List of usage examples for org.bouncycastle.asn1.x509 Extension authorityInfoAccess
ASN1ObjectIdentifier authorityInfoAccess
To view the source code for org.bouncycastle.asn1.x509 Extension authorityInfoAccess.
Click Source Link
From source file:org.xipki.pki.ca.certprofile.test.ProfileConfCreatorDemo.java
License:Open Source License
private static X509ProfileType certprofileTlsWithIncSerial() throws Exception { X509ProfileType profile = getBaseProfile("Certprofile TLSwithIncSN", X509CertLevel.EndEntity, "5y", false); profile.setDuplicateKey(true);/* w w w . ja v a2 s . c o m*/ // Subject Subject subject = profile.getSubject(); subject.setDuplicateSubjectPermitted(true); subject.setIncSerialNumber(true); List<RdnType> rdnControls = subject.getRdn(); rdnControls.add(createRdn(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE|FR" }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_O, 1, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_OU, 0, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_SN, 0, 1, new String[] { REGEX_SN }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_CN, 1, 1, new String[] { REGEX_FQDN }, null, null)); // Extensions // Extensions - general ExtensionsType extensions = profile.getExtensions(); // Extensions - controls List<ExtensionType> list = extensions.getExtension(); list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null)); list.add(createExtension(Extension.cRLDistributionPoints, false, false, null)); list.add(createExtension(Extension.freshestCRL, false, false, null)); // Extensions - basicConstraints ExtensionValueType extensionValue = null; list.add(createExtension(Extension.basicConstraints, true, true, extensionValue)); // Extensions - AuthorityInfoAccess extensionValue = createAuthorityInfoAccess(); list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue)); // Extensions - AuthorityKeyIdentifier extensionValue = createAuthorityKeyIdentifier(true); list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue)); // Extensions - keyUsage extensionValue = createKeyUsages(new KeyUsageEnum[] { KeyUsageEnum.DIGITAL_SIGNATURE, KeyUsageEnum.DATA_ENCIPHERMENT, KeyUsageEnum.KEY_ENCIPHERMENT }, null); list.add(createExtension(Extension.keyUsage, true, true, extensionValue)); // Extensions - extenedKeyUsage extensionValue = createExtendedKeyUsage(new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_serverAuth }, new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_clientAuth }); list.add(createExtension(Extension.extendedKeyUsage, true, false, extensionValue)); return profile; }
From source file:org.xipki.pki.ca.certprofile.test.ProfileConfCreatorDemo.java
License:Open Source License
private static X509ProfileType certprofileGsmcK() throws Exception { X509ProfileType profile = getBaseProfile("Certprofile gSMC_K", X509CertLevel.EndEntity, "5y", false); // SpecialBehavior profile.setSpecialBehavior(SpecialX509CertprofileBehavior.gematik_gSMC_K.name()); // Maximal life time Parameters profileParams = new Parameters(); profile.setParameters(profileParams); NameValueType nv = new NameValueType(); nv.setName(SpecialX509CertprofileBehavior.PARAMETER_MAXLIFTIME); nv.setValue(Integer.toString(20 * 365)); profileParams.getParameter().add(nv); // Subject/*from w ww . j a v a2 s . co m*/ Subject subject = profile.getSubject(); subject.setDuplicateSubjectPermitted(true); subject.setIncSerialNumber(false); List<RdnType> rdnControls = subject.getRdn(); rdnControls.add(createRdn(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE" }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_O, 1, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_OU, 0, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_ST, 0, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_L, 0, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_POSTAL_CODE, 0, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_STREET, 0, 1)); // regex: ICCSN-yyyyMMdd String regex = "80276[\\d]{15,15}-20\\d\\d(0[1-9]|1[012])(0[1-9]|[12][0-9]|3[01])"; rdnControls.add(createRdn(ObjectIdentifiers.DN_CN, 1, 1, new String[] { regex }, null, null)); // Extensions ExtensionsType extensions = profile.getExtensions(); List<ExtensionType> list = extensions.getExtension(); list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null)); list.add(createExtension(Extension.cRLDistributionPoints, false, false, null)); // Extensions - basicConstraints ExtensionValueType extensionValue = null; list.add(createExtension(Extension.basicConstraints, true, true, extensionValue)); // Extensions - AuthorityInfoAccess extensionValue = createAuthorityInfoAccess(); list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue)); // Extensions - AuthorityKeyIdentifier extensionValue = createAuthorityKeyIdentifier(true); list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue)); // Extensions - keyUsage extensionValue = createKeyUsages( new KeyUsageEnum[] { KeyUsageEnum.DIGITAL_SIGNATURE, KeyUsageEnum.KEY_ENCIPHERMENT }, null); list.add(createExtension(Extension.keyUsage, true, true, extensionValue)); // Extensions - extenedKeyUsage extensionValue = createExtendedKeyUsage(new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_serverAuth }, new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_clientAuth }); list.add(createExtension(Extension.extendedKeyUsage, true, false, extensionValue)); // Extensions - Policy CertificatePolicies policies = new CertificatePolicies(); ASN1ObjectIdentifier[] policyIds = new ASN1ObjectIdentifier[] { ID_GEMATIK.branch("79"), ID_GEMATIK.branch("163") }; for (ASN1ObjectIdentifier id : policyIds) { CertificatePolicyInformationType policyInfo = new CertificatePolicyInformationType(); policies.getCertificatePolicyInformation().add(policyInfo); policyInfo.setPolicyIdentifier(createOidType(id)); } extensionValue = createExtensionValueType(policies); list.add(createExtension(Extension.certificatePolicies, true, false, extensionValue)); // Extension - Admission AdmissionSyntax admissionSyntax = new AdmissionSyntax(); AdmissionsType admissions = new AdmissionsType(); admissionSyntax.getContentsOfAdmissions().add(admissions); ProfessionInfoType pi = new ProfessionInfoType(); admissions.getProfessionInfo().add(pi); pi.getProfessionOid().add(createOidType(ID_GEMATIK.branch("103"))); pi.getProfessionItem().add("Anwendungskonnektor"); extensionValue = createExtensionValueType(admissionSyntax); // check the syntax XmlX509CertprofileUtil.buildAdmissionSyntax(false, admissionSyntax); list.add(createExtension(ObjectIdentifiers.id_extension_admission, true, false, extensionValue)); // SubjectAltNames extensionValue = null; list.add(createExtension(Extension.subjectAlternativeName, false, false, extensionValue)); return profile; }
From source file:org.xipki.pki.ca.certprofile.test.ProfileConfCreatorDemo.java
License:Open Source License
private static X509ProfileType certprofileMultipleOus() throws Exception { X509ProfileType profile = getBaseProfile("Certprofile Multiple OUs DEMO", X509CertLevel.EndEntity, "5y", false);//from w w w .j ava2 s . c o m // Subject Subject subject = profile.getSubject(); subject.setIncSerialNumber(false); List<RdnType> rdnControls = subject.getRdn(); rdnControls.add(createRdn(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE|FR" }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_O, 1, 1)); final String regexOu1 = "[A-Z]{1,1}[\\d]{5,5}"; final String regexOu2 = "[\\d]{5,5}"; rdnControls.add(createRdn(ObjectIdentifiers.DN_OU, 2, 2, new String[] { regexOu1, regexOu2 }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_SN, 0, 1, new String[] { REGEX_SN }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_CN, 1, 1)); // Extensions // Extensions - general ExtensionsType extensions = profile.getExtensions(); List<ExtensionType> list = extensions.getExtension(); list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null)); list.add(createExtension(Extension.cRLDistributionPoints, false, false, null)); list.add(createExtension(Extension.freshestCRL, false, false, null)); // Extensions - basicConstraints ExtensionValueType extensionValue = null; list.add(createExtension(Extension.basicConstraints, true, true, extensionValue)); // Extensions - AuthorityInfoAccess extensionValue = createAuthorityInfoAccess(); list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue)); // Extensions - AuthorityKeyIdentifier extensionValue = createAuthorityKeyIdentifier(true); list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue)); // Extensions - keyUsage extensionValue = createKeyUsages(new KeyUsageEnum[] { KeyUsageEnum.CONTENT_COMMITMENT }, null); list.add(createExtension(Extension.keyUsage, true, true, extensionValue)); return profile; }
From source file:org.xipki.pki.ca.certprofile.test.ProfileConfCreatorDemo.java
License:Open Source License
private static X509ProfileType certprofileMultipleValuedRdn() throws Exception { X509ProfileType profile = getBaseProfile("Certprofile Multiple Valued RDN", X509CertLevel.EndEntity, "5y", false);// w w w. j a v a 2 s . co m // Subject Subject subject = profile.getSubject(); subject.setIncSerialNumber(false); List<RdnType> rdnControls = subject.getRdn(); rdnControls.add(createRdn(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE|FR" }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_O, 1, 1, null, null, null, "group1")); rdnControls.add(createRdn(ObjectIdentifiers.DN_OU, 1, 1, null, null, null, "group1")); rdnControls.add(createRdn(ObjectIdentifiers.DN_SN, 0, 1, new String[] { REGEX_SN }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_CN, 1, 1)); // Extensions // Extensions - general ExtensionsType extensions = profile.getExtensions(); List<ExtensionType> list = extensions.getExtension(); list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null)); list.add(createExtension(Extension.cRLDistributionPoints, false, false, null)); list.add(createExtension(Extension.freshestCRL, false, false, null)); // Extensions - basicConstraints ExtensionValueType extensionValue = null; list.add(createExtension(Extension.basicConstraints, true, true, extensionValue)); // Extensions - AuthorityInfoAccess extensionValue = createAuthorityInfoAccess(); list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue)); // Extensions - AuthorityKeyIdentifier extensionValue = createAuthorityKeyIdentifier(true); list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue)); // Extensions - keyUsage extensionValue = createKeyUsages(new KeyUsageEnum[] { KeyUsageEnum.CONTENT_COMMITMENT }, null); list.add(createExtension(Extension.keyUsage, true, true, extensionValue)); return profile; }
From source file:org.xipki.pki.ca.certprofile.test.ProfileConfCreatorDemo.java
License:Open Source License
private static X509ProfileType certprofileQc() throws Exception { X509ProfileType profile = getBaseProfile("Certprofile QC", X509CertLevel.EndEntity, "5y", false); // Subject/* w w w . java 2 s. c om*/ Subject subject = profile.getSubject(); subject.setIncSerialNumber(false); List<RdnType> rdnControls = subject.getRdn(); rdnControls.add(createRdn(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE|FR" }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_O, 1, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_organizationIdentifier, 0, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_OU, 0, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_SN, 0, 1, new String[] { REGEX_SN }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_CN, 1, 1)); // Extensions // Extensions - general ExtensionsType extensions = profile.getExtensions(); // Extensions - controls List<ExtensionType> list = extensions.getExtension(); list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null)); list.add(createExtension(Extension.cRLDistributionPoints, false, false, null)); list.add(createExtension(Extension.freshestCRL, false, false, null)); // Extensions - basicConstraints ExtensionValueType extensionValue = null; list.add(createExtension(Extension.basicConstraints, true, false, extensionValue)); // Extensions - AuthorityInfoAccess extensionValue = createAuthorityInfoAccess(); list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue)); // Extensions - AuthorityKeyIdentifier extensionValue = createAuthorityKeyIdentifier(true); list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue)); // Extensions - keyUsage extensionValue = createKeyUsages(new KeyUsageEnum[] { KeyUsageEnum.CONTENT_COMMITMENT }, null); list.add(createExtension(Extension.keyUsage, true, true, extensionValue)); // Extensions - extenedKeyUsage extensionValue = createExtendedKeyUsage(new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_timeStamping }, null); list.add(createExtension(Extension.extendedKeyUsage, true, true, extensionValue)); // privateKeyUsagePeriod extensionValue = createPrivateKeyUsagePeriod("3y"); list.add(createExtension(Extension.privateKeyUsagePeriod, true, false, extensionValue)); // QcStatements extensionValue = createQcStatements(false); list.add(createExtension(Extension.qCStatements, true, false, extensionValue)); return profile; }
From source file:org.xipki.pki.ca.certprofile.test.ProfileConfCreatorDemo.java
License:Open Source License
private static X509ProfileType certprofileEeComplex() throws Exception { X509ProfileType profile = getBaseProfile("Certprofile EE complex", X509CertLevel.EndEntity, "5y", true); // Subject/*from w w w .java 2 s. c o m*/ Subject subject = profile.getSubject(); subject.setIncSerialNumber(false); subject.setKeepRdnOrder(true); List<RdnType> rdnControls = subject.getRdn(); rdnControls.add(createRdn(ObjectIdentifiers.DN_CN, 1, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE|FR" }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_O, 1, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_OU, 0, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_SN, 0, 1, new String[] { REGEX_SN }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_DATE_OF_BIRTH, 0, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_POSTAL_ADDRESS, 0, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_UNIQUE_IDENTIFIER, 1, 1)); // Extensions // Extensions - general ExtensionsType extensions = profile.getExtensions(); // Extensions - controls List<ExtensionType> list = extensions.getExtension(); list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null)); list.add(createExtension(Extension.cRLDistributionPoints, false, false, null)); list.add(createExtension(Extension.freshestCRL, false, false, null)); // Extensions - basicConstraints ExtensionValueType extensionValue = null; list.add(createExtension(Extension.basicConstraints, true, false, extensionValue)); // Extensions - AuthorityInfoAccess extensionValue = createAuthorityInfoAccess(); list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue)); // Extensions - AuthorityKeyIdentifier extensionValue = createAuthorityKeyIdentifier(true); list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue)); // Extensions - keyUsage extensionValue = createKeyUsages(new KeyUsageEnum[] { KeyUsageEnum.DIGITAL_SIGNATURE, KeyUsageEnum.DATA_ENCIPHERMENT, KeyUsageEnum.KEY_ENCIPHERMENT }, null); list.add(createExtension(Extension.keyUsage, true, true, extensionValue)); // Extensions - extenedKeyUsage extensionValue = createExtendedKeyUsage(new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_serverAuth }, new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_clientAuth }); list.add(createExtension(Extension.extendedKeyUsage, true, false, extensionValue)); // Extension - subjectDirectoryAttributes SubjectDirectoryAttributs subjectDirAttrType = new SubjectDirectoryAttributs(); List<OidWithDescType> attrTypes = subjectDirAttrType.getType(); attrTypes.add(createOidType(ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP)); attrTypes.add(createOidType(ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE)); attrTypes.add(createOidType(ObjectIdentifiers.DN_GENDER)); attrTypes.add(createOidType(ObjectIdentifiers.DN_DATE_OF_BIRTH)); attrTypes.add(createOidType(ObjectIdentifiers.DN_PLACE_OF_BIRTH)); extensionValue = createExtensionValueType(subjectDirAttrType); list.add(createExtension(Extension.subjectDirectoryAttributes, true, false, extensionValue)); // Extension - Admission AdmissionSyntax admissionSyntax = new AdmissionSyntax(); admissionSyntax.setAdmissionAuthority( new GeneralName(new X500Name("C=DE,CN=admissionAuthority level 1")).getEncoded()); AdmissionsType admissions = new AdmissionsType(); admissions.setAdmissionAuthority( new GeneralName(new X500Name("C=DE,CN=admissionAuthority level 2")).getEncoded()); NamingAuthorityType namingAuthorityL2 = new NamingAuthorityType(); namingAuthorityL2.setOid(createOidType(new ASN1ObjectIdentifier("1.2.3.4.5"))); namingAuthorityL2.setUrl("http://naming-authority-level2.example.org"); namingAuthorityL2.setText("namingAuthrityText level 2"); admissions.setNamingAuthority(namingAuthorityL2); admissionSyntax.getContentsOfAdmissions().add(admissions); ProfessionInfoType pi = new ProfessionInfoType(); admissions.getProfessionInfo().add(pi); pi.getProfessionOid().add(createOidType(new ASN1ObjectIdentifier("1.2.3.4"), "demo oid")); pi.getProfessionItem().add("demo item"); NamingAuthorityType namingAuthorityL3 = new NamingAuthorityType(); namingAuthorityL3.setOid(createOidType(new ASN1ObjectIdentifier("1.2.3.4.5"))); namingAuthorityL3.setUrl("http://naming-authority-level3.example.org"); namingAuthorityL3.setText("namingAuthrityText level 3"); pi.setNamingAuthority(namingAuthorityL3); pi.setAddProfessionInfo(new byte[] { 1, 2, 3, 4 }); RegistrationNumber regNum = new RegistrationNumber(); pi.setRegistrationNumber(regNum); regNum.setRegex("a*b"); // check the syntax XmlX509CertprofileUtil.buildAdmissionSyntax(false, admissionSyntax); extensionValue = createExtensionValueType(admissionSyntax); list.add(createExtension(ObjectIdentifiers.id_extension_admission, true, false, extensionValue)); // restriction extensionValue = createRestriction(DirectoryStringType.UTF_8_STRING, "demo restriction"); list.add(createExtension(ObjectIdentifiers.id_extension_restriction, true, false, extensionValue)); // additionalInformation extensionValue = createAdditionalInformation(DirectoryStringType.UTF_8_STRING, "demo additional information"); list.add( createExtension(ObjectIdentifiers.id_extension_additionalInformation, true, false, extensionValue)); // validationModel extensionValue = createConstantExtValue(new ASN1ObjectIdentifier("1.3.6.1.4.1.8301.3.5.1").getEncoded(), "chain"); list.add(createExtension(ObjectIdentifiers.id_extension_validityModel, true, false, extensionValue)); // privateKeyUsagePeriod extensionValue = createPrivateKeyUsagePeriod("3y"); list.add(createExtension(Extension.privateKeyUsagePeriod, true, false, extensionValue)); // QcStatements extensionValue = createQcStatements(true); list.add(createExtension(Extension.qCStatements, true, false, extensionValue)); // biometricInfo extensionValue = createBiometricInfo(); list.add(createExtension(Extension.biometricInfo, true, false, extensionValue)); // authorizationTemplate extensionValue = createAuthorizationTemplate(); list.add( createExtension(ObjectIdentifiers.id_xipki_ext_authorizationTemplate, true, false, extensionValue)); // SubjectAltName SubjectAltName subjectAltNameMode = new SubjectAltName(); OtherName otherName = new OtherName(); otherName.getType().add(createOidType(new ASN1ObjectIdentifier("1.2.3.1"), "dummy oid 1")); otherName.getType().add(createOidType(new ASN1ObjectIdentifier("1.2.3.2"), "dummy oid 2")); subjectAltNameMode.setOtherName(otherName); subjectAltNameMode.setRfc822Name(""); subjectAltNameMode.setDnsName(""); subjectAltNameMode.setDirectoryName(""); subjectAltNameMode.setEdiPartyName(""); subjectAltNameMode.setUniformResourceIdentifier(""); subjectAltNameMode.setIpAddress(""); subjectAltNameMode.setRegisteredID(""); extensionValue = createExtensionValueType(subjectAltNameMode); list.add(createExtension(Extension.subjectAlternativeName, true, false, extensionValue)); // SubjectInfoAccess List<ASN1ObjectIdentifier> accessMethods = new LinkedList<>(); accessMethods.add(ObjectIdentifiers.id_ad_caRepository); for (int i = 0; i < 10; i++) { accessMethods.add(new ASN1ObjectIdentifier("2.3.4." + (i + 1))); } SubjectInfoAccess subjectInfoAccessMode = new SubjectInfoAccess(); for (ASN1ObjectIdentifier accessMethod : accessMethods) { SubjectInfoAccess.Access access = new SubjectInfoAccess.Access(); subjectInfoAccessMode.getAccess().add(access); access.setAccessMethod(createOidType(accessMethod)); GeneralNameType accessLocation = new GeneralNameType(); access.setAccessLocation(accessLocation); otherName = new OtherName(); otherName.getType().add(createOidType(new ASN1ObjectIdentifier("1.2.3.1"), "dummy oid 1")); otherName.getType().add(createOidType(new ASN1ObjectIdentifier("1.2.3.2"), "dummy oid 2")); accessLocation.setOtherName(otherName); accessLocation.setRfc822Name(""); accessLocation.setDnsName(""); accessLocation.setDirectoryName(""); accessLocation.setEdiPartyName(""); accessLocation.setUniformResourceIdentifier(""); accessLocation.setIpAddress(""); accessLocation.setRegisteredID(""); } extensionValue = createExtensionValueType(subjectInfoAccessMode); list.add(createExtension(Extension.subjectInfoAccess, true, false, extensionValue)); return profile; }
From source file:org.xipki.pki.ca.certprofile.test.ProfileConfCreatorDemo.java
License:Open Source License
private static X509ProfileType certprofileMaxTime() throws Exception { X509ProfileType profile = getBaseProfile("Certprofile MaxTime", X509CertLevel.EndEntity, "9999y", false); // Subject//from w w w. j a v a2s . co m Subject subject = profile.getSubject(); subject.setDuplicateSubjectPermitted(false); subject.setIncSerialNumber(false); List<RdnType> rdnControls = subject.getRdn(); rdnControls.add(createRdn(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE|FR" }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_O, 1, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_OU, 0, 1)); rdnControls.add(createRdn(ObjectIdentifiers.DN_SN, 0, 1, new String[] { REGEX_SN }, null, null)); rdnControls.add(createRdn(ObjectIdentifiers.DN_CN, 1, 1, new String[] { REGEX_FQDN }, null, null)); // Extensions ExtensionsType extensions = profile.getExtensions(); List<ExtensionType> list = extensions.getExtension(); list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null)); list.add(createExtension(Extension.cRLDistributionPoints, false, false, null)); list.add(createExtension(Extension.freshestCRL, false, false, null)); // Extensions - basicConstraints ExtensionValueType extensionValue = null; list.add(createExtension(Extension.basicConstraints, true, true, extensionValue)); // Extensions - AuthorityInfoAccess extensionValue = createAuthorityInfoAccess(); list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue)); // Extensions - AuthorityKeyIdentifier extensionValue = createAuthorityKeyIdentifier(true); list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue)); // Extensions - keyUsage extensionValue = createKeyUsages(new KeyUsageEnum[] { KeyUsageEnum.DIGITAL_SIGNATURE, KeyUsageEnum.DATA_ENCIPHERMENT, KeyUsageEnum.KEY_ENCIPHERMENT }, null); list.add(createExtension(Extension.keyUsage, true, true, extensionValue)); return profile; }
From source file:org.xipki.pki.ca.certprofile.XmlX509Certprofile.java
License:Open Source License
private void initAuthorityInfoAccess(ExtensionsType extensionsType) throws CertprofileException { ASN1ObjectIdentifier type = Extension.authorityInfoAccess; if (!extensionControls.containsKey(type)) { return;//from w w w. j a v a2 s . c o m } AuthorityInfoAccess extConf = (AuthorityInfoAccess) getExtensionValue(type, extensionsType, AuthorityInfoAccess.class); if (extConf == null) { return; } this.aiaControl = new AuthorityInfoAccessControl(extConf.isIncludeCaIssuers(), extConf.isIncludeOcsp()); }
From source file:org.xipki.pki.ca.qa.ExtensionsChecker.java
License:Open Source License
public List<ValidationIssue> checkExtensions(final Certificate cert, final X509IssuerInfo issuerInfo, final Extensions requestedExtensions, final X500Name requestedSubject) { ParamUtil.requireNonNull("cert", cert); ParamUtil.requireNonNull("issuerInfo", issuerInfo); X509Certificate jceCert;/* w w w. j a v a 2s .c o m*/ try { jceCert = X509Util.toX509Cert(cert); } catch (CertificateException ex) { throw new IllegalArgumentException("invalid cert: " + ex.getMessage()); } List<ValidationIssue> result = new LinkedList<>(); // detect the list of extension types in certificate Set<ASN1ObjectIdentifier> presentExtenionTypes = getExensionTypes(cert, issuerInfo, requestedExtensions); Extensions extensions = cert.getTBSCertificate().getExtensions(); ASN1ObjectIdentifier[] oids = extensions.getExtensionOIDs(); if (oids == null) { ValidationIssue issue = new ValidationIssue("X509.EXT.GEN", "extension general"); result.add(issue); issue.setFailureMessage("no extension is present"); return result; } List<ASN1ObjectIdentifier> certExtTypes = Arrays.asList(oids); for (ASN1ObjectIdentifier extType : presentExtenionTypes) { if (!certExtTypes.contains(extType)) { ValidationIssue issue = createExtensionIssue(extType); result.add(issue); issue.setFailureMessage("extension is absent but is required"); } } Map<ASN1ObjectIdentifier, ExtensionControl> extensionControls = certProfile.getExtensionControls(); for (ASN1ObjectIdentifier oid : certExtTypes) { ValidationIssue issue = createExtensionIssue(oid); result.add(issue); if (!presentExtenionTypes.contains(oid)) { issue.setFailureMessage("extension is present but is not permitted"); continue; } Extension ext = extensions.getExtension(oid); StringBuilder failureMsg = new StringBuilder(); ExtensionControl extControl = extensionControls.get(oid); if (extControl.isCritical() != ext.isCritical()) { addViolation(failureMsg, "critical", ext.isCritical(), extControl.isCritical()); } byte[] extensionValue = ext.getExtnValue().getOctets(); try { if (Extension.authorityKeyIdentifier.equals(oid)) { // AuthorityKeyIdentifier checkExtensionIssuerKeyIdentifier(failureMsg, extensionValue, issuerInfo); } else if (Extension.subjectKeyIdentifier.equals(oid)) { // SubjectKeyIdentifier checkExtensionSubjectKeyIdentifier(failureMsg, extensionValue, cert.getSubjectPublicKeyInfo()); } else if (Extension.keyUsage.equals(oid)) { // KeyUsage checkExtensionKeyUsage(failureMsg, extensionValue, jceCert.getKeyUsage(), requestedExtensions, extControl); } else if (Extension.certificatePolicies.equals(oid)) { // CertificatePolicies checkExtensionCertificatePolicies(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.policyMappings.equals(oid)) { // Policy Mappings checkExtensionPolicyMappings(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.subjectAlternativeName.equals(oid)) { // SubjectAltName checkExtensionSubjectAltName(failureMsg, extensionValue, requestedExtensions, extControl, requestedSubject); } else if (Extension.subjectDirectoryAttributes.equals(oid)) { // SubjectDirectoryAttributes checkExtensionSubjectDirAttrs(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.issuerAlternativeName.equals(oid)) { // IssuerAltName checkExtensionIssuerAltNames(failureMsg, extensionValue, issuerInfo); } else if (Extension.basicConstraints.equals(oid)) { // Basic Constraints checkExtensionBasicConstraints(failureMsg, extensionValue); } else if (Extension.nameConstraints.equals(oid)) { // Name Constraints checkExtensionNameConstraints(failureMsg, extensionValue, extensions, extControl); } else if (Extension.policyConstraints.equals(oid)) { // PolicyConstrains checkExtensionPolicyConstraints(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.extendedKeyUsage.equals(oid)) { // ExtendedKeyUsage checkExtensionExtendedKeyUsage(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.cRLDistributionPoints.equals(oid)) { // CRL Distribution Points checkExtensionCrlDistributionPoints(failureMsg, extensionValue, issuerInfo); } else if (Extension.inhibitAnyPolicy.equals(oid)) { // Inhibit anyPolicy checkExtensionInhibitAnyPolicy(failureMsg, extensionValue, extensions, extControl); } else if (Extension.freshestCRL.equals(oid)) { // Freshest CRL checkExtensionDeltaCrlDistributionPoints(failureMsg, extensionValue, issuerInfo); } else if (Extension.authorityInfoAccess.equals(oid)) { // Authority Information Access checkExtensionAuthorityInfoAccess(failureMsg, extensionValue, issuerInfo); } else if (Extension.subjectInfoAccess.equals(oid)) { // SubjectInfoAccess checkExtensionSubjectInfoAccess(failureMsg, extensionValue, requestedExtensions, extControl); } else if (ObjectIdentifiers.id_extension_admission.equals(oid)) { // Admission checkExtensionAdmission(failureMsg, extensionValue, requestedExtensions, extControl); } else if (ObjectIdentifiers.id_extension_pkix_ocsp_nocheck.equals(oid)) { // ocsp-nocheck checkExtensionOcspNocheck(failureMsg, extensionValue); } else if (ObjectIdentifiers.id_extension_restriction.equals(oid)) { // restriction checkExtensionRestriction(failureMsg, extensionValue, requestedExtensions, extControl); } else if (ObjectIdentifiers.id_extension_additionalInformation.equals(oid)) { // additionalInformation checkExtensionAdditionalInformation(failureMsg, extensionValue, requestedExtensions, extControl); } else if (ObjectIdentifiers.id_extension_validityModel.equals(oid)) { // validityModel checkExtensionValidityModel(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.privateKeyUsagePeriod.equals(oid)) { // privateKeyUsagePeriod checkExtensionPrivateKeyUsagePeriod(failureMsg, extensionValue, jceCert.getNotBefore(), jceCert.getNotAfter()); } else if (Extension.qCStatements.equals(oid)) { // qCStatements checkExtensionQcStatements(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.biometricInfo.equals(oid)) { // biometricInfo checkExtensionBiometricInfo(failureMsg, extensionValue, requestedExtensions, extControl); } else if (ObjectIdentifiers.id_pe_tlsfeature.equals(oid)) { // tlsFeature checkExtensionTlsFeature(failureMsg, extensionValue, requestedExtensions, extControl); } else if (ObjectIdentifiers.id_xipki_ext_authorizationTemplate.equals(oid)) { // authorizationTemplate checkExtensionAuthorizationTemplate(failureMsg, extensionValue, requestedExtensions, extControl); } else { byte[] expected; if (ObjectIdentifiers.id_smimeCapabilities.equals(oid)) { // SMIMECapabilities expected = smimeCapabilities.getValue(); } else { expected = getExpectedExtValue(oid, requestedExtensions, extControl); } if (!Arrays.equals(expected, extensionValue)) { addViolation(failureMsg, "extension valus", hex(extensionValue), (expected == null) ? "not present" : hex(expected)); } } if (failureMsg.length() > 0) { issue.setFailureMessage(failureMsg.toString()); } } catch (IllegalArgumentException | ClassCastException | ArrayIndexOutOfBoundsException ex) { LOG.debug("extension value does not have correct syntax", ex); issue.setFailureMessage("extension value does not have correct syntax"); } } return result; }
From source file:org.xipki.pki.ca.qa.ExtensionsChecker.java
License:Open Source License
private Set<ASN1ObjectIdentifier> getExensionTypes(final Certificate cert, final X509IssuerInfo issuerInfo, final Extensions requestedExtensions) { Set<ASN1ObjectIdentifier> types = new HashSet<>(); // profile required extension types Map<ASN1ObjectIdentifier, ExtensionControl> extensionControls = certProfile.getExtensionControls(); for (ASN1ObjectIdentifier oid : extensionControls.keySet()) { if (extensionControls.get(oid).isRequired()) { types.add(oid);/*from w w w . ja v a 2 s .c om*/ } } Set<ASN1ObjectIdentifier> wantedExtensionTypes = new HashSet<>(); if (requestedExtensions != null) { Extension reqExtension = requestedExtensions .getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions); if (reqExtension != null) { ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue()); types.addAll(ee.getNeedExtensions()); wantedExtensionTypes.addAll(ee.getWantExtensions()); } } if (CollectionUtil.isEmpty(wantedExtensionTypes)) { return types; } // wanted extension types // Authority key identifier ASN1ObjectIdentifier type = Extension.authorityKeyIdentifier; if (wantedExtensionTypes.contains(type)) { types.add(type); } // Subject key identifier type = Extension.subjectKeyIdentifier; if (wantedExtensionTypes.contains(type)) { types.add(type); } // KeyUsage type = Extension.keyUsage; if (wantedExtensionTypes.contains(type)) { boolean required = false; if (requestedExtensions != null && requestedExtensions.getExtension(type) != null) { required = true; } if (!required) { Set<KeyUsageControl> requiredKeyusage = getKeyusage(true); if (CollectionUtil.isNonEmpty(requiredKeyusage)) { required = true; } } if (required) { types.add(type); } } // CertificatePolicies type = Extension.certificatePolicies; if (wantedExtensionTypes.contains(type)) { if (certificatePolicies != null) { types.add(type); } } // Policy Mappings type = Extension.policyMappings; if (wantedExtensionTypes.contains(type)) { if (policyMappings != null) { types.add(type); } } // SubjectAltNames type = Extension.subjectAlternativeName; if (wantedExtensionTypes.contains(type)) { if (requestedExtensions != null && requestedExtensions.getExtension(type) != null) { types.add(type); } } // IssuerAltName type = Extension.issuerAlternativeName; if (wantedExtensionTypes.contains(type)) { if (cert.getTBSCertificate().getExtensions().getExtension(Extension.subjectAlternativeName) != null) { types.add(type); } } // BasicConstraints type = Extension.basicConstraints; if (wantedExtensionTypes.contains(type)) { types.add(type); } // Name Constraints type = Extension.nameConstraints; if (wantedExtensionTypes.contains(type)) { if (nameConstraints != null) { types.add(type); } } // PolicyConstrains type = Extension.policyConstraints; if (wantedExtensionTypes.contains(type)) { if (policyConstraints != null) { types.add(type); } } // ExtendedKeyUsage type = Extension.extendedKeyUsage; if (wantedExtensionTypes.contains(type)) { boolean required = false; if (requestedExtensions != null && requestedExtensions.getExtension(type) != null) { required = true; } if (!required) { Set<ExtKeyUsageControl> requiredExtKeyusage = getExtKeyusage(true); if (CollectionUtil.isNonEmpty(requiredExtKeyusage)) { required = true; } } if (required) { types.add(type); } } // CRLDistributionPoints type = Extension.cRLDistributionPoints; if (wantedExtensionTypes.contains(type)) { if (issuerInfo.getCrlUrls() != null) { types.add(type); } } // Inhibit anyPolicy type = Extension.inhibitAnyPolicy; if (wantedExtensionTypes.contains(type)) { if (inhibitAnyPolicy != null) { types.add(type); } } // FreshestCRL type = Extension.freshestCRL; if (wantedExtensionTypes.contains(type)) { if (issuerInfo.getDeltaCrlUrls() != null) { types.add(type); } } // AuthorityInfoAccess type = Extension.authorityInfoAccess; if (wantedExtensionTypes.contains(type)) { if (issuerInfo.getOcspUrls() != null) { types.add(type); } } // SubjectInfoAccess type = Extension.subjectInfoAccess; if (wantedExtensionTypes.contains(type)) { if (requestedExtensions != null && requestedExtensions.getExtension(type) != null) { types.add(type); } } // Admission type = ObjectIdentifiers.id_extension_admission; if (wantedExtensionTypes.contains(type)) { if (certProfile.getAdmission() != null) { types.add(type); } } // ocsp-nocheck type = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck; if (wantedExtensionTypes.contains(type)) { types.add(type); } wantedExtensionTypes.removeAll(types); for (ASN1ObjectIdentifier oid : wantedExtensionTypes) { if (requestedExtensions != null && requestedExtensions.getExtension(oid) != null) { if (constantExtensions.containsKey(oid)) { types.add(oid); } } } return types; }