List of usage examples for org.bouncycastle.asn1.x500 X500Name getRDNs
public RDN[] getRDNs(ASN1ObjectIdentifier attributeType)
From source file:org.xipki.pki.ca.qa.SubjectChecker.java
License:Open Source License
/**
 * Validates the subject of an issued certificate against the subject control of the
 * profile and against the subject that was requested.
 *
 * <p>The result always starts with the RDN-group issue ({@code X509.SUBJECT.group}),
 * followed by one issue per attribute type that is either configured in the subject
 * control or present in {@code subject}. A {@link BadCertTemplateException} raised while
 * checking an attribute is converted into an {@code X509.SUBJECT.REQUEST} issue instead
 * of being propagated.
 *
 * @param subject the subject of the issued certificate (must not be {@code null})
 * @param requestedSubject the subject taken from the request (must not be {@code null})
 * @return the list of validation issues, never empty
 */
public List<ValidationIssue> checkSubject(final X500Name subject, final X500Name requestedSubject) {
    ParamUtil.requireNonNull("subject", subject);
    ParamUtil.requireNonNull("requestedSubject", requestedSubject);

    // attribute types to check: everything the control knows plus everything actually present
    Set<ASN1ObjectIdentifier> typesToCheck = new HashSet<>();
    for (ASN1ObjectIdentifier configured : subjectControl.getTypes()) {
        typesToCheck.add(configured);
    }
    for (ASN1ObjectIdentifier present : subject.getAttributeTypes()) {
        typesToCheck.add(present);
    }

    List<ValidationIssue> issues = new LinkedList<>();
    ValidationIssue groupIssue = new ValidationIssue("X509.SUBJECT.group", "X509 subject RDN group");
    issues.add(groupIssue);

    // every configured group must have all of its attribute types inside one single RDN
    if (CollectionUtil.isNonEmpty(subjectControl.getGroups())) {
        for (String group : new HashSet<>(subjectControl.getGroups())) {
            if (!isGroupInSingleRdn(subject, group)) {
                groupIssue.setFailureMessage(
                        "AttributeTypeAndValues of group " + group + " is not in one RDN");
                break; // only the first violated group is reported
            }
        }
    }

    for (ASN1ObjectIdentifier type : typesToCheck) {
        ValidationIssue attributeIssue;
        try {
            attributeIssue = checkSubjectAttribute(type, subject, requestedSubject);
        } catch (BadCertTemplateException ex) {
            attributeIssue = new ValidationIssue("X509.SUBJECT.REQUEST", "Subject in request");
            attributeIssue.setFailureMessage(ex.getMessage());
        }
        issues.add(attributeIssue);
    }
    return issues;
}

/**
 * Returns {@code true} when all attribute types of {@code group} that occur in
 * {@code subject} live in the same RDN (types absent from the subject are ignored).
 * A type that occurs in more than one RDN, or in a different RDN than an earlier type
 * of the group, makes the group invalid.
 */
private boolean isGroupInSingleRdn(final X500Name subject, final String group) {
    RDN sharedRdn = null;
    for (ASN1ObjectIdentifier type : subjectControl.getTypesForGroup(group)) {
        RDN[] matching = subject.getRDNs(type);
        if (matching == null || matching.length == 0) {
            continue;
        }
        if (matching.length > 1) {
            return false;
        }
        if (sharedRdn == null) {
            sharedRdn = matching[0];
        } else if (sharedRdn != matching[0]) {
            // identity comparison on purpose: it must be the very same RDN object
            return false;
        }
    }
    return true;
}
From source file:org.xipki.pki.ca.qa.SubjectChecker.java
License:Open Source License
/**
 * Checks a subject attribute type that must not be multi-valued: every RDN of this type
 * has to carry exactly one AttributeTypeAndValue.
 *
 * <p>Checks performed, in order: the number of RDNs lies within the [minOccurs, maxOccurs]
 * range of the control (both 0 when no control exists); an optional attribute that was
 * requested must not be absent; each RDN is single-valued and its value passes
 * {@code getAtvValueString} and {@code checkAttributeTypeAndValue}. All per-RDN failures
 * are collected into one failure message separated by "; ".
 *
 * @param type the attribute type under test
 * @param subject the subject of the issued certificate
 * @param requestedSubject the subject from the request
 * @return the issue for this attribute type, with a failure message set when a check failed
 * @throws BadCertTemplateException if a requested value cannot be converted to text
 */
private ValidationIssue checkSubjectAttributeNotMultiValued(final ASN1ObjectIdentifier type,
        final X500Name subject, final X500Name requestedSubject) throws BadCertTemplateException {
    ValidationIssue issue = createSubjectIssue(type);

    RdnControl control = subjectControl.getControl(type);
    final int minOccurs = (control != null) ? control.getMinOccurs() : 0;
    final int maxOccurs = (control != null) ? control.getMaxOccurs() : 0;

    RDN[] presentRdns = subject.getRDNs(type);
    final int presentCount = (presentRdns != null) ? presentRdns.length : 0;
    if (presentCount < minOccurs || presentCount > maxOccurs) {
        issue.setFailureMessage("number of RDNs '" + presentCount + "' is not within ["
                + minOccurs + ", " + maxOccurs + "]");
        return issue;
    }

    RDN[] requestedRdns = requestedSubject.getRDNs(type);
    if (presentCount == 0) {
        // the attribute is optional here; it may still be an error if the request asked for it
        boolean wasRequested = requestedRdns != null && requestedRdns.length > 0;
        if (maxOccurs > 0 && wasRequested) {
            issue.setFailureMessage("is absent but expected present");
        }
        return issue;
    }

    StringBuilder failures = new StringBuilder();
    StringType stringType = (control != null) ? control.getStringType() : null;

    List<String> requestedTextValues = new LinkedList<>();
    if (requestedRdns != null) {
        for (RDN requested : requestedRdns) {
            requestedTextValues.add(getRdnTextValueOfRequest(requested));
        }
        if (control != null && control.getPatterns() != null) {
            // bring the requested values into the order the patterns expect
            requestedTextValues = sort(requestedTextValues, control.getPatterns());
        }
    }

    if (presentRdns == null) {
        // cannot happen (presentCount would be 0); kept for static null analysis
        return issue;
    }

    for (int idx = 0; idx < presentRdns.length; idx++) {
        final String location = "RDN[" + idx + "]";
        AttributeTypeAndValue[] atvs = presentRdns[idx].getTypesAndValues();
        if (atvs.length > 1) {
            failures.append("size of " + location + " is '" + atvs.length + "' but expected '1'; ");
            continue;
        }
        String textValue = getAtvValueString(location, atvs[0], stringType, failures);
        if (textValue != null) {
            checkAttributeTypeAndValue(location, type, textValue, control,
                    requestedTextValues, idx, failures);
        }
    }

    final int msgLen = failures.length();
    if (msgLen > 2) {
        // drop the trailing "; " separator
        failures.delete(msgLen - 2, msgLen);
        issue.setFailureMessage(failures.toString());
    }
    return issue;
}
From source file:org.xipki.pki.ca.qa.SubjectChecker.java
License:Open Source License
/**
 * Checks a subject attribute type that is allowed to be multi-valued: the type must occur
 * in exactly one RDN, and that RDN may carry several AttributeTypeAndValues of the type.
 *
 * <p>Checks performed, in order: exactly one RDN of this type exists (an absent attribute
 * that was requested is reported as such); the number of AttributeTypeAndValues of the
 * type inside that RDN lies within the [minOccurs, maxOccurs] range of the control (both 0
 * when no control exists); each value passes {@code getAtvValueString} and
 * {@code checkAttributeTypeAndValue}. Per-value failures are joined with "; ".
 *
 * @param type the attribute type under test
 * @param subject the subject of the issued certificate
 * @param requestedSubject the subject from the request
 * @return the issue for this attribute type, with a failure message set when a check failed
 * @throws BadCertTemplateException if a requested value cannot be converted to text
 */
private ValidationIssue checkSubjectAttributeMultiValued(final ASN1ObjectIdentifier type,
        final X500Name subject, final X500Name requestedSubject) throws BadCertTemplateException {
    ValidationIssue issue = createSubjectIssue(type);

    RDN[] presentRdns = subject.getRDNs(type);
    final int presentCount = (presentRdns != null) ? presentRdns.length : 0;
    RDN[] requestedRdns = requestedSubject.getRDNs(type);

    if (presentCount == 0) {
        // optional here, but an error if the request asked for it
        if (requestedRdns != null && requestedRdns.length > 0) {
            issue.setFailureMessage("is absent but expected present");
        }
        return issue;
    }
    if (presentCount != 1) {
        issue.setFailureMessage("number of RDNs '" + presentCount + "' is not 1");
        return issue;
    }

    final RdnControl control = subjectControl.getControl(type);
    StringType stringType = (control != null) ? control.getStringType() : null;

    List<String> requestedTextValues = new LinkedList<>();
    if (requestedRdns != null) {
        for (RDN requested : requestedRdns) {
            requestedTextValues.add(getRdnTextValueOfRequest(requested));
        }
        if (control != null && control.getPatterns() != null) {
            // bring the requested values into the order the patterns expect
            requestedTextValues = sort(requestedTextValues, control.getPatterns());
        }
    }

    if (presentRdns == null) {
        // cannot happen (presentCount is 1 here); kept for static null analysis
        return issue;
    }

    StringBuilder failures = new StringBuilder();

    // only the AttributeTypeAndValues of the requested type count; others in the RDN are ignored
    List<AttributeTypeAndValue> matchingAtvs = new LinkedList<>();
    for (AttributeTypeAndValue candidate : presentRdns[0].getTypesAndValues()) {
        if (type.equals(candidate.getType())) {
            matchingAtvs.add(candidate);
        }
    }

    final int matchingCount = matchingAtvs.size();
    final int minOccurs = (control != null) ? control.getMinOccurs() : 0;
    final int maxOccurs = (control != null) ? control.getMaxOccurs() : 0;
    if (matchingCount < minOccurs || matchingCount > maxOccurs) {
        issue.setFailureMessage("number of AttributeTypeAndValuess '" + matchingCount
                + "' is not within [" + minOccurs + ", " + maxOccurs + "]");
        return issue;
    }

    int idx = 0;
    for (AttributeTypeAndValue atv : matchingAtvs) {
        final String location = "AttributeTypeAndValue[" + idx + "]";
        String textValue = getAtvValueString(location, atv, stringType, failures);
        if (textValue != null) {
            checkAttributeTypeAndValue(location, type, textValue, control,
                    requestedTextValues, idx, failures);
        }
        idx++;
    }

    final int msgLen = failures.length();
    if (msgLen > 2) {
        // drop the trailing "; " separator
        failures.delete(msgLen - 2, msgLen);
        issue.setFailureMessage(failures.toString());
    }
    return issue;
}
From source file:org.xipki.pki.ca.server.impl.X509Ca.java
License:Open Source License
/**
 * Turns a requested certificate template into the template the CA is actually willing to
 * sign, applying the policy of the CA and of the selected certificate profile.
 *
 * <p>Work done here, in order: reject revoked CAs, unknown profiles, profiles without a
 * usable signer, non-v3 profiles and RA-only profiles used outside an RA; strip empty RDNs
 * from the requested subject and reject a subject serialNumber when the profile forbids it;
 * derive notBefore (never in the past, never before the CA's own notBefore, optionally
 * snapped to midnight, and not after the CA's issuing cut-off); normalise and profile-check
 * the public key; apply the gematik gSMC-K commonName suffix rule; let the profile build the
 * granted subject and reject empty subjects and subjects equal to the CA's; check key/subject
 * status for key updates and duplicate keys for new issuance; derive notAfter from the
 * profile/CA validity, the absolute cap {@code MAX_CERT_TIME_MS}, the gSMC-K lifetime and
 * the CA's validity mode.
 *
 * @param certTemplate the requested template (must not be {@code null})
 * @param requestedByRa whether the request came through an RA; required for RA-only profiles
 * @param requestor the requestor; not read by this method in its current form
 * @param keyUpdate {@code true} for a key update of an existing certificate, {@code false}
 *        for new issuance (which triggers the duplicate-key check instead)
 * @return the granted template, with the granted subject already set
 * @throws OperationException with the matching {@code ErrorCode} for every policy violation;
 *         a {@link RuntimeException} is thrown for an unknown CA validity mode
 */
private GrantedCertTemplate createGrantedCertTemplate(final CertTemplateData certTemplate,
        final boolean requestedByRa, final RequestorInfo requestor, final boolean keyUpdate)
        throws OperationException {
    ParamUtil.requireNonNull("certTemplate", certTemplate);

    if (caInfo.getRevocationInfo() != null) {
        throw new OperationException(ErrorCode.NOT_PERMITTED, "CA is revoked");
    }

    IdentifiedX509Certprofile certprofile = getX509Certprofile(certTemplate.getCertprofileName());
    if (certprofile == null) {
        throw new OperationException(ErrorCode.UNKNOWN_CERT_PROFILE,
                "unknown cert profile " + certTemplate.getCertprofileName());
    }

    // the CA must be able to sign with at least one algorithm the profile allows
    ConcurrentContentSigner signer = caInfo.getSigner(certprofile.getSignatureAlgorithms());
    if (signer == null) {
        throw new OperationException(ErrorCode.SYSTEM_FAILURE,
                "CA does not support any signature algorithm restricted by the cert profile");
    }

    final String certprofileName = certprofile.getName();

    if (certprofile.getVersion() != X509CertVersion.v3) {
        throw new OperationException(ErrorCode.SYSTEM_FAILURE,
                "unknown cert version " + certprofile.getVersion());
    }

    if (certprofile.isOnlyForRa() && !requestedByRa) {
        throw new OperationException(ErrorCode.NOT_PERMITTED,
                "profile " + certprofileName + " not applied to non-RA");
    }

    X500Name requestedSubject = removeEmptyRdns(certTemplate.getSubject());

    // a client-supplied subject serialNumber is only honoured when the profile permits it
    if (!certprofile.isSerialNumberInReqPermitted()) {
        RDN[] rdns = requestedSubject.getRDNs(ObjectIdentifiers.DN_SN);
        if (rdns != null && rdns.length > 0) {
            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE,
                    "subjectDN SerialNumber in request is not permitted");
        }
    }

    // --- notBefore -----------------------------------------------------------------
    Date now = new Date();
    Date reqNotBefore;
    // a requested notBefore is only used when it lies in the future; otherwise "now"
    if (certTemplate.getNotBefore() != null && certTemplate.getNotBefore().after(now)) {
        reqNotBefore = certTemplate.getNotBefore();
    } else {
        reqNotBefore = now;
    }
    Date grantedNotBefore = certprofile.getNotBefore(reqNotBefore);
    // notBefore in the past is not permitted
    if (grantedNotBefore.before(now)) {
        grantedNotBefore = now;
    }

    if (certprofile.hasMidnightNotBefore()) {
        grantedNotBefore = setToMidnight(grantedNotBefore, certprofile.getTimezone());
    }

    // never before the CA certificate itself becomes valid; re-apply the midnight rule after clamping
    if (grantedNotBefore.before(caInfo.getNotBefore())) {
        grantedNotBefore = caInfo.getNotBefore();
        if (certprofile.hasMidnightNotBefore()) {
            grantedNotBefore = setToMidnight(grantedNotBefore, certprofile.getTimezone());
        }
    }

    long time = caInfo.getNoNewCertificateAfter();
    if (grantedNotBefore.getTime() > time) {
        throw new OperationException(ErrorCode.NOT_PERMITTED,
                "CA is not permitted to issue certifate after " + new Date(time));
    }

    // --- public key ----------------------------------------------------------------
    SubjectPublicKeyInfo grantedPublicKeyInfo;
    try {
        grantedPublicKeyInfo = X509Util.toRfc3279Style(certTemplate.getPublicKeyInfo());
    } catch (InvalidKeySpecException ex) {
        // NOTE(review): the cause ex is not attached to the thrown exception
        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "invalid SubjectPublicKeyInfo");
    }

    // public key
    try {
        grantedPublicKeyInfo = certprofile.checkPublicKey(grantedPublicKeyInfo);
    } catch (BadCertTemplateException ex) {
        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
    }

    // --- gematik gSMC-K: commonName gets a "-yyyyMMdd" suffix (UTC) derived from the
    // notBefore of the first certificate issued with this commonName prefix and profile ---
    Date gsmckFirstNotBefore = null;
    if (certprofile.getSpecialCertprofileBehavior()
            == SpecialX509CertprofileBehavior.gematik_gSMC_K) {
        gsmckFirstNotBefore = grantedNotBefore;

        RDN[] cnRdns = requestedSubject.getRDNs(ObjectIdentifiers.DN_CN);
        if (cnRdns != null && cnRdns.length > 0) {
            String requestedCn = X509Util.rdnValueToString(cnRdns[0].getFirst().getValue());
            Long gsmckFirstNotBeforeInSecond = certstore
                    .getNotBeforeOfFirstCertStartsWithCommonName(requestedCn, certprofileName);
            if (gsmckFirstNotBeforeInSecond != null) {
                gsmckFirstNotBefore = new Date(gsmckFirstNotBeforeInSecond * MS_PER_SECOND);
            }

            // append the commonName with '-' + yyyyMMdd
            SimpleDateFormat dateF = new SimpleDateFormat("yyyyMMdd");
            dateF.setTimeZone(new SimpleTimeZone(0, "Z"));
            String yyyyMMdd = dateF.format(gsmckFirstNotBefore);
            String suffix = "-" + yyyyMMdd;

            // append the -yyyyMMdd to the commonName; only the first ATV of each RDN is inspected
            RDN[] rdns = requestedSubject.getRDNs();
            for (int i = 0; i < rdns.length; i++) {
                if (ObjectIdentifiers.DN_CN.equals(rdns[i].getFirst().getType())) {
                    rdns[i] = new RDN(ObjectIdentifiers.DN_CN,
                            new DERUTF8String(requestedCn + suffix));
                }
            }
            requestedSubject = new X500Name(rdns);
        } // end if
    } // end if

    // --- subject -------------------------------------------------------------------
    // subject
    SubjectInfo subjectInfo;
    try {
        subjectInfo = certprofile.getSubject(requestedSubject);
    } catch (CertprofileException ex) {
        // NOTE(review): the cause ex is not attached to the thrown exception
        throw new OperationException(ErrorCode.SYSTEM_FAILURE,
                "exception in cert profile " + certprofileName);
    } catch (BadCertTemplateException ex) {
        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
    }

    X500Name grantedSubject = subjectInfo.getGrantedSubject();

    // make sure that empty subject is not permitted
    ASN1ObjectIdentifier[] attrTypes = grantedSubject.getAttributeTypes();
    if (attrTypes == null || attrTypes.length == 0) {
        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "empty subject is not permitted");
    }

    // make sure that the grantedSubject does not equal the CA's subject (compared in canonical form)
    if (X509Util.canonicalizName(grantedSubject)
            .equals(caInfo.getPublicCaInfo().getC14nSubject())) {
        throw new OperationException(ErrorCode.ALREADY_ISSUED,
                "certificate with the same subject as CA is not allowed");
    }

    // duplicate keys are allowed only when both the CA and the profile allow them
    boolean duplicateKeyPermitted = caInfo.isDuplicateKeyPermitted();
    if (duplicateKeyPermitted && !certprofile.isDuplicateKeyPermitted()) {
        duplicateKeyPermitted = false;
    }

    byte[] subjectPublicKeyData = grantedPublicKeyInfo.getPublicKeyData().getBytes();
    long fpPublicKey = FpIdCalculator.hash(subjectPublicKeyData);

    if (keyUpdate) {
        // a key update requires a known, non-revoked certificate for this subject
        CertStatus certStatus = certstore.getCertStatusForSubject(caInfo.getCertificate(),
                grantedSubject);
        if (certStatus == CertStatus.REVOKED) {
            throw new OperationException(ErrorCode.CERT_REVOKED);
        } else if (certStatus == CertStatus.UNKNOWN) {
            throw new OperationException(ErrorCode.UNKNOWN_CERT);
        }
    } else {
        if (!duplicateKeyPermitted) {
            if (certstore.isCertForKeyIssued(caInfo.getCertificate(), fpPublicKey)) {
                throw new OperationException(ErrorCode.ALREADY_ISSUED,
                        "certificate for the given public key already issued");
            }
        }
        // duplicateSubject check will be processed later
    } // end if(keyUpdate)

    // warnings are collected as ", <text>" fragments; the leading ", " is stripped at the end
    StringBuilder msgBuilder = new StringBuilder();
    if (subjectInfo.getWarning() != null) {
        msgBuilder.append(", ").append(subjectInfo.getWarning());
    }

    // --- notAfter ------------------------------------------------------------------
    // profile validity, capped by the CA's maximum validity
    CertValidity validity = certprofile.getValidity();
    if (validity == null) {
        validity = caInfo.getMaxValidity();
    } else if (validity.compareTo(caInfo.getMaxValidity()) > 0) {
        validity = caInfo.getMaxValidity();
    }

    Date maxNotAfter = validity.add(grantedNotBefore);
    if (maxNotAfter.getTime() > MAX_CERT_TIME_MS) {
        maxNotAfter = new Date(MAX_CERT_TIME_MS);
    }

    // CHECKSTYLE:SKIP
    Date origMaxNotAfter = maxNotAfter;

    // gSMC-K: total lifetime counted from the first certificate's notBefore is bounded
    // by the profile parameter (in days)
    if (certprofile.getSpecialCertprofileBehavior()
            == SpecialX509CertprofileBehavior.gematik_gSMC_K) {
        String str = certprofile.getParameter(SpecialX509CertprofileBehavior.PARAMETER_MAXLIFTIME);
        long maxLifetimeInDays = Long.parseLong(str);
        // gsmckFirstNotBefore was set above under the same behavior condition
        @SuppressWarnings("null")
        Date maxLifetime = new Date(
                gsmckFirstNotBefore.getTime() + maxLifetimeInDays * DAY_IN_MS - MS_PER_SECOND);
        if (maxNotAfter.after(maxLifetime)) {
            maxNotAfter = maxLifetime;
        }
    }

    // a requested notAfter is honoured up to maxNotAfter; exceeding it is clamped and reported
    Date grantedNotAfter = certTemplate.getNotAfter();
    if (grantedNotAfter != null) {
        if (grantedNotAfter.after(maxNotAfter)) {
            grantedNotAfter = maxNotAfter;
            msgBuilder.append(", notAfter modified");
        }
    } else {
        grantedNotAfter = maxNotAfter;
    }

    // notAfter beyond the CA certificate's own validity is handled per the CA's validity mode
    if (grantedNotAfter.after(caInfo.getNotAfter())) {
        ValidityMode mode = caInfo.getValidityMode();
        if (mode == ValidityMode.CUTOFF) {
            grantedNotAfter = caInfo.getNotAfter();
        } else if (mode == ValidityMode.STRICT) {
            throw new OperationException(ErrorCode.NOT_PERMITTED,
                    "notAfter outside of CA's validity is not permitted");
        } else if (mode == ValidityMode.LAX) {
            // permitted
        } else {
            throw new RuntimeException("should not reach here, unknown CA ValidityMode " + mode);
        } // end if (mode)
    } // end if (notAfter)

    // with midnight-aligned notBefore and a shortened maxNotAfter, end at 23:59:59 of the previous day
    if (certprofile.hasMidnightNotBefore() && !maxNotAfter.equals(origMaxNotAfter)) {
        Calendar cal = Calendar.getInstance(certprofile.getTimezone());
        cal.setTime(new Date(grantedNotAfter.getTime() - DAY_IN_MS));
        cal.set(Calendar.HOUR_OF_DAY, 23);
        cal.set(Calendar.MINUTE, 59);
        cal.set(Calendar.SECOND, 59);
        cal.set(Calendar.MILLISECOND, 0);
        grantedNotAfter = cal.getTime();
    }

    String warning = null;
    if (msgBuilder.length() > 2) {
        warning = msgBuilder.substring(2);
    }

    GrantedCertTemplate gct = new GrantedCertTemplate(certTemplate.getExtensions(), certprofile,
            grantedNotBefore, grantedNotAfter, requestedSubject, grantedPublicKeyInfo,
            fpPublicKey, subjectPublicKeyData, signer, warning);
    gct.setGrantedSubject(grantedSubject);
    return gct;
}
From source file:view.CertificateManagementDialog.java
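/**
 * Returns a display name for a certificate: its subject commonName, lower-cased and then
 * capitalized. When the subject has no CN, the whole subject is returned capitalized; when
 * the subject cannot be parsed by BouncyCastle, the JDK's rendering of the subject is used.
 *
 * <p>Both fallbacks replace the NullPointerException / catch-all of the earlier version, so a
 * malformed or CN-less certificate no longer breaks the dialog.
 *
 * @param cert the certificate; must be an X.509 certificate
 * @return the display name, never {@code null}
 * @throws ClassCastException if {@code cert} is not an {@link X509Certificate}
 */
private String getCertificateCN(Certificate cert) {
    X509Certificate x509cert = (X509Certificate) cert;
    org.bouncycastle.asn1.x500.X500Name x500name;
    try {
        x500name = new JcaX509CertificateHolder(x509cert).getSubject();
    } catch (CertificateEncodingException ex) {
        Logger.getLogger(CertificatePropertiesDialog.class.getName()).log(Level.SEVERE, null, ex);
        // subject not parseable by BouncyCastle: fall back to the JDK's RFC 2253 rendering
        return WordUtils.capitalize(x509cert.getSubjectX500Principal().getName());
    }
    RDN[] cnRdns = x500name.getRDNs(BCStyle.CN);
    if (cnRdns == null || cnRdns.length == 0) {
        // no commonName: show the full subject instead
        return WordUtils.capitalize(x500name.toString());
    }
    return WordUtils.capitalize(
            IETFUtils.valueToString(cnRdns[0].getFirst().getValue()).toLowerCase());
}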
From source file:view.CertificatePropertiesDialog.java
License:Open Source License
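/**
 * Fills the dialog's text fields with the subject, issuer, validity period and key usage of
 * the given certificate and remembers it as {@code selectedCertificate}.
 *
 * <p>Every field is cleared first. Subject and issuer attributes are shown only when they are
 * present (missing CN/OU/O/C no longer throw); issuer fields are only filled when the issuer
 * differs from the subject. If the certificate cannot be parsed by BouncyCastle the error is
 * logged and the method returns with all fields cleared.
 *
 * @param x509Certificate the certificate to display; must not be {@code null}
 */
private void setCertificateProperties(X509Certificate x509Certificate) {
    selectedCertificate = x509Certificate;

    // clear everything so values of a previously shown certificate never survive
    jTextField1.setText(null);
    jTextField2.setText(null);
    jTextField3.setText(null);
    jTextField4.setText(null);
    jTextField5.setText(null);
    jTextField6.setText(null);
    jTextField7.setText(null);
    jTextField9.setText(null);
    jTextField10.setText(null);
    jTextField11.setText(null);
    jTextField12.setText(null);

    X500Name x500subject;
    X500Name x500issuer;
    try {
        JcaX509CertificateHolder holder = new JcaX509CertificateHolder(x509Certificate);
        x500subject = holder.getSubject();
        x500issuer = holder.getIssuer();
    } catch (CertificateEncodingException ex) {
        controller.Logger.getLogger().addEntry(ex);
        return; // nothing can be displayed; the fields are already cleared
    }

    // subject: CN -> field 1, first OU -> field 2, second OU -> field 3, O -> field 4, C -> field 5
    String subjectCn = rdnValue(x500subject, BCStyle.CN, 0);
    String subjectOu1 = rdnValue(x500subject, BCStyle.OU, 0);
    if (subjectOu1 != null) {
        showValue(jTextField2, subjectOu1);
    }
    String subjectOu2 = rdnValue(x500subject, BCStyle.OU, 1);
    if (subjectOu2 != null) {
        showValue(jTextField3, subjectOu2);
    }
    String subjectO = rdnValue(x500subject, BCStyle.O, 0);
    String subjectC = rdnValue(x500subject, BCStyle.C, 0);

    // issuer: CN -> field 6, single OU -> field 7, O -> field 9, C -> field 10 (self-issued: left empty)
    if (!x500issuer.equals(x500subject)) {
        RDN[] issuerOus = x500issuer.getRDNs(BCStyle.OU);
        if (issuerOus != null && issuerOus.length == 1) {
            showValue(jTextField7, IETFUtils.valueToString(issuerOus[0].getFirst().getValue()));
        }
        showValue(jTextField6, rdnValue(x500issuer, BCStyle.CN, 0));
        showValue(jTextField9, rdnValue(x500issuer, BCStyle.O, 0));
        showValue(jTextField10, rdnValue(x500issuer, BCStyle.C, 0));
    }

    Date since = x509Certificate.getNotBefore();
    Date until = x509Certificate.getNotAfter();

    if (subjectCn != null) {
        showValue(jTextField1, WordUtils.capitalize(subjectCn.toLowerCase()));
    }
    showValue(jTextField4, subjectO);
    showValue(jTextField5, subjectC);

    // default locale date-time format, which is what the deprecated Date.toLocaleString() produced
    java.text.DateFormat dateTime = java.text.DateFormat.getDateTimeInstance();
    showValue(jTextField11, dateTime.format(since));
    showValue(jTextField12, dateTime.format(until));

    // key usage: bits in the order defined by X509Certificate.getKeyUsage()
    boolean[] usage = x509Certificate.getKeyUsage();
    if (usage == null) {
        lblUso.setText(Bundle.getBundle().getString("unknown"));
        return;
    }
    final String[] usageKeys = {"digitalSignature", "nonRepudiation", "keyEncipherment",
            "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly",
            "decipherOnly"};
    StringBuilder uso = new StringBuilder();
    for (int i = 0; i < usageKeys.length && i < usage.length; i++) {
        if (usage[i]) {
            if (uso.length() > 0) {
                uso.append(", ");
            }
            uso.append(Bundle.getBundle().getString(usageKeys[i]));
        }
    }
    if (uso.length() == 0) {
        lblUso.setText(Bundle.getBundle().getString("label.none"));
    } else {
        lblUso.setText(uso.toString());
    }
}

/**
 * Returns the text of the {@code index}-th RDN of {@code type} in {@code name}, or
 * {@code null} when the name has fewer RDNs of that type.
 */
private static String rdnValue(X500Name name, org.bouncycastle.asn1.ASN1ObjectIdentifier type,
        int index) {
    RDN[] rdns = name.getRDNs(type);
    if (rdns == null || rdns.length <= index) {
        return null;
    }
    return IETFUtils.valueToString(rdns[index].getFirst().getValue());
}

/**
 * Shows {@code value} in {@code field} when it is not {@code null} (the field keeps its
 * cleared state otherwise) and scrolls the field back to its start.
 */
private static void showValue(javax.swing.JTextField field, String value) {
    if (value != null) {
        field.setText(value);
    }
    field.setCaretPosition(0);
}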
From source file:view.CertificatePropertiesDialog.java
License:Open Source License
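/**
 * Returns a display name for a certificate: its subject commonName, lower-cased and then
 * capitalized. When the subject has no CN, the whole subject is returned capitalized; when
 * the subject cannot be parsed by BouncyCastle, the JDK's rendering of the subject is used.
 *
 * <p>The earlier version dereferenced a {@code null} name after a failed parse and indexed
 * {@code getRDNs(CN)[0]} without a length check; both cases are handled now.
 *
 * @param cert the certificate; must be an X.509 certificate
 * @return the display name, never {@code null}
 * @throws ClassCastException if {@code cert} is not an {@link X509Certificate}
 */
private String getCertificateCN(Certificate cert) {
    X509Certificate x509cert = (X509Certificate) cert;
    org.bouncycastle.asn1.x500.X500Name x500name;
    try {
        x500name = new JcaX509CertificateHolder(x509cert).getSubject();
    } catch (CertificateEncodingException ex) {
        Logger.getLogger(CertificatePropertiesDialog.class.getName()).log(Level.SEVERE, null, ex);
        // subject not parseable by BouncyCastle: fall back to the JDK's RFC 2253 rendering
        return WordUtils.capitalize(x509cert.getSubjectX500Principal().getName());
    }
    RDN[] cnRdns = x500name.getRDNs(BCStyle.CN);
    if (cnRdns == null || cnRdns.length == 0) {
        // no commonName: show the full subject instead
        return WordUtils.capitalize(x500name.toString());
    }
    return WordUtils.capitalize(
            IETFUtils.valueToString(cnRdns[0].getFirst().getValue()).toLowerCase());
}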