List of usage examples for org.bouncycastle.asn1 DERIA5String getInstance
public static DERIA5String getInstance(Object obj)
From source file: org.keycloak.common.util.CRLUtils.java
License: Apache License
/**
 * Returns the CRL distribution point URLs carried in the certificate's
 * CRL Distribution Points (CRLDP) v3 extension.
 * See <a href="www.nakov.com/blog/2009/12/01/x509-certificate-validation-in-java-build-and-verify-cchain-and-verify-clr-with-bouncy-castle/">CRL validation</a>
 *
 * @param cert the certificate to inspect
 * @return the URIs of every FULL_NAME distribution point, in extension order;
 *         an empty list when the extension is absent
 * @throws IOException if the extension value cannot be read as ASN.1
 */
public static List<String> getCRLDistributionPoints(X509Certificate cert) throws IOException {
    byte[] extensionValue = cert.getExtensionValue(CRL_DISTRIBUTION_POINTS_OID);
    if (extensionValue == null) {
        // No CRLDP extension: nothing to report, the caller decides what that means.
        return Collections.emptyList();
    }

    // The extension value is an OCTET STRING wrapping the DER-encoded CRLDistPoint.
    DEROctetString wrapper;
    try (ASN1InputStream outer = new ASN1InputStream(new ByteArrayInputStream(extensionValue))) {
        wrapper = (DEROctetString) outer.readObject();
    }

    CRLDistPoint crlDistPoint;
    try (ASN1InputStream inner = new ASN1InputStream(new ByteArrayInputStream(wrapper.getOctets()))) {
        crlDistPoint = CRLDistPoint.getInstance(inner.readObject());
    }

    List<String> urls = new LinkedList<>();
    for (DistributionPoint point : crlDistPoint.getDistributionPoints()) {
        DistributionPointName pointName = point.getDistributionPoint();
        // Only FULL_NAME points carry GeneralNames; nameRelativeToCRLIssuer points are skipped.
        if (pointName == null || pointName.getType() != DistributionPointName.FULL_NAME) {
            continue;
        }
        for (GeneralName generalName : GeneralNames.getInstance(pointName.getName()).getNames()) {
            if (generalName.getTagNo() == GeneralName.uniformResourceIdentifier) {
                urls.add(DERIA5String.getInstance(generalName.getName()).getString());
            }
        }
    }
    return urls;
}
From source file: org.keycloak.common.util.OCSPUtils.java
License: Apache License
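/**
 * Extracts the OCSP responder URIs from the certificate's Authority Information
 * Access (AIA) v3 extension. A certificate may advertise several responders; only
 * access descriptions whose method is id-ad-ocsp and whose location is a URI are
 * returned (caIssuers entries are ignored).
 *
 * @param cert the certificate whose AIA extension is inspected
 * @return the responder URIs in extension order; empty if the extension is absent
 *         or carries no OCSP URI
 * @throws CertificateEncodingException if the certificate cannot be re-encoded or
 *         its AIA extension value is not readable ASN.1
 */
private static List<String> getResponderURIs(X509Certificate cert) throws CertificateEncodingException {
    LinkedList<String> responderURIs = new LinkedList<>();
    JcaX509CertificateHolder holder = new JcaX509CertificateHolder(cert);
    Extension aia = holder.getExtension(Extension.authorityInfoAccess);
    if (aia == null) {
        return responderURIs;
    }
    // try-with-resources: the stream was previously never closed.
    try (ASN1InputStream in = new ASN1InputStream(aia.getExtnValue().getOctetStream())) {
        // getInstance() validates the outer SEQUENCE itself, so no unchecked cast is needed.
        AuthorityInformationAccess authorityInfoAccess = AuthorityInformationAccess.getInstance(in.readObject());
        for (AccessDescription ad : authorityInfoAccess.getAccessDescriptions()) {
            if (!AccessDescription.id_ad_ocsp.equals(ad.getAccessMethod())) {
                continue;
            }
            // See https://www.ietf.org/rfc/rfc2560.txt, 3.1 Certificate Content
            GeneralName location = ad.getAccessLocation();
            if (location.getTagNo() == GeneralName.uniformResourceIdentifier) {
                responderURIs.add(DERIA5String.getInstance(location.getName()).getString());
            }
        }
    } catch (IOException e) {
        // A malformed AIA must not be silently reported as "no responder available"
        // (previously only printed to stderr); surface it through the exception type
        // this method already declares so the caller can decide how to treat it.
        throw new CertificateEncodingException("Cannot parse Authority Information Access extension", e);
    }
    return responderURIs;
}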
From source file: org.opensc.pkcs15.asn1.ref.URL.java
License: Apache License
/**
 * Decodes a URL reference from its ASN.1 representation.
 *
 * @param obj an existing {@code URL}, a DER IA5String, a DER PrintableString, or an
 *            ASN.1 tagged object holding a [3] URLWithDigest
 * @return the decoded instance ({@code obj} itself when it already is a {@code URL})
 * @throws IllegalArgumentException if {@code obj} is none of the accepted forms
 */
public static URL getInstance(Object obj) {
    if (obj instanceof URL) {
        return (URL) obj;
    }
    if (obj instanceof DERIA5String) {
        String text = DERIA5String.getInstance(obj).getString();
        return new URL(text);
    }
    if (obj instanceof DERPrintableString) {
        String text = DERPrintableString.getInstance(obj).getString();
        return new URL(text);
    }
    if (obj instanceof ASN1TaggedObject) {
        // The tagged form is delegated entirely, including validation of the tag number.
        return URLWithDigest.getInstance(obj);
    }
    throw new IllegalArgumentException(
            "URL must be encoded as an ASN.1 IA5String, PrintableString or [3]URLWithDigest.");
}
From source file: org.opensc.pkcs15.asn1.ref.URLWithDigest.java
License: Apache License
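/**
 * Decodes a URLWithDigest from its ASN.1 representation: a [3] tagged SEQUENCE
 * whose members are the IA5String url followed by a DigestInfo.
 *
 * @param obj an existing {@code URLWithDigest}, or an {@code ASN1TaggedObject} with tag 3
 * @return the decoded instance ({@code obj} itself when it already is a {@code URLWithDigest})
 * @throws IllegalArgumentException if the tag is not 3, the SEQUENCE lacks a member,
 *         or {@code obj} is neither accepted form
 */
public static URLWithDigest getInstance(Object obj) {
    if (obj instanceof URLWithDigest) {
        return (URLWithDigest) obj;
    }
    if (!(obj instanceof ASN1TaggedObject)) {
        // Message previously named "AccessControlRule" (copy-paste error); it now names this type.
        throw new IllegalArgumentException("URLWithDigest must be encoded as an ASN.1 tagged object.");
    }
    ASN1TaggedObject tagged = (ASN1TaggedObject) obj;
    if (tagged.getTagNo() != 3) {
        throw new IllegalArgumentException("Invalid tag [" + tagged.getTagNo() + "] in URL.");
    }
    ASN1Sequence seq = ASN1Sequence.getInstance(tagged.getObject());
    // Index by position instead of walking a raw Enumeration; the size checks keep
    // the original per-member error messages.
    if (seq.size() < 1) {
        throw new IllegalArgumentException("Missing url member in URLWithDigest SEQUENCE.");
    }
    if (seq.size() < 2) {
        throw new IllegalArgumentException("Missing digest member in URLWithDigest SEQUENCE.");
    }
    DERIA5String url = DERIA5String.getInstance(seq.getObjectAt(0));
    DigestInfo digest = DigestInfo.getInstance(seq.getObjectAt(1));
    return new URLWithDigest(url.getString(), digest);
}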
From source file: org.tdmx.client.crypto.certificate.TdmxZoneInfo.java
License: Open Source License
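/**
 * Reconstructs a TdmxZoneInfo from its ASN.1 SEQUENCE encoding, whose first three
 * members are the INTEGER version, the IA5String zoneRoot and the IA5String mrsUrl,
 * in that order. Additional trailing members are ignored, as before.
 *
 * @param seq the SEQUENCE to decode
 * @throws IllegalArgumentException if the SEQUENCE has fewer than three members or a
 *         member has the wrong ASN.1 type
 */
public TdmxZoneInfo(ASN1Sequence seq) {
    // Reject short input with a clear message instead of letting it surface as a
    // NoSuchElementException from the enumeration.
    if (seq.size() < 3) {
        throw new IllegalArgumentException(
                "TdmxZoneInfo SEQUENCE must have at least 3 members, found " + seq.size());
    }
    // getInstance() reports a wrong member type as IllegalArgumentException rather
    // than the ClassCastException the former cast produced.
    version = ASN1Integer.getInstance(seq.getObjectAt(0));
    zoneRoot = DERIA5String.getInstance(seq.getObjectAt(1));
    mrsUrl = DERIA5String.getInstance(seq.getObjectAt(2));
}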
From source file: org.wso2.carbon.identity.authenticator.pki.cert.validation.crl.CRLVerifier.java
License: Apache License
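/**
 * Extracts all CRL distribution point URLs from the "CRL Distribution Point"
 * extension in a X.509 certificate.
 *
 * @param cert the certificate to inspect
 * @return the trimmed URIs of every FULL_NAME distribution point, in extension order
 * @throws CertificateVerificationException if the extension is absent, cannot be
 *         parsed, or yields no URL
 */
private List<String> getCrlDistributionPoints(X509Certificate cert)
        throws CertificateVerificationException {
    // Gets the DER-encoded OCTET string for the extension value for CRLDistributionPoints
    byte[] crlDPExtensionValue = cert.getExtensionValue(X509Extensions.CRLDistributionPoints.getId());
    if (crlDPExtensionValue == null) {
        throw new CertificateVerificationException("Certificate doesn't have CRL Distribution points");
    }

    CRLDistPoint distPoint = parseCrlDistPoint(crlDPExtensionValue);

    List<String> crlUrls = new ArrayList<String>();
    for (DistributionPoint dp : distPoint.getDistributionPoints()) {
        DistributionPointName dpn = dp.getDistributionPoint();
        // Only FULL_NAME points carry GeneralNames; nameRelativeToCRLIssuer points are skipped.
        if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) {
            continue;
        }
        GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
        for (GeneralName genName : genNames) {
            if (genName.getTagNo() == GeneralName.uniformResourceIdentifier) {
                // A uniformResourceIdentifier is an IA5String, a restricted ASCII
                // character string type in the ASN.1 notation.
                String url = DERIA5String.getInstance(genName.getName()).getString().trim();
                crlUrls.add(url);
            }
        }
    }
    if (crlUrls.isEmpty()) {
        throw new CertificateVerificationException("Cant get CRL urls from certificate");
    }
    return crlUrls;
}

/**
 * Decodes the OCTET STRING extension value into a CRLDistPoint, closing both
 * ASN.1 input streams whether or not decoding succeeds (they were previously
 * never closed).
 *
 * @param extensionValue the raw value returned by {@code X509Certificate.getExtensionValue}
 * @return the decoded CRLDistPoint
 * @throws CertificateVerificationException if the value is not readable ASN.1
 */
private static CRLDistPoint parseCrlDistPoint(byte[] extensionValue)
        throws CertificateVerificationException {
    ASN1InputStream asn1In = null;
    ASN1InputStream asn1InOctets = null;
    try {
        // The extension value is DER: an OCTET STRING wrapping the CRLDistPoint encoding.
        asn1In = new ASN1InputStream(extensionValue);
        DEROctetString crlDEROctetString = (DEROctetString) asn1In.readObject();
        asn1InOctets = new ASN1InputStream(crlDEROctetString.getOctets());
        DERObject crlDERObject = asn1InOctets.readObject();
        return CRLDistPoint.getInstance(crlDERObject);
    } catch (IOException e) {
        throw new CertificateVerificationException("Cannot read certificate to get CRL urls", e);
    } finally {
        closeQuietly(asn1InOctets);
        closeQuietly(asn1In);
    }
}

/**
 * Closes a stream, tolerating a null reference and a failing close: by the time
 * this runs the payload has either been consumed or its read failure already reported.
 *
 * @param in the stream to close, may be null
 */
private static void closeQuietly(ASN1InputStream in) {
    if (in == null) {
        return;
    }
    try {
        in.close();
    } catch (IOException ignored) {
        // nothing useful left to do; the result or the read error has already been produced
    }
}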
From source file: org.wso2.carbon.identity.authenticator.pki.cert.validation.ocsp.OCSPVerifier.java
License: Apache License
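/**
 * Extracts the OCSP responder URLs from the Authority Information Access (AIA)
 * extension of an X.509 certificate. AIA is a non-critical extension that may
 * also list caIssuers locations; only access descriptions whose method is
 * id-ad-ocsp and whose location is a URI are returned.
 *
 * @param cert is the certificate
 * @return the OCSP responder URLs found in the AIA extension, in extension order
 * @throws CertificateVerificationException if the extension is absent, cannot be
 *         parsed, or contains no OCSP URL
 */
private List<String> getAIALocations(X509Certificate cert) throws CertificateVerificationException {
    // Gets the DER-encoded OCTET string for the extension value for Authority information access
    byte[] aiaExtensionValue = cert.getExtensionValue(X509Extensions.AuthorityInfoAccess.getId());
    if (aiaExtensionValue == null) {
        throw new CertificateVerificationException(
                "Certificate Doesnt have Authority Information Access points");
    }

    AuthorityInformationAccess authorityInformationAccess = parseAuthorityInformationAccess(aiaExtensionValue);

    List<String> ocspUrlList = new ArrayList<String>();
    AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions();
    for (AccessDescription accessDescription : accessDescriptions) {
        // Skip caIssuers and any other access method: an OCSP request sent to a
        // CA-certificate download URL can never produce a valid response, and
        // previously every URI in the extension was returned as a candidate.
        if (!AccessDescription.id_ad_ocsp.equals(accessDescription.getAccessMethod())) {
            continue;
        }
        GeneralName gn = accessDescription.getAccessLocation();
        if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
            DERIA5String str = DERIA5String.getInstance(gn.getName());
            ocspUrlList.add(str.getString());
        }
    }
    if (ocspUrlList.isEmpty()) {
        throw new CertificateVerificationException("Cant get OCSP urls from certificate");
    }
    return ocspUrlList;
}

/**
 * Decodes the OCTET STRING extension value into an AuthorityInformationAccess,
 * closing both ASN.1 input streams whether or not decoding succeeds (they were
 * previously never closed).
 *
 * @param extensionValue the raw value returned by {@code X509Certificate.getExtensionValue}
 * @return the decoded extension
 * @throws CertificateVerificationException if the value is not readable ASN.1
 */
private static AuthorityInformationAccess parseAuthorityInformationAccess(byte[] extensionValue)
        throws CertificateVerificationException {
    ASN1InputStream asn1In = null;
    ASN1InputStream asn1InOctets = null;
    try {
        asn1In = new ASN1InputStream(extensionValue);
        DEROctetString aiaDEROctetString = (DEROctetString) asn1In.readObject();
        asn1InOctets = new ASN1InputStream(aiaDEROctetString.getOctets());
        ASN1Sequence aiaASN1Sequence = (ASN1Sequence) asn1InOctets.readObject();
        return new AuthorityInformationAccess(aiaASN1Sequence);
    } catch (IOException e) {
        throw new CertificateVerificationException("Cannot read certificate to get OSCP urls", e);
    } finally {
        closeQuietly(asn1InOctets);
        closeQuietly(asn1In);
    }
}

/**
 * Closes a stream, tolerating a null reference and a failing close: by the time
 * this runs the payload has either been consumed or its read failure already reported.
 *
 * @param in the stream to close, may be null
 */
private static void closeQuietly(ASN1InputStream in) {
    if (in == null) {
        return;
    }
    try {
        in.close();
    } catch (IOException ignored) {
        // nothing useful left to do; the result or the read error has already been produced
    }
}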
From source file: org.xipki.pki.ca.qa.ExtensionsChecker.java
License: Open Source License
/**
 * Checks the issued certificate's qcStatements extension against the configured
 * expectation, appending every mismatch to {@code failureMsg}.
 *
 * Without a configured {@code qcStatements} profile the extension value is only
 * compared byte-for-byte with the value expected from the request. With a profile,
 * the statement count must match and each statement is compared by id and, where
 * the profile defines a value, by constant bytes, retention period, PDS locations
 * or QcEuLimit value; euLimit amounts/exponents given as a range in the profile are
 * taken from the request's own QcLimitValue statement for the same currency.
 *
 * @param failureMsg accumulator for violation descriptions
 * @param extensionValue the DER value of the qcStatements extension in the issued certificate
 * @param requestedExtensions extensions from the request, may be null
 * @param extControl control settings used when no profile is configured
 */
private void checkExtensionQcStatements(final StringBuilder failureMsg, final byte[] extensionValue,
        final Extensions requestedExtensions, final ExtensionControl extControl) {
    QcStatements conf = qcStatements;
    if (conf == null) {
        // No profile: the extension must equal whatever the request/control implies.
        byte[] expected = getExpectedExtValue(Extension.qCStatements, requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            addViolation(failureMsg, "extension values", extensionValue,
                    (expected == null) ? "not present" : hex(expected));
        }
        return;
    }

    final int expSize = conf.getQcStatement().size();
    ASN1Sequence extValue = ASN1Sequence.getInstance(extensionValue);
    final int isSize = extValue.size();
    if (isSize != expSize) {
        addViolation(failureMsg, "number of statements", isSize, expSize);
        return;
    }

    // extract the euLimit and pdsLocations data from request
    // (only the euLimit data is actually collected here; keyed by upper-cased currency)
    Map<String, int[]> reqQcEuLimits = new HashMap<>();
    Extension reqExtension = (requestedExtensions == null) ? null
            : requestedExtensions.getExtension(Extension.qCStatements);
    if (reqExtension != null) {
        ASN1Sequence seq = ASN1Sequence.getInstance(reqExtension.getParsedValue());
        final int n = seq.size();
        for (int j = 0; j < n; j++) {
            QCStatement stmt = QCStatement.getInstance(seq.getObjectAt(j));
            if (ObjectIdentifiers.id_etsi_qcs_QcLimitValue.equals(stmt.getStatementId())) {
                MonetaryValue monetaryValue = MonetaryValue.getInstance(stmt.getStatementInfo());
                int amount = monetaryValue.getAmount().intValue();
                int exponent = monetaryValue.getExponent().intValue();
                Iso4217CurrencyCode currency = monetaryValue.getCurrency();
                String currencyS = currency.isAlphabetic() ? currency.getAlphabetic().toUpperCase()
                        : Integer.toString(currency.getNumeric());
                reqQcEuLimits.put(currencyS, new int[] { amount, exponent });
            }
        }
    }

    // Statements are compared positionally: statement i of the certificate against
    // entry i of the profile.
    for (int i = 0; i < expSize; i++) {
        QCStatement is = QCStatement.getInstance(extValue.getObjectAt(i));
        QcStatementType exp = conf.getQcStatement().get(i);
        if (!is.getStatementId().getId().equals(exp.getStatementId().getValue())) {
            addViolation(failureMsg, "statmentId[" + i + "]", is.getStatementId().getId(),
                    exp.getStatementId().getValue());
            continue;
        }

        // Presence of statementInfo must agree with whether the profile defines a value.
        if (exp.getStatementValue() == null) {
            if (is.getStatementInfo() != null) {
                addViolation(failureMsg, "statmentInfo[" + i + "]", "present", "absent");
            }
            continue;
        }

        if (is.getStatementInfo() == null) {
            addViolation(failureMsg, "statmentInfo[" + i + "]", "absent", "present");
            continue;
        }

        QcStatementValueType expStatementValue = exp.getStatementValue();
        try {
            if (expStatementValue.getConstant() != null) {
                // Fixed value: compare the DER encoding byte-for-byte.
                byte[] expValue = expStatementValue.getConstant().getValue();
                byte[] isValue = is.getStatementInfo().toASN1Primitive().getEncoded();
                if (!Arrays.equals(isValue, expValue)) {
                    addViolation(failureMsg, "statementInfo[" + i + "]", hex(isValue), hex(expValue));
                }
            } else if (expStatementValue.getQcRetentionPeriod() != null) {
                String isValue = ASN1Integer.getInstance(is.getStatementInfo()).toString();
                String expValue = expStatementValue.getQcRetentionPeriod().toString();
                if (!isValue.equals(expValue)) {
                    addViolation(failureMsg, "statementInfo[" + i + "]", isValue, expValue);
                }
            } else if (expStatementValue.getPdsLocations() != null) {
                // PDS locations are compared as sets of "url=...,lang=..." strings in both directions.
                Set<String> pdsLocations = new HashSet<>();
                ASN1Sequence pdsLocsSeq = ASN1Sequence.getInstance(is.getStatementInfo());
                int size = pdsLocsSeq.size();
                for (int k = 0; k < size; k++) {
                    ASN1Sequence pdsLocSeq = ASN1Sequence.getInstance(pdsLocsSeq.getObjectAt(k));
                    int size2 = pdsLocSeq.size();
                    if (size2 != 2) {
                        // NOTE(review): IllegalArgumentException is not caught by the IOException
                        // handler below, so a malformed PdsLocation aborts the whole check.
                        throw new IllegalArgumentException("sequence size is " + size2 + " but expected 2");
                    }
                    String url = DERIA5String.getInstance(pdsLocSeq.getObjectAt(0)).getString();
                    String lang = DERPrintableString.getInstance(pdsLocSeq.getObjectAt(1)).getString();
                    pdsLocations.add("url=" + url + ",lang=" + lang);
                }

                PdsLocationsType pdsLocationsConf = expStatementValue.getPdsLocations();
                Set<String> expectedPdsLocations = new HashSet<>();
                for (PdsLocationType m : pdsLocationsConf.getPdsLocation()) {
                    expectedPdsLocations.add("url=" + m.getUrl() + ",lang=" + m.getLanguage());
                }

                Set<String> diffs = strInBnotInA(expectedPdsLocations, pdsLocations);
                if (CollectionUtil.isNonEmpty(diffs)) {
                    failureMsg.append("statementInfo[" + i + "]: ").append(diffs.toString());
                    failureMsg.append(" are present but not expected; ");
                }

                diffs = strInBnotInA(pdsLocations, expectedPdsLocations);
                if (CollectionUtil.isNonEmpty(diffs)) {
                    failureMsg.append("statementInfo[" + i + "]: ").append(diffs.toString());
                    failureMsg.append(" are absent but are required; ");
                }
            } else if (expStatementValue.getQcEuLimitValue() != null) {
                QcEuLimitValueType euLimitConf = expStatementValue.getQcEuLimitValue();
                String expCurrency = euLimitConf.getCurrency().toUpperCase();
                int[] expAmountExp = reqQcEuLimits.get(expCurrency);

                // A profile range with min == max is a fixed value; otherwise the value
                // must come from the request's QcLimitValue for this currency.
                Range2Type range = euLimitConf.getAmount();
                int value;
                if (range.getMin() == range.getMax()) {
                    value = range.getMin();
                } else if (expAmountExp != null) {
                    value = expAmountExp[0];
                } else {
                    // Note: this return ends the whole check, statements after i are not examined.
                    failureMsg.append("found no QcEuLimit for currency '").append(expCurrency).append("'; ");
                    return;
                }
                // CHECKSTYLE:SKIP
                String expAmount = Integer.toString(value);

                range = euLimitConf.getExponent();
                if (range.getMin() == range.getMax()) {
                    value = range.getMin();
                } else if (expAmountExp != null) {
                    value = expAmountExp[1];
                } else {
                    // Same early exit as for the amount above.
                    failureMsg.append("found no QcEuLimit for currency '").append(expCurrency).append("'; ");
                    return;
                }
                String expExponent = Integer.toString(value);

                MonetaryValue monterayValue = MonetaryValue.getInstance(is.getStatementInfo());
                Iso4217CurrencyCode currency = monterayValue.getCurrency();
                // NOTE(review): unlike expCurrency and the request-side key, the certificate's
                // alphabetic currency is not upper-cased here, so a lower-case code in the
                // certificate is reported as a currency mismatch — confirm whether intended.
                String isCurrency = currency.isAlphabetic() ? currency.getAlphabetic()
                        : Integer.toString(currency.getNumeric());
                String isAmount = monterayValue.getAmount().toString();
                String isExponent = monterayValue.getExponent().toString();

                if (!isCurrency.equals(expCurrency)) {
                    addViolation(failureMsg, "statementInfo[" + i + "].qcEuLimit.currency",
                            isCurrency, expCurrency);
                }
                if (!isAmount.equals(expAmount)) {
                    addViolation(failureMsg, "statementInfo[" + i + "].qcEuLimit.amount",
                            isAmount, expAmount);
                }
                if (!isExponent.equals(expExponent)) {
                    addViolation(failureMsg, "statementInfo[" + i + "].qcEuLimit.exponent",
                            isExponent, expExponent);
                }
            } else {
                // Every QcStatementValueType alternative is handled above.
                throw new RuntimeException("statementInfo[" + i + "]should not reach here");
            }
        } catch (IOException ex) {
            // Only getEncoded() in the constant branch can throw this.
            failureMsg.append("statementInfo[").append(i).append("] has incorrect syntax; ");
        }
    }
}
From source file: org.xwiki.crypto.pkix.params.x509certificate.extension.X509DnsName.java
License: Open Source License
/**
 * Create a new instance from a Bouncy Castle general name.
 *
 * @param name the Bouncy Castle general name; must carry the dNSName tag.
 * @throws IllegalArgumentException if the name carries any other tag.
 */
public X509DnsName(GeneralName name) {
    int tag = name.getTagNo();
    if (tag != GeneralName.dNSName) {
        throw new IllegalArgumentException("Incompatible general name: " + tag);
    }
    // A dNSName is an IA5String, so the payload decodes straight to a String.
    DERIA5String encoded = DERIA5String.getInstance(name.getName());
    this.domain = encoded.getString();
}
From source file: org.xwiki.crypto.pkix.params.x509certificate.extension.X509Rfc822Name.java
License: Open Source License
/** * Create a new instance from a Bouncy Castle general name. * * @param name the Bouncy Castle general name. *///w w w . j a v a 2 s .c om public X509Rfc822Name(GeneralName name) { this(DERIA5String.getInstance(name.getName()).getString()); if (name.getTagNo() != GeneralName.rfc822Name) { throw new IllegalArgumentException("Incompatible general name: " + name.getTagNo()); } }