use of org.gudy.bouncycastle.asn1.x509.GeneralName in project jruby-openssl by jruby.
the class OCSPRequest method addNonceImpl.
// BC doesn't have support for nonces... gotta do things manually
private void addNonceImpl() {
GeneralName requestorName = null;
ASN1Sequence requestList = new DERSequence();
Extensions extensions = null;
Signature sig = null;
List<Extension> tmpExtensions = new ArrayList<Extension>();
if (asn1bcReq != null) {
TBSRequest currentTbsReq = asn1bcReq.getTbsRequest();
extensions = currentTbsReq.getRequestExtensions();
sig = asn1bcReq.getOptionalSignature();
Enumeration<ASN1ObjectIdentifier> oids = extensions.oids();
while (oids.hasMoreElements()) {
tmpExtensions.add(extensions.getExtension(oids.nextElement()));
}
}
tmpExtensions.add(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, nonce));
Extension[] exts = new Extension[tmpExtensions.size()];
Extensions newExtensions = new Extensions(tmpExtensions.toArray(exts));
TBSRequest newTbsReq = new TBSRequest(requestorName, requestList, newExtensions);
asn1bcReq = new org.bouncycastle.asn1.ocsp.OCSPRequest(newTbsReq, sig);
}
use of org.gudy.bouncycastle.asn1.x509.GeneralName in project jruby-openssl by jruby.
the class X509Utils method checkIfIssuedBy.
/**
* c: X509_check_issued
*/
public static int checkIfIssuedBy(final X509AuxCertificate issuer, final X509AuxCertificate subject) throws IOException {
if (!issuer.getSubjectX500Principal().equals(subject.getIssuerX500Principal())) {
return V_ERR_SUBJECT_ISSUER_MISMATCH;
}
if (subject.getExtensionValue("2.5.29.35") != null) {
// authorityKeyID
// I hate ASN1 and DER
Object key = get(subject.getExtensionValue("2.5.29.35"));
if (!(key instanceof ASN1Sequence))
key = get((DEROctetString) key);
final ASN1Sequence seq = (ASN1Sequence) key;
final AuthorityKeyIdentifier sakid;
if (seq.size() == 1 && (seq.getObjectAt(0) instanceof ASN1OctetString)) {
sakid = AuthorityKeyIdentifier.getInstance(new DLSequence(new DERTaggedObject(0, seq.getObjectAt(0))));
} else {
sakid = AuthorityKeyIdentifier.getInstance(seq);
}
if (sakid.getKeyIdentifier() != null) {
if (issuer.getExtensionValue("2.5.29.14") != null) {
DEROctetString der = (DEROctetString) get(issuer.getExtensionValue("2.5.29.14"));
SubjectKeyIdentifier iskid = SubjectKeyIdentifier.getInstance(get(der.getOctets()));
if (iskid.getKeyIdentifier() != null) {
if (!Arrays.equals(sakid.getKeyIdentifier(), iskid.getKeyIdentifier())) {
return V_ERR_AKID_SKID_MISMATCH;
}
}
}
}
final BigInteger serialNumber = sakid.getAuthorityCertSerialNumber();
if (serialNumber != null && !serialNumber.equals(issuer.getSerialNumber())) {
return V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
}
if (sakid.getAuthorityCertIssuer() != null) {
GeneralName[] gens = sakid.getAuthorityCertIssuer().getNames();
X500Name x500Name = null;
for (int i = 0; i < gens.length; i++) {
if (gens[i].getTagNo() == GeneralName.directoryName) {
ASN1Encodable name = gens[i].getName();
if (name instanceof X500Name) {
x500Name = (X500Name) name;
} else if (name instanceof ASN1Sequence) {
x500Name = X500Name.getInstance((ASN1Sequence) name);
} else {
throw new RuntimeException("unknown name type: " + name);
}
break;
}
}
if (x500Name != null) {
if (!new Name(x500Name).equalTo(issuer.getIssuerX500Principal())) {
return V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
}
}
}
}
final boolean[] keyUsage = issuer.getKeyUsage();
if (subject.getExtensionValue("1.3.6.1.5.5.7.1.14") != null) {
if (keyUsage != null && !keyUsage[0]) {
// KU_DIGITAL_SIGNATURE
return V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
}
} else if (keyUsage != null && !keyUsage[5]) {
// KU_KEY_CERT_SIGN
return V_ERR_KEYUSAGE_NO_CERTSIGN;
}
return V_OK;
}
use of org.gudy.bouncycastle.asn1.x509.GeneralName in project Openfire by igniterealtime.
the class CertificateManagerTest method testServerIdentitiesXmppAddrAndDNS.
/**
* {@link CertificateManager#getServerIdentities(X509Certificate)} should return:
* <ul>
* <li>the DNS subjectAltName value</li>
* <li>the 'xmppAddr' subjectAltName value</li>
* <li>explicitly not the Common Name</li>
* </ul>
*
* when a certificate contains:
* <ul>
* <li>a subjectAltName entry of type DNS </li>
* <li>a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr"</li>
* </ul>
*/
@Test
public void testServerIdentitiesXmppAddrAndDNS() throws Exception {
// Setup fixture.
final String subjectCommonName = "MySubjectCommonName";
final String subjectAltNameXmppAddr = "MySubjectAltNameXmppAddr";
final String subjectAltNameDNS = "MySubjectAltNameDNS";
final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(// Issuer
new X500Name("CN=MyIssuer"), // Random serial number
BigInteger.valueOf(Math.abs(new SecureRandom().nextInt())), // Not before 30 days ago
new Date(System.currentTimeMillis() - (1000L * 60 * 60 * 24 * 30)), // Not after 99 days from now
new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 99)), // Subject
new X500Name("CN=" + subjectCommonName), subjectKeyPair.getPublic());
final DERSequence otherName = new DERSequence(new ASN1Encodable[] { XMPP_ADDR_OID, new DERUTF8String(subjectAltNameXmppAddr) });
final GeneralNames subjectAltNames = new GeneralNames(new GeneralName[] { new GeneralName(GeneralName.otherName, otherName), new GeneralName(GeneralName.dNSName, subjectAltNameDNS) });
builder.addExtension(Extension.subjectAlternativeName, true, subjectAltNames);
final X509CertificateHolder certificateHolder = builder.build(contentSigner);
final X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certificateHolder);
// Execute system under test
final List<String> serverIdentities = CertificateManager.getServerIdentities(cert);
// Verify result
assertEquals(2, serverIdentities.size());
assertTrue(serverIdentities.contains(subjectAltNameXmppAddr));
assertFalse(serverIdentities.contains(subjectCommonName));
}
use of org.gudy.bouncycastle.asn1.x509.GeneralName in project Openfire by igniterealtime.
the class CertificateManagerTest method testServerIdentitiesDnsSrv.
/**
* {@link CertificateManager#getServerIdentities(X509Certificate)} should return:
* <ul>
* <li>the 'DNS SRV' subjectAltName value</li>
* <li>explicitly not the Common Name</li>
* </ul>
*
* when a certificate contains:
* <ul>
* <li>a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-dnsSRV"</li>
* </ul>
*/
@Test
public void testServerIdentitiesDnsSrv() throws Exception {
// Setup fixture.
final String subjectCommonName = "MySubjectCommonName";
final String subjectAltNameDnsSrv = "MySubjectAltNameXmppAddr";
final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(// Issuer
new X500Name("CN=MyIssuer"), // Random serial number
BigInteger.valueOf(Math.abs(new SecureRandom().nextInt())), // Not before 30 days ago
new Date(System.currentTimeMillis() - (1000L * 60 * 60 * 24 * 30)), // Not after 99 days from now
new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 99)), // Subject
new X500Name("CN=" + subjectCommonName), subjectKeyPair.getPublic());
final DERSequence otherName = new DERSequence(new ASN1Encodable[] { DNS_SRV_OID, new DERUTF8String("_xmpp-server." + subjectAltNameDnsSrv) });
final GeneralNames subjectAltNames = new GeneralNames(new GeneralName(GeneralName.otherName, otherName));
builder.addExtension(Extension.subjectAlternativeName, true, subjectAltNames);
final X509CertificateHolder certificateHolder = builder.build(contentSigner);
final X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certificateHolder);
// Execute system under test
final List<String> serverIdentities = CertificateManager.getServerIdentities(cert);
// Verify result
assertEquals(1, serverIdentities.size());
assertTrue(serverIdentities.contains(subjectAltNameDnsSrv));
assertFalse(serverIdentities.contains(subjectCommonName));
}
use of org.gudy.bouncycastle.asn1.x509.GeneralName in project robovm by robovm.
the class AuthorityKeyIdentifierStructure method fromCertificate.
private static ASN1Sequence fromCertificate(X509Certificate certificate) throws CertificateParsingException {
try {
if (certificate.getVersion() != 3) {
GeneralName genName = new GeneralName(PrincipalUtil.getIssuerX509Principal(certificate));
SubjectPublicKeyInfo info = new SubjectPublicKeyInfo((ASN1Sequence) new ASN1InputStream(certificate.getPublicKey().getEncoded()).readObject());
return (ASN1Sequence) new AuthorityKeyIdentifier(info, new GeneralNames(genName), certificate.getSerialNumber()).toASN1Object();
} else {
GeneralName genName = new GeneralName(PrincipalUtil.getIssuerX509Principal(certificate));
byte[] ext = certificate.getExtensionValue(X509Extensions.SubjectKeyIdentifier.getId());
if (ext != null) {
ASN1OctetString str = (ASN1OctetString) X509ExtensionUtil.fromExtensionValue(ext);
return (ASN1Sequence) new AuthorityKeyIdentifier(str.getOctets(), new GeneralNames(genName), certificate.getSerialNumber()).toASN1Object();
} else {
SubjectPublicKeyInfo info = new SubjectPublicKeyInfo((ASN1Sequence) new ASN1InputStream(certificate.getPublicKey().getEncoded()).readObject());
return (ASN1Sequence) new AuthorityKeyIdentifier(info, new GeneralNames(genName), certificate.getSerialNumber()).toASN1Object();
}
}
} catch (Exception e) {
throw new CertificateParsingException("Exception extracting certificate details: " + e.toString());
}
}
Aggregations