Example 1 with IssuingDistributionPoint
use of org.bouncycastle.asn1.x509.IssuingDistributionPoint in project robovm by robovm.
the class RFC3280CertPathUtilities method processCRLB2.
/**
* If the complete CRL includes an issuing distribution point (IDP) CRL
* extension check the following:
* <p/>
* (i) If the distribution point name is present in the IDP CRL extension
* and the distribution field is present in the DP, then verify that one of
* the names in the IDP matches one of the names in the DP. If the
* distribution point name is present in the IDP CRL extension and the
* distribution field is omitted from the DP, then verify that one of the
* names in the IDP matches one of the names in the cRLIssuer field of the
* DP.
* </p>
* <p/>
* (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL
* extension, verify that the certificate does not include the basic
* constraints extension with the cA boolean asserted.
* </p>
* <p/>
* (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL
* extension, verify that the certificate includes the basic constraints
* extension with the cA boolean asserted.
* </p>
* <p/>
* (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.
* </p>
*
* @param dp The distribution point.
* @param cert The certificate.
* @param crl The CRL.
* @throws AnnotatedException if one of the conditions is not met or an error occurs.
*/
protected static void processCRLB2(DistributionPoint dp, Object cert, X509CRL crl) throws AnnotatedException {
IssuingDistributionPoint idp = null;
try {
idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl, RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
} catch (Exception e) {
throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
}
// distribution point name is present
if (idp != null) {
if (idp.getDistributionPoint() != null) {
// make list of names
DistributionPointName dpName = IssuingDistributionPoint.getInstance(idp).getDistributionPoint();
List names = new ArrayList();
if (dpName.getType() == DistributionPointName.FULL_NAME) {
GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
for (int j = 0; j < genNames.length; j++) {
names.add(genNames[j]);
}
}
if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
ASN1EncodableVector vec = new ASN1EncodableVector();
try {
Enumeration e = ASN1Sequence.getInstance(ASN1Sequence.fromByteArray(CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded())).getObjects();
while (e.hasMoreElements()) {
vec.add((ASN1Encodable) e.nextElement());
}
} catch (IOException e) {
throw new AnnotatedException("Could not read CRL issuer.", e);
}
vec.add(dpName.getName());
names.add(new GeneralName(X509Name.getInstance(new DERSequence(vec))));
}
boolean matches = false;
// of the names in the DP.
if (dp.getDistributionPoint() != null) {
dpName = dp.getDistributionPoint();
GeneralName[] genNames = null;
if (dpName.getType() == DistributionPointName.FULL_NAME) {
genNames = GeneralNames.getInstance(dpName.getName()).getNames();
}
if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
if (dp.getCRLIssuer() != null) {
genNames = dp.getCRLIssuer().getNames();
} else {
genNames = new GeneralName[1];
try {
genNames[0] = new GeneralName(new X509Name((ASN1Sequence) ASN1Sequence.fromByteArray(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded())));
} catch (IOException e) {
throw new AnnotatedException("Could not read certificate issuer.", e);
}
}
for (int j = 0; j < genNames.length; j++) {
Enumeration e = ASN1Sequence.getInstance(genNames[j].getName().toASN1Primitive()).getObjects();
ASN1EncodableVector vec = new ASN1EncodableVector();
while (e.hasMoreElements()) {
vec.add((ASN1Encodable) e.nextElement());
}
vec.add(dpName.getName());
genNames[j] = new GeneralName(new X509Name(new DERSequence(vec)));
}
}
if (genNames != null) {
for (int j = 0; j < genNames.length; j++) {
if (names.contains(genNames[j])) {
matches = true;
break;
}
}
}
if (!matches) {
throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
}
} else // verify that one of the names in
// the IDP matches one of the names in the cRLIssuer field of
// the DP
{
if (dp.getCRLIssuer() == null) {
throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must " + "be contained in DistributionPoint.");
}
GeneralName[] genNames = dp.getCRLIssuer().getNames();
for (int j = 0; j < genNames.length; j++) {
if (names.contains(genNames[j])) {
matches = true;
break;
}
}
if (!matches) {
throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
}
}
}
BasicConstraints bc = null;
try {
bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue((X509Extension) cert, BASIC_CONSTRAINTS));
} catch (Exception e) {
throw new AnnotatedException("Basic constraints extension could not be decoded.", e);
}
if (cert instanceof X509Certificate) {
// (b) (2) (ii)
if (idp.onlyContainsUserCerts() && (bc != null && bc.isCA())) {
throw new AnnotatedException("CA Cert CRL only contains user certificates.");
}
// (b) (2) (iii)
if (idp.onlyContainsCACerts() && (bc == null || !bc.isCA())) {
throw new AnnotatedException("End CRL only contains CA certificates.");
}
}
// (b) (2) (iv)
if (idp.onlyContainsAttributeCerts()) {
throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
}
}
}
Also used :
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
Enumeration(java.util.Enumeration)
DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName)
ArrayList(java.util.ArrayList)
IOException(java.io.IOException)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
GeneralSecurityException(java.security.GeneralSecurityException)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException)
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
CertPathBuilderException(java.security.cert.CertPathBuilderException)
IOException(java.io.IOException)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
X509Certificate(java.security.cert.X509Certificate)
DERSequence(org.bouncycastle.asn1.DERSequence)
X509Name(org.bouncycastle.asn1.x509.X509Name)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
List(java.util.List)
ArrayList(java.util.ArrayList)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Example 2 with IssuingDistributionPoint
use of org.bouncycastle.asn1.x509.IssuingDistributionPoint in project XobotOS by xamarin.
the class RFC3280CertPathUtilities method processCRLC.
/**
* If use-deltas is set, verify the issuer and scope of the delta CRL.
*
* @param deltaCRL The delta CRL.
* @param completeCRL The complete CRL.
* @param pkixParams The PKIX paramaters.
* @throws AnnotatedException if an exception occurs.
*/
protected static void processCRLC(X509CRL deltaCRL, X509CRL completeCRL, ExtendedPKIXParameters pkixParams) throws AnnotatedException {
if (deltaCRL == null) {
return;
}
IssuingDistributionPoint completeidp = null;
try {
completeidp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(completeCRL, RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
} catch (Exception e) {
throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
}
if (pkixParams.isUseDeltasEnabled()) {
// (c) (1)
if (!deltaCRL.getIssuerX500Principal().equals(completeCRL.getIssuerX500Principal())) {
throw new AnnotatedException("Complete CRL issuer does not match delta CRL issuer.");
}
// (c) (2)
IssuingDistributionPoint deltaidp = null;
try {
deltaidp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(deltaCRL, ISSUING_DISTRIBUTION_POINT));
} catch (Exception e) {
throw new AnnotatedException("Issuing distribution point extension from delta CRL could not be decoded.", e);
}
boolean match = false;
if (completeidp == null) {
if (deltaidp == null) {
match = true;
}
} else {
if (completeidp.equals(deltaidp)) {
match = true;
}
}
if (!match) {
throw new AnnotatedException("Issuing distribution point extension from delta CRL and complete CRL does not match.");
}
// (c) (3)
DERObject completeKeyIdentifier = null;
try {
completeKeyIdentifier = CertPathValidatorUtilities.getExtensionValue(completeCRL, AUTHORITY_KEY_IDENTIFIER);
} catch (AnnotatedException e) {
throw new AnnotatedException("Authority key identifier extension could not be extracted from complete CRL.", e);
}
DERObject deltaKeyIdentifier = null;
try {
deltaKeyIdentifier = CertPathValidatorUtilities.getExtensionValue(deltaCRL, AUTHORITY_KEY_IDENTIFIER);
} catch (AnnotatedException e) {
throw new AnnotatedException("Authority key identifier extension could not be extracted from delta CRL.", e);
}
if (completeKeyIdentifier == null) {
throw new AnnotatedException("CRL authority key identifier is null.");
}
if (deltaKeyIdentifier == null) {
throw new AnnotatedException("Delta CRL authority key identifier is null.");
}
if (!completeKeyIdentifier.equals(deltaKeyIdentifier)) {
throw new AnnotatedException("Delta CRL authority key identifier does not match complete CRL authority key identifier.");
}
}
}
Also used :
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
DERObject(org.bouncycastle.asn1.DERObject)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
GeneralSecurityException(java.security.GeneralSecurityException)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException)
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
CertPathBuilderException(java.security.cert.CertPathBuilderException)
IOException(java.io.IOException)
Example 3 with IssuingDistributionPoint
use of org.bouncycastle.asn1.x509.IssuingDistributionPoint in project robovm by robovm.
the class RFC3280CertPathUtilities method processCRLC.
/**
* If use-deltas is set, verify the issuer and scope of the delta CRL.
*
* @param deltaCRL The delta CRL.
* @param completeCRL The complete CRL.
* @param pkixParams The PKIX paramaters.
* @throws AnnotatedException if an exception occurs.
*/
protected static void processCRLC(X509CRL deltaCRL, X509CRL completeCRL, ExtendedPKIXParameters pkixParams) throws AnnotatedException {
if (deltaCRL == null) {
return;
}
IssuingDistributionPoint completeidp = null;
try {
completeidp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(completeCRL, RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
} catch (Exception e) {
throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
}
if (pkixParams.isUseDeltasEnabled()) {
// (c) (1)
if (!deltaCRL.getIssuerX500Principal().equals(completeCRL.getIssuerX500Principal())) {
throw new AnnotatedException("Complete CRL issuer does not match delta CRL issuer.");
}
// (c) (2)
IssuingDistributionPoint deltaidp = null;
try {
deltaidp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(deltaCRL, ISSUING_DISTRIBUTION_POINT));
} catch (Exception e) {
throw new AnnotatedException("Issuing distribution point extension from delta CRL could not be decoded.", e);
}
boolean match = false;
if (completeidp == null) {
if (deltaidp == null) {
match = true;
}
} else {
if (completeidp.equals(deltaidp)) {
match = true;
}
}
if (!match) {
throw new AnnotatedException("Issuing distribution point extension from delta CRL and complete CRL does not match.");
}
// (c) (3)
ASN1Primitive completeKeyIdentifier = null;
try {
completeKeyIdentifier = CertPathValidatorUtilities.getExtensionValue(completeCRL, AUTHORITY_KEY_IDENTIFIER);
} catch (AnnotatedException e) {
throw new AnnotatedException("Authority key identifier extension could not be extracted from complete CRL.", e);
}
ASN1Primitive deltaKeyIdentifier = null;
try {
deltaKeyIdentifier = CertPathValidatorUtilities.getExtensionValue(deltaCRL, AUTHORITY_KEY_IDENTIFIER);
} catch (AnnotatedException e) {
throw new AnnotatedException("Authority key identifier extension could not be extracted from delta CRL.", e);
}
if (completeKeyIdentifier == null) {
throw new AnnotatedException("CRL authority key identifier is null.");
}
if (deltaKeyIdentifier == null) {
throw new AnnotatedException("Delta CRL authority key identifier is null.");
}
if (!completeKeyIdentifier.equals(deltaKeyIdentifier)) {
throw new AnnotatedException("Delta CRL authority key identifier does not match complete CRL authority key identifier.");
}
}
}
Also used :
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
GeneralSecurityException(java.security.GeneralSecurityException)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException)
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
CertPathBuilderException(java.security.cert.CertPathBuilderException)
IOException(java.io.IOException)
Example 4 with IssuingDistributionPoint
use of org.bouncycastle.asn1.x509.IssuingDistributionPoint in project robovm by robovm.
the class X509CRLStoreSelector method match.
public boolean match(Object obj) {
if (!(obj instanceof X509CRL)) {
return false;
}
X509CRL crl = (X509CRL) obj;
DERInteger dci = null;
try {
byte[] bytes = crl.getExtensionValue(X509Extensions.DeltaCRLIndicator.getId());
if (bytes != null) {
dci = DERInteger.getInstance(X509ExtensionUtil.fromExtensionValue(bytes));
}
} catch (Exception e) {
return false;
}
if (isDeltaCRLIndicatorEnabled()) {
if (dci == null) {
return false;
}
}
if (isCompleteCRLEnabled()) {
if (dci != null) {
return false;
}
}
if (dci != null) {
if (maxBaseCRLNumber != null) {
if (dci.getPositiveValue().compareTo(maxBaseCRLNumber) == 1) {
return false;
}
}
}
if (issuingDistributionPointEnabled) {
byte[] idp = crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId());
if (issuingDistributionPoint == null) {
if (idp != null) {
return false;
}
} else {
if (!Arrays.areEqual(idp, issuingDistributionPoint)) {
return false;
}
}
}
return super.match((X509CRL) obj);
}
Also used :
X509CRL(java.security.cert.X509CRL)
IOException(java.io.IOException)
DERInteger(org.bouncycastle.asn1.DERInteger)
Example 5 with IssuingDistributionPoint
use of org.bouncycastle.asn1.x509.IssuingDistributionPoint in project XobotOS by xamarin.
the class X509CRLObject method toString.
/**
* Returns a string representation of this CRL.
*
* @return a string representation of this CRL.
*/
public String toString() {
StringBuffer buf = new StringBuffer();
String nl = System.getProperty("line.separator");
buf.append(" Version: ").append(this.getVersion()).append(nl);
buf.append(" IssuerDN: ").append(this.getIssuerDN()).append(nl);
buf.append(" This update: ").append(this.getThisUpdate()).append(nl);
buf.append(" Next update: ").append(this.getNextUpdate()).append(nl);
buf.append(" Signature Algorithm: ").append(this.getSigAlgName()).append(nl);
byte[] sig = this.getSignature();
buf.append(" Signature: ").append(new String(Hex.encode(sig, 0, 20))).append(nl);
for (int i = 20; i < sig.length; i += 20) {
if (i < sig.length - 20) {
buf.append(" ").append(new String(Hex.encode(sig, i, 20))).append(nl);
} else {
buf.append(" ").append(new String(Hex.encode(sig, i, sig.length - i))).append(nl);
}
}
X509Extensions extensions = c.getTBSCertList().getExtensions();
if (extensions != null) {
Enumeration e = extensions.oids();
if (e.hasMoreElements()) {
buf.append(" Extensions: ").append(nl);
}
while (e.hasMoreElements()) {
DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement();
X509Extension ext = extensions.getExtension(oid);
if (ext.getValue() != null) {
byte[] octs = ext.getValue().getOctets();
ASN1InputStream dIn = new ASN1InputStream(octs);
buf.append(" critical(").append(ext.isCritical()).append(") ");
try {
if (oid.equals(X509Extensions.CRLNumber)) {
buf.append(new CRLNumber(DERInteger.getInstance(dIn.readObject()).getPositiveValue())).append(nl);
} else if (oid.equals(X509Extensions.DeltaCRLIndicator)) {
buf.append("Base CRL: " + new CRLNumber(DERInteger.getInstance(dIn.readObject()).getPositiveValue())).append(nl);
} else if (oid.equals(X509Extensions.IssuingDistributionPoint)) {
buf.append(new IssuingDistributionPoint((ASN1Sequence) dIn.readObject())).append(nl);
} else if (oid.equals(X509Extensions.CRLDistributionPoints)) {
buf.append(new CRLDistPoint((ASN1Sequence) dIn.readObject())).append(nl);
} else if (oid.equals(X509Extensions.FreshestCRL)) {
buf.append(new CRLDistPoint((ASN1Sequence) dIn.readObject())).append(nl);
} else {
buf.append(oid.getId());
buf.append(" value = ").append(ASN1Dump.dumpAsString(dIn.readObject())).append(nl);
}
} catch (Exception ex) {
buf.append(oid.getId());
buf.append(" value = ").append("*****").append(nl);
}
} else {
buf.append(nl);
}
}
}
Set set = getRevokedCertificates();
if (set != null) {
Iterator it = set.iterator();
while (it.hasNext()) {
buf.append(it.next());
buf.append(nl);
}
}
return buf.toString();
}
Also used :
ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream)
Enumeration(java.util.Enumeration)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
HashSet(java.util.HashSet)
Set(java.util.Set)
X509Extension(org.bouncycastle.asn1.x509.X509Extension)
CRLNumber(org.bouncycastle.asn1.x509.CRLNumber)
X509Extensions(org.bouncycastle.asn1.x509.X509Extensions)
DERObjectIdentifier(org.bouncycastle.asn1.DERObjectIdentifier)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
SignatureException(java.security.SignatureException)
IOException(java.io.IOException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
CRLException(java.security.cert.CRLException)
NoSuchProviderException(java.security.NoSuchProviderException)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
Iterator(java.util.Iterator)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
Aggregations
IOException (java.io.IOException)7
IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)5
GeneralSecurityException (java.security.GeneralSecurityException)4
CertPathBuilderException (java.security.cert.CertPathBuilderException)4
CertPathValidatorException (java.security.cert.CertPathValidatorException)4
CertificateExpiredException (java.security.cert.CertificateExpiredException)4
CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)4
ExtCertPathValidatorException (org.bouncycastle.jce.exception.ExtCertPathValidatorException)4
Enumeration (java.util.Enumeration)3
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)3
X509CRL (java.security.cert.X509CRL)2
X509Certificate (java.security.cert.X509Certificate)2
ArrayList (java.util.ArrayList)2
List (java.util.List)2
ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)2
DERInteger (org.bouncycastle.asn1.DERInteger)2
DERSequence (org.bouncycastle.asn1.DERSequence)2
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)2
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)2
DistributionPointName (org.bouncycastle.asn1.x509.DistributionPointName)2
