use of org.bouncycastle.asn1.x509.GeneralSubtree in project LinLong-Java by zhenwei1108.
the class PKIXCertPathReviewer method checkNameConstraints.
private void checkNameConstraints() {
X509Certificate cert = null;
//
// Setup
//
// (b) and (c)
PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator();
//
// process each certificate except the last in the path
//
int index;
int i;
try {
for (index = certs.size() - 1; index > 0; index--) {
i = n - index;
//
// certificate processing
//
cert = (X509Certificate) certs.get(index);
if (!isSelfIssued(cert)) {
X500Principal principal = getSubjectPrincipal(cert);
ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(principal.getEncoded()));
ASN1Sequence dns;
try {
dns = (ASN1Sequence) aIn.readObject();
} catch (IOException e) {
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.ncSubjectNameError", new Object[] { new UntrustedInput(principal) });
throw new CertPathReviewerException(msg, e, certPath, index);
}
try {
nameConstraintValidator.checkPermittedDN(dns);
} catch (PKIXNameConstraintValidatorException cpve) {
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.notPermittedDN", new Object[] { new UntrustedInput(principal.getName()) });
throw new CertPathReviewerException(msg, cpve, certPath, index);
}
try {
nameConstraintValidator.checkExcludedDN(dns);
} catch (PKIXNameConstraintValidatorException cpve) {
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.excludedDN", new Object[] { new UntrustedInput(principal.getName()) });
throw new CertPathReviewerException(msg, cpve, certPath, index);
}
ASN1Sequence altName;
try {
altName = (ASN1Sequence) getExtensionValue(cert, SUBJECT_ALTERNATIVE_NAME);
} catch (AnnotatedException ae) {
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.subjAltNameExtError");
throw new CertPathReviewerException(msg, ae, certPath, index);
}
if (altName != null) {
for (int j = 0; j < altName.size(); j++) {
GeneralName name = GeneralName.getInstance(altName.getObjectAt(j));
try {
nameConstraintValidator.checkPermitted(name);
nameConstraintValidator.checkExcluded(name);
} catch (PKIXNameConstraintValidatorException cpve) {
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.notPermittedEmail", new Object[] { new UntrustedInput(name) });
throw new CertPathReviewerException(msg, cpve, certPath, index);
}
// switch(o.getTagNo()) TODO - move resources to PKIXNameConstraints
// {
// case 1:
// String email = DERIA5String.getInstance(o, true).getString();
//
// try
// {
// checkPermittedEmail(permittedSubtreesEmail, email);
// }
// catch (CertPathValidatorException cpve)
// {
// ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedEmail",
// new Object[] {new UntrustedInput(email)});
// throw new CertPathReviewerException(msg,cpve,certPath,index);
// }
//
// try
// {
// checkExcludedEmail(excludedSubtreesEmail, email);
// }
// catch (CertPathValidatorException cpve)
// {
// ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedEmail",
// new Object[] {new UntrustedInput(email)});
// throw new CertPathReviewerException(msg,cpve,certPath,index);
// }
//
// break;
// case 4:
// ASN1Sequence altDN = ASN1Sequence.getInstance(o, true);
//
// try
// {
// checkPermittedDN(permittedSubtreesDN, altDN);
// }
// catch (CertPathValidatorException cpve)
// {
// X509Name altDNName = new X509Name(altDN);
// ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedDN",
// new Object[] {new UntrustedInput(altDNName)});
// throw new CertPathReviewerException(msg,cpve,certPath,index);
// }
//
// try
// {
// checkExcludedDN(excludedSubtreesDN, altDN);
// }
// catch (CertPathValidatorException cpve)
// {
// X509Name altDNName = new X509Name(altDN);
// ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedDN",
// new Object[] {new UntrustedInput(altDNName)});
// throw new CertPathReviewerException(msg,cpve,certPath,index);
// }
//
// break;
// case 7:
// byte[] ip = ASN1OctetString.getInstance(o, true).getOctets();
//
// try
// {
// checkPermittedIP(permittedSubtreesIP, ip);
// }
// catch (CertPathValidatorException cpve)
// {
// ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedIP",
// new Object[] {IPtoString(ip)});
// throw new CertPathReviewerException(msg,cpve,certPath,index);
// }
//
// try
// {
// checkExcludedIP(excludedSubtreesIP, ip);
// }
// catch (CertPathValidatorException cpve)
// {
// ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedIP",
// new Object[] {IPtoString(ip)});
// throw new CertPathReviewerException(msg,cpve,certPath,index);
// }
// }
}
}
}
//
// prepare for next certificate
//
//
// (g) handle the name constraints extension
//
ASN1Sequence ncSeq;
try {
ncSeq = (ASN1Sequence) getExtensionValue(cert, NAME_CONSTRAINTS);
} catch (AnnotatedException ae) {
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.ncExtError");
throw new CertPathReviewerException(msg, ae, certPath, index);
}
if (ncSeq != null) {
NameConstraints nc = NameConstraints.getInstance(ncSeq);
//
// (g) (1) permitted subtrees
//
GeneralSubtree[] permitted = nc.getPermittedSubtrees();
if (permitted != null) {
nameConstraintValidator.intersectPermittedSubtree(permitted);
}
//
// (g) (2) excluded subtrees
//
GeneralSubtree[] excluded = nc.getExcludedSubtrees();
if (excluded != null) {
for (int c = 0; c != excluded.length; c++) {
nameConstraintValidator.addExcludedSubtree(excluded[c]);
}
}
}
}
// for
} catch (CertPathReviewerException cpre) {
addError(cpre.getErrorMessage(), cpre.getIndex());
}
}
use of org.bouncycastle.asn1.x509.GeneralSubtree in project robovm by robovm.
the class GeneralSubtree method toASN1Primitive.
/**
* Produce an object suitable for an ASN1OutputStream.
*
* Returns:
*
* <pre>
* GeneralSubtree ::= SEQUENCE
* {
* base GeneralName,
* minimum [0] BaseDistance DEFAULT 0,
* maximum [1] BaseDistance OPTIONAL
* }
* </pre>
*
* @return a ASN1Primitive
*/
public ASN1Primitive toASN1Primitive() {
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(base);
if (minimum != null && !minimum.getValue().equals(ZERO)) {
v.add(new DERTaggedObject(false, 0, minimum));
}
if (maximum != null) {
v.add(new DERTaggedObject(false, 1, maximum));
}
return new DERSequence(v);
}
use of org.bouncycastle.asn1.x509.GeneralSubtree in project XobotOS by xamarin.
the class PKIXNameConstraintValidator method intersectEmail.
private Set intersectEmail(Set permitted, Set emails) {
Set intersect = new HashSet();
for (Iterator it = emails.iterator(); it.hasNext(); ) {
String email = extractNameAsString(((GeneralSubtree) it.next()).getBase());
if (permitted == null) {
if (email != null) {
intersect.add(email);
}
} else {
Iterator it2 = permitted.iterator();
while (it2.hasNext()) {
String _permitted = (String) it2.next();
intersectEmail(email, _permitted, intersect);
}
}
}
return intersect;
}
use of org.bouncycastle.asn1.x509.GeneralSubtree in project XobotOS by xamarin.
the class PKIXNameConstraintValidator method intersectURI.
private Set intersectURI(Set permitted, Set uris) {
Set intersect = new HashSet();
for (Iterator it = uris.iterator(); it.hasNext(); ) {
String uri = extractNameAsString(((GeneralSubtree) it.next()).getBase());
if (permitted == null) {
if (uri != null) {
intersect.add(uri);
}
} else {
Iterator _iter = permitted.iterator();
while (_iter.hasNext()) {
String _permitted = (String) _iter.next();
intersectURI(_permitted, uri, intersect);
}
}
}
return intersect;
}
use of org.bouncycastle.asn1.x509.GeneralSubtree in project XobotOS by xamarin.
the class PKIXNameConstraintValidator method intersectPermittedSubtree.
/**
* Updates the permitted set of these name constraints with the intersection
* with the given subtree.
*
* @param permitted The permitted subtrees
*/
public void intersectPermittedSubtree(ASN1Sequence permitted) {
Map subtreesMap = new HashMap();
// group in sets in a map ordered by tag no.
for (Enumeration e = permitted.getObjects(); e.hasMoreElements(); ) {
GeneralSubtree subtree = GeneralSubtree.getInstance(e.nextElement());
// BEGIN android-changed
Integer tagNo = Integer.valueOf(subtree.getBase().getTagNo());
// END android-changed
if (subtreesMap.get(tagNo) == null) {
subtreesMap.put(tagNo, new HashSet());
}
((Set) subtreesMap.get(tagNo)).add(subtree);
}
for (Iterator it = subtreesMap.entrySet().iterator(); it.hasNext(); ) {
Map.Entry entry = (Map.Entry) it.next();
// go through all subtree groups
switch(((Integer) entry.getKey()).intValue()) {
case 1:
permittedSubtreesEmail = intersectEmail(permittedSubtreesEmail, (Set) entry.getValue());
break;
case 2:
permittedSubtreesDNS = intersectDNS(permittedSubtreesDNS, (Set) entry.getValue());
break;
case 4:
permittedSubtreesDN = intersectDN(permittedSubtreesDN, (Set) entry.getValue());
break;
case 6:
permittedSubtreesURI = intersectURI(permittedSubtreesURI, (Set) entry.getValue());
break;
case 7:
permittedSubtreesIP = intersectIP(permittedSubtreesIP, (Set) entry.getValue());
}
}
}
Aggregations