Search in sources :

Example 11 with PolicyInformation

use of org.bouncycastle.asn1.x509.PolicyInformation in project jdk8u_jdk by JetBrains.

the class X509CertSelectorTest method testPolicy.

/*
     * Tests matching on the policy constraints extension contained in the
     * certificate.
     */
private void testPolicy() throws IOException {
    System.out.println("X.509 Certificate Match on certificatePolicies");
    // test encoding of CertificatePoliciesExtension because we wrote the
    // code
    // bad match
    X509CertSelector selector = new X509CertSelector();
    Set<String> s = new HashSet<>();
    s.add(new String("1.2.5.7.68"));
    selector.setPolicy(s);
    checkMatch(selector, cert, false);
    // good match
    DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.32"));
    CertificatePoliciesExtension ext = new CertificatePoliciesExtension(false, in.getOctetString());
    List<PolicyInformation> policies = ext.get(CertificatePoliciesExtension.POLICIES);
    // match on the first policy id
    PolicyInformation policyInfo = (PolicyInformation) policies.get(0);
    s.clear();
    s.add(policyInfo.getPolicyIdentifier().getIdentifier().toString());
    selector.setPolicy(s);
    checkMatch(selector, cert, true);
}
Also used : PolicyInformation(sun.security.x509.PolicyInformation) X509CertSelector(java.security.cert.X509CertSelector) DerInputStream(sun.security.util.DerInputStream) CertificatePoliciesExtension(sun.security.x509.CertificatePoliciesExtension) HashSet(java.util.HashSet)

Example 12 with PolicyInformation

use of org.bouncycastle.asn1.x509.PolicyInformation in project jdk8u_jdk by JetBrains.

the class PolicyChecker method processPolicies.

/**
     * Processes certificate policies in the certificate.
     *
     * @param certIndex the index of the certificate
     * @param initPolicies the initial policies required by the user
     * @param explicitPolicy an integer which indicates if a non-null
     * valid policy tree is required
     * @param policyMapping an integer which indicates if policy
     * mapping is inhibited
     * @param inhibitAnyPolicy an integer which indicates whether
     * "any-policy" is considered a match
     * @param rejectPolicyQualifiers a boolean indicating whether the
     * user wants to reject policies that have qualifiers
     * @param origRootNode the root node of the valid policy tree
     * @param currCert the Certificate to be processed
     * @param finalCert a boolean indicating whether currCert is the final
     * cert in the cert path
     * @return the root node of the valid policy tree after modification
     * @exception CertPathValidatorException Exception thrown if an
     * error occurs while processing policies.
     */
static PolicyNodeImpl processPolicies(int certIndex, Set<String> initPolicies, int explicitPolicy, int policyMapping, int inhibitAnyPolicy, boolean rejectPolicyQualifiers, PolicyNodeImpl origRootNode, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException {
    boolean policiesCritical = false;
    List<PolicyInformation> policyInfo;
    PolicyNodeImpl rootNode = null;
    Set<PolicyQualifierInfo> anyQuals = new HashSet<>();
    if (origRootNode == null)
        rootNode = null;
    else
        rootNode = origRootNode.copyTree();
    // retrieve policyOIDs from currCert
    CertificatePoliciesExtension currCertPolicies = currCert.getCertificatePoliciesExtension();
    // PKIX: Section 6.1.3: Step (d)
    if ((currCertPolicies != null) && (rootNode != null)) {
        policiesCritical = currCertPolicies.isCritical();
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "policiesCritical = " + policiesCritical);
        try {
            policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
        } catch (IOException ioe) {
            throw new CertPathValidatorException("Exception while " + "retrieving policyOIDs", ioe);
        }
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "rejectPolicyQualifiers = " + rejectPolicyQualifiers);
        boolean foundAnyPolicy = false;
        // process each policy in cert
        for (PolicyInformation curPolInfo : policyInfo) {
            String curPolicy = curPolInfo.getPolicyIdentifier().getIdentifier().toString();
            if (curPolicy.equals(ANY_POLICY)) {
                foundAnyPolicy = true;
                anyQuals = curPolInfo.getPolicyQualifiers();
            } else {
                // PKIX: Section 6.1.3: Step (d)(1)
                if (debug != null)
                    debug.println("PolicyChecker.processPolicies() " + "processing policy: " + curPolicy);
                // retrieve policy qualifiers from cert
                Set<PolicyQualifierInfo> pQuals = curPolInfo.getPolicyQualifiers();
                // the policyQualifiersRejected flag is set in the params
                if (!pQuals.isEmpty() && rejectPolicyQualifiers && policiesCritical) {
                    throw new CertPathValidatorException("critical policy qualifiers present in certificate", null, null, -1, PKIXReason.INVALID_POLICY);
                }
                // PKIX: Section 6.1.3: Step (d)(1)(i)
                boolean foundMatch = processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, false);
                if (!foundMatch) {
                    // PKIX: Section 6.1.3: Step (d)(1)(ii)
                    processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, true);
                }
            }
        }
        // PKIX: Section 6.1.3: Step (d)(2)
        if (foundAnyPolicy) {
            if ((inhibitAnyPolicy > 0) || (!finalCert && X509CertImpl.isSelfIssued(currCert))) {
                if (debug != null) {
                    debug.println("PolicyChecker.processPolicies() " + "processing policy: " + ANY_POLICY);
                }
                processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, ANY_POLICY, anyQuals, true);
            }
        }
        // PKIX: Section 6.1.3: Step (d)(3)
        rootNode.prune(certIndex);
        if (!rootNode.getChildren().hasNext()) {
            rootNode = null;
        }
    } else if (currCertPolicies == null) {
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "no policies present in cert");
        // PKIX: Section 6.1.3: Step (e)
        rootNode = null;
    }
    // resulting in a null tree
    if (rootNode != null) {
        if (!finalCert) {
            // PKIX: Section 6.1.4: Steps (a)-(b)
            rootNode = processPolicyMappings(currCert, certIndex, policyMapping, rootNode, policiesCritical, anyQuals);
        }
    }
    if ((rootNode != null) && (!initPolicies.contains(ANY_POLICY)) && (currCertPolicies != null)) {
        rootNode = removeInvalidNodes(rootNode, certIndex, initPolicies, currCertPolicies);
        // PKIX: Section 6.1.5: Step (g)(iii)
        if ((rootNode != null) && finalCert) {
            // rewrite anyPolicy leaf nodes (see method comments)
            rootNode = rewriteLeafNodes(certIndex, initPolicies, rootNode);
        }
    }
    if (finalCert) {
        // PKIX: Section 6.1.5: Steps (a) and (b)
        explicitPolicy = mergeExplicitPolicy(explicitPolicy, currCert, finalCert);
    }
    if ((explicitPolicy == 0) && (rootNode == null)) {
        throw new CertPathValidatorException("non-null policy tree required and policy tree is null", null, null, -1, PKIXReason.INVALID_POLICY);
    }
    return rootNode;
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) PolicyInformation(sun.security.x509.PolicyInformation) PolicyQualifierInfo(java.security.cert.PolicyQualifierInfo) CertificatePoliciesExtension(sun.security.x509.CertificatePoliciesExtension) IOException(java.io.IOException)

Example 13 with PolicyInformation

use of org.bouncycastle.asn1.x509.PolicyInformation in project jdk8u_jdk by JetBrains.

the class PolicyChecker method removeInvalidNodes.

/**
     * Removes those nodes which do not intersect with the initial policies
     * specified by the user.
     *
     * @param rootNode the root node of the valid policy tree
     * @param certIndex the index of the certificate being processed
     * @param initPolicies the Set of policies required by the user
     * @param currCertPolicies the CertificatePoliciesExtension of the
     * certificate being processed
     * @returns the root node of the valid policy tree after modification
     * @exception CertPathValidatorException Exception thrown if error occurs.
     */
private static PolicyNodeImpl removeInvalidNodes(PolicyNodeImpl rootNode, int certIndex, Set<String> initPolicies, CertificatePoliciesExtension currCertPolicies) throws CertPathValidatorException {
    List<PolicyInformation> policyInfo = null;
    try {
        policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
    } catch (IOException ioe) {
        throw new CertPathValidatorException("Exception while " + "retrieving policyOIDs", ioe);
    }
    boolean childDeleted = false;
    for (PolicyInformation curPolInfo : policyInfo) {
        String curPolicy = curPolInfo.getPolicyIdentifier().getIdentifier().toString();
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "processing policy second time: " + curPolicy);
        Set<PolicyNodeImpl> validNodes = rootNode.getPolicyNodesValid(certIndex, curPolicy);
        for (PolicyNodeImpl curNode : validNodes) {
            PolicyNodeImpl parentNode = (PolicyNodeImpl) curNode.getParent();
            if (parentNode.getValidPolicy().equals(ANY_POLICY)) {
                if ((!initPolicies.contains(curPolicy)) && (!curPolicy.equals(ANY_POLICY))) {
                    if (debug != null)
                        debug.println("PolicyChecker.processPolicies() " + "before deleting: policy tree = " + rootNode);
                    parentNode.deleteChild(curNode);
                    childDeleted = true;
                    if (debug != null)
                        debug.println("PolicyChecker.processPolicies() " + "after deleting: policy tree = " + rootNode);
                }
            }
        }
    }
    if (childDeleted) {
        rootNode.prune(certIndex);
        if (!rootNode.getChildren().hasNext()) {
            rootNode = null;
        }
    }
    return rootNode;
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) PolicyInformation(sun.security.x509.PolicyInformation) IOException(java.io.IOException)

Example 14 with PolicyInformation

use of org.bouncycastle.asn1.x509.PolicyInformation in project nhin-d by DirectProject.

the class CertificatePolicyCpsUriExtensionField method injectReferenceValue.

/**
	 * {@inheritDoc}
	 */
@Override
public void injectReferenceValue(X509Certificate value) throws PolicyProcessException {
    this.certificate = value;
    final DERObject exValue = getExtensionValue(value);
    if (exValue == null) {
        if (isRequired())
            throw new PolicyRequiredException("Extention " + getExtentionIdentifier().getDisplay() + " is marked as required by is not present.");
        else {
            final Collection<String> emptyList = Collections.emptyList();
            this.policyValue = PolicyValueFactory.getInstance(emptyList);
            return;
        }
    }
    final Collection<String> retVal = new ArrayList<String>();
    final ASN1Sequence seq = (ASN1Sequence) exValue;
    @SuppressWarnings("unchecked") final Enumeration<DEREncodable> pols = seq.getObjects();
    while (pols.hasMoreElements()) {
        final PolicyInformation pol = PolicyInformation.getInstance(pols.nextElement());
        if (pol.getPolicyQualifiers() != null) {
            @SuppressWarnings("unchecked") final Enumeration<DEREncodable> polInfos = pol.getPolicyQualifiers().getObjects();
            while (polInfos.hasMoreElements()) {
                final PolicyQualifierInfo polInfo = PolicyQualifierInfo.getInstance(polInfos.nextElement());
                if (polInfo.getPolicyQualifierId().equals(PolicyQualifierId.id_qt_cps)) {
                    retVal.add(polInfo.getQualifier().toString());
                }
            }
        }
    }
    ///CLOVER:OFF
    if (retVal.isEmpty() && isRequired())
        throw new PolicyRequiredException("Extention " + getExtentionIdentifier().getDisplay() + " is marked as required by is not present.");
    ///CLOVER:ON	
    this.policyValue = PolicyValueFactory.getInstance(retVal);
}
Also used : PolicyRequiredException(org.nhindirect.policy.PolicyRequiredException) DERObject(org.bouncycastle.asn1.DERObject) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) DEREncodable(org.bouncycastle.asn1.DEREncodable) ArrayList(java.util.ArrayList) PolicyQualifierInfo(org.bouncycastle.asn1.x509.PolicyQualifierInfo)

Example 15 with PolicyInformation

use of org.bouncycastle.asn1.x509.PolicyInformation in project nhin-d by DirectProject.

the class CertificatePolicyIndentifierExtensionField method injectReferenceValue.

/**
	 * {@inheritDoc}
	 */
@Override
public void injectReferenceValue(X509Certificate value) throws PolicyProcessException {
    this.certificate = value;
    final DERObject exValue = getExtensionValue(value);
    if (exValue == null) {
        if (isRequired())
            throw new PolicyRequiredException("Extention " + getExtentionIdentifier().getDisplay() + " is marked as required by is not present.");
        else {
            final Collection<String> emptyList = Collections.emptyList();
            this.policyValue = PolicyValueFactory.getInstance(emptyList);
            return;
        }
    }
    final Collection<String> retVal = new ArrayList<String>();
    final ASN1Sequence seq = (ASN1Sequence) exValue;
    @SuppressWarnings("unchecked") final Enumeration<DEREncodable> pols = seq.getObjects();
    while (pols.hasMoreElements()) {
        final PolicyInformation pol = PolicyInformation.getInstance(pols.nextElement());
        retVal.add(pol.getPolicyIdentifier().getId());
    }
    this.policyValue = PolicyValueFactory.getInstance(retVal);
}
Also used : PolicyRequiredException(org.nhindirect.policy.PolicyRequiredException) DERObject(org.bouncycastle.asn1.DERObject) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) DEREncodable(org.bouncycastle.asn1.DEREncodable) ArrayList(java.util.ArrayList)

Aggregations

ArrayList (java.util.ArrayList)10 IOException (java.io.IOException)8 CertPathValidatorException (java.security.cert.CertPathValidatorException)8 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)8 PolicyInformation (org.bouncycastle.asn1.x509.PolicyInformation)8 HashSet (java.util.HashSet)7 Enumeration (java.util.Enumeration)6 Iterator (java.util.Iterator)6 List (java.util.List)6 Set (java.util.Set)6 ExtCertPathValidatorException (org.bouncycastle.jce.exception.ExtCertPathValidatorException)6 GeneralSecurityException (java.security.GeneralSecurityException)4 X509Certificate (java.security.cert.X509Certificate)4 DERObjectIdentifier (org.bouncycastle.asn1.DERObjectIdentifier)4 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)4 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)4 IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)4 DERObject (org.bouncycastle.asn1.DERObject)3 PolicyInformation (sun.security.x509.PolicyInformation)3 CertPathBuilderException (java.security.cert.CertPathBuilderException)2