Example 1 with SubjectAlternativeNameExtension
use of org.mozilla.jss.netscape.security.x509.SubjectAlternativeNameExtension in project OpenAttestation by OpenAttestation.
the class X509Builder method dnsAlternativeName.
public X509Builder dnsAlternativeName(String dns) {
try {
v3();
String alternativeName = dns;
if (dns.startsWith("dns:")) {
alternativeName = dns.substring(4);
}
DNSName dnsName = new DNSName(alternativeName);
if (alternativeNames == null) {
alternativeNames = new GeneralNames();
}
alternativeNames.add(new GeneralName(dnsName));
SubjectAlternativeNameExtension san = new SubjectAlternativeNameExtension(alternativeNames);
if (certificateExtensions == null) {
certificateExtensions = new CertificateExtensions();
}
certificateExtensions.set(san.getExtensionId().toString(), san);
info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
} catch (Exception e) {
fault(e, "dnsAlternativeName(%s)", dns);
}
return this;
}
Also used :
GeneralNames(sun.security.x509.GeneralNames)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
CertificateExtensions(sun.security.x509.CertificateExtensions)
GeneralName(sun.security.x509.GeneralName)
DNSName(sun.security.x509.DNSName)
Example 2 with SubjectAlternativeNameExtension
use of org.mozilla.jss.netscape.security.x509.SubjectAlternativeNameExtension in project OpenAM by OpenRock.
the class Cert method getTokenFromSubjectAltExt.
private void getTokenFromSubjectAltExt(X509Certificate cert) throws AuthLoginException {
try {
X509CertImpl certImpl = new X509CertImpl(cert.getEncoded());
X509CertInfo cinfo = new X509CertInfo(certImpl.getTBSCertificate());
CertificateExtensions exts = (CertificateExtensions) cinfo.get(X509CertInfo.EXTENSIONS);
SubjectAlternativeNameExtension altNameExt = (SubjectAlternativeNameExtension) exts.get(SubjectAlternativeNameExtension.NAME);
if (altNameExt != null) {
GeneralNames names = (GeneralNames) altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
GeneralName generalname = null;
ObjectIdentifier upnoid = new ObjectIdentifier(UPNOID);
Iterator itr = (Iterator) names.iterator();
while ((userTokenId == null) && itr.hasNext()) {
generalname = (GeneralName) itr.next();
if (generalname != null) {
if (amAuthCert_subjectAltExtMapper.equalsIgnoreCase("UPN") && (generalname.getType() == GeneralNameInterface.NAME_ANY)) {
OtherName othername = (OtherName) generalname.getName();
if (upnoid.equals((Object) (othername.getOID()))) {
byte[] nval = othername.getNameValue();
DerValue derValue = new DerValue(nval);
userTokenId = derValue.getData().getUTF8String();
}
} else if (amAuthCert_subjectAltExtMapper.equalsIgnoreCase("RFC822Name") && (generalname.getType() == GeneralNameInterface.NAME_RFC822)) {
RFC822Name email = (RFC822Name) generalname.getName();
userTokenId = email.getName();
}
}
}
}
} catch (Exception e) {
debug.error("Certificate - " + "Error in getTokenFromSubjectAltExt = ", e);
throw new AuthLoginException(amAuthCert, "CertNoReg", null);
}
}
Also used :
X509CertInfo(sun.security.x509.X509CertInfo)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
OtherName(sun.security.x509.OtherName)
AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException)
CertificateExtensions(sun.security.x509.CertificateExtensions)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException)
GeneralNames(sun.security.x509.GeneralNames)
RFC822Name(sun.security.x509.RFC822Name)
X509CertImpl(sun.security.x509.X509CertImpl)
DerValue(sun.security.util.DerValue)
Iterator(java.util.Iterator)
GeneralName(sun.security.x509.GeneralName)
ObjectIdentifier(sun.security.util.ObjectIdentifier)
Example 3 with SubjectAlternativeNameExtension
use of org.mozilla.jss.netscape.security.x509.SubjectAlternativeNameExtension in project jdk8u_jdk by JetBrains.
the class Builder method targetDistance.
/**
* Determine how close a given certificate gets you toward
* a given target.
*
* @param constraints Current NameConstraints; if null,
* then caller must verify NameConstraints
* independently, realizing that this certificate
* may not actually lead to the target at all.
* @param cert Candidate certificate for chain
* @param target GeneralNameInterface name of target
* @return distance from this certificate to target:
* <ul>
* <li>-1 means certificate could be CA for target, but
* there are no NameConstraints limiting how close
* <li> 0 means certificate subject or subjectAltName
* matches target
* <li> 1 means certificate is permitted to be CA for
* target.
* <li> 2 means certificate is permitted to be CA for
* parent of target.
* <li>>0 in general, means certificate is permitted
* to be a CA for this distance higher in the naming
* hierarchy than the target, plus 1.
* </ul>
* <p>Note that the subject and/or subjectAltName of the
* candidate cert does not have to be an ancestor of the
* target in order to be a CA that can issue a certificate to
* the target. In these cases, the target distance is calculated
* by inspecting the NameConstraints extension in the candidate
* certificate. For example, suppose the target is an X.500 DN with
* a value of "CN=mullan,OU=ireland,O=sun,C=us" and the
* NameConstraints extension in the candidate certificate
* includes a permitted component of "O=sun,C=us", which implies
* that the candidate certificate is allowed to issue certs in
* the "O=sun,C=us" namespace. The target distance is 3
* ((distance of permitted NC from target) + 1).
* The (+1) is added to distinguish the result from the case
* which returns (0).
* @throws IOException if certificate does not get closer
*/
static int targetDistance(NameConstraintsExtension constraints, X509Certificate cert, GeneralNameInterface target) throws IOException {
/* ensure that certificate satisfies existing name constraints */
if (constraints != null && !constraints.verify(cert)) {
throw new IOException("certificate does not satisfy existing name " + "constraints");
}
X509CertImpl certImpl;
try {
certImpl = X509CertImpl.toImpl(cert);
} catch (CertificateException e) {
throw new IOException("Invalid certificate", e);
}
/* see if certificate subject matches target */
X500Name subject = X500Name.asX500Name(certImpl.getSubjectX500Principal());
if (subject.equals(target)) {
/* match! */
return 0;
}
SubjectAlternativeNameExtension altNameExt = certImpl.getSubjectAlternativeNameExtension();
if (altNameExt != null) {
GeneralNames altNames = altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
/* see if any alternative name matches target */
if (altNames != null) {
for (int j = 0, n = altNames.size(); j < n; j++) {
GeneralNameInterface altName = altNames.get(j).getName();
if (altName.equals(target)) {
return 0;
}
}
}
}
/* no exact match; see if certificate can get us to target */
/* first, get NameConstraints out of certificate */
NameConstraintsExtension ncExt = certImpl.getNameConstraintsExtension();
if (ncExt == null) {
return -1;
}
/* merge certificate's NameConstraints with current NameConstraints */
if (constraints != null) {
constraints.merge(ncExt);
} else {
// Make sure we do a clone here, because we're probably
// going to modify this object later and we don't want to
// be sharing it with a Certificate object!
constraints = (NameConstraintsExtension) ncExt.clone();
}
if (debug != null) {
debug.println("Builder.targetDistance() merged constraints: " + String.valueOf(constraints));
}
/* reduce permitted by excluded */
GeneralSubtrees permitted = constraints.get(NameConstraintsExtension.PERMITTED_SUBTREES);
GeneralSubtrees excluded = constraints.get(NameConstraintsExtension.EXCLUDED_SUBTREES);
if (permitted != null) {
permitted.reduce(excluded);
}
if (debug != null) {
debug.println("Builder.targetDistance() reduced constraints: " + permitted);
}
/* see if new merged constraints allow target */
if (!constraints.verify(target)) {
throw new IOException("New certificate not allowed to sign " + "certificate for target");
}
/* find distance to target, if any, in permitted */
if (permitted == null) {
/* certificate is unconstrained; could sign for anything */
return -1;
}
for (int i = 0, n = permitted.size(); i < n; i++) {
GeneralNameInterface perName = permitted.get(i).getName().getName();
int distance = distance(perName, target, -1);
if (distance >= 0) {
return (distance + 1);
}
}
/* no matching type in permitted; cert holder could certify target */
return -1;
}
Also used :
GeneralNameInterface(sun.security.x509.GeneralNameInterface)
GeneralNames(sun.security.x509.GeneralNames)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
X509CertImpl(sun.security.x509.X509CertImpl)
GeneralSubtrees(sun.security.x509.GeneralSubtrees)
IOException(java.io.IOException)
X500Name(sun.security.x509.X500Name)
NameConstraintsExtension(sun.security.x509.NameConstraintsExtension)
Example 4 with SubjectAlternativeNameExtension
use of org.mozilla.jss.netscape.security.x509.SubjectAlternativeNameExtension in project jdk8u_jdk by JetBrains.
the class ForwardState method updateState.
/**
* Update the state with the next certificate added to the path.
*
* @param cert the certificate which is used to update the state
*/
@Override
public void updateState(X509Certificate cert) throws CertificateException, IOException, CertPathValidatorException {
if (cert == null)
return;
X509CertImpl icert = X509CertImpl.toImpl(cert);
/* see if certificate key has null parameters */
if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) {
keyParamsNeededFlag = true;
}
/* update certificate */
this.cert = icert;
/* update issuer DN */
issuerDN = cert.getIssuerX500Principal();
if (!X509CertImpl.isSelfIssued(cert)) {
/*
* update traversedCACerts only if this is a non-self-issued
* intermediate CA cert
*/
if (!init && cert.getBasicConstraints() != -1) {
traversedCACerts++;
}
}
/* update subjectNamesTraversed only if this is the EE cert or if
this cert is not self-issued */
if (init || !X509CertImpl.isSelfIssued(cert)) {
X500Principal subjName = cert.getSubjectX500Principal();
subjectNamesTraversed.add(X500Name.asX500Name(subjName));
try {
SubjectAlternativeNameExtension subjAltNameExt = icert.getSubjectAlternativeNameExtension();
if (subjAltNameExt != null) {
GeneralNames gNames = subjAltNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
for (GeneralName gName : gNames.names()) {
subjectNamesTraversed.add(gName.getName());
}
}
} catch (IOException e) {
if (debug != null) {
debug.println("ForwardState.updateState() unexpected " + "exception");
e.printStackTrace();
}
throw new CertPathValidatorException(e);
}
}
init = false;
}
Also used :
CertPathValidatorException(java.security.cert.CertPathValidatorException)
GeneralNames(sun.security.x509.GeneralNames)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
X509CertImpl(sun.security.x509.X509CertImpl)
X500Principal(javax.security.auth.x500.X500Principal)
GeneralName(sun.security.x509.GeneralName)
IOException(java.io.IOException)
Example 5 with SubjectAlternativeNameExtension
use of org.mozilla.jss.netscape.security.x509.SubjectAlternativeNameExtension in project jdk8u_jdk by JetBrains.
the class X509CertSelectorTest method testSubjectAltName.
/*
* Tests matching on the subject alternative name extension contained in the
* certificate.
*/
private void testSubjectAltName() throws IOException {
System.out.println("X.509 Certificate Match on subjectAltName");
// bad match
X509CertSelector selector = new X509CertSelector();
GeneralNameInterface dnsName = new DNSName("foo.com");
DerOutputStream tmp = new DerOutputStream();
dnsName.encode(tmp);
selector.addSubjectAlternativeName(2, tmp.toByteArray());
checkMatch(selector, cert, false);
// good match
DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.17"));
byte[] encoded = in.getOctetString();
SubjectAlternativeNameExtension ext = new SubjectAlternativeNameExtension(false, encoded);
GeneralNames names = (GeneralNames) ext.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
GeneralName name = (GeneralName) names.get(0);
selector.setSubjectAlternativeNames(null);
DerOutputStream tmp2 = new DerOutputStream();
name.getName().encode(tmp2);
selector.addSubjectAlternativeName(name.getType(), tmp2.toByteArray());
checkMatch(selector, cert, true);
// good match 2 (matches at least one)
selector.setMatchAllSubjectAltNames(false);
selector.addSubjectAlternativeName(2, "foo.com");
checkMatch(selector, cert, true);
}
Also used :
GeneralNameInterface(sun.security.x509.GeneralNameInterface)
GeneralNames(sun.security.x509.GeneralNames)
DerOutputStream(sun.security.util.DerOutputStream)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
X509CertSelector(java.security.cert.X509CertSelector)
DerInputStream(sun.security.util.DerInputStream)
GeneralName(sun.security.x509.GeneralName)
DNSName(sun.security.x509.DNSName)
Aggregations
SubjectAlternativeNameExtension (sun.security.x509.SubjectAlternativeNameExtension)14
GeneralNames (sun.security.x509.GeneralNames)13
IOException (java.io.IOException)10
GeneralName (sun.security.x509.GeneralName)10
X509CertImpl (sun.security.x509.X509CertImpl)10
CertificateExtensions (sun.security.x509.CertificateExtensions)7
X500Name (sun.security.x509.X500Name)6
DNSName (sun.security.x509.DNSName)4
X509CertInfo (sun.security.x509.X509CertInfo)4
CertPathValidatorException (java.security.cert.CertPathValidatorException)3
X500Principal (javax.security.auth.x500.X500Principal)3
GeneralNameInterface (sun.security.x509.GeneralNameInterface)3
IPAddressName (sun.security.x509.IPAddressName)3
BigInteger (java.math.BigInteger)2
PrivateKey (java.security.PrivateKey)2
CertificateException (java.security.cert.CertificateException)2
X509Certificate (java.security.cert.X509Certificate)2
Date (java.util.Date)2
Iterator (java.util.Iterator)2
GeneralName (org.mozilla.jss.netscape.security.x509.GeneralName)2
