Example 26 with GeneralNames
use of sun.security.x509.GeneralNames in project fdroidclient by f-droid.
the class LocalRepoKeyStore method generateSelfSignedCertChain.
private Certificate generateSelfSignedCertChain(KeyPair kp, X500Name subject, String hostname) throws CertificateException, OperatorCreationException, IOException {
SecureRandom rand = new SecureRandom();
PrivateKey privKey = kp.getPrivate();
PublicKey pubKey = kp.getPublic();
ContentSigner sigGen = new JcaContentSignerBuilder(DEFAULT_SIG_ALG).build(privKey);
SubjectPublicKeyInfo subPubKeyInfo = new SubjectPublicKeyInfo(ASN1Sequence.getInstance(pubKey.getEncoded()));
// now
Date now = new Date();
/* force it to use a English/Gregorian dates for the cert, hardly anyone
ever looks at the cert metadata anyway, and its very likely that they
understand English/Gregorian dates */
Calendar c = new GregorianCalendar(Locale.ENGLISH);
c.setTime(now);
c.add(Calendar.YEAR, 1);
Time startTime = new Time(now, Locale.ENGLISH);
Time endTime = new Time(c.getTime(), Locale.ENGLISH);
X509v3CertificateBuilder v3CertGen = new X509v3CertificateBuilder(subject, BigInteger.valueOf(rand.nextLong()), startTime, endTime, subject, subPubKeyInfo);
if (hostname != null) {
GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.iPAddress, hostname));
v3CertGen.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);
}
X509CertificateHolder certHolder = v3CertGen.build(sigGen);
return new JcaX509CertificateConverter().getCertificate(certHolder);
}
Also used :
PrivateKey(java.security.PrivateKey)
PublicKey(java.security.PublicKey)
JcaContentSignerBuilder(org.spongycastle.operator.jcajce.JcaContentSignerBuilder)
Calendar(java.util.Calendar)
GregorianCalendar(java.util.GregorianCalendar)
ContentSigner(org.spongycastle.operator.ContentSigner)
GregorianCalendar(java.util.GregorianCalendar)
SecureRandom(java.security.SecureRandom)
Time(org.spongycastle.asn1.x509.Time)
SubjectPublicKeyInfo(org.spongycastle.asn1.x509.SubjectPublicKeyInfo)
Date(java.util.Date)
GeneralNames(org.spongycastle.asn1.x509.GeneralNames)
X509v3CertificateBuilder(org.spongycastle.cert.X509v3CertificateBuilder)
JcaX509CertificateConverter(org.spongycastle.cert.jcajce.JcaX509CertificateConverter)
X509CertificateHolder(org.spongycastle.cert.X509CertificateHolder)
GeneralName(org.spongycastle.asn1.x509.GeneralName)
Example 27 with GeneralNames
use of sun.security.x509.GeneralNames in project xipki by xipki.
the class ExtensionsChecker method checkExtensionIssuerKeyIdentifier.
// method checkExtensionSubjectKeyIdentifier
private void checkExtensionIssuerKeyIdentifier(StringBuilder failureMsg, byte[] extensionValue, X509IssuerInfo issuerInfo) {
AuthorityKeyIdentifier asn1 = AuthorityKeyIdentifier.getInstance(extensionValue);
byte[] keyIdentifier = asn1.getKeyIdentifier();
if (keyIdentifier == null) {
failureMsg.append("keyIdentifier is 'absent' but expected 'present'; ");
} else if (!Arrays.equals(issuerInfo.getSubjectKeyIdentifier(), keyIdentifier)) {
addViolation(failureMsg, "keyIdentifier", hex(keyIdentifier), hex(issuerInfo.getSubjectKeyIdentifier()));
}
BigInteger serialNumber = asn1.getAuthorityCertSerialNumber();
GeneralNames names = asn1.getAuthorityCertIssuer();
if (certProfile.isIncludeIssuerAndSerialInAki()) {
if (serialNumber == null) {
failureMsg.append("authorityCertSerialNumber is 'absent' but expected 'present'; ");
} else {
if (!issuerInfo.getCert().getSerialNumber().equals(serialNumber)) {
addViolation(failureMsg, "authorityCertSerialNumber", LogUtil.formatCsn(serialNumber), LogUtil.formatCsn(issuerInfo.getCert().getSerialNumber()));
}
}
if (names == null) {
failureMsg.append("authorityCertIssuer is 'absent' but expected 'present'; ");
} else {
GeneralName[] genNames = names.getNames();
X500Name x500GenName = null;
for (GeneralName genName : genNames) {
if (genName.getTagNo() != GeneralName.directoryName) {
continue;
}
if (x500GenName != null) {
failureMsg.append("authorityCertIssuer contains at least two directoryName " + "but expected one; ");
break;
} else {
x500GenName = (X500Name) genName.getName();
}
}
if (x500GenName == null) {
failureMsg.append("authorityCertIssuer does not contain directoryName but expected one; ");
} else {
X500Name caSubject = issuerInfo.getBcCert().getTBSCertificate().getSubject();
if (!caSubject.equals(x500GenName)) {
addViolation(failureMsg, "authorityCertIssuer", x500GenName, caSubject);
}
}
}
} else {
if (serialNumber != null) {
failureMsg.append("authorityCertSerialNumber is 'absent' but expected 'present'; ");
}
if (names != null) {
failureMsg.append("authorityCertIssuer is 'absent' but expected 'present'; ");
}
}
}
Also used :
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
BigInteger(java.math.BigInteger)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
X500Name(org.bouncycastle.asn1.x500.X500Name)
Example 28 with GeneralNames
use of sun.security.x509.GeneralNames in project xipki by xipki.
the class IdentifiedX509Certprofile method getExtensions.
/**
* TODO.
* @param requestedSubject
* Subject requested subject. Must not be {@code null}.
* @param grantedSubject
* Granted subject. Must not be {@code null}.
* @param requestedExtensions
* Extensions requested by the requestor. Could be {@code null}.
* @param publicKeyInfo
* Subject public key. Must not be {@code null}.
* @param publicCaInfo
* CA information. Must not be {@code null}.
* @param crlSignerCert
* CRL signer certificate. Could be {@code null}.
* @param notBefore
* NotBefore. Must not be {@code null}.
* @param notAfter
* NotAfter. Must not be {@code null}.
* @param caInfo
* CA information.
* @return the extensions of the certificate to be issued.
*/
public ExtensionValues getExtensions(X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions, SubjectPublicKeyInfo publicKeyInfo, PublicCaInfo publicCaInfo, X509Certificate crlSignerCert, Date notBefore, Date notAfter) throws CertprofileException, BadCertTemplateException {
ParamUtil.requireNonNull("publicKeyInfo", publicKeyInfo);
ExtensionValues values = new ExtensionValues();
Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls());
Set<ASN1ObjectIdentifier> neededExtTypes = new HashSet<>();
Set<ASN1ObjectIdentifier> wantedExtTypes = new HashSet<>();
if (requestedExtensions != null) {
Extension reqExtension = requestedExtensions.getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions);
if (reqExtension != null) {
ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue());
neededExtTypes.addAll(ee.getNeedExtensions());
wantedExtTypes.addAll(ee.getWantExtensions());
}
for (ASN1ObjectIdentifier oid : neededExtTypes) {
if (wantedExtTypes.contains(oid)) {
wantedExtTypes.remove(oid);
}
if (!controls.containsKey(oid)) {
throw new BadCertTemplateException("could not add needed extension " + oid.getId());
}
}
}
// SubjectKeyIdentifier
ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier;
ExtensionControl extControl = controls.remove(extType);
if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
byte[] encodedSpki = publicKeyInfo.getPublicKeyData().getBytes();
byte[] skiValue = HashAlgo.SHA1.hash(encodedSpki);
SubjectKeyIdentifier value = new SubjectKeyIdentifier(skiValue);
addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
}
// Authority key identifier
extType = Extension.authorityKeyIdentifier;
extControl = controls.remove(extType);
if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer();
AuthorityKeyIdentifier value = null;
if (ikiValue != null) {
if (certprofile.includesIssuerAndSerialInAki()) {
GeneralNames x509CaSubject = new GeneralNames(new GeneralName(publicCaInfo.getX500Subject()));
value = new AuthorityKeyIdentifier(ikiValue, x509CaSubject, publicCaInfo.getSerialNumber());
} else {
value = new AuthorityKeyIdentifier(ikiValue);
}
}
addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
}
// IssuerAltName
extType = Extension.issuerAlternativeName;
extControl = controls.remove(extType);
if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
GeneralNames value = publicCaInfo.getSubjectAltName();
addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
}
// AuthorityInfoAccess
extType = Extension.authorityInfoAccess;
extControl = controls.remove(extType);
if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl();
List<String> caIssuers = null;
if (aiaControl == null || aiaControl.isIncludesCaIssuers()) {
caIssuers = publicCaInfo.getCaCertUris();
}
List<String> ocspUris = null;
if (aiaControl == null || aiaControl.isIncludesOcsp()) {
ocspUris = publicCaInfo.getOcspUris();
}
if (CollectionUtil.isNonEmpty(caIssuers) || CollectionUtil.isNonEmpty(ocspUris)) {
AuthorityInformationAccess value = CaUtil.createAuthorityInformationAccess(caIssuers, ocspUris);
addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
}
}
if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) {
X500Name crlSignerSubject = (crlSignerCert == null) ? null : X500Name.getInstance(crlSignerCert.getSubjectX500Principal().getEncoded());
X500Name x500CaPrincipal = publicCaInfo.getX500Subject();
// CRLDistributionPoints
extType = Extension.cRLDistributionPoints;
extControl = controls.remove(extType);
if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
if (CollectionUtil.isNonEmpty(publicCaInfo.getCrlUris())) {
CRLDistPoint value = CaUtil.createCrlDistributionPoints(publicCaInfo.getCrlUris(), x500CaPrincipal, crlSignerSubject);
addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
}
}
// FreshestCRL
extType = Extension.freshestCRL;
extControl = controls.remove(extType);
if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
if (CollectionUtil.isNonEmpty(publicCaInfo.getDeltaCrlUris())) {
CRLDistPoint value = CaUtil.createCrlDistributionPoints(publicCaInfo.getDeltaCrlUris(), x500CaPrincipal, crlSignerSubject);
addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
}
}
}
// BasicConstraints
extType = Extension.basicConstraints;
extControl = controls.remove(extType);
if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
BasicConstraints value = CaUtil.createBasicConstraints(certprofile.getCertLevel(), certprofile.getPathLenBasicConstraint());
addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
}
// KeyUsage
extType = Extension.keyUsage;
extControl = controls.remove(extType);
if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
Set<KeyUsage> usages = new HashSet<>();
Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage();
for (KeyUsageControl k : usageOccs) {
if (k.isRequired()) {
usages.add(k.getKeyUsage());
}
}
// the optional KeyUsage will only be set if requested explicitly
if (requestedExtensions != null && extControl.isRequest()) {
addRequestedKeyusage(usages, requestedExtensions, usageOccs);
}
org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages);
addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
}
// ExtendedKeyUsage
extType = Extension.extendedKeyUsage;
extControl = controls.remove(extType);
if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
List<ASN1ObjectIdentifier> usages = new LinkedList<>();
Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages();
for (ExtKeyUsageControl k : usageOccs) {
if (k.isRequired()) {
usages.add(k.getExtKeyUsage());
}
}
// the optional ExtKeyUsage will only be set if requested explicitly
if (requestedExtensions != null && extControl.isRequest()) {
addRequestedExtKeyusage(usages, requestedExtensions, usageOccs);
}
if (extControl.isCritical() && usages.contains(ObjectIdentifiers.id_anyExtendedKeyUsage)) {
extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest());
}
ExtendedKeyUsage value = X509Util.createExtendedUsage(usages);
addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
}
// ocsp-nocheck
extType = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck;
extControl = controls.remove(extType);
if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
// the extension ocsp-nocheck will only be set if requested explicitly
DERNull value = DERNull.INSTANCE;
addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
}
// SubjectInfoAccess
extType = Extension.subjectInfoAccess;
extControl = controls.remove(extType);
if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) {
ASN1Sequence value = null;
if (requestedExtensions != null && extControl.isRequest()) {
value = createSubjectInfoAccess(requestedExtensions, certprofile.getSubjectInfoAccessModes());
}
addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes);
}
// remove extensions that are not required frrom the list
List<ASN1ObjectIdentifier> listToRm = null;
for (ASN1ObjectIdentifier extnType : controls.keySet()) {
ExtensionControl ctrl = controls.get(extnType);
if (ctrl.isRequired()) {
continue;
}
if (neededExtTypes.contains(extnType) || wantedExtTypes.contains(extnType)) {
continue;
}
if (listToRm == null) {
listToRm = new LinkedList<>();
}
listToRm.add(extnType);
}
if (listToRm != null) {
for (ASN1ObjectIdentifier extnType : listToRm) {
controls.remove(extnType);
}
}
ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, grantedSubject, requestedExtensions, notBefore, notAfter, publicCaInfo);
Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet());
for (ASN1ObjectIdentifier type : extTypes) {
extControl = controls.remove(type);
boolean addMe = addMe(type, extControl, neededExtTypes, wantedExtTypes);
if (addMe) {
ExtensionValue value = null;
if (requestedExtensions != null && extControl.isRequest()) {
Extension reqExt = requestedExtensions.getExtension(type);
if (reqExt != null) {
value = new ExtensionValue(reqExt.isCritical(), reqExt.getParsedValue());
}
}
if (value == null) {
value = subvalues.getExtensionValue(type);
}
addExtension(values, type, value, extControl, neededExtTypes, wantedExtTypes);
}
}
Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>();
for (ASN1ObjectIdentifier type : controls.keySet()) {
if (controls.get(type).isRequired()) {
unprocessedExtTypes.add(type);
}
}
if (CollectionUtil.isNonEmpty(unprocessedExtTypes)) {
throw new CertprofileException("could not add required extensions " + toString(unprocessedExtTypes));
}
if (CollectionUtil.isNonEmpty(neededExtTypes)) {
throw new BadCertTemplateException("could not add requested extensions " + toString(neededExtTypes));
}
return values;
}
Also used :
AuthorityInformationAccess(org.bouncycastle.asn1.x509.AuthorityInformationAccess)
AuthorityInfoAccessControl(org.xipki.ca.api.profile.x509.AuthorityInfoAccessControl)
HashMap(java.util.HashMap)
ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)
KeyUsage(org.xipki.security.KeyUsage)
KeyUsageControl(org.xipki.ca.api.profile.x509.KeyUsageControl)
ExtKeyUsageControl(org.xipki.ca.api.profile.x509.ExtKeyUsageControl)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
X500Name(org.bouncycastle.asn1.x500.X500Name)
ExtensionValue(org.xipki.ca.api.profile.ExtensionValue)
DERNull(org.bouncycastle.asn1.DERNull)
CertprofileException(org.xipki.ca.api.profile.CertprofileException)
ExtensionControl(org.xipki.ca.api.profile.ExtensionControl)
ExtensionValues(org.xipki.ca.api.profile.ExtensionValues)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)
HashSet(java.util.HashSet)
ExtKeyUsageControl(org.xipki.ca.api.profile.x509.ExtKeyUsageControl)
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
LinkedList(java.util.LinkedList)
Extension(org.bouncycastle.asn1.x509.Extension)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
ExtensionExistence(org.xipki.security.ExtensionExistence)
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 29 with GeneralNames
use of sun.security.x509.GeneralNames in project apiRecord by tobecoder2015.
the class CertUtil method genCert.
/**
* 动态生成服务器证书,并进行CA签授
*
* @param issuer 颁发机构
* @param serverPubKey
* @param caPriKey
* @param caPubKey
* @param host
* @return
* @throws Exception
*/
public static X509Certificate genCert(String issuer, PublicKey serverPubKey, PrivateKey caPriKey, PublicKey caPubKey, String host) throws Exception {
X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
/* String issuer = "C=CN, ST=GD, L=SZ, O=lee, OU=study, CN=ProxyeeRoot";
String subject = "C=CN, ST=GD, L=SZ, O=lee, OU=study, CN=" + host;*/
// 根据CA证书subject来动态生成目标服务器证书的issuer和subject
String subject = Arrays.stream(issuer.split(", ")).map((dn) -> {
String[] temp = dn.split("=");
if (temp[0].equalsIgnoreCase("CN")) {
return temp[0] + "=" + host;
}
return dn;
}).collect(Collectors.joining(", "));
v3CertGen.reset();
v3CertGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
v3CertGen.setIssuerDN(new X509Principal(issuer));
v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 10 * ONE_DAY));
v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + 3650 * ONE_DAY));
v3CertGen.setSubjectDN(new X509Principal(subject));
v3CertGen.setPublicKey(serverPubKey);
// SHA256 Chrome需要此哈希算法否则会出现不安全提示
v3CertGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
// SAN扩展 Chrome需要此扩展否则会出现不安全提示
GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.dNSName, host));
v3CertGen.addExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
X509Certificate cert = v3CertGen.generateX509Certificate(caPriKey);
cert.checkValidity(new Date());
cert.verify(caPubKey);
return cert;
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
IntStream(java.util.stream.IntStream)
java.security(java.security)
X509Principal(org.bouncycastle.jce.X509Principal)
Arrays(java.util.Arrays)
EncodedKeySpec(java.security.spec.EncodedKeySpec)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
CertificateFactory(java.security.cert.CertificateFactory)
PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec)
X509V3CertificateGenerator(org.bouncycastle.x509.X509V3CertificateGenerator)
Files(java.nio.file.Files)
Date(java.util.Date)
X509Extensions(org.bouncycastle.asn1.x509.X509Extensions)
FileInputStream(java.io.FileInputStream)
X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec)
Collectors(java.util.stream.Collectors)
TimeUnit(java.util.concurrent.TimeUnit)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
List(java.util.List)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
Paths(java.nio.file.Paths)
BigInteger(java.math.BigInteger)
URI(java.net.URI)
InputStream(java.io.InputStream)
X509V3CertificateGenerator(org.bouncycastle.x509.X509V3CertificateGenerator)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
X509Principal(org.bouncycastle.jce.X509Principal)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
Example 30 with GeneralNames
use of sun.security.x509.GeneralNames in project Bytecoder by mirkosertic.
the class Pair method createV3Extensions.
/**
* Create X509v3 extensions from a string representation. Note that the
* SubjectKeyIdentifierExtension will always be created non-critical besides
* the extension requested in the <code>extstr</code> argument.
*
* @param requestedEx the requested extensions, can be null, used for -gencert
* @param existingEx the original extensions, can be null, used for -selfcert
* @param extstrs -ext values, Read keytool doc
* @param pkey the public key for the certificate
* @param akey the public key for the authority (issuer)
* @return the created CertificateExtensions
*/
private CertificateExtensions createV3Extensions(CertificateExtensions requestedEx, CertificateExtensions existingEx, List<String> extstrs, PublicKey pkey, PublicKey akey) throws Exception {
if (existingEx != null && requestedEx != null) {
// This should not happen
throw new Exception("One of request and original should be null.");
}
// A new extensions always using OID as key
CertificateExtensions result = new CertificateExtensions();
if (existingEx != null) {
for (Extension ex : existingEx.getAllExtensions()) {
setExt(result, ex);
}
}
try {
// Honoring requested extensions
if (requestedEx != null) {
// The existing requestedEx might use names as keys,
// translate to all-OID first.
CertificateExtensions request2 = new CertificateExtensions();
for (sun.security.x509.Extension ex : requestedEx.getAllExtensions()) {
request2.set(ex.getId(), ex);
}
for (String extstr : extstrs) {
if (extstr.toLowerCase(Locale.ENGLISH).startsWith("honored=")) {
List<String> list = Arrays.asList(extstr.toLowerCase(Locale.ENGLISH).substring(8).split(","));
// First check existence of "all"
if (list.contains("all")) {
for (Extension ex : request2.getAllExtensions()) {
setExt(result, ex);
}
}
// one by one for others
for (String item : list) {
if (item.equals("all"))
continue;
// add or remove
boolean add;
// -1, unchanged, 0 critical, 1 non-critical
int action = -1;
String type = null;
if (item.startsWith("-")) {
add = false;
type = item.substring(1);
} else {
add = true;
int colonpos = item.indexOf(':');
if (colonpos >= 0) {
type = item.substring(0, colonpos);
action = oneOf(item.substring(colonpos + 1), "critical", "non-critical");
if (action == -1) {
throw new Exception(rb.getString("Illegal.value.") + item);
}
} else {
type = item;
}
}
String n = findOidForExtName(type).toString();
if (add) {
Extension e = request2.get(n);
if (!e.isCritical() && action == 0 || e.isCritical() && action == 1) {
e = Extension.newExtension(e.getExtensionId(), !e.isCritical(), e.getExtensionValue());
}
setExt(result, e);
} else {
result.delete(n);
}
}
break;
}
}
}
for (String extstr : extstrs) {
String name, value;
boolean isCritical = false;
int eqpos = extstr.indexOf('=');
if (eqpos >= 0) {
name = extstr.substring(0, eqpos);
value = extstr.substring(eqpos + 1);
} else {
name = extstr;
value = null;
}
int colonpos = name.indexOf(':');
if (colonpos >= 0) {
if (oneOf(name.substring(colonpos + 1), "critical") == 0) {
isCritical = true;
}
name = name.substring(0, colonpos);
}
if (name.equalsIgnoreCase("honored")) {
continue;
}
int exttype = oneOf(name, extSupported);
switch(exttype) {
case // BC
0:
int pathLen = -1;
boolean isCA = false;
if (value == null) {
isCA = true;
} else {
try {
// the abbr format
pathLen = Integer.parseInt(value);
isCA = true;
} catch (NumberFormatException ufe) {
// ca:true,pathlen:1
for (String part : value.split(",")) {
String[] nv = part.split(":");
if (nv.length != 2) {
throw new Exception(rb.getString("Illegal.value.") + extstr);
} else {
if (nv[0].equalsIgnoreCase("ca")) {
isCA = Boolean.parseBoolean(nv[1]);
} else if (nv[0].equalsIgnoreCase("pathlen")) {
pathLen = Integer.parseInt(nv[1]);
} else {
throw new Exception(rb.getString("Illegal.value.") + extstr);
}
}
}
}
}
setExt(result, new BasicConstraintsExtension(isCritical, isCA, pathLen));
break;
case // KU
1:
if (value != null) {
boolean[] ok = new boolean[9];
for (String s : value.split(",")) {
int p = oneOf(s, // (0),
"digitalSignature", // (1)
"nonRepudiation", // (2),
"keyEncipherment", // (3),
"dataEncipherment", // (4),
"keyAgreement", // (5),
"keyCertSign", // (6),
"cRLSign", // (7),
"encipherOnly", // (8)
"decipherOnly", // also (1)
"contentCommitment");
if (p < 0) {
throw new Exception(rb.getString("Unknown.keyUsage.type.") + s);
}
if (p == 9)
p = 1;
ok[p] = true;
}
KeyUsageExtension kue = new KeyUsageExtension(ok);
// The above KeyUsageExtension constructor does not
// allow isCritical value, so...
setExt(result, Extension.newExtension(kue.getExtensionId(), isCritical, kue.getExtensionValue()));
} else {
throw new Exception(rb.getString("Illegal.value.") + extstr);
}
break;
case // EKU
2:
if (value != null) {
Vector<ObjectIdentifier> v = new Vector<>();
for (String s : value.split(",")) {
int p = oneOf(s, "anyExtendedKeyUsage", // 1
"serverAuth", // 2
"clientAuth", // 3
"codeSigning", // 4
"emailProtection", // 5
"", // 6
"", // 7
"", // 8
"timeStamping", // 9
"OCSPSigning");
if (p < 0) {
try {
v.add(new ObjectIdentifier(s));
} catch (Exception e) {
throw new Exception(rb.getString("Unknown.extendedkeyUsage.type.") + s);
}
} else if (p == 0) {
v.add(new ObjectIdentifier("2.5.29.37.0"));
} else {
v.add(new ObjectIdentifier("1.3.6.1.5.5.7.3." + p));
}
}
setExt(result, new ExtendedKeyUsageExtension(isCritical, v));
} else {
throw new Exception(rb.getString("Illegal.value.") + extstr);
}
break;
// SAN
case 3:
case // IAN
4:
if (value != null) {
String[] ps = value.split(",");
GeneralNames gnames = new GeneralNames();
for (String item : ps) {
colonpos = item.indexOf(':');
if (colonpos < 0) {
throw new Exception("Illegal item " + item + " in " + extstr);
}
String t = item.substring(0, colonpos);
String v = item.substring(colonpos + 1);
gnames.add(createGeneralName(t, v));
}
if (exttype == 3) {
setExt(result, new SubjectAlternativeNameExtension(isCritical, gnames));
} else {
setExt(result, new IssuerAlternativeNameExtension(isCritical, gnames));
}
} else {
throw new Exception(rb.getString("Illegal.value.") + extstr);
}
break;
// SIA, always non-critical
case 5:
case // AIA, always non-critical
6:
if (isCritical) {
throw new Exception(rb.getString("This.extension.cannot.be.marked.as.critical.") + extstr);
}
if (value != null) {
List<AccessDescription> accessDescriptions = new ArrayList<>();
String[] ps = value.split(",");
for (String item : ps) {
colonpos = item.indexOf(':');
int colonpos2 = item.indexOf(':', colonpos + 1);
if (colonpos < 0 || colonpos2 < 0) {
throw new Exception(rb.getString("Illegal.value.") + extstr);
}
String m = item.substring(0, colonpos);
String t = item.substring(colonpos + 1, colonpos2);
String v = item.substring(colonpos2 + 1);
int p = oneOf(m, "", // 1
"ocsp", // 2
"caIssuers", // 3
"timeStamping", "", // 5
"caRepository");
ObjectIdentifier oid;
if (p < 0) {
try {
oid = new ObjectIdentifier(m);
} catch (Exception e) {
throw new Exception(rb.getString("Unknown.AccessDescription.type.") + m);
}
} else {
oid = new ObjectIdentifier("1.3.6.1.5.5.7.48." + p);
}
accessDescriptions.add(new AccessDescription(oid, createGeneralName(t, v)));
}
if (exttype == 5) {
setExt(result, new SubjectInfoAccessExtension(accessDescriptions));
} else {
setExt(result, new AuthorityInfoAccessExtension(accessDescriptions));
}
} else {
throw new Exception(rb.getString("Illegal.value.") + extstr);
}
break;
case // CRL, experimental, only support 1 distributionpoint
8:
if (value != null) {
String[] ps = value.split(",");
GeneralNames gnames = new GeneralNames();
for (String item : ps) {
colonpos = item.indexOf(':');
if (colonpos < 0) {
throw new Exception("Illegal item " + item + " in " + extstr);
}
String t = item.substring(0, colonpos);
String v = item.substring(colonpos + 1);
gnames.add(createGeneralName(t, v));
}
setExt(result, new CRLDistributionPointsExtension(isCritical, Collections.singletonList(new DistributionPoint(gnames, null, null))));
} else {
throw new Exception(rb.getString("Illegal.value.") + extstr);
}
break;
case -1:
ObjectIdentifier oid = new ObjectIdentifier(name);
byte[] data = null;
if (value != null) {
data = new byte[value.length() / 2 + 1];
int pos = 0;
for (char c : value.toCharArray()) {
int hex;
if (c >= '0' && c <= '9') {
hex = c - '0';
} else if (c >= 'A' && c <= 'F') {
hex = c - 'A' + 10;
} else if (c >= 'a' && c <= 'f') {
hex = c - 'a' + 10;
} else {
continue;
}
if (pos % 2 == 0) {
data[pos / 2] = (byte) (hex << 4);
} else {
data[pos / 2] += hex;
}
pos++;
}
if (pos % 2 != 0) {
throw new Exception(rb.getString("Odd.number.of.hex.digits.found.") + extstr);
}
data = Arrays.copyOf(data, pos / 2);
} else {
data = new byte[0];
}
setExt(result, new Extension(oid, isCritical, new DerValue(DerValue.tag_OctetString, data).toByteArray()));
break;
default:
throw new Exception(rb.getString("Unknown.extension.type.") + extstr);
}
}
// always non-critical
setExt(result, new SubjectKeyIdentifierExtension(new KeyIdentifier(pkey).getIdentifier()));
if (akey != null && !pkey.equals(akey)) {
setExt(result, new AuthorityKeyIdentifierExtension(new KeyIdentifier(akey), null, null));
}
} catch (IOException e) {
throw new RuntimeException(e);
}
return result;
}
Also used :
DerValue(sun.security.util.DerValue)
ObjectIdentifier(sun.security.util.ObjectIdentifier)
KeyStoreException(java.security.KeyStoreException)
UnrecoverableEntryException(java.security.UnrecoverableEntryException)
CertStoreException(java.security.cert.CertStoreException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
CertificateException(java.security.cert.CertificateException)
sun.security.x509(sun.security.x509)
Aggregations
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)86
GeneralName (org.bouncycastle.asn1.x509.GeneralName)71
IOException (java.io.IOException)35
X509Certificate (java.security.cert.X509Certificate)27
X500Name (org.bouncycastle.asn1.x500.X500Name)24
ArrayList (java.util.ArrayList)21
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)19
ContentSigner (org.bouncycastle.operator.ContentSigner)18
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)18
BigInteger (java.math.BigInteger)16
X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)16
JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)16
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)15
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)15
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)15
X500Principal (javax.security.auth.x500.X500Principal)14
DERIA5String (org.bouncycastle.asn1.DERIA5String)14
GeneralNames (sun.security.x509.GeneralNames)14
List (java.util.List)13
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)13
