Search in sources :

Example 1 with QaCertificatePolicies

use of org.xipki.ca.qa.internal.QaCertificatePolicies in project xipki by xipki.

the class ExtensionsChecker method checkExtensionCertificatePolicies.

// method checkExtensionTlsFeature
private void checkExtensionCertificatePolicies(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
    QaCertificatePolicies conf = certificatePolicies;
    if (conf == null) {
        byte[] expected = getExpectedExtValue(Extension.certificatePolicies, requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension values", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
        }
        return;
    }
    org.bouncycastle.asn1.x509.CertificatePolicies asn1 = org.bouncycastle.asn1.x509.CertificatePolicies.getInstance(extensionValue);
    PolicyInformation[] isPolicyInformations = asn1.getPolicyInformation();
    for (PolicyInformation isPolicyInformation : isPolicyInformations) {
        ASN1ObjectIdentifier isPolicyId = isPolicyInformation.getPolicyIdentifier();
        QaCertificatePolicyInformation expCp = conf.getPolicyInformation(isPolicyId.getId());
        if (expCp == null) {
            failureMsg.append("certificate policy '").append(isPolicyId).append("' is not expected; ");
            continue;
        }
        QaPolicyQualifiers expCpPq = expCp.getPolicyQualifiers();
        if (expCpPq == null) {
            continue;
        }
        ASN1Sequence isPolicyQualifiers = isPolicyInformation.getPolicyQualifiers();
        List<String> isCpsUris = new LinkedList<>();
        List<String> isUserNotices = new LinkedList<>();
        int size = isPolicyQualifiers.size();
        for (int i = 0; i < size; i++) {
            PolicyQualifierInfo isPolicyQualifierInfo = (PolicyQualifierInfo) isPolicyQualifiers.getObjectAt(i);
            ASN1ObjectIdentifier isPolicyQualifierId = isPolicyQualifierInfo.getPolicyQualifierId();
            ASN1Encodable isQualifier = isPolicyQualifierInfo.getQualifier();
            if (PolicyQualifierId.id_qt_cps.equals(isPolicyQualifierId)) {
                String isCpsUri = ((DERIA5String) isQualifier).getString();
                isCpsUris.add(isCpsUri);
            } else if (PolicyQualifierId.id_qt_unotice.equals(isPolicyQualifierId)) {
                UserNotice isUserNotice = UserNotice.getInstance(isQualifier);
                if (isUserNotice.getExplicitText() != null) {
                    isUserNotices.add(isUserNotice.getExplicitText().getString());
                }
            }
        }
        List<QaPolicyQualifierInfo> qualifierInfos = expCpPq.getPolicyQualifiers();
        for (QaPolicyQualifierInfo qualifierInfo : qualifierInfos) {
            if (qualifierInfo instanceof QaCpsUriPolicyQualifier) {
                String value = ((QaCpsUriPolicyQualifier) qualifierInfo).getCpsUri();
                if (!isCpsUris.contains(value)) {
                    failureMsg.append("CPSUri '").append(value).append("' is absent but is required; ");
                }
            } else if (qualifierInfo instanceof QaUserNoticePolicyQualifierInfo) {
                String value = ((QaUserNoticePolicyQualifierInfo) qualifierInfo).getUserNotice();
                if (!isUserNotices.contains(value)) {
                    failureMsg.append("userNotice '").append(value).append("' is absent but is required; ");
                }
            } else {
                throw new RuntimeException("should not reach here");
            }
        }
    }
    for (QaCertificatePolicyInformation cp : conf.getPolicyInformations()) {
        boolean present = false;
        for (PolicyInformation isPolicyInformation : isPolicyInformations) {
            if (isPolicyInformation.getPolicyIdentifier().getId().equals(cp.getPolicyId())) {
                present = true;
                break;
            }
        }
        if (present) {
            continue;
        }
        failureMsg.append("certificate policy '").append(cp.getPolicyId()).append("' is absent but is required; ");
    }
}
Also used : PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) QaCertificatePolicyInformation(org.xipki.ca.qa.internal.QaCertificatePolicies.QaCertificatePolicyInformation) UserNotice(org.bouncycastle.asn1.x509.UserNotice) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERBMPString(org.bouncycastle.asn1.DERBMPString) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) ASN1String(org.bouncycastle.asn1.ASN1String) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERT61String(org.bouncycastle.asn1.DERT61String) DERIA5String(org.bouncycastle.asn1.DERIA5String) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) QaPolicyQualifiers(org.xipki.ca.qa.internal.QaPolicyQualifiers) QaPolicyQualifierInfo(org.xipki.ca.qa.internal.QaPolicyQualifierInfo) QaUserNoticePolicyQualifierInfo(org.xipki.ca.qa.internal.QaPolicyQualifierInfo.QaUserNoticePolicyQualifierInfo) PolicyQualifierInfo(org.bouncycastle.asn1.x509.PolicyQualifierInfo) QaCertificatePolicyInformation(org.xipki.ca.qa.internal.QaCertificatePolicies.QaCertificatePolicyInformation) LinkedList(java.util.LinkedList) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) QaPolicyQualifierInfo(org.xipki.ca.qa.internal.QaPolicyQualifierInfo) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) QaUserNoticePolicyQualifierInfo(org.xipki.ca.qa.internal.QaPolicyQualifierInfo.QaUserNoticePolicyQualifierInfo) QaCertificatePolicies(org.xipki.ca.qa.internal.QaCertificatePolicies) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) QaCpsUriPolicyQualifier(org.xipki.ca.qa.internal.QaPolicyQualifierInfo.QaCpsUriPolicyQualifier)

Aggregations

LinkedList (java.util.LinkedList)1 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)1 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)1 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)1 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)1 ASN1String (org.bouncycastle.asn1.ASN1String)1 DERBMPString (org.bouncycastle.asn1.DERBMPString)1 DERIA5String (org.bouncycastle.asn1.DERIA5String)1 DEROctetString (org.bouncycastle.asn1.DEROctetString)1 DERPrintableString (org.bouncycastle.asn1.DERPrintableString)1 DERT61String (org.bouncycastle.asn1.DERT61String)1 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)1 DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)1 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)1 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)1 PolicyInformation (org.bouncycastle.asn1.x509.PolicyInformation)1 PolicyQualifierInfo (org.bouncycastle.asn1.x509.PolicyQualifierInfo)1 UserNotice (org.bouncycastle.asn1.x509.UserNotice)1 QaCertificatePolicies (org.xipki.ca.qa.internal.QaCertificatePolicies)1 QaCertificatePolicyInformation (org.xipki.ca.qa.internal.QaCertificatePolicies.QaCertificatePolicyInformation)1