
Example 1 with X509CertLevel

use of org.xipki.ca.api.profile.x509.X509CertLevel in project xipki by xipki.

the class X509SelfSignedCertBuilder method generateSelfSigned.

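/**
 * Generates a self-signed root CA certificate for the key held by the configured signer.
 *
 * <p>Order of checks: argument validation, profile level ({@link X509CertLevel#RootCA}
 * only), proof-of-possession of the CSR, presence of the {@code keystore} parameter for
 * file-based signer types, then selection of a signer configuration that satisfies the
 * profile's signature-algorithm restriction. Only after all of these succeed is the
 * signer created and the certificate built.
 *
 * @param securityFactory factory used to verify the CSR's POP and to create the signer
 * @param signerType signer type; {@code pkcs12} and {@code jks} require a {@code keystore} parameter
 * @param signerConf CA signer configuration, possibly holding one entry per signature algorithm
 * @param certprofile profile the certificate is built from; must be of level {@code RootCA}
 * @param csr certification request whose proof-of-possession is verified before use
 * @param serialNumber serial number of the new certificate; must be positive
 * @param caCertUris passed through to {@code generateCertificate}
 * @param ocspUris passed through to {@code generateCertificate}
 * @param crlUris passed through to {@code generateCertificate}
 * @param deltaCrlUris passed through to {@code generateCertificate}
 * @param extraControl passed through to {@code generateCertificate}
 * @return the new certificate together with the signer configuration it was created from
 * @throws OperationException if no signer configuration matches the profile's restriction,
 *         the signer cannot be created, or its public key cannot be turned into a
 *         SubjectPublicKeyInfo
 * @throws InvalidConfException if the CSR's POP does not verify or the {@code keystore}
 *         parameter is missing for a PKCS12/JKS signer
 * @throws IllegalArgumentException if {@code serialNumber} is not positive or the profile is
 *         not a root-CA profile
 */
public static GenerateSelfSignedResult generateSelfSigned(SecurityFactory securityFactory, String signerType, String signerConf, IdentifiedX509Certprofile certprofile, CertificationRequest csr, BigInteger serialNumber, List<String> caCertUris, List<String> ocspUris, List<String> crlUris, List<String> deltaCrlUris, ConfPairs extraControl) throws OperationException, InvalidConfException {
    ParamUtil.requireNonNull("securityFactory", securityFactory);
    ParamUtil.requireNonBlank("signerType", signerType);
    ParamUtil.requireNonNull("certprofile", certprofile);
    ParamUtil.requireNonNull("csr", csr);
    ParamUtil.requireNonNull("serialNumber", serialNumber);
    // signum() is the idiomatic sign test; compareTo() is only contracted to return a
    // negative, zero or positive value, not exactly -1/0/1.
    if (serialNumber.signum() <= 0) {
        throw new IllegalArgumentException("serialNumber must not be non-positive: " + serialNumber);
    }
    X509CertLevel level = certprofile.getCertLevel();
    if (X509CertLevel.RootCA != level) {
        throw new IllegalArgumentException("certprofile is not of level " + X509CertLevel.RootCA);
    }
    // proof-of-possession check on the CSR: a request that fails it is rejected before
    // anything else is derived from it
    if (!securityFactory.verifyPopo(csr, null)) {
        throw new InvalidConfException("could not validate POP for the CSR");
    }
    if ("pkcs12".equalsIgnoreCase(signerType) || "jks".equalsIgnoreCase(signerType)) {
        // fail early with a clear message rather than letting signer creation fail later
        ConfPairs keyValues = new ConfPairs(signerConf);
        if (keyValues.value("keystore") == null) {
            throw new InvalidConfException("required parameter 'keystore' for types PKCS12 and JKS, is not specified");
        }
    }
    ConcurrentContentSigner signer;
    try {
        String thisSignerConf = selectSignerConf(CaEntry.splitCaSignerConfs(signerConf), certprofile.getSignatureAlgorithms());
        if (thisSignerConf == null) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "CA does not support any signature algorithm restricted by the cert profile");
        }
        // the cast selects the X509Certificate[] overload; no certificate chain is supplied
        signer = securityFactory.createSigner(signerType, new SignerConf(thisSignerConf), (X509Certificate[]) null);
    } catch (XiSecurityException | ObjectCreationException ex) {
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
    }
    SubjectPublicKeyInfo publicKeyInfo = extractPublicKeyInfo(signer);
    X509Certificate newCert = generateCertificate(signer, certprofile, csr, serialNumber, publicKeyInfo, caCertUris, ocspUris, crlUris, deltaCrlUris, extraControl);
    return new GenerateSelfSignedResult(signerConf, newCert);
}

/**
 * Picks the signer configuration to use for the given profile restriction.
 *
 * @param signerConfs (signature algorithm, signer configuration) pairs as split from the
 *        CA signer configuration
 * @param restrictedSigAlgos signature algorithms permitted by the profile; the list order is
 *        the preference order; empty or {@code null} means no restriction
 * @return the first permitted configuration; the first configuration at all when there is no
 *         restriction; {@code null} if nothing qualifies (including an empty {@code signerConfs})
 */
private static String selectSignerConf(List<String[]> signerConfs, List<String> restrictedSigAlgos) {
    if (CollectionUtil.isEmpty(restrictedSigAlgos)) {
        // no restriction: the CA's first signer configuration is the default (guard the
        // empty list instead of letting get(0) throw)
        return signerConfs.isEmpty() ? null : signerConfs.get(0)[1];
    }
    // walk the profile's algorithms in order so the most preferred supported one wins
    for (String algo : restrictedSigAlgos) {
        for (String[] pair : signerConfs) {
            if (pair[0].equals(algo)) {
                return pair[1];
            }
        }
    }
    return null;
}

/**
 * Derives the SubjectPublicKeyInfo to be certified from the signer.
 *
 * @param signer signer whose public key becomes the subject public key of the self-signed
 *        certificate
 * @return the public key of the signer in SubjectPublicKeyInfo form
 * @throws OperationException if the signer's certificate cannot be re-parsed or its public
 *         key cannot be converted
 */
private static SubjectPublicKeyInfo extractPublicKeyInfo(ConcurrentContentSigner signer) throws OperationException {
    if (signer.getCertificate() == null) {
        PublicKey signerPublicKey = signer.getPublicKey();
        try {
            return KeyUtil.createSubjectPublicKeyInfo(signerPublicKey);
        } catch (InvalidKeyException ex) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "cannot generate SubjectPublicKeyInfo from publicKey: " + ex.getMessage());
        }
    }
    // the signer's certificate is a dummy one and is used only as a public key container
    Certificate bcCert;
    try {
        bcCert = Certificate.getInstance(signer.getCertificate().getEncoded());
    } catch (Exception ex) {
        // NOTE(review): the cause is not chained here; only a (code, Throwable) constructor
        // is visible on OperationException, which would lose the context message
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not reparse certificate: " + ex.getMessage());
    }
    return bcCert.getSubjectPublicKeyInfo();
}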

Example 2 with X509CertLevel

use of org.xipki.ca.api.profile.x509.X509CertLevel in project xipki by xipki.

the class IdentifiedX509Certprofile method validate.

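/**
 * Validates this profile's extension controls and key usages for consistency with its
 * certificate level.
 *
 * <p>All violations are collected into one message (each terminated by {@code ", "}) and
 * reported with a single exception, so a misconfigured profile shows every problem at once.
 *
 * @throws CertprofileException if at least one rule is violated
 */
public void validate() throws CertprofileException {
    StringBuilder msg = new StringBuilder();
    Map<ASN1ObjectIdentifier, ExtensionControl> controls = getExtensionControls();
    X509CertLevel level = getCertLevel();
    boolean ca = (level == X509CertLevel.RootCA) || (level == X509CertLevel.SubCA);
    // scratch set, reused by every check below and cleared before each one
    Set<ASN1ObjectIdentifier> set = new HashSet<>();

    // make sure that non-request extensions are not permitted in requests
    for (ASN1ObjectIdentifier type : NONE_REQUEST_EXTENSION_TYPES) {
        ExtensionControl control = controls.get(type);
        if (control != null && control.isRequest()) {
            set.add(type);
        }
    }
    if (CollectionUtil.isNonEmpty(set)) {
        msg.append("extensions ").append(toString(set)).append(" must not be contained in request, ");
    }

    // make sure that CA-only extensions are not permitted in EE certificate
    if (!ca) {
        set.clear();
        for (ASN1ObjectIdentifier type : CA_ONLY_EXTENSION_TYPES) {
            if (controls.containsKey(type)) {
                set.add(type);
            }
        }
        if (CollectionUtil.isNonEmpty(set)) {
            msg.append("EE profile contains CA-only extensions ").append(toString(set)).append(", ");
        }
    }

    // make sure that critical only extensions are not marked as non-critical.
    // (CA_CRITICAL_ONLY_EXTENSION_TYPES only applies to CA profiles)
    set.clear();
    for (Map.Entry<ASN1ObjectIdentifier, ExtensionControl> entry : controls.entrySet()) {
        ASN1ObjectIdentifier type = entry.getKey();
        boolean criticalOnly = CRITICAL_ONLY_EXTENSION_TYPES.contains(type)
                || (ca && CA_CRITICAL_ONLY_EXTENSION_TYPES.contains(type));
        if (criticalOnly && !entry.getValue().isCritical()) {
            set.add(type);
        }
    }
    if (CollectionUtil.isNonEmpty(set)) {
        msg.append("critical only extensions are marked as non-critical ");
        msg.append(toString(set)).append(", ");
    }

    // make sure that non-critical only extensions are not marked as critical.
    set.clear();
    for (Map.Entry<ASN1ObjectIdentifier, ExtensionControl> entry : controls.entrySet()) {
        if (NONCRITICAL_ONLY_EXTENSION_TYPES.contains(entry.getKey()) && entry.getValue().isCritical()) {
            set.add(entry.getKey());
        }
    }
    if (CollectionUtil.isNonEmpty(set)) {
        msg.append("non-critical extensions are marked as critical ").append(toString(set)).append(", ");
    }

    // make sure that required extensions are present and marked as required
    set.clear();
    Set<ASN1ObjectIdentifier> requiredTypes = ca ? REQUIRED_CA_EXTENSION_TYPES : REQUIRED_EE_EXTENSION_TYPES;
    for (ASN1ObjectIdentifier type : requiredTypes) {
        if (!hasRequiredControl(controls, type)) {
            set.add(type);
        }
    }
    // SubCA profiles additionally have to require the AuthorityKeyIdentifier
    if (level == X509CertLevel.SubCA && !hasRequiredControl(controls, Extension.authorityKeyIdentifier)) {
        set.add(Extension.authorityKeyIdentifier);
    }
    if (!set.isEmpty()) {
        msg.append("required extensions are not marked as required ").append(toString(set)).append(", ");
    }

    // KeyUsage
    Set<KeyUsageControl> usages = getKeyUsage();
    if (ca) {
        // make sure the CA certificate contains usage keyCertSign
        if (!containsKeyusage(usages, KeyUsage.keyCertSign)) {
            msg.append("CA profile does not contain keyUsage ").append(KeyUsage.keyCertSign).append(", ");
        }
    } else {
        // make sure the EE certificate does not contain CA-only usages
        KeyUsage[] caOnlyUsages = { KeyUsage.keyCertSign, KeyUsage.cRLSign };
        Set<KeyUsage> caOnlyUsagesPresent = new HashSet<>();
        for (KeyUsage caOnlyUsage : caOnlyUsages) {
            if (containsKeyusage(usages, caOnlyUsage)) {
                caOnlyUsagesPresent.add(caOnlyUsage);
            }
        }
        // test the key-usage set that was just built; the previous version tested the
        // unrelated extension set, so an EE profile with keyCertSign/cRLSign could pass
        if (!caOnlyUsagesPresent.isEmpty()) {
            msg.append("EE profile contains CA-only keyUsage ").append(caOnlyUsagesPresent).append(", ");
        }
    }

    // every violation ends with ", "; strip the trailing separator before reporting
    final int len = msg.length();
    if (len > 2) {
        msg.delete(len - 2, len);
        throw new CertprofileException(msg.toString());
    }
}

/**
 * Tells whether {@code type} has an extension control that is marked as required.
 *
 * @param controls the profile's extension controls
 * @param type extension type to look up
 * @return {@code true} only if a control exists for {@code type} and it is required
 */
private static boolean hasRequiredControl(Map<ASN1ObjectIdentifier, ExtensionControl> controls, ASN1ObjectIdentifier type) {
    ExtensionControl extCtrl = controls.get(type);
    return extCtrl != null && extCtrl.isRequired();
}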

Example 3 with X509CertLevel

use of org.xipki.ca.api.profile.x509.X509CertLevel in project xipki by xipki.

the class ExtensionsChecker method checkExtensionBasicConstraints.

// method createExtensionIssue
/**
 * Checks the BasicConstraints extension of the certificate under test against the profile.
 *
 * <p>The cA flag must agree with the profile's certificate level (RootCA/SubCA are CA,
 * everything else is not). For a CA certificate the pathLenConstraint must be absent when
 * the profile has no path length, and must equal the profile's path length otherwise.
 *
 * @param failureMsg collector that {@code addViolation} appends detected violations to
 * @param extensionValue DER-encoded BasicConstraints extension value
 */
private void checkExtensionBasicConstraints(StringBuilder failureMsg, byte[] extensionValue) {
    BasicConstraints basicConstraints = BasicConstraints.getInstance(extensionValue);
    X509CertLevel level = certProfile.getCertLevel();
    boolean expectedCa = (level == X509CertLevel.RootCA) || (level == X509CertLevel.SubCA);
    boolean actualCa = basicConstraints.isCA();
    if (actualCa != expectedCa) {
        addViolation(failureMsg, "ca", actualCa, expectedCa);
    }
    // pathLenConstraint is only meaningful on CA certificates
    if (!actualCa) {
        return;
    }
    BigInteger actualPathLen = basicConstraints.getPathLenConstraint();
    Integer expectedPathLen = certProfile.getPathLen();
    if (expectedPathLen == null) {
        // profile has no path length: any value in the certificate is a violation
        if (actualPathLen != null) {
            addViolation(failureMsg, "pathLen", actualPathLen, "absent");
        }
        return;
    }
    // NOTE(review): the absent value is reported as "null" here but as "absent" above
    if (actualPathLen == null) {
        addViolation(failureMsg, "pathLen", "null", expectedPathLen);
    } else if (!BigInteger.valueOf(expectedPathLen).equals(actualPathLen)) {
        addViolation(failureMsg, "pathLen", actualPathLen, expectedPathLen);
    }
}
