use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project OpenAM by OpenRock.
the class ApprovalCallback method approve.
/*
* Invoked by JSS protocol handler whenever ssl handshaking hits issue.
* It validates reported issue if it can be ignored.
*
* @return <code>true</code> if the reported issue can be ignored.
*/
public boolean approve(X509Certificate cert, SSLCertificateApprovalCallback.ValidityStatus status) {
ValidityItem item;
Enumeration errors = status.getReasons();
int reason;
if (trustAllServerCerts) {
return true;
}
if ((reqHost == null) && !errors.hasMoreElements()) {
return true;
}
boolean approve = true;
while (approve && errors.hasMoreElements()) {
item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement();
reason = item.getReason();
if (debug.messageEnabled()) {
debug.message("ApprovalCallback: reason " + reason);
}
// bad domain -12276
if (reason != ValidityStatus.BAD_CERT_DOMAIN) {
approve = false;
} else {
String cn = null;
try {
String subjectDN = cert.getSubjectDN().getName();
cn = new X500Name(subjectDN).getCommonName();
} catch (Exception ex) {
if (debug.messageEnabled()) {
debug.message("ApprovalCallback:", ex);
}
approve = false;
}
if (cn == null) {
return false;
}
if (!sslTrustHosts.isEmpty()) {
if (debug.messageEnabled()) {
debug.message("ApprovalCallback: server cert CN : " + cn);
}
if (sslTrustHosts.contains(cn.toLowerCase())) {
return true;
}
}
if (resolveIPAddress) {
try {
approve = InetAddress.getByName(cn).getHostAddress().equals(InetAddress.getByName(reqHost).getHostAddress());
} catch (UnknownHostException ex) {
if (debug.messageEnabled()) {
debug.message("ApprovalCallback:", ex);
}
approve = false;
}
} else
approve = false;
if (!approve && checkSubjectAltName) {
try {
X509CertImpl certImpl = new X509CertImpl(cert.getEncoded());
X509CertInfo cinfo = new X509CertInfo(certImpl.getTBSCertificate());
CertificateExtensions exts = (CertificateExtensions) cinfo.get(X509CertInfo.EXTENSIONS);
SubjectAlternativeNameExtension altNameExt = (SubjectAlternativeNameExtension) exts.get(SubjectAlternativeNameExtension.NAME);
if (altNameExt != null) {
GeneralNames names = (GeneralNames) altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
Method meth = getMethod();
GeneralName generalname = null;
if (meth.getName().equals(OLD_METHOD_NAME)) {
// pre 1.4.2 implementation
Enumeration e = (Enumeration) meth.invoke(names, params);
for (; !approve && e.hasMoreElements(); ) {
approve = compareHosts((GeneralName) e.nextElement());
}
} else {
// post 1.4.2 implementation
Iterator i = (Iterator) meth.invoke(names, params);
for (; !approve && i.hasNext(); ) {
approve = compareHosts((GeneralName) i.next());
}
}
}
} catch (Exception ex) {
return false;
}
}
}
}
return approve;
}
use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project candlepin by candlepin.
the class JSSPKIUtility method createX509Certificate.
@Override
public X509Certificate createX509Certificate(String dn, Set<X509ExtensionWrapper> extensions, Set<X509ByteExtensionWrapper> byteExtensions, Date startDate, Date endDate, KeyPair clientKeyPair, BigInteger serialNumber, String alternateName) throws IOException {
// Ensure JSS is properly initialized before attempting any operations with it
JSSProviderLoader.initialize();
X509CertInfo certInfo = new X509CertInfo();
try {
X509Certificate caCert = reader.getCACert();
byte[] publicKeyEncoded = clientKeyPair.getPublic().getEncoded();
certInfo.set(X509CertInfo.ISSUER, new CertificateIssuerName(new X500Name(caCert.getSubjectX500Principal().getEncoded())));
certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serialNumber));
certInfo.set(X509CertInfo.VALIDITY, new CertificateValidity(startDate, endDate));
certInfo.set(X509CertInfo.SUBJECT, new CertificateSubjectName(new X500Name(dn)));
certInfo.set(X509CertInfo.KEY, new CertificateX509Key(X509Key.parse(new DerValue(publicKeyEncoded))));
certInfo.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get(SIGNING_ALG_ID)));
certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
CertificateExtensions certExtensions = buildStandardExtensions(new CertificateExtensions(), dn, clientKeyPair, extensions, caCert, alternateName);
certInfo.set(X509CertInfo.EXTENSIONS, certExtensions);
if (extensions != null) {
for (X509ExtensionWrapper wrapper : extensions) {
// Avoid null values. Set them to blank if they are null
String value = wrapper.getValue() == null ? "" : wrapper.getValue();
UTF8String der = new UTF8String(value);
certExtensions.add(buildCustomExtension(wrapper.getOid(), wrapper.isCritical(), der));
}
}
if (byteExtensions != null) {
for (X509ByteExtensionWrapper wrapper : byteExtensions) {
// Avoid null values. Set them to blank if they are null
byte[] value = wrapper.getValue() == null ? new byte[0] : wrapper.getValue();
OCTET_STRING der = new OCTET_STRING(value);
certExtensions.add(buildCustomExtension(wrapper.getOid(), wrapper.isCritical(), der));
}
}
X509CertImpl certImpl = new X509CertImpl(certInfo);
certImpl.sign(reader.getCaKey(), SIGNING_ALG_ID);
// valid, it just won't have any extensions present in the object.
return new X509CertImpl(certImpl.getEncoded());
} catch (GeneralSecurityException e) {
throw new RuntimeException("Could not create X.509 certificate", e);
}
}
use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project j2objc by google.
the class PKCS9Attribute method derEncode.
/**
* Write the DER encoding of this attribute to an output stream.
*
* <P> N.B.: This method always encodes values of
* ChallengePassword and UnstructuredAddress attributes as ASN.1
* <code>PrintableString</code>s, without checking whether they
* should be encoded as <code>T61String</code>s.
*/
public void derEncode(OutputStream out) throws IOException {
DerOutputStream temp = new DerOutputStream();
temp.putOID(oid);
switch(index) {
case // Unknown
-1:
temp.write((byte[]) value);
break;
// email address
case 1:
case // unstructured name
2:
{
// open scope
String[] values = (String[]) value;
DerOutputStream[] temps = new DerOutputStream[values.length];
for (int i = 0; i < values.length; i++) {
temps[i] = new DerOutputStream();
temps[i].putIA5String(values[i]);
}
temp.putOrderedSetOf(DerValue.tag_Set, temps);
}
// close scope
break;
case // content type
3:
{
DerOutputStream temp2 = new DerOutputStream();
temp2.putOID((ObjectIdentifier) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // message digest
4:
{
DerOutputStream temp2 = new DerOutputStream();
temp2.putOctetString((byte[]) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // signing time
5:
{
DerOutputStream temp2 = new DerOutputStream();
temp2.putUTCTime((Date) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // countersignature
6:
temp.putOrderedSetOf(DerValue.tag_Set, (DerEncoder[]) value);
break;
case // challenge password
7:
{
DerOutputStream temp2 = new DerOutputStream();
temp2.putPrintableString((String) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // unstructured address
8:
{
// open scope
String[] values = (String[]) value;
DerOutputStream[] temps = new DerOutputStream[values.length];
for (int i = 0; i < values.length; i++) {
temps[i] = new DerOutputStream();
temps[i].putPrintableString(values[i]);
}
temp.putOrderedSetOf(DerValue.tag_Set, temps);
}
// close scope
break;
case // extended-certificate attribute -- not supported
9:
throw new IOException("PKCS9 extended-certificate " + "attribute not supported.");
// break unnecessary
case // issuerAndserialNumber attribute -- not supported
10:
throw new IOException("PKCS9 IssuerAndSerialNumber" + "attribute not supported.");
// RSA DSI proprietary
case 11:
case // RSA DSI proprietary
12:
throw new IOException("PKCS9 RSA DSI attributes" + "11 and 12, not supported.");
// break unnecessary
case // S/MIME unused attribute
13:
throw new IOException("PKCS9 attribute #13 not supported.");
case // ExtensionRequest
14:
{
DerOutputStream temp2 = new DerOutputStream();
CertificateExtensions exts = (CertificateExtensions) value;
try {
exts.encode(temp2, true);
} catch (CertificateException ex) {
throw new IOException(ex.toString());
}
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // SMIMECapability
15:
throw new IOException("PKCS9 attribute #15 not supported.");
case // SigningCertificate
16:
throw new IOException("PKCS9 SigningCertificate attribute not supported.");
case // SignatureTimestampToken
17:
temp.write(DerValue.tag_Set, (byte[]) value);
break;
// can't happen
default:
}
DerOutputStream derOut = new DerOutputStream();
derOut.write(DerValue.tag_Sequence, temp.toByteArray());
out.write(derOut.toByteArray());
}
use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project mockserver by mock-server.
the class X509Generator method updateWithCertificateExtensions.
private void updateWithCertificateExtensions(final X509CertInfo x509CertInfo, final PublicKey publicKey, final PublicKey caPublicKey, final Set<String> subjectAlternativeNames) throws IOException, CertificateException {
CertificateExtensions certificateExtensions = new CertificateExtensions();
GeneralNames generalNames = subjectAlternativeNames.stream().filter(StringUtils::isNotBlank).map(this::buildGeneralName).filter(Objects::nonNull).collect(Collector.of(GeneralNames::new, GeneralNames::add, // do nothing
(generalNames1, generalNames2) -> null));
if (!generalNames.isEmpty()) {
certificateExtensions.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(Boolean.FALSE, generalNames));
}
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.2
certificateExtensions.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.2
certificateExtensions.set(AuthorityKeyIdentifierExtension.NAME, new AuthorityKeyIdentifierExtension(new KeyIdentifier(caPublicKey), null, null));
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.1
x509CertInfo.set(X509CertInfo.EXTENSIONS, certificateExtensions);
}
use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project mockserver by mock-server.
the class X509Generator method updateWithRootCertificateExtensions.
private void updateWithRootCertificateExtensions(final X509CertInfo x509CertInfo, final PublicKey publicKey) throws IOException, CertificateException {
CertificateExtensions certificateExtensions = new CertificateExtensions();
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.9
certificateExtensions.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(// is critical
true, // is CA
true, // path length
-1));
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
boolean[] keyUsage = new boolean[9];
// keyCertSign
keyUsage[5] = true;
certificateExtensions.set(KeyUsageExtension.NAME, new KeyUsageExtension(keyUsage));
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.2
certificateExtensions.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
x509CertInfo.set(X509CertInfo.EXTENSIONS, certificateExtensions);
}
Aggregations