
Example 16 with GeneralSubtree

use of org.bouncycastle.asn1.x509.GeneralSubtree in project LinLong-Java by zhenwei1108.

the class PKIXCertPathReviewer method checkNameConstraints.

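/**
 * Checks the names of every certificate in the path except the last one
 * ({@code certs.get(0)}) against the name constraints accumulated from the
 * certificates that precede it, and then folds each certificate's own
 * NameConstraints extension into the validator for the certificates that
 * follow. The lettered steps in the comments are those of the basic path
 * validation algorithm, as in the original inline version of this method.
 * <p>
 * Self-issued certificates are exempt from the subject DN and subject
 * alternative name checks but still contribute their constraints.
 * The first {@link CertPathReviewerException} stops the walk and is recorded
 * through {@link #addError} together with the index of the offending
 * certificate; any other exception propagates to the caller.
 */
private void checkNameConstraints() {
    // (b) and (c): the validator starts unconstrained and is narrowed as the path is walked.
    PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator();
    try {
        // Walk from the end of the list towards index 0, skipping index 0 (the last
        // certificate in the path), which is never an issuer of anything checked here.
        for (int index = certs.size() - 1; index > 0; index--) {
            X509Certificate cert = (X509Certificate) certs.get(index);
            if (!isSelfIssued(cert)) {
                checkSubjectDnConstraints(nameConstraintValidator, cert, index);
                checkSubjectAltNameConstraints(nameConstraintValidator, cert, index);
            }
            // (g) prepare for the next certificate: merge this certificate's constraints.
            applyNameConstraintsExtension(nameConstraintValidator, cert, index);
        }
    } catch (CertPathReviewerException cpre) {
        addError(cpre.getErrorMessage(), cpre.getIndex());
    }
}

/**
 * Checks the subject DN of {@code cert} against the permitted and excluded
 * directoryName subtrees collected so far.
 *
 * @param nameConstraintValidator the validator holding the constraints accumulated so far
 * @param cert                    the certificate whose subject is checked
 * @param index                   position of {@code cert} in {@code certs}, reported on error
 * @throws CertPathReviewerException if the subject cannot be decoded, is not within a
 *         permitted subtree, or lies within an excluded subtree
 */
private void checkSubjectDnConstraints(PKIXNameConstraintValidator nameConstraintValidator,
        X509Certificate cert, int index) throws CertPathReviewerException {
    X500Principal principal = getSubjectPrincipal(cert);
    // Re-decodes the DER encoding of the subject into the ASN.1 sequence the validator
    // works on; the stream only wraps an in-memory copy of the encoding.
    ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(principal.getEncoded()));
    ASN1Sequence dns;
    try {
        dns = (ASN1Sequence) aIn.readObject();
    } catch (IOException e) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.ncSubjectNameError", new Object[] { new UntrustedInput(principal) });
        throw new CertPathReviewerException(msg, e, certPath, index);
    }
    try {
        nameConstraintValidator.checkPermittedDN(dns);
    } catch (PKIXNameConstraintValidatorException cpve) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.notPermittedDN", new Object[] { new UntrustedInput(principal.getName()) });
        throw new CertPathReviewerException(msg, cpve, certPath, index);
    }
    try {
        nameConstraintValidator.checkExcludedDN(dns);
    } catch (PKIXNameConstraintValidatorException cpve) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.excludedDN", new Object[] { new UntrustedInput(principal.getName()) });
        throw new CertPathReviewerException(msg, cpve, certPath, index);
    }
}

/**
 * Checks every entry of the subjectAltName extension of {@code cert} (if present)
 * against the permitted and excluded subtrees collected so far.
 *
 * @param nameConstraintValidator the validator holding the constraints accumulated so far
 * @param cert                    the certificate whose alternative names are checked
 * @param index                   position of {@code cert} in {@code certs}, reported on error
 * @throws CertPathReviewerException if the extension cannot be read or any name violates
 *         a constraint
 */
private void checkSubjectAltNameConstraints(PKIXNameConstraintValidator nameConstraintValidator,
        X509Certificate cert, int index) throws CertPathReviewerException {
    ASN1Sequence altName;
    try {
        altName = (ASN1Sequence) getExtensionValue(cert, SUBJECT_ALTERNATIVE_NAME);
    } catch (AnnotatedException ae) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.subjAltNameExtError");
        throw new CertPathReviewerException(msg, ae, certPath, index);
    }
    if (altName == null) {
        return;
    }
    for (int j = 0; j < altName.size(); j++) {
        GeneralName name = GeneralName.getInstance(altName.getObjectAt(j));
        try {
            nameConstraintValidator.checkPermitted(name);
            nameConstraintValidator.checkExcluded(name);
        } catch (PKIXNameConstraintValidatorException cpve) {
            // TODO - move resources to PKIXNameConstraints: the "notPermittedEmail" key is
            // currently reported for every name form and for both permitted and excluded
            // violations, so the message is less specific than the failure it describes.
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.notPermittedEmail", new Object[] { new UntrustedInput(name) });
            throw new CertPathReviewerException(msg, cpve, certPath, index);
        }
    }
}

/**
 * Step (g): merges the NameConstraints extension of {@code cert} (if present) into the
 * validator so that it applies to the certificates that follow in the path.
 *
 * @param nameConstraintValidator the validator to narrow
 * @param cert                    the certificate whose extension is read
 * @param index                   position of {@code cert} in {@code certs}, reported on error
 * @throws CertPathReviewerException if the extension cannot be read
 */
private void applyNameConstraintsExtension(PKIXNameConstraintValidator nameConstraintValidator,
        X509Certificate cert, int index) throws CertPathReviewerException {
    ASN1Sequence ncSeq;
    try {
        ncSeq = (ASN1Sequence) getExtensionValue(cert, NAME_CONSTRAINTS);
    } catch (AnnotatedException ae) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.ncExtError");
        throw new CertPathReviewerException(msg, ae, certPath, index);
    }
    if (ncSeq == null) {
        return;
    }
    NameConstraints nc = NameConstraints.getInstance(ncSeq);
    // (g) (1) permitted subtrees are intersected with what is already permitted
    GeneralSubtree[] permitted = nc.getPermittedSubtrees();
    if (permitted != null) {
        nameConstraintValidator.intersectPermittedSubtree(permitted);
    }
    // (g) (2) excluded subtrees are each added to the validator
    GeneralSubtree[] excluded = nc.getExcludedSubtrees();
    if (excluded != null) {
        for (int c = 0; c != excluded.length; c++) {
            nameConstraintValidator.addExcludedSubtree(excluded[c]);
        }
    }
}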

Example 17 with GeneralSubtree

use of org.bouncycastle.asn1.x509.GeneralSubtree in project robovm by robovm.

the class GeneralSubtree method toASN1Primitive.

/**
 * Produces the DER encoding of this subtree for an ASN1OutputStream.
 *
 * Encodes:
 *
 * <pre>
 *       GeneralSubtree ::= SEQUENCE
 *       {
 *         base                    GeneralName,
 *         minimum         [0]     BaseDistance DEFAULT 0,
 *         maximum         [1]     BaseDistance OPTIONAL
 *       }
 * </pre>
 *
 * The minimum is written only when it is present and differs from the DEFAULT of 0;
 * the maximum is written whenever it is present. Both use implicit tagging.
 *
 * @return a ASN1Primitive
 */
public ASN1Primitive toASN1Primitive() {
    ASN1EncodableVector elements = new ASN1EncodableVector();
    elements.add(base);
    // A minimum equal to the DEFAULT value must be omitted from the DER encoding.
    boolean minimumIsDefault = minimum == null || minimum.getValue().equals(ZERO);
    if (!minimumIsDefault) {
        elements.add(new DERTaggedObject(false, 0, minimum));
    }
    if (maximum != null) {
        elements.add(new DERTaggedObject(false, 1, maximum));
    }
    return new DERSequence(elements);
}

Example 18 with GeneralSubtree

use of org.bouncycastle.asn1.x509.GeneralSubtree in project XobotOS by xamarin.

the class PKIXNameConstraintValidator method intersectEmail.

/**
 * Intersects the e-mail constraints in {@code emails} with the e-mail names
 * permitted so far.
 *
 * @param permitted the permitted e-mail names as {@code String}s, or {@code null}
 *                  when no e-mail restriction has been established yet
 * @param emails    {@link GeneralSubtree} instances whose base names are the new
 *                  e-mail constraints
 * @return a new set with the intersection; when {@code permitted} is {@code null}
 *         every non-null name from {@code emails} is taken over as is
 */
private Set intersectEmail(Set permitted, Set emails) {
    Set result = new HashSet();
    for (Object candidate : emails) {
        String email = extractNameAsString(((GeneralSubtree) candidate).getBase());
        if (permitted != null) {
            // Let the pairwise helper decide which of the two names (if any) survives.
            for (Object allowed : permitted) {
                intersectEmail(email, (String) allowed, result);
            }
        } else if (email != null) {
            result.add(email);
        }
    }
    return result;
}

Example 19 with GeneralSubtree

use of org.bouncycastle.asn1.x509.GeneralSubtree in project XobotOS by xamarin.

the class PKIXNameConstraintValidator method intersectURI.

/**
 * Intersects the URI constraints in {@code uris} with the URI names permitted so far.
 *
 * @param permitted the permitted URI names as {@code String}s, or {@code null}
 *                  when no URI restriction has been established yet
 * @param uris      {@link GeneralSubtree} instances whose base names are the new
 *                  URI constraints
 * @return a new set with the intersection; when {@code permitted} is {@code null}
 *         every non-null name from {@code uris} is taken over as is
 */
private Set intersectURI(Set permitted, Set uris) {
    Set result = new HashSet();
    for (Object candidate : uris) {
        String uri = extractNameAsString(((GeneralSubtree) candidate).getBase());
        if (permitted != null) {
            // Let the pairwise helper decide which of the two names (if any) survives.
            for (Object allowed : permitted) {
                intersectURI((String) allowed, uri, result);
            }
        } else if (uri != null) {
            result.add(uri);
        }
    }
    return result;
}

Example 20 with GeneralSubtree

use of org.bouncycastle.asn1.x509.GeneralSubtree in project XobotOS by xamarin.

the class PKIXNameConstraintValidator method intersectPermittedSubtree.

/**
 * Updates the permitted set of these name constraints with the intersection
 * with the given subtrees.
 * <p>
 * The subtrees are grouped by the tag number of their base name and each group
 * is intersected with the permitted set of that name form. Only rfc822Name (1),
 * dNSName (2), directoryName (4), uniformResourceIdentifier (6) and iPAddress (7)
 * are handled; subtrees of any other name form are ignored.
 *
 * @param permitted The permitted subtrees
 */
public void intersectPermittedSubtree(ASN1Sequence permitted) {
    Map groupsByTagNo = new HashMap();
    // group in sets in a map ordered by tag no.
    for (Enumeration e = permitted.getObjects(); e.hasMoreElements(); ) {
        GeneralSubtree subtree = GeneralSubtree.getInstance(e.nextElement());
        // BEGIN android-changed
        Integer tagNo = Integer.valueOf(subtree.getBase().getTagNo());
        // END android-changed
        Set group = (Set) groupsByTagNo.get(tagNo);
        if (group == null) {
            group = new HashSet();
            groupsByTagNo.put(tagNo, group);
        }
        group.add(subtree);
    }
    // go through all subtree groups
    for (Object o : groupsByTagNo.entrySet()) {
        Map.Entry entry = (Map.Entry) o;
        int tagNo = ((Integer) entry.getKey()).intValue();
        Set group = (Set) entry.getValue();
        if (tagNo == 1) {
            permittedSubtreesEmail = intersectEmail(permittedSubtreesEmail, group);
        } else if (tagNo == 2) {
            permittedSubtreesDNS = intersectDNS(permittedSubtreesDNS, group);
        } else if (tagNo == 4) {
            permittedSubtreesDN = intersectDN(permittedSubtreesDN, group);
        } else if (tagNo == 6) {
            permittedSubtreesURI = intersectURI(permittedSubtreesURI, group);
        } else if (tagNo == 7) {
            permittedSubtreesIP = intersectIP(permittedSubtreesIP, group);
        }
    }
}
