List of usage examples for org.bouncycastle.asn1.x509 BasicConstraints isCA
public boolean isCA()
From source file:be.fedict.trust.linker.PublicKeyTrustLinker.java
License:Open Source License
private boolean isCa(X509Certificate certificate) { byte[] basicConstraintsValue = certificate.getExtensionValue(Extension.basicConstraints.getId()); if (null == basicConstraintsValue) { return false; }//from w w w . ja v a2 s. co m ASN1Encodable basicConstraintsDecoded; try { basicConstraintsDecoded = X509ExtensionUtil.fromExtensionValue(basicConstraintsValue); } catch (IOException e) { LOG.error("IO error", e); return false; } if (false == basicConstraintsDecoded instanceof ASN1Sequence) { LOG.debug("basic constraints extension is not an ASN1 sequence"); return false; } ASN1Sequence basicConstraintsSequence = (ASN1Sequence) basicConstraintsDecoded; BasicConstraints basicConstraints = BasicConstraints.getInstance(basicConstraintsSequence); return basicConstraints.isCA(); }
From source file:be.fedict.trust.PublicKeyTrustLinker.java
License:Open Source License
private boolean isCa(X509Certificate certificate) { byte[] basicConstraintsValue = certificate.getExtensionValue(X509Extensions.BasicConstraints.getId()); if (null == basicConstraintsValue) { return false; }/*from www.j a v a 2 s. com*/ ASN1Encodable basicConstraintsDecoded; try { basicConstraintsDecoded = X509ExtensionUtil.fromExtensionValue(basicConstraintsValue); } catch (IOException e) { LOG.error("IO error", e); return false; } if (false == basicConstraintsDecoded instanceof ASN1Sequence) { LOG.debug("basic constraints extension is not an ASN1 sequence"); return false; } ASN1Sequence basicConstraintsSequence = (ASN1Sequence) basicConstraintsDecoded; BasicConstraints basicConstraints = BasicConstraints.getInstance(basicConstraintsSequence); return basicConstraints.isCA(); }
From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.java
License:Open Source License
private void checkSignatures() { // 1.6.1 - Inputs // d)//from w ww . j a v a2 s . com TrustAnchor trust = null; X500Principal trustPrincipal = null; // validation date { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certPathValidDate", new Object[] { new TrustedInput(validDate), new TrustedInput(new Date()) }); addNotification(msg); } // find trust anchors try { X509Certificate cert = (X509Certificate) certs.get(certs.size() - 1); Collection trustColl = getTrustAnchors(cert, pkixParams.getTrustAnchors()); if (trustColl.size() > 1) { // conflicting trust anchors ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.conflictingTrustAnchors", new Object[] { new Integer(trustColl.size()), new UntrustedInput(cert.getIssuerX500Principal()) }); addError(msg); } else if (trustColl.isEmpty()) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noTrustAnchorFound", new Object[] { new UntrustedInput(cert.getIssuerX500Principal()), new Integer(pkixParams.getTrustAnchors().size()) }); addError(msg); } else { PublicKey trustPublicKey; trust = (TrustAnchor) trustColl.iterator().next(); if (trust.getTrustedCert() != null) { trustPublicKey = trust.getTrustedCert().getPublicKey(); } else { trustPublicKey = trust.getCAPublicKey(); } try { CertPathValidatorUtilities.verifyX509Certificate(cert, trustPublicKey, pkixParams.getSigProvider()); } catch (SignatureException e) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustButInvalidCert"); addError(msg); } catch (Exception e) { // do nothing, error occurs again later } } } catch (CertPathReviewerException cpre) { addError(cpre.getErrorMessage()); } catch (Throwable t) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.unknown", new Object[] { new UntrustedInput(t.getMessage()), new UntrustedInput(t) }); addError(msg); } if (trust != null) { // get the name of the trustAnchor X509Certificate sign = trust.getTrustedCert(); try { if (sign != null) { trustPrincipal = getSubjectPrincipal(sign); } else { trustPrincipal = new X500Principal(trust.getCAName()); } } catch (IllegalArgumentException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustDNInvalid", new Object[] { new UntrustedInput(trust.getCAName()) }); addError(msg); } // test key usages of the trust anchor if (sign != null) { boolean[] ku = sign.getKeyUsage(); if (ku != null && !ku[5]) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustKeyUsage"); addNotification(msg); } } } // 1.6.2 - Initialization PublicKey workingPublicKey = null; X500Principal workingIssuerName = trustPrincipal; X509Certificate sign = null; if (trust != null) { sign = trust.getTrustedCert(); if (sign != null) { workingPublicKey = sign.getPublicKey(); } else { workingPublicKey = trust.getCAPublicKey(); } try { getAlgorithmIdentifier(workingPublicKey); } catch (CertPathValidatorException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustPubKeyError"); addError(msg); } } // Basic cert checks X509Certificate cert = null; int i; for (int index = certs.size() - 1; index >= 0; index--) { // // i as defined in the algorithm description // i = n - index; // // set certificate to be checked in this round // sign and workingPublicKey and workingIssuerName are set // at the end of the for loop and initialied the // first time from the TrustAnchor // cert = (X509Certificate) certs.get(index); // verify signature if (workingPublicKey != null) { try { CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey, pkixParams.getSigProvider()); } catch (GeneralSecurityException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.signatureNotVerified", new Object[] { ex.getMessage(), ex, ex.getClass().getName() }); addError(msg, index); } } else if (isSelfIssued(cert)) { try { CertPathValidatorUtilities.verifyX509Certificate(cert, cert.getPublicKey(), pkixParams.getSigProvider()); ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.rootKeyIsValidButNotATrustAnchor"); addError(msg, index); } catch (GeneralSecurityException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.signatureNotVerified", new Object[] { ex.getMessage(), ex, ex.getClass().getName() }); addError(msg, index); } } else { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.NoIssuerPublicKey"); // if there is an authority key extension add the serial and issuer of the missing certificate byte[] akiBytes = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId()); if (akiBytes != null) { try { AuthorityKeyIdentifier aki = AuthorityKeyIdentifier .getInstance(X509ExtensionUtil.fromExtensionValue(akiBytes)); GeneralNames issuerNames = aki.getAuthorityCertIssuer(); if (issuerNames != null) { GeneralName name = issuerNames.getNames()[0]; BigInteger serial = aki.getAuthorityCertSerialNumber(); if (serial != null) { Object[] extraArgs = { new LocaleString(RESOURCE_NAME, "missingIssuer"), " \"", name, "\" ", new LocaleString(RESOURCE_NAME, "missingSerial"), " ", serial }; msg.setExtraArguments(extraArgs); } } } catch (IOException e) { // ignore } } addError(msg, index); } // certificate valid? try { cert.checkValidity(validDate); } catch (CertificateNotYetValidException cnve) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certificateNotYetValid", new Object[] { new TrustedInput(cert.getNotBefore()) }); addError(msg, index); } catch (CertificateExpiredException cee) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certificateExpired", new Object[] { new TrustedInput(cert.getNotAfter()) }); addError(msg, index); } // certificate revoked? if (pkixParams.isRevocationEnabled()) { try { checkRevocation(pkixParams, cert, validDate, sign, workingPublicKey); } catch (SimpleValidationErrorException e) { addError(e, index); } } // certificate issuer correct if (workingIssuerName != null && !cert.getIssuerX500Principal().equals(workingIssuerName)) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certWrongIssuer", new Object[] { workingIssuerName.getName(), cert.getIssuerX500Principal().getName() }); addError(msg, index); } // // prepare for next certificate // if (i != n) { if (cert != null && cert.getVersion() == 1) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCACert"); addError(msg, index); } // k) BasicConstraints bc; try { bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS)); if (bc != null) { if (!bc.isCA()) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCACert"); addError(msg, index); } } else { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noBasicConstraints"); addError(msg, index); } } catch (AnnotatedException ae) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.errorProcesingBC"); addError(msg, index); } // n) boolean[] _usage = cert.getKeyUsage(); if ((_usage != null) && !_usage[KEY_CERT_SIGN]) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCertSign"); addError(msg, index); } } // if // set signing certificate for next round sign = cert; // c) workingIssuerName = cert.getSubjectX500Principal(); // d) e) f) try { workingPublicKey = getNextWorkingKey(certs, index); getAlgorithmIdentifier(workingPublicKey); } catch (CertPathValidatorException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.pubKeyError"); addError(msg, index); } } // for trustAnchor = trust; subjectPublicKey = workingPublicKey; }
From source file:gov.nih.nci.cagrid.gts.service.ProxyPathValidator.java
License:Apache License
protected void checkProxyConstraints(TBSCertificateStructure proxy, TBSCertificateStructure issuer, X509Certificate checkedProxy) throws ProxyPathValidatorException, IOException { logger.debug("enter: checkProxyConstraints"); X509Extensions extensions;//ww w .j av a 2s .c o m DERObjectIdentifier oid; X509Extension ext; X509Extension proxyKeyUsage = null; extensions = proxy.getExtensions(); if (extensions != null) { Enumeration e = extensions.oids(); while (e.hasMoreElements()) { oid = (DERObjectIdentifier) e.nextElement(); ext = extensions.getExtension(oid); if (oid.equals(X509Extensions.SubjectAlternativeName) || oid.equals(X509Extensions.IssuerAlternativeName)) { // No Alt name extensions - 3.2 & 3.5 throw new ProxyPathValidatorException(ProxyPathValidatorException.PROXY_VIOLATION, checkedProxy, "Proxy certificate cannot contain subject or issuer alternative name extension"); } else if (oid.equals(X509Extensions.BasicConstraints)) { // Basic Constraint must not be true - 3.8 BasicConstraints basicExt = BouncyCastleUtil.getBasicConstraints(ext); if (basicExt.isCA()) { throw new ProxyPathValidatorException(ProxyPathValidatorException.PROXY_VIOLATION, checkedProxy, "Proxy certificate cannot have BasicConstraint CA=true"); } } else if (oid.equals(X509Extensions.KeyUsage)) { proxyKeyUsage = ext; boolean[] keyUsage = BouncyCastleUtil.getKeyUsage(ext); // these must not be asserted if (keyUsage[1] || keyUsage[5]) { throw new ProxyPathValidatorException(ProxyPathValidatorException.PROXY_VIOLATION, checkedProxy, "The keyCertSign and nonRepudiation bits must not be asserted in Proxy Certificate"); } boolean[] issuerKeyUsage = getKeyUsage(issuer); if (issuerKeyUsage != null) { for (int i = 0; i < 9; i++) { if (i == 1 || i == 5) { continue; } if (!issuerKeyUsage[i] && keyUsage[i]) { throw new ProxyPathValidatorException(ProxyPathValidatorException.PROXY_VIOLATION, checkedProxy, "Bad KeyUsage in Proxy Certificate"); } } } } } } extensions = issuer.getExtensions(); if (extensions != null) { Enumeration e = extensions.oids(); while (e.hasMoreElements()) { oid = (DERObjectIdentifier) e.nextElement(); ext = extensions.getExtension(oid); if (oid.equals(X509Extensions.KeyUsage)) { // If issuer has it then proxy must have it also if (proxyKeyUsage == null) { throw new ProxyPathValidatorException(ProxyPathValidatorException.PROXY_VIOLATION, checkedProxy, "KeyUsage extension missing in Proxy Certificate"); } // If issuer has it as critical so does the proxy if (ext.isCritical() && !proxyKeyUsage.isCritical()) { throw new ProxyPathValidatorException(ProxyPathValidatorException.PROXY_VIOLATION, checkedProxy, "KeyUsage extension in Proxy Certificate is not critical"); } } } } logger.debug("exit: checkProxyConstraints"); }
From source file:gov.nih.nci.cagrid.gts.service.ProxyPathValidator.java
License:Apache License
protected int getCAPathConstraint(TBSCertificateStructure crt) throws IOException { X509Extensions extensions = crt.getExtensions(); if (extensions == null) { return -1; }//w w w .j a va 2s.c o m X509Extension ext = extensions.getExtension(X509Extensions.BasicConstraints); if (ext != null) { BasicConstraints basicExt = BouncyCastleUtil.getBasicConstraints(ext); if (basicExt.isCA()) { BigInteger pathLen = basicExt.getPathLenConstraint(); return (pathLen == null) ? Integer.MAX_VALUE : pathLen.intValue(); } else { return -1; } } return -1; }
From source file:mitm.common.security.certificate.X509CertificateInspector.java
License:Open Source License
/** * Returns true if the certificate is a CA certificate (returns isCA from the basic constraints) *//*from www . j a v a 2s . co m*/ public boolean isCA() throws IOException { BasicConstraints bc = getBasicConstraints(certificate); return bc != null && bc.isCA(); }
From source file:mitm.common.security.certificate.X509CertificateInspector.java
License:Open Source License
/** * Returns true if the certificate is a CA certificate (returns isCA from the basic constraints) *//*from w w w . java 2 s . com*/ public static boolean isCA(X509Certificate certificate) throws IOException { BasicConstraints bc = getBasicConstraints(certificate); return bc != null && bc.isCA(); }
From source file:mitm.common.security.certificate.X509ExtensionInspectorTest.java
License:Open Source License
@Test public void testBasicConstraint() throws Exception { X509Certificate certificate = TestUtils .loadCertificate("test/resources/testdata/certificates/" + "mitm-test-ca.cer"); BasicConstraints constraints = X509CertificateInspector.getBasicConstraints(certificate); assertTrue(constraints.isCA()); assertNull(constraints.getPathLenConstraint()); certificate = TestUtils.loadCertificate("test/resources/testdata/certificates/" + "ldap-crl.cer"); assertNull(X509CertificateInspector.getBasicConstraints(certificate)); }
From source file:mitm.common.security.crl.PKIXRevocationChecker.java
License:Open Source License
private boolean acceptCRL_6_3_3_b(X509Certificate targetCertificate, X509CRL crl) throws IOException { boolean match = false; if (X509CRLInspector.isDeltaCRL(crl)) { /* CRL is not complete because it's a delta CRL */ return false; }//from w w w .j a va2s. c o m if (!crl.getIssuerX500Principal().equals(targetCertificate.getIssuerX500Principal())) { logger.debug("CRL issuer and certificate issuer do not match."); return false; } IssuingDistributionPoint idp = X509CRLInspector.getIssuingDistributionPoint(crl); /* if there is no IssuingDistributionPoint there is always a match */ if (idp == null) { return true; } DistributionPointName idpn = idp.getDistributionPoint(); CRLDistPoint crlDistPoint = X509CertificateInspector.getCRLDistibutionPoints(targetCertificate); DistributionPoint[] dps = null; if (crlDistPoint != null) { dps = crlDistPoint.getDistributionPoints(); } if (dps != null) { for (DistributionPoint dp : dps) { if (dp == null) { logger.debug("Distributionpoint is null."); continue; } if (dp.getCRLIssuer() != null) { /* we do not support indirect CRLs */ logger.debug("CRL issuer should only be used for indirect CRLs."); continue; } DistributionPointName dpn = dp.getDistributionPoint(); if (idp != null) { if (idpn != null && dpn != null) { X500Principal issuer = targetCertificate.getIssuerX500Principal(); if (hasMatchingName(idpn, dpn, issuer)) { match = true; break; } } } } if (!match) { logger.debug("The CRL did not contain matching DistributionPoint names."); } } else { match = (idpn == null); } BasicConstraints basicConstraints = X509CertificateInspector.getBasicConstraints(targetCertificate); if (idp != null) { /* if basicConstraints is null assume it's a user certificate */ if (idp.onlyContainsCACerts() && ((basicConstraints != null && !basicConstraints.isCA()) | basicConstraints == null)) { logger.debug("Certificate is a user certificate but CRL only contains CA certificate."); match = false; } if (idp.onlyContainsUserCerts() && basicConstraints != null && basicConstraints.isCA()) { logger.debug("Certificate is a CA but CRL only contains user certificates."); match = false; } if (idp.onlyContainsAttributeCerts()) { logger.debug("Certificate only contains attribute certs."); match = false; } } return match; }
From source file:net.ripe.rpki.commons.crypto.x509cert.X509CertificateUtil.java
License:BSD License
public static boolean isCa(X509Certificate certificate) { try {// w w w . java 2 s. c o m byte[] basicConstraintsExtension = certificate .getExtensionValue(org.bouncycastle.asn1.x509.X509Extension.basicConstraints.getId()); if (basicConstraintsExtension == null) { /** * The Basic Constraints extension field [...] MUST be present when * the Subject is a CA, and MUST NOT be present otherwise. * http://tools.ietf.org/html/draft-ietf-sidr-res-certs-21#section-4.9.1 */ return false; } BasicConstraints constraints = BasicConstraints .getInstance(X509ExtensionUtil.fromExtensionValue(basicConstraintsExtension)); return constraints.isCA(); } catch (IOException e) { throw new X509CertificateOperationException(e); } }