use of org.bouncycastle.asn1.x509.GeneralSubtree in project XobotOS by xamarin.
the class RFC3280CertPathUtilities method prepareNextCertG.
protected static void prepareNextCertG(CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator) throws CertPathValidatorException {
List certs = certPath.getCertificates();
X509Certificate cert = (X509Certificate) certs.get(index);
//
// (g) handle the name constraints extension
//
NameConstraints nc = null;
try {
ASN1Sequence ncSeq = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.NAME_CONSTRAINTS));
if (ncSeq != null) {
nc = new NameConstraints(ncSeq);
}
} catch (Exception e) {
throw new ExtCertPathValidatorException("Name constraints extension could not be decoded.", e, certPath, index);
}
if (nc != null) {
//
// (g) (1) permitted subtrees
//
ASN1Sequence permitted = nc.getPermittedSubtrees();
if (permitted != null) {
try {
nameConstraintValidator.intersectPermittedSubtree(permitted);
} catch (Exception ex) {
throw new ExtCertPathValidatorException("Permitted subtrees cannot be build from name constraints extension.", ex, certPath, index);
}
}
//
// (g) (2) excluded subtrees
//
ASN1Sequence excluded = nc.getExcludedSubtrees();
if (excluded != null) {
Enumeration e = excluded.getObjects();
try {
while (e.hasMoreElements()) {
GeneralSubtree subtree = GeneralSubtree.getInstance(e.nextElement());
nameConstraintValidator.addExcludedSubtree(subtree);
}
} catch (Exception ex) {
throw new ExtCertPathValidatorException("Excluded subtrees cannot be build from name constraints extension.", ex, certPath, index);
}
}
}
}
use of org.bouncycastle.asn1.x509.GeneralSubtree in project XobotOS by xamarin.
the class NameConstraints method createSequence.
private DERSequence createSequence(Vector subtree) {
ASN1EncodableVector vec = new ASN1EncodableVector();
Enumeration e = subtree.elements();
while (e.hasMoreElements()) {
vec.add((GeneralSubtree) e.nextElement());
}
return new DERSequence(vec);
}
use of org.bouncycastle.asn1.x509.GeneralSubtree in project robovm by robovm.
the class PKIXNameConstraintValidator method intersectPermittedSubtree.
/**
* Updates the permitted set of these name constraints with the intersection
* with the given subtree.
*
* @param permitted The permitted subtrees
*/
public void intersectPermittedSubtree(GeneralSubtree[] permitted) {
Map subtreesMap = new HashMap();
// group in sets in a map ordered by tag no.
for (int i = 0; i != permitted.length; i++) {
GeneralSubtree subtree = permitted[i];
Integer tagNo = Integers.valueOf(subtree.getBase().getTagNo());
if (subtreesMap.get(tagNo) == null) {
subtreesMap.put(tagNo, new HashSet());
}
((Set) subtreesMap.get(tagNo)).add(subtree);
}
for (Iterator it = subtreesMap.entrySet().iterator(); it.hasNext(); ) {
Map.Entry entry = (Map.Entry) it.next();
// go through all subtree groups
switch(((Integer) entry.getKey()).intValue()) {
case 1:
permittedSubtreesEmail = intersectEmail(permittedSubtreesEmail, (Set) entry.getValue());
break;
case 2:
permittedSubtreesDNS = intersectDNS(permittedSubtreesDNS, (Set) entry.getValue());
break;
case 4:
permittedSubtreesDN = intersectDN(permittedSubtreesDN, (Set) entry.getValue());
break;
case 6:
permittedSubtreesURI = intersectURI(permittedSubtreesURI, (Set) entry.getValue());
break;
case 7:
permittedSubtreesIP = intersectIP(permittedSubtreesIP, (Set) entry.getValue());
}
}
}
use of org.bouncycastle.asn1.x509.GeneralSubtree in project robovm by robovm.
the class PKIXNameConstraintValidator method intersectURI.
private Set intersectURI(Set permitted, Set uris) {
Set intersect = new HashSet();
for (Iterator it = uris.iterator(); it.hasNext(); ) {
String uri = extractNameAsString(((GeneralSubtree) it.next()).getBase());
if (permitted == null) {
if (uri != null) {
intersect.add(uri);
}
} else {
Iterator _iter = permitted.iterator();
while (_iter.hasNext()) {
String _permitted = (String) _iter.next();
intersectURI(_permitted, uri, intersect);
}
}
}
return intersect;
}
use of org.bouncycastle.asn1.x509.GeneralSubtree in project jdk8u_jdk by JetBrains.
the class X509CertSelectorTest method testPathToName.
/*
* Tests matching on the name constraints extension contained in the
* certificate.
*/
private void testPathToName() throws IOException {
System.out.println("X.509 Certificate Match on pathToName");
X509CertSelector selector = null;
DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.30"));
byte[] encoded = in.getOctetString();
NameConstraintsExtension ext = new NameConstraintsExtension(false, encoded);
GeneralSubtrees permitted = (GeneralSubtrees) ext.get(PERMITTED_SUBTREES);
GeneralSubtrees excluded = (GeneralSubtrees) ext.get(EXCLUDED_SUBTREES);
// bad matches on pathToName within excluded subtrees
if (excluded != null) {
Iterator<GeneralSubtree> e = excluded.iterator();
while (e.hasNext()) {
GeneralSubtree tree = e.next();
if (tree.getName().getType() == NAME_DIRECTORY) {
X500Name excludedDN1 = new X500Name(tree.getName().toString());
X500Name excludedDN2 = new X500Name("CN=Bogus, " + tree.getName().toString());
DerOutputStream derDN1 = new DerOutputStream();
DerOutputStream derDN2 = new DerOutputStream();
excludedDN1.encode(derDN1);
excludedDN2.encode(derDN2);
selector = new X509CertSelector();
selector.addPathToName(NAME_DIRECTORY, derDN1.toByteArray());
checkMatch(selector, cert, false);
selector.setPathToNames(null);
selector.addPathToName(NAME_DIRECTORY, derDN2.toByteArray());
checkMatch(selector, cert, false);
}
}
}
// good matches on pathToName within permitted subtrees
if (permitted != null) {
Iterator<GeneralSubtree> e = permitted.iterator();
while (e.hasNext()) {
GeneralSubtree tree = e.next();
if (tree.getName().getType() == NAME_DIRECTORY) {
X500Name permittedDN1 = new X500Name(tree.getName().toString());
X500Name permittedDN2 = new X500Name("CN=good, " + tree.getName().toString());
DerOutputStream derDN1 = new DerOutputStream();
DerOutputStream derDN2 = new DerOutputStream();
permittedDN1.encode(derDN1);
permittedDN2.encode(derDN2);
selector = new X509CertSelector();
selector.addPathToName(NAME_DIRECTORY, derDN1.toByteArray());
checkMatch(selector, cert, true);
selector.setPathToNames(null);
selector.addPathToName(NAME_DIRECTORY, derDN2.toByteArray());
checkMatch(selector, cert, true);
}
}
}
}
Aggregations