Example 1 with ValidationIssue
use of org.xipki.qa.ValidationIssue in project xipki by xipki.
the class ExtensionsChecker method checkExtensions.
public List<ValidationIssue> checkExtensions(Certificate cert, IssuerInfo issuerInfo, Extensions requestedExtns, X500Name requestedSubject) {
notNull(cert, "cert");
notNull(issuerInfo, "issuerInfo");
X509Cert jceCert = new X509Cert(cert);
List<ValidationIssue> result = new LinkedList<>();
// detect the list of extension types in certificate
Set<ASN1ObjectIdentifier> presentExtenionTypes = getExensionTypes(cert, issuerInfo, requestedExtns);
Extensions extensions = cert.getTBSCertificate().getExtensions();
ASN1ObjectIdentifier[] oids = extensions.getExtensionOIDs();
if (oids == null) {
ValidationIssue issue = new ValidationIssue("X509.EXT.GEN", "extension general");
result.add(issue);
issue.setFailureMessage("no extension is present");
return result;
}
List<ASN1ObjectIdentifier> certExtTypes = Arrays.asList(oids);
for (ASN1ObjectIdentifier extType : presentExtenionTypes) {
if (!certExtTypes.contains(extType)) {
ValidationIssue issue = createExtensionIssue(extType);
result.add(issue);
issue.setFailureMessage("extension is absent but is required");
}
}
Map<ASN1ObjectIdentifier, ExtensionControl> extnControls = certprofile.getExtensionControls();
for (ASN1ObjectIdentifier oid : certExtTypes) {
ValidationIssue issue = createExtensionIssue(oid);
result.add(issue);
if (!presentExtenionTypes.contains(oid)) {
issue.setFailureMessage("extension is present but is not permitted");
continue;
}
Extension ext = extensions.getExtension(oid);
StringBuilder failureMsg = new StringBuilder();
ExtensionControl extnControl = extnControls.get(oid);
if (extnControl.isCritical() != ext.isCritical()) {
addViolation(failureMsg, "critical", ext.isCritical(), extnControl.isCritical());
}
byte[] extnValue = ext.getExtnValue().getOctets();
try {
if (extensionSyntaxes != null && extensionSyntaxes.containsKey(oid)) {
Extension requestedExtn = requestedExtns.getExtension(oid);
if (!Arrays.equals(requestedExtn.getExtnValue().getOctets(), extnValue)) {
failureMsg.append("extension in certificate does not equal the one contained in the request");
} else {
ExtnSyntax syntax = extensionSyntaxes.get(oid);
String extnName = "extension " + ObjectIdentifiers.oidToDisplayName(oid);
try {
ExtensionSyntaxChecker.checkExtension(extnName, ext.getParsedValue(), syntax);
} catch (BadCertTemplateException ex) {
failureMsg.append(ex.getMessage());
}
}
} else if (Extension.authorityKeyIdentifier.equals(oid)) {
a2gChecker.checkExtnAuthorityKeyId(failureMsg, extnValue, issuerInfo);
} else if (Extension.subjectKeyIdentifier.equals(oid)) {
// SubjectKeyIdentifier
o2tChecker.checkExtnSubjectKeyIdentifier(failureMsg, extnValue, cert.getSubjectPublicKeyInfo());
} else if (Extension.keyUsage.equals(oid)) {
h2nChecker.checkExtnKeyUsage(failureMsg, jceCert.getKeyUsage(), requestedExtns, extnControl);
} else if (Extension.certificatePolicies.equals(oid)) {
a2gChecker.checkExtnCertificatePolicies(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.policyMappings.equals(oid)) {
o2tChecker.checkExtnPolicyMappings(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.subjectAlternativeName.equals(oid)) {
o2tChecker.checkExtnSubjectAltNames(failureMsg, extnValue, requestedExtns, extnControl, requestedSubject);
} else if (Extension.subjectDirectoryAttributes.equals(oid)) {
o2tChecker.checkExtnSubjectDirAttrs(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.issuerAlternativeName.equals(oid)) {
h2nChecker.checkExtnIssuerAltNames(failureMsg, extnValue, issuerInfo);
} else if (Extension.basicConstraints.equals(oid)) {
a2gChecker.checkExtnBasicConstraints(failureMsg, extnValue);
} else if (Extension.nameConstraints.equals(oid)) {
h2nChecker.checkExtnNameConstraints(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.policyConstraints.equals(oid)) {
o2tChecker.checkExtnPolicyConstraints(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.extendedKeyUsage.equals(oid)) {
a2gChecker.checkExtnExtendedKeyUsage(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.cRLDistributionPoints.equals(oid)) {
a2gChecker.checkExtnCrlDistributionPoints(failureMsg, extnValue, issuerInfo);
} else if (Extension.inhibitAnyPolicy.equals(oid)) {
h2nChecker.checkExtnInhibitAnyPolicy(failureMsg, extnValue, extensions, extnControl);
} else if (Extension.freshestCRL.equals(oid)) {
a2gChecker.checkExtnDeltaCrlDistributionPoints(failureMsg, extnValue, issuerInfo);
} else if (Extension.authorityInfoAccess.equals(oid)) {
a2gChecker.checkExtnAuthorityInfoAccess(failureMsg, extnValue, issuerInfo);
} else if (Extension.subjectInfoAccess.equals(oid)) {
o2tChecker.checkExtnSubjectInfoAccess(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extn.id_extension_admission.equals(oid)) {
a2gChecker.checkExtnAdmission(failureMsg, extnValue, requestedExtns, requestedSubject, extnControl);
} else if (Extn.id_extension_pkix_ocsp_nocheck.equals(oid)) {
o2tChecker.checkExtnOcspNocheck(failureMsg, extnValue);
} else if (Extn.id_extension_restriction.equals(oid)) {
o2tChecker.checkExtnRestriction(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extn.id_extension_additionalInformation.equals(oid)) {
a2gChecker.checkExtnAdditionalInformation(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extn.id_extension_validityModel.equals(oid)) {
u2zChecker.checkExtnValidityModel(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.privateKeyUsagePeriod.equals(oid)) {
o2tChecker.checkExtnPrivateKeyUsagePeriod(failureMsg, extnValue, jceCert.getNotBefore(), jceCert.getNotAfter());
} else if (Extension.qCStatements.equals(oid)) {
o2tChecker.checkExtnQcStatements(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.biometricInfo.equals(oid)) {
a2gChecker.checkExtnBiometricInfo(failureMsg, extnValue, requestedExtns);
} else if (Extn.id_pe_tlsfeature.equals(oid)) {
o2tChecker.checkExtnTlsFeature(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extn.id_smimeCapabilities.equals(oid)) {
o2tChecker.checkSmimeCapabilities(failureMsg, extnValue, extnControl);
} else if (Extn.id_SCTs.equals(oid)) {
o2tChecker.checkScts(failureMsg, extnValue, extnControl);
} else if (Extn.id_GMT_0015_ICRegistrationNumber.equals(oid) || Extn.id_GMT_0015_InsuranceNumber.equals(oid) || Extn.id_GMT_0015_OrganizationCode.equals(oid) || Extn.id_GMT_0015_TaxationNumber.equals(oid) || Extn.id_GMT_0015_IdentityCode.equals(oid)) {
a2gChecker.checkExtnGmt0015(failureMsg, extnValue, requestedExtns, extnControl, oid, requestedSubject);
} else {
byte[] expected = getExpectedExtValue(oid, requestedExtns, extnControl);
if (!Arrays.equals(expected, extnValue)) {
addViolation(failureMsg, "extension value", hex(extnValue), (expected == null) ? "not present" : hex(expected));
}
}
if (failureMsg.length() > 0) {
issue.setFailureMessage(failureMsg.toString());
}
} catch (IllegalArgumentException | ClassCastException | IOException | ArrayIndexOutOfBoundsException ex) {
LOG.debug("extension value does not have correct syntax", ex);
issue.setFailureMessage("extension value does not have correct syntax");
}
}
return result;
}
Also used :
IOException(java.io.IOException)
Extensions(org.bouncycastle.asn1.x509.Extensions)
ValidationIssue(org.xipki.qa.ValidationIssue)
Extension(org.bouncycastle.asn1.x509.Extension)
X509Cert(org.xipki.security.X509Cert)
ExtensionControl(org.xipki.ca.api.profile.Certprofile.ExtensionControl)
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
Example 2 with ValidationIssue
use of org.xipki.qa.ValidationIssue in project xipki by xipki.
the class OcspQa method checkOcsp.
// method checkOcsp
public ValidationResult checkOcsp(OCSPResp response, IssuerHash issuerHash, List<BigInteger> serialNumbers, Map<BigInteger, byte[]> encodedCerts, Map<BigInteger, OcspCertStatus> expectedOcspStatuses, Map<BigInteger, Date> expectedRevTimes, OcspResponseOption responseOption, boolean noSigVerify) {
notNull(response, "response");
notEmpty(serialNumbers, "serialNumbers");
notEmpty(expectedOcspStatuses, "expectedOcspStatuses");
notNull(responseOption, "responseOption");
List<ValidationIssue> resultIssues = new LinkedList<>();
int status = response.getStatus();
// Response status
ValidationIssue issue = new ValidationIssue("OCSP.STATUS", "response.status");
resultIssues.add(issue);
if (status != 0) {
issue.setFailureMessage("is '" + Unsuccessful.getStatusText(status) + "', but expected 'successful'");
return new ValidationResult(resultIssues);
}
ValidationIssue encodingIssue = new ValidationIssue("OCSP.ENCODING", "response encoding");
resultIssues.add(encodingIssue);
BasicOCSPResp basicResp;
try {
basicResp = (BasicOCSPResp) response.getResponseObject();
} catch (OCSPException ex) {
encodingIssue.setFailureMessage(ex.getMessage());
return new ValidationResult(resultIssues);
}
SingleResp[] singleResponses = basicResp.getResponses();
issue = new ValidationIssue("OCSP.RESPONSES.NUM", "number of single responses");
resultIssues.add(issue);
if (singleResponses == null || singleResponses.length == 0) {
issue.setFailureMessage("received no status from server");
return new ValidationResult(resultIssues);
}
final int n = singleResponses.length;
if (n != serialNumbers.size()) {
issue.setFailureMessage("is '" + n + "', but expected '" + serialNumbers.size() + "'");
return new ValidationResult(resultIssues);
}
boolean hasSignature = basicResp.getSignature() != null;
// check the signature if available
if (noSigVerify) {
issue = new ValidationIssue("OCSP.SIG", (hasSignature ? "signature presence (Ignore)" : "signature presence"));
} else {
issue = new ValidationIssue("OCSP.SIG", "signature presence");
}
resultIssues.add(issue);
if (!hasSignature) {
issue.setFailureMessage("response is not signed");
}
if (hasSignature && !noSigVerify) {
// signature algorithm
issue = new ValidationIssue("OCSP.SIG.ALG", "signature algorithm");
resultIssues.add(issue);
SignAlgo expectedSigalgo = responseOption.getSignatureAlg();
if (expectedSigalgo != null) {
try {
SignAlgo signAlgo = SignAlgo.getInstance(basicResp.getSignatureAlgorithmID());
if (signAlgo != expectedSigalgo) {
issue.setFailureMessage("is '" + signAlgo.getJceName() + "', but expected '" + expectedSigalgo.getJceName() + "'");
}
} catch (NoSuchAlgorithmException ex) {
issue.setFailureMessage("could not extract the signature algorithm");
}
}
// end if (expectedSigalgo != null)
// signer certificate
ValidationIssue sigSignerCertIssue = new ValidationIssue("OCSP.SIGNERCERT", "signer certificate");
resultIssues.add(sigSignerCertIssue);
// signature validation
ValidationIssue sigValIssue = new ValidationIssue("OCSP.SIG.VALIDATION", "signature validation");
resultIssues.add(sigValIssue);
X509CertificateHolder respSigner = null;
X509CertificateHolder[] responderCerts = basicResp.getCerts();
if (responderCerts == null || responderCerts.length < 1) {
sigSignerCertIssue.setFailureMessage("no responder certificate is contained in the response");
sigValIssue.setFailureMessage("could not find certificate to validate signature");
} else {
ResponderID respId = basicResp.getResponderId().toASN1Primitive();
X500Name respIdByName = respId.getName();
byte[] respIdByKey = respId.getKeyHash();
for (X509CertificateHolder cert : responderCerts) {
if (respIdByName != null) {
if (cert.getSubject().equals(respIdByName)) {
respSigner = cert;
}
} else {
byte[] spkiSha1 = HashAlgo.SHA1.hash(cert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes());
if (Arrays.equals(respIdByKey, spkiSha1)) {
respSigner = cert;
}
}
if (respSigner != null) {
break;
}
}
if (respSigner == null) {
sigSignerCertIssue.setFailureMessage("no responder certificate match the ResponderId");
sigValIssue.setFailureMessage("could not find certificate matching the" + " ResponderId to validate signature");
}
}
if (respSigner != null) {
issue = new ValidationIssue("OCSP.SIGNERCERT.TRUST", "signer certificate validation");
resultIssues.add(issue);
for (int i = 0; i < singleResponses.length; i++) {
SingleResp singleResp = singleResponses[i];
if (!respSigner.isValidOn(singleResp.getThisUpdate())) {
issue.setFailureMessage(String.format("responder certificate is not valid on the thisUpdate[%d]: %s", i, singleResp.getThisUpdate()));
}
}
// end for
X509Cert respIssuer = responseOption.getRespIssuer();
if (!issue.isFailed() && respIssuer != null) {
X509Cert jceRespSigner;
try {
jceRespSigner = new X509Cert(respSigner);
if (X509Util.issues(respIssuer, jceRespSigner)) {
jceRespSigner.verify(respIssuer.getPublicKey());
} else {
issue.setFailureMessage("responder signer is not trusted");
}
} catch (Exception ex) {
issue.setFailureMessage("responder signer is not trusted");
}
}
try {
PublicKey responderPubKey = KeyUtil.generatePublicKey(respSigner.getSubjectPublicKeyInfo());
ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(responderPubKey);
boolean sigValid = basicResp.isSignatureValid(cvp);
if (!sigValid) {
sigValIssue.setFailureMessage("signature is invalid");
}
} catch (Exception ex) {
sigValIssue.setFailureMessage("could not validate signature");
}
}
// end if
}
// end if (hasSignature)
// nonce
Extension nonceExtn = basicResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
resultIssues.add(checkOccurrence("OCSP.NONCE", nonceExtn, responseOption.getNonceOccurrence()));
boolean extendedRevoke = basicResp.getExtension(ObjectIdentifiers.Extn.id_pkix_ocsp_extendedRevoke) != null;
for (int i = 0; i < singleResponses.length; i++) {
SingleResp singleResp = singleResponses[i];
BigInteger serialNumber = singleResp.getCertID().getSerialNumber();
OcspCertStatus expectedStatus = expectedOcspStatuses.get(serialNumber);
Date expectedRevTime = null;
if (expectedRevTimes != null) {
expectedRevTime = expectedRevTimes.get(serialNumber);
}
byte[] encodedCert = null;
if (encodedCerts != null) {
encodedCert = encodedCerts.get(serialNumber);
}
List<ValidationIssue> issues = checkSingleCert(i, singleResp, issuerHash, expectedStatus, encodedCert, expectedRevTime, extendedRevoke, responseOption.getNextUpdateOccurrence(), responseOption.getCerthashOccurrence(), responseOption.getCerthashAlg());
resultIssues.addAll(issues);
}
return new ValidationResult(resultIssues);
}
Also used :
ResponderID(org.bouncycastle.asn1.ocsp.ResponderID)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
ValidationResult(org.xipki.qa.ValidationResult)
ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)
PublicKey(java.security.PublicKey)
ValidationIssue(org.xipki.qa.ValidationIssue)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
Extension(org.bouncycastle.asn1.x509.Extension)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
Example 3 with ValidationIssue
use of org.xipki.qa.ValidationIssue in project xipki by xipki.
the class CertprofileQa method checkCert.
// constructor
public ValidationResult checkCert(byte[] certBytes, IssuerInfo issuerInfo, X500Name requestedSubject, SubjectPublicKeyInfo requestedPublicKey, Extensions requestedExtensions) {
notNull(certBytes, "certBytes");
notNull(issuerInfo, "issuerInfo");
notNull(requestedSubject, "requestedSubject");
notNull(requestedPublicKey, "requestedPublicKey");
List<ValidationIssue> resultIssues = new LinkedList<>();
// certificate size
ValidationIssue issue = new ValidationIssue("X509.SIZE", "certificate size");
resultIssues.add(issue);
certBytes = X509Util.toDerEncoded(certBytes);
Integer maxSize = certprofile.getMaxSize();
if (maxSize != 0) {
int size = certBytes.length;
if (size > maxSize) {
issue.setFailureMessage(String.format("certificate exceeds the maximal allowed size: %d > %d", size, maxSize));
}
}
// certificate encoding
issue = new ValidationIssue("X509.ENCODING", "certificate encoding");
resultIssues.add(issue);
Certificate bcCert = Certificate.getInstance(certBytes);
TBSCertificate tbsCert = bcCert.getTBSCertificate();
X509Cert cert = new X509Cert(bcCert, certBytes);
// syntax version
issue = new ValidationIssue("X509.VERSION", "certificate version");
resultIssues.add(issue);
int versionNumber = tbsCert.getVersion().intPositiveValueExact();
X509CertVersion expVersion = certprofile.getVersion();
if (versionNumber != expVersion.getVersionNumber()) {
issue.setFailureMessage("is '" + versionNumber + "' but expected '" + expVersion.getVersionNumber() + "'");
}
// serialNumber
issue = new ValidationIssue("X509.serialNumber", "certificate serial number");
resultIssues.add(issue);
BigInteger serialNumber = tbsCert.getSerialNumber().getValue();
if (serialNumber.signum() != 1) {
issue.setFailureMessage("not positive");
} else {
if (serialNumber.bitLength() >= 160) {
issue.setFailureMessage("serial number has more than 20 octets");
}
}
// signatureAlgorithm
List<SignAlgo> signatureAlgorithms = certprofile.getSignatureAlgorithms();
if (CollectionUtil.isNotEmpty(signatureAlgorithms)) {
issue = new ValidationIssue("X509.SIGALG", "signature algorithm");
resultIssues.add(issue);
AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm();
AlgorithmIdentifier tbsSigAlgId = tbsCert.getSignature();
if (!tbsSigAlgId.equals(sigAlgId)) {
issue.setFailureMessage("Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm");
}
try {
if (!issue.isFailed()) {
SignAlgo signAlgo = SignAlgo.getInstance(sigAlgId);
if (!signatureAlgorithms.contains(signAlgo)) {
issue.setFailureMessage("signatureAlgorithm '" + signAlgo + "' is not allowed");
}
if (!issue.isFailed()) {
if (!sigAlgId.equals(signAlgo.getAlgorithmIdentifier())) {
issue.setFailureMessage("signatureAlgorithm has invalid content");
}
}
}
} catch (NoSuchAlgorithmException ex) {
issue.setFailureMessage("unsupported signature algorithm " + sigAlgId.getAlgorithm().getId());
}
}
// notBefore encoding
issue = new ValidationIssue("X509.NOTBEFORE.ENCODING", "notBefore encoding");
checkTime(tbsCert.getStartDate(), issue);
// notAfter encoding
issue = new ValidationIssue("X509.NOTAFTER.ENCODING", "notAfter encoding");
checkTime(tbsCert.getStartDate(), issue);
if (certprofile.getNotBeforeOption().getMidNightTimeZone() != null) {
issue = new ValidationIssue("X509.NOTBEFORE", "notBefore midnight");
resultIssues.add(issue);
Calendar cal = Calendar.getInstance(UTC);
cal.setTime(cert.getNotBefore());
int minute = cal.get(Calendar.MINUTE);
int second = cal.get(Calendar.SECOND);
if (minute != 0 || second != 0) {
issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time");
}
}
// validity
issue = new ValidationIssue("X509.VALIDITY", "cert validity");
resultIssues.add(issue);
if (cert.getNotAfter().before(cert.getNotBefore())) {
issue.setFailureMessage("notAfter may not be before notBefore");
} else if (cert.getNotBefore().before(issuerInfo.getCaNotBefore())) {
issue.setFailureMessage("notBefore may not be before CA's notBefore");
} else {
Validity validity = certprofile.getValidity();
Date expectedNotAfter = validity.add(cert.getNotBefore());
if (expectedNotAfter.getTime() > MAX_CERT_TIME_MS) {
expectedNotAfter = new Date(MAX_CERT_TIME_MS);
}
if (issuerInfo.isCutoffNotAfter() && expectedNotAfter.after(issuerInfo.getCaNotAfter())) {
expectedNotAfter = issuerInfo.getCaNotAfter();
}
if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) {
issue.setFailureMessage("cert validity is not within " + validity.toString());
}
}
// subjectPublicKeyInfo
resultIssues.addAll(publicKeyChecker.checkPublicKey(bcCert.getSubjectPublicKeyInfo(), requestedPublicKey));
// Signature
issue = new ValidationIssue("X509.SIG", "whether certificate is signed by CA");
resultIssues.add(issue);
try {
cert.verify(issuerInfo.getCert().getPublicKey(), "BC");
} catch (NoSuchAlgorithmException ex) {
try {
cert.verify(issuerInfo.getCert().getPublicKey());
} catch (Exception ex1) {
issue.setFailureMessage("invalid signature");
}
} catch (Exception ex) {
issue.setFailureMessage("invalid signature");
}
// issuer
issue = new ValidationIssue("X509.ISSUER", "certificate issuer");
resultIssues.add(issue);
if (!cert.getIssuer().equals(issuerInfo.getCert().getSubject())) {
issue.setFailureMessage("issue in certificate does not equal the subject of CA certificate");
}
// subject
resultIssues.addAll(subjectChecker.checkSubject(bcCert.getSubject(), requestedSubject));
// issuerUniqueID
issue = new ValidationIssue("X509.IssuerUniqueID", "issuerUniqueID");
resultIssues.add(issue);
if (tbsCert.getIssuerUniqueId() != null) {
issue.setFailureMessage("is present but not permitted");
}
// subjectUniqueID
issue = new ValidationIssue("X509.SubjectUniqueID", "subjectUniqueID");
resultIssues.add(issue);
if (tbsCert.getSubjectUniqueId() != null) {
issue.setFailureMessage("is present but not permitted");
}
// extensions
issue = new ValidationIssue("X509.GrantedSubject", "grantedSubject");
resultIssues.add(issue);
resultIssues.addAll(extensionsChecker.checkExtensions(bcCert, issuerInfo, requestedExtensions, requestedSubject));
return new ValidationResult(resultIssues);
}
Also used :
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
ValidationResult(org.xipki.qa.ValidationResult)
ValidationIssue(org.xipki.qa.ValidationIssue)
CertprofileException(org.xipki.ca.api.profile.CertprofileException)
IOException(java.io.IOException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
BigInteger(java.math.BigInteger)
SignAlgo(org.xipki.security.SignAlgo)
X509CertVersion(org.xipki.ca.api.profile.Certprofile.X509CertVersion)
X509Cert(org.xipki.security.X509Cert)
BigInteger(java.math.BigInteger)
Example 4 with ValidationIssue
use of org.xipki.qa.ValidationIssue in project xipki by xipki.
the class SubjectChecker method checkSubject.
public List<ValidationIssue> checkSubject(X500Name subject, X500Name requestedSubject) {
notNull(subject, "subject");
notNull(requestedSubject, "requestedSubject");
// collect subject attribute types to check
Set<ASN1ObjectIdentifier> oids = new HashSet<>();
for (ASN1ObjectIdentifier oid : subjectControl.getTypes()) {
if (!subjectControl.getControl(oid).isNotInSubject()) {
oids.add(oid);
}
}
Collections.addAll(oids, subject.getAttributeTypes());
List<ValidationIssue> result = new LinkedList<>();
ValidationIssue issue = new ValidationIssue("X509.SUBJECT.group", "X509 subject RDN group");
result.add(issue);
if (isNotEmpty(subjectControl.getGroups())) {
Set<String> groups = new HashSet<>(subjectControl.getGroups());
for (String g : groups) {
boolean toBreak = false;
RDN rdn = null;
for (ASN1ObjectIdentifier type : subjectControl.getTypesForGroup(g)) {
RDN[] rdns = subject.getRDNs(type);
if (rdns == null || rdns.length == 0) {
continue;
}
if (rdns.length > 1) {
issue.setFailureMessage("AttributeTypeAndValues of group " + g + " is not in one RDN");
toBreak = true;
break;
}
if (rdn == null) {
rdn = rdns[0];
} else if (rdn != rdns[0]) {
issue.setFailureMessage("AttributeTypeAndValues of group " + g + " is not in one RDN");
toBreak = true;
break;
}
}
if (toBreak) {
break;
}
}
}
for (ASN1ObjectIdentifier type : oids) {
ValidationIssue valIssue;
try {
valIssue = checkSubjectAttribute(type, subject, requestedSubject);
} catch (BadCertTemplateException ex) {
valIssue = new ValidationIssue("X509.SUBJECT.REQUEST", "Subject in request");
valIssue.setFailureMessage(ex.getMessage());
}
result.add(valIssue);
}
return result;
}
Also used :
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
ValidationIssue(org.xipki.qa.ValidationIssue)
RDN(org.bouncycastle.asn1.x500.RDN)
Example 5 with ValidationIssue
use of org.xipki.qa.ValidationIssue in project xipki by xipki.
the class SubjectChecker method createSubjectIssue.
// method getRdnTextValueOfRequest
private static ValidationIssue createSubjectIssue(ASN1ObjectIdentifier subjectAttrType) {
ValidationIssue issue;
String attrName = ObjectIdentifiers.getName(subjectAttrType);
if (attrName == null) {
attrName = subjectAttrType.getId().replace('.', '_');
issue = new ValidationIssue("X509.SUBJECT." + attrName, "attribute " + subjectAttrType.getId());
} else {
issue = new ValidationIssue("X509.SUBJECT." + attrName, "attribute " + attrName + " (" + subjectAttrType.getId() + ")");
}
return issue;
}
Also used :
ValidationIssue(org.xipki.qa.ValidationIssue)
Aggregations
ValidationIssue (org.xipki.qa.ValidationIssue)10
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3
RDN (org.bouncycastle.asn1.x500.RDN)3
Extension (org.bouncycastle.asn1.x509.Extension)3
BadCertTemplateException (org.xipki.ca.api.BadCertTemplateException)3
ValidationResult (org.xipki.qa.ValidationResult)3
IOException (java.io.IOException)2
BigInteger (java.math.BigInteger)2
AttributeTypeAndValue (org.bouncycastle.asn1.x500.AttributeTypeAndValue)2
RdnControl (org.xipki.ca.api.profile.Certprofile.RdnControl)2
StringType (org.xipki.ca.api.profile.Certprofile.StringType)2
X509Cert (org.xipki.security.X509Cert)2
MessageDigest (java.security.MessageDigest)1
PublicKey (java.security.PublicKey)1
InvalidKeySpecException (java.security.spec.InvalidKeySpecException)1
LinkedList (java.util.LinkedList)1
ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)1
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)1
CertHash (org.bouncycastle.asn1.isismtt.ocsp.CertHash)1
ResponderID (org.bouncycastle.asn1.ocsp.ResponderID)1
