List of usage examples for org.bouncycastle.asn1.x509 Extension basicConstraints
ASN1ObjectIdentifier basicConstraints
To view the source code for org.bouncycastle.asn1.x509 Extension basicConstraints.
Click Source Link
From source file:org.xipki.pki.ca.certprofile.XmlX509Certprofile.java
License:Open Source License
private void initBasicConstraints(ExtensionsType extensionsType) throws CertprofileException { ASN1ObjectIdentifier type = Extension.basicConstraints; if (!extensionControls.containsKey(type)) { return;/*from w ww .j a va 2 s. c om*/ } BasicConstraints extConf = (BasicConstraints) getExtensionValue(type, extensionsType, BasicConstraints.class); if (extConf == null) { return; } this.pathLen = extConf.getPathLen(); }
From source file:org.xipki.pki.ca.dbtool.port.CaCertStoreDbImporter.java
License:Open Source License
private long doImportEntries(final CaDbEntryType type, final String entriesZipFile, final long minId, final File processLogFile, final ProcessLog processLog, final int numProcessedInLastProcess, final PreparedStatement[] statements, final String[] sqls) throws Exception { final int numEntriesPerCommit = Math.max(1, Math.round(type.getSqlBatchFactor() * numCertsPerCommit)); ZipFile zipFile = new ZipFile(new File(entriesZipFile)); ZipEntry entriesXmlEntry = zipFile.getEntry("overview.xml"); DbiXmlReader entries;//w w w.j a v a2s .com try { entries = createReader(type, zipFile.getInputStream(entriesXmlEntry)); } catch (Exception ex) { try { zipFile.close(); } catch (Exception e2) { LOG.error("could not close ZIP file {}: {}", entriesZipFile, e2.getMessage()); LOG.debug("could not close ZIP file " + entriesZipFile, e2); } throw ex; } disableAutoCommit(); try { int numEntriesInBatch = 0; long lastSuccessfulEntryId = 0; while (entries.hasNext()) { if (stopMe.get()) { throw new InterruptedException("interrupted by the user"); } IdentifidDbObjectType entry = (IdentifidDbObjectType) entries.next(); long id = entry.getId(); if (id < minId) { continue; } numEntriesInBatch++; if (CaDbEntryType.CERT == type) { CaCertType cert = (CaCertType) entry; int certArt = (cert.getArt() == null) ? 1 : cert.getArt(); String filename = cert.getFile(); // rawcert ZipEntry certZipEnty = zipFile.getEntry(filename); // rawcert byte[] encodedCert = IoUtil.read(zipFile.getInputStream(certZipEnty)); TBSCertificate tbsCert; try { Certificate cc = Certificate.getInstance(encodedCert); tbsCert = cc.getTBSCertificate(); } catch (RuntimeException ex) { LOG.error("could not parse certificate in file {}", filename); LOG.debug("could not parse certificate in file " + filename, ex); throw new CertificateException(ex.getMessage(), ex); } byte[] encodedKey = tbsCert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes(); String b64Sha1FpCert = HashAlgoType.SHA1.base64Hash(encodedCert); // cert String subjectText = X509Util.cutX500Name(tbsCert.getSubject(), maxX500nameLen); PreparedStatement psCert = statements[0]; PreparedStatement psRawcert = statements[1]; try { int idx = 1; psCert.setLong(idx++, id); psCert.setInt(idx++, certArt); psCert.setLong(idx++, cert.getUpdate()); psCert.setString(idx++, tbsCert.getSerialNumber().getPositiveValue().toString(16)); psCert.setString(idx++, subjectText); long fpSubject = X509Util.fpCanonicalizedName(tbsCert.getSubject()); psCert.setLong(idx++, fpSubject); if (cert.getFpRs() != null) { psCert.setLong(idx++, cert.getFpRs()); } else { psCert.setNull(idx++, Types.BIGINT); } psCert.setLong(idx++, tbsCert.getStartDate().getDate().getTime() / 1000); psCert.setLong(idx++, tbsCert.getEndDate().getDate().getTime() / 1000); setBoolean(psCert, idx++, cert.getRev()); setInt(psCert, idx++, cert.getRr()); setLong(psCert, idx++, cert.getRt()); setLong(psCert, idx++, cert.getRit()); setInt(psCert, idx++, cert.getPid()); setInt(psCert, idx++, cert.getCaId()); setInt(psCert, idx++, cert.getRid()); psCert.setString(idx++, cert.getUser()); psCert.setLong(idx++, FpIdCalculator.hash(encodedKey)); Extension extension = tbsCert.getExtensions().getExtension(Extension.basicConstraints); boolean ee = true; if (extension != null) { ASN1Encodable asn1 = extension.getParsedValue(); ee = !BasicConstraints.getInstance(asn1).isCA(); } psCert.setInt(idx++, ee ? 1 : 0); psCert.setInt(idx++, cert.getReqType()); String tidS = null; if (cert.getTid() != null) { tidS = cert.getTid(); } psCert.setString(idx++, tidS); psCert.addBatch(); } catch (SQLException ex) { throw translate(SQL_ADD_CERT, ex); } try { int idx = 1; psRawcert.setLong(idx++, cert.getId()); psRawcert.setString(idx++, b64Sha1FpCert); psRawcert.setString(idx++, cert.getRs()); psRawcert.setString(idx++, Base64.toBase64String(encodedCert)); psRawcert.addBatch(); } catch (SQLException ex) { throw translate(SQL_ADD_CRAW, ex); } } else if (CaDbEntryType.CRL == type) { PreparedStatement psAddCrl = statements[0]; CaCrlType crl = (CaCrlType) entry; String filename = crl.getFile(); // CRL ZipEntry zipEnty = zipFile.getEntry(filename); // rawcert byte[] encodedCrl = IoUtil.read(zipFile.getInputStream(zipEnty)); X509CRL x509crl = null; try { x509crl = X509Util.parseCrl(encodedCrl); } catch (Exception ex) { LOG.error("could not parse CRL in file {}", filename); LOG.debug("could not parse CRL in file " + filename, ex); if (ex instanceof CRLException) { throw (CRLException) ex; } else { throw new CRLException(ex.getMessage(), ex); } } try { byte[] octetString = x509crl.getExtensionValue(Extension.cRLNumber.getId()); if (octetString == null) { LOG.warn("CRL without CRL number, ignore it"); continue; } byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); // CHECKSTYLE:SKIP BigInteger crlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); BigInteger baseCrlNumber = null; octetString = x509crl.getExtensionValue(Extension.deltaCRLIndicator.getId()); if (octetString != null) { extnValue = DEROctetString.getInstance(octetString).getOctets(); baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); } int idx = 1; psAddCrl.setLong(idx++, crl.getId()); psAddCrl.setInt(idx++, crl.getCaId()); psAddCrl.setLong(idx++, crlNumber.longValue()); psAddCrl.setLong(idx++, x509crl.getThisUpdate().getTime() / 1000); if (x509crl.getNextUpdate() != null) { psAddCrl.setLong(idx++, x509crl.getNextUpdate().getTime() / 1000); } else { psAddCrl.setNull(idx++, Types.INTEGER); } if (baseCrlNumber == null) { setBoolean(psAddCrl, idx++, false); psAddCrl.setNull(idx++, Types.BIGINT); } else { setBoolean(psAddCrl, idx++, true); psAddCrl.setLong(idx++, baseCrlNumber.longValue()); } String str = Base64.toBase64String(encodedCrl); psAddCrl.setString(idx++, str); psAddCrl.addBatch(); } catch (SQLException ex) { System.err.println( "could not import CRL with ID=" + crl.getId() + ", message: " + ex.getMessage()); throw ex; } } else if (CaDbEntryType.USER == type) { PreparedStatement psAddUser = statements[0]; CaUserType user = (CaUserType) entry; try { int idx = 1; psAddUser.setLong(idx++, user.getId()); psAddUser.setString(idx++, user.getName()); psAddUser.setString(idx++, user.getPassword()); psAddUser.setString(idx++, user.getCnRegex()); psAddUser.addBatch(); } catch (SQLException ex) { System.err.println("could not import USERNAME with ID=" + user.getId() + ", message: " + ex.getMessage()); throw ex; } } else if (CaDbEntryType.REQUEST == type) { PreparedStatement psAddRequest = statements[0]; CaRequestType request = (CaRequestType) entry; String filename = request.getFile(); ZipEntry zipEnty = zipFile.getEntry(filename); byte[] encodedRequest = IoUtil.read(zipFile.getInputStream(zipEnty)); try { int idx = 1; psAddRequest.setLong(idx++, request.getId()); psAddRequest.setLong(idx++, request.getUpdate()); psAddRequest.setString(idx++, Base64.toBase64String(encodedRequest)); psAddRequest.addBatch(); } catch (SQLException ex) { System.err.println("could not import REQUEST with ID=" + request.getId() + ", message: " + ex.getMessage()); throw ex; } } else if (CaDbEntryType.REQCERT == type) { PreparedStatement psAddReqCert = statements[0]; CaRequestCertType reqCert = (CaRequestCertType) entry; try { int idx = 1; psAddReqCert.setLong(idx++, reqCert.getId()); psAddReqCert.setLong(idx++, reqCert.getRid()); psAddReqCert.setLong(idx++, reqCert.getCid()); psAddReqCert.addBatch(); } catch (SQLException ex) { System.err.println("could not import REQUEST with ID=" + reqCert.getId() + ", message: " + ex.getMessage()); throw ex; } } else { throw new RuntimeException("Unknown CaDbEntryType " + type); } boolean isLastBlock = !entries.hasNext(); if (numEntriesInBatch > 0 && (numEntriesInBatch % numEntriesPerCommit == 0 || isLastBlock)) { if (evaulateOnly) { for (PreparedStatement m : statements) { m.clearBatch(); } } else { String sql = null; try { for (int i = 0; i < sqls.length; i++) { sql = sqls[i]; statements[i].executeBatch(); } sql = null; commit("(commit import to CA)"); } catch (Throwable th) { rollback(); deleteFromTableWithLargerId(type.getTableName(), "ID", id, LOG); if (CaDbEntryType.CERT == type) { deleteFromTableWithLargerId("CRAW", "CID", id, LOG); } if (th instanceof SQLException) { throw translate(sql, (SQLException) th); } else if (th instanceof Exception) { throw (Exception) th; } else { throw new Exception(th); } } } lastSuccessfulEntryId = id; processLog.addNumProcessed(numEntriesInBatch); numEntriesInBatch = 0; echoToFile(type + ":" + (numProcessedInLastProcess + processLog.getNumProcessed()) + ":" + lastSuccessfulEntryId, processLogFile); processLog.printStatus(); } } // end while return lastSuccessfulEntryId; } finally { recoverAutoCommit(); zipFile.close(); } }
From source file:org.xipki.pki.ca.qa.ExtensionsChecker.java
License:Open Source License
public List<ValidationIssue> checkExtensions(final Certificate cert, final X509IssuerInfo issuerInfo, final Extensions requestedExtensions, final X500Name requestedSubject) { ParamUtil.requireNonNull("cert", cert); ParamUtil.requireNonNull("issuerInfo", issuerInfo); X509Certificate jceCert;//from w w w. ja va 2 s .c o m try { jceCert = X509Util.toX509Cert(cert); } catch (CertificateException ex) { throw new IllegalArgumentException("invalid cert: " + ex.getMessage()); } List<ValidationIssue> result = new LinkedList<>(); // detect the list of extension types in certificate Set<ASN1ObjectIdentifier> presentExtenionTypes = getExensionTypes(cert, issuerInfo, requestedExtensions); Extensions extensions = cert.getTBSCertificate().getExtensions(); ASN1ObjectIdentifier[] oids = extensions.getExtensionOIDs(); if (oids == null) { ValidationIssue issue = new ValidationIssue("X509.EXT.GEN", "extension general"); result.add(issue); issue.setFailureMessage("no extension is present"); return result; } List<ASN1ObjectIdentifier> certExtTypes = Arrays.asList(oids); for (ASN1ObjectIdentifier extType : presentExtenionTypes) { if (!certExtTypes.contains(extType)) { ValidationIssue issue = createExtensionIssue(extType); result.add(issue); issue.setFailureMessage("extension is absent but is required"); } } Map<ASN1ObjectIdentifier, ExtensionControl> extensionControls = certProfile.getExtensionControls(); for (ASN1ObjectIdentifier oid : certExtTypes) { ValidationIssue issue = createExtensionIssue(oid); result.add(issue); if (!presentExtenionTypes.contains(oid)) { issue.setFailureMessage("extension is present but is not permitted"); continue; } Extension ext = extensions.getExtension(oid); StringBuilder failureMsg = new StringBuilder(); ExtensionControl extControl = extensionControls.get(oid); if (extControl.isCritical() != ext.isCritical()) { addViolation(failureMsg, "critical", ext.isCritical(), extControl.isCritical()); } byte[] extensionValue = ext.getExtnValue().getOctets(); try { if (Extension.authorityKeyIdentifier.equals(oid)) { // AuthorityKeyIdentifier checkExtensionIssuerKeyIdentifier(failureMsg, extensionValue, issuerInfo); } else if (Extension.subjectKeyIdentifier.equals(oid)) { // SubjectKeyIdentifier checkExtensionSubjectKeyIdentifier(failureMsg, extensionValue, cert.getSubjectPublicKeyInfo()); } else if (Extension.keyUsage.equals(oid)) { // KeyUsage checkExtensionKeyUsage(failureMsg, extensionValue, jceCert.getKeyUsage(), requestedExtensions, extControl); } else if (Extension.certificatePolicies.equals(oid)) { // CertificatePolicies checkExtensionCertificatePolicies(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.policyMappings.equals(oid)) { // Policy Mappings checkExtensionPolicyMappings(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.subjectAlternativeName.equals(oid)) { // SubjectAltName checkExtensionSubjectAltName(failureMsg, extensionValue, requestedExtensions, extControl, requestedSubject); } else if (Extension.subjectDirectoryAttributes.equals(oid)) { // SubjectDirectoryAttributes checkExtensionSubjectDirAttrs(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.issuerAlternativeName.equals(oid)) { // IssuerAltName checkExtensionIssuerAltNames(failureMsg, extensionValue, issuerInfo); } else if (Extension.basicConstraints.equals(oid)) { // Basic Constraints checkExtensionBasicConstraints(failureMsg, extensionValue); } else if (Extension.nameConstraints.equals(oid)) { // Name Constraints checkExtensionNameConstraints(failureMsg, extensionValue, extensions, extControl); } else if (Extension.policyConstraints.equals(oid)) { // PolicyConstrains checkExtensionPolicyConstraints(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.extendedKeyUsage.equals(oid)) { // ExtendedKeyUsage checkExtensionExtendedKeyUsage(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.cRLDistributionPoints.equals(oid)) { // CRL Distribution Points checkExtensionCrlDistributionPoints(failureMsg, extensionValue, issuerInfo); } else if (Extension.inhibitAnyPolicy.equals(oid)) { // Inhibit anyPolicy checkExtensionInhibitAnyPolicy(failureMsg, extensionValue, extensions, extControl); } else if (Extension.freshestCRL.equals(oid)) { // Freshest CRL checkExtensionDeltaCrlDistributionPoints(failureMsg, extensionValue, issuerInfo); } else if (Extension.authorityInfoAccess.equals(oid)) { // Authority Information Access checkExtensionAuthorityInfoAccess(failureMsg, extensionValue, issuerInfo); } else if (Extension.subjectInfoAccess.equals(oid)) { // SubjectInfoAccess checkExtensionSubjectInfoAccess(failureMsg, extensionValue, requestedExtensions, extControl); } else if (ObjectIdentifiers.id_extension_admission.equals(oid)) { // Admission checkExtensionAdmission(failureMsg, extensionValue, requestedExtensions, extControl); } else if (ObjectIdentifiers.id_extension_pkix_ocsp_nocheck.equals(oid)) { // ocsp-nocheck checkExtensionOcspNocheck(failureMsg, extensionValue); } else if (ObjectIdentifiers.id_extension_restriction.equals(oid)) { // restriction checkExtensionRestriction(failureMsg, extensionValue, requestedExtensions, extControl); } else if (ObjectIdentifiers.id_extension_additionalInformation.equals(oid)) { // additionalInformation checkExtensionAdditionalInformation(failureMsg, extensionValue, requestedExtensions, extControl); } else if (ObjectIdentifiers.id_extension_validityModel.equals(oid)) { // validityModel checkExtensionValidityModel(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.privateKeyUsagePeriod.equals(oid)) { // privateKeyUsagePeriod checkExtensionPrivateKeyUsagePeriod(failureMsg, extensionValue, jceCert.getNotBefore(), jceCert.getNotAfter()); } else if (Extension.qCStatements.equals(oid)) { // qCStatements checkExtensionQcStatements(failureMsg, extensionValue, requestedExtensions, extControl); } else if (Extension.biometricInfo.equals(oid)) { // biometricInfo checkExtensionBiometricInfo(failureMsg, extensionValue, requestedExtensions, extControl); } else if (ObjectIdentifiers.id_pe_tlsfeature.equals(oid)) { // tlsFeature checkExtensionTlsFeature(failureMsg, extensionValue, requestedExtensions, extControl); } else if (ObjectIdentifiers.id_xipki_ext_authorizationTemplate.equals(oid)) { // authorizationTemplate checkExtensionAuthorizationTemplate(failureMsg, extensionValue, requestedExtensions, extControl); } else { byte[] expected; if (ObjectIdentifiers.id_smimeCapabilities.equals(oid)) { // SMIMECapabilities expected = smimeCapabilities.getValue(); } else { expected = getExpectedExtValue(oid, requestedExtensions, extControl); } if (!Arrays.equals(expected, extensionValue)) { addViolation(failureMsg, "extension valus", hex(extensionValue), (expected == null) ? "not present" : hex(expected)); } } if (failureMsg.length() > 0) { issue.setFailureMessage(failureMsg.toString()); } } catch (IllegalArgumentException | ClassCastException | ArrayIndexOutOfBoundsException ex) { LOG.debug("extension value does not have correct syntax", ex); issue.setFailureMessage("extension value does not have correct syntax"); } } return result; }
From source file:org.xipki.pki.ca.qa.ExtensionsChecker.java
License:Open Source License
private Set<ASN1ObjectIdentifier> getExensionTypes(final Certificate cert, final X509IssuerInfo issuerInfo, final Extensions requestedExtensions) { Set<ASN1ObjectIdentifier> types = new HashSet<>(); // profile required extension types Map<ASN1ObjectIdentifier, ExtensionControl> extensionControls = certProfile.getExtensionControls(); for (ASN1ObjectIdentifier oid : extensionControls.keySet()) { if (extensionControls.get(oid).isRequired()) { types.add(oid);/*from w w w . j av a 2s . c o m*/ } } Set<ASN1ObjectIdentifier> wantedExtensionTypes = new HashSet<>(); if (requestedExtensions != null) { Extension reqExtension = requestedExtensions .getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions); if (reqExtension != null) { ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue()); types.addAll(ee.getNeedExtensions()); wantedExtensionTypes.addAll(ee.getWantExtensions()); } } if (CollectionUtil.isEmpty(wantedExtensionTypes)) { return types; } // wanted extension types // Authority key identifier ASN1ObjectIdentifier type = Extension.authorityKeyIdentifier; if (wantedExtensionTypes.contains(type)) { types.add(type); } // Subject key identifier type = Extension.subjectKeyIdentifier; if (wantedExtensionTypes.contains(type)) { types.add(type); } // KeyUsage type = Extension.keyUsage; if (wantedExtensionTypes.contains(type)) { boolean required = false; if (requestedExtensions != null && requestedExtensions.getExtension(type) != null) { required = true; } if (!required) { Set<KeyUsageControl> requiredKeyusage = getKeyusage(true); if (CollectionUtil.isNonEmpty(requiredKeyusage)) { required = true; } } if (required) { types.add(type); } } // CertificatePolicies type = Extension.certificatePolicies; if (wantedExtensionTypes.contains(type)) { if (certificatePolicies != null) { types.add(type); } } // Policy Mappings type = Extension.policyMappings; if (wantedExtensionTypes.contains(type)) { if (policyMappings != null) { types.add(type); } } // SubjectAltNames type = Extension.subjectAlternativeName; if (wantedExtensionTypes.contains(type)) { if (requestedExtensions != null && requestedExtensions.getExtension(type) != null) { types.add(type); } } // IssuerAltName type = Extension.issuerAlternativeName; if (wantedExtensionTypes.contains(type)) { if (cert.getTBSCertificate().getExtensions().getExtension(Extension.subjectAlternativeName) != null) { types.add(type); } } // BasicConstraints type = Extension.basicConstraints; if (wantedExtensionTypes.contains(type)) { types.add(type); } // Name Constraints type = Extension.nameConstraints; if (wantedExtensionTypes.contains(type)) { if (nameConstraints != null) { types.add(type); } } // PolicyConstrains type = Extension.policyConstraints; if (wantedExtensionTypes.contains(type)) { if (policyConstraints != null) { types.add(type); } } // ExtendedKeyUsage type = Extension.extendedKeyUsage; if (wantedExtensionTypes.contains(type)) { boolean required = false; if (requestedExtensions != null && requestedExtensions.getExtension(type) != null) { required = true; } if (!required) { Set<ExtKeyUsageControl> requiredExtKeyusage = getExtKeyusage(true); if (CollectionUtil.isNonEmpty(requiredExtKeyusage)) { required = true; } } if (required) { types.add(type); } } // CRLDistributionPoints type = Extension.cRLDistributionPoints; if (wantedExtensionTypes.contains(type)) { if (issuerInfo.getCrlUrls() != null) { types.add(type); } } // Inhibit anyPolicy type = Extension.inhibitAnyPolicy; if (wantedExtensionTypes.contains(type)) { if (inhibitAnyPolicy != null) { types.add(type); } } // FreshestCRL type = Extension.freshestCRL; if (wantedExtensionTypes.contains(type)) { if (issuerInfo.getDeltaCrlUrls() != null) { types.add(type); } } // AuthorityInfoAccess type = Extension.authorityInfoAccess; if (wantedExtensionTypes.contains(type)) { if (issuerInfo.getOcspUrls() != null) { types.add(type); } } // SubjectInfoAccess type = Extension.subjectInfoAccess; if (wantedExtensionTypes.contains(type)) { if (requestedExtensions != null && requestedExtensions.getExtension(type) != null) { types.add(type); } } // Admission type = ObjectIdentifiers.id_extension_admission; if (wantedExtensionTypes.contains(type)) { if (certProfile.getAdmission() != null) { types.add(type); } } // ocsp-nocheck type = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck; if (wantedExtensionTypes.contains(type)) { types.add(type); } wantedExtensionTypes.removeAll(types); for (ASN1ObjectIdentifier oid : wantedExtensionTypes) { if (requestedExtensions != null && requestedExtensions.getExtension(oid) != null) { if (constantExtensions.containsKey(oid)) { types.add(oid); } } } return types; }
From source file:org.xipki.pki.ca.server.impl.IdentifiedX509Certprofile.java
License:Open Source License
public ExtensionValues getExtensions(@NonNull final X500Name requestedSubject, @NonNull final X500Name grantedSubject, @Nullable final Extensions requestedExtensions, @NonNull final SubjectPublicKeyInfo publicKeyInfo, @NonNull final PublicCaInfo publicCaInfo, @Nullable final X509Certificate crlSignerCert, @NonNull final Date notBefore, @NonNull final Date notAfter) throws CertprofileException, BadCertTemplateException { ParamUtil.requireNonNull("publicKeyInfo", publicKeyInfo); ExtensionValues values = new ExtensionValues(); Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls()); Set<ASN1ObjectIdentifier> neededExtTypes = new HashSet<>(); Set<ASN1ObjectIdentifier> wantedExtTypes = new HashSet<>(); if (requestedExtensions != null) { Extension reqExtension = requestedExtensions .getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions); if (reqExtension != null) { ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue()); neededExtTypes.addAll(ee.getNeedExtensions()); wantedExtTypes.addAll(ee.getWantExtensions()); }// ww w . j ava 2 s . co m for (ASN1ObjectIdentifier oid : neededExtTypes) { if (wantedExtTypes.contains(oid)) { wantedExtTypes.remove(oid); } if (!controls.containsKey(oid)) { throw new BadCertTemplateException("could not add needed extension " + oid.getId()); } } } // SubjectKeyIdentifier ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier; ExtensionControl extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { byte[] encodedSpki = publicKeyInfo.getPublicKeyData().getBytes(); byte[] skiValue = HashAlgoType.SHA1.hash(encodedSpki); SubjectKeyIdentifier value = new SubjectKeyIdentifier(skiValue); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // Authority key identifier extType = Extension.authorityKeyIdentifier; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer(); AuthorityKeyIdentifier value = null; if (ikiValue != null) { if (certprofile.includeIssuerAndSerialInAki()) { GeneralNames x509CaSubject = new GeneralNames(new GeneralName(publicCaInfo.getX500Subject())); value = new AuthorityKeyIdentifier(ikiValue, x509CaSubject, publicCaInfo.getSerialNumber()); } else { value = new AuthorityKeyIdentifier(ikiValue); } } addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // IssuerAltName extType = Extension.issuerAlternativeName; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { GeneralNames value = publicCaInfo.getSubjectAltName(); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // AuthorityInfoAccess extType = Extension.authorityInfoAccess; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl(); List<String> caIssuers = null; if (aiaControl == null || aiaControl.includesCaIssuers()) { caIssuers = publicCaInfo.getCaCertUris(); } List<String> ocspUris = null; if (aiaControl == null || aiaControl.includesOcsp()) { ocspUris = publicCaInfo.getOcspUris(); } if (CollectionUtil.isNonEmpty(caIssuers) || CollectionUtil.isNonEmpty(ocspUris)) { AuthorityInformationAccess value = CaUtil.createAuthorityInformationAccess(caIssuers, ocspUris); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } } if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) { X500Name crlSignerSubject = (crlSignerCert == null) ? null : X500Name.getInstance(crlSignerCert.getSubjectX500Principal().getEncoded()); X500Name x500CaPrincipal = publicCaInfo.getX500Subject(); // CRLDistributionPoints extType = Extension.cRLDistributionPoints; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { if (CollectionUtil.isNonEmpty(publicCaInfo.getCrlUris())) { CRLDistPoint value = CaUtil.createCrlDistributionPoints(publicCaInfo.getCrlUris(), x500CaPrincipal, crlSignerSubject); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } } // FreshestCRL extType = Extension.freshestCRL; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { if (CollectionUtil.isNonEmpty(publicCaInfo.getDeltaCrlUris())) { CRLDistPoint value = CaUtil.createCrlDistributionPoints(publicCaInfo.getDeltaCrlUris(), x500CaPrincipal, crlSignerSubject); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } } } // BasicConstraints extType = Extension.basicConstraints; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { BasicConstraints value = CaUtil.createBasicConstraints(certprofile.getCertLevel(), certprofile.getPathLenBasicConstraint()); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // KeyUsage extType = Extension.keyUsage; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { Set<KeyUsage> usages = new HashSet<>(); Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage(); for (KeyUsageControl k : usageOccs) { if (k.isRequired()) { usages.add(k.getKeyUsage()); } } // the optional KeyUsage will only be set if requested explicitly if (requestedExtensions != null && extControl.isRequest()) { addRequestedKeyusage(usages, requestedExtensions, usageOccs); } org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // ExtendedKeyUsage extType = Extension.extendedKeyUsage; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { List<ASN1ObjectIdentifier> usages = new LinkedList<>(); Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages(); for (ExtKeyUsageControl k : usageOccs) { if (k.isRequired()) { usages.add(k.getExtKeyUsage()); } } // the optional ExtKeyUsage will only be set if requested explicitly if (requestedExtensions != null && extControl.isRequest()) { addRequestedExtKeyusage(usages, requestedExtensions, usageOccs); } if (extControl.isCritical() && usages.contains(ObjectIdentifiers.id_anyExtendedKeyUsage)) { extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest()); } ExtendedKeyUsage value = X509Util.createExtendedUsage(usages); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // ocsp-nocheck extType = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { // the extension ocsp-nocheck will only be set if requested explicitly DERNull value = DERNull.INSTANCE; addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // SubjectInfoAccess extType = Extension.subjectInfoAccess; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { ASN1Sequence value = null; if (requestedExtensions != null && extControl.isRequest()) { value = createSubjectInfoAccess(requestedExtensions, certprofile.getSubjectInfoAccessModes()); } addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, grantedSubject, requestedExtensions, notBefore, notAfter); Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet()); for (ASN1ObjectIdentifier type : extTypes) { extControl = controls.remove(type); boolean addMe = addMe(type, extControl, neededExtTypes, wantedExtTypes); if (addMe) { ExtensionValue value = null; if (requestedExtensions != null && extControl.isRequest()) { Extension reqExt = requestedExtensions.getExtension(type); if (reqExt != null) { value = new ExtensionValue(reqExt.isCritical(), reqExt.getParsedValue()); } } if (value == null) { value = subvalues.getExtensionValue(type); } addExtension(values, type, value, extControl, neededExtTypes, wantedExtTypes); } } Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>(); for (ASN1ObjectIdentifier type : controls.keySet()) { if (controls.get(type).isRequired()) { unprocessedExtTypes.add(type); } } if (CollectionUtil.isNonEmpty(unprocessedExtTypes)) { throw new CertprofileException("could not add required extensions " + toString(unprocessedExtTypes)); } if (CollectionUtil.isNonEmpty(neededExtTypes)) { throw new BadCertTemplateException("could not add requested extensions " + toString(neededExtTypes)); } return values; }
From source file:org.xipki.pki.scep.serveremulator.CaEmulator.java
License:Open Source License
public Certificate generateCert(final SubjectPublicKeyInfo pubKeyInfo, final X500Name subjectDn, final Date notBefore) throws Exception { ParamUtil.requireNonNull("pubKeyInfo", pubKeyInfo); ParamUtil.requireNonNull("subjectDn", subjectDn); ParamUtil.requireNonNull("notBefore", notBefore); Date notAfter = new Date(notBefore.getTime() + 730 * DAY_IN_MS); BigInteger tmpSerialNumber = BigInteger.valueOf(serialNumber.getAndAdd(1)); X509v3CertificateBuilder certGenerator = new X509v3CertificateBuilder(caSubject, tmpSerialNumber, notBefore, notAfter, subjectDn, pubKeyInfo); X509KeyUsage ku = new X509KeyUsage(X509KeyUsage.digitalSignature | X509KeyUsage.dataEncipherment | X509KeyUsage.keyAgreement | X509KeyUsage.keyEncipherment); certGenerator.addExtension(Extension.keyUsage, true, ku); BasicConstraints bc = new BasicConstraints(false); certGenerator.addExtension(Extension.basicConstraints, true, bc); String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(caKey, ScepHashAlgoType.SHA256); ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(caKey); Certificate asn1Cert = certGenerator.build(contentSigner).toASN1Structure(); serialCertMap.put(tmpSerialNumber, asn1Cert); reqSubjectCertMap.put(subjectDn, asn1Cert); return asn1Cert; }
From source file:org.xipki.pki.scep.serveremulator.ScepServer.java
License:Open Source License
private static Certificate issueSubCaCert(final PrivateKey rcaKey, final X500Name issuer, final SubjectPublicKeyInfo pubKeyInfo, final X500Name subject, final BigInteger serialNumber, final Date startTime) throws CertIOException, OperatorCreationException { Date notAfter = new Date(startTime.getTime() + CaEmulator.DAY_IN_MS * 3650); X509v3CertificateBuilder certGenerator = new X509v3CertificateBuilder(issuer, serialNumber, startTime, notAfter, subject, pubKeyInfo); X509KeyUsage ku = new X509KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign); certGenerator.addExtension(Extension.keyUsage, true, ku); BasicConstraints bc = new BasicConstraints(0); certGenerator.addExtension(Extension.basicConstraints, true, bc); String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(rcaKey, ScepHashAlgoType.SHA256); ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(rcaKey); return certGenerator.build(contentSigner).toASN1Structure(); }
From source file:org.xwiki.crypto.pkix.internal.extension.DefaultX509ExtensionBuilder.java
License:Open Source License
@Override public X509ExtensionBuilder addBasicConstraints(boolean isCertificateAuthority) { return addExtension(Extension.basicConstraints, true, new BasicConstraints(isCertificateAuthority)); }
From source file:org.xwiki.crypto.pkix.internal.extension.DefaultX509ExtensionBuilder.java
License:Open Source License
@Override public X509ExtensionBuilder addBasicConstraints(int pathLen) { return addExtension(Extension.basicConstraints, true, new BasicConstraints(pathLen)); }
From source file:org.zaproxy.zap.extension.dynssl.SslCertificateUtils.java
License:Apache License
/** * Creates a new Root CA certificate and returns private and public key as * {@link KeyStore}. The {@link KeyStore#getDefaultType()} is used. * * @return//from w w w . j av a 2s . c o m * @throws NoSuchAlgorithmException If no providers are found * for 'RSA' key pair generator * or 'SHA1PRNG' Secure random number generator * @throws IllegalStateException in case of errors during assembling {@link KeyStore} */ public static final KeyStore createRootCA() throws NoSuchAlgorithmException { final Date startDate = Calendar.getInstance().getTime(); final Date expireDate = new Date(startDate.getTime() + (DEFAULT_VALID_DAYS * 24L * 60L * 60L * 1000L)); final KeyPairGenerator g = KeyPairGenerator.getInstance("RSA"); g.initialize(2048, SecureRandom.getInstance("SHA1PRNG")); final KeyPair keypair = g.genKeyPair(); final PrivateKey privKey = keypair.getPrivate(); final PublicKey pubKey = keypair.getPublic(); Security.addProvider(new BouncyCastleProvider()); Random rnd = new Random(); // using the hash code of the user's name and home path, keeps anonymity // but also gives user a chance to distinguish between each other X500NameBuilder namebld = new X500NameBuilder(BCStyle.INSTANCE); namebld.addRDN(BCStyle.CN, "OWASP Zed Attack Proxy Root CA"); namebld.addRDN(BCStyle.L, Integer.toHexString(System.getProperty("user.name").hashCode()) + Integer.toHexString(System.getProperty("user.home").hashCode())); namebld.addRDN(BCStyle.O, "OWASP Root CA"); namebld.addRDN(BCStyle.OU, "OWASP ZAP Root CA"); namebld.addRDN(BCStyle.C, "xx"); X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(namebld.build(), BigInteger.valueOf(rnd.nextInt()), startDate, expireDate, namebld.build(), pubKey); KeyStore ks = null; try { certGen.addExtension(Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(pubKey.getEncoded())); certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign)); KeyPurposeId[] eku = { KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth, KeyPurposeId.anyExtendedKeyUsage }; certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(eku)); final ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider("BC") .build(privKey); final X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC") .getCertificate(certGen.build(sigGen)); ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(null, null); ks.setKeyEntry(SslCertificateService.ZAPROXY_JKS_ALIAS, privKey, SslCertificateService.PASSPHRASE, new Certificate[] { cert }); } catch (final Exception e) { throw new IllegalStateException("Errors during assembling root CA.", e); } return ks; }