
Example 21 with BadCertTemplateException

use of org.xipki.ca.api.BadCertTemplateException in project xipki by xipki.

the class ExtensionsChecker method checkExtensionSubjectAltName.

// method checkExtensionSubjectDirectoryAttributes
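/**
 * Checks the SubjectAltName extension of an issued certificate against the names the
 * request (plus the profile's subject-attribute-to-SAN mapping) entitled the requester to.
 *
 * <p>Security note: the issued names are compared by content, not merely by count.
 * The comparison is positional, i.e. it assumes the CA emits the names in the order
 * {@link #getRequestedSubjectAltNames} derives them (subject-derived names first, then the
 * names of the request's own extension). The same positional pairing was already implicit
 * in the size check; if the CA ever reorders names, revisit this.
 *
 * @param failureMsg collects human-readable findings; nothing appended means the extension passed
 * @param extensionValue DER-encoded {@code GeneralNames} taken from the issued certificate
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @param extControl profile control of this extension (not consulted here; kept for signature parity)
 * @param requestedSubject subject from the request; the profile may map some of its attributes into the SAN
 */
private void checkExtensionSubjectAltName(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl, X500Name requestedSubject) {
    Set<GeneralNameMode> conf = certProfile.getSubjectAltNameModes();
    GeneralName[] requested;
    try {
        requested = getRequestedSubjectAltNames(requestedSubject, requestedExtensions);
    } catch (CertprofileException | BadCertTemplateException ex) {
        String msg = "error while derive grantedSubject from requestedSubject";
        LogUtil.warn(LOG, ex, msg);
        failureMsg.append(msg);
        return;
    }
    if (requested == null) {
        // neither the request nor the profile yields a name, yet the certificate carries the extension
        failureMsg.append("extension is present but not expected; ");
        return;
    }
    GeneralName[] is = GeneralNames.getInstance(extensionValue).getNames();
    // Compare the counts before any indexing: the previous code filled an array sized by
    // requested.length while iterating over is.length, so a certificate carrying MORE names
    // than requested crashed the checker with ArrayIndexOutOfBoundsException instead of
    // being reported as a violation.
    if (is.length != requested.length) {
        addViolation(failureMsg, "size of GeneralNames", is.length, requested.length);
        return;
    }
    // Derive the expected, profile-normalized form of each REQUESTED name. This also rejects
    // requested name types the profile does not permit; a certificate that carries such a
    // name anyway is thereby reported.
    GeneralName[] expected = new GeneralName[requested.length];
    for (int i = 0; i < requested.length; i++) {
        try {
            expected[i] = createGeneralName(requested[i], conf);
        } catch (BadCertTemplateException ex) {
            failureMsg.append("could not process ").append(i + 1).append("-th name: ").append(ex.getMessage()).append("; ");
            return;
        }
    }
    // Content check. Previously `requested` contributed only its length and every issued
    // name was compared with a normalized copy of itself, so a certificate with the right
    // number of names but different values passed this check. Now each issued name must
    // equal the normalized requested name at the same position.
    for (int i = 0; i < is.length; i++) {
        if (!is[i].equals(expected[i])) {
            failureMsg.append(i + 1).append("-th name does not match the requested one; ");
        }
    }
}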

Example 22 with BadCertTemplateException

use of org.xipki.ca.api.BadCertTemplateException in project xipki by xipki.

the class ExtensionsChecker method getRequestedSubjectAltNames.

// method checkExtensionSubjectAltName
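/**
 * Derives the complete list of SubjectAltName entries the issued certificate is expected to
 * contain: first the names the profile maps from subject attributes
 * ({@code certProfile.getSubjectToSubjectAltNameModes()}), then the names of the request's own
 * SubjectAltName extension, in that order.
 *
 * @param requestedSubject subject from the request
 * @param requestedExtensions extensions from the request, may be {@code null}
 * @return the expected names in order, or {@code null} when neither the request nor the profile
 *         yields any name
 * @throws CertprofileException if the profile cannot derive the granted subject
 * @throws BadCertTemplateException if the profile rejects the request, or if a subject attribute
 *         value cannot be converted to the configured GeneralName type (e.g. an unparsable IP
 *         address, OID or directory name)
 */
private GeneralName[] getRequestedSubjectAltNames(X500Name requestedSubject, Extensions requestedExtensions) throws CertprofileException, BadCertTemplateException {
    ASN1Encodable extValue = (requestedExtensions == null) ? null : requestedExtensions.getExtensionParsedValue(Extension.subjectAlternativeName);
    Map<ASN1ObjectIdentifier, GeneralNameTag> subjectToSubjectAltNameModes = certProfile.getSubjectToSubjectAltNameModes();
    if (extValue == null && subjectToSubjectAltNameModes == null) {
        return null;
    }
    GeneralNames reqNames = (extValue == null) ? null : GeneralNames.getInstance(extValue);
    Set<GeneralNameMode> subjectAltNameModes = certProfile.getSubjectAltNameModes();
    if (subjectAltNameModes == null && subjectToSubjectAltNameModes == null) {
        // the profile does not constrain the SAN at all: whatever was requested is expected verbatim
        return (reqNames == null) ? null : reqNames.getNames();
    }
    List<GeneralName> grantedNames = new LinkedList<>();
    // copy the required attributes of Subject
    if (subjectToSubjectAltNameModes != null) {
        X500Name grantedSubject;
        try {
            grantedSubject = certProfile.getSubject(requestedSubject).getGrantedSubject();
        } catch (CertprofileException | BadCertTemplateException ex) {
            if (certProfile.getSpecialCertprofileBehavior() == null) {
                throw ex;
            }
            // Profiles with a special behavior may fall back to the raw requested subject;
            // the failure is logged so it is not silently lost.
            LogUtil.warn(LOG, ex, "could not derive granted subject from requested subject");
            grantedSubject = requestedSubject;
        }
        for (ASN1ObjectIdentifier attrType : subjectToSubjectAltNameModes.keySet()) {
            GeneralNameTag tag = subjectToSubjectAltNameModes.get(attrType);
            RDN[] rdns = grantedSubject.getRDNs(attrType);
            if (rdns == null) {
                // NOTE(review): BouncyCastle's X500Name.getRDNs(oid) appears to return an empty
                // array rather than null for an absent attribute, so this fallback to the
                // requested subject looks unreachable — confirm the intended behavior when the
                // profile drops an attribute from the granted subject.
                rdns = requestedSubject.getRDNs(attrType);
            }
            if (rdns == null) {
                continue;
            }
            for (RDN rdn : rdns) {
                // only the first AttributeTypeAndValue of a multi-valued RDN is considered
                String rdnValue = X509Util.rdnValueToString(rdn.getFirst().getValue());
                switch(tag) {
                    case rfc822Name:
                    case dNSName:
                    case uniformResourceIdentifier:
                    case iPAddress:
                    case directoryName:
                    case registeredID:
                        try {
                            grantedNames.add(new GeneralName(tag.getTag(), rdnValue));
                        } catch (IllegalArgumentException ex) {
                            // BouncyCastle rejects e.g. a malformed IP address, OID or directory
                            // name with an unchecked exception. The value comes from the request,
                            // so report it as a template error: callers only handle
                            // BadCertTemplateException and would otherwise abort the whole check.
                            BadCertTemplateException bcte = new BadCertTemplateException("subject attribute " + attrType.getId() + " with value '" + rdnValue + "' cannot be converted to GeneralName of type " + tag);
                            bcte.initCause(ex);
                            throw bcte;
                        }
                        break;
                    default:
                        throw new RuntimeException("should not reach here, unknown GeneralName tag " + tag);
                }
            // end switch (tag)
            }
        }
    }
    // copy the requested SubjectAltName entries
    if (reqNames != null) {
        GeneralName[] reqL = reqNames.getNames();
        for (int i = 0; i < reqL.length; i++) {
            grantedNames.add(reqL[i]);
        }
    }
    return grantedNames.isEmpty() ? null : grantedNames.toArray(new GeneralName[0]);
}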

Example 23 with BadCertTemplateException

use of org.xipki.ca.api.BadCertTemplateException in project xipki by xipki.

the class PublicKeyChecker method checkPublicKey.

/**
 * Validates the public key of an issued certificate: optionally against the profile's permitted
 * key algorithms (only when {@code keyAlgorithms} is configured) and always against the key that
 * was requested.
 *
 * <p>Only the requested key is canonicalized to RFC 3279 style before the comparison; the issued
 * key is compared as passed in, so it is expected to already be in that form.
 *
 * @param publicKey the public key found in the issued certificate
 * @param requestedPublicKey the public key from the request
 * @return one {@code ValidationIssue} per performed check; an issue without failure message passed
 */
public List<ValidationIssue> checkPublicKey(SubjectPublicKeyInfo publicKey, SubjectPublicKeyInfo requestedPublicKey) {
    ParamUtil.requireNonNull("publicKey", publicKey);
    ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
    List<ValidationIssue> issues = new LinkedList<>();
    if (keyAlgorithms != null) {
        ValidationIssue algorithmIssue = new ValidationIssue("X509.PUBKEY.SYN", "whether the public key in certificate is permitted");
        issues.add(algorithmIssue);
        try {
            // single-argument overload: checks the key against the configured algorithms
            checkPublicKey(publicKey);
        } catch (BadCertTemplateException ex) {
            algorithmIssue.setFailureMessage(ex.getMessage());
        }
    }
    ValidationIssue matchIssue = new ValidationIssue("X509.PUBKEY.REQ", "whether public key matches the request one");
    issues.add(matchIssue);
    try {
        SubjectPublicKeyInfo canonicalRequested = X509Util.toRfc3279Style(requestedPublicKey);
        boolean sameKey = canonicalRequested.equals(publicKey);
        if (!sameKey) {
            matchIssue.setFailureMessage("public key in the certificate does not equal the requested one");
        }
    } catch (InvalidKeySpecException ex) {
        matchIssue.setFailureMessage("public key in request is invalid");
    }
    return issues;
}

Example 24 with BadCertTemplateException

use of org.xipki.ca.api.BadCertTemplateException in project xipki by xipki.

the class SubjectChecker method checkSubject.

/**
 * Validates the subject of an issued certificate against the profile's subject control and the
 * requested subject.
 *
 * <p>Two kinds of findings are produced: one issue for the RDN grouping rule (all attributes of a
 * configured group must sit in the very same RDN), and one issue per attribute type. The types
 * to check are the union of what the profile declares and what the certificate actually contains,
 * so an attribute the profile does not mention is still examined.
 *
 * @param subject the subject of the issued certificate
 * @param requestedSubject the subject from the request
 * @return the list of issues; an issue without failure message passed
 */
public List<ValidationIssue> checkSubject(X500Name subject, X500Name requestedSubject) {
    ParamUtil.requireNonNull("subject", subject);
    ParamUtil.requireNonNull("requestedSubject", requestedSubject);
    // union of profile-declared and actually-present attribute types
    Set<ASN1ObjectIdentifier> typesToCheck = new HashSet<>();
    for (ASN1ObjectIdentifier declared : subjectControl.getTypes()) {
        typesToCheck.add(declared);
    }
    for (ASN1ObjectIdentifier present : subject.getAttributeTypes()) {
        typesToCheck.add(present);
    }
    List<ValidationIssue> issues = new LinkedList<>();
    ValidationIssue groupIssue = new ValidationIssue("X509.SUBJECT.group", "X509 subject RDN group");
    issues.add(groupIssue);
    if (CollectionUtil.isNonEmpty(subjectControl.getGroups())) {
        groups:
        for (String group : new HashSet<>(subjectControl.getGroups())) {
            RDN sharedRdn = null;
            for (ASN1ObjectIdentifier type : subjectControl.getTypesForGroup(group)) {
                RDN[] rdns = subject.getRDNs(type);
                if (rdns == null || rdns.length == 0) {
                    continue;
                }
                // Reference comparison on purpose: the attributes of a group must live in the
                // very same RDN instance of the parsed subject, not merely in an equal one.
                boolean spreadOverRdns = rdns.length > 1 || (sharedRdn != null && sharedRdn != rdns[0]);
                if (spreadOverRdns) {
                    groupIssue.setFailureMessage("AttributeTypeAndValues of group " + group + " is not in one RDN");
                    // first violating group decides; remaining groups are not examined
                    break groups;
                }
                sharedRdn = rdns[0];
            }
        }
    }
    for (ASN1ObjectIdentifier type : typesToCheck) {
        ValidationIssue attributeIssue;
        try {
            attributeIssue = checkSubjectAttribute(type, subject, requestedSubject);
        } catch (BadCertTemplateException ex) {
            attributeIssue = new ValidationIssue("X509.SUBJECT.REQUEST", "Subject in request");
            attributeIssue.setFailureMessage(ex.getMessage());
        }
        issues.add(attributeIssue);
    }
    return issues;
}

Example 25 with BadCertTemplateException

use of org.xipki.ca.api.BadCertTemplateException in project xipki by xipki.

the class BaseX509Certprofile method createRdnValue.

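/**
 * Builds the ASN.1 value of one subject RDN from the requested text, applying the profile's
 * {@code RdnControl}: optional case-insensitive prefix/suffix handling, a per-occurrence regular
 * expression, a length range and the target string type.
 *
 * <p>Processing order determines what the regex and the length limits see: prefix and suffix are
 * stripped before the regex check (so the pattern constrains only the variable part) and re-added
 * in their configured spelling before the length check (so the limits apply to the complete value
 * that ends up in the certificate).
 *
 * @param text the requested attribute value; surrounding whitespace is ignored
 * @param type the attribute type, used only in error messages
 * @param option profile control for this attribute, or {@code null} for "no constraints, UTF8String"
 * @param index index of this occurrence of the attribute; selects the pattern from
 *        {@code option.getPatterns()} — the caller must keep it within that list's bounds
 * @return the encoded string of the configured type (default UTF8String)
 * @throws BadCertTemplateException when the value violates the regex or the length range
 */
private static ASN1Encodable createRdnValue(String text, ASN1ObjectIdentifier type, RdnControl option, int index) throws BadCertTemplateException {
    ParamUtil.requireNonNull("text", text);
    ParamUtil.requireNonNull("type", type);
    String tmpText = text.trim();
    StringType stringType = null;
    if (option != null) {
        stringType = option.getStringType();
        String prefix = option.getPrefix();
        String suffix = option.getSuffix();
        if (prefix != null || suffix != null) {
            // Case-insensitive match. Fold with Locale.ROOT so the outcome does not depend on the
            // JVM's default locale (e.g. under a Turkish locale 'I' lower-cases to dotless 'ı',
            // which would make the same request pass on one CA host and fail on another).
            // NOTE(review): the strip below uses prefix.length()/suffix.length() of the
            // configured strings; for the rare characters whose lower-case form has a different
            // length the offsets would be off. Fine for ASCII affixes — confirm if non-ASCII
            // prefixes/suffixes are allowed in profiles.
            String locTmpText = tmpText.toLowerCase(java.util.Locale.ROOT);
            if (prefix != null && locTmpText.startsWith(prefix.toLowerCase(java.util.Locale.ROOT))) {
                tmpText = tmpText.substring(prefix.length());
                locTmpText = tmpText.toLowerCase(java.util.Locale.ROOT);
            }
            if (suffix != null && locTmpText.endsWith(suffix.toLowerCase(java.util.Locale.ROOT))) {
                tmpText = tmpText.substring(0, tmpText.length() - suffix.length());
            }
        }
        List<Pattern> patterns = option.getPatterns();
        if (patterns != null) {
            // one pattern per occurrence of the attribute; an index beyond the list is a caller
            // bug and surfaces as IndexOutOfBoundsException
            Pattern pattern = patterns.get(index);
            if (!pattern.matcher(tmpText).matches()) {
                throw new BadCertTemplateException(String.format("invalid subject %s '%s' against regex '%s'", ObjectIdentifiers.oidToDisplayName(type), tmpText, pattern.pattern()));
            }
        }
        // the affixes are written back in their configured spelling, not the requested one
        tmpText = StringUtil.concat((prefix != null ? prefix : ""), tmpText, (suffix != null ? suffix : ""));
        int len = tmpText.length();
        Range range = option.getStringLengthRange();
        Integer minLen = (range == null) ? null : range.getMin();
        if (minLen != null && len < minLen) {
            throw new BadCertTemplateException(String.format("subject %s '%s' is too short (length (%d) < minLen (%d))", ObjectIdentifiers.oidToDisplayName(type), tmpText, len, minLen));
        }
        Integer maxLen = (range == null) ? null : range.getMax();
        if (maxLen != null && len > maxLen) {
            throw new BadCertTemplateException(String.format("subject %s '%s' is too long (length (%d) > maxLen (%d))", ObjectIdentifiers.oidToDisplayName(type), tmpText, len, maxLen));
        }
    }
    if (stringType == null) {
        stringType = StringType.utf8String;
    }
    return stringType.createString(tmpText.trim());
}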
