use of org.bouncycastle.asn1.x509.SubjectDirectoryAttributes in project xipki by xipki.
the class ExtensionsChecker method checkExtensionSubjectDirAttrs.
// method checkExtensionSubjectDirAttrs
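/**
 * Checks the certificate's SubjectDirectoryAttributes extension against the profile's
 * {@code SubjectDirectoryAttributesControl} and against the extension carried in the request.
 * Every finding is appended to {@code failureMsg}; the method never throws for a mismatch.
 *
 * <p>Rules applied, as visible below: every attribute type listed in the profile control must be
 * present in the certificate and no other type may be; each attribute carries exactly one value;
 * dateOfBirth must match {@code SubjectDnSpec.PATTERN_DATE_OF_BIRTH}; gender must be F or M
 * (case-insensitive); all values must equal the requested ones.
 *
 * @param failureMsg collector for human-readable findings, each terminated by "; "
 * @param extensionValue DER-encoded value of the extension found in the certificate
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @param extControl control of this extension; not consulted by this check
 */
private void checkExtensionSubjectDirAttrs(StringBuilder failureMsg, byte[] extensionValue,
    Extensions requestedExtensions, ExtensionControl extControl) {
  SubjectDirectoryAttributesControl conf = certProfile.getSubjectDirAttrsControl();
  if (conf == null) {
    failureMsg.append("extension is present but not expected; ");
    return;
  }

  ASN1Encodable extInRequest = null;
  if (requestedExtensions != null) {
    extInRequest = requestedExtensions.getExtensionParsedValue(Extension.subjectDirectoryAttributes);
  }
  // Without a requested value there is nothing the certificate's attributes can be compared to.
  if (extInRequest == null) {
    failureMsg.append("extension is present but not expected; ");
    return;
  }

  // ---- expected attributes, taken from the request ----
  SubjectDirectoryAttributes requested = SubjectDirectoryAttributes.getInstance(extInRequest);
  Vector<?> reqSubDirAttrs = requested.getAttributes();

  ASN1GeneralizedTime expDateOfBirth = null;
  String expPlaceOfBirth = null;
  String expGender = null;
  Set<String> expCountryOfCitizenshipList = new HashSet<>();
  Set<String> expCountryOfResidenceList = new HashSet<>();
  Map<ASN1ObjectIdentifier, Set<ASN1Encodable>> expOtherAttrs = new HashMap<>();

  final int expN = reqSubDirAttrs.size();
  for (int i = 0; i < expN; i++) {
    Attribute attr = Attribute.getInstance(reqSubDirAttrs.get(i));
    ASN1ObjectIdentifier attrType = attr.getAttrType();
    ASN1Encodable[] reqValues = attr.getAttributeValues();
    // The request is client-supplied: guard the [0] access so that a value-less attribute is
    // reported as a finding instead of aborting the whole check with an
    // ArrayIndexOutOfBoundsException. Mirrors the single-value rule applied to the certificate.
    if (reqValues.length != 1) {
      failureMsg.append("requested attribute of type ").append(attrType.getId())
          .append(" does not have exactly one value: ").append(reqValues.length).append("; ");
      continue;
    }
    ASN1Encodable attrVal = reqValues[0];

    // NOTE(review): the getInstance() calls below throw IllegalArgumentException on a value of
    // the wrong ASN.1 type; that behaviour is kept unchanged here.
    if (ObjectIdentifiers.DN_DATE_OF_BIRTH.equals(attrType)) {
      expDateOfBirth = ASN1GeneralizedTime.getInstance(attrVal);
    } else if (ObjectIdentifiers.DN_PLACE_OF_BIRTH.equals(attrType)) {
      expPlaceOfBirth = DirectoryString.getInstance(attrVal).getString();
    } else if (ObjectIdentifiers.DN_GENDER.equals(attrType)) {
      expGender = DERPrintableString.getInstance(attrVal).getString();
    } else if (ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP.equals(attrType)) {
      expCountryOfCitizenshipList.add(DERPrintableString.getInstance(attrVal).getString());
    } else if (ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE.equals(attrType)) {
      expCountryOfResidenceList.add(DERPrintableString.getInstance(attrVal).getString());
    } else {
      expOtherAttrs.computeIfAbsent(attrType, k -> new HashSet<>()).add(attrVal);
    }
  }

  // ---- actual attributes, taken from the certificate ----
  SubjectDirectoryAttributes ext = SubjectDirectoryAttributes.getInstance(extensionValue);
  Vector<?> subDirAttrs = ext.getAttributes();

  ASN1GeneralizedTime dateOfBirth = null;
  String placeOfBirth = null;
  String gender = null;
  Set<String> countryOfCitizenshipList = new HashSet<>();
  Set<String> countryOfResidenceList = new HashSet<>();
  Map<ASN1ObjectIdentifier, Set<ASN1Encodable>> otherAttrs = new HashMap<>();

  // Types still in this list at the end are configured but missing from the certificate.
  List<ASN1ObjectIdentifier> attrTypes = new LinkedList<>(conf.getTypes());

  final int n = subDirAttrs.size();
  for (int i = 0; i < n; i++) {
    Attribute attr = Attribute.getInstance(subDirAttrs.get(i));
    ASN1ObjectIdentifier attrType = attr.getAttrType();
    if (!attrTypes.contains(attrType)) {
      failureMsg.append("attribute of type ").append(attrType.getId())
          .append(" is present but not expected; ");
      continue;
    }

    ASN1Encodable[] attrs = attr.getAttributeValues();
    if (attrs.length != 1) {
      failureMsg.append("attribute of type ").append(attrType.getId())
          .append(" does not have exactly one value: ").append(attrs.length).append("; ");
      continue;
    }
    ASN1Encodable attrVal = attrs[0];

    if (ObjectIdentifiers.DN_DATE_OF_BIRTH.equals(attrType)) {
      dateOfBirth = ASN1GeneralizedTime.getInstance(attrVal);
    } else if (ObjectIdentifiers.DN_PLACE_OF_BIRTH.equals(attrType)) {
      placeOfBirth = DirectoryString.getInstance(attrVal).getString();
    } else if (ObjectIdentifiers.DN_GENDER.equals(attrType)) {
      gender = DERPrintableString.getInstance(attrVal).getString();
    } else if (ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP.equals(attrType)) {
      countryOfCitizenshipList.add(DERPrintableString.getInstance(attrVal).getString());
    } else if (ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE.equals(attrType)) {
      countryOfResidenceList.add(DERPrintableString.getInstance(attrVal).getString());
    } else {
      otherAttrs.computeIfAbsent(attrType, k -> new HashSet<>()).add(attrVal);
    }
  }

  // ---- presence of all configured types ----
  if (dateOfBirth != null) {
    attrTypes.remove(ObjectIdentifiers.DN_DATE_OF_BIRTH);
  }
  if (placeOfBirth != null) {
    attrTypes.remove(ObjectIdentifiers.DN_PLACE_OF_BIRTH);
  }
  if (gender != null) {
    attrTypes.remove(ObjectIdentifiers.DN_GENDER);
  }
  if (!countryOfCitizenshipList.isEmpty()) {
    attrTypes.remove(ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP);
  }
  if (!countryOfResidenceList.isEmpty()) {
    attrTypes.remove(ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE);
  }
  attrTypes.removeAll(otherAttrs.keySet());

  if (!attrTypes.isEmpty()) {
    List<String> attrTypeTexts = new LinkedList<>();
    for (ASN1ObjectIdentifier oid : attrTypes) {
      attrTypeTexts.add(oid.getId());
    }
    failureMsg.append("required attributes of types ").append(attrTypeTexts)
        .append(" are not present; ");
  }

  // ---- value checks against the request ----
  if (dateOfBirth != null) {
    String timeString = dateOfBirth.getTimeString();
    if (!SubjectDnSpec.PATTERN_DATE_OF_BIRTH.matcher(timeString).matches()) {
      failureMsg.append("invalid dateOfBirth: ").append(timeString).append("; ");
    }
    // equalsIgnoreCase(null) is false, so a missing requested value is reported as a violation.
    String exp = (expDateOfBirth == null) ? null : expDateOfBirth.getTimeString();
    if (!timeString.equalsIgnoreCase(exp)) {
      addViolation(failureMsg, "dateOfBirth", timeString, exp);
    }
  }

  if (gender != null) {
    if (!(gender.equalsIgnoreCase("F") || gender.equalsIgnoreCase("M"))) {
      failureMsg.append("invalid gender: ").append(gender).append("; ");
    }
    if (!gender.equalsIgnoreCase(expGender)) {
      addViolation(failureMsg, "gender", gender, expGender);
    }
  }

  if (placeOfBirth != null && !placeOfBirth.equals(expPlaceOfBirth)) {
    addViolation(failureMsg, "placeOfBirth", placeOfBirth, expPlaceOfBirth);
  }

  if (!countryOfCitizenshipList.isEmpty()) {
    Set<String> diffs = strInBnotInA(expCountryOfCitizenshipList, countryOfCitizenshipList);
    if (CollectionUtil.isNonEmpty(diffs)) {
      failureMsg.append("countryOfCitizenship ").append(diffs.toString())
          .append(" are present but not expected; ");
    }
    diffs = strInBnotInA(countryOfCitizenshipList, expCountryOfCitizenshipList);
    if (CollectionUtil.isNonEmpty(diffs)) {
      failureMsg.append("countryOfCitizenship ").append(diffs.toString())
          .append(" are absent but are required; ");
    }
  }

  if (!countryOfResidenceList.isEmpty()) {
    Set<String> diffs = strInBnotInA(expCountryOfResidenceList, countryOfResidenceList);
    if (CollectionUtil.isNonEmpty(diffs)) {
      failureMsg.append("countryOfResidence ").append(diffs.toString())
          .append(" are present but not expected; ");
    }
    diffs = strInBnotInA(countryOfResidenceList, expCountryOfResidenceList);
    if (CollectionUtil.isNonEmpty(diffs)) {
      failureMsg.append("countryOfResidence ").append(diffs.toString())
          .append(" are absent but are required; ");
    }
  }

  // Attribute types the profile allows but this checker has no dedicated rule for: the set of
  // values must equal the requested set exactly.
  for (Map.Entry<ASN1ObjectIdentifier, Set<ASN1Encodable>> entry : otherAttrs.entrySet()) {
    ASN1ObjectIdentifier attrType = entry.getKey();
    Set<ASN1Encodable> expAttrValues = expOtherAttrs.get(attrType);
    if (expAttrValues == null) {
      failureMsg.append("attribute of type ").append(attrType.getId())
          .append(" is present but not requested; ");
    } else if (!entry.getValue().equals(expAttrValues)) {
      failureMsg.append("attribute of type ").append(attrType.getId())
          .append(" differs from the requested one; ");
    }
  }
}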
use of org.bouncycastle.asn1.x509.SubjectDirectoryAttributes in project xipki by xipki.
the class ProfileConfCreatorDemo method certprofileEeComplex.
// method certprofileEeComplex
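/**
 * Builds the demo end-entity profile "certprofile ee-complex" (5 years validity) that exercises
 * most extension controls: subject RDN controls, the standard extensions, subjectDirectoryAttributes,
 * admission, restriction, additionalInformation, validityModel, privateKeyUsagePeriod, QcStatements,
 * biometricInfo, authorizationTemplate, subjectAltName and subjectInfoAccess.
 *
 * @return the populated profile
 * @throws Exception propagated from the builders used here (for instance the encoding of the
 *     admission authority names)
 */
private static X509ProfileType certprofileEeComplex() throws Exception {
  X509ProfileType profile = getBaseProfile("certprofile ee-complex", X509CertLevel.EndEntity, "5y", true);

  // Subject
  Subject subject = profile.getSubject();
  subject.setIncSerialNumber(false);
  subject.setKeepRdnOrder(true);
  List<RdnType> rdnControls = subject.getRdn();
  rdnControls.add(createRdn(ObjectIdentifiers.DN_CN, 1, 1));
  rdnControls.add(createRdn(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE|FR" }, null, null));
  rdnControls.add(createRdn(ObjectIdentifiers.DN_O, 1, 1));
  rdnControls.add(createRdn(ObjectIdentifiers.DN_OU, 0, 1));
  rdnControls.add(createRdn(ObjectIdentifiers.DN_SN, 0, 1, new String[] { REGEX_SN }, null, null));
  rdnControls.add(createRdn(ObjectIdentifiers.DN_DATE_OF_BIRTH, 0, 1));
  rdnControls.add(createRdn(ObjectIdentifiers.DN_POSTAL_ADDRESS, 0, 1));
  rdnControls.add(createRdn(ObjectIdentifiers.DN_UNIQUE_IDENTIFIER, 1, 1));

  // Extensions
  ExtensionsType extensions = profile.getExtensions();
  List<ExtensionType> list = extensions.getExtension();

  // Extensions - controls without a value
  list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null));
  list.add(createExtension(Extension.cRLDistributionPoints, false, false, null));
  list.add(createExtension(Extension.freshestCRL, false, false, null));

  // Extensions - basicConstraints (no explicit value)
  ExtensionValueType extensionValue = null;
  list.add(createExtension(Extension.basicConstraints, true, false, extensionValue));

  // Extensions - AuthorityInfoAccess
  extensionValue = createAuthorityInfoAccess();
  list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue));

  // Extensions - AuthorityKeyIdentifier
  extensionValue = createAuthorityKeyIdentifier(true);
  list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue));

  // Extensions - keyUsage (the only critical extension in this profile)
  extensionValue = createKeyUsages(new KeyUsageEnum[] { KeyUsageEnum.DIGITAL_SIGNATURE,
      KeyUsageEnum.DATA_ENCIPHERMENT, KeyUsageEnum.KEY_ENCIPHERMENT }, null);
  list.add(createExtension(Extension.keyUsage, true, true, extensionValue));

  // Extensions - extendedKeyUsage
  extensionValue = createExtendedKeyUsage(
      new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_serverAuth },
      new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_clientAuth });
  list.add(createExtension(Extension.extendedKeyUsage, true, false, extensionValue));

  // Extension - subjectDirectoryAttributes
  SubjectDirectoryAttributs subjectDirAttrType = new SubjectDirectoryAttributs();
  List<OidWithDescType> attrTypes = subjectDirAttrType.getType();
  attrTypes.add(createOidType(ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP));
  attrTypes.add(createOidType(ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE));
  attrTypes.add(createOidType(ObjectIdentifiers.DN_GENDER));
  attrTypes.add(createOidType(ObjectIdentifiers.DN_DATE_OF_BIRTH));
  attrTypes.add(createOidType(ObjectIdentifiers.DN_PLACE_OF_BIRTH));
  extensionValue = createExtensionValueType(subjectDirAttrType);
  list.add(createExtension(Extension.subjectDirectoryAttributes, true, false, extensionValue));

  // Extension - Admission
  AdmissionSyntax admissionSyntax = new AdmissionSyntax();
  admissionSyntax.setAdmissionAuthority(
      new GeneralName(new X500Name("C=DE,CN=admissionAuthority level 1")).getEncoded());

  AdmissionsType admissions = new AdmissionsType();
  admissions.setAdmissionAuthority(
      new GeneralName(new X500Name("C=DE,CN=admissionAuthority level 2")).getEncoded());

  NamingAuthorityType namingAuthorityL2 = new NamingAuthorityType();
  namingAuthorityL2.setOid(createOidType(new ASN1ObjectIdentifier("1.2.3.4.5")));
  namingAuthorityL2.setUrl("http://naming-authority-level2.example.org");
  namingAuthorityL2.setText("namingAuthrityText level 2");
  admissions.setNamingAuthority(namingAuthorityL2);
  admissionSyntax.getContentsOfAdmissions().add(admissions);

  ProfessionInfoType pi = new ProfessionInfoType();
  admissions.getProfessionInfo().add(pi);
  pi.getProfessionOid().add(createOidType(new ASN1ObjectIdentifier("1.2.3.4"), "demo oid"));
  pi.getProfessionItem().add("demo item");

  NamingAuthorityType namingAuthorityL3 = new NamingAuthorityType();
  namingAuthorityL3.setOid(createOidType(new ASN1ObjectIdentifier("1.2.3.4.5")));
  namingAuthorityL3.setUrl("http://naming-authority-level3.example.org");
  namingAuthorityL3.setText("namingAuthrityText level 3");
  pi.setNamingAuthority(namingAuthorityL3);
  pi.setAddProfessionInfo(new byte[] { 1, 2, 3, 4 });

  RegistrationNumber regNum = new RegistrationNumber();
  pi.setRegistrationNumber(regNum);
  regNum.setRegex("a*b");

  // check the syntax
  XmlX509CertprofileUtil.buildAdmissionSyntax(false, admissionSyntax);
  extensionValue = createExtensionValueType(admissionSyntax);
  list.add(createExtension(ObjectIdentifiers.id_extension_admission, true, false, extensionValue));

  // restriction
  extensionValue = createRestriction(DirectoryStringType.UTF_8_STRING, "demo restriction");
  list.add(createExtension(ObjectIdentifiers.id_extension_restriction, true, false, extensionValue));

  // additionalInformation
  extensionValue = createAdditionalInformation(DirectoryStringType.UTF_8_STRING,
      "demo additional information");
  list.add(createExtension(ObjectIdentifiers.id_extension_additionalInformation, true, false,
      extensionValue));

  // validationModel
  extensionValue = createConstantExtValue(
      new ASN1ObjectIdentifier("1.3.6.1.4.1.8301.3.5.1").getEncoded(), "chain");
  list.add(createExtension(ObjectIdentifiers.id_extension_validityModel, true, false, extensionValue));

  // privateKeyUsagePeriod
  extensionValue = createPrivateKeyUsagePeriod("3y");
  list.add(createExtension(Extension.privateKeyUsagePeriod, true, false, extensionValue));

  // QcStatements
  extensionValue = createQcStatements(true);
  list.add(createExtension(Extension.qCStatements, true, false, extensionValue));

  // biometricInfo
  extensionValue = createBiometricInfo();
  list.add(createExtension(Extension.biometricInfo, true, false, extensionValue));

  // authorizationTemplate
  extensionValue = createAuthorizationTemplate();
  list.add(createExtension(ObjectIdentifiers.id_xipki_ext_authorizationTemplate, true, false,
      extensionValue));

  // SubjectAltName - every name form enabled, otherName restricted to the two demo OIDs
  SubjectAltName subjectAltNameMode = new SubjectAltName();
  subjectAltNameMode.setOtherName(createDemoOtherName());
  subjectAltNameMode.setRfc822Name("");
  subjectAltNameMode.setDnsName("");
  subjectAltNameMode.setDirectoryName("");
  subjectAltNameMode.setEdiPartyName("");
  subjectAltNameMode.setUniformResourceIdentifier("");
  subjectAltNameMode.setIpAddress("");
  subjectAltNameMode.setRegisteredID("");
  extensionValue = createExtensionValueType(subjectAltNameMode);
  list.add(createExtension(Extension.subjectAlternativeName, true, false, extensionValue));

  // SubjectInfoAccess - caRepository plus ten demo access methods 2.3.4.1 .. 2.3.4.10
  List<ASN1ObjectIdentifier> accessMethods = new LinkedList<>();
  accessMethods.add(ObjectIdentifiers.id_ad_caRepository);
  for (int i = 1; i <= 10; i++) {
    accessMethods.add(new ASN1ObjectIdentifier("2.3.4." + i));
  }

  SubjectInfoAccess subjectInfoAccessMode = new SubjectInfoAccess();
  for (ASN1ObjectIdentifier accessMethod : accessMethods) {
    SubjectInfoAccess.Access access = new SubjectInfoAccess.Access();
    subjectInfoAccessMode.getAccess().add(access);
    access.setAccessMethod(createOidType(accessMethod));

    GeneralNameType accessLocation = new GeneralNameType();
    access.setAccessLocation(accessLocation);
    accessLocation.setOtherName(createDemoOtherName());
    accessLocation.setRfc822Name("");
    accessLocation.setDnsName("");
    accessLocation.setDirectoryName("");
    accessLocation.setEdiPartyName("");
    accessLocation.setUniformResourceIdentifier("");
    accessLocation.setIpAddress("");
    accessLocation.setRegisteredID("");
  }
  extensionValue = createExtensionValueType(subjectInfoAccessMode);
  list.add(createExtension(Extension.subjectInfoAccess, true, false, extensionValue));

  return profile;
}

/**
 * Creates a fresh otherName control that permits the two demo OIDs 1.2.3.1 and 1.2.3.2.
 * Used for both the subjectAltName and each subjectInfoAccess access location above; a new
 * instance is returned on every call so the generated controls do not share state.
 *
 * @return the otherName control
 */
private static OtherName createDemoOtherName() {
  OtherName otherName = new OtherName();
  otherName.getType().add(createOidType(new ASN1ObjectIdentifier("1.2.3.1"), "dummy oid 1"));
  otherName.getType().add(createOidType(new ASN1ObjectIdentifier("1.2.3.2"), "dummy oid 2"));
  return otherName;
}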