List of usage examples for org.bouncycastle.asn1.x509 Extension subjectAlternativeName
ASN1ObjectIdentifier subjectAlternativeName
To view the source code for org.bouncycastle.asn1.x509 Extension subjectAlternativeName.
Click Source Link
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
public X509CertprofileQAImpl(final byte[] dataBytes) throws CertprofileException { try {// w w w . j a v a2s .com X509ProfileType conf = XmlX509CertprofileUtil.parse(new ByteArrayInputStream(dataBytes)); this.version = X509CertVersion.getInstance(conf.getVersion()); if (this.version == null) { throw new CertprofileException("invalid version " + conf.getVersion()); } if (conf.getSignatureAlgorithms() != null) { this.signatureAlgorithms = new HashSet<>(); for (String algo : conf.getSignatureAlgorithms().getAlgorithm()) { String c14nAlgo; try { c14nAlgo = AlgorithmUtil.canonicalizeSignatureAlgo(algo); } catch (NoSuchAlgorithmException e) { throw new CertprofileException(e.getMessage(), e); } this.signatureAlgorithms.add(c14nAlgo); } } this.validity = CertValidity.getInstance(conf.getValidity()); this.ca = conf.isCa(); this.notBeforeMidnight = "midnight".equalsIgnoreCase(conf.getNotBeforeTime()); this.specialBehavior = conf.getSpecialBehavior(); if (this.specialBehavior != null && "gematik_gSMC_K".equalsIgnoreCase(this.specialBehavior) == false) { throw new CertprofileException("unknown special bahavior " + this.specialBehavior); } // KeyAlgorithms if (conf.getKeyAlgorithms() != null) { this.keyAlgorithms = XmlX509CertprofileUtil.buildKeyAlgorithms(conf.getKeyAlgorithms()); } // Subject if (conf.getSubject() != null) { Subject subject = conf.getSubject(); this.subjectDNControls = new HashSet<RDNControl>(); this.subjectDNOptions = new HashMap<>(); for (RdnType t : subject.getRdn()) { DirectoryStringType directoryStringEnum = XmlX509CertprofileUtil .convertDirectoryStringType(t.getDirectoryStringType()); ASN1ObjectIdentifier type = new ASN1ObjectIdentifier(t.getType().getValue()); RDNControl occ = new RDNControl(type, getInt(t.getMinOccurs(), 1), getInt(t.getMaxOccurs(), 1), directoryStringEnum); this.subjectDNControls.add(occ); List<Pattern> patterns = null; if (CollectionUtil.isNotEmpty(t.getRegex())) { patterns = new LinkedList<>(); for (String regex : t.getRegex()) { Pattern pattern = Pattern.compile(regex); patterns.add(pattern); } } SubjectDNOption option = new SubjectDNOption(t.getPrefix(), t.getSuffix(), patterns, t.getMinLen(), t.getMaxLen()); this.subjectDNOptions.put(type, option); } } // Extensions ExtensionsType extensionsType = conf.getExtensions(); // Extension controls this.extensionControls = XmlX509CertprofileUtil.buildExtensionControls(extensionsType); // BasicConstrains ASN1ObjectIdentifier type = Extension.basicConstraints; if (extensionControls.containsKey(type)) { org.xipki.ca.certprofile.x509.jaxb.BasicConstraints extConf = (org.xipki.ca.certprofile.x509.jaxb.BasicConstraints) getExtensionValue( type, extensionsType); if (extConf != null) { this.pathLen = extConf.getPathLen(); } } // Extension KeyUsage type = Extension.keyUsage; if (extensionControls.containsKey(type)) { org.xipki.ca.certprofile.x509.jaxb.KeyUsage extConf = (org.xipki.ca.certprofile.x509.jaxb.KeyUsage) getExtensionValue( type, extensionsType); if (extConf != null) { this.keyusages = XmlX509CertprofileUtil.buildKeyUsageOptions(extConf); } } // ExtendedKeyUsage type = Extension.extendedKeyUsage; if (extensionControls.containsKey(type)) { ExtendedKeyUsage extConf = (ExtendedKeyUsage) getExtensionValue(type, extensionsType); if (extConf != null) { this.extendedKeyusages = XmlX509CertprofileUtil.buildExtKeyUsageOptions(extConf); } } // AuthorityKeyIdentifier type = Extension.authorityKeyIdentifier; if (extensionControls.containsKey(type)) { org.xipki.ca.certprofile.x509.jaxb.AuthorityKeyIdentifier extConf = (org.xipki.ca.certprofile.x509.jaxb.AuthorityKeyIdentifier) getExtensionValue( type, extensionsType); if (extConf != null) { this.includeIssuerAndSerialInAKI = extConf.isIncludeIssuerAndSerial(); } } // Certificate Policies type = Extension.certificatePolicies; if (extensionControls.containsKey(type)) { org.xipki.ca.certprofile.x509.jaxb.CertificatePolicies extConf = (org.xipki.ca.certprofile.x509.jaxb.CertificatePolicies) getExtensionValue( type, extensionsType); if (extConf != null) { this.certificatePolicies = new QaCertificatePolicies(extConf); } } // Policy Mappings type = Extension.policyMappings; if (extensionControls.containsKey(type)) { PolicyMappings extConf = (PolicyMappings) getExtensionValue(type, extensionsType); if (extConf != null) { this.policyMappings = new QaPolicyMappingsOption(extConf); } } // Name Constrains // Name Constrains type = Extension.nameConstraints; if (extensionControls.containsKey(type)) { org.xipki.ca.certprofile.x509.jaxb.NameConstraints extConf = (org.xipki.ca.certprofile.x509.jaxb.NameConstraints) getExtensionValue( type, extensionsType); if (extConf != null) { this.nameConstraints = new QaNameConstraints(extConf); } } // Policy Constraints type = Extension.policyConstraints; if (extensionControls.containsKey(type)) { PolicyConstraints extConf = (PolicyConstraints) getExtensionValue(type, extensionsType); if (extConf != null) { this.policyConstraints = new QaPolicyConstraints(extConf); } } // Inhibit anyPolicy type = Extension.inhibitAnyPolicy; if (extensionControls.containsKey(type)) { InhibitAnyPolicy extConf = (InhibitAnyPolicy) getExtensionValue(type, extensionsType); if (extConf != null) { this.inhibitAnyPolicy = new QaInhibitAnyPolicy(extConf); } } // admission type = ObjectIdentifiers.id_extension_admission; if (extensionControls.containsKey(type)) { Admission extConf = (Admission) getExtensionValue(type, extensionsType); if (extConf != null) { this.admission = new QaAdmission(extConf); } } // SubjectAltNameMode type = Extension.subjectAlternativeName; if (extensionControls.containsKey(type)) { SubjectAltName extConf = (SubjectAltName) getExtensionValue(type, extensionsType); if (extConf != null) { this.allowedSubjectAltNameModes = XmlX509CertprofileUtil.buildGeneralNameMode(extConf); } } // SubjectInfoAccess type = Extension.subjectInfoAccess; if (extensionControls.containsKey(type)) { SubjectInfoAccess extConf = (SubjectInfoAccess) getExtensionValue(type, extensionsType); if (extConf != null) { List<Access> list = extConf.getAccess(); this.allowedSubjectInfoAccessModes = new HashMap<>(); for (Access entry : list) { this.allowedSubjectInfoAccessModes.put( new ASN1ObjectIdentifier(entry.getAccessMethod().getValue()), XmlX509CertprofileUtil.buildGeneralNameMode(entry.getAccessLocation())); } } } // constant extensions this.constantExtensions = buildConstantExtesions(extensionsType); } catch (RuntimeException e) { final String message = "RuntimeException"; if (LOG.isErrorEnabled()) { LOG.error(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(), e.getMessage()); } LOG.debug(message, e); throw new CertprofileException( "RuntimeException thrown while initializing certprofile: " + e.getMessage()); } }
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
private List<ValidationIssue> checkExtensions(final Certificate bcCert, final X509Certificate cert, final X509IssuerInfo issuerInfo, final Extensions requestExtensions) { List<ValidationIssue> result = new LinkedList<>(); // detect the list of extension types in certificate Set<ASN1ObjectIdentifier> presentExtenionTypes = getExensionTypes(bcCert, issuerInfo, requestExtensions); Extensions extensions = bcCert.getTBSCertificate().getExtensions(); ASN1ObjectIdentifier[] oids = extensions.getExtensionOIDs(); if (oids == null) { ValidationIssue issue = new ValidationIssue("X509.EXT.GEN", "extension general"); result.add(issue);// w w w . j a va2 s . co m issue.setFailureMessage("no extension is present"); return result; } List<ASN1ObjectIdentifier> certExtTypes = Arrays.asList(oids); for (ASN1ObjectIdentifier extType : presentExtenionTypes) { if (certExtTypes.contains(extType) == false) { ValidationIssue issue = createExtensionIssue(extType); result.add(issue); issue.setFailureMessage("extension is absent but is required"); } } for (ASN1ObjectIdentifier oid : certExtTypes) { ValidationIssue issue = createExtensionIssue(oid); result.add(issue); if (presentExtenionTypes.contains(oid) == false) { issue.setFailureMessage("extension is present but is not permitted"); continue; } Extension ext = extensions.getExtension(oid); StringBuilder failureMsg = new StringBuilder(); ExtensionControl extControl = extensionControls.get(oid); if (extControl.isCritical() != ext.isCritical()) { failureMsg.append( "critical is '" + ext.isCritical() + "' but expected '" + extControl.isCritical() + "'"); failureMsg.append("; "); } byte[] extensionValue = ext.getExtnValue().getOctets(); try { if (Extension.authorityKeyIdentifier.equals(oid)) { // AuthorityKeyIdentifier checkExtensionIssuerKeyIdentifier(failureMsg, extensionValue, issuerInfo); } else if (Extension.subjectKeyIdentifier.equals(oid)) { // SubjectKeyIdentifier checkExtensionSubjectKeyIdentifier(failureMsg, extensionValue, bcCert.getSubjectPublicKeyInfo()); } else if (Extension.keyUsage.equals(oid)) { // KeyUsage checkExtensionKeyUsage(failureMsg, extensionValue, cert.getKeyUsage(), requestExtensions, extControl); } else if (Extension.certificatePolicies.equals(oid)) { // CertificatePolicies checkExtensionCertificatePolicies(failureMsg, extensionValue, requestExtensions, extControl); } else if (Extension.policyMappings.equals(oid)) { // Policy Mappings checkExtensionPolicyMappings(failureMsg, extensionValue, requestExtensions, extControl); } else if (Extension.subjectAlternativeName.equals(oid)) { // SubjectAltName checkExtensionSubjectAltName(failureMsg, extensionValue, requestExtensions, extControl); } else if (Extension.issuerAlternativeName.equals(oid)) { // IssuerAltName checkExtensionIssuerAltNames(failureMsg, extensionValue, issuerInfo); } else if (Extension.basicConstraints.equals(oid)) { // Basic Constraints checkExtensionBasicConstraints(failureMsg, extensionValue); } else if (Extension.nameConstraints.equals(oid)) { // Name Constraints checkExtensionNameConstraints(failureMsg, extensionValue, extensions, extControl); } else if (Extension.policyConstraints.equals(oid)) { // PolicyConstrains checkExtensionPolicyConstraints(failureMsg, extensionValue, requestExtensions, extControl); } else if (Extension.extendedKeyUsage.equals(oid)) { // ExtendedKeyUsage checkExtensionExtendedKeyUsage(failureMsg, extensionValue, requestExtensions, extControl); } else if (Extension.cRLDistributionPoints.equals(oid)) { // CRL Distribution Points checkExtensionCrlDistributionPoints(failureMsg, extensionValue, issuerInfo); continue; } else if (Extension.inhibitAnyPolicy.equals(oid)) { // Inhibit anyPolicy checkExtensionInhibitAnyPolicy(failureMsg, extensionValue, extensions, extControl); } else if (Extension.freshestCRL.equals(oid)) { // Freshest CRL checkExtensionDeltaCrlDistributionPoints(failureMsg, extensionValue, issuerInfo); } else if (Extension.authorityInfoAccess.equals(oid)) { // Authority Information Access checkExtensionAuthorityInfoAccess(failureMsg, extensionValue, issuerInfo); } else if (Extension.subjectInfoAccess.equals(oid)) { // SubjectInfoAccess checkExtensionSubjectInfoAccess(failureMsg, extensionValue, requestExtensions, extControl); } else if (ObjectIdentifiers.id_extension_admission.equals(oid)) { // Admission checkExtensionAdmission(failureMsg, extensionValue, requestExtensions, extControl); } else if (ObjectIdentifiers.id_extension_pkix_ocsp_nocheck.equals(oid)) { // ocsp-nocheck checkExtensionOcspNocheck(failureMsg, extensionValue); } else { byte[] expected = getExpectedExtValue(oid, requestExtensions, extControl); if (Arrays.equals(expected, extensionValue) == false) { failureMsg.append("extension valus is '" + hex(extensionValue) + "' but expected '" + (expected == null ? "not present" : hex(expected)) + "'"); failureMsg.append("; "); } } if (failureMsg.length() > 0) { issue.setFailureMessage(failureMsg.toString()); } } catch (IllegalArgumentException | ClassCastException | ArrayIndexOutOfBoundsException e) { LOG.debug("extension value does not have correct syntax", e); issue.setFailureMessage("extension value does not have correct syntax"); } } return result; }
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
private Set<ASN1ObjectIdentifier> getExensionTypes(final Certificate cert, final X509IssuerInfo issuerInfo, final Extensions requestedExtensions) { Set<ASN1ObjectIdentifier> types = new HashSet<>(); // profile required extension types for (ASN1ObjectIdentifier oid : extensionControls.keySet()) { if (extensionControls.get(oid).isRequired()) { types.add(oid);// w ww .ja v a 2 s .co m } } Set<ASN1ObjectIdentifier> wantedExtensionTypes = new HashSet<>(); if (requestedExtensions != null) { Extension reqExtension = requestedExtensions .getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions); if (reqExtension != null) { ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue()); types.addAll(ee.getNeedExtensions()); wantedExtensionTypes.addAll(ee.getWantExtensions()); } } if (CollectionUtil.isEmpty(wantedExtensionTypes)) { return types; } // wanted extension types // Authority key identifier ASN1ObjectIdentifier type = Extension.authorityKeyIdentifier; if (wantedExtensionTypes.contains(type)) { types.add(type); } // Subject key identifier type = Extension.subjectKeyIdentifier; if (wantedExtensionTypes.contains(type)) { types.add(type); } // KeyUsage type = Extension.keyUsage; if (wantedExtensionTypes.contains(type)) { boolean required = false; if (requestedExtensions.getExtension(type) != null) { required = true; } if (required == false) { Set<KeyUsageControl> requiredKeyusage = getKeyusage(true); if (CollectionUtil.isNotEmpty(requiredKeyusage)) { required = true; } } if (required) { types.add(type); } } // CertificatePolicies type = Extension.certificatePolicies; if (wantedExtensionTypes.contains(type)) { if (certificatePolicies != null) { types.add(type); } } // Policy Mappings type = Extension.policyMappings; if (wantedExtensionTypes.contains(type)) { if (policyMappings != null) { types.add(type); } } // SubjectAltNames type = Extension.subjectAlternativeName; if (wantedExtensionTypes.contains(type)) { if (requestedExtensions.getExtension(type) != null) { types.add(type); } } // IssuerAltName type = Extension.issuerAlternativeName; if (wantedExtensionTypes.contains(type)) { if (cert.getTBSCertificate().getExtensions().getExtension(Extension.subjectAlternativeName) != null) { types.add(type); } } // BasicConstraints type = Extension.basicConstraints; if (wantedExtensionTypes.contains(type)) { types.add(type); } // Name Constraints type = Extension.nameConstraints; if (wantedExtensionTypes.contains(type)) { if (nameConstraints != null) { types.add(type); } } // PolicyConstrains type = Extension.policyConstraints; if (wantedExtensionTypes.contains(type)) { if (policyConstraints != null) { types.add(type); } } // ExtendedKeyUsage type = Extension.extendedKeyUsage; if (wantedExtensionTypes.contains(type)) { boolean required = false; if (requestedExtensions.getExtension(type) != null) { required = true; } if (required == false) { Set<ExtKeyUsageControl> requiredExtKeyusage = getExtKeyusage(true); if (CollectionUtil.isNotEmpty(requiredExtKeyusage)) { required = true; } } if (required) { types.add(type); } } // CRLDistributionPoints type = Extension.cRLDistributionPoints; if (wantedExtensionTypes.contains(type)) { if (issuerInfo.getCrlURLs() != null) { types.add(type); } } // Inhibit anyPolicy type = Extension.inhibitAnyPolicy; if (wantedExtensionTypes.contains(type)) { if (inhibitAnyPolicy != null) { types.add(type); } } // FreshestCRL type = Extension.freshestCRL; if (wantedExtensionTypes.contains(type)) { if (issuerInfo.getDeltaCrlURLs() != null) { types.add(type); } } // AuthorityInfoAccess type = Extension.authorityInfoAccess; if (wantedExtensionTypes.contains(type)) { if (issuerInfo.getOcspURLs() != null) { types.add(type); } } // SubjectInfoAccess type = Extension.subjectInfoAccess; if (wantedExtensionTypes.contains(type)) { if (requestedExtensions.getExtension(type) != null) { types.add(type); } } // Admission type = ObjectIdentifiers.id_extension_admission; if (wantedExtensionTypes.contains(type)) { if (admission != null) { types.add(type); } } // ocsp-nocheck type = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck; if (wantedExtensionTypes.contains(type)) { types.add(type); } wantedExtensionTypes.removeAll(types); for (ASN1ObjectIdentifier oid : wantedExtensionTypes) { if (requestedExtensions.getExtension(oid) != null) { if (constantExtensions.containsKey(oid)) { types.add(oid); } } } return types; }
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
private void checkExtensionSubjectAltName(final StringBuilder failureMsg, final byte[] extensionValue, final Extensions requestExtensions, final ExtensionControl extControl) { if (allowedSubjectAltNameModes == null) { byte[] expected = getExpectedExtValue(Extension.subjectAlternativeName, requestExtensions, extControl); if (Arrays.equals(expected, extensionValue) == false) { failureMsg.append("extension valus is '").append(hex(extensionValue)); failureMsg.append("' but expected '").append(expected == null ? "not present" : hex(expected)) .append("'"); failureMsg.append("; "); }//from ww w .jav a 2 s. co m return; } ASN1Encodable extInRequest = null; if (requestExtensions != null) { extInRequest = requestExtensions.getExtensionParsedValue(Extension.subjectAlternativeName); } if (extInRequest == null) { failureMsg.append("extension is present but not expected"); failureMsg.append("; "); return; } GeneralName[] requested = GeneralNames.getInstance(extInRequest).getNames(); GeneralName[] is = GeneralNames.getInstance(extensionValue).getNames(); GeneralName[] expected = new GeneralName[requested.length]; for (int i = 0; i < is.length; i++) { try { expected[i] = createGeneralName(is[i], allowedSubjectAltNameModes); } catch (BadCertTemplateException e) { failureMsg.append("error while processing ").append(i + 1).append("-th name: ") .append(e.getMessage()); failureMsg.append("; "); return; } } if (is.length != expected.length) { failureMsg.append("size of GeneralNames is '").append(is.length); failureMsg.append("' but expected '").append(expected.length).append("'"); failureMsg.append("; "); return; } for (int i = 0; i < is.length; i++) { if (is[i].equals(expected[i]) == false) { failureMsg.append(i + 1).append("-th name does not match the requested one"); failureMsg.append("; "); } } }
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
private void checkExtensionSubjectInfoAccess(final StringBuilder failureMsg, final byte[] extensionValue, final Extensions requestExtensions, final ExtensionControl extControl) { if (allowedSubjectInfoAccessModes == null) { byte[] expected = getExpectedExtValue(Extension.subjectAlternativeName, requestExtensions, extControl); if (Arrays.equals(expected, extensionValue) == false) { failureMsg.append("extension valus is '").append(hex(extensionValue)); failureMsg.append("' but expected '").append(expected == null ? "not present" : hex(expected)) .append("'"); failureMsg.append("; "); }/* ww w. j ava 2s. c om*/ return; } ASN1Encodable requestExtValue = null; if (requestExtensions != null) { requestExtValue = requestExtensions.getExtensionParsedValue(Extension.subjectInfoAccess); } if (requestExtValue == null) { failureMsg.append("extension is present but not expected"); failureMsg.append("; "); return; } ASN1Sequence requestSeq = ASN1Sequence.getInstance(requestExtValue); ASN1Sequence certSeq = ASN1Sequence.getInstance(extensionValue); int n = requestSeq.size(); if (certSeq.size() != n) { failureMsg.append("size of GeneralNames is '").append(certSeq.size()); failureMsg.append("' but expected '").append(n).append("'"); failureMsg.append("; "); return; } for (int i = 0; i < n; i++) { AccessDescription ad = AccessDescription.getInstance(requestSeq.getObjectAt(i)); ASN1ObjectIdentifier accessMethod = ad.getAccessMethod(); Set<GeneralNameMode> generalNameModes; if (accessMethod == null) { generalNameModes = allowedSubjectInfoAccessModes.get(X509Certprofile.OID_ZERO); } else { generalNameModes = allowedSubjectInfoAccessModes.get(accessMethod); } if (generalNameModes == null) { failureMsg.append("accessMethod in requestExtension "); failureMsg.append(accessMethod == null ? "NULL" : accessMethod.getId()); failureMsg.append(" is not allowed"); failureMsg.append("; "); continue; } AccessDescription certAccessDesc = AccessDescription.getInstance(certSeq.getObjectAt(i)); ASN1ObjectIdentifier certAccessMethod = certAccessDesc.getAccessMethod(); boolean b; if (accessMethod == null) { b = certAccessDesc == null; } else { b = accessMethod.equals(certAccessMethod); } if (b == false) { failureMsg.append("accessMethod is '") .append(certAccessMethod == null ? "null" : certAccessMethod.getId()); failureMsg.append("' but expected '").append(accessMethod == null ? "null" : accessMethod.getId()); failureMsg.append("; "); continue; } GeneralName accessLocation; try { accessLocation = createGeneralName(ad.getAccessLocation(), generalNameModes); } catch (BadCertTemplateException e) { failureMsg.append("invalid requestExtension: " + e.getMessage()); failureMsg.append("; "); continue; } GeneralName certAccessLocation = certAccessDesc.getAccessLocation(); if (certAccessLocation.equals(accessLocation) == false) { failureMsg.append("accessLocation does not match the requested one"); failureMsg.append("; "); } } }
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
private void checkExtensionIssuerAltNames(final StringBuilder failureMsg, final byte[] extensionValue, final X509IssuerInfo issuerInfo) { Extension caSubjectAltExtension = issuerInfo.getBcCert().getTBSCertificate().getExtensions() .getExtension(Extension.subjectAlternativeName); if (caSubjectAltExtension == null) { failureMsg.append("issuerAlternativeName is present but expected 'none'"); failureMsg.append("; "); return;/*from w w w . j a v a 2 s . c o m*/ } byte[] caSubjectAltExtensionValue = caSubjectAltExtension.getExtnValue().getOctets(); if (Arrays.equals(caSubjectAltExtensionValue, extensionValue) == false) { failureMsg.append( "is '" + hex(extensionValue) + "' but expected '" + hex(caSubjectAltExtensionValue) + "'"); failureMsg.append("; "); } }
From source file:org.xipki.ca.server.impl.IdentifiedX509Certprofile.java
License:Open Source License
public ExtensionValues getExtensions(final X500Name requestedSubject, final Extensions requestExtensions, final SubjectPublicKeyInfo publicKeyInfo, final PublicCAInfo publicCaInfo, final X509Certificate crlSignerCert) throws CertprofileException, BadCertTemplateException { ExtensionValues values = new ExtensionValues(); Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls()); Set<ASN1ObjectIdentifier> neededExtensionTypes = new HashSet<>(); Set<ASN1ObjectIdentifier> wantedExtensionTypes = new HashSet<>(); if (requestExtensions != null) { Extension reqExtension = requestExtensions .getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions); if (reqExtension != null) { ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue()); neededExtensionTypes.addAll(ee.getNeedExtensions()); wantedExtensionTypes.addAll(ee.getWantExtensions()); }// w w w. jav a 2 s . c o m for (ASN1ObjectIdentifier oid : neededExtensionTypes) { if (wantedExtensionTypes.contains(oid)) { wantedExtensionTypes.remove(oid); } if (controls.containsKey(oid) == false) { throw new BadCertTemplateException("could not add needed extension " + oid.getId()); } } } // SubjectKeyIdentifier ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier; ExtensionControl extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { MessageDigest sha1; try { sha1 = MessageDigest.getInstance("SHA-1"); } catch (NoSuchAlgorithmException e) { throw new CertprofileException(e.getMessage(), e); } byte[] skiValue = sha1.digest(publicKeyInfo.getPublicKeyData().getBytes()); SubjectKeyIdentifier value = new SubjectKeyIdentifier(skiValue); addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // Authority key identifier extType = Extension.authorityKeyIdentifier; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer(); AuthorityKeyIdentifier value = null; if (ikiValue != null) { if (certprofile.includeIssuerAndSerialInAKI()) { GeneralNames x509CaSubject = new GeneralNames(new GeneralName(publicCaInfo.getX500Subject())); value = new AuthorityKeyIdentifier(ikiValue, x509CaSubject, publicCaInfo.getSerialNumber()); } else { value = new AuthorityKeyIdentifier(ikiValue); } } addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // IssuerAltName extType = Extension.issuerAlternativeName; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { GeneralNames value = publicCaInfo.getSubjectAltName(); addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // AuthorityInfoAccess extType = Extension.authorityInfoAccess; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { AuthorityInfoAccessControl aiaControl = certprofile.getAIAControl(); List<String> caIssuers = null; if (aiaControl == null || aiaControl.includesCaIssuers()) { caIssuers = publicCaInfo.getCaCertUris(); } List<String> ocspUris = null; if (aiaControl == null || aiaControl.includesOcsp()) { ocspUris = publicCaInfo.getOcspUris(); } AuthorityInformationAccess value = X509CertUtil.createAuthorityInformationAccess(caIssuers, ocspUris); addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) { X500Name crlSignerSubject = null; if (crlSignerCert != null) { crlSignerSubject = X500Name.getInstance(crlSignerCert.getSubjectX500Principal().getEncoded()); } X500Name x500CaPrincipal = publicCaInfo.getX500Subject(); // CRLDistributionPoints extType = Extension.cRLDistributionPoints; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { CRLDistPoint value; try { value = X509CertUtil.createCRLDistributionPoints(publicCaInfo.getCrlUris(), x500CaPrincipal, crlSignerSubject); } catch (IOException e) { throw new CertprofileException(e.getMessage(), e); } addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // FreshestCRL extType = Extension.freshestCRL; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { CRLDistPoint value; try { value = X509CertUtil.createCRLDistributionPoints(publicCaInfo.getDeltaCrlUris(), x500CaPrincipal, crlSignerSubject); } catch (IOException e) { throw new CertprofileException(e.getMessage(), e); } addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } } // BasicConstraints extType = Extension.basicConstraints; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { BasicConstraints value = X509CertUtil.createBasicConstraints(certprofile.isCA(), certprofile.getPathLenBasicConstraint()); addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // KeyUsage extType = Extension.keyUsage; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { Set<KeyUsage> usages = new HashSet<>(); Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage(); for (KeyUsageControl k : usageOccs) { if (k.isRequired()) { usages.add(k.getKeyUsage()); } } // the optional KeyUsage will only be set if requested explicitly if (requestExtensions != null && extControl.isRequest()) { addRequestedKeyusage(usages, requestExtensions, usageOccs); } org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages); addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // ExtendedKeyUsage extType = Extension.extendedKeyUsage; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { Set<ASN1ObjectIdentifier> usages = new HashSet<>(); Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages(); for (ExtKeyUsageControl k : usageOccs) { if (k.isRequired()) { usages.add(k.getExtKeyUsage()); } } // the optional ExtKeyUsage will only be set if requested explicitly if (requestExtensions != null && extControl.isRequest()) { addRequestedExtKeyusage(usages, requestExtensions, usageOccs); } if (extControl.isCritical() && usages.contains(ObjectIdentifiers.anyExtendedKeyUsage)) { extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest()); } ExtendedKeyUsage value = X509Util.createExtendedUsage(usages); addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // ocsp-nocheck extType = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { // the extension ocsp-nocheck will only be set if requested explicitly DERNull value = DERNull.INSTANCE; addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // SubjectAltName extType = Extension.subjectAlternativeName; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { GeneralNames value = null; if (requestExtensions != null && extControl.isRequest()) { value = createRequestedSubjectAltNames(requestExtensions, certprofile.getSubjectAltNameModes()); } addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // SubjectInfoAccess extType = Extension.subjectInfoAccess; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { ASN1Sequence value = null; if (requestExtensions != null && extControl.isRequest()) { value = createSubjectInfoAccess(requestExtensions, certprofile.getSubjectInfoAccessModes()); } addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, requestExtensions); Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet()); for (ASN1ObjectIdentifier type : extTypes) { extControl = controls.remove(type); boolean addMe = addMe(type, extControl, neededExtensionTypes, wantedExtensionTypes); if (addMe) { ExtensionValue value = null; if (extControl.isRequest()) { Extension reqExt = requestExtensions.getExtension(type); if (reqExt != null) { value = new ExtensionValue(reqExt.isCritical(), reqExt.getParsedValue()); } } if (value == null) { value = subvalues.getExtensionValue(type); } addExtension(values, type, value, extControl, neededExtensionTypes, wantedExtensionTypes); } } Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>(); for (ASN1ObjectIdentifier type : controls.keySet()) { if (controls.get(type).isRequired()) { unprocessedExtTypes.add(type); } } if (CollectionUtil.isNotEmpty(unprocessedExtTypes)) { throw new CertprofileException("could not add required extensions " + toString(unprocessedExtTypes)); } if (CollectionUtil.isNotEmpty(neededExtensionTypes)) { throw new BadCertTemplateException( "could not add requested extensions " + toString(neededExtensionTypes)); } return values; }
From source file:org.xipki.ca.server.impl.IdentifiedX509Certprofile.java
License:Open Source License
private static GeneralNames createRequestedSubjectAltNames(final Extensions requestExtensions, final Set<GeneralNameMode> modes) throws BadCertTemplateException { ASN1Encodable extValue = requestExtensions.getExtensionParsedValue(Extension.subjectAlternativeName); if (extValue == null) { return null; }//w ww . jav a2 s.c o m GeneralNames reqNames = GeneralNames.getInstance(extValue); if (modes == null) { return reqNames; } GeneralName[] reqL = reqNames.getNames(); GeneralName[] l = new GeneralName[reqL.length]; for (int i = 0; i < reqL.length; i++) { l[i] = createGeneralName(reqL[i], modes); } return new GeneralNames(l); }
From source file:org.xipki.ca.server.impl.PublicCAInfo.java
License:Open Source License
public PublicCAInfo(final X509Certificate caCertificate, final List<String> caCertUris, final List<String> ocspUris, final List<String> crlUris, final List<String> deltaCrlUris) throws OperationException { ParamChecker.assertNotNull("caCertificate", caCertificate); this.caCertificate = new X509CertWithDBCertId(caCertificate); this.serialNumber = caCertificate.getSerialNumber(); this.subject = caCertificate.getSubjectX500Principal(); this.x500Subject = X500Name.getInstance(subject.getEncoded()); try {/* ww w . j ava 2 s. com*/ this.subjectKeyIdentifier = X509Util.extractSKI(caCertificate); } catch (CertificateEncodingException e) { throw new OperationException(ErrorCode.INVALID_EXTENSION, e.getMessage()); } this.caCertUris = CollectionUtil.unmodifiableList(caCertUris, true, true); this.ocspUris = CollectionUtil.unmodifiableList(ocspUris, true, true); this.crlUris = CollectionUtil.unmodifiableList(crlUris, true, true); this.deltaCrlUris = CollectionUtil.unmodifiableList(deltaCrlUris, true, true); byte[] encodedSubjectAltName = caCertificate.getExtensionValue(Extension.subjectAlternativeName.getId()); if (encodedSubjectAltName == null) { subjectAltName = null; } else { try { subjectAltName = GeneralNames .getInstance(X509ExtensionUtil.fromExtensionValue(encodedSubjectAltName)); } catch (IOException e) { throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid SubjectAltName extension in CA certificate"); } } }
From source file:org.xipki.commons.console.karaf.completer.ExtensionNameCompleter.java
License:Open Source License
public ExtensionNameCompleter() { List<ASN1ObjectIdentifier> oids = new LinkedList<>(); oids.add(ObjectIdentifiers.id_extension_pkix_ocsp_nocheck); oids.add(ObjectIdentifiers.id_extension_admission); oids.add(Extension.auditIdentity); oids.add(Extension.authorityInfoAccess); oids.add(Extension.authorityKeyIdentifier); oids.add(Extension.basicConstraints); oids.add(Extension.biometricInfo); oids.add(Extension.certificateIssuer); oids.add(Extension.certificatePolicies); oids.add(Extension.cRLDistributionPoints); oids.add(Extension.cRLNumber); oids.add(Extension.deltaCRLIndicator); oids.add(Extension.extendedKeyUsage); oids.add(Extension.freshestCRL); oids.add(Extension.inhibitAnyPolicy); oids.add(Extension.instructionCode); oids.add(Extension.invalidityDate); oids.add(Extension.issuerAlternativeName); oids.add(Extension.issuingDistributionPoint); oids.add(Extension.keyUsage); oids.add(Extension.logoType); oids.add(Extension.nameConstraints); oids.add(Extension.noRevAvail); oids.add(Extension.policyConstraints); oids.add(Extension.policyMappings); oids.add(Extension.privateKeyUsagePeriod); oids.add(Extension.qCStatements); oids.add(Extension.reasonCode); oids.add(Extension.subjectAlternativeName); oids.add(Extension.subjectDirectoryAttributes); oids.add(Extension.subjectInfoAccess); oids.add(Extension.subjectKeyIdentifier); oids.add(Extension.targetInformation); oids.add(ObjectIdentifiers.id_pe_tlsfeature); StringBuilder enums = new StringBuilder(); for (ASN1ObjectIdentifier oid : oids) { String name = ObjectIdentifiers.getName(oid); if (StringUtil.isBlank(name)) { name = oid.getId();//from ww w.j av a 2 s. co m } enums.append(name).append(","); } enums.deleteCharAt(enums.length() - 1); setTokens(enums.toString()); }