List of usage examples for org.bouncycastle.asn1.x509 AlgorithmIdentifier equals
public boolean equals(Object o)
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
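/**
 * Checks an issued certificate against this profile and the issuing CA.
 *
 * <p>Every check appends one {@link ValidationIssue} to the result; a check that does not
 * pass records a failure message on its issue. Only a certificate that cannot be decoded at
 * all stops the run early, because none of the later checks can be performed on it.
 *
 * @param certBytes DER encoding of the certificate under test; treated as untrusted input
 * @param issuerInfo issuing CA (its certificate supplies the verification key and the
 *        expected issuer name)
 * @param requestedSubject subject that was requested for this certificate
 * @param requestedPublicKey public key that was requested for this certificate
 * @param requestedExtensions extensions that were requested (may be {@code null}; passed
 *        through to {@code checkExtensions})
 * @return the collected issues, failed or not
 * @throws RuntimeException from {@code ParamChecker} if one of the required arguments is
 *         {@code null} (exact type is whatever {@code ParamChecker.assertNotNull} throws)
 */
@Override
public ValidationResult checkCert(final byte[] certBytes, final X509IssuerInfo issuerInfo,
        final X500Name requestedSubject, final SubjectPublicKeyInfo requestedPublicKey,
        final Extensions requestedExtensions) {
    ParamChecker.assertNotNull("certBytes", certBytes);
    ParamChecker.assertNotNull("issuerInfo", issuerInfo);
    ParamChecker.assertNotNull("requestedSubject", requestedSubject);
    ParamChecker.assertNotNull("requestedPublicKey", requestedPublicKey);

    List<ValidationIssue> resultIssues = new LinkedList<>();
    Certificate bcCert;
    X509Certificate cert;

    // certificate encoding
    {
        ValidationIssue issue = new ValidationIssue("X509.ENCODING", "certificate encoding");
        resultIssues.add(issue);
        try {
            bcCert = Certificate.getInstance(certBytes);
            cert = X509Util.parseCert(certBytes);
        } catch (CertificateException | IOException | IllegalArgumentException e) {
            // Certificate.getInstance reports malformed ASN.1 with an
            // IllegalArgumentException rather than a checked exception; without catching
            // it here a garbage input would abort the QA run instead of being reported.
            issue.setFailureMessage("certificate is not correctly encoded");
            // Nothing below can run without a decoded certificate.
            return new ValidationResult(resultIssues);
        }
    }

    // syntax version
    {
        ValidationIssue issue = new ValidationIssue("X509.VERSION", "certificate version");
        resultIssues.add(issue);
        int versionNumber = cert.getVersion();
        if (versionNumber != version.getVersion()) {
            issue.setFailureMessage("is '" + versionNumber + "' but expected '"
                    + version.getVersion() + "'");
        }
    }

    // signatureAlgorithm
    if (CollectionUtil.isNotEmpty(signatureAlgorithms)) {
        ValidationIssue issue = new ValidationIssue("X509.SIGALG", "signature algorithm");
        resultIssues.add(issue);
        AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm();
        AlgorithmIdentifier tbsSigAlgId = bcCert.getTBSCertificate().getSignature();
        // The outer signatureAlgorithm lies outside the signed tbsCertificate, so it is
        // only trustworthy if it equals the signed copy (RFC 5280 requires them to match).
        if (!tbsSigAlgId.equals(sigAlgId)) {
            issue.setFailureMessage(
                    "Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm");
        } else {
            try {
                String sigAlgo = AlgorithmUtil.getSignatureAlgoName(sigAlgId);
                if (!signatureAlgorithms.contains(sigAlgo)) {
                    issue.setFailureMessage("signatureAlgorithm '" + sigAlgo + "' is not allowed");
                }
            } catch (NoSuchAlgorithmException e) {
                issue.setFailureMessage("unsupported signature algorithm "
                        + sigAlgId.getAlgorithm().getId());
            }
        }
    }

    // notBefore
    if (notBeforeMidnight) {
        ValidationIssue issue = new ValidationIssue("X509.NOTBEFORE", "not before midnight");
        resultIssues.add(issue);
        Calendar c = Calendar.getInstance(UTC);
        c.setTime(cert.getNotBefore());
        int hourOfDay = c.get(Calendar.HOUR_OF_DAY);
        int minute = c.get(Calendar.MINUTE);
        int second = c.get(Calendar.SECOND);
        if (hourOfDay != 0 || minute != 0 || second != 0) {
            issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time (UTC)");
        }
    }

    // validity
    {
        ValidationIssue issue = new ValidationIssue("X509.VALIDITY", "cert validity");
        resultIssues.add(issue);
        Date expectedNotAfter = validity.add(cert.getNotBefore());
        // Tolerates a one-minute difference; SECOND is assumed to be a millisecond
        // constant of this class — TODO confirm.
        if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) {
            issue.setFailureMessage("cert validity is not within " + validity.toString());
        }
    }

    // public key
    {
        SubjectPublicKeyInfo publicKey = bcCert.getSubjectPublicKeyInfo();
        if (keyAlgorithms != null) {
            ValidationIssue issue = new ValidationIssue("X509.PUBKEY.SYN",
                    "whether public key is permitted");
            resultIssues.add(issue);
            try {
                checkPublicKey(publicKey);
            } catch (BadCertTemplateException e) {
                issue.setFailureMessage(e.getMessage());
            }
        }

        ValidationIssue issue = new ValidationIssue("X509.PUBKEY.REQ",
                "whether public key matches the request one");
        resultIssues.add(issue);
        SubjectPublicKeyInfo c14nRequestedPublicKey;
        try {
            // Canonicalise the requested key first so that encoding differences alone
            // (e.g. absent vs. explicit NULL parameters) do not count as a mismatch.
            c14nRequestedPublicKey = X509Util.toRfc3279Style(requestedPublicKey);
            if (!c14nRequestedPublicKey.equals(publicKey)) {
                issue.setFailureMessage(
                        "public key in the certificate does not equal the requested one");
            }
        } catch (InvalidKeySpecException e) {
            issue.setFailureMessage("public key in request is invalid");
        }
    }

    // Signature
    {
        ValidationIssue issue = new ValidationIssue("X509.SIG",
                "whether certificate is signed by CA");
        resultIssues.add(issue);
        try {
            cert.verify(issuerInfo.getCert().getPublicKey(), "BC");
        } catch (Exception e) {
            // verify() declares five unrelated checked exception types; all of them mean
            // the signature could not be confirmed, so they are reported uniformly.
            issue.setFailureMessage("invalid signature");
        }
    }

    // issuer
    {
        ValidationIssue issue = new ValidationIssue("X509.ISSUER", "certificate issuer");
        resultIssues.add(issue);
        if (!cert.getIssuerX500Principal().equals(issuerInfo.getCert().getSubjectX500Principal())) {
            issue.setFailureMessage(
                    "issuer in certificate does not equal the subject of CA certificate");
        }
    }

    // subject
    X500Name subject = bcCert.getTBSCertificate().getSubject();
    resultIssues.addAll(checkSubject(subject, requestedSubject));

    // extensions
    resultIssues.addAll(checkExtensions(bcCert, cert, issuerInfo, requestedExtensions));

    return new ValidationResult(resultIssues);
}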
From source file:org.xipki.pki.ca.qa.X509CertprofileQa.java
License:Open Source License
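/**
 * Checks an issued certificate against the configured profile and the issuing CA.
 *
 * <p>Each check appends a {@link ValidationIssue} to the result and marks it failed when
 * the certificate does not satisfy the check. Only an undecodable certificate ends the run
 * early, since every later check needs the decoded structure.
 *
 * @param certBytes DER encoding of the certificate under test; treated as untrusted input
 * @param issuerInfo issuing CA: verification key, expected issuer name and validity bounds
 * @param requestedSubject subject that was requested for this certificate
 * @param requestedPublicKey public key that was requested for this certificate
 * @param requestedExtensions extensions that were requested (may be {@code null}; passed
 *        through to the extensions checker)
 * @return the collected issues, failed or not
 * @throws RuntimeException from {@code ParamUtil} if one of the required arguments is
 *         {@code null} (exact type is whatever {@code ParamUtil.requireNonNull} throws)
 */
public ValidationResult checkCert(final byte[] certBytes, final X509IssuerInfo issuerInfo,
        final X500Name requestedSubject, final SubjectPublicKeyInfo requestedPublicKey,
        final Extensions requestedExtensions) {
    ParamUtil.requireNonNull("certBytes", certBytes);
    ParamUtil.requireNonNull("issuerInfo", issuerInfo);
    ParamUtil.requireNonNull("requestedSubject", requestedSubject);
    ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);

    List<ValidationIssue> resultIssues = new LinkedList<>();
    Certificate bcCert;
    TBSCertificate tbsCert;
    X509Certificate cert;
    ValidationIssue issue;

    // certificate size
    issue = new ValidationIssue("X509.SIZE", "certificate size");
    resultIssues.add(issue);
    Integer maxSize = certProfile.getMaxSize();
    // 0 means "no limit"; the null guard avoids an NPE should the profile leave it unset.
    if (maxSize != null && maxSize != 0) {
        int size = certBytes.length;
        if (size > maxSize) {
            issue.setFailureMessage(String.format(
                    "certificate exceeds the maximal allowed size: %d > %d", size, maxSize));
        }
    }

    // certificate encoding
    issue = new ValidationIssue("X509.ENCODING", "certificate encoding");
    resultIssues.add(issue);
    try {
        bcCert = Certificate.getInstance(certBytes);
        tbsCert = bcCert.getTBSCertificate();
        cert = X509Util.parseCert(certBytes);
    } catch (CertificateException | IllegalArgumentException ex) {
        // Certificate.getInstance signals malformed ASN.1 with an IllegalArgumentException;
        // catching it here turns a crash on garbage input into a reported issue.
        issue.setFailureMessage("certificate is not correctly encoded");
        // Nothing below can run without a decoded certificate.
        return new ValidationResult(resultIssues);
    }

    // syntax version
    issue = new ValidationIssue("X509.VERSION", "certificate version");
    resultIssues.add(issue);
    int versionNumber = tbsCert.getVersionNumber();
    X509CertVersion expVersion = certProfile.getVersion();
    if (versionNumber != expVersion.getVersionNumber()) {
        issue.setFailureMessage("is '" + versionNumber + "' but expected '"
                + expVersion.getVersionNumber() + "'");
    }

    // serialNumber: RFC 5280 requires a positive integer of at most 20 octets. A positive
    // value with 160 or more significant bits needs a 21st (sign) octet in DER.
    issue = new ValidationIssue("X509.serialNumber", "certificate serial number");
    resultIssues.add(issue);
    BigInteger serialNumber = tbsCert.getSerialNumber().getValue();
    if (serialNumber.signum() != 1) {
        issue.setFailureMessage("not positive");
    } else if (serialNumber.bitLength() >= 160) {
        issue.setFailureMessage("serial number has more than 20 octets");
    }

    // signatureAlgorithm
    List<String> signatureAlgorithms = certProfile.getSignatureAlgorithms();
    if (CollectionUtil.isNonEmpty(signatureAlgorithms)) {
        issue = new ValidationIssue("X509.SIGALG", "signature algorithm");
        resultIssues.add(issue);
        AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm();
        AlgorithmIdentifier tbsSigAlgId = tbsCert.getSignature();
        // The outer signatureAlgorithm is not covered by the signature; it is only
        // trustworthy if it equals the signed tbsCertificate.signature (RFC 5280).
        if (!tbsSigAlgId.equals(sigAlgId)) {
            issue.setFailureMessage(
                    "Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm");
        }
        try {
            String sigAlgo = AlgorithmUtil.getSignatureAlgoName(sigAlgId);
            if (!issue.isFailed() && !signatureAlgorithms.contains(sigAlgo)) {
                issue.setFailureMessage("signatureAlgorithm '" + sigAlgo + "' is not allowed");
            }
            // check parameters: the name alone does not pin the AlgorithmIdentifier
            // parameters, so compare against the canonical identifier for that name.
            if (!issue.isFailed()) {
                AlgorithmIdentifier expSigAlgId = AlgorithmUtil.getSigAlgId(sigAlgo);
                if (!expSigAlgId.equals(sigAlgId)) {
                    issue.setFailureMessage("invalid parameters");
                }
            }
        } catch (NoSuchAlgorithmException ex) {
            issue.setFailureMessage("unsupported signature algorithm "
                    + sigAlgId.getAlgorithm().getId());
        }
    }

    // notBefore / notAfter encoding. These two issues are not added to resultIssues here;
    // presumably checkTime records them itself — TODO confirm against checkTime.
    issue = new ValidationIssue("X509.NOTBEFORE.ENCODING", "notBefore encoding");
    checkTime(tbsCert.getStartDate(), issue);

    // The notAfter check must look at the end date; the original checked getStartDate()
    // twice, so notAfter's encoding was never inspected.
    issue = new ValidationIssue("X509.NOTAFTER.ENCODING", "notAfter encoding");
    checkTime(tbsCert.getEndDate(), issue);

    // notBefore
    if (certProfile.isNotBeforeMidnight()) {
        issue = new ValidationIssue("X509.NOTBEFORE", "notBefore midnight");
        resultIssues.add(issue);
        Calendar cal = Calendar.getInstance(UTC);
        cal.setTime(cert.getNotBefore());
        int hourOfDay = cal.get(Calendar.HOUR_OF_DAY);
        int minute = cal.get(Calendar.MINUTE);
        int second = cal.get(Calendar.SECOND);
        if (hourOfDay != 0 || minute != 0 || second != 0) {
            issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time (UTC)");
        }
    }

    // validity
    issue = new ValidationIssue("X509.VALIDITY", "cert validity");
    resultIssues.add(issue);
    if (cert.getNotAfter().before(cert.getNotBefore())) {
        issue.setFailureMessage("notAfter must not be before notBefore");
    } else if (cert.getNotBefore().before(issuerInfo.getCaNotBefore())) {
        issue.setFailureMessage("notBefore must not be before CA's notBefore");
    } else {
        CertValidity validity = certProfile.getValidity();
        Date expectedNotAfter = validity.add(cert.getNotBefore());
        // Clamp to the largest representable certificate time, then to the CA's own
        // notAfter when the profile asks for cut-off, mirroring what issuance does.
        if (expectedNotAfter.getTime() > MAX_CERT_TIME_MS) {
            expectedNotAfter = new Date(MAX_CERT_TIME_MS);
        }
        if (issuerInfo.isCutoffNotAfter() && expectedNotAfter.after(issuerInfo.getCaNotAfter())) {
            expectedNotAfter = issuerInfo.getCaNotAfter();
        }
        // Tolerates a one-minute difference; SECOND is assumed to be a millisecond
        // constant of this class — TODO confirm.
        if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) {
            issue.setFailureMessage("cert validity is not within " + validity.toString());
        }
    }

    // subjectPublicKeyInfo
    resultIssues.addAll(publicKeyChecker.checkPublicKey(bcCert.getSubjectPublicKeyInfo(),
            requestedPublicKey));

    // Signature
    issue = new ValidationIssue("X509.SIG", "whether certificate is signed by CA");
    resultIssues.add(issue);
    try {
        cert.verify(issuerInfo.getCert().getPublicKey(), "BC");
    } catch (Exception ex) {
        // verify() declares five unrelated checked exception types; each means the
        // signature could not be confirmed, so they are reported uniformly.
        issue.setFailureMessage("invalid signature");
    }

    // issuer
    issue = new ValidationIssue("X509.ISSUER", "certificate issuer");
    resultIssues.add(issue);
    if (!cert.getIssuerX500Principal().equals(issuerInfo.getCert().getSubjectX500Principal())) {
        issue.setFailureMessage("issuer in certificate does not equal the subject of CA certificate");
    }

    // subject
    resultIssues.addAll(subjectChecker.checkSubject(bcCert.getSubject(), requestedSubject));

    // issuerUniqueID
    issue = new ValidationIssue("X509.IssuerUniqueID", "issuerUniqueID");
    resultIssues.add(issue);
    if (tbsCert.getIssuerUniqueId() != null) {
        issue.setFailureMessage("is present but not permitted");
    }

    // subjectUniqueID
    issue = new ValidationIssue("X509.SubjectUniqueID", "subjectUniqueID");
    resultIssues.add(issue);
    if (tbsCert.getSubjectUniqueId() != null) {
        issue.setFailureMessage("is present but not permitted");
    }

    // extensions
    issue = new ValidationIssue("X509.GrantedSubject", "grantedSubject");
    resultIssues.add(issue);
    resultIssues.addAll(extensionsChecker.checkExtensions(bcCert, issuerInfo,
            requestedExtensions, requestedSubject));

    return new ValidationResult(resultIssues);
}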