use of org.openecard.bouncycastle.asn1.x509.Extension in project xipki by xipki.
the class ExtensionsChecker method checkExtensionSubjectInfoAccess.
/**
 * Compares the subjectInfoAccess extension found in a certificate with the
 * one carried by the request, entry by entry, and records every mismatch.
 *
 * <p>Entries are matched by position: entry {@code i} of the request is
 * compared with entry {@code i} of the certificate. The access method of each
 * requested entry must also be configured in the certificate profile.
 *
 * @param failureMsg collector that receives one fragment per finding
 * @param extensionValue encoded extension content, parsed here as the
 *     certificate-side sequence
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @param extControl not read by this method
 */
private void checkExtensionSubjectInfoAccess(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    Map<ASN1ObjectIdentifier, Set<GeneralNameMode>> allowedModes = certProfile.getSubjectInfoAccessModes();

    // The request is consulted only when the profile configures the extension.
    ASN1Encodable requestedValue = null;
    if (allowedModes != null && requestedExtensions != null) {
        requestedValue = requestedExtensions.getExtensionParsedValue(Extension.subjectInfoAccess);
    }
    if (requestedValue == null) {
        // Neither profile nor request accounts for the extension that is in the certificate.
        failureMsg.append("extension is present but not expected; ");
        return;
    }

    ASN1Sequence requestedEntries = ASN1Sequence.getInstance(requestedValue);
    ASN1Sequence certEntries = ASN1Sequence.getInstance(extensionValue);
    int expectedCount = requestedEntries.size();
    int certCount = certEntries.size();
    if (certCount != expectedCount) {
        // A positional comparison is meaningless when the lengths differ.
        addViolation(failureMsg, "size of GeneralNames", certCount, expectedCount);
        return;
    }

    for (int idx = 0; idx < expectedCount; idx++) {
        AccessDescription requestedDesc = AccessDescription.getInstance(requestedEntries.getObjectAt(idx));
        ASN1ObjectIdentifier requestedMethod = requestedDesc.getAccessMethod();
        Set<GeneralNameMode> modesForMethod = allowedModes.get(requestedMethod);
        if (modesForMethod == null) {
            // The profile has no entry for this access method.
            failureMsg.append("accessMethod in requestedExtension ").append(requestedMethod.getId()).append(" is not allowed; ");
            continue;
        }

        AccessDescription certDesc = AccessDescription.getInstance(certEntries.getObjectAt(idx));
        ASN1ObjectIdentifier certMethod = certDesc.getAccessMethod();
        boolean sameMethod;
        if (requestedMethod == null) {
            sameMethod = (certMethod == null);
        } else {
            sameMethod = requestedMethod.equals(certMethod);
        }
        if (!sameMethod) {
            String certMethodText = (certMethod == null) ? "null" : certMethod.getId();
            String requestedMethodText = (requestedMethod == null) ? "null" : requestedMethod.getId();
            addViolation(failureMsg, "accessMethod", certMethodText, requestedMethodText);
            continue;
        }

        // Rebuild the location the profile would produce for the requested entry.
        GeneralName expectedLocation;
        try {
            expectedLocation = createGeneralName(requestedDesc.getAccessLocation(), modesForMethod);
        } catch (BadCertTemplateException ex) {
            failureMsg.append("invalid requestedExtension: ").append(ex.getMessage()).append("; ");
            continue;
        }

        GeneralName certLocation = certDesc.getAccessLocation();
        if (!certLocation.equals(expectedLocation)) {
            failureMsg.append("accessLocation does not match the requested one; ");
        }
    }
}
use of org.openecard.bouncycastle.asn1.x509.Extension in project xipki by xipki.
the class ExtensionsChecker method checkExtensionAdmission.
// method checkExtensionDeltaCrlDistributionPoints
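/**
 * Checks the Admission extension of a certificate against the value the
 * certificate profile is expected to produce.
 *
 * <p>Without an admission configuration in the profile, the extension bytes
 * are compared with the value returned by {@code getExpectedExtValue}. With a
 * configuration, the expected value is recomputed from the configuration and,
 * when the configuration requires it, from the registration numbers found in
 * the request.
 *
 * @param failureMsg collector that receives one fragment per finding
 * @param extensionValue encoded extension content under test
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @param extControl control settings passed on to {@code getExpectedExtValue}
 */
private void checkExtensionAdmission(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    AdmissionSyntaxOption conf = certProfile.getAdmission();
    ASN1ObjectIdentifier type = ObjectIdentifiers.id_extension_admission;
    if (conf == null) {
        byte[] expected = getExpectedExtValue(type, requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension value", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
        }
        return;
    }

    // Stays null when there are no requested extensions or the profile does
    // not take its input from the request.
    List<List<String>> reqRegNumsList = null;
    if (requestedExtensions != null && conf.isInputFromRequestRequired()) {
        Extension extension = requestedExtensions.getExtension(type);
        if (extension == null) {
            failureMsg.append("no Admission extension is contained in the request;");
            return;
        }

        Admissions[] reqAdmissions = org.bouncycastle.asn1.isismtt.x509.AdmissionSyntax.getInstance(extension.getParsedValue()).getContentsOfAdmissions();
        reqRegNumsList = new ArrayList<>(reqAdmissions.length);
        // One inner list per requested admission, holding the registration
        // number of each of its profession infos in order.
        for (Admissions reqAdmission : reqAdmissions) {
            ProfessionInfo[] reqPis = reqAdmission.getProfessionInfos();
            List<String> reqNums = new ArrayList<>(reqPis.length);
            for (ProfessionInfo reqPi : reqPis) {
                reqNums.add(reqPi.getRegistrationNumber());
            }
            reqRegNumsList.add(reqNums);
        }
    }

    try {
        byte[] expected = conf.getExtensionValue(reqRegNumsList).getValue().toASN1Primitive().getEncoded();
        if (!Arrays.equals(expected, extensionValue)) {
            // Label spelled "extension value", matching the branch above
            // (the original read "extension valus").
            addViolation(failureMsg, "extension value", hex(extensionValue), hex(expected));
        }
    } catch (IOException ex) {
        LogUtil.error(LOG, ex);
        failureMsg.append("IOException while computing the expected extension value;");
    } catch (BadCertTemplateException ex) {
        LogUtil.error(LOG, ex);
        failureMsg.append("BadCertTemplateException while computing the expected extension value;");
    }
}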
use of org.openecard.bouncycastle.asn1.x509.Extension in project xipki by xipki.
the class ExtensionsChecker method checkExtensionTlsFeature.
// method checkExtensionExtendedKeyUsage
/**
 * Checks the TLS feature extension of a certificate against the configured
 * feature set.
 *
 * <p>When no TLS feature configuration is set, the extension bytes are
 * compared with the value returned by {@code getExpectedExtValue}. Otherwise
 * the features listed in the extension are compared, as decimal strings, with
 * the configured ones, and both surplus and missing features are reported.
 *
 * @param failureMsg collector that receives one fragment per finding
 * @param extensionValue encoded extension content under test
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @param extControl control settings passed on to {@code getExpectedExtValue}
 */
private void checkExtensionTlsFeature(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    QaTlsFeature featureConf = tlsFeature;
    if (featureConf == null) {
        byte[] expectedValue = getExpectedExtValue(ObjectIdentifiers.id_pe_tlsfeature, requestedExtensions, extControl);
        boolean identical = Arrays.equals(expectedValue, extensionValue);
        if (!identical) {
            String expectedText = (expectedValue == null) ? "not present" : hex(expectedValue);
            addViolation(failureMsg, "extension values", hex(extensionValue), expectedText);
        }
        return;
    }

    // Features actually listed in the certificate.
    Set<String> presentFeatures = new HashSet<>();
    ASN1Sequence featureSeq = ASN1Sequence.getInstance(extensionValue);
    final int featureCount = featureSeq.size();
    for (int idx = 0; idx < featureCount; idx++) {
        ASN1Integer feature = ASN1Integer.getInstance(featureSeq.getObjectAt(idx));
        presentFeatures.add(feature.getPositiveValue().toString());
    }

    // Features the configuration asks for.
    Set<String> configuredFeatures = new HashSet<>();
    for (Integer feature : featureConf.getFeatures()) {
        configuredFeatures.add(feature.toString());
    }

    Set<String> surplus = strInBnotInA(configuredFeatures, presentFeatures);
    if (CollectionUtil.isNonEmpty(surplus)) {
        failureMsg.append("features ").append(surplus.toString()).append(" are present but not expected; ");
    }

    Set<String> missing = strInBnotInA(presentFeatures, configuredFeatures);
    if (CollectionUtil.isNonEmpty(missing)) {
        failureMsg.append("features ").append(missing.toString()).append(" are absent but are required; ");
    }
}
use of org.openecard.bouncycastle.asn1.x509.Extension in project xipki by xipki.
the class ExtensionsChecker method checkExtensionExtendedKeyUsage.
// method checkExtensionKeyUsage
/**
 * Checks the extendedKeyUsage extension of a certificate against the usages
 * the profile requires and, where the request may contribute, the optional
 * usages the request asked for.
 *
 * <p>Both surplus usages (in the certificate but not expected) and missing
 * usages (expected but not in the certificate) are reported.
 *
 * @param failureMsg collector that receives one fragment per finding
 * @param extensionValue encoded extension content under test
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @param extControl consulted to decide whether the request may contribute
 */
private void checkExtensionExtendedKeyUsage(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    // Usages actually present in the certificate.
    Set<String> presentUsages = new HashSet<>();
    org.bouncycastle.asn1.x509.ExtendedKeyUsage certEku = org.bouncycastle.asn1.x509.ExtendedKeyUsage.getInstance(extensionValue);
    KeyPurposeId[] certPurposes = certEku.getUsages();
    if (certPurposes != null) {
        for (KeyPurposeId purpose : certPurposes) {
            presentUsages.add(purpose.getId());
        }
    }

    // Required usages are always expected.
    Set<String> expectedUsages = new HashSet<>();
    Set<ExtKeyUsageControl> requiredControls = getExtKeyusage(true);
    if (requiredControls != null) {
        for (ExtKeyUsageControl control : requiredControls) {
            expectedUsages.add(control.getExtKeyUsage().getId());
        }
    }

    // Optional usages are expected only when the request asked for them.
    Set<ExtKeyUsageControl> optionalControls = getExtKeyusage(false);
    Extension requestedExtension = null;
    if (requestedExtensions != null && extControl.isRequest() && CollectionUtil.isNonEmpty(optionalControls)) {
        requestedExtension = requestedExtensions.getExtension(Extension.extendedKeyUsage);
    }
    if (requestedExtension != null) {
        org.bouncycastle.asn1.x509.ExtendedKeyUsage requestedEku = org.bouncycastle.asn1.x509.ExtendedKeyUsage.getInstance(requestedExtension.getParsedValue());
        for (ExtKeyUsageControl control : optionalControls) {
            if (requestedEku.hasKeyPurposeId(KeyPurposeId.getInstance(control.getExtKeyUsage()))) {
                expectedUsages.add(control.getExtKeyUsage().getId());
            }
        }
    }

    if (CollectionUtil.isEmpty(expectedUsages)) {
        // NOTE(review): the fallback looks up the constant value under
        // Extension.keyUsage although this method checks extendedKeyUsage and
        // hands the bytes to getExtKeyUsage(...). Looks like it should be
        // Extension.extendedKeyUsage; confirm against getConstantExtensionValue.
        byte[] constantValue = getConstantExtensionValue(Extension.keyUsage);
        if (constantValue != null) {
            expectedUsages = getExtKeyUsage(constantValue);
        }
    }

    Set<String> surplus = strInBnotInA(expectedUsages, presentUsages);
    if (CollectionUtil.isNonEmpty(surplus)) {
        failureMsg.append("usages ").append(surplus.toString()).append(" are present but not expected; ");
    }

    Set<String> missing = strInBnotInA(presentUsages, expectedUsages);
    if (CollectionUtil.isNonEmpty(missing)) {
        failureMsg.append("usages ").append(missing.toString()).append(" are absent but are required; ");
    }
}
use of org.openecard.bouncycastle.asn1.x509.Extension in project xipki by xipki.
the class ExtensionsChecker method checkExtensionIssuerAltNames.
// method checkExtensionSubjectInfoAccess
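/**
 * Checks that the issuerAlternativeName extension of a certificate is
 * byte-identical to the subjectAlternativeName extension of the issuer's
 * certificate.
 *
 * @param failureMsg collector that receives one fragment per finding
 * @param extensionValue encoded extension content under test
 * @param issuerInfo issuer data; its certificate supplies the reference value
 */
private void checkExtensionIssuerAltNames(StringBuilder failureMsg, byte[] extensionValue, X509IssuerInfo issuerInfo) {
    // getExtensions() can return null for a certificate without an extensions
    // block; treat that like a missing subjectAlternativeName instead of
    // failing with a NullPointerException.
    Extensions caExtensions = issuerInfo.getBcCert().getTBSCertificate().getExtensions();
    Extension caSubjectAltExtension = (caExtensions == null) ? null : caExtensions.getExtension(Extension.subjectAlternativeName);
    if (caSubjectAltExtension == null) {
        failureMsg.append("issuerAlternativeName is present but expected 'none'; ");
        return;
    }

    byte[] caSubjectAltExtensionValue = caSubjectAltExtension.getExtnValue().getOctets();
    if (!Arrays.equals(caSubjectAltExtensionValue, extensionValue)) {
        addViolation(failureMsg, "issuerAltNames", hex(extensionValue), hex(caSubjectAltExtensionValue));
    }
}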