Example 11 with ValidationIssue
use of org.xipki.common.qa.ValidationIssue in project xipki by xipki.
the class SubjectChecker method checkSubjectAttributeNotMultiValued.
private ValidationIssue checkSubjectAttributeNotMultiValued(ASN1ObjectIdentifier type, X500Name subject, X500Name requestedSubject) throws BadCertTemplateException {
ValidationIssue issue = createSubjectIssue(type);
// control
RdnControl rdnControl = subjectControl.getControl(type);
int minOccurs = (rdnControl == null) ? 0 : rdnControl.getMinOccurs();
int maxOccurs = (rdnControl == null) ? 0 : rdnControl.getMaxOccurs();
RDN[] rdns = subject.getRDNs(type);
int rdnsSize = (rdns == null) ? 0 : rdns.length;
if (rdnsSize < minOccurs || rdnsSize > maxOccurs) {
issue.setFailureMessage("number of RDNs '" + rdnsSize + "' is not within [" + minOccurs + ", " + maxOccurs + "]");
return issue;
}
RDN[] requestedRdns = requestedSubject.getRDNs(type);
if (rdnsSize == 0) {
// check optional attribute but is present in requestedSubject
if (maxOccurs > 0 && requestedRdns != null && requestedRdns.length > 0) {
issue.setFailureMessage("is absent but expected present");
}
return issue;
}
StringBuilder failureMsg = new StringBuilder();
// check the encoding
StringType stringType = null;
if (rdnControl != null) {
stringType = rdnControl.getStringType();
}
List<String> requestedCoreAtvTextValues = new LinkedList<>();
if (requestedRdns != null) {
for (RDN requestedRdn : requestedRdns) {
String textValue = getRdnTextValueOfRequest(requestedRdn);
requestedCoreAtvTextValues.add(textValue);
}
if (rdnControl != null && rdnControl.getPatterns() != null) {
// sort the requestedRDNs
requestedCoreAtvTextValues = sort(requestedCoreAtvTextValues, rdnControl.getPatterns());
}
}
if (rdns == null) {
// return always false, only to make the null checker happy
return issue;
}
for (int i = 0; i < rdns.length; i++) {
RDN rdn = rdns[i];
AttributeTypeAndValue[] atvs = rdn.getTypesAndValues();
if (atvs.length > 1) {
failureMsg.append("size of RDN[" + i + "] is '" + atvs.length + "' but expected '1'");
failureMsg.append("; ");
continue;
}
String atvTextValue = getAtvValueString("RDN[" + i + "]", atvs[0], stringType, failureMsg);
if (atvTextValue == null) {
continue;
}
checkAttributeTypeAndValue("RDN[" + i + "]", type, atvTextValue, rdnControl, requestedCoreAtvTextValues, i, failureMsg);
}
int len = failureMsg.length();
if (len > 2) {
failureMsg.delete(len - 2, len);
issue.setFailureMessage(failureMsg.toString());
}
return issue;
}
Also used :
RdnControl(org.xipki.ca.api.profile.RdnControl)
StringType(org.xipki.ca.api.profile.StringType)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
DERT61String(org.bouncycastle.asn1.DERT61String)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
ValidationIssue(org.xipki.common.qa.ValidationIssue)
RDN(org.bouncycastle.asn1.x500.RDN)
LinkedList(java.util.LinkedList)
AttributeTypeAndValue(org.bouncycastle.asn1.x500.AttributeTypeAndValue)
Example 12 with ValidationIssue
use of org.xipki.common.qa.ValidationIssue in project xipki by xipki.
the class SubjectChecker method checkSubject.
public List<ValidationIssue> checkSubject(X500Name subject, X500Name requestedSubject) {
ParamUtil.requireNonNull("subject", subject);
ParamUtil.requireNonNull("requestedSubject", requestedSubject);
// collect subject attribute types to check
Set<ASN1ObjectIdentifier> oids = new HashSet<>();
for (ASN1ObjectIdentifier oid : subjectControl.getTypes()) {
oids.add(oid);
}
for (ASN1ObjectIdentifier oid : subject.getAttributeTypes()) {
oids.add(oid);
}
List<ValidationIssue> result = new LinkedList<>();
ValidationIssue issue = new ValidationIssue("X509.SUBJECT.group", "X509 subject RDN group");
result.add(issue);
if (CollectionUtil.isNonEmpty(subjectControl.getGroups())) {
Set<String> groups = new HashSet<>(subjectControl.getGroups());
for (String g : groups) {
boolean toBreak = false;
RDN rdn = null;
for (ASN1ObjectIdentifier type : subjectControl.getTypesForGroup(g)) {
RDN[] rdns = subject.getRDNs(type);
if (rdns == null || rdns.length == 0) {
continue;
}
if (rdns.length > 1) {
issue.setFailureMessage("AttributeTypeAndValues of group " + g + " is not in one RDN");
toBreak = true;
break;
}
if (rdn == null) {
rdn = rdns[0];
} else if (rdn != rdns[0]) {
issue.setFailureMessage("AttributeTypeAndValues of group " + g + " is not in one RDN");
toBreak = true;
break;
}
}
if (toBreak) {
break;
}
}
}
for (ASN1ObjectIdentifier type : oids) {
ValidationIssue valIssue;
try {
valIssue = checkSubjectAttribute(type, subject, requestedSubject);
} catch (BadCertTemplateException ex) {
valIssue = new ValidationIssue("X509.SUBJECT.REQUEST", "Subject in request");
valIssue.setFailureMessage(ex.getMessage());
}
result.add(valIssue);
}
return result;
}
Also used :
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
DERT61String(org.bouncycastle.asn1.DERT61String)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
ValidationIssue(org.xipki.common.qa.ValidationIssue)
RDN(org.bouncycastle.asn1.x500.RDN)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
LinkedList(java.util.LinkedList)
HashSet(java.util.HashSet)
Example 13 with ValidationIssue
use of org.xipki.common.qa.ValidationIssue in project xipki by xipki.
the class X509CertprofileQa method checkCert.
// constructor
public ValidationResult checkCert(byte[] certBytes, X509IssuerInfo issuerInfo, X500Name requestedSubject, SubjectPublicKeyInfo requestedPublicKey, Extensions requestedExtensions) {
ParamUtil.requireNonNull("certBytes", certBytes);
ParamUtil.requireNonNull("issuerInfo", issuerInfo);
ParamUtil.requireNonNull("requestedSubject", requestedSubject);
ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
List<ValidationIssue> resultIssues = new LinkedList<ValidationIssue>();
Certificate bcCert;
TBSCertificate tbsCert;
X509Certificate cert;
ValidationIssue issue;
// certificate size
issue = new ValidationIssue("X509.SIZE", "certificate size");
resultIssues.add(issue);
Integer maxSize = certProfile.getMaxSize();
if (maxSize != 0) {
int size = certBytes.length;
if (size > maxSize) {
issue.setFailureMessage(String.format("certificate exceeds the maximal allowed size: %d > %d", size, maxSize));
}
}
// certificate encoding
issue = new ValidationIssue("X509.ENCODING", "certificate encoding");
resultIssues.add(issue);
try {
bcCert = Certificate.getInstance(certBytes);
tbsCert = bcCert.getTBSCertificate();
cert = X509Util.parseCert(certBytes);
} catch (CertificateException ex) {
issue.setFailureMessage("certificate is not corrected encoded");
return new ValidationResult(resultIssues);
}
// syntax version
issue = new ValidationIssue("X509.VERSION", "certificate version");
resultIssues.add(issue);
int versionNumber = tbsCert.getVersionNumber();
X509CertVersion expVersion = certProfile.getVersion();
if (versionNumber != expVersion.getVersionNumber()) {
issue.setFailureMessage("is '" + versionNumber + "' but expected '" + expVersion.getVersionNumber() + "'");
}
// serialNumber
issue = new ValidationIssue("X509.serialNumber", "certificate serial number");
resultIssues.add(issue);
BigInteger serialNumber = tbsCert.getSerialNumber().getValue();
if (serialNumber.signum() != 1) {
issue.setFailureMessage("not positive");
} else {
if (serialNumber.bitLength() >= 160) {
issue.setFailureMessage("serial number has more than 20 octets");
}
}
// signatureAlgorithm
List<String> signatureAlgorithms = certProfile.getSignatureAlgorithms();
if (CollectionUtil.isNonEmpty(signatureAlgorithms)) {
issue = new ValidationIssue("X509.SIGALG", "signature algorithm");
resultIssues.add(issue);
AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm();
AlgorithmIdentifier tbsSigAlgId = tbsCert.getSignature();
if (!tbsSigAlgId.equals(sigAlgId)) {
issue.setFailureMessage("Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm");
}
try {
String sigAlgo = AlgorithmUtil.getSignatureAlgoName(sigAlgId);
if (!issue.isFailed()) {
if (!signatureAlgorithms.contains(sigAlgo)) {
issue.setFailureMessage("signatureAlgorithm '" + sigAlgo + "' is not allowed");
}
}
// check parameters
if (!issue.isFailed()) {
AlgorithmIdentifier expSigAlgId = AlgorithmUtil.getSigAlgId(sigAlgo);
if (!expSigAlgId.equals(sigAlgId)) {
issue.setFailureMessage("invalid parameters");
}
}
} catch (NoSuchAlgorithmException ex) {
issue.setFailureMessage("unsupported signature algorithm " + sigAlgId.getAlgorithm().getId());
}
}
// notBefore encoding
issue = new ValidationIssue("X509.NOTBEFORE.ENCODING", "notBefore encoding");
checkTime(tbsCert.getStartDate(), issue);
// notAfter encoding
issue = new ValidationIssue("X509.NOTAFTER.ENCODING", "notAfter encoding");
checkTime(tbsCert.getStartDate(), issue);
// notBefore
if (certProfile.isNotBeforeMidnight()) {
issue = new ValidationIssue("X509.NOTBEFORE", "notBefore midnight");
resultIssues.add(issue);
Calendar cal = Calendar.getInstance(UTC);
cal.setTime(cert.getNotBefore());
int hourOfDay = cal.get(Calendar.HOUR_OF_DAY);
int minute = cal.get(Calendar.MINUTE);
int second = cal.get(Calendar.SECOND);
if (hourOfDay != 0 || minute != 0 || second != 0) {
issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time (UTC)");
}
}
// validity
issue = new ValidationIssue("X509.VALIDITY", "cert validity");
resultIssues.add(issue);
if (cert.getNotAfter().before(cert.getNotBefore())) {
issue.setFailureMessage("notAfter must not be before notBefore");
} else if (cert.getNotBefore().before(issuerInfo.getCaNotBefore())) {
issue.setFailureMessage("notBefore must not be before CA's notBefore");
} else {
CertValidity validity = certProfile.getValidity();
Date expectedNotAfter = validity.add(cert.getNotBefore());
if (expectedNotAfter.getTime() > MAX_CERT_TIME_MS) {
expectedNotAfter = new Date(MAX_CERT_TIME_MS);
}
if (issuerInfo.isCutoffNotAfter() && expectedNotAfter.after(issuerInfo.getCaNotAfter())) {
expectedNotAfter = issuerInfo.getCaNotAfter();
}
if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) {
issue.setFailureMessage("cert validity is not within " + validity.toString());
}
}
// subjectPublicKeyInfo
resultIssues.addAll(publicKeyChecker.checkPublicKey(bcCert.getSubjectPublicKeyInfo(), requestedPublicKey));
// Signature
issue = new ValidationIssue("X509.SIG", "whether certificate is signed by CA");
resultIssues.add(issue);
try {
cert.verify(issuerInfo.getCert().getPublicKey(), "BC");
} catch (Exception ex) {
issue.setFailureMessage("invalid signature");
}
// issuer
issue = new ValidationIssue("X509.ISSUER", "certificate issuer");
resultIssues.add(issue);
if (!cert.getIssuerX500Principal().equals(issuerInfo.getCert().getSubjectX500Principal())) {
issue.setFailureMessage("issue in certificate does not equal the subject of CA certificate");
}
// subject
resultIssues.addAll(subjectChecker.checkSubject(bcCert.getSubject(), requestedSubject));
// issuerUniqueID
issue = new ValidationIssue("X509.IssuerUniqueID", "issuerUniqueID");
resultIssues.add(issue);
if (tbsCert.getIssuerUniqueId() != null) {
issue.setFailureMessage("is present but not permitted");
}
// subjectUniqueID
issue = new ValidationIssue("X509.SubjectUniqueID", "subjectUniqueID");
resultIssues.add(issue);
if (tbsCert.getSubjectUniqueId() != null) {
issue.setFailureMessage("is present but not permitted");
}
// extensions
issue = new ValidationIssue("X509.GrantedSubject", "grantedSubject");
resultIssues.add(issue);
resultIssues.addAll(extensionsChecker.checkExtensions(bcCert, issuerInfo, requestedExtensions, requestedSubject));
return new ValidationResult(resultIssues);
}
Also used :
CertValidity(org.xipki.ca.api.profile.CertValidity)
Calendar(java.util.Calendar)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
ValidationResult(org.xipki.common.qa.ValidationResult)
ValidationIssue(org.xipki.common.qa.ValidationIssue)
LinkedList(java.util.LinkedList)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
CertprofileException(org.xipki.ca.api.profile.CertprofileException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
BigInteger(java.math.BigInteger)
X509CertVersion(org.xipki.ca.api.profile.x509.X509CertVersion)
BigInteger(java.math.BigInteger)
TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)
Aggregations
ValidationIssue (org.xipki.common.qa.ValidationIssue)13
LinkedList (java.util.LinkedList)8
DERBMPString (org.bouncycastle.asn1.DERBMPString)5
DERIA5String (org.bouncycastle.asn1.DERIA5String)5
DERPrintableString (org.bouncycastle.asn1.DERPrintableString)5
DERT61String (org.bouncycastle.asn1.DERT61String)5
DERUTF8String (org.bouncycastle.asn1.DERUTF8String)5
ValidationResult (org.xipki.common.qa.ValidationResult)5
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3
X509Certificate (java.security.cert.X509Certificate)3
Date (java.util.Date)3
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)3
RDN (org.bouncycastle.asn1.x500.RDN)3
Extension (org.bouncycastle.asn1.x509.Extension)3
BigInteger (java.math.BigInteger)2
CertificateException (java.security.cert.CertificateException)2
AttributeTypeAndValue (org.bouncycastle.asn1.x500.AttributeTypeAndValue)2
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)2
Extensions (org.bouncycastle.asn1.x509.Extensions)2
BadCertTemplateException (org.xipki.ca.api.BadCertTemplateException)2
