Example 26 with Extension
use of org.gluu.oxtrust.model.scim2.Extension in project oxTrust by GluuFederation.
the class ResourceValidator method validateSchemasAttribute.
/**
* Inspects the {@link BaseScimResource#getSchemas() schemas} attribute of the resource passed in the constructor and
* checks the default schema <code>urn</code> associated to the resource type is present in the list. If some of the
* <code>urn</code>s part of the <code>Extension</code>s passed in the constructor are contained in the list, the validation is also
* successful.
* <p>This method should be called after a successful call to {@link #validateRequiredAttributes()}.</p>
* @throws SCIMException If there is no {@link BaseScimResource#getSchemas() schemas} in this resource or if some of
* the <code>urn</code>s there are not known.
*/
public void validateSchemasAttribute() throws SCIMException {
Set<String> schemaList = new HashSet<String>(resource.getSchemas());
if (schemaList.size() == 0)
throw new SCIMException(WRONG_SCHEMAS_ATTR);
Set<String> allSchemas = new HashSet<String>();
allSchemas.add(ScimResourceUtil.getDefaultSchemaUrn(resourceClass));
for (Extension ext : extensions) allSchemas.add(ext.getUrn());
schemaList.removeAll(allSchemas);
if (// means that some wrong extension urn is there
schemaList.size() > 0)
throw new SCIMException(WRONG_SCHEMAS_ATTR);
}
Also used :
Extension(org.gluu.oxtrust.model.scim2.extensions.Extension)
SCIMException(org.gluu.oxtrust.model.exception.SCIMException)
Example 27 with Extension
use of org.gluu.oxtrust.model.scim2.Extension in project xipki by xipki.
the class X509Util method extractSki.
public static byte[] extractSki(org.bouncycastle.asn1.x509.Certificate cert) throws CertificateEncodingException {
ParamUtil.requireNonNull("cert", cert);
Extension encodedSkiValue = cert.getTBSCertificate().getExtensions().getExtension(Extension.subjectKeyIdentifier);
if (encodedSkiValue == null) {
return null;
}
try {
return ASN1OctetString.getInstance(encodedSkiValue.getParsedValue()).getOctets();
} catch (IllegalArgumentException ex) {
throw new CertificateEncodingException("invalid extension SubjectKeyIdentifier: " + ex.getMessage());
}
}
Also used :
Extension(org.bouncycastle.asn1.x509.Extension)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
Example 28 with Extension
use of org.gluu.oxtrust.model.scim2.Extension in project xipki by xipki.
the class OcspQa method checkSingleCert.
// method checkOcsp
private List<ValidationIssue> checkSingleCert(int index, SingleResp singleResp, IssuerHash issuerHash, OcspCertStatus expectedStatus, byte[] encodedCert, Date expectedRevTime, boolean extendedRevoke, Occurrence nextupdateOccurrence, Occurrence certhashOccurrence, ASN1ObjectIdentifier certhashAlg) {
if (expectedStatus == OcspCertStatus.unknown || expectedStatus == OcspCertStatus.issuerUnknown) {
certhashOccurrence = Occurrence.forbidden;
}
List<ValidationIssue> issues = new LinkedList<>();
// issuer hash
ValidationIssue issue = new ValidationIssue("OCSP.RESPONSE." + index + ".ISSUER", "certificate issuer");
issues.add(issue);
CertificateID certId = singleResp.getCertID();
HashAlgo hashAlgo = HashAlgo.getInstance(certId.getHashAlgOID());
if (hashAlgo == null) {
issue.setFailureMessage("unknown hash algorithm " + certId.getHashAlgOID().getId());
} else {
if (!issuerHash.match(hashAlgo, certId.getIssuerNameHash(), certId.getIssuerKeyHash())) {
issue.setFailureMessage("issuer not match");
}
}
// status
issue = new ValidationIssue("OCSP.RESPONSE." + index + ".STATUS", "certificate status");
issues.add(issue);
CertificateStatus singleCertStatus = singleResp.getCertStatus();
OcspCertStatus status = null;
Long revTimeSec = null;
if (singleCertStatus == null) {
status = OcspCertStatus.good;
} else if (singleCertStatus instanceof RevokedStatus) {
RevokedStatus revStatus = (RevokedStatus) singleCertStatus;
revTimeSec = revStatus.getRevocationTime().getTime() / 1000;
if (revStatus.hasRevocationReason()) {
int reason = revStatus.getRevocationReason();
if (extendedRevoke && reason == CrlReason.CERTIFICATE_HOLD.getCode() && revTimeSec == 0) {
status = OcspCertStatus.unknown;
revTimeSec = null;
} else {
CrlReason revocationReason = CrlReason.forReasonCode(reason);
switch(revocationReason) {
case UNSPECIFIED:
status = OcspCertStatus.unspecified;
break;
case KEY_COMPROMISE:
status = OcspCertStatus.keyCompromise;
break;
case CA_COMPROMISE:
status = OcspCertStatus.cACompromise;
break;
case AFFILIATION_CHANGED:
status = OcspCertStatus.affiliationChanged;
break;
case SUPERSEDED:
status = OcspCertStatus.superseded;
break;
case CERTIFICATE_HOLD:
status = OcspCertStatus.certificateHold;
break;
case REMOVE_FROM_CRL:
status = OcspCertStatus.removeFromCRL;
break;
case PRIVILEGE_WITHDRAWN:
status = OcspCertStatus.privilegeWithdrawn;
break;
case AA_COMPROMISE:
status = OcspCertStatus.aACompromise;
break;
case CESSATION_OF_OPERATION:
status = OcspCertStatus.cessationOfOperation;
break;
default:
issue.setFailureMessage("should not reach here, unknown CRLReason " + revocationReason);
break;
}
}
// end if
} else {
status = OcspCertStatus.rev_noreason;
}
// end if (revStatus.hasRevocationReason())
} else if (singleCertStatus instanceof UnknownStatus) {
status = extendedRevoke ? OcspCertStatus.issuerUnknown : OcspCertStatus.unknown;
} else {
issue.setFailureMessage("unknown certstatus: " + singleCertStatus.getClass().getName());
}
if (!issue.isFailed() && expectedStatus != status) {
issue.setFailureMessage("is='" + status + "', but expected='" + expectedStatus + "'");
}
// revocation time
issue = new ValidationIssue("OCSP.RESPONSE." + index + ".REVTIME", "certificate time");
issues.add(issue);
if (expectedRevTime != null) {
if (revTimeSec == null) {
issue.setFailureMessage("is='null', but expected='" + formatTime(expectedRevTime) + "'");
} else if (revTimeSec != expectedRevTime.getTime() / 1000) {
issue.setFailureMessage("is='" + formatTime(new Date(revTimeSec * 1000)) + "', but expected='" + formatTime(expectedRevTime) + "'");
}
}
// nextUpdate
Date nextUpdate = singleResp.getNextUpdate();
issue = checkOccurrence("OCSP.RESPONSE." + index + ".NEXTUPDATE", nextUpdate, nextupdateOccurrence);
issues.add(issue);
Extension extension = singleResp.getExtension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash);
issue = checkOccurrence("OCSP.RESPONSE." + index + ".CERTHASH", extension, certhashOccurrence);
issues.add(issue);
if (extension != null) {
ASN1Encodable extensionValue = extension.getParsedValue();
CertHash certHash = CertHash.getInstance(extensionValue);
ASN1ObjectIdentifier hashAlgOid = certHash.getHashAlgorithm().getAlgorithm();
if (certhashAlg != null) {
// certHash algorithm
issue = new ValidationIssue("OCSP.RESPONSE." + index + ".CHASH.ALG", "certhash algorithm");
issues.add(issue);
ASN1ObjectIdentifier is = certHash.getHashAlgorithm().getAlgorithm();
if (!certhashAlg.equals(is)) {
issue.setFailureMessage("is '" + is.getId() + "', but expected '" + certhashAlg.getId() + "'");
}
}
byte[] hashValue = certHash.getCertificateHash();
if (encodedCert != null) {
issue = new ValidationIssue("OCSP.RESPONSE." + index + ".CHASH.VALIDITY", "certhash validity");
issues.add(issue);
try {
MessageDigest md = MessageDigest.getInstance(hashAlgOid.getId());
byte[] expectedHashValue = md.digest(encodedCert);
if (!Arrays.equals(expectedHashValue, hashValue)) {
issue.setFailureMessage("certhash does not match the requested certificate");
}
} catch (NoSuchAlgorithmException ex) {
issue.setFailureMessage("NoSuchAlgorithm " + hashAlgOid.getId());
}
}
// end if(encodedCert != null)
}
return issues;
}
Also used :
CertHash(org.bouncycastle.asn1.isismtt.ocsp.CertHash)
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
HashAlgo(org.xipki.security.HashAlgo)
CertificateStatus(org.bouncycastle.cert.ocsp.CertificateStatus)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
ValidationIssue(org.xipki.common.qa.ValidationIssue)
LinkedList(java.util.LinkedList)
Date(java.util.Date)
UnknownStatus(org.bouncycastle.cert.ocsp.UnknownStatus)
Extension(org.bouncycastle.asn1.x509.Extension)
RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus)
CrlReason(org.xipki.security.CrlReason)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
MessageDigest(java.security.MessageDigest)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 29 with Extension
use of org.gluu.oxtrust.model.scim2.Extension in project xipki by xipki.
the class OcspBenchRequestor method init.
public void init(OcspBenchmark responseHandler, String responderUrl, Certificate issuerCert, RequestOptions requestOptions, int queueSize) throws Exception {
ParamUtil.requireNonNull("issuerCert", issuerCert);
ParamUtil.requireNonNull("responseHandler", responseHandler);
this.requestOptions = ParamUtil.requireNonNull("requestOptions", requestOptions);
HashAlgo hashAlgo = HashAlgo.getInstance(requestOptions.getHashAlgorithmId());
if (hashAlgo == null) {
throw new OcspRequestorException("unknown HashAlgo " + requestOptions.getHashAlgorithmId().getId());
}
this.issuerhashAlg = hashAlgo.getAlgorithmIdentifier();
this.issuerNameHash = new DEROctetString(hashAlgo.hash(issuerCert.getSubject().getEncoded()));
this.issuerKeyHash = new DEROctetString(hashAlgo.hash(issuerCert.getSubjectPublicKeyInfo().getPublicKeyData().getOctets()));
List<AlgorithmIdentifier> prefSigAlgs = requestOptions.getPreferredSignatureAlgorithms();
if (prefSigAlgs == null || prefSigAlgs.size() == 0) {
this.extensions = null;
} else {
ASN1EncodableVector vec = new ASN1EncodableVector();
for (AlgorithmIdentifier algId : prefSigAlgs) {
ASN1Sequence prefSigAlgObj = new DERSequence(algId);
vec.add(prefSigAlgObj);
}
ASN1Sequence extnValue = new DERSequence(vec);
Extension extn;
try {
extn = new Extension(ObjectIdentifiers.id_pkix_ocsp_prefSigAlgs, false, new DEROctetString(extnValue));
} catch (IOException ex) {
throw new OcspRequestorException(ex.getMessage(), ex);
}
this.extensions = new Extension[] { extn };
}
URI uri = new URI(responderUrl);
this.responderRawPathPost = uri.getRawPath();
if (this.responderRawPathPost.endsWith("/")) {
this.responderRawPathGet = this.responderRawPathPost;
} else {
this.responderRawPathGet = this.responderRawPathPost + "/";
}
this.httpClient = new HttpClient(responderUrl, responseHandler, queueSize);
this.httpClient.start();
}
Also used :
OcspRequestorException(org.xipki.ocsp.client.api.OcspRequestorException)
Extension(org.bouncycastle.asn1.x509.Extension)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
DERSequence(org.bouncycastle.asn1.DERSequence)
HashAlgo(org.xipki.security.HashAlgo)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
IOException(java.io.IOException)
URI(java.net.URI)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
Example 30 with Extension
use of org.gluu.oxtrust.model.scim2.Extension in project xipki by xipki.
the class AbstractOcspRequestor method ask.
@Override
public OCSPResp ask(X509Certificate issuerCert, BigInteger[] serialNumbers, URL responderUrl, RequestOptions requestOptions, RequestResponseDebug debug) throws OcspResponseException, OcspRequestorException {
ParamUtil.requireNonNull("issuerCert", issuerCert);
ParamUtil.requireNonNull("requestOptions", requestOptions);
ParamUtil.requireNonNull("responderUrl", responderUrl);
byte[] nonce = null;
if (requestOptions.isUseNonce()) {
nonce = nextNonce(requestOptions.getNonceLen());
}
OCSPRequest ocspReq = buildRequest(issuerCert, serialNumbers, nonce, requestOptions);
byte[] encodedReq;
try {
encodedReq = ocspReq.getEncoded();
} catch (IOException ex) {
throw new OcspRequestorException("could not encode OCSP request: " + ex.getMessage(), ex);
}
RequestResponsePair msgPair = null;
if (debug != null) {
msgPair = new RequestResponsePair();
debug.add(msgPair);
if (debug.saveRequest()) {
msgPair.setRequest(encodedReq);
}
}
byte[] encodedResp;
try {
encodedResp = send(encodedReq, responderUrl, requestOptions);
} catch (IOException ex) {
throw new ResponderUnreachableException("IOException: " + ex.getMessage(), ex);
}
if (msgPair != null && debug.saveResponse()) {
msgPair.setResponse(encodedResp);
}
OCSPResp ocspResp;
try {
ocspResp = new OCSPResp(encodedResp);
} catch (IOException ex) {
throw new InvalidOcspResponseException("IOException: " + ex.getMessage(), ex);
}
Object respObject;
try {
respObject = ocspResp.getResponseObject();
} catch (OCSPException ex) {
throw new InvalidOcspResponseException("responseObject is invalid");
}
if (ocspResp.getStatus() != 0) {
return ocspResp;
}
if (!(respObject instanceof BasicOCSPResp)) {
return ocspResp;
}
BasicOCSPResp basicOcspResp = (BasicOCSPResp) respObject;
if (nonce != null) {
Extension nonceExtn = basicOcspResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
if (nonceExtn == null) {
throw new OcspNonceUnmatchedException(nonce, null);
}
byte[] receivedNonce = nonceExtn.getExtnValue().getOctets();
if (!Arrays.equals(nonce, receivedNonce)) {
throw new OcspNonceUnmatchedException(nonce, receivedNonce);
}
}
SingleResp[] singleResponses = basicOcspResp.getResponses();
if (singleResponses == null || singleResponses.length == 0) {
String msg = StringUtil.concat("response with no singleResponse is returned, expected is ", Integer.toString(serialNumbers.length));
throw new OcspTargetUnmatchedException(msg);
}
final int countSingleResponses = singleResponses.length;
if (countSingleResponses != serialNumbers.length) {
String msg = StringUtil.concat("response with ", Integer.toString(countSingleResponses), " singleResponse", (countSingleResponses > 1 ? "s" : ""), " is returned, expected is ", Integer.toString(serialNumbers.length));
throw new OcspTargetUnmatchedException(msg);
}
Request reqAt0 = Request.getInstance(ocspReq.getTbsRequest().getRequestList().getObjectAt(0));
CertID certId = reqAt0.getReqCert();
ASN1ObjectIdentifier issuerHashAlg = certId.getHashAlgorithm().getAlgorithm();
byte[] issuerKeyHash = certId.getIssuerKeyHash().getOctets();
byte[] issuerNameHash = certId.getIssuerNameHash().getOctets();
if (serialNumbers.length == 1) {
SingleResp singleResp = singleResponses[0];
CertificateID cid = singleResp.getCertID();
boolean issuerMatch = issuerHashAlg.equals(cid.getHashAlgOID()) && Arrays.equals(issuerKeyHash, cid.getIssuerKeyHash()) && Arrays.equals(issuerNameHash, cid.getIssuerNameHash());
if (!issuerMatch) {
throw new OcspTargetUnmatchedException("the issuer is not requested");
}
BigInteger serialNumber = cid.getSerialNumber();
if (!serialNumbers[0].equals(serialNumber)) {
throw new OcspTargetUnmatchedException("the serialNumber is not requested");
}
} else {
List<BigInteger> tmpSerials1 = Arrays.asList(serialNumbers);
List<BigInteger> tmpSerials2 = new ArrayList<>(tmpSerials1);
for (int i = 0; i < countSingleResponses; i++) {
SingleResp singleResp = singleResponses[i];
CertificateID cid = singleResp.getCertID();
boolean issuerMatch = issuerHashAlg.equals(cid.getHashAlgOID()) && Arrays.equals(issuerKeyHash, cid.getIssuerKeyHash()) && Arrays.equals(issuerNameHash, cid.getIssuerNameHash());
if (!issuerMatch) {
throw new OcspTargetUnmatchedException("the issuer specified in singleResponse[" + i + "] is not requested");
}
BigInteger serialNumber = cid.getSerialNumber();
if (!tmpSerials2.remove(serialNumber)) {
if (tmpSerials1.contains(serialNumber)) {
throw new OcspTargetUnmatchedException("serialNumber " + LogUtil.formatCsn(serialNumber) + "is contained in at least two singleResponses");
} else {
throw new OcspTargetUnmatchedException("serialNumber " + LogUtil.formatCsn(serialNumber) + " specified in singleResponse[" + i + "] is not requested");
}
}
}
// end for
}
return ocspResp;
}
Also used :
CertID(org.bouncycastle.asn1.ocsp.CertID)
ArrayList(java.util.ArrayList)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
OCSPException(org.bouncycastle.cert.ocsp.OCSPException)
OcspNonceUnmatchedException(org.xipki.ocsp.client.api.OcspNonceUnmatchedException)
SingleResp(org.bouncycastle.cert.ocsp.SingleResp)
OcspRequestorException(org.xipki.ocsp.client.api.OcspRequestorException)
RequestResponsePair(org.xipki.common.RequestResponsePair)
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
Request(org.bouncycastle.asn1.ocsp.Request)
OCSPRequest(org.bouncycastle.asn1.ocsp.OCSPRequest)
IOException(java.io.IOException)
Extension(org.bouncycastle.asn1.x509.Extension)
ResponderUnreachableException(org.xipki.ocsp.client.api.ResponderUnreachableException)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
OcspTargetUnmatchedException(org.xipki.ocsp.client.api.OcspTargetUnmatchedException)
BigInteger(java.math.BigInteger)
InvalidOcspResponseException(org.xipki.ocsp.client.api.InvalidOcspResponseException)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
OCSPRequest(org.bouncycastle.asn1.ocsp.OCSPRequest)
Aggregations
Extension (org.bouncycastle.asn1.x509.Extension)76
Extensions (org.bouncycastle.asn1.x509.Extensions)39
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)33
DEROctetString (org.bouncycastle.asn1.DEROctetString)28
IOException (java.io.IOException)27
Enumeration (java.util.Enumeration)22
HashSet (java.util.HashSet)21
Date (java.util.Date)18
X500Name (org.bouncycastle.asn1.x500.X500Name)17
BigInteger (java.math.BigInteger)15
ArrayList (java.util.ArrayList)15
Extension (org.gluu.oxtrust.model.scim2.extensions.Extension)14
Set (java.util.Set)13
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)12
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)12
X509Certificate (java.security.cert.X509Certificate)11
LinkedList (java.util.LinkedList)11
DERIA5String (org.bouncycastle.asn1.DERIA5String)11
DERSequence (org.bouncycastle.asn1.DERSequence)11
CertificateEncodingException (java.security.cert.CertificateEncodingException)10
