Usage examples for org.bouncycastle.asn1.x509.Extension#getParsedValue()
public ASN1Encodable getParsedValue()
From source file:org.tdmx.client.crypto.certificate.PKIXCertificate.java
License:Open Source License
/**
 * Returns the TDMX zone-info extension carried by this certificate.
 *
 * @return the decoded extension, or {@code null} when the certificate holder carries
 *         no extension with OID {@code TdmxZoneInfo.tdmxZoneInfo}
 */
public TdmxZoneInfo getTdmxZoneInfo() {
    Extension zoneExt = holder.getExtension(TdmxZoneInfo.tdmxZoneInfo);
    if (zoneExt == null) {
        return null;
    }
    // getParsedValue() hands back the decoded OCTET STRING payload; nothing here
    // guards against a malformed payload, so decoding errors propagate to the caller.
    return TdmxZoneInfo.getInstance(zoneExt.getParsedValue());
}
From source file:org.tdmx.client.crypto.certificate.PKIXCertificate.java
License:Open Source License
/**
 * Tells whether this certificate asserts itself to be a CA.
 *
 * <p>Deliberately strict: only a <em>critical</em> BasicConstraints extension is
 * consulted (RFC 5280 requires conforming CAs to mark it critical on CA certificates).
 * A certificate whose BasicConstraints is absent or non-critical is reported as
 * not-a-CA even if its cA flag is TRUE — fail-closed from a verifier's point of view.
 *
 * @return {@code true} only when a critical BasicConstraints extension with cA=TRUE is present
 */
public boolean isCA() {
    Extension bcExt = holder.getExtension(Extension.basicConstraints);
    if (bcExt == null || !bcExt.isCritical()) {
        return false;
    }
    return BasicConstraints.getInstance(bcExt.getParsedValue()).isCA();
}
From source file:org.tdmx.client.crypto.certificate.PKIXCertificate.java
License:Open Source License
/**
 * Returns the pathLenConstraint of a critical BasicConstraints extension.
 *
 * <p>Applies the same strictness as {@link #isCA()}: an absent or non-critical
 * BasicConstraints is ignored. Note that the return value is ambiguous — {@code -1}
 * is produced both when the extension is not consulted and when it carries no
 * pathLenConstraint (i.e. unbounded path length). Callers that need to distinguish
 * "not a CA" from "CA without length limit" must consult {@link #isCA()} as well.
 *
 * @return the path length constraint, or {@code -1} when none applies
 */
public int getCAPathLengthConstraint() {
    Extension bcExt = holder.getExtension(Extension.basicConstraints);
    if (bcExt == null || !bcExt.isCritical()) {
        return -1;
    }
    BasicConstraints constraints = BasicConstraints.getInstance(bcExt.getParsedValue());
    return constraints.getPathLenConstraint() == null
            ? -1
            : constraints.getPathLenConstraint().intValue();
}
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
/**
 * Computes the set of extension types the QA check expects to find in {@code cert}.
 *
 * <p>Three sources feed the result: extensions the profile marks as required;
 * extensions the request lists as <em>needed</em> in its xipki cmpRequestExtensions
 * extension (taken unconditionally); and extensions the request lists as
 * <em>wanted</em>, which are only expected when the profile / issuer can actually
 * produce them (see {@link #isWantedTypeAvailable}). Any wanted type not covered by
 * a dedicated rule is still expected when the request carries it and the profile has
 * a constant value for it.
 *
 * @param cert                the issued certificate under test
 * @param issuerInfo          CRL / delta-CRL / OCSP URLs of the issuing CA
 * @param requestedExtensions extensions from the certificate request, may be {@code null}
 * @return the OIDs of all extensions that must be present
 */
private Set<ASN1ObjectIdentifier> getExensionTypes(final Certificate cert, final X509IssuerInfo issuerInfo,
        final Extensions requestedExtensions) {
    Set<ASN1ObjectIdentifier> types = new HashSet<>();

    // profile-required extensions are always expected
    for (ASN1ObjectIdentifier profileType : extensionControls.keySet()) {
        if (extensionControls.get(profileType).isRequired()) {
            types.add(profileType);
        }
    }

    Set<ASN1ObjectIdentifier> wanted = new HashSet<>();
    if (requestedExtensions != null) {
        Extension existenceExt = requestedExtensions
                .getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions);
        if (existenceExt != null) {
            ExtensionExistence existence = ExtensionExistence.getInstance(existenceExt.getParsedValue());
            types.addAll(existence.getNeedExtensions());
            wanted.addAll(existence.getWantExtensions());
        }
    }

    if (CollectionUtil.isEmpty(wanted)) {
        return types;
    }

    // From here on requestedExtensions is non-null: 'wanted' is only ever filled from it.
    for (ASN1ObjectIdentifier candidate : wanted) {
        if (isWantedTypeAvailable(candidate, cert, issuerInfo, requestedExtensions)) {
            types.add(candidate);
        }
    }

    // Remaining wanted types: expected only if requested AND backed by a profile constant.
    wanted.removeAll(types);
    for (ASN1ObjectIdentifier leftover : wanted) {
        if (requestedExtensions.getExtension(leftover) != null && constantExtensions.containsKey(leftover)) {
            types.add(leftover);
        }
    }
    return types;
}

/**
 * Decides whether one <em>wanted</em> extension type can be produced and is therefore
 * expected in the issued certificate. Returns {@code false} for types without a
 * dedicated rule; the caller then applies the constant-extension fallback.
 */
private boolean isWantedTypeAvailable(final ASN1ObjectIdentifier type, final Certificate cert,
        final X509IssuerInfo issuerInfo, final Extensions requestedExtensions) {
    // always producible: key identifiers, BasicConstraints, ocsp-nocheck
    if (Extension.authorityKeyIdentifier.equals(type)
            || Extension.subjectKeyIdentifier.equals(type)
            || Extension.basicConstraints.equals(type)
            || ObjectIdentifiers.id_extension_pkix_ocsp_nocheck.equals(type)) {
        return true;
    }
    // KeyUsage / ExtendedKeyUsage: requested explicitly, or the profile has required usages
    if (Extension.keyUsage.equals(type)) {
        return requestedExtensions.getExtension(type) != null
                || CollectionUtil.isNotEmpty(getKeyusage(true));
    }
    if (Extension.extendedKeyUsage.equals(type)) {
        return requestedExtensions.getExtension(type) != null
                || CollectionUtil.isNotEmpty(getExtKeyusage(true));
    }
    // request-driven extensions: present only if the request carries them
    if (Extension.subjectAlternativeName.equals(type) || Extension.subjectInfoAccess.equals(type)) {
        return requestedExtensions.getExtension(type) != null;
    }
    if (Extension.issuerAlternativeName.equals(type)) {
        // NOTE(review): this consults the SAN of the certificate under test, not of its issuer;
        // the issuing side builds IssuerAltName from the CA's own SAN, so confirm this is intended.
        // Also assumes the certificate has an extensions block (v3); a v1 cert would NPE here.
        return cert.getTBSCertificate().getExtensions().getExtension(Extension.subjectAlternativeName) != null;
    }
    // profile-configured extensions: expected when the profile defines them
    if (Extension.certificatePolicies.equals(type)) {
        return certificatePolicies != null;
    }
    if (Extension.policyMappings.equals(type)) {
        return policyMappings != null;
    }
    if (Extension.nameConstraints.equals(type)) {
        return nameConstraints != null;
    }
    if (Extension.policyConstraints.equals(type)) {
        return policyConstraints != null;
    }
    if (Extension.inhibitAnyPolicy.equals(type)) {
        return inhibitAnyPolicy != null;
    }
    if (ObjectIdentifiers.id_extension_admission.equals(type)) {
        return admission != null;
    }
    // issuer-configured extensions: expected when the issuer publishes the corresponding URLs
    if (Extension.cRLDistributionPoints.equals(type)) {
        return issuerInfo.getCrlURLs() != null;
    }
    if (Extension.freshestCRL.equals(type)) {
        return issuerInfo.getDeltaCrlURLs() != null;
    }
    if (Extension.authorityInfoAccess.equals(type)) {
        return issuerInfo.getOcspURLs() != null;
    }
    return false;
}
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
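/**
 * QA check for the KeyUsage extension of an issued certificate.
 *
 * <p>Expected usages = the profile's required usages, plus those <em>optional</em>
 * usages the request explicitly asked for (only when the profile lets the request
 * drive this extension). A requested usage that the profile does not declare optional
 * is never expected, so a request cannot introduce arbitrary KeyUsage bits. If that
 * still yields nothing, the profile's constant KeyUsage value (if any) is the
 * expectation. Both directions of mismatch are reported into {@code failureMsg}.
 *
 * <p>Fix: when the BIT STRING has more than 9 bits the method reports the syntax
 * error but previously kept indexing {@code allUsages} past the 9 defined KeyUsage
 * bits, which would abort the check with an exception instead of a finding. The
 * name-mapping loop is now bounded to the 9 defined bits.
 *
 * @param failureMsg        collects human-readable mismatches, each terminated by "; "
 * @param extensionValue    DER value of the issued certificate's KeyUsage (unused here;
 *                          the decoded {@code usages} array is what is checked)
 * @param usages            decoded KeyUsage bits of the issued certificate
 * @param requestExtensions extensions from the certificate request, may be {@code null}
 * @param extControl        profile control for this extension
 */
private void checkExtensionKeyUsage(final StringBuilder failureMsg, final byte[] extensionValue,
        final boolean[] usages, final Extensions requestExtensions, final ExtensionControl extControl) {
    int n = usages.length;
    if (n > 9) {
        failureMsg.append("invalid syntax: size of valid bits is larger than 9: " + n);
        failureMsg.append("; ");
    }

    // Only the 9 bits defined for KeyUsage have names; do not index past them.
    int mappableBits = Math.min(n, 9);
    Set<String> isUsages = new HashSet<>();
    for (int i = 0; i < mappableBits; i++) {
        if (usages[i]) {
            isUsages.add(allUsages.get(i));
        }
    }

    Set<String> expectedUsages = new HashSet<>();
    Set<KeyUsageControl> requiredKeyusage = getKeyusage(true);
    for (KeyUsageControl usage : requiredKeyusage) {
        expectedUsages.add(usage.getKeyUsage().getName());
    }

    // optional usages count only if the request asked for them and the profile allows request input
    Set<KeyUsageControl> optionalKeyusage = getKeyusage(false);
    if (extControl.isRequest() && requestExtensions != null && CollectionUtil.isNotEmpty(optionalKeyusage)) {
        Extension extension = requestExtensions.getExtension(Extension.keyUsage);
        if (extension != null) {
            org.bouncycastle.asn1.x509.KeyUsage reqKeyUsage =
                    org.bouncycastle.asn1.x509.KeyUsage.getInstance(extension.getParsedValue());
            for (KeyUsageControl k : optionalKeyusage) {
                if (reqKeyUsage.hasUsages(k.getKeyUsage().getBcUsage())) {
                    expectedUsages.add(k.getKeyUsage().getName());
                }
            }
        }
    }

    // fallback: a constant KeyUsage value configured in the profile
    if (CollectionUtil.isEmpty(expectedUsages)) {
        byte[] constantExtValue = getConstantExtensionValue(Extension.keyUsage);
        if (constantExtValue != null) {
            expectedUsages = getKeyUsage(constantExtValue);
        }
    }

    Set<String> diffs = str_in_b_not_in_a(expectedUsages, isUsages);
    if (CollectionUtil.isNotEmpty(diffs)) {
        failureMsg.append("usages " + diffs.toString() + " are present but not expected");
        failureMsg.append("; ");
    }

    diffs = str_in_b_not_in_a(isUsages, expectedUsages);
    if (CollectionUtil.isNotEmpty(diffs)) {
        failureMsg.append("usages " + diffs.toString() + " are absent but are required");
        failureMsg.append("; ");
    }
}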
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
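/**
 * QA check for the ExtendedKeyUsage extension of an issued certificate.
 *
 * <p>Expected purposes = the profile's required EKUs, plus those <em>optional</em>
 * EKUs the request explicitly asked for (only when the profile lets the request drive
 * this extension). A requested purpose that the profile does not declare optional is
 * never expected, so a request cannot introduce arbitrary key purposes. If that still
 * yields nothing, the profile's constant ExtendedKeyUsage value (if any) is the
 * expectation. Both directions of mismatch are reported into {@code failureMsg}.
 *
 * <p>Fix: the constant-extension fallback looked up {@code Extension.keyUsage}
 * (copied from the KeyUsage check) and then handed that KeyUsage BIT STRING to
 * {@code getExtKeyUsage}, which expects an ExtendedKeyUsage SEQUENCE. It now looks up
 * {@code Extension.extendedKeyUsage}.
 *
 * @param failureMsg        collects human-readable mismatches, each terminated by "; "
 * @param extensionValue    DER value of the issued certificate's ExtendedKeyUsage
 * @param requestExtensions extensions from the certificate request, may be {@code null}
 * @param extControl        profile control for this extension
 */
private void checkExtensionExtendedKeyUsage(final StringBuilder failureMsg, final byte[] extensionValue,
        final Extensions requestExtensions, final ExtensionControl extControl) {
    // purposes actually present in the issued certificate
    Set<String> isUsages = new HashSet<>();
    {
        org.bouncycastle.asn1.x509.ExtendedKeyUsage keyusage =
                org.bouncycastle.asn1.x509.ExtendedKeyUsage.getInstance(extensionValue);
        KeyPurposeId[] usages = keyusage.getUsages();
        if (usages != null) {
            for (KeyPurposeId usage : usages) {
                isUsages.add(usage.getId());
            }
        }
    }

    Set<String> expectedUsages = new HashSet<>();
    Set<ExtKeyUsageControl> requiredExtKeyusage = getExtKeyusage(true);
    if (requiredExtKeyusage != null) {
        for (ExtKeyUsageControl usage : requiredExtKeyusage) {
            expectedUsages.add(usage.getExtKeyUsage().getId());
        }
    }

    // optional purposes count only if the request asked for them and the profile allows request input
    Set<ExtKeyUsageControl> optionalExtKeyusage = getExtKeyusage(false);
    if (extControl.isRequest() && requestExtensions != null && CollectionUtil.isNotEmpty(optionalExtKeyusage)) {
        Extension extension = requestExtensions.getExtension(Extension.extendedKeyUsage);
        if (extension != null) {
            org.bouncycastle.asn1.x509.ExtendedKeyUsage reqKeyUsage =
                    org.bouncycastle.asn1.x509.ExtendedKeyUsage.getInstance(extension.getParsedValue());
            for (ExtKeyUsageControl k : optionalExtKeyusage) {
                if (reqKeyUsage.hasKeyPurposeId(KeyPurposeId.getInstance(k.getExtKeyUsage()))) {
                    expectedUsages.add(k.getExtKeyUsage().getId());
                }
            }
        }
    }

    // fallback: a constant ExtendedKeyUsage value configured in the profile
    // (was Extension.keyUsage — the wrong extension, whose value is a BIT STRING, not a SEQUENCE of OIDs)
    if (CollectionUtil.isEmpty(expectedUsages)) {
        byte[] constantExtValue = getConstantExtensionValue(Extension.extendedKeyUsage);
        if (constantExtValue != null) {
            expectedUsages = getExtKeyUsage(constantExtValue);
        }
    }

    Set<String> diffs = str_in_b_not_in_a(expectedUsages, isUsages);
    if (CollectionUtil.isNotEmpty(diffs)) {
        failureMsg.append("usages " + diffs.toString() + " are present but not expected");
        failureMsg.append("; ");
    }

    diffs = str_in_b_not_in_a(isUsages, expectedUsages);
    if (CollectionUtil.isNotEmpty(diffs)) {
        failureMsg.append("usages " + diffs.toString() + " are absent but are required");
        failureMsg.append("; ");
    }
}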
From source file:org.xipki.ca.server.impl.IdentifiedX509Certprofile.java
License:Open Source License
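/**
 * Builds the extension values for a certificate to be issued under this profile.
 *
 * <p>Trust boundary: {@code requestExtensions} comes from the requester. The only
 * request input that reaches the issued certificate is (a) the needed/wanted lists of
 * the xipki cmpRequestExtensions extension, (b) optional KeyUsage / ExtendedKeyUsage
 * bits the profile explicitly declares optional, (c) SAN / SubjectInfoAccess filtered
 * through the profile's modes, and (d) — in the generic loop at the end — the verbatim
 * value <em>and criticality</em> of any remaining extension whose control is
 * {@code isRequest()}. For (d) the profile's control map is the sole gate; no
 * validation of the parsed value happens here, so every {@code isRequest()} control
 * in a profile is a decision to trust requester-supplied DER for that OID.
 *
 * <p>Fix: the generic loop dereferenced {@code requestExtensions} for every
 * {@code isRequest()} control, while every earlier branch guards that with
 * {@code requestExtensions != null}. A required, request-sourced extension with no
 * request extensions therefore failed with a NullPointerException instead of falling
 * back to the profile-provided value; the loop now applies the same guard.
 *
 * @param requestedSubject the subject name from the request
 * @param requestExtensions extensions from the request, may be {@code null}
 * @param publicKeyInfo    the subject public key (SKI is derived from it)
 * @param publicCaInfo     issuer identity, key identifier, URLs
 * @param crlSignerCert    separate CRL signer, may be {@code null}
 * @return the extensions to place in the certificate
 * @throws CertprofileException     when the profile cannot produce a required extension
 * @throws BadCertTemplateException when the request needs an extension the profile does not allow
 */
public ExtensionValues getExtensions(final X500Name requestedSubject, final Extensions requestExtensions,
        final SubjectPublicKeyInfo publicKeyInfo, final PublicCAInfo publicCaInfo,
        final X509Certificate crlSignerCert) throws CertprofileException, BadCertTemplateException {
    ExtensionValues values = new ExtensionValues();
    // working copy: each handled extension is removed, what is left goes to the generic loop
    Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls());

    Set<ASN1ObjectIdentifier> neededExtensionTypes = new HashSet<>();
    Set<ASN1ObjectIdentifier> wantedExtensionTypes = new HashSet<>();
    if (requestExtensions != null) {
        Extension reqExtension = requestExtensions
                .getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions);
        if (reqExtension != null) {
            ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue());
            neededExtensionTypes.addAll(ee.getNeedExtensions());
            wantedExtensionTypes.addAll(ee.getWantExtensions());
        }
        // a needed extension must be known to the profile; "wanted" is subsumed by "needed"
        for (ASN1ObjectIdentifier oid : neededExtensionTypes) {
            if (wantedExtensionTypes.contains(oid)) {
                wantedExtensionTypes.remove(oid);
            }
            if (controls.containsKey(oid) == false) {
                throw new BadCertTemplateException("could not add needed extension " + oid.getId());
            }
        }
    }

    // SubjectKeyIdentifier
    ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier;
    ExtensionControl extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) {
        // SHA-1 over the public key bits is the conventional RFC 5280 key-identifier
        // derivation; the digest is an identifier here, not a security boundary.
        MessageDigest sha1;
        try {
            sha1 = MessageDigest.getInstance("SHA-1");
        } catch (NoSuchAlgorithmException e) {
            throw new CertprofileException(e.getMessage(), e);
        }
        byte[] skiValue = sha1.digest(publicKeyInfo.getPublicKeyData().getBytes());
        SubjectKeyIdentifier value = new SubjectKeyIdentifier(skiValue);
        addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes);
    }

    // Authority key identifier
    extType = Extension.authorityKeyIdentifier;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) {
        byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer();
        AuthorityKeyIdentifier value = null;
        if (ikiValue != null) {
            if (certprofile.includeIssuerAndSerialInAKI()) {
                GeneralNames x509CaSubject = new GeneralNames(new GeneralName(publicCaInfo.getX500Subject()));
                value = new AuthorityKeyIdentifier(ikiValue, x509CaSubject, publicCaInfo.getSerialNumber());
            } else {
                value = new AuthorityKeyIdentifier(ikiValue);
            }
        }
        // value stays null when the CA has no SKI; addExtension (not shown) decides what that means
        addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes);
    }

    // IssuerAltName: copied from the CA's own SubjectAltName
    extType = Extension.issuerAlternativeName;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) {
        GeneralNames value = publicCaInfo.getSubjectAltName();
        addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes);
    }

    // AuthorityInfoAccess: caIssuers / OCSP URLs, each switchable off by the profile's AIA control
    extType = Extension.authorityInfoAccess;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) {
        AuthorityInfoAccessControl aiaControl = certprofile.getAIAControl();
        List<String> caIssuers = null;
        if (aiaControl == null || aiaControl.includesCaIssuers()) {
            caIssuers = publicCaInfo.getCaCertUris();
        }
        List<String> ocspUris = null;
        if (aiaControl == null || aiaControl.includesOcsp()) {
            ocspUris = publicCaInfo.getOcspUris();
        }
        AuthorityInformationAccess value = X509CertUtil.createAuthorityInformationAccess(caIssuers, ocspUris);
        addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes);
    }

    if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) {
        // a distinct CRL signer (if any) is named in the distribution points
        X500Name crlSignerSubject = null;
        if (crlSignerCert != null) {
            crlSignerSubject = X500Name.getInstance(crlSignerCert.getSubjectX500Principal().getEncoded());
        }
        X500Name x500CaPrincipal = publicCaInfo.getX500Subject();

        // CRLDistributionPoints
        extType = Extension.cRLDistributionPoints;
        extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) {
            CRLDistPoint value;
            try {
                value = X509CertUtil.createCRLDistributionPoints(publicCaInfo.getCrlUris(), x500CaPrincipal,
                        crlSignerSubject);
            } catch (IOException e) {
                throw new CertprofileException(e.getMessage(), e);
            }
            addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes);
        }

        // FreshestCRL (delta CRL distribution points)
        extType = Extension.freshestCRL;
        extControl = controls.remove(extType);
        if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) {
            CRLDistPoint value;
            try {
                value = X509CertUtil.createCRLDistributionPoints(publicCaInfo.getDeltaCrlUris(),
                        x500CaPrincipal, crlSignerSubject);
            } catch (IOException e) {
                throw new CertprofileException(e.getMessage(), e);
            }
            addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes);
        }
    }

    // BasicConstraints: taken from the profile, never from the request
    extType = Extension.basicConstraints;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) {
        BasicConstraints value = X509CertUtil.createBasicConstraints(certprofile.isCA(),
                certprofile.getPathLenBasicConstraint());
        addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes);
    }

    // KeyUsage: required usages from the profile; optional ones only on explicit request
    extType = Extension.keyUsage;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) {
        Set<KeyUsage> usages = new HashSet<>();
        Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage();
        for (KeyUsageControl k : usageOccs) {
            if (k.isRequired()) {
                usages.add(k.getKeyUsage());
            }
        }
        // the optional KeyUsage will only be set if requested explicitly
        if (requestExtensions != null && extControl.isRequest()) {
            addRequestedKeyusage(usages, requestExtensions, usageOccs);
        }
        org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages);
        addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes);
    }

    // ExtendedKeyUsage: same scheme as KeyUsage
    extType = Extension.extendedKeyUsage;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) {
        Set<ASN1ObjectIdentifier> usages = new HashSet<>();
        Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages();
        for (ExtKeyUsageControl k : usageOccs) {
            if (k.isRequired()) {
                usages.add(k.getExtKeyUsage());
            }
        }
        // the optional ExtKeyUsage will only be set if requested explicitly
        if (requestExtensions != null && extControl.isRequest()) {
            addRequestedExtKeyusage(usages, requestExtensions, usageOccs);
        }
        // anyExtendedKeyUsage in a critical EKU is discouraged by RFC 5280; force non-critical
        if (extControl.isCritical() && usages.contains(ObjectIdentifiers.anyExtendedKeyUsage)) {
            extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest());
        }
        ExtendedKeyUsage value = X509Util.createExtendedUsage(usages);
        addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes);
    }

    // ocsp-nocheck
    extType = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) {
        // the extension ocsp-nocheck will only be set if requested explicitly
        DERNull value = DERNull.INSTANCE;
        addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes);
    }

    // SubjectAltName: requester-supplied names filtered by the profile's SAN modes
    extType = Extension.subjectAlternativeName;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) {
        GeneralNames value = null;
        if (requestExtensions != null && extControl.isRequest()) {
            value = createRequestedSubjectAltNames(requestExtensions, certprofile.getSubjectAltNameModes());
        }
        addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes);
    }

    // SubjectInfoAccess: requester-supplied, filtered by the profile's SIA modes
    extType = Extension.subjectInfoAccess;
    extControl = controls.remove(extType);
    if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) {
        ASN1Sequence value = null;
        if (requestExtensions != null && extControl.isRequest()) {
            value = createSubjectInfoAccess(requestExtensions, certprofile.getSubjectInfoAccessModes());
        }
        addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes);
    }

    // everything the profile handles itself, for the controls not consumed above
    ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls),
            requestedSubject, requestExtensions);

    // Generic loop: request value (verbatim, including criticality) wins over the profile value
    // for isRequest() controls. Nothing validates reqExt.getParsedValue() here.
    Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet());
    for (ASN1ObjectIdentifier type : extTypes) {
        extControl = controls.remove(type);
        boolean addMe = addMe(type, extControl, neededExtensionTypes, wantedExtensionTypes);
        if (addMe) {
            ExtensionValue value = null;
            // guard matches the earlier branches; previously NPE'd when requestExtensions was null
            if (extControl.isRequest() && requestExtensions != null) {
                Extension reqExt = requestExtensions.getExtension(type);
                if (reqExt != null) {
                    value = new ExtensionValue(reqExt.isCritical(), reqExt.getParsedValue());
                }
            }
            if (value == null) {
                value = subvalues.getExtensionValue(type);
            }
            addExtension(values, type, value, extControl, neededExtensionTypes, wantedExtensionTypes);
        }
    }

    // any required control still left in the map was never emitted
    Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>();
    for (ASN1ObjectIdentifier type : controls.keySet()) {
        if (controls.get(type).isRequired()) {
            unprocessedExtTypes.add(type);
        }
    }
    if (CollectionUtil.isNotEmpty(unprocessedExtTypes)) {
        throw new CertprofileException("could not add required extensions " + toString(unprocessedExtTypes));
    }
    // addExtension (not shown) is expected to drain neededExtensionTypes as it emits them
    if (CollectionUtil.isNotEmpty(neededExtensionTypes)) {
        throw new BadCertTemplateException(
                "could not add requested extensions " + toString(neededExtensionTypes));
    }
    return values;
}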
From source file:org.xipki.ca.server.impl.IdentifiedX509Certprofile.java
License:Open Source License
/**
 * Adds to {@code usages} those <em>optional</em> key usages of the profile that the
 * request explicitly asks for.
 *
 * <p>Required usages are skipped (the caller has already added them), and usages the
 * profile does not list at all are never considered — the request can only switch on
 * bits the profile declared optional.
 *
 * @param usages            accumulator of usages to set in the issued certificate
 * @param requestExtensions extensions from the request (must not be {@code null})
 * @param usageOccs         the profile's KeyUsage controls
 */
private static void addRequestedKeyusage(final Set<KeyUsage> usages, final Extensions requestExtensions,
        final Set<KeyUsageControl> usageOccs) {
    Extension kuExt = requestExtensions.getExtension(Extension.keyUsage);
    if (kuExt == null) {
        return;
    }
    org.bouncycastle.asn1.x509.KeyUsage requested =
            org.bouncycastle.asn1.x509.KeyUsage.getInstance(kuExt.getParsedValue());
    for (KeyUsageControl control : usageOccs) {
        boolean optional = !control.isRequired();
        if (optional && requested.hasUsages(control.getKeyUsage().getBcUsage())) {
            usages.add(control.getKeyUsage());
        }
    }
}
From source file:org.xipki.ca.server.impl.IdentifiedX509Certprofile.java
License:Open Source License
/**
 * Adds to {@code usages} those <em>optional</em> extended key usages of the profile
 * that the request explicitly asks for.
 *
 * <p>Required purposes are skipped (already added by the caller); purposes absent from
 * the profile are ignored, so the request cannot introduce arbitrary EKU OIDs.
 *
 * @param usages            accumulator of EKU OIDs to set in the issued certificate
 * @param requestExtensions extensions from the request (must not be {@code null})
 * @param usageOccs         the profile's ExtendedKeyUsage controls
 */
private static void addRequestedExtKeyusage(final Set<ASN1ObjectIdentifier> usages,
        final Extensions requestExtensions, final Set<ExtKeyUsageControl> usageOccs) {
    Extension ekuExt = requestExtensions.getExtension(Extension.extendedKeyUsage);
    if (ekuExt == null) {
        return;
    }
    ExtendedKeyUsage requested = ExtendedKeyUsage.getInstance(ekuExt.getParsedValue());
    for (ExtKeyUsageControl control : usageOccs) {
        boolean optional = !control.isRequired();
        if (optional && requested.hasKeyPurposeId(KeyPurposeId.getInstance(control.getExtKeyUsage()))) {
            usages.add(control.getExtKeyUsage());
        }
    }
}
From source file:org.xipki.common.util.X509Util.java
License:Open Source License
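/**
 * Extracts the raw SubjectKeyIdentifier bytes from a certificate.
 *
 * <p>Fix: {@code getTBSCertificate().getExtensions()} is {@code null} for certificates
 * without an extensions block (e.g. v1 certificates); the method now returns
 * {@code null} for those instead of throwing a NullPointerException. The decoding
 * failure is also rethrown with its cause attached.
 *
 * @param cert the certificate to inspect
 * @return the key identifier octets, or {@code null} when the certificate carries no
 *         extensions or no SubjectKeyIdentifier extension
 * @throws CertificateEncodingException when the extension is present but its value does
 *         not decode as an OCTET STRING
 */
public static byte[] extractSKI(final org.bouncycastle.asn1.x509.Certificate cert)
        throws CertificateEncodingException {
    org.bouncycastle.asn1.x509.Extensions extensions = cert.getTBSCertificate().getExtensions();
    if (extensions == null) {
        return null;
    }
    Extension skiExt = extensions.getExtension(Extension.subjectKeyIdentifier);
    if (skiExt == null) {
        return null;
    }
    try {
        // SubjectKeyIdentifier ::= KeyIdentifier (OCTET STRING); a malformed value
        // surfaces from BouncyCastle as IllegalArgumentException
        return ASN1OctetString.getInstance(skiExt.getParsedValue()).getOctets();
    } catch (IllegalArgumentException e) {
        throw new CertificateEncodingException("invalid extension SubjectKeyIdentifier: " + e.getMessage(), e);
    }
}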