Search in sources :

Example 81 with GeneralName

use of org.openecard.bouncycastle.asn1.x509.GeneralName in project robovm by robovm.

the class X509ExtensionUtil method getAlternativeNames.

private static Collection getAlternativeNames(byte[] extVal) throws CertificateParsingException {
    if (extVal == null) {
        return Collections.EMPTY_LIST;
    }
    try {
        Collection temp = new ArrayList();
        Enumeration it = DERSequence.getInstance(fromExtensionValue(extVal)).getObjects();
        while (it.hasMoreElements()) {
            GeneralName genName = GeneralName.getInstance(it.nextElement());
            List list = new ArrayList();
            list.add(Integers.valueOf(genName.getTagNo()));
            switch(genName.getTagNo()) {
                case GeneralName.ediPartyName:
                case GeneralName.x400Address:
                case GeneralName.otherName:
                    list.add(genName.getName().toASN1Primitive());
                    break;
                case GeneralName.directoryName:
                    list.add(X500Name.getInstance(genName.getName()).toString());
                    break;
                case GeneralName.dNSName:
                case GeneralName.rfc822Name:
                case GeneralName.uniformResourceIdentifier:
                    list.add(((ASN1String) genName.getName()).getString());
                    break;
                case GeneralName.registeredID:
                    list.add(ASN1ObjectIdentifier.getInstance(genName.getName()).getId());
                    break;
                case GeneralName.iPAddress:
                    list.add(DEROctetString.getInstance(genName.getName()).getOctets());
                    break;
                default:
                    throw new IOException("Bad tag number: " + genName.getTagNo());
            }
            temp.add(list);
        }
        return Collections.unmodifiableCollection(temp);
    } catch (Exception e) {
        throw new CertificateParsingException(e.getMessage());
    }
}
Also used : Enumeration(java.util.Enumeration) CertificateParsingException(java.security.cert.CertificateParsingException) ArrayList(java.util.ArrayList) Collection(java.util.Collection) ArrayList(java.util.ArrayList) List(java.util.List) GeneralName(org.bouncycastle.asn1.x509.GeneralName) IOException(java.io.IOException) CertificateParsingException(java.security.cert.CertificateParsingException) IOException(java.io.IOException)

Example 82 with GeneralName

use of org.openecard.bouncycastle.asn1.x509.GeneralName in project OpenAttestation by OpenAttestation.

the class X509Builder method ipAlternativeName.

public X509Builder ipAlternativeName(String ip) {
    try {
        v3();
        String alternativeName = ip;
        if (ip.startsWith("ip:")) {
            alternativeName = ip.substring(3);
        }
        //                InetAddress ipAddress = new InetAddress.getByName(alternativeName.substring(3));
        //                IPAddressName ipAddressName = new IPAddressName(ipAddress.getAddress());
        IPAddressName ipAddressName = new IPAddressName(alternativeName);
        if (alternativeNames == null) {
            alternativeNames = new GeneralNames();
        }
        alternativeNames.add(new GeneralName(ipAddressName));
        SubjectAlternativeNameExtension san = new SubjectAlternativeNameExtension(alternativeNames);
        if (certificateExtensions == null) {
            certificateExtensions = new CertificateExtensions();
        }
        certificateExtensions.set(san.getExtensionId().toString(), san);
        info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
    //   ObjectIdentifier("2.5.29.17") , false, "ipaddress".getBytes()                            
    } catch (Exception e) {
        fault(e, "ipAlternativeName(%s)", ip);
    }
    return this;
}
Also used : GeneralNames(sun.security.x509.GeneralNames) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) IPAddressName(sun.security.x509.IPAddressName) CertificateExtensions(sun.security.x509.CertificateExtensions) GeneralName(sun.security.x509.GeneralName)

Example 83 with GeneralName

use of org.openecard.bouncycastle.asn1.x509.GeneralName in project XobotOS by xamarin.

the class CertPathValidatorUtilities method getCRLIssuersFromDistributionPoint.

/**
     * Add the CRL issuers from the cRLIssuer field of the distribution point or
     * from the certificate if not given to the issuer criterion of the
     * <code>selector</code>.
     * <p>
     * The <code>issuerPrincipals</code> are a collection with a single
     * <code>X500Principal</code> for <code>X509Certificate</code>s. For
     * {@link X509AttributeCertificate}s the issuer may contain more than one
     * <code>X500Principal</code>.
     *
     * @param dp The distribution point.
     * @param issuerPrincipals The issuers of the certificate or attribute
     *            certificate which contains the distribution point.
     * @param selector The CRL selector.
     * @param pkixParams The PKIX parameters containing the cert stores.
     * @throws AnnotatedException if an exception occurs while processing.
     * @throws ClassCastException if <code>issuerPrincipals</code> does not
     * contain only <code>X500Principal</code>s.
     */
protected static void getCRLIssuersFromDistributionPoint(DistributionPoint dp, Collection issuerPrincipals, X509CRLSelector selector, ExtendedPKIXParameters pkixParams) throws AnnotatedException {
    List issuers = new ArrayList();
    // indirect CRL
    if (dp.getCRLIssuer() != null) {
        GeneralName[] genNames = dp.getCRLIssuer().getNames();
        // look for a DN
        for (int j = 0; j < genNames.length; j++) {
            if (genNames[j].getTagNo() == GeneralName.directoryName) {
                try {
                    issuers.add(new X500Principal(genNames[j].getName().getDERObject().getEncoded()));
                } catch (IOException e) {
                    throw new AnnotatedException("CRL issuer information from distribution point cannot be decoded.", e);
                }
            }
        }
    } else {
        /*
             * certificate issuer is CRL issuer, distributionPoint field MUST be
             * present.
             */
        if (dp.getDistributionPoint() == null) {
            throw new AnnotatedException("CRL issuer is omitted from distribution point but no distributionPoint field present.");
        }
        // add and check issuer principals
        for (Iterator it = issuerPrincipals.iterator(); it.hasNext(); ) {
            issuers.add((X500Principal) it.next());
        }
    }
    // TODO: is not found although this should correctly add the rel name. selector of Sun is buggy here or PKI test case is invalid
    // distributionPoint
    //        if (dp.getDistributionPoint() != null)
    //        {
    //            // look for nameRelativeToCRLIssuer
    //            if (dp.getDistributionPoint().getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER)
    //            {
    //                // append fragment to issuer, only one
    //                // issuer can be there, if this is given
    //                if (issuers.size() != 1)
    //                {
    //                    throw new AnnotatedException(
    //                        "nameRelativeToCRLIssuer field is given but more than one CRL issuer is given.");
    //                }
    //                DEREncodable relName = dp.getDistributionPoint().getName();
    //                Iterator it = issuers.iterator();
    //                List issuersTemp = new ArrayList(issuers.size());
    //                while (it.hasNext())
    //                {
    //                    Enumeration e = null;
    //                    try
    //                    {
    //                        e = ASN1Sequence.getInstance(
    //                            new ASN1InputStream(((X500Principal) it.next())
    //                                .getEncoded()).readObject()).getObjects();
    //                    }
    //                    catch (IOException ex)
    //                    {
    //                        throw new AnnotatedException(
    //                            "Cannot decode CRL issuer information.", ex);
    //                    }
    //                    ASN1EncodableVector v = new ASN1EncodableVector();
    //                    while (e.hasMoreElements())
    //                    {
    //                        v.add((DEREncodable) e.nextElement());
    //                    }
    //                    v.add(relName);
    //                    issuersTemp.add(new X500Principal(new DERSequence(v)
    //                        .getDEREncoded()));
    //                }
    //                issuers.clear();
    //                issuers.addAll(issuersTemp);
    //            }
    //        }
    Iterator it = issuers.iterator();
    while (it.hasNext()) {
        try {
            selector.addIssuerName(((X500Principal) it.next()).getEncoded());
        } catch (IOException ex) {
            throw new AnnotatedException("Cannot decode CRL issuer information.", ex);
        }
    }
}
Also used : ArrayList(java.util.ArrayList) Iterator(java.util.Iterator) X500Principal(javax.security.auth.x500.X500Principal) List(java.util.List) ArrayList(java.util.ArrayList) CertificateList(org.bouncycastle.asn1.x509.CertificateList) GeneralName(org.bouncycastle.asn1.x509.GeneralName) IOException(java.io.IOException) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)

Example 84 with GeneralName

use of org.openecard.bouncycastle.asn1.x509.GeneralName in project XobotOS by xamarin.

the class CertPathValidatorUtilities method addAdditionalStoresFromCRLDistributionPoint.

// BEGIN android-removed
// protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect,
//                                              List certStores)
// throws AnnotatedException
// {
//     Set certs = new HashSet();
//     Iterator iter = certStores.iterator();
//
//     while (iter.hasNext())
//     {
//         Object obj = iter.next();
//
//         if (obj instanceof X509Store)
//         {
//             X509Store certStore = (X509Store)obj;
//             try
//             {
//                 certs.addAll(certStore.getMatches(certSelect));
//             }
//             catch (StoreException e)
//             {
//                 throw
//
//                     new AnnotatedException(
//                         "Problem while picking certificates from X.509 store.", e);
//             }
//         }
//     }
//     return certs;
// }
// END android-removed
protected static void addAdditionalStoresFromCRLDistributionPoint(CRLDistPoint crldp, ExtendedPKIXParameters pkixParams) throws AnnotatedException {
    if (crldp != null) {
        DistributionPoint[] dps = null;
        try {
            dps = crldp.getDistributionPoints();
        } catch (Exception e) {
            throw new AnnotatedException("Distribution points could not be read.", e);
        }
        for (int i = 0; i < dps.length; i++) {
            DistributionPointName dpn = dps[i].getDistributionPoint();
            // look for URIs in fullName
            if (dpn != null) {
                if (dpn.getType() == DistributionPointName.FULL_NAME) {
                    GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
                    // look for an URI
                    for (int j = 0; j < genNames.length; j++) {
                        if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) {
                            String location = DERIA5String.getInstance(genNames[j].getName()).getString();
                            CertPathValidatorUtilities.addAdditionalStoreFromLocation(location, pkixParams);
                        }
                    }
                }
            }
        }
    }
}
Also used : DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ParseException(java.text.ParseException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertStoreException(java.security.cert.CertStoreException) CertificateParsingException(java.security.cert.CertificateParsingException) StoreException(org.bouncycastle.util.StoreException) IOException(java.io.IOException) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)

Example 85 with GeneralName

use of org.openecard.bouncycastle.asn1.x509.GeneralName in project XobotOS by xamarin.

the class RFC3280CertPathUtilities method checkCRLs.

/**
     * Checks a certificate if it is revoked.
     *
     * @param paramsPKIX       PKIX parameters.
     * @param cert             Certificate to check if it is revoked.
     * @param validDate        The date when the certificate revocation status should be
     *                         checked.
     * @param sign             The issuer certificate of the certificate <code>cert</code>.
     * @param workingPublicKey The public key of the issuer certificate <code>sign</code>.
     * @param certPathCerts    The certificates of the certification path.
     * @throws AnnotatedException if the certificate is revoked or the status cannot be checked
     *                            or some error occurs.
     */
protected static void checkCRLs(ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, List certPathCerts) throws AnnotatedException {
    AnnotatedException lastException = null;
    CRLDistPoint crldp = null;
    try {
        crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS));
    } catch (Exception e) {
        throw new AnnotatedException("CRL distribution point extension could not be read.", e);
    }
    try {
        CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX);
    } catch (AnnotatedException e) {
        throw new AnnotatedException("No additional CRL locations could be decoded from CRL distribution point extension.", e);
    }
    CertStatus certStatus = new CertStatus();
    ReasonsMask reasonsMask = new ReasonsMask();
    boolean validCrlFound = false;
    // for each distribution point
    if (crldp != null) {
        DistributionPoint[] dps = null;
        try {
            dps = crldp.getDistributionPoints();
        } catch (Exception e) {
            throw new AnnotatedException("Distribution points could not be read.", e);
        }
        if (dps != null) {
            for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) {
                ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
                try {
                    checkCRL(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts);
                    validCrlFound = true;
                } catch (AnnotatedException e) {
                    lastException = e;
                }
            }
        }
    }
    if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
        try {
            /*
                 * assume a DP with both the reasons and the cRLIssuer fields
                 * omitted and a distribution point name of the certificate
                 * issuer.
                 */
            DERObject issuer = null;
            try {
                issuer = new ASN1InputStream(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded()).readObject();
            } catch (Exception e) {
                throw new AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e);
            }
            DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null);
            ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
            checkCRL(dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts);
            validCrlFound = true;
        } catch (AnnotatedException e) {
            lastException = e;
        }
    }
    if (!validCrlFound) {
        if (lastException instanceof AnnotatedException) {
            throw lastException;
        }
        throw new AnnotatedException("No valid CRL found.", lastException);
    }
    if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
        String message = "Certificate revocation after " + certStatus.getRevocationDate();
        message += ", reason: " + crlReasons[certStatus.getCertStatus()];
        throw new AnnotatedException(message);
    }
    if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) {
        certStatus.setCertStatus(CertStatus.UNDETERMINED);
    }
    if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) {
        throw new AnnotatedException("Certificate status could not be determined.");
    }
}
Also used : ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) DERObject(org.bouncycastle.asn1.DERObject) ExtendedPKIXParameters(org.bouncycastle.x509.ExtendedPKIXParameters) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)

Aggregations

GeneralName (org.bouncycastle.asn1.x509.GeneralName)125 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)59 IOException (java.io.IOException)49 DERIA5String (org.bouncycastle.asn1.DERIA5String)36 ArrayList (java.util.ArrayList)34 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)32 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)31 X500Name (org.bouncycastle.asn1.x500.X500Name)30 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)28 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)27 X509Certificate (java.security.cert.X509Certificate)25 DEROctetString (org.bouncycastle.asn1.DEROctetString)24 List (java.util.List)21 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)19 Date (java.util.Date)18 GeneralName (org.apache.harmony.security.x509.GeneralName)18 DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)18 DERSequence (org.bouncycastle.asn1.DERSequence)17 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)16 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)16