use of org.bouncycastle.asn1.x509.SubjectDirectoryAttributes in project keystore-explorer by kaikramer.
the class X509Ext method getSubjectDirectoryAttributesStringValue.
/**
 * Renders a DER-encoded SubjectDirectoryAttributes extension value as one
 * "oid=value" line per attribute value (each line terminated by NEWLINE).
 *
 * @param value DER encoding of the extension's inner value
 * @return the rendered lines; empty when no attribute carries a value
 * @throws IOException propagated from the per-value rendering helper
 */
private String getSubjectDirectoryAttributesStringValue(byte[] value) throws IOException {
    // @formatter:off
    /*
     * SubjectDirectoryAttributes ::= ASN1Sequence SIZE (1..MAX) OF Attribute
     *
     * Attribute ::= ASN1Sequence
     * {
     * type AttributeType,
     * values SET OF AttributeValue
     * }
     */
    // @formatter:on
    SubjectDirectoryAttributes sda = SubjectDirectoryAttributes.getInstance(value);
    StringBuilder out = new StringBuilder();
    // getAttributes() hands back a raw Vector of Attribute objects
    for (Object element : sda.getAttributes()) {
        Attribute attr = (Attribute) element;
        ASN1ObjectIdentifier type = attr.getAttrType();
        String typeId = type.getId();
        // an attribute whose SET OF values is empty contributes no line at all
        for (ASN1Encodable val : attr.getAttributeValues()) {
            String rendered = getAttributeValueString(type, val);
            out.append(typeId).append('=').append(rendered).append(NEWLINE);
        }
    }
    return out.toString();
}
use of org.bouncycastle.asn1.x509.SubjectDirectoryAttributes in project xipki by xipki.
the class ExtensionsChecker method checkExtensions.
// checkExtensions: validates the extensions of an issued certificate against the certificate profile
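/**
 * Validates every extension of an issued certificate against the certificate profile.
 *
 * Produces one ValidationIssue per extension type the profile expects but the certificate
 * lacks, and one per extension the certificate carries (flagged when it is not permitted,
 * when its criticality differs from the profile's control, or when its value fails the
 * type-specific check).
 *
 * @param cert                the issued certificate (BouncyCastle structure), must not be null
 * @param issuerInfo          information about the issuing CA, must not be null
 * @param requestedExtensions the extensions of the original request, may be null
 * @param requestedSubject    the subject of the original request
 * @return the list of issues; never null
 * @throws IllegalArgumentException if the certificate cannot be converted to a JCE certificate
 */
public List<ValidationIssue> checkExtensions(Certificate cert, X509IssuerInfo issuerInfo, Extensions requestedExtensions, X500Name requestedSubject) {
    ParamUtil.requireNonNull("cert", cert);
    ParamUtil.requireNonNull("issuerInfo", issuerInfo);
    X509Certificate jceCert;
    try {
        jceCert = X509Util.toX509Cert(cert);
    } catch (CertificateException ex) {
        // keep the cause chained instead of flattening it to a message
        throw new IllegalArgumentException("invalid cert: " + ex.getMessage(), ex);
    }
    List<ValidationIssue> result = new LinkedList<>();
    // the extension types that are expected to be present in the certificate
    Set<ASN1ObjectIdentifier> expectedExtTypes = getExensionTypes(cert, issuerInfo, requestedExtensions);
    Extensions extensions = cert.getTBSCertificate().getExtensions();
    // a certificate without an extensions field yields null here; treat it like an empty list
    ASN1ObjectIdentifier[] oids = (extensions == null) ? null : extensions.getExtensionOIDs();
    if (oids == null) {
        ValidationIssue issue = new ValidationIssue("X509.EXT.GEN", "extension general");
        result.add(issue);
        issue.setFailureMessage("no extension is present");
        return result;
    }
    List<ASN1ObjectIdentifier> certExtTypes = Arrays.asList(oids);
    for (ASN1ObjectIdentifier extType : expectedExtTypes) {
        if (!certExtTypes.contains(extType)) {
            ValidationIssue issue = createExtensionIssue(extType);
            result.add(issue);
            issue.setFailureMessage("extension is absent but is required");
        }
    }
    Map<ASN1ObjectIdentifier, ExtensionControl> extensionControls = certProfile.getExtensionControls();
    for (ASN1ObjectIdentifier oid : certExtTypes) {
        ValidationIssue issue = createExtensionIssue(oid);
        result.add(issue);
        if (!expectedExtTypes.contains(oid)) {
            issue.setFailureMessage("extension is present but is not permitted");
            continue;
        }
        Extension ext = extensions.getExtension(oid);
        ExtensionControl extControl = extensionControls.get(oid);
        if (extControl == null) {
            // NOTE(review): whether an expected type can lack a profile control depends on
            // getExensionTypes(); report it rather than failing with a NullPointerException
            issue.setFailureMessage("extension is expected but has no control in the certificate profile");
            continue;
        }
        StringBuilder failureMsg = new StringBuilder();
        if (extControl.isCritical() != ext.isCritical()) {
            addViolation(failureMsg, "critical", ext.isCritical(), extControl.isCritical());
        }
        byte[] extensionValue = ext.getExtnValue().getOctets();
        try {
            checkExtensionByType(oid, extensionValue, failureMsg, cert, jceCert, issuerInfo, extensions, requestedExtensions, requestedSubject, extControl);
        } catch (IllegalArgumentException | ClassCastException | ArrayIndexOutOfBoundsException ex) {
            // malformed DER inside the extension; a criticality violation found above is kept
            LOG.debug("extension value does not have correct syntax", ex);
            failureMsg.append("extension value does not have correct syntax");
        }
        if (failureMsg.length() > 0) {
            issue.setFailureMessage(failureMsg.toString());
        }
    }
    return result;
}

/**
 * Dispatches the value check of a single extension to the type-specific checker; unknown
 * types are compared byte-for-byte against the value the profile expects.
 *
 * @param oid                 the extension type
 * @param extensionValue      the DER-encoded inner value of the extension
 * @param failureMsg          collects violations found by the checker
 * @param cert                the issued certificate
 * @param jceCert             the same certificate as a JCE object
 * @param issuerInfo          information about the issuing CA
 * @param extensions          all extensions of the certificate
 * @param requestedExtensions the extensions of the request, may be null
 * @param requestedSubject    the subject of the request
 * @param extControl          the profile's control for this extension, not null
 */
private void checkExtensionByType(ASN1ObjectIdentifier oid, byte[] extensionValue, StringBuilder failureMsg, Certificate cert, X509Certificate jceCert, X509IssuerInfo issuerInfo, Extensions extensions, Extensions requestedExtensions, X500Name requestedSubject, ExtensionControl extControl) {
    if (Extension.authorityKeyIdentifier.equals(oid)) {
        // AuthorityKeyIdentifier
        checkExtensionIssuerKeyIdentifier(failureMsg, extensionValue, issuerInfo);
    } else if (Extension.subjectKeyIdentifier.equals(oid)) {
        // SubjectKeyIdentifier
        checkExtensionSubjectKeyIdentifier(failureMsg, extensionValue, cert.getSubjectPublicKeyInfo());
    } else if (Extension.keyUsage.equals(oid)) {
        // KeyUsage
        checkExtensionKeyUsage(failureMsg, extensionValue, jceCert.getKeyUsage(), requestedExtensions, extControl);
    } else if (Extension.certificatePolicies.equals(oid)) {
        // CertificatePolicies
        checkExtensionCertificatePolicies(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (Extension.policyMappings.equals(oid)) {
        // Policy Mappings
        checkExtensionPolicyMappings(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (Extension.subjectAlternativeName.equals(oid)) {
        // SubjectAltName
        checkExtensionSubjectAltName(failureMsg, extensionValue, requestedExtensions, extControl, requestedSubject);
    } else if (Extension.subjectDirectoryAttributes.equals(oid)) {
        // SubjectDirectoryAttributes
        checkExtensionSubjectDirAttrs(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (Extension.issuerAlternativeName.equals(oid)) {
        // IssuerAltName
        checkExtensionIssuerAltNames(failureMsg, extensionValue, issuerInfo);
    } else if (Extension.basicConstraints.equals(oid)) {
        // Basic Constraints
        checkExtensionBasicConstraints(failureMsg, extensionValue);
    } else if (Extension.nameConstraints.equals(oid)) {
        // Name Constraints
        checkExtensionNameConstraints(failureMsg, extensionValue, extensions, extControl);
    } else if (Extension.policyConstraints.equals(oid)) {
        // PolicyConstraints
        checkExtensionPolicyConstraints(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (Extension.extendedKeyUsage.equals(oid)) {
        // ExtendedKeyUsage
        checkExtensionExtendedKeyUsage(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (Extension.cRLDistributionPoints.equals(oid)) {
        // CRL Distribution Points
        checkExtensionCrlDistributionPoints(failureMsg, extensionValue, issuerInfo);
    } else if (Extension.inhibitAnyPolicy.equals(oid)) {
        // Inhibit anyPolicy
        checkExtensionInhibitAnyPolicy(failureMsg, extensionValue, extensions, extControl);
    } else if (Extension.freshestCRL.equals(oid)) {
        // Freshest CRL
        checkExtensionDeltaCrlDistributionPoints(failureMsg, extensionValue, issuerInfo);
    } else if (Extension.authorityInfoAccess.equals(oid)) {
        // Authority Information Access
        checkExtensionAuthorityInfoAccess(failureMsg, extensionValue, issuerInfo);
    } else if (Extension.subjectInfoAccess.equals(oid)) {
        // SubjectInfoAccess
        checkExtensionSubjectInfoAccess(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (ObjectIdentifiers.id_extension_admission.equals(oid)) {
        // Admission
        checkExtensionAdmission(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (ObjectIdentifiers.id_extension_pkix_ocsp_nocheck.equals(oid)) {
        // ocsp-nocheck
        checkExtensionOcspNocheck(failureMsg, extensionValue);
    } else if (ObjectIdentifiers.id_extension_restriction.equals(oid)) {
        // restriction
        checkExtensionRestriction(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (ObjectIdentifiers.id_extension_additionalInformation.equals(oid)) {
        // additionalInformation
        checkExtensionAdditionalInformation(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (ObjectIdentifiers.id_extension_validityModel.equals(oid)) {
        // validityModel
        checkExtensionValidityModel(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (Extension.privateKeyUsagePeriod.equals(oid)) {
        // privateKeyUsagePeriod
        checkExtensionPrivateKeyUsagePeriod(failureMsg, extensionValue, jceCert.getNotBefore(), jceCert.getNotAfter());
    } else if (Extension.qCStatements.equals(oid)) {
        // qCStatements
        checkExtensionQcStatements(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (Extension.biometricInfo.equals(oid)) {
        // biometricInfo
        checkExtensionBiometricInfo(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (ObjectIdentifiers.id_pe_tlsfeature.equals(oid)) {
        // tlsFeature
        checkExtensionTlsFeature(failureMsg, extensionValue, requestedExtensions, extControl);
    } else if (ObjectIdentifiers.id_xipki_ext_authorizationTemplate.equals(oid)) {
        // authorizationTemplate
        checkExtensionAuthorizationTemplate(failureMsg, extensionValue, requestedExtensions, extControl);
    } else {
        // no dedicated checker: the value must match the profile's expected encoding exactly
        byte[] expected;
        if (ObjectIdentifiers.id_smimeCapabilities.equals(oid)) {
            // SMIMECapabilities
            expected = smimeCapabilities.getValue();
        } else {
            expected = getExpectedExtValue(oid, requestedExtensions, extControl);
        }
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension value", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
        }
    }
}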
use of org.bouncycastle.asn1.x509.SubjectDirectoryAttributes in project xipki by xipki.
the class XmlX509Certprofile method getExtensions.
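/**
 * Builds the profile-controlled extensions for a certificate to be issued.
 *
 * Extension types marked "processed by the CA" are left to the CA; every other type in
 * extensionOccurences is either filled from the profile's static configuration or derived
 * from the request. Data taken from the request (SubjectDirectoryAttributes, Admission,
 * QCStatements, BiometricInfo) is untrusted and is validated here; malformed or out-of-range
 * values are rejected with BadCertTemplateException rather than surfacing as runtime errors.
 *
 * @param extensionOccurences the extension types to produce, with their controls
 * @param requestedSubject    subject of the request, must not be null
 * @param grantedSubject      subject the CA will put into the certificate
 * @param requestedExtensions extensions of the request, may be null
 * @param notBefore           start of the certificate validity, must not be null
 * @param notAfter            end of the certificate validity, must not be null
 * @param caInfo              information about the issuing CA
 * @return the extension values; empty when extensionOccurences is empty
 * @throws CertprofileException      on profile/configuration problems
 * @throws BadCertTemplateException  when the request lacks or contains invalid data
 */
@Override
public ExtensionValues getExtensions(Map<ASN1ObjectIdentifier, ExtensionControl> extensionOccurences, X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions, Date notBefore, Date notAfter, PublicCaInfo caInfo) throws CertprofileException, BadCertTemplateException {
    ExtensionValues values = new ExtensionValues();
    if (CollectionUtil.isEmpty(extensionOccurences)) {
        return values;
    }
    ParamUtil.requireNonNull("requestedSubject", requestedSubject);
    ParamUtil.requireNonNull("notBefore", notBefore);
    ParamUtil.requireNonNull("notAfter", notAfter);
    // working copy; each type handled here is removed once its value has been produced
    Set<ASN1ObjectIdentifier> occurences = new HashSet<>(extensionOccurences.keySet());

    // AuthorityKeyIdentifier, SubjectKeyIdentifier, KeyUsage: processed by the CA

    // CertificatePolicies
    ASN1ObjectIdentifier type = Extension.certificatePolicies;
    if (certificatePolicies != null && occurences.remove(type)) {
        values.addExtension(type, certificatePolicies);
    }

    // Policy Mappings
    type = Extension.policyMappings;
    if (policyMappings != null && occurences.remove(type)) {
        values.addExtension(type, policyMappings);
    }

    // SubjectAltName
    type = Extension.subjectAlternativeName;
    if (occurences.contains(type)) {
        GeneralNames genNames = createRequestedSubjectAltNames(requestedSubject, grantedSubject, requestedExtensions);
        if (genNames != null) {
            ExtensionValue value = new ExtensionValue(extensionControls.get(type).isCritical(), genNames);
            values.addExtension(type, value);
            occurences.remove(type);
        }
    }

    // IssuerAltName: processed by the CA

    // Subject Directory Attributes (taken from the request, filtered by the profile)
    type = Extension.subjectDirectoryAttributes;
    if (occurences.contains(type) && subjectDirAttrsControl != null) {
        SubjectDirectoryAttributes subjDirAttrs = buildSubjectDirAttrsFromRequest(requestedExtensions);
        ExtensionValue extValue = new ExtensionValue(extensionControls.get(type).isCritical(), subjDirAttrs);
        values.addExtension(type, extValue);
        occurences.remove(type);
    }

    // Basic Constraints: processed by the CA

    // Name Constraints
    type = Extension.nameConstraints;
    if (nameConstraints != null && occurences.remove(type)) {
        values.addExtension(type, nameConstraints);
    }

    // PolicyConstraints
    type = Extension.policyConstraints;
    if (policyConstraints != null && occurences.remove(type)) {
        values.addExtension(type, policyConstraints);
    }

    // ExtendedKeyUsage, CRL Distribution Points: processed by the CA

    // Inhibit anyPolicy
    type = Extension.inhibitAnyPolicy;
    if (inhibitAnyPolicy != null && occurences.remove(type)) {
        values.addExtension(type, inhibitAnyPolicy);
    }

    // Freshest CRL, Authority Information Access, Subject Information Access: processed by the CA

    // Admission
    type = ObjectIdentifiers.id_extension_admission;
    if (occurences.contains(type) && admission != null) {
        // registration numbers are only taken from the request when the profile demands it
        List<List<String>> reqRegNumsList = null;
        if (admission.isInputFromRequestRequired()) {
            reqRegNumsList = extractAdmissionRegistrationNumbers(requestedExtensions);
        }
        values.addExtension(type, admission.getExtensionValue(reqRegNumsList));
        occurences.remove(type);
    }

    // OCSP Nocheck: processed by the CA

    // restriction
    type = ObjectIdentifiers.id_extension_restriction;
    if (restriction != null && occurences.remove(type)) {
        values.addExtension(type, restriction);
    }

    // AdditionalInformation
    type = ObjectIdentifiers.id_extension_additionalInformation;
    if (additionalInformation != null && occurences.remove(type)) {
        values.addExtension(type, additionalInformation);
    }

    // ValidityModel
    type = ObjectIdentifiers.id_extension_validityModel;
    if (validityModel != null && occurences.remove(type)) {
        values.addExtension(type, validityModel);
    }

    // PrivateKeyUsagePeriod: [notBefore, min(notBefore + configured period, notAfter)]
    type = Extension.privateKeyUsagePeriod;
    if (occurences.contains(type)) {
        Date tmpNotAfter;
        if (privateKeyUsagePeriod == null) {
            tmpNotAfter = notAfter;
        } else {
            tmpNotAfter = privateKeyUsagePeriod.add(notBefore);
            if (tmpNotAfter.after(notAfter)) {
                tmpNotAfter = notAfter;
            }
        }
        ASN1EncodableVector vec = new ASN1EncodableVector();
        vec.add(new DERTaggedObject(false, 0, new DERGeneralizedTime(notBefore)));
        vec.add(new DERTaggedObject(false, 1, new DERGeneralizedTime(tmpNotAfter)));
        ExtensionValue extValue = new ExtensionValue(extensionControls.get(type).isCritical(), new DERSequence(vec));
        values.addExtension(type, extValue);
        occurences.remove(type);
    }

    // QCStatements
    type = Extension.qCStatements;
    if (occurences.contains(type) && (qcStatments != null || qcStatementsOption != null)) {
        if (qcStatments != null) {
            values.addExtension(type, qcStatments);
            occurences.remove(type);
        } else if (requestedExtensions != null) {
            // qcStatementsOption != null here; the euLimit data must come from the request
            DERSequence qcSeq = buildQcStatementsFromRequest(requestedExtensions);
            ExtensionValue extValue = new ExtensionValue(extensionControls.get(type).isCritical(), qcSeq);
            values.addExtension(type, extValue);
            occurences.remove(type);
        } else {
            // a request without extensions cannot supply the euLimit data; this is a bad
            // request, not an internal error
            throw new BadCertTemplateException("No QCStatement extension is contained in the request");
        }
    }

    // BiometricData
    type = Extension.biometricInfo;
    if (occurences.contains(type) && biometricInfo != null) {
        DERSequence bioSeq = buildBiometricInfoFromRequest(requestedExtensions);
        ExtensionValue extValue = new ExtensionValue(extensionControls.get(type).isCritical(), bioSeq);
        values.addExtension(type, extValue);
        occurences.remove(type);
    }

    // TlsFeature
    type = ObjectIdentifiers.id_pe_tlsfeature;
    if (tlsFeature != null && occurences.remove(type)) {
        values.addExtension(type, tlsFeature);
    }

    // AuthorizationTemplate
    type = ObjectIdentifiers.id_xipki_ext_authorizationTemplate;
    if (authorizationTemplate != null && occurences.remove(type)) {
        values.addExtension(type, authorizationTemplate);
    }

    // SMIME
    type = ObjectIdentifiers.id_smimeCapabilities;
    if (smimeCapabilities != null && occurences.remove(type)) {
        values.addExtension(type, smimeCapabilities);
    }

    // constant extensions
    if (constantExtensions != null) {
        for (ASN1ObjectIdentifier m : constantExtensions.keySet()) {
            if (!occurences.remove(m)) {
                continue;
            }
            ExtensionValue extensionValue = constantExtensions.get(m);
            if (extensionValue != null) {
                values.addExtension(m, extensionValue);
            }
        }
    }

    // extensions handled by subclasses / extra processors
    ExtensionValues extraExtensions = getExtraExtensions(extensionOccurences, requestedSubject, grantedSubject, requestedExtensions, notBefore, notAfter, caInfo);
    if (extraExtensions != null) {
        for (ASN1ObjectIdentifier m : extraExtensions.getExtensionTypes()) {
            values.addExtension(m, extraExtensions.getExtensionValue(m));
        }
    }
    return values;
}

/**
 * Parses the SubjectDirectoryAttributes extension of the request and rebuilds it with only
 * the attribute types permitted by subjectDirAttrsControl, validating each value.
 *
 * dateOfBirth, placeOfBirth and gender are single-valued (RFC 3739); countryOfCitizenship
 * and countryOfResidence may carry several values, all of which are kept.
 *
 * @param requestedExtensions extensions of the request, may be null
 * @return the rebuilt SubjectDirectoryAttributes value
 * @throws BadCertTemplateException when the extension is missing, malformed or contains
 *                                  a value that is invalid or not permitted by the profile
 */
private SubjectDirectoryAttributes buildSubjectDirAttrsFromRequest(Extensions requestedExtensions) throws BadCertTemplateException {
    ASN1ObjectIdentifier type = Extension.subjectDirectoryAttributes;
    Extension extension = (requestedExtensions == null) ? null : requestedExtensions.getExtension(type);
    if (extension == null) {
        throw new BadCertTemplateException("no SubjectDirecotryAttributes extension is contained in the request");
    }
    Vector<?> reqSubDirAttrs;
    try {
        reqSubDirAttrs = SubjectDirectoryAttributes.getInstance(extension.getParsedValue()).getAttributes();
    } catch (IllegalArgumentException ex) {
        // BouncyCastle reports malformed DER as IllegalArgumentException; this is request data
        throw new BadCertTemplateException("invalid SubjectDirectoryAttributes extension in the request: " + ex.getMessage());
    }
    ASN1GeneralizedTime dateOfBirth = null;
    String placeOfBirth = null;
    String gender = null;
    List<String> countryOfCitizenshipList = new LinkedList<>();
    List<String> countryOfResidenceList = new LinkedList<>();
    Map<ASN1ObjectIdentifier, List<ASN1Encodable>> otherAttrs = new HashMap<>();
    final int n = reqSubDirAttrs.size();
    for (int i = 0; i < n; i++) {
        Attribute attr = (Attribute) reqSubDirAttrs.get(i);
        ASN1ObjectIdentifier attrType = attr.getAttrType();
        ASN1Encodable[] attrVals = attr.getAttributeValues();
        // an Attribute with an empty SET OF values is rejected instead of failing on [0]
        if (attrVals == null || attrVals.length == 0) {
            throw new BadCertTemplateException("attribute " + attrType.getId() + " in extension SubjectDirectoryAttributes has no value");
        }
        try {
            if (ObjectIdentifiers.DN_DATE_OF_BIRTH.equals(attrType)) {
                dateOfBirth = ASN1GeneralizedTime.getInstance(singleAttributeValue(attrType, attrVals));
            } else if (ObjectIdentifiers.DN_PLACE_OF_BIRTH.equals(attrType)) {
                placeOfBirth = DirectoryString.getInstance(singleAttributeValue(attrType, attrVals)).getString();
            } else if (ObjectIdentifiers.DN_GENDER.equals(attrType)) {
                gender = DERPrintableString.getInstance(singleAttributeValue(attrType, attrVals)).getString();
            } else if (ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP.equals(attrType)) {
                for (ASN1Encodable attrVal : attrVals) {
                    countryOfCitizenshipList.add(DERPrintableString.getInstance(attrVal).getString());
                }
            } else if (ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE.equals(attrType)) {
                for (ASN1Encodable attrVal : attrVals) {
                    countryOfResidenceList.add(DERPrintableString.getInstance(attrVal).getString());
                }
            } else {
                List<ASN1Encodable> otherAttrVals = otherAttrs.get(attrType);
                if (otherAttrVals == null) {
                    otherAttrVals = new LinkedList<>();
                    otherAttrs.put(attrType, otherAttrVals);
                }
                for (ASN1Encodable attrVal : attrVals) {
                    otherAttrVals.add(attrVal);
                }
            }
        } catch (IllegalArgumentException ex) {
            // wrong ASN.1 type for the attribute (e.g. UTF8String where PrintableString is required)
            throw new BadCertTemplateException("invalid value of attribute " + attrType.getId() + " in extension SubjectDirectoryAttributes: " + ex.getMessage());
        }
    }
    // emit the attributes in the order the profile lists them; every listed type must be present
    Vector<Attribute> attrs = new Vector<>();
    for (ASN1ObjectIdentifier attrType : subjectDirAttrsControl.getTypes()) {
        if (ObjectIdentifiers.DN_DATE_OF_BIRTH.equals(attrType)) {
            if (dateOfBirth != null) {
                String timeStirng = dateOfBirth.getTimeString();
                if (!SubjectDnSpec.PATTERN_DATE_OF_BIRTH.matcher(timeStirng).matches()) {
                    throw new BadCertTemplateException("invalid dateOfBirth " + timeStirng);
                }
                attrs.add(new Attribute(attrType, new DERSet(dateOfBirth)));
                continue;
            }
        } else if (ObjectIdentifiers.DN_PLACE_OF_BIRTH.equals(attrType)) {
            if (placeOfBirth != null) {
                ASN1Encodable attrVal = new DERUTF8String(placeOfBirth);
                attrs.add(new Attribute(attrType, new DERSet(attrVal)));
                continue;
            }
        } else if (ObjectIdentifiers.DN_GENDER.equals(attrType)) {
            if (gender != null && !gender.isEmpty()) {
                // RFC 3739: exactly one of "M", "F", "m", "f"
                char ch = gender.charAt(0);
                if (!(gender.length() == 1 && (ch == 'f' || ch == 'F' || ch == 'm' || ch == 'M'))) {
                    throw new BadCertTemplateException("invalid gender " + gender);
                }
                ASN1Encodable attrVal = new DERPrintableString(gender);
                attrs.add(new Attribute(attrType, new DERSet(attrVal)));
                continue;
            }
        } else if (ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP.equals(attrType)) {
            if (!countryOfCitizenshipList.isEmpty()) {
                for (String country : countryOfCitizenshipList) {
                    if (!SubjectDnSpec.isValidCountryAreaCode(country)) {
                        throw new BadCertTemplateException("invalid countryOfCitizenship code " + country);
                    }
                    ASN1Encodable attrVal = new DERPrintableString(country);
                    attrs.add(new Attribute(attrType, new DERSet(attrVal)));
                }
                continue;
            }
        } else if (ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE.equals(attrType)) {
            if (!countryOfResidenceList.isEmpty()) {
                for (String country : countryOfResidenceList) {
                    if (!SubjectDnSpec.isValidCountryAreaCode(country)) {
                        throw new BadCertTemplateException("invalid countryOfResidence code " + country);
                    }
                    ASN1Encodable attrVal = new DERPrintableString(country);
                    attrs.add(new Attribute(attrType, new DERSet(attrVal)));
                }
                continue;
            }
        } else if (otherAttrs.containsKey(attrType)) {
            for (ASN1Encodable attrVal : otherAttrs.get(attrType)) {
                attrs.add(new Attribute(attrType, new DERSet(attrVal)));
            }
            continue;
        }
        throw new BadCertTemplateException("could not process type " + attrType.getId() + " in extension SubjectDirectoryAttributes");
    }
    return new SubjectDirectoryAttributes(attrs);
}

/**
 * Returns the only value of a single-valued attribute, rejecting a SET with several values.
 *
 * @param attrType the attribute type (for the error message)
 * @param attrVals the attribute's values, already known to be non-empty
 * @return the single value
 * @throws BadCertTemplateException when more than one value is present
 */
private static ASN1Encodable singleAttributeValue(ASN1ObjectIdentifier attrType, ASN1Encodable[] attrVals) throws BadCertTemplateException {
    if (attrVals.length != 1) {
        throw new BadCertTemplateException("attribute " + attrType.getId() + " in extension SubjectDirectoryAttributes must have exactly one value but has " + attrVals.length);
    }
    return attrVals[0];
}

/**
 * Reads the Admission extension of the request and collects, per Admissions entry, the
 * registration numbers of its ProfessionInfos.
 *
 * @param requestedExtensions extensions of the request, may be null
 * @return one list of registration numbers per Admissions entry (entries may be null)
 * @throws BadCertTemplateException when the extension is missing or malformed
 */
private List<List<String>> extractAdmissionRegistrationNumbers(Extensions requestedExtensions) throws BadCertTemplateException {
    ASN1ObjectIdentifier type = ObjectIdentifiers.id_extension_admission;
    Extension extension = (requestedExtensions == null) ? null : requestedExtensions.getExtension(type);
    if (extension == null) {
        throw new BadCertTemplateException("No Admission extension is contained in the request");
    }
    Admissions[] reqAdmissions;
    try {
        reqAdmissions = org.bouncycastle.asn1.isismtt.x509.AdmissionSyntax.getInstance(extension.getParsedValue()).getContentsOfAdmissions();
    } catch (IllegalArgumentException ex) {
        throw new BadCertTemplateException("invalid Admission extension in the request: " + ex.getMessage());
    }
    List<List<String>> reqRegNumsList = new ArrayList<>(reqAdmissions.length);
    for (Admissions reqAdmission : reqAdmissions) {
        ProfessionInfo[] reqPis = reqAdmission.getProfessionInfos();
        List<String> reqNums = new ArrayList<>(reqPis.length);
        for (ProfessionInfo reqPi : reqPis) {
            reqNums.add(reqPi.getRegistrationNumber());
        }
        reqRegNumsList.add(reqNums);
    }
    return reqRegNumsList;
}

/**
 * Builds the QCStatements value from qcStatementsOption, taking the euLimit amounts and
 * exponents from the QcLimitValue statements of the request and checking them against the
 * configured ranges.
 *
 * @param requestedExtensions extensions of the request, not null
 * @return the QCStatements SEQUENCE
 * @throws BadCertTemplateException when the extension is missing or malformed, a required
 *                                  currency is absent, or a value is out of range
 */
private DERSequence buildQcStatementsFromRequest(Extensions requestedExtensions) throws BadCertTemplateException {
    Extension extension = requestedExtensions.getExtension(Extension.qCStatements);
    if (extension == null) {
        throw new BadCertTemplateException("No QCStatement extension is contained in the request");
    }
    ASN1Sequence seq;
    try {
        seq = ASN1Sequence.getInstance(extension.getParsedValue());
    } catch (IllegalArgumentException ex) {
        throw new BadCertTemplateException("invalid QCStatements extension in the request: " + ex.getMessage());
    }
    Map<String, int[]> qcEuLimits = new HashMap<>();
    final int n = seq.size();
    for (int i = 0; i < n; i++) {
        MonetaryValue monetaryValue;
        try {
            QCStatement stmt = QCStatement.getInstance(seq.getObjectAt(i));
            if (!ObjectIdentifiers.id_etsi_qcs_QcLimitValue.equals(stmt.getStatementId())) {
                continue;
            }
            monetaryValue = MonetaryValue.getInstance(stmt.getStatementInfo());
        } catch (IllegalArgumentException ex) {
            throw new BadCertTemplateException("invalid QCStatement[" + i + "] in the request: " + ex.getMessage());
        }
        if (monetaryValue == null) {
            throw new BadCertTemplateException("QCStatement[" + i + "] (QcLimitValue) in the request has no statementInfo");
        }
        // BigInteger.intValue() silently wraps; a value outside the int range must be rejected,
        // otherwise the range check below would run on a truncated number
        if (monetaryValue.getAmount().bitLength() > 31 || monetaryValue.getExponent().bitLength() > 31) {
            throw new BadCertTemplateException("QCStatement[" + i + "] (QcLimitValue) in the request has an amount or exponent out of range");
        }
        int amount = monetaryValue.getAmount().intValue();
        int exponent = monetaryValue.getExponent().intValue();
        Iso4217CurrencyCode currency = monetaryValue.getCurrency();
        String currencyS = currency.isAlphabetic() ? currency.getAlphabetic().toUpperCase() : Integer.toString(currency.getNumeric());
        qcEuLimits.put(currencyS, new int[] { amount, exponent });
    }
    ASN1EncodableVector vec = new ASN1EncodableVector();
    for (QcStatementOption m : qcStatementsOption) {
        if (m.getStatement() != null) {
            // statically configured statement; nothing to take from the request
            vec.add(m.getStatement());
            continue;
        }
        MonetaryValueOption monetaryOption = m.getMonetaryValueOption();
        String currencyS = monetaryOption.getCurrencyString();
        int[] limit = qcEuLimits.get(currencyS);
        if (limit == null) {
            throw new BadCertTemplateException("no EuLimitValue is specified for currency '" + currencyS + "'");
        }
        int amount = limit[0];
        Range2Type range = monetaryOption.getAmountRange();
        if (amount < range.getMin() || amount > range.getMax()) {
            throw new BadCertTemplateException("amount for currency '" + currencyS + "' is not within [" + range.getMin() + ", " + range.getMax() + "]");
        }
        int exponent = limit[1];
        range = monetaryOption.getExponentRange();
        if (exponent < range.getMin() || exponent > range.getMax()) {
            throw new BadCertTemplateException("exponent for currency '" + currencyS + "' is not within [" + range.getMin() + ", " + range.getMax() + "]");
        }
        MonetaryValue monetaryVale = new MonetaryValue(monetaryOption.getCurrency(), amount, exponent);
        vec.add(new QCStatement(m.getStatementId(), monetaryVale));
    }
    return new DERSequence(vec);
}

/**
 * Validates the biometricInfo extension of the request against the profile and rebuilds it
 * (hash algorithm re-encoded with NULL parameters, sourceDataUri dropped when forbidden).
 *
 * @param requestedExtensions extensions of the request, may be null
 * @return the rebuilt BiometricSyntax SEQUENCE
 * @throws CertprofileException     when the permitted hash algorithm has no known output size
 * @throws BadCertTemplateException when the extension is missing, malformed or violates the profile
 */
private DERSequence buildBiometricInfoFromRequest(Extensions requestedExtensions) throws CertprofileException, BadCertTemplateException {
    ASN1ObjectIdentifier type = Extension.biometricInfo;
    Extension extension = (requestedExtensions == null) ? null : requestedExtensions.getExtension(type);
    if (extension == null) {
        throw new BadCertTemplateException("no biometricInfo extension is contained in the request");
    }
    ASN1Sequence seq;
    try {
        seq = ASN1Sequence.getInstance(extension.getParsedValue());
    } catch (IllegalArgumentException ex) {
        throw new BadCertTemplateException("invalid biometricInfo extension in the request: " + ex.getMessage());
    }
    final int n = seq.size();
    if (n < 1) {
        throw new BadCertTemplateException("biometricInfo extension in request contains empty sequence");
    }
    ASN1EncodableVector vec = new ASN1EncodableVector();
    for (int i = 0; i < n; i++) {
        BiometricData bd;
        try {
            bd = BiometricData.getInstance(seq.getObjectAt(i));
        } catch (IllegalArgumentException ex) {
            throw new BadCertTemplateException("biometricInfo[" + i + "] in the request is malformed: " + ex.getMessage());
        }
        TypeOfBiometricData bdType = bd.getTypeOfBiometricData();
        if (!biometricInfo.isTypePermitted(bdType)) {
            throw new BadCertTemplateException("biometricInfo[" + i + "].typeOfBiometricData is not permitted");
        }
        ASN1ObjectIdentifier hashAlgo = bd.getHashAlgorithm().getAlgorithm();
        if (!biometricInfo.isHashAlgorithmPermitted(hashAlgo)) {
            throw new BadCertTemplateException("biometricInfo[" + i + "].hashAlgorithm is not permitted");
        }
        int expHashValueSize;
        try {
            expHashValueSize = AlgorithmUtil.getHashOutputSizeInOctets(hashAlgo);
        } catch (NoSuchAlgorithmException ex) {
            throw new CertprofileException("should not happen, unknown hash algorithm " + hashAlgo);
        }
        // the digest length must match the algorithm's output size exactly
        byte[] hashValue = bd.getBiometricDataHash().getOctets();
        if (hashValue.length != expHashValueSize) {
            throw new BadCertTemplateException("biometricInfo[" + i + "].biometricDataHash has incorrect length");
        }
        DERIA5String sourceDataUri = bd.getSourceDataUri();
        switch(biometricInfo.getSourceDataUriOccurrence()) {
            case FORBIDDEN:
                sourceDataUri = null;
                break;
            case REQUIRED:
                if (sourceDataUri == null) {
                    throw new BadCertTemplateException("biometricInfo[" + i + "].sourceDataUri is not specified in request but is required");
                }
                break;
            case OPTIONAL:
                break;
            default:
                throw new BadCertTemplateException("could not reach here, unknown tripleState");
        }
        AlgorithmIdentifier newHashAlg = new AlgorithmIdentifier(hashAlgo, DERNull.INSTANCE);
        BiometricData newBiometricData = new BiometricData(bdType, newHashAlg, new DEROctetString(hashValue), sourceDataUri);
        vec.add(newBiometricData);
    }
    return new DERSequence(vec);
}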
use of org.bouncycastle.asn1.x509.SubjectDirectoryAttributes in project xipki by xipki.
the class XmlX509Certprofile method initialize0.
// method initialize
/**
 * Initializes this profile from its XML configuration.
 *
 * Reads the general settings (version, signature algorithms, validity, certificate level,
 * notBefore handling, key algorithms, parameters), the subject RDN controls and the extension
 * controls, then hands every extension type over to its init* method. Any extension type that
 * no init* method, the constant-extension table, the CA itself or initExtraExtension() claims
 * is reported as a configuration error.
 *
 * @param conf the parsed XML profile
 * @throws CertprofileException on any invalid or unsupported configuration value
 */
private void initialize0(X509ProfileType conf) throws CertprofileException {
    // certificate version: defaults to v3 when not configured
    if (conf.getVersion() != null) {
        String versionText = conf.getVersion();
        this.version = X509CertVersion.forName(versionText);
        if (this.version == null) {
            throw new CertprofileException(String.format("invalid version '%s'", versionText));
        }
    } else {
        this.version = X509CertVersion.v3;
    }
    // permitted signature algorithms, canonicalized; an unknown name is a configuration error
    if (conf.getSignatureAlgorithms() != null) {
        List<String> algoNames = conf.getSignatureAlgorithms().getAlgorithm();
        List<String> list = new ArrayList<>(algoNames.size());
        for (String algoName : algoNames) {
            try {
                list.add(AlgorithmUtil.canonicalizeSignatureAlgo(algoName));
            } catch (NoSuchAlgorithmException ex) {
                throw new CertprofileException(ex.getMessage(), ex);
            }
        }
        this.signatureAlgorithms = Collections.unmodifiableList(list);
    }
    this.raOnly = conf.isRaOnly();
    this.maxSize = conf.getMaxSize();
    this.validity = CertValidity.getInstance(conf.getValidity());
    // certificate level: RootCA, SubCA or EndEntity (case-insensitive)
    String str = conf.getCertLevel();
    if ("RootCA".equalsIgnoreCase(str)) {
        this.certLevel = X509CertLevel.RootCA;
    } else if ("SubCA".equalsIgnoreCase(str)) {
        this.certLevel = X509CertLevel.SubCA;
    } else if ("EndEntity".equalsIgnoreCase(str)) {
        this.certLevel = X509CertLevel.EndEntity;
    } else {
        throw new CertprofileException("invalid CertLevel '" + str + "'");
    }
    // notBefore: "midnight" rounds to the start of the day, "current" uses the issuance time
    str = conf.getNotBeforeTime();
    if ("midnight".equalsIgnoreCase(str)) {
        this.notBeforeMidnight = true;
    } else if ("current".equalsIgnoreCase(str)) {
        this.notBeforeMidnight = false;
    } else {
        throw new CertprofileException("invalid notBefore '" + str + "'");
    }
    String specBehavior = conf.getSpecialBehavior();
    if (specBehavior != null) {
        this.specialBehavior = SpecialX509CertprofileBehavior.forName(specBehavior);
    }
    this.duplicateKeyPermitted = conf.isDuplicateKey();
    this.serialNumberInReqPermitted = conf.isSerialNumberInReq();
    // KeyAlgorithms
    KeyAlgorithms keyAlgos = conf.getKeyAlgorithms();
    if (keyAlgos != null) {
        this.keyAlgorithms = XmlX509CertprofileUtil.buildKeyAlgorithms(keyAlgos);
    }
    // parameters: free-form name/value pairs, exposed read-only
    Parameters confParams = conf.getParameters();
    if (confParams == null) {
        parameters = null;
    } else {
        Map<String, String> tmpMap = new HashMap<>();
        for (NameValueType nv : confParams.getParameter()) {
            tmpMap.put(nv.getName(), nv.getValue());
        }
        parameters = Collections.unmodifiableMap(tmpMap);
    }
    // Subject: one RdnControl per configured RDN type
    Subject subject = conf.getSubject();
    duplicateSubjectPermitted = subject.isDuplicateSubjectPermitted();
    List<RdnControl> subjectDnControls = new LinkedList<>();
    for (RdnType rdn : subject.getRdn()) {
        ASN1ObjectIdentifier type = new ASN1ObjectIdentifier(rdn.getType().getValue());
        // value patterns: configured regexes take precedence over the built-in default for the type
        // NOTE(review): a malformed regex surfaces here as an unchecked PatternSyntaxException
        List<Pattern> patterns = null;
        if (CollectionUtil.isNonEmpty(rdn.getRegex())) {
            patterns = new LinkedList<>();
            for (String regex : rdn.getRegex()) {
                Pattern pattern = Pattern.compile(regex);
                patterns.add(pattern);
            }
        }
        if (patterns == null) {
            Pattern pattern = SubjectDnSpec.getPattern(type);
            if (pattern != null) {
                patterns = Arrays.asList(pattern);
            }
        }
        // length range is only built when at least one bound is configured
        Range range = (rdn.getMinLen() != null || rdn.getMaxLen() != null) ? new Range(rdn.getMinLen(), rdn.getMaxLen()) : null;
        RdnControl rdnControl = new RdnControl(type, rdn.getMinOccurs(), rdn.getMaxOccurs());
        subjectDnControls.add(rdnControl);
        StringType stringType = XmlX509CertprofileUtil.convertStringType(rdn.getStringType());
        rdnControl.setStringType(stringType);
        rdnControl.setStringLengthRange(range);
        rdnControl.setPatterns(patterns);
        rdnControl.setPrefix(rdn.getPrefix());
        rdnControl.setSuffix(rdn.getSuffix());
        rdnControl.setGroup(rdn.getGroup());
        SubjectDnSpec.fixRdnControl(rdnControl);
    }
    this.subjectControl = new SubjectControl(subjectDnControls, subject.isKeepRdnOrder());
    this.incSerialNoIfSubjectExists = subject.isIncSerialNumber();
    // Extensions
    ExtensionsType extensionsType = conf.getExtensions();
    // Extension controls
    this.extensionControls = XmlX509CertprofileUtil.buildExtensionControls(extensionsType);
    // extnIds tracks the extension types that still need an owner; every init* method below
    // presumably removes the type it handles (the emptiness check at the end relies on it)
    Set<ASN1ObjectIdentifier> extnIds = new HashSet<>(this.extensionControls.keySet());
    // SubjectToSubjectAltName
    initSubjectToSubjectAltNames(extensionsType);
    // AdditionalInformation
    initAdditionalInformation(extnIds, extensionsType);
    // Admission
    initAdmission(extnIds, extensionsType);
    // AuthorityInfoAccess
    initAuthorityInfoAccess(extnIds, extensionsType);
    // AuthorityKeyIdentifier
    initAuthorityKeyIdentifier(extnIds, extensionsType);
    // AuthorizationTemplate
    initAuthorizationTemplate(extnIds, extensionsType);
    // BasicConstrains
    initBasicConstraints(extnIds, extensionsType);
    // BiometricInfo
    initBiometricInfo(extnIds, extensionsType);
    // Certificate Policies
    initCertificatePolicies(extnIds, extensionsType);
    // ExtendedKeyUsage
    initExtendedKeyUsage(extnIds, extensionsType);
    // Inhibit anyPolicy
    initInhibitAnyPolicy(extnIds, extensionsType);
    // KeyUsage
    initKeyUsage(extnIds, extensionsType);
    // Name Constrains
    initNameConstraints(extnIds, extensionsType);
    // Policy Constraints
    initPolicyConstraints(extnIds, extensionsType);
    // Policy Mappings
    initPolicyMappings(extnIds, extensionsType);
    // PrivateKeyUsagePeriod
    initPrivateKeyUsagePeriod(extnIds, extensionsType);
    // QCStatements
    initQcStatements(extnIds, extensionsType);
    // Restriction
    initRestriction(extnIds, extensionsType);
    // SMIMECapatibilities
    initSmimeCapabilities(extnIds, extensionsType);
    // SubjectAltNameMode
    initSubjectAlternativeName(extnIds, extensionsType);
    // SubjectInfoAccess
    initSubjectInfoAccess(extnIds, extensionsType);
    // TlsFeature
    initTlsFeature(extnIds, extensionsType);
    // validityModel
    initValidityModel(extnIds, extensionsType);
    // SubjectDirectoryAttributes
    initSubjectDirAttrs(extnIds, extensionsType);
    // constant extensions: fixed values copied verbatim into every certificate
    this.constantExtensions = XmlX509CertprofileUtil.buildConstantExtesions(extensionsType);
    if (this.constantExtensions != null) {
        extnIds.removeAll(this.constantExtensions.keySet());
    }
    // validate the configuration: subject-to-SAN mapping needs the SAN extension to be
    // permitted, and each target name type must be allowed by the SAN modes
    if (subjectToSubjectAltNameModes != null) {
        ASN1ObjectIdentifier type = Extension.subjectAlternativeName;
        if (!extensionControls.containsKey(type)) {
            throw new CertprofileException("subjectToSubjectAltNames cannot be configured if extension" + " subjectAltNames is not permitted");
        }
        if (subjectAltNameModes != null) {
            for (ASN1ObjectIdentifier attrType : subjectToSubjectAltNameModes.keySet()) {
                GeneralNameTag nameTag = subjectToSubjectAltNameModes.get(attrType);
                boolean allowed = false;
                for (GeneralNameMode m : subjectAltNameModes) {
                    if (m.getTag() == nameTag) {
                        allowed = true;
                        break;
                    }
                }
                if (!allowed) {
                    throw new CertprofileException("target SubjectAltName type " + nameTag + " is not allowed");
                }
            }
        }
    }
    // Remove the extensions processed not by the CertProfile, but by the CA
    extnIds.remove(Extension.issuerAlternativeName);
    extnIds.remove(Extension.authorityInfoAccess);
    extnIds.remove(Extension.cRLDistributionPoints);
    extnIds.remove(Extension.freshestCRL);
    extnIds.remove(Extension.subjectKeyIdentifier);
    extnIds.remove(Extension.subjectInfoAccess);
    extnIds.remove(ObjectIdentifiers.id_extension_pkix_ocsp_nocheck);
    // give subclasses a chance to claim whatever is left (iterate over a copy: the set is mutated)
    Set<ASN1ObjectIdentifier> copyOfExtnIds = new HashSet<>(extnIds);
    for (ASN1ObjectIdentifier extnId : copyOfExtnIds) {
        Object extnValue = getExtensionValue(extnId, extensionsType, Object.class);
        boolean processed = initExtraExtension(extnId, extensionControls.get(extnId), extnValue);
        if (processed) {
            extnIds.remove(extnId);
        }
    }
    // anything still unclaimed would be silently ignored at issuance time; fail early instead
    if (!extnIds.isEmpty()) {
        throw new CertprofileException("Cannot process the extensions: " + extnIds);
    }
}
use of org.bouncycastle.asn1.x509.SubjectDirectoryAttributes in project xipki by xipki.
the class P12ComplexCsrGenCmd method getAdditionalExtensions.
/**
 * Supplies the fixed demo extensions this CSR generator adds to every request: an Admission
 * extension (Common PKI) carrying a dummy profession entry, and a SubjectDirectoryAttributes
 * extension (RFC 3739) with hard-coded birth date, gender, place of birth and countries.
 * Both extensions are marked non-critical.
 *
 * @return the two extensions, Admission first
 * @throws BadInputException if DER encoding of either value fails
 */
@Override
protected List<Extension> getAdditionalExtensions() throws BadInputException {
    // --- Admission (Germany standard commonpki): a single profession with registration number
    DirectoryString[] professionItems = { new DirectoryString("dummy") };
    ProfessionInfo professionInfo = new ProfessionInfo(null, professionItems, null, "aaaab", null);
    ASN1EncodableVector admissionsVec = new ASN1EncodableVector();
    admissionsVec.add(new Admissions(null, null, new ProfessionInfo[] { professionInfo }));
    AdmissionSyntax admissionSyntax = new AdmissionSyntax(null, new DERSequence(admissionsVec));

    // --- SubjectDirectoryAttributes (RFC 3739): one Attribute per value
    Vector<Attribute> subjectDirAttrs = new Vector<>();
    subjectDirAttrs.add(new Attribute(ObjectIdentifiers.DN_DATE_OF_BIRTH, new DERSet(new ASN1GeneralizedTime("19800122120000Z"))));
    subjectDirAttrs.add(new Attribute(ObjectIdentifiers.DN_GENDER, new DERSet(new DERPrintableString("M"))));
    subjectDirAttrs.add(new Attribute(ObjectIdentifiers.DN_PLACE_OF_BIRTH, new DERSet(new DERUTF8String("Berlin"))));
    for (String citizenship : new String[] { "DE", "FR" }) {
        subjectDirAttrs.add(new Attribute(ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP, new DERSet(new DERPrintableString(citizenship))));
    }
    for (String residence : new String[] { "DE" }) {
        subjectDirAttrs.add(new Attribute(ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE, new DERSet(new DERPrintableString(residence))));
    }
    SubjectDirectoryAttributes subjectDirectoryAttributes = new SubjectDirectoryAttributes(subjectDirAttrs);

    // --- encode both values; the encoding failure is reported as bad input either way
    List<Extension> result = new LinkedList<>();
    try {
        result.add(new Extension(ObjectIdentifiers.id_extension_admission, false, admissionSyntax.getEncoded()));
        result.add(new Extension(Extension.subjectDirectoryAttributes, false, subjectDirectoryAttributes.getEncoded()));
    } catch (IOException ex) {
        throw new BadInputException(ex.getMessage(), ex);
    }
    return result;
}