
Example 21 with GeneralSubtree

use of org.bouncycastle.asn1.x509.GeneralSubtree in project XobotOS by xamarin.

In class RFC3280CertPathUtilities, method prepareNextCertG.

/**
 * RFC 3280 path-processing step (g): folds the name constraints extension of
 * the certificate at {@code index} into the running validator state.
 * <p>
 * A present but undecodable extension, or a subtree that cannot be merged,
 * fails the validation (an exception is thrown) rather than being ignored;
 * the original cause and the certificate position are carried in the
 * thrown exception.
 *
 * @param certPath the path being validated
 * @param index position in {@code certPath} of the certificate to process
 * @param nameConstraintValidator accumulated permitted/excluded subtrees
 * @throws CertPathValidatorException if the extension cannot be decoded or
 *         a permitted/excluded subtree cannot be applied
 */
protected static void prepareNextCertG(CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator) throws CertPathValidatorException {
    X509Certificate cert = (X509Certificate) certPath.getCertificates().get(index);

    // (g) decode the name constraints extension, if the certificate carries one
    NameConstraints nc;
    try {
        ASN1Sequence ncSeq = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.NAME_CONSTRAINTS));
        nc = (ncSeq == null) ? null : new NameConstraints(ncSeq);
    } catch (Exception e) {
        // broad catch: any decoding failure is reported with path context
        throw new ExtCertPathValidatorException("Name constraints extension could not be decoded.", e, certPath, index);
    }
    if (nc == null) {
        return;
    }

    // (g) (1) permitted subtrees: intersect with what is already permitted
    ASN1Sequence permitted = nc.getPermittedSubtrees();
    if (permitted != null) {
        try {
            nameConstraintValidator.intersectPermittedSubtree(permitted);
        } catch (Exception ex) {
            throw new ExtCertPathValidatorException("Permitted subtrees cannot be build from name constraints extension.", ex, certPath, index);
        }
    }

    // (g) (2) excluded subtrees: each entry is added to the excluded set
    ASN1Sequence excluded = nc.getExcludedSubtrees();
    if (excluded != null) {
        Enumeration en = excluded.getObjects();
        try {
            while (en.hasMoreElements()) {
                nameConstraintValidator.addExcludedSubtree(GeneralSubtree.getInstance(en.nextElement()));
            }
        } catch (Exception ex) {
            throw new ExtCertPathValidatorException("Excluded subtrees cannot be build from name constraints extension.", ex, certPath, index);
        }
    }
}

Example 22 with GeneralSubtree

use of org.bouncycastle.asn1.x509.GeneralSubtree in project XobotOS by xamarin.

In class NameConstraints, method createSequence.

/**
 * Wraps the {@link GeneralSubtree} elements of {@code subtree} in a
 * {@link DERSequence}, keeping the vector's order.
 *
 * @param subtree vector whose elements are all {@code GeneralSubtree}s
 * @return the DER SEQUENCE holding those subtrees
 * @throws ClassCastException if an element is not a {@code GeneralSubtree}
 */
private DERSequence createSequence(Vector subtree) {
    ASN1EncodableVector encodables = new ASN1EncodableVector();
    for (Enumeration en = subtree.elements(); en.hasMoreElements(); ) {
        GeneralSubtree next = (GeneralSubtree) en.nextElement();
        encodables.add(next);
    }
    return new DERSequence(encodables);
}

Example 23 with GeneralSubtree

use of org.bouncycastle.asn1.x509.GeneralSubtree in project robovm by robovm.

In class PKIXNameConstraintValidator, method intersectPermittedSubtree.

/**
 * Updates the permitted set of these name constraints with the intersection
 * with the given subtree.
 * <p>
 * The subtrees are grouped by the tag number of their base
 * {@code GeneralName} and each group is intersected with the permitted set
 * kept for that name form. Only tags 1 (rfc822Name), 2 (dNSName),
 * 4 (directoryName), 6 (uniformResourceIdentifier) and 7 (iPAddress) have
 * a matching set here; a subtree of any other name form falls through the
 * dispatch and has no effect, i.e. such a constraint is not enforced by
 * this validator.
 *
 * @param permitted The permitted subtrees
 */
public void intersectPermittedSubtree(GeneralSubtree[] permitted) {
    // tag number -> set of subtrees that use that name form
    Map byTag = new HashMap();
    for (int i = 0; i != permitted.length; i++) {
        GeneralSubtree subtree = permitted[i];
        Integer tagNo = Integers.valueOf(subtree.getBase().getTagNo());
        Set group = (Set) byTag.get(tagNo);
        if (group == null) {
            group = new HashSet();
            byTag.put(tagNo, group);
        }
        group.add(subtree);
    }
    // each name form is independent, so the map's iteration order is irrelevant
    Iterator it = byTag.entrySet().iterator();
    while (it.hasNext()) {
        Map.Entry entry = (Map.Entry) it.next();
        int tag = ((Integer) entry.getKey()).intValue();
        Set group = (Set) entry.getValue();
        if (tag == 1) {
            permittedSubtreesEmail = intersectEmail(permittedSubtreesEmail, group);
        } else if (tag == 2) {
            permittedSubtreesDNS = intersectDNS(permittedSubtreesDNS, group);
        } else if (tag == 4) {
            permittedSubtreesDN = intersectDN(permittedSubtreesDN, group);
        } else if (tag == 6) {
            permittedSubtreesURI = intersectURI(permittedSubtreesURI, group);
        } else if (tag == 7) {
            permittedSubtreesIP = intersectIP(permittedSubtreesIP, group);
        }
        // any other tag: no per-form set exists, the group is skipped
    }
}

Example 24 with GeneralSubtree

use of org.bouncycastle.asn1.x509.GeneralSubtree in project robovm by robovm.

In class PKIXNameConstraintValidator, method intersectURI.

/**
 * Intersects the URI subtrees in {@code uris} with the already permitted
 * URI names.
 *
 * @param permitted the currently permitted URI names as strings, or
 *        {@code null} if no URI constraint has been applied yet
 * @param uris set of {@link GeneralSubtree}s whose base is a URI name
 * @return the narrowed set of permitted URI names (never {@code null})
 */
private Set intersectURI(Set permitted, Set uris) {
    Set result = new HashSet();
    Iterator uriIt = uris.iterator();
    while (uriIt.hasNext()) {
        GeneralSubtree subtree = (GeneralSubtree) uriIt.next();
        String uri = extractNameAsString(subtree.getBase());
        if (permitted != null) {
            // narrow every already permitted name against this one; a null
            // uri is still handed to the pairwise helper, which decides how
            // to treat it
            for (Iterator permIt = permitted.iterator(); permIt.hasNext(); ) {
                intersectURI((String) permIt.next(), uri, result);
            }
        } else if (uri != null) {
            // nothing permitted yet: the constraint itself becomes the set
            result.add(uri);
        }
    }
    return result;
}

Example 25 with GeneralSubtree

use of org.bouncycastle.asn1.x509.GeneralSubtree in project jdk8u_jdk by JetBrains.

In class X509CertSelectorTest, method testPathToName.

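/*
 * Tests matching on the name constraints extension contained in the
 * certificate: a pathToName inside an excluded subtree must not match,
 * one inside a permitted subtree must.
 */
private void testPathToName() throws IOException {
    System.out.println("X.509 Certificate Match on pathToName");
    // 2.5.29.30 is the id-ce-nameConstraints extension OID; its value is an
    // OCTET STRING wrapping the NameConstraints structure
    DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.30"));
    byte[] encoded = in.getOctetString();
    NameConstraintsExtension ext = new NameConstraintsExtension(false, encoded);
    GeneralSubtrees permitted = (GeneralSubtrees) ext.get(PERMITTED_SUBTREES);
    GeneralSubtrees excluded = (GeneralSubtrees) ext.get(EXCLUDED_SUBTREES);
    // bad matches on pathToName within excluded subtrees
    checkDirectoryNameMatches(excluded, "CN=Bogus, ", false);
    // good matches on pathToName within permitted subtrees
    checkDirectoryNameMatches(permitted, "CN=good, ", true);
}

/*
 * For every directoryName subtree in subtrees, builds a selector whose
 * pathToName is the subtree base, then one whose pathToName is a name one
 * RDN below it (extraRdn prepended), and checks that each matches the test
 * certificate according to expectMatch. A null subtrees is a no-op, as it
 * is for an absent permitted/excluded list.
 */
private void checkDirectoryNameMatches(GeneralSubtrees subtrees, String extraRdn, boolean expectMatch) throws IOException {
    if (subtrees == null) {
        return;
    }
    Iterator<GeneralSubtree> it = subtrees.iterator();
    while (it.hasNext()) {
        GeneralSubtree tree = it.next();
        // only directoryName subtrees are exercised here
        if (tree.getName().getType() != NAME_DIRECTORY) {
            continue;
        }
        String base = tree.getName().toString();
        X500Name baseDN = new X500Name(base);
        X500Name childDN = new X500Name(extraRdn + base);
        DerOutputStream derBase = new DerOutputStream();
        DerOutputStream derChild = new DerOutputStream();
        baseDN.encode(derBase);
        childDN.encode(derChild);
        X509CertSelector selector = new X509CertSelector();
        selector.addPathToName(NAME_DIRECTORY, derBase.toByteArray());
        checkMatch(selector, cert, expectMatch);
        // reset before the second name so only one pathToName is active
        selector.setPathToNames(null);
        selector.addPathToName(NAME_DIRECTORY, derChild.toByteArray());
        checkMatch(selector, cert, expectMatch);
    }
}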
