Search in sources :

Example 1 with ValidationIssue

use of org.xipki.qa.ValidationIssue in project xipki by xipki.

the class ExtensionsChecker method checkExtensions.

public List<ValidationIssue> checkExtensions(Certificate cert, IssuerInfo issuerInfo, Extensions requestedExtns, X500Name requestedSubject) {
    notNull(cert, "cert");
    notNull(issuerInfo, "issuerInfo");
    X509Cert jceCert = new X509Cert(cert);
    List<ValidationIssue> result = new LinkedList<>();
    // detect the list of extension types in certificate
    Set<ASN1ObjectIdentifier> presentExtenionTypes = getExensionTypes(cert, issuerInfo, requestedExtns);
    Extensions extensions = cert.getTBSCertificate().getExtensions();
    ASN1ObjectIdentifier[] oids = extensions.getExtensionOIDs();
    if (oids == null) {
        ValidationIssue issue = new ValidationIssue("X509.EXT.GEN", "extension general");
        result.add(issue);
        issue.setFailureMessage("no extension is present");
        return result;
    }
    List<ASN1ObjectIdentifier> certExtTypes = Arrays.asList(oids);
    for (ASN1ObjectIdentifier extType : presentExtenionTypes) {
        if (!certExtTypes.contains(extType)) {
            ValidationIssue issue = createExtensionIssue(extType);
            result.add(issue);
            issue.setFailureMessage("extension is absent but is required");
        }
    }
    Map<ASN1ObjectIdentifier, ExtensionControl> extnControls = certprofile.getExtensionControls();
    for (ASN1ObjectIdentifier oid : certExtTypes) {
        ValidationIssue issue = createExtensionIssue(oid);
        result.add(issue);
        if (!presentExtenionTypes.contains(oid)) {
            issue.setFailureMessage("extension is present but is not permitted");
            continue;
        }
        Extension ext = extensions.getExtension(oid);
        StringBuilder failureMsg = new StringBuilder();
        ExtensionControl extnControl = extnControls.get(oid);
        if (extnControl.isCritical() != ext.isCritical()) {
            addViolation(failureMsg, "critical", ext.isCritical(), extnControl.isCritical());
        }
        byte[] extnValue = ext.getExtnValue().getOctets();
        try {
            if (extensionSyntaxes != null && extensionSyntaxes.containsKey(oid)) {
                Extension requestedExtn = requestedExtns.getExtension(oid);
                if (!Arrays.equals(requestedExtn.getExtnValue().getOctets(), extnValue)) {
                    failureMsg.append("extension in certificate does not equal the one contained in the request");
                } else {
                    ExtnSyntax syntax = extensionSyntaxes.get(oid);
                    String extnName = "extension " + ObjectIdentifiers.oidToDisplayName(oid);
                    try {
                        ExtensionSyntaxChecker.checkExtension(extnName, ext.getParsedValue(), syntax);
                    } catch (BadCertTemplateException ex) {
                        failureMsg.append(ex.getMessage());
                    }
                }
            } else if (Extension.authorityKeyIdentifier.equals(oid)) {
                a2gChecker.checkExtnAuthorityKeyId(failureMsg, extnValue, issuerInfo);
            } else if (Extension.subjectKeyIdentifier.equals(oid)) {
                // SubjectKeyIdentifier
                o2tChecker.checkExtnSubjectKeyIdentifier(failureMsg, extnValue, cert.getSubjectPublicKeyInfo());
            } else if (Extension.keyUsage.equals(oid)) {
                h2nChecker.checkExtnKeyUsage(failureMsg, jceCert.getKeyUsage(), requestedExtns, extnControl);
            } else if (Extension.certificatePolicies.equals(oid)) {
                a2gChecker.checkExtnCertificatePolicies(failureMsg, extnValue, requestedExtns, extnControl);
            } else if (Extension.policyMappings.equals(oid)) {
                o2tChecker.checkExtnPolicyMappings(failureMsg, extnValue, requestedExtns, extnControl);
            } else if (Extension.subjectAlternativeName.equals(oid)) {
                o2tChecker.checkExtnSubjectAltNames(failureMsg, extnValue, requestedExtns, extnControl, requestedSubject);
            } else if (Extension.subjectDirectoryAttributes.equals(oid)) {
                o2tChecker.checkExtnSubjectDirAttrs(failureMsg, extnValue, requestedExtns, extnControl);
            } else if (Extension.issuerAlternativeName.equals(oid)) {
                h2nChecker.checkExtnIssuerAltNames(failureMsg, extnValue, issuerInfo);
            } else if (Extension.basicConstraints.equals(oid)) {
                a2gChecker.checkExtnBasicConstraints(failureMsg, extnValue);
            } else if (Extension.nameConstraints.equals(oid)) {
                h2nChecker.checkExtnNameConstraints(failureMsg, extnValue, requestedExtns, extnControl);
            } else if (Extension.policyConstraints.equals(oid)) {
                o2tChecker.checkExtnPolicyConstraints(failureMsg, extnValue, requestedExtns, extnControl);
            } else if (Extension.extendedKeyUsage.equals(oid)) {
                a2gChecker.checkExtnExtendedKeyUsage(failureMsg, extnValue, requestedExtns, extnControl);
            } else if (Extension.cRLDistributionPoints.equals(oid)) {
                a2gChecker.checkExtnCrlDistributionPoints(failureMsg, extnValue, issuerInfo);
            } else if (Extension.inhibitAnyPolicy.equals(oid)) {
                h2nChecker.checkExtnInhibitAnyPolicy(failureMsg, extnValue, extensions, extnControl);
            } else if (Extension.freshestCRL.equals(oid)) {
                a2gChecker.checkExtnDeltaCrlDistributionPoints(failureMsg, extnValue, issuerInfo);
            } else if (Extension.authorityInfoAccess.equals(oid)) {
                a2gChecker.checkExtnAuthorityInfoAccess(failureMsg, extnValue, issuerInfo);
            } else if (Extension.subjectInfoAccess.equals(oid)) {
                o2tChecker.checkExtnSubjectInfoAccess(failureMsg, extnValue, requestedExtns, extnControl);
            } else if (Extn.id_extension_admission.equals(oid)) {
                a2gChecker.checkExtnAdmission(failureMsg, extnValue, requestedExtns, requestedSubject, extnControl);
            } else if (Extn.id_extension_pkix_ocsp_nocheck.equals(oid)) {
                o2tChecker.checkExtnOcspNocheck(failureMsg, extnValue);
            } else if (Extn.id_extension_restriction.equals(oid)) {
                o2tChecker.checkExtnRestriction(failureMsg, extnValue, requestedExtns, extnControl);
            } else if (Extn.id_extension_additionalInformation.equals(oid)) {
                a2gChecker.checkExtnAdditionalInformation(failureMsg, extnValue, requestedExtns, extnControl);
            } else if (Extn.id_extension_validityModel.equals(oid)) {
                u2zChecker.checkExtnValidityModel(failureMsg, extnValue, requestedExtns, extnControl);
            } else if (Extension.privateKeyUsagePeriod.equals(oid)) {
                o2tChecker.checkExtnPrivateKeyUsagePeriod(failureMsg, extnValue, jceCert.getNotBefore(), jceCert.getNotAfter());
            } else if (Extension.qCStatements.equals(oid)) {
                o2tChecker.checkExtnQcStatements(failureMsg, extnValue, requestedExtns, extnControl);
            } else if (Extension.biometricInfo.equals(oid)) {
                a2gChecker.checkExtnBiometricInfo(failureMsg, extnValue, requestedExtns);
            } else if (Extn.id_pe_tlsfeature.equals(oid)) {
                o2tChecker.checkExtnTlsFeature(failureMsg, extnValue, requestedExtns, extnControl);
            } else if (Extn.id_smimeCapabilities.equals(oid)) {
                o2tChecker.checkSmimeCapabilities(failureMsg, extnValue, extnControl);
            } else if (Extn.id_SCTs.equals(oid)) {
                o2tChecker.checkScts(failureMsg, extnValue, extnControl);
            } else if (Extn.id_GMT_0015_ICRegistrationNumber.equals(oid) || Extn.id_GMT_0015_InsuranceNumber.equals(oid) || Extn.id_GMT_0015_OrganizationCode.equals(oid) || Extn.id_GMT_0015_TaxationNumber.equals(oid) || Extn.id_GMT_0015_IdentityCode.equals(oid)) {
                a2gChecker.checkExtnGmt0015(failureMsg, extnValue, requestedExtns, extnControl, oid, requestedSubject);
            } else {
                byte[] expected = getExpectedExtValue(oid, requestedExtns, extnControl);
                if (!Arrays.equals(expected, extnValue)) {
                    addViolation(failureMsg, "extension value", hex(extnValue), (expected == null) ? "not present" : hex(expected));
                }
            }
            if (failureMsg.length() > 0) {
                issue.setFailureMessage(failureMsg.toString());
            }
        } catch (IllegalArgumentException | ClassCastException | IOException | ArrayIndexOutOfBoundsException ex) {
            LOG.debug("extension value does not have correct syntax", ex);
            issue.setFailureMessage("extension value does not have correct syntax");
        }
    }
    return result;
}
Also used : IOException(java.io.IOException) Extensions(org.bouncycastle.asn1.x509.Extensions) ValidationIssue(org.xipki.qa.ValidationIssue) Extension(org.bouncycastle.asn1.x509.Extension) X509Cert(org.xipki.security.X509Cert) ExtensionControl(org.xipki.ca.api.profile.Certprofile.ExtensionControl) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)

Example 2 with ValidationIssue

use of org.xipki.qa.ValidationIssue in project xipki by xipki.

the class OcspQa method checkOcsp.

// method checkOcsp
public ValidationResult checkOcsp(OCSPResp response, IssuerHash issuerHash, List<BigInteger> serialNumbers, Map<BigInteger, byte[]> encodedCerts, Map<BigInteger, OcspCertStatus> expectedOcspStatuses, Map<BigInteger, Date> expectedRevTimes, OcspResponseOption responseOption, boolean noSigVerify) {
    notNull(response, "response");
    notEmpty(serialNumbers, "serialNumbers");
    notEmpty(expectedOcspStatuses, "expectedOcspStatuses");
    notNull(responseOption, "responseOption");
    List<ValidationIssue> resultIssues = new LinkedList<>();
    int status = response.getStatus();
    // Response status
    ValidationIssue issue = new ValidationIssue("OCSP.STATUS", "response.status");
    resultIssues.add(issue);
    if (status != 0) {
        issue.setFailureMessage("is '" + Unsuccessful.getStatusText(status) + "', but expected 'successful'");
        return new ValidationResult(resultIssues);
    }
    ValidationIssue encodingIssue = new ValidationIssue("OCSP.ENCODING", "response encoding");
    resultIssues.add(encodingIssue);
    BasicOCSPResp basicResp;
    try {
        basicResp = (BasicOCSPResp) response.getResponseObject();
    } catch (OCSPException ex) {
        encodingIssue.setFailureMessage(ex.getMessage());
        return new ValidationResult(resultIssues);
    }
    SingleResp[] singleResponses = basicResp.getResponses();
    issue = new ValidationIssue("OCSP.RESPONSES.NUM", "number of single responses");
    resultIssues.add(issue);
    if (singleResponses == null || singleResponses.length == 0) {
        issue.setFailureMessage("received no status from server");
        return new ValidationResult(resultIssues);
    }
    final int n = singleResponses.length;
    if (n != serialNumbers.size()) {
        issue.setFailureMessage("is '" + n + "', but expected '" + serialNumbers.size() + "'");
        return new ValidationResult(resultIssues);
    }
    boolean hasSignature = basicResp.getSignature() != null;
    // check the signature if available
    if (noSigVerify) {
        issue = new ValidationIssue("OCSP.SIG", (hasSignature ? "signature presence (Ignore)" : "signature presence"));
    } else {
        issue = new ValidationIssue("OCSP.SIG", "signature presence");
    }
    resultIssues.add(issue);
    if (!hasSignature) {
        issue.setFailureMessage("response is not signed");
    }
    if (hasSignature && !noSigVerify) {
        // signature algorithm
        issue = new ValidationIssue("OCSP.SIG.ALG", "signature algorithm");
        resultIssues.add(issue);
        SignAlgo expectedSigalgo = responseOption.getSignatureAlg();
        if (expectedSigalgo != null) {
            try {
                SignAlgo signAlgo = SignAlgo.getInstance(basicResp.getSignatureAlgorithmID());
                if (signAlgo != expectedSigalgo) {
                    issue.setFailureMessage("is '" + signAlgo.getJceName() + "', but expected '" + expectedSigalgo.getJceName() + "'");
                }
            } catch (NoSuchAlgorithmException ex) {
                issue.setFailureMessage("could not extract the signature algorithm");
            }
        }
        // end if (expectedSigalgo != null)
        // signer certificate
        ValidationIssue sigSignerCertIssue = new ValidationIssue("OCSP.SIGNERCERT", "signer certificate");
        resultIssues.add(sigSignerCertIssue);
        // signature validation
        ValidationIssue sigValIssue = new ValidationIssue("OCSP.SIG.VALIDATION", "signature validation");
        resultIssues.add(sigValIssue);
        X509CertificateHolder respSigner = null;
        X509CertificateHolder[] responderCerts = basicResp.getCerts();
        if (responderCerts == null || responderCerts.length < 1) {
            sigSignerCertIssue.setFailureMessage("no responder certificate is contained in the response");
            sigValIssue.setFailureMessage("could not find certificate to validate signature");
        } else {
            ResponderID respId = basicResp.getResponderId().toASN1Primitive();
            X500Name respIdByName = respId.getName();
            byte[] respIdByKey = respId.getKeyHash();
            for (X509CertificateHolder cert : responderCerts) {
                if (respIdByName != null) {
                    if (cert.getSubject().equals(respIdByName)) {
                        respSigner = cert;
                    }
                } else {
                    byte[] spkiSha1 = HashAlgo.SHA1.hash(cert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes());
                    if (Arrays.equals(respIdByKey, spkiSha1)) {
                        respSigner = cert;
                    }
                }
                if (respSigner != null) {
                    break;
                }
            }
            if (respSigner == null) {
                sigSignerCertIssue.setFailureMessage("no responder certificate match the ResponderId");
                sigValIssue.setFailureMessage("could not find certificate matching the" + " ResponderId to validate signature");
            }
        }
        if (respSigner != null) {
            issue = new ValidationIssue("OCSP.SIGNERCERT.TRUST", "signer certificate validation");
            resultIssues.add(issue);
            for (int i = 0; i < singleResponses.length; i++) {
                SingleResp singleResp = singleResponses[i];
                if (!respSigner.isValidOn(singleResp.getThisUpdate())) {
                    issue.setFailureMessage(String.format("responder certificate is not valid on the thisUpdate[%d]: %s", i, singleResp.getThisUpdate()));
                }
            }
            // end for
            X509Cert respIssuer = responseOption.getRespIssuer();
            if (!issue.isFailed() && respIssuer != null) {
                X509Cert jceRespSigner;
                try {
                    jceRespSigner = new X509Cert(respSigner);
                    if (X509Util.issues(respIssuer, jceRespSigner)) {
                        jceRespSigner.verify(respIssuer.getPublicKey());
                    } else {
                        issue.setFailureMessage("responder signer is not trusted");
                    }
                } catch (Exception ex) {
                    issue.setFailureMessage("responder signer is not trusted");
                }
            }
            try {
                PublicKey responderPubKey = KeyUtil.generatePublicKey(respSigner.getSubjectPublicKeyInfo());
                ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(responderPubKey);
                boolean sigValid = basicResp.isSignatureValid(cvp);
                if (!sigValid) {
                    sigValIssue.setFailureMessage("signature is invalid");
                }
            } catch (Exception ex) {
                sigValIssue.setFailureMessage("could not validate signature");
            }
        }
    // end if
    }
    // end if (hasSignature)
    // nonce
    Extension nonceExtn = basicResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    resultIssues.add(checkOccurrence("OCSP.NONCE", nonceExtn, responseOption.getNonceOccurrence()));
    boolean extendedRevoke = basicResp.getExtension(ObjectIdentifiers.Extn.id_pkix_ocsp_extendedRevoke) != null;
    for (int i = 0; i < singleResponses.length; i++) {
        SingleResp singleResp = singleResponses[i];
        BigInteger serialNumber = singleResp.getCertID().getSerialNumber();
        OcspCertStatus expectedStatus = expectedOcspStatuses.get(serialNumber);
        Date expectedRevTime = null;
        if (expectedRevTimes != null) {
            expectedRevTime = expectedRevTimes.get(serialNumber);
        }
        byte[] encodedCert = null;
        if (encodedCerts != null) {
            encodedCert = encodedCerts.get(serialNumber);
        }
        List<ValidationIssue> issues = checkSingleCert(i, singleResp, issuerHash, expectedStatus, encodedCert, expectedRevTime, extendedRevoke, responseOption.getNextUpdateOccurrence(), responseOption.getCerthashOccurrence(), responseOption.getCerthashAlg());
        resultIssues.addAll(issues);
    }
    return new ValidationResult(resultIssues);
}
Also used : ResponderID(org.bouncycastle.asn1.ocsp.ResponderID) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) X500Name(org.bouncycastle.asn1.x500.X500Name) ValidationResult(org.xipki.qa.ValidationResult) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider) PublicKey(java.security.PublicKey) ValidationIssue(org.xipki.qa.ValidationIssue) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) Extension(org.bouncycastle.asn1.x509.Extension) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger)

Example 3 with ValidationIssue

use of org.xipki.qa.ValidationIssue in project xipki by xipki.

the class CertprofileQa method checkCert.

// constructor
public ValidationResult checkCert(byte[] certBytes, IssuerInfo issuerInfo, X500Name requestedSubject, SubjectPublicKeyInfo requestedPublicKey, Extensions requestedExtensions) {
    notNull(certBytes, "certBytes");
    notNull(issuerInfo, "issuerInfo");
    notNull(requestedSubject, "requestedSubject");
    notNull(requestedPublicKey, "requestedPublicKey");
    List<ValidationIssue> resultIssues = new LinkedList<>();
    // certificate size
    ValidationIssue issue = new ValidationIssue("X509.SIZE", "certificate size");
    resultIssues.add(issue);
    certBytes = X509Util.toDerEncoded(certBytes);
    Integer maxSize = certprofile.getMaxSize();
    if (maxSize != 0) {
        int size = certBytes.length;
        if (size > maxSize) {
            issue.setFailureMessage(String.format("certificate exceeds the maximal allowed size: %d > %d", size, maxSize));
        }
    }
    // certificate encoding
    issue = new ValidationIssue("X509.ENCODING", "certificate encoding");
    resultIssues.add(issue);
    Certificate bcCert = Certificate.getInstance(certBytes);
    TBSCertificate tbsCert = bcCert.getTBSCertificate();
    X509Cert cert = new X509Cert(bcCert, certBytes);
    // syntax version
    issue = new ValidationIssue("X509.VERSION", "certificate version");
    resultIssues.add(issue);
    int versionNumber = tbsCert.getVersion().intPositiveValueExact();
    X509CertVersion expVersion = certprofile.getVersion();
    if (versionNumber != expVersion.getVersionNumber()) {
        issue.setFailureMessage("is '" + versionNumber + "' but expected '" + expVersion.getVersionNumber() + "'");
    }
    // serialNumber
    issue = new ValidationIssue("X509.serialNumber", "certificate serial number");
    resultIssues.add(issue);
    BigInteger serialNumber = tbsCert.getSerialNumber().getValue();
    if (serialNumber.signum() != 1) {
        issue.setFailureMessage("not positive");
    } else {
        if (serialNumber.bitLength() >= 160) {
            issue.setFailureMessage("serial number has more than 20 octets");
        }
    }
    // signatureAlgorithm
    List<SignAlgo> signatureAlgorithms = certprofile.getSignatureAlgorithms();
    if (CollectionUtil.isNotEmpty(signatureAlgorithms)) {
        issue = new ValidationIssue("X509.SIGALG", "signature algorithm");
        resultIssues.add(issue);
        AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm();
        AlgorithmIdentifier tbsSigAlgId = tbsCert.getSignature();
        if (!tbsSigAlgId.equals(sigAlgId)) {
            issue.setFailureMessage("Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm");
        }
        try {
            if (!issue.isFailed()) {
                SignAlgo signAlgo = SignAlgo.getInstance(sigAlgId);
                if (!signatureAlgorithms.contains(signAlgo)) {
                    issue.setFailureMessage("signatureAlgorithm '" + signAlgo + "' is not allowed");
                }
                if (!issue.isFailed()) {
                    if (!sigAlgId.equals(signAlgo.getAlgorithmIdentifier())) {
                        issue.setFailureMessage("signatureAlgorithm has invalid content");
                    }
                }
            }
        } catch (NoSuchAlgorithmException ex) {
            issue.setFailureMessage("unsupported signature algorithm " + sigAlgId.getAlgorithm().getId());
        }
    }
    // notBefore encoding
    issue = new ValidationIssue("X509.NOTBEFORE.ENCODING", "notBefore encoding");
    checkTime(tbsCert.getStartDate(), issue);
    // notAfter encoding
    issue = new ValidationIssue("X509.NOTAFTER.ENCODING", "notAfter encoding");
    checkTime(tbsCert.getStartDate(), issue);
    if (certprofile.getNotBeforeOption().getMidNightTimeZone() != null) {
        issue = new ValidationIssue("X509.NOTBEFORE", "notBefore midnight");
        resultIssues.add(issue);
        Calendar cal = Calendar.getInstance(UTC);
        cal.setTime(cert.getNotBefore());
        int minute = cal.get(Calendar.MINUTE);
        int second = cal.get(Calendar.SECOND);
        if (minute != 0 || second != 0) {
            issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time");
        }
    }
    // validity
    issue = new ValidationIssue("X509.VALIDITY", "cert validity");
    resultIssues.add(issue);
    if (cert.getNotAfter().before(cert.getNotBefore())) {
        issue.setFailureMessage("notAfter may not be before notBefore");
    } else if (cert.getNotBefore().before(issuerInfo.getCaNotBefore())) {
        issue.setFailureMessage("notBefore may not be before CA's notBefore");
    } else {
        Validity validity = certprofile.getValidity();
        Date expectedNotAfter = validity.add(cert.getNotBefore());
        if (expectedNotAfter.getTime() > MAX_CERT_TIME_MS) {
            expectedNotAfter = new Date(MAX_CERT_TIME_MS);
        }
        if (issuerInfo.isCutoffNotAfter() && expectedNotAfter.after(issuerInfo.getCaNotAfter())) {
            expectedNotAfter = issuerInfo.getCaNotAfter();
        }
        if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) {
            issue.setFailureMessage("cert validity is not within " + validity.toString());
        }
    }
    // subjectPublicKeyInfo
    resultIssues.addAll(publicKeyChecker.checkPublicKey(bcCert.getSubjectPublicKeyInfo(), requestedPublicKey));
    // Signature
    issue = new ValidationIssue("X509.SIG", "whether certificate is signed by CA");
    resultIssues.add(issue);
    try {
        cert.verify(issuerInfo.getCert().getPublicKey(), "BC");
    } catch (NoSuchAlgorithmException ex) {
        try {
            cert.verify(issuerInfo.getCert().getPublicKey());
        } catch (Exception ex1) {
            issue.setFailureMessage("invalid signature");
        }
    } catch (Exception ex) {
        issue.setFailureMessage("invalid signature");
    }
    // issuer
    issue = new ValidationIssue("X509.ISSUER", "certificate issuer");
    resultIssues.add(issue);
    if (!cert.getIssuer().equals(issuerInfo.getCert().getSubject())) {
        issue.setFailureMessage("issue in certificate does not equal the subject of CA certificate");
    }
    // subject
    resultIssues.addAll(subjectChecker.checkSubject(bcCert.getSubject(), requestedSubject));
    // issuerUniqueID
    issue = new ValidationIssue("X509.IssuerUniqueID", "issuerUniqueID");
    resultIssues.add(issue);
    if (tbsCert.getIssuerUniqueId() != null) {
        issue.setFailureMessage("is present but not permitted");
    }
    // subjectUniqueID
    issue = new ValidationIssue("X509.SubjectUniqueID", "subjectUniqueID");
    resultIssues.add(issue);
    if (tbsCert.getSubjectUniqueId() != null) {
        issue.setFailureMessage("is present but not permitted");
    }
    // extensions
    issue = new ValidationIssue("X509.GrantedSubject", "grantedSubject");
    resultIssues.add(issue);
    resultIssues.addAll(extensionsChecker.checkExtensions(bcCert, issuerInfo, requestedExtensions, requestedSubject));
    return new ValidationResult(resultIssues);
}
Also used : NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ValidationResult(org.xipki.qa.ValidationResult) ValidationIssue(org.xipki.qa.ValidationIssue) CertprofileException(org.xipki.ca.api.profile.CertprofileException) IOException(java.io.IOException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) BigInteger(java.math.BigInteger) SignAlgo(org.xipki.security.SignAlgo) X509CertVersion(org.xipki.ca.api.profile.Certprofile.X509CertVersion) X509Cert(org.xipki.security.X509Cert) BigInteger(java.math.BigInteger)

Example 4 with ValidationIssue

use of org.xipki.qa.ValidationIssue in project xipki by xipki.

the class SubjectChecker method checkSubject.

public List<ValidationIssue> checkSubject(X500Name subject, X500Name requestedSubject) {
    notNull(subject, "subject");
    notNull(requestedSubject, "requestedSubject");
    // collect subject attribute types to check
    Set<ASN1ObjectIdentifier> oids = new HashSet<>();
    for (ASN1ObjectIdentifier oid : subjectControl.getTypes()) {
        if (!subjectControl.getControl(oid).isNotInSubject()) {
            oids.add(oid);
        }
    }
    Collections.addAll(oids, subject.getAttributeTypes());
    List<ValidationIssue> result = new LinkedList<>();
    ValidationIssue issue = new ValidationIssue("X509.SUBJECT.group", "X509 subject RDN group");
    result.add(issue);
    if (isNotEmpty(subjectControl.getGroups())) {
        Set<String> groups = new HashSet<>(subjectControl.getGroups());
        for (String g : groups) {
            boolean toBreak = false;
            RDN rdn = null;
            for (ASN1ObjectIdentifier type : subjectControl.getTypesForGroup(g)) {
                RDN[] rdns = subject.getRDNs(type);
                if (rdns == null || rdns.length == 0) {
                    continue;
                }
                if (rdns.length > 1) {
                    issue.setFailureMessage("AttributeTypeAndValues of group " + g + " is not in one RDN");
                    toBreak = true;
                    break;
                }
                if (rdn == null) {
                    rdn = rdns[0];
                } else if (rdn != rdns[0]) {
                    issue.setFailureMessage("AttributeTypeAndValues of group " + g + " is not in one RDN");
                    toBreak = true;
                    break;
                }
            }
            if (toBreak) {
                break;
            }
        }
    }
    for (ASN1ObjectIdentifier type : oids) {
        ValidationIssue valIssue;
        try {
            valIssue = checkSubjectAttribute(type, subject, requestedSubject);
        } catch (BadCertTemplateException ex) {
            valIssue = new ValidationIssue("X509.SUBJECT.REQUEST", "Subject in request");
            valIssue.setFailureMessage(ex.getMessage());
        }
        result.add(valIssue);
    }
    return result;
}
Also used : BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) ValidationIssue(org.xipki.qa.ValidationIssue) RDN(org.bouncycastle.asn1.x500.RDN)

Example 5 with ValidationIssue

use of org.xipki.qa.ValidationIssue in project xipki by xipki.

the class SubjectChecker method createSubjectIssue.

// method getRdnTextValueOfRequest
private static ValidationIssue createSubjectIssue(ASN1ObjectIdentifier subjectAttrType) {
    ValidationIssue issue;
    String attrName = ObjectIdentifiers.getName(subjectAttrType);
    if (attrName == null) {
        attrName = subjectAttrType.getId().replace('.', '_');
        issue = new ValidationIssue("X509.SUBJECT." + attrName, "attribute " + subjectAttrType.getId());
    } else {
        issue = new ValidationIssue("X509.SUBJECT." + attrName, "attribute " + attrName + " (" + subjectAttrType.getId() + ")");
    }
    return issue;
}
Also used : ValidationIssue(org.xipki.qa.ValidationIssue)

Aggregations

ValidationIssue (org.xipki.qa.ValidationIssue)10 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3 RDN (org.bouncycastle.asn1.x500.RDN)3 Extension (org.bouncycastle.asn1.x509.Extension)3 BadCertTemplateException (org.xipki.ca.api.BadCertTemplateException)3 ValidationResult (org.xipki.qa.ValidationResult)3 IOException (java.io.IOException)2 BigInteger (java.math.BigInteger)2 AttributeTypeAndValue (org.bouncycastle.asn1.x500.AttributeTypeAndValue)2 RdnControl (org.xipki.ca.api.profile.Certprofile.RdnControl)2 StringType (org.xipki.ca.api.profile.Certprofile.StringType)2 X509Cert (org.xipki.security.X509Cert)2 MessageDigest (java.security.MessageDigest)1 PublicKey (java.security.PublicKey)1 InvalidKeySpecException (java.security.spec.InvalidKeySpecException)1 LinkedList (java.util.LinkedList)1 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)1 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)1 CertHash (org.bouncycastle.asn1.isismtt.ocsp.CertHash)1 ResponderID (org.bouncycastle.asn1.ocsp.ResponderID)1