
Example 6 with GeneralNameMode

use of org.xipki.ca.api.profile.GeneralNameMode in project xipki by xipki.

the class ExtensionsChecker method checkExtensionSubjectAltName.

// method checkExtensionSubjectDirectoryAttributes
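/**
 * Checks the SubjectAltName extension found in the issued certificate against the
 * certificate profile and the names that were requested.
 *
 * <p>The expected names are derived with {@link #getRequestedSubjectAltNames}; a
 * failure there, or the absence of any requested name while the extension is
 * present, is reported as a violation. Each name present in the certificate is
 * then passed through {@code createGeneralName} with the profile's modes and
 * compared with the result.
 *
 * @param failureMsg          buffer that every detected violation is appended to
 * @param extensionValue      DER-encoded value of the SubjectAltName extension,
 *                            parsed with {@code GeneralNames.getInstance}
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @param extControl          control entry of this extension; not read by this
 *                            method, kept for signature parity with the other
 *                            {@code checkExtension*} methods
 * @param requestedSubject    subject of the request, used to derive subject-based
 *                            SAN entries
 */
private void checkExtensionSubjectAltName(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl, X500Name requestedSubject) {
    Set<GeneralNameMode> conf = certProfile.getSubjectAltNameModes();
    GeneralName[] requested;
    try {
        requested = getRequestedSubjectAltNames(requestedSubject, requestedExtensions);
    } catch (CertprofileException | BadCertTemplateException ex) {
        String msg = "error while derive grantedSubject from requestedSubject";
        LogUtil.warn(LOG, ex, msg);
        failureMsg.append(msg);
        return;
    }
    if (requested == null) {
        failureMsg.append("extension is present but not expected; ");
        return;
    }
    GeneralName[] is = GeneralNames.getInstance(extensionValue).getNames();
    // Compare the sizes before indexing: a certificate that carries more names
    // than were requested must be reported as a violation, not crash the checker
    // with an ArrayIndexOutOfBoundsException while filling `expected` below.
    if (is.length != requested.length) {
        addViolation(failureMsg, "size of GeneralNames", is.length, requested.length);
        return;
    }
    GeneralName[] expected = new GeneralName[requested.length];
    for (int i = 0; i < is.length; i++) {
        try {
            // NOTE(review): expected[i] is derived from the name present in the
            // certificate, so the comparison below verifies that each present name
            // conforms to the profile modes, not that it equals requested[i];
            // confirm whether a comparison against the requested names is intended.
            expected[i] = createGeneralName(is[i], conf);
        } catch (BadCertTemplateException ex) {
            failureMsg.append("could not process ").append(i + 1).append("-th name: ").append(ex.getMessage()).append("; ");
            return;
        }
    }
    for (int i = 0; i < is.length; i++) {
        if (!is[i].equals(expected[i])) {
            failureMsg.append(i + 1).append("-th name does not match the requested one; ");
        }
    }
}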

Example 7 with GeneralNameMode

use of org.xipki.ca.api.profile.GeneralNameMode in project xipki by xipki.

the class ExtensionsChecker method getRequestedSubjectAltNames.

// method checkExtensionSubjectAltName
/**
 * Derives the SubjectAltName entries that are expected to be granted for a request.
 *
 * <p>The result is built from two sources: subject attributes that the profile maps
 * to a GeneralName tag ({@code getSubjectToSubjectAltNameModes}), taken from the
 * granted subject and falling back to the requested subject, followed by the entries
 * of the requested SubjectAltName extension. When the profile configures neither
 * SAN modes nor subject-to-SAN mappings, the requested entries are returned as-is.
 *
 * @param requestedSubject    subject of the request
 * @param requestedExtensions extensions of the request, may be {@code null}
 * @return the expected names, or {@code null} if there is nothing to grant
 * @throws CertprofileException     if the granted subject cannot be derived and the
 *                                  profile has no special behavior configured
 * @throws BadCertTemplateException same condition as above
 */
private GeneralName[] getRequestedSubjectAltNames(X500Name requestedSubject, Extensions requestedExtensions) throws CertprofileException, BadCertTemplateException {
    ASN1Encodable extValue = null;
    if (requestedExtensions != null) {
        extValue = requestedExtensions.getExtensionParsedValue(Extension.subjectAlternativeName);
    }
    Map<ASN1ObjectIdentifier, GeneralNameTag> subjectToSanModes = certProfile.getSubjectToSubjectAltNameModes();
    if (extValue == null && subjectToSanModes == null) {
        return null;
    }
    GeneralNames requestedNames = null;
    if (extValue != null) {
        requestedNames = GeneralNames.getInstance(extValue);
    }
    Set<GeneralNameMode> sanModes = certProfile.getSubjectAltNameModes();
    if (sanModes == null && subjectToSanModes == null) {
        // nothing to merge or normalise: hand back the requested entries unchanged
        if (requestedNames == null) {
            return null;
        }
        return requestedNames.getNames();
    }
    List<GeneralName> granted = new LinkedList<>();
    // 1) subject attributes the profile promotes into the SubjectAltName
    if (subjectToSanModes != null) {
        X500Name grantedSubject = resolveGrantedSubject(requestedSubject);
        for (Map.Entry<ASN1ObjectIdentifier, GeneralNameTag> mapping : subjectToSanModes.entrySet()) {
            ASN1ObjectIdentifier attrType = mapping.getKey();
            GeneralNameTag tag = mapping.getValue();
            RDN[] rdns = grantedSubject.getRDNs(attrType);
            if (rdns == null) {
                // the attribute may have been dropped from the granted subject;
                // fall back to what was requested
                rdns = requestedSubject.getRDNs(attrType);
            }
            if (rdns == null) {
                continue;
            }
            for (RDN rdn : rdns) {
                String rdnValue = X509Util.rdnValueToString(rdn.getFirst().getValue());
                granted.add(subjectValueToGeneralName(tag, rdnValue));
            }
        }
    }
    // 2) entries of the requested SubjectAltName extension, in request order
    if (requestedNames != null) {
        for (GeneralName requestedName : requestedNames.getNames()) {
            granted.add(requestedName);
        }
    }
    if (granted.isEmpty()) {
        return null;
    }
    return granted.toArray(new GeneralName[0]);
}

/**
 * Returns the subject the profile would grant for {@code requestedSubject}.
 *
 * <p>If derivation fails and the profile declares a special behavior, the failure
 * is logged and the requested subject is used instead; otherwise the exception is
 * propagated.
 */
private X500Name resolveGrantedSubject(X500Name requestedSubject) throws CertprofileException, BadCertTemplateException {
    try {
        return certProfile.getSubject(requestedSubject).getGrantedSubject();
    } catch (CertprofileException | BadCertTemplateException ex) {
        if (certProfile.getSpecialCertprofileBehavior() == null) {
            throw ex;
        }
        LogUtil.warn(LOG, ex, "could not derive granted subject from requested subject");
        return requestedSubject;
    }
}

/**
 * Wraps a subject attribute value as a GeneralName of the given tag.
 *
 * <p>Only the tags that BouncyCastle can construct from a string are supported;
 * any other tag is a configuration error and raises a {@link RuntimeException}.
 */
private static GeneralName subjectValueToGeneralName(GeneralNameTag tag, String value) {
    switch (tag) {
        case rfc822Name:
        case dNSName:
        case uniformResourceIdentifier:
        case iPAddress:
        case directoryName:
        case registeredID:
            return new GeneralName(tag.getTag(), value);
        default:
            throw new RuntimeException("should not reach here, unknown GeneralName tag " + tag);
    }
}

Example 8 with GeneralNameMode

use of org.xipki.ca.api.profile.GeneralNameMode in project xipki by xipki.

the class XmlX509CertprofileUtil method buildGeneralNameMode.

// method buildPolicyConstrains
/**
 * Translates a {@code GeneralNameType} profile element into the set of
 * {@link GeneralNameMode}s it enables.
 *
 * <p>Every non-null child element of {@code name} contributes one mode for its
 * GeneralName tag. For {@code otherName} the mode additionally carries the set of
 * permitted type OIDs listed in the element.
 *
 * @param name the profile element, must not be {@code null}
 * @return the enabled modes, never empty
 * @throws CertprofileException if {@code name} enables no name type at all
 */
public static Set<GeneralNameMode> buildGeneralNameMode(GeneralNameType name) throws CertprofileException {
    ParamUtil.requireNonNull("name", name);
    Set<GeneralNameMode> modes = new HashSet<>();
    if (name.getOtherName() != null) {
        Set<ASN1ObjectIdentifier> otherNameTypes = new HashSet<>();
        for (OidWithDescType oid : name.getOtherName().getType()) {
            otherNameTypes.add(new ASN1ObjectIdentifier(oid.getValue()));
        }
        modes.add(new GeneralNameMode(GeneralNameTag.otherName, otherNameTypes));
    }
    addModeIfConfigured(modes, name.getRfc822Name(), GeneralNameTag.rfc822Name);
    addModeIfConfigured(modes, name.getDnsName(), GeneralNameTag.dNSName);
    addModeIfConfigured(modes, name.getDirectoryName(), GeneralNameTag.directoryName);
    addModeIfConfigured(modes, name.getEdiPartyName(), GeneralNameTag.ediPartyName);
    addModeIfConfigured(modes, name.getUniformResourceIdentifier(), GeneralNameTag.uniformResourceIdentifier);
    addModeIfConfigured(modes, name.getIpAddress(), GeneralNameTag.iPAddress);
    addModeIfConfigured(modes, name.getRegisteredID(), GeneralNameTag.registeredID);
    if (modes.isEmpty()) {
        throw new CertprofileException("GeneralNameType must not be empty");
    }
    return modes;
}

/**
 * Adds a plain (OID-less) mode for {@code tag} when the corresponding profile
 * element is present, i.e. {@code configured} is non-null.
 */
private static void addModeIfConfigured(Set<GeneralNameMode> modes, Object configured, GeneralNameTag tag) {
    if (configured != null) {
        modes.add(new GeneralNameMode(tag));
    }
}
