use of org.openecard.bouncycastle.asn1.x500.X500Name in project xipki by xipki.
the class ExtensionsChecker method checkExtensionIssuerKeyIdentifier.
// method checkExtensionSubjectKeyIdentifier
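/**
 * Checks the AuthorityKeyIdentifier extension of the certificate under test against the
 * issuing CA described by {@code issuerInfo}.
 *
 * <p>The keyIdentifier field must be present and equal the CA's SubjectKeyIdentifier.
 * The optional authorityCertIssuer / authorityCertSerialNumber pair is required and compared
 * with the CA certificate's subject and serial number when
 * {@code certProfile.isIncludeIssuerAndSerialInAki()} is set, and must be absent otherwise.
 *
 * @param failureMsg collects violation descriptions; untouched when the extension conforms
 * @param extensionValue DER-encoded extnValue of the AuthorityKeyIdentifier extension
 * @param issuerInfo the issuing CA (its certificate and its SubjectKeyIdentifier)
 */
private void checkExtensionIssuerKeyIdentifier(StringBuilder failureMsg, byte[] extensionValue,
    X509IssuerInfo issuerInfo) {
  AuthorityKeyIdentifier asn1 = AuthorityKeyIdentifier.getInstance(extensionValue);

  byte[] keyIdentifier = asn1.getKeyIdentifier();
  byte[] expectedKeyIdentifier = issuerInfo.getSubjectKeyIdentifier();
  if (keyIdentifier == null) {
    failureMsg.append("keyIdentifier is 'absent' but expected 'present'; ");
  } else if (!Arrays.equals(expectedKeyIdentifier, keyIdentifier)) {
    addViolation(failureMsg, "keyIdentifier", hex(keyIdentifier), hex(expectedKeyIdentifier));
  }

  BigInteger serialNumber = asn1.getAuthorityCertSerialNumber();
  GeneralNames authorityCertIssuer = asn1.getAuthorityCertIssuer();

  if (!certProfile.isIncludeIssuerAndSerialInAki()) {
    // The profile forbids the issuer/serial pair, so the fields are a violation when present.
    // (The previous wording reported them as "absent but expected present", which was inverted.)
    if (serialNumber != null) {
      failureMsg.append("authorityCertSerialNumber is 'present' but expected 'absent'; ");
    }
    if (authorityCertIssuer != null) {
      failureMsg.append("authorityCertIssuer is 'present' but expected 'absent'; ");
    }
    return;
  }

  if (serialNumber == null) {
    failureMsg.append("authorityCertSerialNumber is 'absent' but expected 'present'; ");
  } else {
    BigInteger expectedSerial = issuerInfo.getCert().getSerialNumber();
    if (!expectedSerial.equals(serialNumber)) {
      addViolation(failureMsg, "authorityCertSerialNumber", LogUtil.formatCsn(serialNumber),
          LogUtil.formatCsn(expectedSerial));
    }
  }

  if (authorityCertIssuer == null) {
    failureMsg.append("authorityCertIssuer is 'absent' but expected 'present'; ");
  } else {
    checkAuthorityCertIssuer(failureMsg, authorityCertIssuer, issuerInfo);
  }
}

/**
 * Checks that {@code authorityCertIssuer} carries exactly one directoryName and that this
 * name equals the subject of the CA certificate. Other GeneralName choices are ignored.
 *
 * @param failureMsg collects violation descriptions
 * @param authorityCertIssuer the authorityCertIssuer field of the AKI extension (non-null)
 * @param issuerInfo the issuing CA
 */
private void checkAuthorityCertIssuer(StringBuilder failureMsg, GeneralNames authorityCertIssuer,
    X509IssuerInfo issuerInfo) {
  X500Name directoryName = null;
  for (GeneralName genName : authorityCertIssuer.getNames()) {
    if (genName.getTagNo() != GeneralName.directoryName) {
      continue;
    }
    if (directoryName != null) {
      failureMsg.append("authorityCertIssuer contains at least two directoryName but expected one; ");
      break;
    }
    // getInstance rather than a cast: also accepts a name that is not yet an X500Name instance
    directoryName = X500Name.getInstance(genName.getName());
  }

  if (directoryName == null) {
    failureMsg.append("authorityCertIssuer does not contain directoryName but expected one; ");
    return;
  }

  X500Name caSubject = issuerInfo.getBcCert().getTBSCertificate().getSubject();
  if (!caSubject.equals(directoryName)) {
    addViolation(failureMsg, "authorityCertIssuer", directoryName, caSubject);
  }
}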
use of org.openecard.bouncycastle.asn1.x500.X500Name in project xipki by xipki.
the class SubjectChecker method checkSubjectAttributeMultiValued.
// method checkSubjectAttributeNotMultiValued
/**
 * Checks a subject attribute type that may occur several times inside one RDN
 * (multi-valued RDN) against the profile's RdnControl for that type.
 *
 * <p>Exactly one RDN of {@code type} must be present in {@code subject}. Inside it the number
 * of AttributeTypeAndValues of that type must lie within [minOccurs, maxOccurs] of the control
 * (both 0 when there is no control), and every value is checked individually: its encoding
 * against the control's StringType and its content against the values of the request.
 *
 * @param type attribute type (OID) under test
 * @param subject subject of the issued certificate
 * @param requestedSubject subject as it appeared in the request
 * @return the ValidationIssue for {@code type}; a failure message is set on violation
 * @throws BadCertTemplateException propagated from the per-value checks
 */
private ValidationIssue checkSubjectAttributeMultiValued(ASN1ObjectIdentifier type,
    X500Name subject, X500Name requestedSubject) throws BadCertTemplateException {
  ValidationIssue issue = createSubjectIssue(type);

  RDN[] subjectRdns = subject.getRDNs(type);
  RDN[] requestedRdns = requestedSubject.getRDNs(type);
  int rdnCount = (subjectRdns == null) ? 0 : subjectRdns.length;

  if (rdnCount == 0) {
    // optional attribute: only a violation when the request asked for it
    boolean requested = requestedRdns != null && requestedRdns.length > 0;
    if (requested) {
      issue.setFailureMessage("is absent but expected present");
    }
    return issue;
  }
  if (rdnCount > 1) {
    issue.setFailureMessage("number of RDNs '" + rdnCount + "' is not 1");
    return issue;
  }

  final RdnControl rdnControl = subjectControl.getControl(type);
  final StringType stringType = (rdnControl == null) ? null : rdnControl.getStringType();

  // text values of the request, ordered by the control's patterns when it has any
  List<String> requestedTextValues = new LinkedList<>();
  if (requestedRdns != null) {
    for (RDN requestedRdn : requestedRdns) {
      requestedTextValues.add(getRdnTextValueOfRequest(requestedRdn));
    }
    if (rdnControl != null && rdnControl.getPatterns() != null) {
      requestedTextValues = sort(requestedTextValues, rdnControl.getPatterns());
    }
  }

  if (subjectRdns == null) {
    // unreachable (rdnCount == 1 here); kept only to satisfy the null checker
    return issue;
  }

  List<AttributeTypeAndValue> atvs = new LinkedList<>();
  for (AttributeTypeAndValue candidate : subjectRdns[0].getTypesAndValues()) {
    if (type.equals(candidate.getType())) {
      atvs.add(candidate);
    }
  }

  final int occurrences = atvs.size();
  final int minOccurs = (rdnControl == null) ? 0 : rdnControl.getMinOccurs();
  final int maxOccurs = (rdnControl == null) ? 0 : rdnControl.getMaxOccurs();
  if (occurrences < minOccurs || occurrences > maxOccurs) {
    issue.setFailureMessage("number of AttributeTypeAndValuess '" + occurrences
        + "' is not within [" + minOccurs + ", " + maxOccurs + "]");
    return issue;
  }

  StringBuilder failureMsg = new StringBuilder();
  int idx = 0;
  for (AttributeTypeAndValue atv : atvs) {
    String label = "AttributeTypeAndValue[" + idx + "]";
    String textValue = getAtvValueString(label, atv, stringType, failureMsg);
    if (textValue != null) {
      checkAttributeTypeAndValue(label, type, textValue, rdnControl, requestedTextValues, idx,
          failureMsg);
    }
    idx++;
  }

  int len = failureMsg.length();
  if (len > 2) {
    // drop the trailing "; " separator before publishing the message
    failureMsg.delete(len - 2, len);
    issue.setFailureMessage(failureMsg.toString());
  }
  return issue;
}
use of org.openecard.bouncycastle.asn1.x500.X500Name in project xipki by xipki.
the class ExtensionsChecker method checkExtensionNameConstraintsSubtrees.
// method checkExtensionNameConstraints
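/**
 * Compares the permitted or excluded subtrees of a NameConstraints extension with the
 * subtrees expected by the QA profile, appending a violation for every difference.
 *
 * <p>Subtrees are compared position by position: the sizes must match, and for subtree
 * {@code i} the minimum (absent = 0), the maximum (absent = none) and the base GeneralName
 * must equal the expected ones. The expected base is rebuilt from the first populated field
 * of {@link QaGeneralSubtree}, in the order directoryName, dNSName, iPAddress, rfc822Name,
 * uniformResourceIdentifier.
 *
 * <p>Minimum and maximum are narrowed with {@code intValue()}; values outside the int range
 * would be truncated silently. RFC 5280 §4.2.1.10 requires minimum 0 and an absent maximum,
 * so this does not matter for conforming certificates.
 *
 * @param failureMsg collects violation descriptions
 * @param description label used in the violation messages (e.g. the subtree kind)
 * @param subtrees subtrees found in the certificate; may be {@code null}
 * @param expectedSubtrees subtrees expected by the profile; may be {@code null}
 */
private void checkExtensionNameConstraintsSubtrees(StringBuilder failureMsg, String description,
    GeneralSubtree[] subtrees, List<QaGeneralSubtree> expectedSubtrees) {
  int isSize = (subtrees == null) ? 0 : subtrees.length;
  int expSize = (expectedSubtrees == null) ? 0 : expectedSubtrees.size();
  if (isSize != expSize) {
    addViolation(failureMsg, "size of " + description, isSize, expSize);
    return;
  }
  if (isSize == 0) {
    // both absent or both empty: nothing left to compare
    return;
  }

  for (int i = 0; i < isSize; i++) {
    String desc = description + " [" + i + "]";
    GeneralSubtree isSubtree = subtrees[i];
    QaGeneralSubtree expSubtree = expectedSubtrees.get(i);

    // minimum: DEFAULT 0 on both sides
    BigInteger isMinBig = isSubtree.getMinimum();
    int isMinimum = (isMinBig == null) ? 0 : isMinBig.intValue();
    Integer expMinObj = expSubtree.getMinimum();
    int expMinimum = (expMinObj == null) ? 0 : expMinObj.intValue();
    if (isMinimum != expMinimum) {
      addViolation(failureMsg, "minimum of " + desc, isMinimum, expMinimum);
    }

    // maximum: OPTIONAL, null means absent on both sides
    BigInteger isMaxBig = isSubtree.getMaximum();
    Integer isMaximum = (isMaxBig == null) ? null : isMaxBig.intValue();
    Integer expMaximum = expSubtree.getMaximum();
    if (!CompareUtil.equalsObject(isMaximum, expMaximum)) {
      // message fixed: was "maxmum of ..."
      addViolation(failureMsg, "maximum of " + desc, isMaximum, expMaximum);
    }

    GeneralName isBase = isSubtree.getBase();
    GeneralName expBase = expectedBase(expSubtree);
    if (!isBase.equals(expBase)) {
      addViolation(failureMsg, "base of " + desc, isBase, expBase);
    }
  }
}

/**
 * Rebuilds the GeneralName described by an expected subtree from its first populated field.
 *
 * @param expSubtree expected subtree of the QA profile
 * @return the expected base name
 * @throws RuntimeException if none of the known GeneralName choices is populated
 */
private static GeneralName expectedBase(QaGeneralSubtree expSubtree) {
  if (expSubtree.getDirectoryName() != null) {
    // the profile spells the DN in the opposite RDN order from the encoded name
    return new GeneralName(X509Util.reverse(new X500Name(expSubtree.getDirectoryName())));
  }
  if (expSubtree.getDnsName() != null) {
    return new GeneralName(GeneralName.dNSName, expSubtree.getDnsName());
  }
  if (expSubtree.getIpAddress() != null) {
    return new GeneralName(GeneralName.iPAddress, expSubtree.getIpAddress());
  }
  if (expSubtree.getRfc822Name() != null) {
    return new GeneralName(GeneralName.rfc822Name, expSubtree.getRfc822Name());
  }
  if (expSubtree.getUri() != null) {
    return new GeneralName(GeneralName.uniformResourceIdentifier, expSubtree.getUri());
  }
  throw new RuntimeException("should not reach here, unknown child of GeneralName");
}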
use of org.openecard.bouncycastle.asn1.x500.X500Name in project xipki by xipki.
the class IdentifiedX509Certprofile method getExtensions.
/**
 * Builds the extensions of the certificate to be issued.
 *
 * <p>Processing order: the extensions computed here (SubjectKeyIdentifier,
 * AuthorityKeyIdentifier, IssuerAltName, AuthorityInfoAccess, CRLDistributionPoints,
 * FreshestCRL, BasicConstraints, KeyUsage, ExtendedKeyUsage, ocsp-nocheck, SubjectInfoAccess)
 * are removed one by one from a copy of the profile's extension controls; the remaining
 * controls are handed to {@code certprofile.getExtensions(...)}. For a control flagged
 * {@code isRequest()} the extension supplied by the requestor is taken verbatim, including its
 * critical flag, before the profile-generated value is consulted, so the profile configuration
 * decides which extension types a requestor may dictate.
 *
 * <p>The requestor may list extension types as "needed" or "wanted" via the xipki
 * cmpRequestExtensions extension; a needed type unknown to the profile, or one that is still
 * unsatisfied at the end, rejects the request.
 *
 * @param requestedSubject
 *          Requested subject. Must not be {@code null}.
 * @param grantedSubject
 *          Granted subject. Must not be {@code null}.
 * @param requestedExtensions
 *          Extensions requested by the requestor. Could be {@code null}.
 * @param publicKeyInfo
 *          Subject public key. Must not be {@code null} (the only parameter null-checked here).
 * @param publicCaInfo
 *          CA information: subject, SubjectKeyIdentifier, serial number, SubjectAltName and
 *          the CA-certificate / OCSP / CRL / delta-CRL URIs. Must not be {@code null}.
 * @param crlSignerCert
 *          CRL signer certificate. Could be {@code null}.
 * @param notBefore
 *          NotBefore. Must not be {@code null}.
 * @param notAfter
 *          NotAfter. Must not be {@code null}.
 * @return the extensions of the certificate to be issued.
 * @throws CertprofileException
 *           if an extension the profile marks as required could not be added
 * @throws BadCertTemplateException
 *           if the requestor needs an extension the profile does not control, or that
 *           could not be added
 */
public ExtensionValues getExtensions(X500Name requestedSubject, X500Name grantedSubject,
    Extensions requestedExtensions, SubjectPublicKeyInfo publicKeyInfo, PublicCaInfo publicCaInfo,
    X509Certificate crlSignerCert, Date notBefore, Date notAfter)
    throws CertprofileException, BadCertTemplateException {
  // Only publicKeyInfo is validated here; the other "must not be null" parameters are
  // presumably checked by the caller — TODO confirm.
  ParamUtil.requireNonNull("publicKeyInfo", publicKeyInfo);
  ExtensionValues values = new ExtensionValues();
  // working copy: every handled extension is removed, what remains goes to the profile
  Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls());
  Set<ASN1ObjectIdentifier> neededExtTypes = new HashSet<>();
  Set<ASN1ObjectIdentifier> wantedExtTypes = new HashSet<>();
  if (requestedExtensions != null) {
    // xipki-specific request extension listing the types the requestor needs / wants
    Extension reqExtension = requestedExtensions.getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions);
    if (reqExtension != null) {
      ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue());
      neededExtTypes.addAll(ee.getNeedExtensions());
      wantedExtTypes.addAll(ee.getWantExtensions());
    }
    for (ASN1ObjectIdentifier oid : neededExtTypes) {
      // "needed" wins over "wanted" for the same type
      if (wantedExtTypes.contains(oid)) {
        wantedExtTypes.remove(oid);
      }
      // a needed type the profile does not control at all can never be satisfied
      if (!controls.containsKey(oid)) {
        throw new BadCertTemplateException("could not add needed extension " + oid.getId());
      }
    }
  }
  // SubjectKeyIdentifier
  ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier;
  ExtensionControl extControl = controls.remove(extType);
  if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
    // SHA-1 over the subjectPublicKey BIT STRING contents (RFC 5280 §4.2.1.2 method 1).
    // SHA-1 is acceptable here: the value is only an identifier, not a security property.
    byte[] encodedSpki = publicKeyInfo.getPublicKeyData().getBytes();
    byte[] skiValue = HashAlgo.SHA1.hash(encodedSpki);
    SubjectKeyIdentifier value = new SubjectKeyIdentifier(skiValue);
    addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
  }
  // Authority key identifier
  extType = Extension.authorityKeyIdentifier;
  extControl = controls.remove(extType);
  if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
    // keyIdentifier is the CA's own SubjectKeyIdentifier; without one the value stays null
    // and addExtension decides what that means (not visible here).
    byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer();
    AuthorityKeyIdentifier value = null;
    if (ikiValue != null) {
      if (certprofile.includesIssuerAndSerialInAki()) {
        // optional authorityCertIssuer (CA subject as directoryName) + authorityCertSerialNumber
        GeneralNames x509CaSubject = new GeneralNames(new GeneralName(publicCaInfo.getX500Subject()));
        value = new AuthorityKeyIdentifier(ikiValue, x509CaSubject, publicCaInfo.getSerialNumber());
      } else {
        value = new AuthorityKeyIdentifier(ikiValue);
      }
    }
    addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
  }
  // IssuerAltName
  extType = Extension.issuerAlternativeName;
  extControl = controls.remove(extType);
  if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
    // copied from the CA's own SubjectAltName
    GeneralNames value = publicCaInfo.getSubjectAltName();
    addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
  }
  // AuthorityInfoAccess
  extType = Extension.authorityInfoAccess;
  extControl = controls.remove(extType);
  if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
    // no AIA control at all means: include both caIssuers and OCSP
    AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl();
    List<String> caIssuers = null;
    if (aiaControl == null || aiaControl.isIncludesCaIssuers()) {
      caIssuers = publicCaInfo.getCaCertUris();
    }
    List<String> ocspUris = null;
    if (aiaControl == null || aiaControl.isIncludesOcsp()) {
      ocspUris = publicCaInfo.getOcspUris();
    }
    // the extension is silently skipped when the CA has no URIs to publish
    if (CollectionUtil.isNonEmpty(caIssuers) || CollectionUtil.isNonEmpty(ocspUris)) {
      AuthorityInformationAccess value = CaUtil.createAuthorityInformationAccess(caIssuers, ocspUris);
      addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
    }
  }
  if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) {
    // a separate CRL signer becomes the cRLIssuer of the distribution points
    X500Name crlSignerSubject = (crlSignerCert == null) ? null : X500Name.getInstance(crlSignerCert.getSubjectX500Principal().getEncoded());
    X500Name x500CaPrincipal = publicCaInfo.getX500Subject();
    // CRLDistributionPoints
    extType = Extension.cRLDistributionPoints;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
      if (CollectionUtil.isNonEmpty(publicCaInfo.getCrlUris())) {
        CRLDistPoint value = CaUtil.createCrlDistributionPoints(publicCaInfo.getCrlUris(), x500CaPrincipal, crlSignerSubject);
        addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
      }
    }
    // FreshestCRL
    extType = Extension.freshestCRL;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
      if (CollectionUtil.isNonEmpty(publicCaInfo.getDeltaCrlUris())) {
        CRLDistPoint value = CaUtil.createCrlDistributionPoints(publicCaInfo.getDeltaCrlUris(), x500CaPrincipal, crlSignerSubject);
        addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
      }
    }
  }
  // BasicConstraints
  extType = Extension.basicConstraints;
  extControl = controls.remove(extType);
  if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
    // cA flag and pathLenConstraint come from the profile, never from the request
    BasicConstraints value = CaUtil.createBasicConstraints(certprofile.getCertLevel(), certprofile.getPathLenBasicConstraint());
    addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
  }
  // KeyUsage
  extType = Extension.keyUsage;
  extControl = controls.remove(extType);
  if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
    Set<KeyUsage> usages = new HashSet<>();
    Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage();
    // usages the profile marks as required are always set
    for (KeyUsageControl k : usageOccs) {
      if (k.isRequired()) {
        usages.add(k.getKeyUsage());
      }
    }
    // the optional KeyUsage will only be set if requested explicitly
    if (requestedExtensions != null && extControl.isRequest()) {
      addRequestedKeyusage(usages, requestedExtensions, usageOccs);
    }
    org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages);
    addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
  }
  // ExtendedKeyUsage
  extType = Extension.extendedKeyUsage;
  extControl = controls.remove(extType);
  if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
    List<ASN1ObjectIdentifier> usages = new LinkedList<>();
    Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages();
    for (ExtKeyUsageControl k : usageOccs) {
      if (k.isRequired()) {
        usages.add(k.getExtKeyUsage());
      }
    }
    // the optional ExtKeyUsage will only be set if requested explicitly
    if (requestedExtensions != null && extControl.isRequest()) {
      addRequestedExtKeyusage(usages, requestedExtensions, usageOccs);
    }
    // RFC 5280 §4.2.1.12: with anyExtendedKeyUsage present the extension should not be
    // critical, so a critical control is downgraded to non-critical here.
    if (extControl.isCritical() && usages.contains(ObjectIdentifiers.id_anyExtendedKeyUsage)) {
      extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest());
    }
    ExtendedKeyUsage value = X509Util.createExtendedUsage(usages);
    addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
  }
  // ocsp-nocheck
  extType = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck;
  extControl = controls.remove(extType);
  if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
    // the extension ocsp-nocheck will only be set if requested explicitly
    // (presumably enforced through addMe / the control; this code adds NULL whenever addMe agrees)
    DERNull value = DERNull.INSTANCE;
    addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
  }
  // SubjectInfoAccess
  extType = Extension.subjectInfoAccess;
  extControl = controls.remove(extType);
  if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
    // built from the request, filtered by the profile's access modes; null when not requested
    ASN1Sequence value = null;
    if (requestedExtensions != null && extControl.isRequest()) {
      value = createSubjectInfoAccess(requestedExtensions, certprofile.getSubjectInfoAccessModes());
    }
    addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
  }
  // remove extensions that are neither required by the profile nor needed/wanted by the
  // requestor from the list, so the profile only generates what will actually be used
  List<ASN1ObjectIdentifier> listToRm = null;
  for (ASN1ObjectIdentifier extnType : controls.keySet()) {
    ExtensionControl ctrl = controls.get(extnType);
    if (ctrl.isRequired()) {
      continue;
    }
    if (neededExtTypes.contains(extnType) || wantedExtTypes.contains(extnType)) {
      continue;
    }
    if (listToRm == null) {
      listToRm = new LinkedList<>();
    }
    listToRm.add(extnType);
  }
  if (listToRm != null) {
    for (ASN1ObjectIdentifier extnType : listToRm) {
      controls.remove(extnType);
    }
  }
  // everything still in the map is produced by the profile implementation
  ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, grantedSubject, requestedExtensions, notBefore, notAfter, publicCaInfo);
  // iterate over a snapshot because the loop removes from controls
  Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet());
  for (ASN1ObjectIdentifier type : extTypes) {
    extControl = controls.remove(type);
    boolean addMe = addMe(type, extControl, neededExtTypes, wantedExtTypes);
    if (addMe) {
      ExtensionValue value = null;
      // For a request-controlled type the requestor's extension is copied as-is, critical
      // flag included; nothing here validates its content, so the profile must restrict
      // isRequest() to types where that is acceptable.
      if (requestedExtensions != null && extControl.isRequest()) {
        Extension reqExt = requestedExtensions.getExtension(type);
        if (reqExt != null) {
          value = new ExtensionValue(reqExt.isCritical(), reqExt.getParsedValue());
        }
      }
      if (value == null) {
        value = subvalues.getExtensionValue(type);
      }
      addExtension(values, type, value, extControl, neededExtTypes, wantedExtTypes);
    }
  }
  // any required control that survived in the map was not added by any step above
  Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>();
  for (ASN1ObjectIdentifier type : controls.keySet()) {
    if (controls.get(type).isRequired()) {
      unprocessedExtTypes.add(type);
    }
  }
  if (CollectionUtil.isNonEmpty(unprocessedExtTypes)) {
    throw new CertprofileException("could not add required extensions " + toString(unprocessedExtTypes));
  }
  // needed types are expected to be consumed by addExtension; leftovers were not satisfiable
  if (CollectionUtil.isNonEmpty(neededExtTypes)) {
    throw new BadCertTemplateException("could not add requested extensions " + toString(neededExtTypes));
  }
  return values;
}
use of org.openecard.bouncycastle.asn1.x500.X500Name in project xipki by xipki.
the class ScepResponder method servicePkiOperation0.
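/**
 * Handles one decoded SCEP pkiMessage and builds the CertRep reply.
 *
 * <p>Before any CA work is done the request is rejected with the matching SCEP failInfo when
 * the decoder recorded a failure, the signature or decryption check failed, the signingTime is
 * missing or deviates from the local clock by more than {@code maxSigningTimeBiasInMs}
 * (only enforced when that bias is positive), or the digest / content-encryption algorithm is
 * not enabled in {@code caCaps}. MD5 and single DES are accepted only when
 * {@code control.isUseInsecureAlg()} is set. The message type is then dispatched to the CA
 * emulator.
 *
 * <p>For PKCSReq the challengePassword attribute of the CSR must equal
 * {@code control.getSecret()}; the comparison is constant-time so that response timing does
 * not reveal how many leading bytes of the secret a guess matched. When the signer certificate
 * is self-signed, its subject must also equal the CSR subject. RenewalReq and UpdateReq issue
 * the CSR without a challengePassword check; CertPoll, GetCert and GetCRL are plain lookups.
 *
 * @param req decoded request; must not be {@code null}
 * @param event audit event of this request; not used by this method itself
 * @return the reply; never {@code null}
 * @throws MessageDecodingException declared for the message-data parsers; nothing in this
 *         method's own code throws it
 * @throws CaException if the CA emulator fails while issuing a certificate or building a CRL
 */
private PkiMessage servicePkiOperation0(DecodedPkiMessage req, AuditEvent event)
    throws MessageDecodingException, CaException {
  TransactionId tid = req.getTransactionId();
  PkiMessage rep = new PkiMessage(tid, MessageType.CertRep, Nonce.randomNonce());
  rep.setPkiStatus(PkiStatus.SUCCESS);
  rep.setRecipientNonce(req.getSenderNonce());

  if (req.getFailureMessage() != null) {
    return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
  }

  // null means the decoder did not perform the check; only an explicit false rejects
  Boolean signatureValid = req.isSignatureValid();
  if (signatureValid != null && !signatureValid.booleanValue()) {
    return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badMessageCheck);
  }
  Boolean decrypted = req.isDecryptionSuccessful();
  if (decrypted != null && !decrypted.booleanValue()) {
    return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
  }

  // replay window: with a configured bias a missing signingTime is treated as bad time
  if (maxSigningTimeBiasInMs > 0 && !isSigningTimeAcceptable(req.getSigningTime())) {
    return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badTime);
  }

  // check the digest algorithm
  String oid = req.getDigestAlgorithm().getId();
  ScepHashAlgo hashAlgo = ScepHashAlgo.forNameOrOid(oid);
  if (hashAlgo == null) {
    LOG.warn("tid={}: unknown digest algorithm {}", tid, oid);
    return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
  }
  if (!isDigestAlgorithmPermitted(hashAlgo)) {
    LOG.warn("tid={}: unsupported digest algorithm {}", tid, oid);
    return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
  }

  // check the content encryption algorithm
  ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm();
  if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) {
    if (!caCaps.containsCapability(CaCapability.DES3)) {
      // a {} placeholder for encOid was missing here, the argument was silently dropped
      LOG.warn("tid={}: encryption with DES3 algorithm {} is not permitted", tid, encOid);
      return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
  } else if (AES_ENC_ALGS.contains(encOid)) {
    if (!caCaps.containsCapability(CaCapability.AES)) {
      LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid);
      return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
  } else if (CMSAlgorithm.DES_CBC.equals(encOid)) {
    // single DES is insecure; honoured only when the emulator is explicitly configured for it
    if (!control.isUseInsecureAlg()) {
      LOG.warn("tid={}: encryption with DES algorithm {} is not permitted", tid, encOid);
      return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
  } else {
    LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid);
    return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
  }

  Certificate cert;
  CertificationRequest csr;
  IssuerAndSerialNumber isn;
  MessageType messageType = req.getMessageType();
  switch (messageType) {
    case PKCSReq: {
      java.security.cert.X509Certificate signerCert = req.getSignatureCert();
      if (signerCert == null) {
        // previously dereferenced unconditionally (NullPointerException)
        LOG.warn("tid={}: PKCSReq without signer certificate", tid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badMessageCheck);
      }
      csr = CertificationRequest.getInstance(req.getMessageData());

      // Self-signed means subject == issuer. The old code compared the issuer with itself,
      // which is always true, so the subject check below was applied to every signer.
      boolean selfSigned = signerCert.getSubjectX500Principal().equals(signerCert.getIssuerX500Principal());
      if (selfSigned) {
        X500Name signerSubject = X500Name.getInstance(signerCert.getSubjectX500Principal().getEncoded());
        if (!signerSubject.equals(csr.getCertificationRequestInfo().getSubject())) {
          LOG.warn("tid={}: self-signed cert.subject != CSR.subject", tid);
          return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
        }
      }

      String challengePwd = getChallengePassword(csr.getCertificationRequestInfo());
      if (!isChallengePasswordValid(challengePwd)) {
        LOG.warn("tid={}: challengePassword is not trusted", tid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
      }

      cert = generateCert(csr);
      if (cert != null && control.isPendingCert()) {
        // emulate a CA that defers issuance; the client is expected to CertPoll
        rep.setPkiStatus(PkiStatus.PENDING);
      } else if (cert != null) {
        rep.setMessageData(createSignedData(cert));
      } else {
        buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
      }
      break;
    }
    case CertPoll: {
      IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData());
      cert = caEmulator.pollCert(is.getIssuer(), is.getSubject());
      if (cert != null) {
        rep.setMessageData(createSignedData(cert));
      } else {
        buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
      }
      break;
    }
    case GetCert:
      isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
      cert = caEmulator.getCert(isn.getName(), isn.getSerialNumber().getValue());
      if (cert != null) {
        rep.setMessageData(createSignedData(cert));
      } else {
        buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
      }
      break;
    case RenewalReq:
      if (!caCaps.containsCapability(CaCapability.Renewal)) {
        buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
        break;
      }
      // no challengePassword here: authorization rests on the signature of the existing
      // certificate, which the decoder verified (not visible in this method)
      csr = CertificationRequest.getInstance(req.getMessageData());
      cert = generateCert(csr);
      if (cert != null) {
        rep.setMessageData(createSignedData(cert));
      } else {
        buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
      }
      break;
    case UpdateReq:
      if (!caCaps.containsCapability(CaCapability.Update)) {
        buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
        break;
      }
      csr = CertificationRequest.getInstance(req.getMessageData());
      cert = generateCert(csr);
      if (cert != null) {
        rep.setMessageData(createSignedData(cert));
      } else {
        buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
      }
      break;
    case GetCRL: {
      isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
      CertificateList crl;
      try {
        crl = caEmulator.getCrl(isn.getName(), isn.getSerialNumber().getValue());
      } catch (Exception ex) {
        throw new CaException("system failure: " + ex.getMessage(), ex);
      }
      if (crl != null) {
        rep.setMessageData(createSignedData(crl));
      } else {
        buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
      }
      break;
    }
    default:
      buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
  }
  return rep;
}

/**
 * Returns whether {@code signingTime} is present and within
 * {@code maxSigningTimeBiasInMs} of the local clock in either direction.
 *
 * @param signingTime signingTime attribute of the request; may be {@code null}
 * @return {@code true} if the time is acceptable
 */
private boolean isSigningTimeAcceptable(Date signingTime) {
  if (signingTime == null) {
    return false;
  }
  long diff = Math.abs(System.currentTimeMillis() - signingTime.getTime());
  return diff <= maxSigningTimeBiasInMs;
}

/**
 * Returns whether the responder is configured to accept {@code hashAlgo}: SHA-1/256/512 need
 * the matching CA capability, MD5 needs the explicit insecure-algorithm switch.
 *
 * @param hashAlgo digest algorithm of the request; must not be {@code null}
 * @return {@code true} if permitted
 */
private boolean isDigestAlgorithmPermitted(ScepHashAlgo hashAlgo) {
  if (hashAlgo == ScepHashAlgo.SHA1) {
    return caCaps.containsCapability(CaCapability.SHA1);
  }
  if (hashAlgo == ScepHashAlgo.SHA256) {
    return caCaps.containsCapability(CaCapability.SHA256);
  }
  if (hashAlgo == ScepHashAlgo.SHA512) {
    return caCaps.containsCapability(CaCapability.SHA512);
  }
  if (hashAlgo == ScepHashAlgo.MD5) {
    // MD5 is broken; only honoured when the emulator is explicitly configured for it
    return control.isUseInsecureAlg();
  }
  return false;
}

/**
 * Compares the CSR's challengePassword with the configured secret in constant time
 * (fully-qualified {@code MessageDigest.isEqual} to avoid a new import). Only the length
 * of the secret can still be inferred from timing, not its content.
 *
 * @param challengePwd challengePassword from the CSR; may be {@code null}
 * @return {@code true} if both are present and equal
 */
private boolean isChallengePasswordValid(String challengePwd) {
  String expected = control.getSecret();
  if (challengePwd == null || expected == null) {
    return false;
  }
  byte[] expectedBytes = expected.getBytes(java.nio.charset.StandardCharsets.UTF_8);
  byte[] actualBytes = challengePwd.getBytes(java.nio.charset.StandardCharsets.UTF_8);
  return java.security.MessageDigest.isEqual(expectedBytes, actualBytes);
}

/**
 * Issues a certificate for {@code csr} via the CA emulator, wrapping any failure into a
 * {@link CaException} (the same wrapping the three request types used inline before).
 *
 * @param csr the certification request
 * @return the issued certificate, or {@code null} if the emulator returned none
 * @throws CaException if the emulator throws
 */
private Certificate generateCert(CertificationRequest csr) throws CaException {
  try {
    return caEmulator.generateCert(csr);
  } catch (Exception ex) {
    throw new CaException("system failure: " + ex.getMessage(), ex);
  }
}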