Search in sources :

Example 16 with CertprofileException

use of org.xipki.ca.api.profile.CertprofileException in project xipki by xipki.

the class CaManagerImpl method createCertprofile.

// method createX509CrlSigner
IdentifiedX509Certprofile createCertprofile(CertprofileEntry dbEntry) throws CaMgmtException {
    ParamUtil.requireNonNull("dbEntry", dbEntry);
    try {
        X509Certprofile profile = x509CertProfileFactoryRegister.newCertprofile(dbEntry.getType());
        IdentifiedX509Certprofile ret = new IdentifiedX509Certprofile(dbEntry, profile);
        ret.setEnvParameterResolver(envParameterResolver);
        ret.validate();
        return ret;
    } catch (ObjectCreationException | CertprofileException ex) {
        String msg = "could not initialize Certprofile " + dbEntry.getIdent();
        LogUtil.error(LOG, ex, msg);
        throw new CaMgmtException(msg, ex);
    }
}
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) X509Certprofile(org.xipki.ca.api.profile.x509.X509Certprofile) ObjectCreationException(org.xipki.common.ObjectCreationException) CertprofileException(org.xipki.ca.api.profile.CertprofileException)

Example 17 with CertprofileException

use of org.xipki.ca.api.profile.CertprofileException in project xipki by xipki.

the class IdentifiedX509Certprofile method validate.

public void validate() throws CertprofileException {
    StringBuilder msg = new StringBuilder();
    Map<ASN1ObjectIdentifier, ExtensionControl> controls = getExtensionControls();
    // make sure that non-request extensions are not permitted in requests
    Set<ASN1ObjectIdentifier> set = new HashSet<>();
    for (ASN1ObjectIdentifier type : NONE_REQUEST_EXTENSION_TYPES) {
        ExtensionControl control = controls.get(type);
        if (control != null && control.isRequest()) {
            set.add(type);
        }
    }
    if (CollectionUtil.isNonEmpty(set)) {
        msg.append("extensions ").append(toString(set)).append(" must not be contained in request, ");
    }
    X509CertLevel level = getCertLevel();
    boolean ca = (level == X509CertLevel.RootCA) || (level == X509CertLevel.SubCA);
    // make sure that CA-only extensions are not permitted in EE certificate
    set.clear();
    if (!ca) {
        set.clear();
        for (ASN1ObjectIdentifier type : CA_ONLY_EXTENSION_TYPES) {
            if (controls.containsKey(type)) {
                set.add(type);
            }
        }
        if (CollectionUtil.isNonEmpty(set)) {
            msg.append("EE profile contains CA-only extensions ").append(toString(set)).append(", ");
        }
    }
    // make sure that critical only extensions are not marked as non-critical.
    set.clear();
    for (ASN1ObjectIdentifier type : controls.keySet()) {
        ExtensionControl control = controls.get(type);
        if (CRITICAL_ONLY_EXTENSION_TYPES.contains(type)) {
            if (!control.isCritical()) {
                set.add(type);
            }
        }
        if (ca && CA_CRITICAL_ONLY_EXTENSION_TYPES.contains(type)) {
            if (!control.isCritical()) {
                set.add(type);
            }
        }
    }
    if (CollectionUtil.isNonEmpty(set)) {
        msg.append("critical only extensions are marked as non-critical ");
        msg.append(toString(set)).append(", ");
    }
    // make sure that non-critical only extensions are not marked as critical.
    set.clear();
    for (ASN1ObjectIdentifier type : controls.keySet()) {
        ExtensionControl control = controls.get(type);
        if (NONCRITICAL_ONLY_EXTENSION_TYPES.contains(type)) {
            if (control.isCritical()) {
                set.add(type);
            }
        }
    }
    if (CollectionUtil.isNonEmpty(set)) {
        msg.append("non-critical extensions are marked as critical ").append(toString(set)).append(", ");
    }
    // make sure that required extensions are present
    set.clear();
    Set<ASN1ObjectIdentifier> requiredTypes = ca ? REQUIRED_CA_EXTENSION_TYPES : REQUIRED_EE_EXTENSION_TYPES;
    for (ASN1ObjectIdentifier type : requiredTypes) {
        ExtensionControl extCtrl = controls.get(type);
        if (extCtrl == null || !extCtrl.isRequired()) {
            set.add(type);
        }
    }
    if (level == X509CertLevel.SubCA) {
        ASN1ObjectIdentifier type = Extension.authorityKeyIdentifier;
        ExtensionControl extCtrl = controls.get(type);
        if (extCtrl == null || !extCtrl.isRequired()) {
            set.add(type);
        }
    }
    if (!set.isEmpty()) {
        msg.append("required extensions are not marked as required ").append(toString(set)).append(", ");
    }
    // KeyUsage
    Set<KeyUsageControl> usages = getKeyUsage();
    if (ca) {
        // make sure the CA certificate contains usage keyCertSign
        if (!containsKeyusage(usages, KeyUsage.keyCertSign)) {
            msg.append("CA profile does not contain keyUsage ").append(KeyUsage.keyCertSign).append(", ");
        }
    } else {
        // make sure the EE certificate does not contain CA-only usages
        KeyUsage[] caOnlyUsages = { KeyUsage.keyCertSign, KeyUsage.cRLSign };
        Set<KeyUsage> setUsages = new HashSet<>();
        for (KeyUsage caOnlyUsage : caOnlyUsages) {
            if (containsKeyusage(usages, caOnlyUsage)) {
                setUsages.add(caOnlyUsage);
            }
        }
        if (CollectionUtil.isNonEmpty(set)) {
            msg.append("EE profile contains CA-only keyUsage ").append(setUsages).append(", ");
        }
    }
    final int len = msg.length();
    if (len > 2) {
        msg.delete(len - 2, len);
        throw new CertprofileException(msg.toString());
    }
}
Also used : KeyUsageControl(org.xipki.ca.api.profile.x509.KeyUsageControl) ExtKeyUsageControl(org.xipki.ca.api.profile.x509.ExtKeyUsageControl) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) KeyUsage(org.xipki.security.KeyUsage) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) CertprofileException(org.xipki.ca.api.profile.CertprofileException) ExtensionControl(org.xipki.ca.api.profile.ExtensionControl) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) X509CertLevel(org.xipki.ca.api.profile.x509.X509CertLevel) HashSet(java.util.HashSet)

Example 18 with CertprofileException

use of org.xipki.ca.api.profile.CertprofileException in project xipki by xipki.

the class ExtensionsChecker method checkExtensionSubjectAltName.

// method checkExtensionSubjectDirectoryAttributes
private void checkExtensionSubjectAltName(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl, X500Name requestedSubject) {
    Set<GeneralNameMode> conf = certProfile.getSubjectAltNameModes();
    GeneralName[] requested;
    try {
        requested = getRequestedSubjectAltNames(requestedSubject, requestedExtensions);
    } catch (CertprofileException | BadCertTemplateException ex) {
        String msg = "error while derive grantedSubject from requestedSubject";
        LogUtil.warn(LOG, ex, msg);
        failureMsg.append(msg);
        return;
    }
    if (requested == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }
    GeneralName[] is = GeneralNames.getInstance(extensionValue).getNames();
    GeneralName[] expected = new GeneralName[requested.length];
    for (int i = 0; i < is.length; i++) {
        try {
            expected[i] = createGeneralName(is[i], conf);
        } catch (BadCertTemplateException ex) {
            failureMsg.append("could not process ").append(i + 1).append("-th name: ").append(ex.getMessage()).append("; ");
            return;
        }
    }
    if (is.length != expected.length) {
        addViolation(failureMsg, "size of GeneralNames", is.length, expected.length);
        return;
    }
    for (int i = 0; i < is.length; i++) {
        if (!is[i].equals(expected[i])) {
            failureMsg.append(i + 1).append("-th name does not match the requested one; ");
        }
    }
}
Also used : GeneralNameMode(org.xipki.ca.api.profile.GeneralNameMode) CertprofileException(org.xipki.ca.api.profile.CertprofileException) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERBMPString(org.bouncycastle.asn1.DERBMPString) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) ASN1String(org.bouncycastle.asn1.ASN1String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERT61String(org.bouncycastle.asn1.DERT61String) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)

Example 19 with CertprofileException

use of org.xipki.ca.api.profile.CertprofileException in project xipki by xipki.

the class ExtensionsChecker method buildConstantExtesions.

// method getExtensionValue
public static Map<ASN1ObjectIdentifier, QaExtensionValue> buildConstantExtesions(ExtensionsType extensionsType) throws CertprofileException {
    if (extensionsType == null) {
        return null;
    }
    Map<ASN1ObjectIdentifier, QaExtensionValue> map = new HashMap<>();
    for (ExtensionType m : extensionsType.getExtension()) {
        if (m.getValue() == null || !(m.getValue().getAny() instanceof ConstantExtValue)) {
            continue;
        }
        ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier(m.getType().getValue());
        if (Extension.subjectAlternativeName.equals(oid) || Extension.subjectInfoAccess.equals(oid) || Extension.biometricInfo.equals(oid)) {
            continue;
        }
        ConstantExtValue extConf = (ConstantExtValue) m.getValue().getAny();
        byte[] encodedValue = extConf.getValue();
        ASN1StreamParser parser = new ASN1StreamParser(encodedValue);
        try {
            parser.readObject();
        } catch (IOException ex) {
            throw new CertprofileException("could not parse the constant extension value", ex);
        }
        QaExtensionValue extension = new QaExtensionValue(m.isCritical(), encodedValue);
        map.put(oid, extension);
    }
    if (CollectionUtil.isEmpty(map)) {
        return null;
    }
    return Collections.unmodifiableMap(map);
}
Also used : QaExtensionValue(org.xipki.ca.qa.internal.QaExtensionValue) HashMap(java.util.HashMap) CertprofileException(org.xipki.ca.api.profile.CertprofileException) ExtensionType(org.xipki.ca.certprofile.x509.jaxb.ExtensionType) IOException(java.io.IOException) ConstantExtValue(org.xipki.ca.certprofile.x509.jaxb.ConstantExtValue) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) ASN1StreamParser(org.bouncycastle.asn1.ASN1StreamParser)

Example 20 with CertprofileException

use of org.xipki.ca.api.profile.CertprofileException in project xipki by xipki.

the class ExtensionsChecker method getRequestedSubjectAltNames.

// method checkExtensionSubjectAltName
private GeneralName[] getRequestedSubjectAltNames(X500Name requestedSubject, Extensions requestedExtensions) throws CertprofileException, BadCertTemplateException {
    ASN1Encodable extValue = (requestedExtensions == null) ? null : requestedExtensions.getExtensionParsedValue(Extension.subjectAlternativeName);
    Map<ASN1ObjectIdentifier, GeneralNameTag> subjectToSubjectAltNameModes = certProfile.getSubjectToSubjectAltNameModes();
    if (extValue == null && subjectToSubjectAltNameModes == null) {
        return null;
    }
    GeneralNames reqNames = (extValue == null) ? null : GeneralNames.getInstance(extValue);
    Set<GeneralNameMode> subjectAltNameModes = certProfile.getSubjectAltNameModes();
    if (subjectAltNameModes == null && subjectToSubjectAltNameModes == null) {
        return (reqNames == null) ? null : reqNames.getNames();
    }
    List<GeneralName> grantedNames = new LinkedList<>();
    // copy the required attributes of Subject
    if (subjectToSubjectAltNameModes != null) {
        X500Name grantedSubject;
        try {
            grantedSubject = certProfile.getSubject(requestedSubject).getGrantedSubject();
        } catch (CertprofileException | BadCertTemplateException ex) {
            if (certProfile.getSpecialCertprofileBehavior() == null) {
                throw ex;
            }
            LogUtil.warn(LOG, ex, "could not derive granted subject from requested subject");
            grantedSubject = requestedSubject;
        }
        for (ASN1ObjectIdentifier attrType : subjectToSubjectAltNameModes.keySet()) {
            GeneralNameTag tag = subjectToSubjectAltNameModes.get(attrType);
            RDN[] rdns = grantedSubject.getRDNs(attrType);
            if (rdns == null) {
                rdns = requestedSubject.getRDNs(attrType);
            }
            if (rdns == null) {
                continue;
            }
            for (RDN rdn : rdns) {
                String rdnValue = X509Util.rdnValueToString(rdn.getFirst().getValue());
                switch(tag) {
                    case rfc822Name:
                    case dNSName:
                    case uniformResourceIdentifier:
                    case iPAddress:
                    case directoryName:
                    case registeredID:
                        grantedNames.add(new GeneralName(tag.getTag(), rdnValue));
                        break;
                    default:
                        throw new RuntimeException("should not reach here, unknown GeneralName tag " + tag);
                }
            // end switch (tag)
            }
        }
    }
    // copy the requested SubjectAltName entries
    if (reqNames != null) {
        GeneralName[] reqL = reqNames.getNames();
        for (int i = 0; i < reqL.length; i++) {
            grantedNames.add(reqL[i]);
        }
    }
    return grantedNames.isEmpty() ? null : grantedNames.toArray(new GeneralName[0]);
}
Also used : GeneralNameMode(org.xipki.ca.api.profile.GeneralNameMode) GeneralNameTag(org.xipki.ca.api.profile.GeneralNameTag) X500Name(org.bouncycastle.asn1.x500.X500Name) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERBMPString(org.bouncycastle.asn1.DERBMPString) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) ASN1String(org.bouncycastle.asn1.ASN1String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERT61String(org.bouncycastle.asn1.DERT61String) LinkedList(java.util.LinkedList) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) CertprofileException(org.xipki.ca.api.profile.CertprofileException) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) GeneralName(org.bouncycastle.asn1.x509.GeneralName) RDN(org.bouncycastle.asn1.x500.RDN) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Aggregations

CertprofileException (org.xipki.ca.api.profile.CertprofileException)27 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)18 HashMap (java.util.HashMap)8 IOException (java.io.IOException)7 HashSet (java.util.HashSet)7 DERPrintableString (org.bouncycastle.asn1.DERPrintableString)6 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)6 BadCertTemplateException (org.xipki.ca.api.BadCertTemplateException)6 ExtensionValue (org.xipki.ca.api.profile.ExtensionValue)6 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)5 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)5 DERIA5String (org.bouncycastle.asn1.DERIA5String)5 DEROctetString (org.bouncycastle.asn1.DEROctetString)5 DERTaggedObject (org.bouncycastle.asn1.DERTaggedObject)5 DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)5 X500Name (org.bouncycastle.asn1.x500.X500Name)5 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)5 BigInteger (java.math.BigInteger)4 ArrayList (java.util.ArrayList)4 LinkedList (java.util.LinkedList)4