Search in sources :

Example 26 with GeneralNames

use of org.bouncycastle.asn1.x509.GeneralNames in project jdk8u_jdk by JetBrains.

the class ForwardState method updateState.

/**
     * Update the state with the next certificate added to the path.
     *
     * @param cert the certificate which is used to update the state
     */
@Override
public void updateState(X509Certificate cert) throws CertificateException, IOException, CertPathValidatorException {
    if (cert == null)
        return;
    X509CertImpl icert = X509CertImpl.toImpl(cert);
    /* see if certificate key has null parameters */
    if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) {
        keyParamsNeededFlag = true;
    }
    /* update certificate */
    this.cert = icert;
    /* update issuer DN */
    issuerDN = cert.getIssuerX500Principal();
    if (!X509CertImpl.isSelfIssued(cert)) {
        /*
             * update traversedCACerts only if this is a non-self-issued
             * intermediate CA cert
             */
        if (!init && cert.getBasicConstraints() != -1) {
            traversedCACerts++;
        }
    }
    /* update subjectNamesTraversed only if this is the EE cert or if
           this cert is not self-issued */
    if (init || !X509CertImpl.isSelfIssued(cert)) {
        X500Principal subjName = cert.getSubjectX500Principal();
        subjectNamesTraversed.add(X500Name.asX500Name(subjName));
        try {
            SubjectAlternativeNameExtension subjAltNameExt = icert.getSubjectAlternativeNameExtension();
            if (subjAltNameExt != null) {
                GeneralNames gNames = subjAltNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
                for (GeneralName gName : gNames.names()) {
                    subjectNamesTraversed.add(gName.getName());
                }
            }
        } catch (IOException e) {
            if (debug != null) {
                debug.println("ForwardState.updateState() unexpected " + "exception");
                e.printStackTrace();
            }
            throw new CertPathValidatorException(e);
        }
    }
    init = false;
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) GeneralNames(sun.security.x509.GeneralNames) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) X509CertImpl(sun.security.x509.X509CertImpl) X500Principal(javax.security.auth.x500.X500Principal) GeneralName(sun.security.x509.GeneralName) IOException(java.io.IOException)

Example 27 with GeneralNames

use of org.bouncycastle.asn1.x509.GeneralNames in project Openfire by igniterealtime.

the class CertificateManagerTest method testServerIdentitiesXmppAddrAndDNS.

/**
     * {@link CertificateManager#getServerIdentities(X509Certificate)} should return:
     * <ul>
     *     <li>the DNS subjectAltName value</li>
     *     <li>the 'xmppAddr' subjectAltName value</li>
     *     <li>explicitly not the Common Name</li>
     * </ul>
     *
     * when a certificate contains:
     * <ul>
     *     <li>a subjectAltName entry of type DNS </li>
     *     <li>a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr"</li>
     * </ul>
     */
@Test
public void testServerIdentitiesXmppAddrAndDNS() throws Exception {
    // Setup fixture.
    final String subjectCommonName = "MySubjectCommonName";
    final String subjectAltNameXmppAddr = "MySubjectAltNameXmppAddr";
    final String subjectAltNameDNS = "MySubjectAltNameDNS";
    final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(// Issuer
    new X500Name("CN=MyIssuer"), // Random serial number
    BigInteger.valueOf(Math.abs(new SecureRandom().nextInt())), // Not before 30 days ago
    new Date(System.currentTimeMillis() - (1000L * 60 * 60 * 24 * 30)), // Not after 99 days from now
    new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 99)), // Subject
    new X500Name("CN=" + subjectCommonName), subjectKeyPair.getPublic());
    final DERSequence otherName = new DERSequence(new ASN1Encodable[] { XMPP_ADDR_OID, new DERUTF8String(subjectAltNameXmppAddr) });
    final GeneralNames subjectAltNames = new GeneralNames(new GeneralName[] { new GeneralName(GeneralName.otherName, otherName), new GeneralName(GeneralName.dNSName, subjectAltNameDNS) });
    builder.addExtension(Extension.subjectAlternativeName, true, subjectAltNames);
    final X509CertificateHolder certificateHolder = builder.build(contentSigner);
    final X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certificateHolder);
    // Execute system under test
    final List<String> serverIdentities = CertificateManager.getServerIdentities(cert);
    // Verify result
    assertEquals(2, serverIdentities.size());
    assertTrue(serverIdentities.contains(subjectAltNameXmppAddr));
    assertFalse(serverIdentities.contains(subjectCommonName));
}
Also used : SecureRandom(java.security.SecureRandom) X500Name(org.bouncycastle.asn1.x500.X500Name) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) GeneralName(org.bouncycastle.asn1.x509.GeneralName) Test(org.junit.Test)

Example 28 with GeneralNames

use of org.bouncycastle.asn1.x509.GeneralNames in project Openfire by igniterealtime.

the class CertificateManagerTest method testServerIdentitiesDnsSrv.

/**
     * {@link CertificateManager#getServerIdentities(X509Certificate)} should return:
     * <ul>
     *     <li>the 'DNS SRV' subjectAltName value</li>
     *     <li>explicitly not the Common Name</li>
     * </ul>
     *
     * when a certificate contains:
     * <ul>
     *     <li>a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-dnsSRV"</li>
     * </ul>
     */
@Test
public void testServerIdentitiesDnsSrv() throws Exception {
    // Setup fixture.
    final String subjectCommonName = "MySubjectCommonName";
    final String subjectAltNameDnsSrv = "MySubjectAltNameXmppAddr";
    final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(// Issuer
    new X500Name("CN=MyIssuer"), // Random serial number
    BigInteger.valueOf(Math.abs(new SecureRandom().nextInt())), // Not before 30 days ago
    new Date(System.currentTimeMillis() - (1000L * 60 * 60 * 24 * 30)), // Not after 99 days from now
    new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 99)), // Subject
    new X500Name("CN=" + subjectCommonName), subjectKeyPair.getPublic());
    final DERSequence otherName = new DERSequence(new ASN1Encodable[] { DNS_SRV_OID, new DERUTF8String("_xmpp-server." + subjectAltNameDnsSrv) });
    final GeneralNames subjectAltNames = new GeneralNames(new GeneralName(GeneralName.otherName, otherName));
    builder.addExtension(Extension.subjectAlternativeName, true, subjectAltNames);
    final X509CertificateHolder certificateHolder = builder.build(contentSigner);
    final X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certificateHolder);
    // Execute system under test
    final List<String> serverIdentities = CertificateManager.getServerIdentities(cert);
    // Verify result
    assertEquals(1, serverIdentities.size());
    assertTrue(serverIdentities.contains(subjectAltNameDnsSrv));
    assertFalse(serverIdentities.contains(subjectCommonName));
}
Also used : SecureRandom(java.security.SecureRandom) X500Name(org.bouncycastle.asn1.x500.X500Name) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) GeneralName(org.bouncycastle.asn1.x509.GeneralName) Test(org.junit.Test)

Example 29 with GeneralNames

use of org.bouncycastle.asn1.x509.GeneralNames in project OpenAttestation by OpenAttestation.

the class X509Builder method ipAlternativeName.

public X509Builder ipAlternativeName(String ip) {
    try {
        v3();
        String alternativeName = ip;
        if (ip.startsWith("ip:")) {
            alternativeName = ip.substring(3);
        }
        //                InetAddress ipAddress = new InetAddress.getByName(alternativeName.substring(3));
        //                IPAddressName ipAddressName = new IPAddressName(ipAddress.getAddress());
        IPAddressName ipAddressName = new IPAddressName(alternativeName);
        if (alternativeNames == null) {
            alternativeNames = new GeneralNames();
        }
        alternativeNames.add(new GeneralName(ipAddressName));
        SubjectAlternativeNameExtension san = new SubjectAlternativeNameExtension(alternativeNames);
        if (certificateExtensions == null) {
            certificateExtensions = new CertificateExtensions();
        }
        certificateExtensions.set(san.getExtensionId().toString(), san);
        info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
    //   ObjectIdentifier("2.5.29.17") , false, "ipaddress".getBytes()                            
    } catch (Exception e) {
        fault(e, "ipAlternativeName(%s)", ip);
    }
    return this;
}
Also used : GeneralNames(sun.security.x509.GeneralNames) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) IPAddressName(sun.security.x509.IPAddressName) CertificateExtensions(sun.security.x509.CertificateExtensions) GeneralName(sun.security.x509.GeneralName)

Example 30 with GeneralNames

use of org.bouncycastle.asn1.x509.GeneralNames in project robovm by robovm.

the class RFC3280CertPathUtilities method checkCRLs.

/**
     * Checks a certificate if it is revoked.
     *
     * @param paramsPKIX       PKIX parameters.
     * @param cert             Certificate to check if it is revoked.
     * @param validDate        The date when the certificate revocation status should be
     *                         checked.
     * @param sign             The issuer certificate of the certificate <code>cert</code>.
     * @param workingPublicKey The public key of the issuer certificate <code>sign</code>.
     * @param certPathCerts    The certificates of the certification path.
     * @throws AnnotatedException if the certificate is revoked or the status cannot be checked
     *                            or some error occurs.
     */
protected static void checkCRLs(ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, List certPathCerts) throws AnnotatedException {
    AnnotatedException lastException = null;
    CRLDistPoint crldp = null;
    try {
        crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS));
    } catch (Exception e) {
        throw new AnnotatedException("CRL distribution point extension could not be read.", e);
    }
    try {
        CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX);
    } catch (AnnotatedException e) {
        throw new AnnotatedException("No additional CRL locations could be decoded from CRL distribution point extension.", e);
    }
    CertStatus certStatus = new CertStatus();
    ReasonsMask reasonsMask = new ReasonsMask();
    boolean validCrlFound = false;
    // for each distribution point
    if (crldp != null) {
        DistributionPoint[] dps = null;
        try {
            dps = crldp.getDistributionPoints();
        } catch (Exception e) {
            throw new AnnotatedException("Distribution points could not be read.", e);
        }
        if (dps != null) {
            for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) {
                ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
                try {
                    checkCRL(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts);
                    validCrlFound = true;
                } catch (AnnotatedException e) {
                    lastException = e;
                }
            }
        }
    }
    if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
        try {
            /*
                 * assume a DP with both the reasons and the cRLIssuer fields
                 * omitted and a distribution point name of the certificate
                 * issuer.
                 */
            ASN1Primitive issuer = null;
            try {
                issuer = new ASN1InputStream(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded()).readObject();
            } catch (Exception e) {
                throw new AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e);
            }
            DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null);
            ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
            checkCRL(dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts);
            validCrlFound = true;
        } catch (AnnotatedException e) {
            lastException = e;
        }
    }
    if (!validCrlFound) {
        if (lastException instanceof AnnotatedException) {
            throw lastException;
        }
        throw new AnnotatedException("No valid CRL found.", lastException);
    }
    if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
        String message = "Certificate revocation after " + certStatus.getRevocationDate();
        message += ", reason: " + crlReasons[certStatus.getCertStatus()];
        throw new AnnotatedException(message);
    }
    if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) {
        certStatus.setCertStatus(CertStatus.UNDETERMINED);
    }
    if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) {
        throw new AnnotatedException("Certificate status could not be determined.");
    }
}
Also used : ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) ExtendedPKIXParameters(org.bouncycastle.x509.ExtendedPKIXParameters) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)

Aggregations

GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)29 GeneralName (org.bouncycastle.asn1.x509.GeneralName)24 IOException (java.io.IOException)16 X509Certificate (java.security.cert.X509Certificate)15 ArrayList (java.util.ArrayList)12 List (java.util.List)12 GeneralNames (sun.security.x509.GeneralNames)10 Date (java.util.Date)9 X500Name (org.bouncycastle.asn1.x500.X500Name)9 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)9 ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)8 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)8 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)8 GeneralSecurityException (java.security.GeneralSecurityException)7 SecureRandom (java.security.SecureRandom)7 X509CertSelector (java.security.cert.X509CertSelector)7 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)7 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)7 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)7 GeneralName (sun.security.x509.GeneralName)7