
Example 1 with PolicyQualifier

use of org.xipki.ca.certprofile.xijson.conf.CertificatePolicies.PolicyQualifier in project xipki by xipki.

From class ExtensionConfBuilder, method createCertificatePolicies.

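/**
 * Builds the {@link CertificatePolicies} extension configuration from a map of
 * policy OIDs to their CPS URIs.
 *
 * @param policies map from policy identifier to the CPS URI published for that
 *     policy; a {@code null} value means the policy is configured without any
 *     qualifier
 * @return the extension configuration, or {@code null} when {@code policies} is
 *     {@code null} or empty (callers rely on {@code null} meaning "no extension")
 */
public static CertificatePolicies createCertificatePolicies(Map<ASN1ObjectIdentifier, String> policies) {
    if (policies == null || policies.isEmpty()) {
        return null;
    }
    CertificatePolicies extValue = new CertificatePolicies();
    List<CertificatePolicyInformationType> pis = extValue.getCertificatePolicyInformations();
    // Walk the entries directly instead of keySet() + get(): one lookup per policy.
    for (Map.Entry<ASN1ObjectIdentifier, String> entry : policies.entrySet()) {
        CertificatePolicyInformationType single = new CertificatePolicyInformationType();
        single.setPolicyIdentifier(createOidType(entry.getKey()));
        // At most one qualifier per policy here: the CPS URI, when one is configured.
        List<PolicyQualifier> qualifiers = new ArrayList<>(1);
        String cpsUri = entry.getValue();
        if (cpsUri != null) {
            PolicyQualifier qualifier = new PolicyQualifier();
            qualifier.setType(PolicyQualfierType.cpsUri);
            qualifier.setValue(cpsUri);
            qualifiers.add(qualifier);
        }
        // Always set the list (possibly empty) so the field is never left null.
        single.setPolicyQualifiers(qualifiers);
        pis.add(single);
    }
    return extValue;
}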

Example 2 with PolicyQualifier

use of org.xipki.ca.certprofile.xijson.conf.CertificatePolicies.PolicyQualifier in project xipki by xipki.

From class A2gChecker, method checkExtnCertificatePolicies.

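/**
 * Checks the CertificatePolicies extension of an issued certificate against the
 * profile and appends one clause per mismatch to {@code failureMsg}.
 * <p>
 * When the profile configures no policies, the extension is compared with the
 * constant value configured for it. Otherwise every policy in the certificate
 * must be expected by the profile, every expected policy must be present, and
 * for each expected policy every configured CPS URI and userNotice qualifier
 * must be found among the certificate's qualifiers (extra qualifiers in the
 * certificate are not reported).
 *
 * @param failureMsg     sink for mismatch descriptions; untouched when everything matches
 * @param extnValue      DER-encoded value of the CertificatePolicies extension
 * @param requestedExtns extensions of the request, used only for the constant-value check
 * @param extnControl    control settings of the extension
 */
void checkExtnCertificatePolicies(StringBuilder failureMsg, byte[] extnValue, Extensions requestedExtns, ExtensionControl extnControl) {
    CertificatePolicies certificatePolicies = caller.getCertificatePolicies();
    if (certificatePolicies == null) {
        caller.checkConstantExtnValue(Extension.certificatePolicies, failureMsg, extnValue, requestedExtns, extnControl);
        return;
    }
    Map<String, CertificatePolicyInformationType> expPoliciesMap = new HashMap<>();
    for (CertificatePolicyInformationType cp : certificatePolicies.getCertificatePolicyInformations()) {
        expPoliciesMap.put(cp.getPolicyIdentifier().getOid(), cp);
    }
    // Expected policy ids not yet seen in the certificate; drained while iterating.
    Set<String> expPolicyIds = new HashSet<>(expPoliciesMap.keySet());
    org.bouncycastle.asn1.x509.CertificatePolicies asn1 = org.bouncycastle.asn1.x509.CertificatePolicies.getInstance(extnValue);
    for (PolicyInformation isPolicyInformation : asn1.getPolicyInformation()) {
        ASN1ObjectIdentifier isPolicyId = isPolicyInformation.getPolicyIdentifier();
        expPolicyIds.remove(isPolicyId.getId());
        CertificatePolicyInformationType expCp = expPoliciesMap.get(isPolicyId.getId());
        if (expCp == null) {
            failureMsg.append("certificate policy '").append(isPolicyId).append("' is not expected; ");
            continue;
        }
        List<PolicyQualifier> expCpPq = expCp.getPolicyQualifiers();
        if (isEmpty(expCpPq)) {
            continue;
        }
        // policyQualifiers is OPTIONAL in PolicyInformation and BouncyCastle returns null
        // when it is absent. Treat that as "no qualifiers" so a certificate that lacks the
        // required qualifiers is reported as a mismatch instead of aborting the whole
        // check with a NullPointerException.
        ASN1Sequence isPolicyQualifiers = isPolicyInformation.getPolicyQualifiers();
        int size = (isPolicyQualifiers == null) ? 0 : isPolicyQualifiers.size();
        List<String> isCpsUris = new ArrayList<>(size);
        List<String> isUserNotices = new ArrayList<>(size);
        for (int i = 0; i < size; i++) {
            PolicyQualifierInfo isPolicyQualifierInfo = PolicyQualifierInfo.getInstance(isPolicyQualifiers.getObjectAt(i));
            ASN1ObjectIdentifier isPolicyQualifierId = isPolicyQualifierInfo.getPolicyQualifierId();
            ASN1Encodable isQualifier = isPolicyQualifierInfo.getQualifier();
            if (PolicyQualifierId.id_qt_cps.equals(isPolicyQualifierId)) {
                isCpsUris.add(DERIA5String.getInstance(isQualifier).getString());
            } else if (PolicyQualifierId.id_qt_unotice.equals(isPolicyQualifierId)) {
                // Only the explicitText of a UserNotice is compared; noticeRef is ignored.
                UserNotice isUserNotice = UserNotice.getInstance(isQualifier);
                if (isUserNotice.getExplicitText() != null) {
                    isUserNotices.add(isUserNotice.getExplicitText().getString());
                }
            }
        }
        for (PolicyQualifier qualifierInfo : expCpPq) {
            String value = qualifierInfo.getValue();
            switch (qualifierInfo.getType()) {
                case cpsUri:
                    if (!isCpsUris.contains(value)) {
                        failureMsg.append("CPSUri '").append(value).append("' is absent but is required; ");
                    }
                    break;
                case userNotice:
                    if (!isUserNotices.contains(value)) {
                        failureMsg.append("userNotice '").append(value).append("' is absent but is required; ");
                    }
                    break;
                default:
                    throw new IllegalStateException("should not reach here");
            }
        }
    }
    for (String policyId : expPolicyIds) {
        failureMsg.append("certificate policy '").append(policyId).append("' is absent but is required; ");
    }
}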

Example 3 with PolicyQualifier

use of org.xipki.ca.certprofile.xijson.conf.CertificatePolicies.PolicyQualifier in project xipki by xipki.

From class ComplexProfileConfDemo, method certprofileAppleWwdr.

/**
 * Writes the demo end-entity profile modelled after Apple WWDR certificates to
 * {@code destFilename}: a fixed-order subject (C, O, OU, CN, UID), the usual
 * identifier/CRL extensions, Apple's certificate policy with a userNotice and a
 * CPS URI, digitalSignature/clientAuth usage, two constant NULL-valued Apple
 * extensions and one request-supplied Apple extension whose SEQUENCE syntax is
 * described by the ASN.1 sketch below.
 *
 * @param destFilename path the marshalled profile is written to
 */
private static void certprofileAppleWwdr(String destFilename) {
    X509ProfileType profile = getBaseProfile("certprofile apple WWDR", CertLevel.EndEntity, "395d");

    // Subject: each RDN exactly once, in the order listed here.
    Subject subject = profile.getSubject();
    subject.setKeepRdnOrder(true);
    List<RdnType> rdns = subject.getRdns();
    rdns.add(createRdn(DN.C, 1, 1));
    rdns.add(createRdn(DN.O, 1, 1));
    rdns.add(createRdn(DN.OU, 1, 1));
    rdns.add(createRdn(DN.CN, 1, 1));
    rdns.add(createRdn(DN.UID, 1, 1));

    // Extensions: identifiers, basic constraints and CRL distribution points.
    List<ExtensionType> extensions = profile.getExtensions();
    extensions.add(createExtension(Extension.subjectKeyIdentifier, true, false, null));
    extensions.add(createExtension(Extension.basicConstraints, true, true));
    extensions.add(createExtension(Extension.authorityKeyIdentifier, true, false));
    extensions.add(createExtension(Extension.cRLDistributionPoints, true, false, null));

    // Extensions - certificatePolicies: Apple's policy OID with a userNotice and a CPS URI.
    extensions.add(createExtension(Extension.certificatePolicies, true, false));
    CertificatePolicies certPolicies = new CertificatePolicies();
    last(extensions).setCertificatePolicies(certPolicies);
    CertificatePolicyInformationType applePolicy = new CertificatePolicyInformationType();
    applePolicy.setPolicyIdentifier(createOidType(new ASN1ObjectIdentifier("1.2.840.113635.100.5.1")));
    List<PolicyQualifier> qualifiers = new ArrayList<>(2);
    qualifiers.add(newPolicyQualifier(PolicyQualfierType.userNotice,
        "Reliance on this certificate by any party assumes acceptance of the then "
        + "applicable standard terms and conditions of use, certificate policy and certification "
        + "practice statements."));
    qualifiers.add(newPolicyQualifier(PolicyQualfierType.cpsUri, "http://www.apple.com/certificateauthority"));
    applePolicy.setPolicyQualifiers(qualifiers);
    certPolicies.getCertificatePolicyInformations().add(applePolicy);

    // Extensions - keyUsage
    extensions.add(createExtension(Extension.keyUsage, true, true));
    last(extensions).setKeyUsage(createKeyUsage(new KeyUsage[] { KeyUsage.digitalSignature }, null));

    // Extensions - extendedKeyUsage
    extensions.add(createExtension(Extension.extendedKeyUsage, true, false));
    last(extensions).setExtendedKeyUsage(createExtendedKeyUsage(new ASN1ObjectIdentifier[] { ObjectIdentifiers.XKU.id_kp_clientAuth }, null));

    // Apple custom extensions 1.2.840.113635.100.6.3.1 and .2: constant NULL values.
    extensions.add(createConstantExtension(new ASN1ObjectIdentifier("1.2.840.113635.100.6.3.1"), true, false, null, FieldType.NULL, null));
    extensions.add(createConstantExtension(new ASN1ObjectIdentifier("1.2.840.113635.100.6.3.2"), true, false, null, FieldType.NULL, null));

    // Apple custom extension 1.2.840.113635.100.6.3.6: value taken from the request,
    // constrained to the syntax below.
    extensions.add(createExtension(new ASN1ObjectIdentifier("1.2.840.113635.100.6.3.6"), true, false));
    ExtnSyntax syntax = new ExtnSyntax(FieldType.SEQUENCE);
    last(extensions).setSyntax(syntax);
    last(extensions).setPermittedInRequest(true);
    /*
     *  1. SEQUENCE or SET {
     *  2.    UTF8String # abc.def.myBlog EXPLICIT
     *  3.    SEQUENCE
     *  4.      UTF8String  # app
     *  5.    UTF8String  # abc.def.myBlog.voip EXPLICIT
     *  6.    SEQUENCE EXPLICIT
     *  7.      UTF8String  # voip
     *  8.    UTF8String  # abc.def.myBlog.complication IMPLICIT
     *  9.    SEQUENCE IMPLICIT
     * 10.      UTF8String  # complication
     * 11. }
     */
    // Lines 2-10 are three repetitions of "UTF8String, then SEQUENCE { UTF8String }".
    List<SubFieldSyntax> subFields = new ArrayList<>(6);
    for (int pair = 0; pair < 3; pair++) {
        subFields.add(requiredSubField(FieldType.UTF8String));
        subFields.add(requiredUtf8StringSequence());
    }
    syntax.setSubFields(subFields);

    marshall(profile, destFilename, true);
}

/** Creates a policy qualifier of the given type carrying {@code value}. */
private static PolicyQualifier newPolicyQualifier(PolicyQualfierType type, String value) {
    PolicyQualifier qualifier = new PolicyQualifier();
    qualifier.setType(type);
    qualifier.setValue(value);
    return qualifier;
}

/** Creates a required sub-field of the given ASN.1 type with no nested fields. */
private static SubFieldSyntax requiredSubField(FieldType type) {
    SubFieldSyntax field = new SubFieldSyntax(type);
    field.setRequired(true);
    return field;
}

/** Creates a required SEQUENCE holding exactly one required UTF8String. */
private static SubFieldSyntax requiredUtf8StringSequence() {
    SubFieldSyntax sequence = requiredSubField(FieldType.SEQUENCE);
    sequence.setSubFields(Collections.singletonList(requiredSubField(FieldType.UTF8String)));
    return sequence;
}
