName(org.bouncycastle.asn1.x509.GeneralName) IOException(java.io.IOException) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)

Example 64 with GeneralName

use of org.bouncycastle.asn1.x509.GeneralName in project robovm by robovm.

the class RFC3280CertPathUtilities method checkCRLs.

/**
     * Checks a certificate if it is revoked.
     *
     * @param paramsPKIX       PKIX parameters.
     * @param cert             Certificate to check if it is revoked.
     * @param validDate        The date when the certificate revocation status should be
     *                         checked.
     * @param sign             The issuer certificate of the certificate <code>cert</code>.
     * @param workingPublicKey The public key of the issuer certificate <code>sign</code>.
     * @param certPathCerts    The certificates of the certification path.
     * @throws AnnotatedException if the certificate is revoked or the status cannot be checked
     *                            or some error occurs.
     */
protected static void checkCRLs(ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, List certPathCerts) throws AnnotatedException {
    AnnotatedException lastException = null;
    CRLDistPoint crldp = null;
    try {
        crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS));
    } catch (Exception e) {
        throw new AnnotatedException("CRL distribution point extension could not be read.", e);
    }
    try {
        CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX);
    } catch (AnnotatedException e) {
        throw new AnnotatedException("No additional CRL locations could be decoded from CRL distribution point extension.", e);
    }
    CertStatus certStatus = new CertStatus();
    ReasonsMask reasonsMask = new ReasonsMask();
    boolean validCrlFound = false;
    // for each distribution point
    if (crldp != null) {
        DistributionPoint[] dps = null;
        try {
            dps = crldp.getDistributionPoints();
        } catch (Exception e) {
            throw new AnnotatedException("Distribution points could not be read.", e);
        }
        if (dps != null) {
            for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) {
                ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
                try {
                    checkCRL(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts);
                    validCrlFound = true;
                } catch (AnnotatedException e) {
                    lastException = e;
                }
            }
        }
    }
    if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
        try {
            /*
                 * assume a DP with both the reasons and the cRLIssuer fields
                 * omitted and a distribution point name of the certificate
                 * issuer.
                 */
            ASN1Primitive issuer = null;
            try {
                issuer = new ASN1InputStream(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded()).readObject();
            } catch (Exception e) {
                throw new AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e);
            }
            DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null);
            ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
            checkCRL(dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts);
            validCrlFound = true;
        } catch (AnnotatedException e) {
            lastException = e;
        }
    }
    if (!validCrlFound) {
        if (lastException instanceof AnnotatedException) {
            throw lastException;
        }
        throw new AnnotatedException("No valid CRL found.", lastException);
    }
    if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
        String message = "Certificate revocation after " + certStatus.getRevocationDate();
        message += ", reason: " + crlReasons[certStatus.getCertStatus()];
        throw new AnnotatedException(message);
    }
    if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) {
        certStatus.setCertStatus(CertStatus.UNDETERMINED);
    }
    if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) {
        throw new AnnotatedException("Certificate status could not be determined.");
    }
}
Also used : ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) ExtendedPKIXParameters(org.bouncycastle.x509.ExtendedPKIXParameters) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)

Example 65 with GeneralName

use of org.bouncycastle.asn1.x509.GeneralName in project zm-mailbox by Zimbra.

the class CertUtil method printCRLDistributionPoints.

private void printCRLDistributionPoints(PrintStream outStream) throws Exception {
    outStream.format("X509v3 CRL Distribution Points: \n");
    // 2.5.29.31
    String extOid = X509Extension.cRLDistributionPoints.getId();
    byte[] extVal = cert.getExtensionValue(extOid);
    if (extVal == null) {
        return;
    }
    /* http://download.oracle.com/javase/6/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)
         *
           The ASN.1 definition for this is:

             Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

             Extension  ::=  SEQUENCE  {
                 extnId        OBJECT IDENTIFIER,
                 critical      BOOLEAN DEFAULT FALSE,
                 extnValue     OCTET STRING
                               -- contains a DER encoding of a value
                               -- of the type registered for use with
                               -- the extnId object identifier value
             }
         */
    byte[] extnValue = DEROctetString.getInstance(ASN1Object.fromByteArray(extVal)).getOctets();
    CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(ASN1Object.fromByteArray(extnValue));
    DistributionPoint[] distPoints = crlDistPoint.getDistributionPoints();
    for (DistributionPoint distPoint : distPoints) {
        DistributionPointName distPointName = distPoint.getDistributionPoint();
        int type = distPointName.getType();
        if (DistributionPointName.FULL_NAME == type) {
            outStream.format("Full Name: \n");
            GeneralNames generalNames = GeneralNames.getInstance(distPointName.getName());
            GeneralName[] names = generalNames.getNames();
            for (GeneralName generalname : names) {
                int tag = generalname.getTagNo();
                if (GeneralName.uniformResourceIdentifier == tag) {
                    DEREncodable name = generalname.getName();
                    DERIA5String str = DERIA5String.getInstance(name);
                    String value = str.getString();
                    outStream.format("    %s\n", value);
                } else {
                    outStream.format("tag %d not yet implemented", tag);
                }
            }
        } else {
            outStream.format("type %d not yet implemented", type);
        }
    }
}
Also used : DERIA5String(org.bouncycastle.asn1.DERIA5String) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) DEREncodable(org.bouncycastle.asn1.DEREncodable) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)

Aggregations

GeneralName (org.bouncycastle.asn1.x509.GeneralName)39 IOException (java.io.IOException)29 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)24 ArrayList (java.util.ArrayList)23 List (java.util.List)20 GeneralName (org.apache.harmony.security.x509.GeneralName)18 X509Certificate (java.security.cert.X509Certificate)16 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)16 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)15 X500Name (org.bouncycastle.asn1.x500.X500Name)10 GeneralName (sun.security.x509.GeneralName)10 GeneralSecurityException (java.security.GeneralSecurityException)9 CertPathValidatorException (java.security.cert.CertPathValidatorException)9 Date (java.util.Date)9 Enumeration (java.util.Enumeration)9 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)9 CertificateExpiredException (java.security.cert.CertificateExpiredException)8 CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)8 X500Principal (javax.security.auth.x500.X500Principal)8 DERIA5String (org.bouncycastle.asn1.DERIA5String)8