Examples with Extensions org.openecard.bouncycastle.asn1.x509.Extensions used on opensource projects
Example 31 with Extensions
use of org.openecard.bouncycastle.asn1.x509.Extensions in project xipki by xipki.
the class ExtensionsChecker method checkExtensionSubjectInfoAccess.
private void checkExtensionSubjectInfoAccess(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
Map<ASN1ObjectIdentifier, Set<GeneralNameMode>> conf = certProfile.getSubjectInfoAccessModes();
if (conf == null) {
failureMsg.append("extension is present but not expected; ");
return;
}
ASN1Encodable requestExtValue = null;
if (requestedExtensions != null) {
requestExtValue = requestedExtensions.getExtensionParsedValue(Extension.subjectInfoAccess);
}
if (requestExtValue == null) {
failureMsg.append("extension is present but not expected; ");
return;
}
ASN1Sequence requestSeq = ASN1Sequence.getInstance(requestExtValue);
ASN1Sequence certSeq = ASN1Sequence.getInstance(extensionValue);
int size = requestSeq.size();
if (certSeq.size() != size) {
addViolation(failureMsg, "size of GeneralNames", certSeq.size(), size);
return;
}
for (int i = 0; i < size; i++) {
AccessDescription ad = AccessDescription.getInstance(requestSeq.getObjectAt(i));
ASN1ObjectIdentifier accessMethod = ad.getAccessMethod();
Set<GeneralNameMode> generalNameModes = conf.get(accessMethod);
if (generalNameModes == null) {
failureMsg.append("accessMethod in requestedExtension ").append(accessMethod.getId()).append(" is not allowed; ");
continue;
}
AccessDescription certAccessDesc = AccessDescription.getInstance(certSeq.getObjectAt(i));
ASN1ObjectIdentifier certAccessMethod = certAccessDesc.getAccessMethod();
boolean bo = (accessMethod == null) ? (certAccessMethod == null) : accessMethod.equals(certAccessMethod);
if (!bo) {
addViolation(failureMsg, "accessMethod", (certAccessMethod == null) ? "null" : certAccessMethod.getId(), (accessMethod == null) ? "null" : accessMethod.getId());
continue;
}
GeneralName accessLocation;
try {
accessLocation = createGeneralName(ad.getAccessLocation(), generalNameModes);
} catch (BadCertTemplateException ex) {
failureMsg.append("invalid requestedExtension: ").append(ex.getMessage()).append("; ");
continue;
}
GeneralName certAccessLocation = certAccessDesc.getAccessLocation();
if (!certAccessLocation.equals(accessLocation)) {
failureMsg.append("accessLocation does not match the requested one; ");
}
}
}
Also used :
GeneralNameMode(org.xipki.ca.api.profile.GeneralNameMode)
Set(java.util.Set)
HashSet(java.util.HashSet)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
AccessDescription(org.bouncycastle.asn1.x509.AccessDescription)
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
Example 32 with Extensions
use of org.openecard.bouncycastle.asn1.x509.Extensions in project xipki by xipki.
the class ExtensionsChecker method checkExtensionAdmission.
// method checkExtensionDeltaCrlDistributionPoints
private void checkExtensionAdmission(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
AdmissionSyntaxOption conf = certProfile.getAdmission();
ASN1ObjectIdentifier type = ObjectIdentifiers.id_extension_admission;
if (conf == null) {
byte[] expected = getExpectedExtValue(type, requestedExtensions, extControl);
if (!Arrays.equals(expected, extensionValue)) {
addViolation(failureMsg, "extension value", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
}
return;
}
List<List<String>> reqRegNumsList = null;
if (requestedExtensions != null && conf.isInputFromRequestRequired()) {
Extension extension = requestedExtensions.getExtension(type);
if (extension == null) {
failureMsg.append("no Admission extension is contained in the request;");
return;
}
Admissions[] reqAdmissions = org.bouncycastle.asn1.isismtt.x509.AdmissionSyntax.getInstance(extension.getParsedValue()).getContentsOfAdmissions();
final int n = reqAdmissions.length;
reqRegNumsList = new ArrayList<>(n);
for (int i = 0; i < n; i++) {
Admissions reqAdmission = reqAdmissions[i];
ProfessionInfo[] reqPis = reqAdmission.getProfessionInfos();
List<String> reqNums = new ArrayList<>(reqPis.length);
reqRegNumsList.add(reqNums);
for (ProfessionInfo reqPi : reqPis) {
String reqNum = reqPi.getRegistrationNumber();
reqNums.add(reqNum);
}
}
}
try {
byte[] expected = conf.getExtensionValue(reqRegNumsList).getValue().toASN1Primitive().getEncoded();
if (!Arrays.equals(expected, extensionValue)) {
addViolation(failureMsg, "extension valus", hex(extensionValue), hex(expected));
}
} catch (IOException ex) {
LogUtil.error(LOG, ex);
failureMsg.append("IOException while computing the expected extension value;");
return;
} catch (BadCertTemplateException ex) {
LogUtil.error(LOG, ex);
failureMsg.append("BadCertTemplateException while computing the expected extension value;");
}
}
Also used :
AdmissionSyntaxOption(org.xipki.ca.certprofile.commonpki.AdmissionSyntaxOption)
ArrayList(java.util.ArrayList)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1String(org.bouncycastle.asn1.ASN1String)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERT61String(org.bouncycastle.asn1.DERT61String)
IOException(java.io.IOException)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
Extension(org.bouncycastle.asn1.x509.Extension)
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
Admissions(org.bouncycastle.asn1.isismtt.x509.Admissions)
ArrayList(java.util.ArrayList)
List(java.util.List)
LinkedList(java.util.LinkedList)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
ProfessionInfo(org.bouncycastle.asn1.isismtt.x509.ProfessionInfo)
Example 33 with Extensions
use of org.openecard.bouncycastle.asn1.x509.Extensions in project xipki by xipki.
the class ExtensionsChecker method checkExtensionTlsFeature.
// method checkExtensionExtendedKeyUsage
private void checkExtensionTlsFeature(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
QaTlsFeature conf = tlsFeature;
if (conf == null) {
byte[] expected = getExpectedExtValue(ObjectIdentifiers.id_pe_tlsfeature, requestedExtensions, extControl);
if (!Arrays.equals(expected, extensionValue)) {
addViolation(failureMsg, "extension values", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
}
return;
}
Set<String> isFeatures = new HashSet<>();
ASN1Sequence seq = ASN1Sequence.getInstance(extensionValue);
final int n = seq.size();
for (int i = 0; i < n; i++) {
ASN1Integer asn1Feature = ASN1Integer.getInstance(seq.getObjectAt(i));
isFeatures.add(asn1Feature.getPositiveValue().toString());
}
Set<String> expFeatures = new HashSet<>();
for (Integer m : conf.getFeatures()) {
expFeatures.add(m.toString());
}
Set<String> diffs = strInBnotInA(expFeatures, isFeatures);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("features ").append(diffs.toString()).append(" are present but not expected; ");
}
diffs = strInBnotInA(isFeatures, expFeatures);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("features ").append(diffs.toString()).append(" are absent but are required; ");
}
}
Also used :
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
BigInteger(java.math.BigInteger)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1String(org.bouncycastle.asn1.ASN1String)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERT61String(org.bouncycastle.asn1.DERT61String)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
QaTlsFeature(org.xipki.ca.qa.internal.QaTlsFeature)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
HashSet(java.util.HashSet)
Example 34 with Extensions
use of org.openecard.bouncycastle.asn1.x509.Extensions in project xipki by xipki.
the class ExtensionsChecker method checkExtensionExtendedKeyUsage.
// method checkExtensionKeyUsage
private void checkExtensionExtendedKeyUsage(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
Set<String> isUsages = new HashSet<>();
org.bouncycastle.asn1.x509.ExtendedKeyUsage keyusage = org.bouncycastle.asn1.x509.ExtendedKeyUsage.getInstance(extensionValue);
KeyPurposeId[] usages = keyusage.getUsages();
if (usages != null) {
for (KeyPurposeId usage : usages) {
isUsages.add(usage.getId());
}
}
Set<String> expectedUsages = new HashSet<>();
Set<ExtKeyUsageControl> requiredExtKeyusage = getExtKeyusage(true);
if (requiredExtKeyusage != null) {
for (ExtKeyUsageControl usage : requiredExtKeyusage) {
expectedUsages.add(usage.getExtKeyUsage().getId());
}
}
Set<ExtKeyUsageControl> optionalExtKeyusage = getExtKeyusage(false);
if (requestedExtensions != null && extControl.isRequest() && CollectionUtil.isNonEmpty(optionalExtKeyusage)) {
Extension extension = requestedExtensions.getExtension(Extension.extendedKeyUsage);
if (extension != null) {
org.bouncycastle.asn1.x509.ExtendedKeyUsage reqKeyUsage = org.bouncycastle.asn1.x509.ExtendedKeyUsage.getInstance(extension.getParsedValue());
for (ExtKeyUsageControl k : optionalExtKeyusage) {
if (reqKeyUsage.hasKeyPurposeId(KeyPurposeId.getInstance(k.getExtKeyUsage()))) {
expectedUsages.add(k.getExtKeyUsage().getId());
}
}
}
}
if (CollectionUtil.isEmpty(expectedUsages)) {
byte[] constantExtValue = getConstantExtensionValue(Extension.keyUsage);
if (constantExtValue != null) {
expectedUsages = getExtKeyUsage(constantExtValue);
}
}
Set<String> diffs = strInBnotInA(expectedUsages, isUsages);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("usages ").append(diffs.toString()).append(" are present but not expected; ");
}
diffs = strInBnotInA(isUsages, expectedUsages);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("usages ").append(diffs.toString()).append(" are absent but are required; ");
}
}
Also used :
Extension(org.bouncycastle.asn1.x509.Extension)
KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId)
ExtKeyUsageControl(org.xipki.ca.api.profile.x509.ExtKeyUsageControl)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1String(org.bouncycastle.asn1.ASN1String)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERT61String(org.bouncycastle.asn1.DERT61String)
HashSet(java.util.HashSet)
Example 35 with Extensions
use of org.openecard.bouncycastle.asn1.x509.Extensions in project xipki by xipki.
the class ExtensionsChecker method checkExtensions.
// constructor
public List<ValidationIssue> checkExtensions(Certificate cert, X509IssuerInfo issuerInfo, Extensions requestedExtensions, X500Name requestedSubject) {
ParamUtil.requireNonNull("cert", cert);
ParamUtil.requireNonNull("issuerInfo", issuerInfo);
X509Certificate jceCert;
try {
jceCert = X509Util.toX509Cert(cert);
} catch (CertificateException ex) {
throw new IllegalArgumentException("invalid cert: " + ex.getMessage());
}
List<ValidationIssue> result = new LinkedList<>();
// detect the list of extension types in certificate
Set<ASN1ObjectIdentifier> presentExtenionTypes = getExensionTypes(cert, issuerInfo, requestedExtensions);
Extensions extensions = cert.getTBSCertificate().getExtensions();
ASN1ObjectIdentifier[] oids = extensions.getExtensionOIDs();
if (oids == null) {
ValidationIssue issue = new ValidationIssue("X509.EXT.GEN", "extension general");
result.add(issue);
issue.setFailureMessage("no extension is present");
return result;
}
List<ASN1ObjectIdentifier> certExtTypes = Arrays.asList(oids);
for (ASN1ObjectIdentifier extType : presentExtenionTypes) {
if (!certExtTypes.contains(extType)) {
ValidationIssue issue = createExtensionIssue(extType);
result.add(issue);
issue.setFailureMessage("extension is absent but is required");
}
}
Map<ASN1ObjectIdentifier, ExtensionControl> extensionControls = certProfile.getExtensionControls();
for (ASN1ObjectIdentifier oid : certExtTypes) {
ValidationIssue issue = createExtensionIssue(oid);
result.add(issue);
if (!presentExtenionTypes.contains(oid)) {
issue.setFailureMessage("extension is present but is not permitted");
continue;
}
Extension ext = extensions.getExtension(oid);
StringBuilder failureMsg = new StringBuilder();
ExtensionControl extControl = extensionControls.get(oid);
if (extControl.isCritical() != ext.isCritical()) {
addViolation(failureMsg, "critical", ext.isCritical(), extControl.isCritical());
}
byte[] extensionValue = ext.getExtnValue().getOctets();
try {
if (Extension.authorityKeyIdentifier.equals(oid)) {
// AuthorityKeyIdentifier
checkExtensionIssuerKeyIdentifier(failureMsg, extensionValue, issuerInfo);
} else if (Extension.subjectKeyIdentifier.equals(oid)) {
// SubjectKeyIdentifier
checkExtensionSubjectKeyIdentifier(failureMsg, extensionValue, cert.getSubjectPublicKeyInfo());
} else if (Extension.keyUsage.equals(oid)) {
// KeyUsage
checkExtensionKeyUsage(failureMsg, extensionValue, jceCert.getKeyUsage(), requestedExtensions, extControl);
} else if (Extension.certificatePolicies.equals(oid)) {
// CertificatePolicies
checkExtensionCertificatePolicies(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.policyMappings.equals(oid)) {
// Policy Mappings
checkExtensionPolicyMappings(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.subjectAlternativeName.equals(oid)) {
// SubjectAltName
checkExtensionSubjectAltName(failureMsg, extensionValue, requestedExtensions, extControl, requestedSubject);
} else if (Extension.subjectDirectoryAttributes.equals(oid)) {
// SubjectDirectoryAttributes
checkExtensionSubjectDirAttrs(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.issuerAlternativeName.equals(oid)) {
// IssuerAltName
checkExtensionIssuerAltNames(failureMsg, extensionValue, issuerInfo);
} else if (Extension.basicConstraints.equals(oid)) {
// Basic Constraints
checkExtensionBasicConstraints(failureMsg, extensionValue);
} else if (Extension.nameConstraints.equals(oid)) {
// Name Constraints
checkExtensionNameConstraints(failureMsg, extensionValue, extensions, extControl);
} else if (Extension.policyConstraints.equals(oid)) {
// PolicyConstrains
checkExtensionPolicyConstraints(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.extendedKeyUsage.equals(oid)) {
// ExtendedKeyUsage
checkExtensionExtendedKeyUsage(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.cRLDistributionPoints.equals(oid)) {
// CRL Distribution Points
checkExtensionCrlDistributionPoints(failureMsg, extensionValue, issuerInfo);
} else if (Extension.inhibitAnyPolicy.equals(oid)) {
// Inhibit anyPolicy
checkExtensionInhibitAnyPolicy(failureMsg, extensionValue, extensions, extControl);
} else if (Extension.freshestCRL.equals(oid)) {
// Freshest CRL
checkExtensionDeltaCrlDistributionPoints(failureMsg, extensionValue, issuerInfo);
} else if (Extension.authorityInfoAccess.equals(oid)) {
// Authority Information Access
checkExtensionAuthorityInfoAccess(failureMsg, extensionValue, issuerInfo);
} else if (Extension.subjectInfoAccess.equals(oid)) {
// SubjectInfoAccess
checkExtensionSubjectInfoAccess(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (ObjectIdentifiers.id_extension_admission.equals(oid)) {
// Admission
checkExtensionAdmission(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (ObjectIdentifiers.id_extension_pkix_ocsp_nocheck.equals(oid)) {
// ocsp-nocheck
checkExtensionOcspNocheck(failureMsg, extensionValue);
} else if (ObjectIdentifiers.id_extension_restriction.equals(oid)) {
// restriction
checkExtensionRestriction(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (ObjectIdentifiers.id_extension_additionalInformation.equals(oid)) {
// additionalInformation
checkExtensionAdditionalInformation(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (ObjectIdentifiers.id_extension_validityModel.equals(oid)) {
// validityModel
checkExtensionValidityModel(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.privateKeyUsagePeriod.equals(oid)) {
// privateKeyUsagePeriod
checkExtensionPrivateKeyUsagePeriod(failureMsg, extensionValue, jceCert.getNotBefore(), jceCert.getNotAfter());
} else if (Extension.qCStatements.equals(oid)) {
// qCStatements
checkExtensionQcStatements(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (Extension.biometricInfo.equals(oid)) {
// biometricInfo
checkExtensionBiometricInfo(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (ObjectIdentifiers.id_pe_tlsfeature.equals(oid)) {
// tlsFeature
checkExtensionTlsFeature(failureMsg, extensionValue, requestedExtensions, extControl);
} else if (ObjectIdentifiers.id_xipki_ext_authorizationTemplate.equals(oid)) {
// authorizationTemplate
checkExtensionAuthorizationTemplate(failureMsg, extensionValue, requestedExtensions, extControl);
} else {
byte[] expected;
if (ObjectIdentifiers.id_smimeCapabilities.equals(oid)) {
// SMIMECapabilities
expected = smimeCapabilities.getValue();
} else {
expected = getExpectedExtValue(oid, requestedExtensions, extControl);
}
if (!Arrays.equals(expected, extensionValue)) {
addViolation(failureMsg, "extension valus", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
}
}
if (failureMsg.length() > 0) {
issue.setFailureMessage(failureMsg.toString());
}
} catch (IllegalArgumentException | ClassCastException | ArrayIndexOutOfBoundsException ex) {
LOG.debug("extension value does not have correct syntax", ex);
issue.setFailureMessage("extension value does not have correct syntax");
}
}
return result;
}
Also used :
CertificateException(java.security.cert.CertificateException)
Extensions(org.bouncycastle.asn1.x509.Extensions)
ValidationIssue(org.xipki.common.qa.ValidationIssue)
X509Certificate(java.security.cert.X509Certificate)
LinkedList(java.util.LinkedList)
Extension(org.bouncycastle.asn1.x509.Extension)
ExtensionControl(org.xipki.ca.api.profile.ExtensionControl)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Aggregations
Extensions (org.bouncycastle.asn1.x509.Extensions)55
Extension (org.bouncycastle.asn1.x509.Extension)52
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)44
DEROctetString (org.bouncycastle.asn1.DEROctetString)37
IOException (java.io.IOException)36
HashSet (java.util.HashSet)33
Enumeration (java.util.Enumeration)30
DERIA5String (org.bouncycastle.asn1.DERIA5String)26
Date (java.util.Date)23
X500Name (org.bouncycastle.asn1.x500.X500Name)23
Set (java.util.Set)21
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)21
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)21
GeneralName (org.bouncycastle.asn1.x509.GeneralName)21
ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)20
DERUTF8String (org.bouncycastle.asn1.DERUTF8String)20
BigInteger (java.math.BigInteger)19
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)19
CertificateException (java.security.cert.CertificateException)17
X509Certificate (java.security.cert.X509Certificate)17
