List of usage examples for org.bouncycastle.asn1.x509 GeneralName GeneralName
public GeneralName(X500Name dirName)
From source file:org.xipki.pki.ca.client.impl.CmpRequestor.java
License:Open Source License
public CmpRequestor(final X509Certificate requestorCert, final CmpResponder responder, final SecurityFactory securityFactory) { ParamUtil.requireNonNull("requestorCert", requestorCert); this.responder = ParamUtil.requireNonNull("responder", responder); this.securityFactory = ParamUtil.requireNonNull("securityFactory", securityFactory); this.requestor = null; this.signRequest = false; X500Name x500Name = X500Name.getInstance(requestorCert.getSubjectX500Principal().getEncoded()); this.sender = new GeneralName(x500Name); X500Name subject = X500Name.getInstance(responder.getCert().getSubjectX500Principal().getEncoded()); this.recipient = new GeneralName(subject); this.recipientName = subject; }
From source file:org.xipki.pki.ca.client.impl.CmpRequestor.java
License:Open Source License
public CmpRequestor(ConcurrentContentSigner requestor, final CmpResponder responder, final SecurityFactory securityFactory, final boolean signRequest) { this.requestor = ParamUtil.requireNonNull("requestor", requestor); if (requestor.getCertificate() == null) { throw new IllegalArgumentException("requestor without certificate is not allowed"); }/*from w w w .j ava2 s .c om*/ this.responder = ParamUtil.requireNonNull("responder", responder); this.securityFactory = ParamUtil.requireNonNull("securityFactory", securityFactory); this.signRequest = signRequest; X500Name x500Name = X500Name.getInstance(requestor.getCertificate().getSubjectX500Principal().getEncoded()); this.sender = new GeneralName(x500Name); X500Name subject = X500Name.getInstance(responder.getCert().getSubjectX500Principal().getEncoded()); this.recipient = new GeneralName(subject); this.recipientName = subject; }
From source file:org.xipki.pki.ca.client.impl.X509CmpRequestor.java
License:Open Source License
private RevokeCertResultType parse(final PkiResponse response, final List<? extends IssuerSerialEntry> reqEntries) throws CmpRequestorException, PkiErrorException { ParamUtil.requireNonNull("response", response); checkProtection(response);/*from ww w . jav a 2 s . c o m*/ PKIBody respBody = response.getPkiMessage().getBody(); int bodyType = respBody.getType(); if (PKIBody.TYPE_ERROR == bodyType) { ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent()); throw new PkiErrorException(content.getPKIStatusInfo()); } else if (PKIBody.TYPE_REVOCATION_REP != bodyType) { throw new CmpRequestorException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_REVOCATION_REP, PKIBody.TYPE_ERROR)); } RevRepContent content = RevRepContent.getInstance(respBody.getContent()); PKIStatusInfo[] statuses = content.getStatus(); if (statuses == null || statuses.length != reqEntries.size()) { int statusesLen = 0; if (statuses != null) { statusesLen = statuses.length; } throw new CmpRequestorException( String.format("incorrect number of status entries in response '%s' instead the expected '%s'", statusesLen, reqEntries.size())); } CertId[] revCerts = content.getRevCerts(); RevokeCertResultType result = new RevokeCertResultType(); for (int i = 0; i < statuses.length; i++) { PKIStatusInfo statusInfo = statuses[i]; int status = statusInfo.getStatus().intValue(); IssuerSerialEntry re = reqEntries.get(i); if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) { PKIFreeText text = statusInfo.getStatusString(); String statusString = (text == null) ? null : text.getStringAt(0).getString(); ResultEntry resultEntry = new ErrorResultEntry(re.getId(), status, statusInfo.getFailInfo().intValue(), statusString); result.addResultEntry(resultEntry); continue; } CertId certId = null; if (revCerts != null) { for (CertId entry : revCerts) { if (re.getIssuer().equals(entry.getIssuer().getName()) && re.getSerialNumber().equals(entry.getSerialNumber().getValue())) { certId = entry; break; } } } if (certId == null) { LOG.warn("certId is not present in response for (issuer='{}', serialNumber={})", X509Util.getRfc4519Name(re.getIssuer()), LogUtil.formatCsn(re.getSerialNumber())); certId = new CertId(new GeneralName(re.getIssuer()), re.getSerialNumber()); continue; } ResultEntry resultEntry = new RevokeCertResultEntry(re.getId(), certId); result.addResultEntry(resultEntry); } return result; }
From source file:org.xipki.pki.ca.common.cmp.CmpUtil.java
License:Open Source License
public static PKIMessage addProtection(final PKIMessage pkiMessage, final ConcurrentContentSigner signer, final GeneralName signerName, final boolean addSignerCert) throws CMPException, NoIdleSignerException { ParamUtil.requireNonNull("pkiMessage", pkiMessage); ParamUtil.requireNonNull("signer", signer); final GeneralName tmpSignerName; if (signerName != null) { tmpSignerName = signerName;/*from ww w . j ava 2 s . c o m*/ } else { if (signer.getCertificate() == null) { throw new IllegalArgumentException("signer without certificate is not allowed"); } X500Name x500Name = X500Name .getInstance(signer.getCertificate().getSubjectX500Principal().getEncoded()); tmpSignerName = new GeneralName(x500Name); } PKIHeader header = pkiMessage.getHeader(); ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(tmpSignerName, header.getRecipient()); PKIFreeText freeText = header.getFreeText(); if (freeText != null) { builder.setFreeText(freeText); } InfoTypeAndValue[] generalInfo = header.getGeneralInfo(); if (generalInfo != null) { for (InfoTypeAndValue gi : generalInfo) { builder.addGeneralInfo(gi); } } ASN1OctetString octet = header.getRecipKID(); if (octet != null) { builder.setRecipKID(octet.getOctets()); } octet = header.getRecipNonce(); if (octet != null) { builder.setRecipNonce(octet.getOctets()); } octet = header.getSenderKID(); if (octet != null) { builder.setSenderKID(octet.getOctets()); } octet = header.getSenderNonce(); if (octet != null) { builder.setSenderNonce(octet.getOctets()); } octet = header.getTransactionID(); if (octet != null) { builder.setTransactionID(octet.getOctets()); } if (header.getMessageTime() != null) { builder.setMessageTime(new Date()); } builder.setBody(pkiMessage.getBody()); if (addSignerCert) { X509CertificateHolder signerCert = signer.getCertificateAsBcObject(); builder.addCMPCertificate(signerCert); } ProtectedPKIMessage signedMessage = signer.build(builder); return signedMessage.toASN1Structure(); }
From source file:org.xipki.pki.ca.qa.ExtensionsChecker.java
License:Open Source License
private void checkExtensionNameConstraintsSubtrees(final StringBuilder failureMsg, final String description, final GeneralSubtree[] subtrees, final List<QaGeneralSubtree> expectedSubtrees) { int isSize = (subtrees == null) ? 0 : subtrees.length; int expSize = (expectedSubtrees == null) ? 0 : expectedSubtrees.size(); if (isSize != expSize) { addViolation(failureMsg, "size of " + description, isSize, expSize); return;/* w w w.j a va 2s .c o m*/ } if (subtrees == null || expectedSubtrees == null) { return; } for (int i = 0; i < isSize; i++) { GeneralSubtree isSubtree = subtrees[i]; QaGeneralSubtree expSubtree = expectedSubtrees.get(i); BigInteger bigInt = isSubtree.getMinimum(); int isMinimum = (bigInt == null) ? 0 : bigInt.intValue(); Integer minimum = expSubtree.getMinimum(); int expMinimum = (minimum == null) ? 0 : minimum.intValue(); String desc = description + " [" + i + "]"; if (isMinimum != expMinimum) { addViolation(failureMsg, "minimum of " + desc, isMinimum, expMinimum); } bigInt = isSubtree.getMaximum(); Integer isMaximum = (bigInt == null) ? null : bigInt.intValue(); Integer expMaximum = expSubtree.getMaximum(); if (!CompareUtil.equalsObject(isMaximum, expMaximum)) { addViolation(failureMsg, "maxmum of " + desc, isMaximum, expMaximum); } GeneralName isBase = isSubtree.getBase(); GeneralName expBase; if (expSubtree.getDirectoryName() != null) { expBase = new GeneralName(X509Util.reverse(new X500Name(expSubtree.getDirectoryName()))); } else if (expSubtree.getDnsName() != null) { expBase = new GeneralName(GeneralName.dNSName, expSubtree.getDnsName()); } else if (expSubtree.getIpAddress() != null) { expBase = new GeneralName(GeneralName.iPAddress, expSubtree.getIpAddress()); } else if (expSubtree.getRfc822Name() != null) { expBase = new GeneralName(GeneralName.rfc822Name, expSubtree.getRfc822Name()); } else if (expSubtree.getUri() != null) { expBase = new GeneralName(GeneralName.uniformResourceIdentifier, expSubtree.getUri()); } else { throw new RuntimeException("should not reach here, unknown child of GeneralName"); } if (!isBase.equals(expBase)) { addViolation(failureMsg, "base of " + desc, isBase, expBase); } } }
From source file:org.xipki.pki.ca.server.impl.cmp.CmpResponderEntryWrapper.java
License:Open Source License
public void setDbEntry(final CmpResponderEntry dbEntry) { this.dbEntry = ParamUtil.requireNonNull("dbEntry", dbEntry); signer = null;/*from www .jav a 2 s. c o m*/ if (dbEntry.getCertificate() != null) { subjectAsX500Name = X500Name .getInstance(dbEntry.getCertificate().getSubjectX500Principal().getEncoded()); subjectAsGeneralName = new GeneralName(subjectAsX500Name); } }
From source file:org.xipki.pki.ca.server.impl.cmp.CmpResponderEntryWrapper.java
License:Open Source License
public void initSigner(final SecurityFactory securityFactory) throws ObjectCreationException { ParamUtil.requireNonNull("securityFactory", securityFactory); if (signer != null) { return;/*from w w w . ja va 2s.c o m*/ } if (dbEntry == null) { throw new ObjectCreationException("dbEntry is null"); } X509Certificate responderCert = dbEntry.getCertificate(); dbEntry.setConfFaulty(true); signer = securityFactory.createSigner(dbEntry.getType(), new SignerConf(dbEntry.getConf()), responderCert); if (signer.getCertificate() == null) { throw new ObjectCreationException("signer without certificate is not allowed"); } dbEntry.setConfFaulty(false); if (dbEntry.getBase64Cert() == null) { dbEntry.setCertificate(signer.getCertificate()); subjectAsX500Name = X500Name.getInstance(signer.getCertificateAsBcObject().getSubject()); subjectAsGeneralName = new GeneralName(subjectAsX500Name); } }
From source file:org.xipki.pki.ca.server.impl.cmp.X509CaCmpResponder.java
License:Open Source License
private PKIBody unRevokeRemoveCertificates(final PKIMessage request, final RevReqContent rr, final Permission permission, final CmpControl cmpControl, final String msgId) { RevDetails[] revContent = rr.toRevDetailsArray(); RevRepContentBuilder repContentBuilder = new RevRepContentBuilder(); final int n = revContent.length; // test the request for (int i = 0; i < n; i++) { RevDetails revDetails = revContent[i]; CertTemplate certDetails = revDetails.getCertDetails(); X500Name issuer = certDetails.getIssuer(); ASN1Integer serialNumber = certDetails.getSerialNumber(); try {//from w w w. j a v a2s . c om X500Name caSubject = getCa().getCaInfo().getCertificate().getSubjectAsX500Name(); if (issuer == null) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer is not present"); } if (!issuer.equals(caSubject)) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA"); } if (serialNumber == null) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "serialNumber is not present"); } if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null || certDetails.getSubject() != null || certDetails.getPublicKey() != null || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "only version, issuer and serialNumber in RevDetails.certDetails are " + "allowed, but more is specified"); } if (certDetails.getExtensions() == null) { if (cmpControl.isRrAkiRequired()) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present"); } } else { Extensions exts = certDetails.getExtensions(); ASN1ObjectIdentifier[] oids = exts.getCriticalExtensionOIDs(); if (oids != null) { for (ASN1ObjectIdentifier oid : oids) { if (!Extension.authorityKeyIdentifier.equals(oid)) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "unknown critical extension " + oid.getId()); } } } Extension ext = exts.getExtension(Extension.authorityKeyIdentifier); if (ext == null) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present"); } else { AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(ext.getParsedValue()); if (aki.getKeyIdentifier() == null) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present"); } boolean issuerMatched = true; byte[] caSki = getCa().getCaInfo().getCertificate().getSubjectKeyIdentifier(); if (Arrays.equals(caSki, aki.getKeyIdentifier())) { issuerMatched = false; } if (issuerMatched && aki.getAuthorityCertSerialNumber() != null) { BigInteger caSerial = getCa().getCaInfo().getSerialNumber(); if (!caSerial.equals(aki.getAuthorityCertSerialNumber())) { issuerMatched = false; } } if (issuerMatched && aki.getAuthorityCertIssuer() != null) { GeneralName[] names = aki.getAuthorityCertIssuer().getNames(); for (GeneralName name : names) { if (name.getTagNo() != GeneralName.directoryName) { issuerMatched = false; break; } if (!caSubject.equals(name.getName())) { issuerMatched = false; break; } } } if (!issuerMatched) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA"); } } } } catch (IllegalArgumentException ex) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "the request is not invalid"); } } // end for byte[] encodedRequest = null; if (getCa().getCaInfo().isSaveRequest()) { try { encodedRequest = request.getEncoded(); } catch (IOException ex) { LOG.warn("could not encode request"); } } Long reqDbId = null; for (int i = 0; i < n; i++) { RevDetails revDetails = revContent[i]; CertTemplate certDetails = revDetails.getCertDetails(); ASN1Integer serialNumber = certDetails.getSerialNumber(); // serialNumber is not null due to the check in the previous for-block. X500Name caSubject = getCa().getCaInfo().getCertificate().getSubjectAsX500Name(); BigInteger snBigInt = serialNumber.getPositiveValue(); CertId certId = new CertId(new GeneralName(caSubject), serialNumber); PKIStatusInfo status; try { Object returnedObj = null; Long certDbId = null; X509Ca ca = getCa(); if (Permission.UNREVOKE_CERT == permission) { // unrevoke returnedObj = ca.unrevokeCertificate(snBigInt, msgId); if (returnedObj != null) { certDbId = ((X509CertWithDbId) returnedObj).getCertId(); } } else if (Permission.REMOVE_CERT == permission) { // remove returnedObj = ca.removeCertificate(snBigInt, msgId); } else { // revoke Date invalidityDate = null; CrlReason reason = null; Extensions crlDetails = revDetails.getCrlEntryDetails(); if (crlDetails != null) { ASN1ObjectIdentifier extId = Extension.reasonCode; ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId); if (extValue != null) { int reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue(); reason = CrlReason.forReasonCode(reasonCode); } extId = Extension.invalidityDate; extValue = crlDetails.getExtensionParsedValue(extId); if (extValue != null) { try { invalidityDate = ASN1GeneralizedTime.getInstance(extValue).getDate(); } catch (ParseException ex) { throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid extension " + extId.getId()); } } } // end if (crlDetails) if (reason == null) { reason = CrlReason.UNSPECIFIED; } returnedObj = ca.revokeCertificate(snBigInt, reason, invalidityDate, msgId); if (returnedObj != null) { certDbId = ((X509CertWithRevocationInfo) returnedObj).getCert().getCertId(); } } // end if (permission) if (returnedObj == null) { throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists"); } if (certDbId != null && ca.getCaInfo().isSaveRequest()) { if (reqDbId == null) { reqDbId = ca.addRequest(encodedRequest); } ca.addRequestCert(reqDbId, certDbId); } status = new PKIStatusInfo(PKIStatus.granted); } catch (OperationException ex) { ErrorCode code = ex.getErrorCode(); LOG.warn("{} certificate, OperationException: code={}, message={}", permission.name(), code.name(), ex.getErrorMessage()); String errorMessage; switch (code) { case DATABASE_FAILURE: case SYSTEM_FAILURE: errorMessage = code.name(); break; default: errorMessage = code.name() + ": " + ex.getErrorMessage(); break; } // end switch code int failureInfo = getPKiFailureInfo(ex); status = generateRejectionStatus(failureInfo, errorMessage); } // end try repContentBuilder.add(status, certId); } // end for return new PKIBody(PKIBody.TYPE_REVOCATION_REP, repContentBuilder.build()); }
From source file:org.xipki.pki.ca.server.impl.IdentifiedX509Certprofile.java
License:Open Source License
public ExtensionValues getExtensions(@NonNull final X500Name requestedSubject, @NonNull final X500Name grantedSubject, @Nullable final Extensions requestedExtensions, @NonNull final SubjectPublicKeyInfo publicKeyInfo, @NonNull final PublicCaInfo publicCaInfo, @Nullable final X509Certificate crlSignerCert, @NonNull final Date notBefore, @NonNull final Date notAfter) throws CertprofileException, BadCertTemplateException { ParamUtil.requireNonNull("publicKeyInfo", publicKeyInfo); ExtensionValues values = new ExtensionValues(); Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls()); Set<ASN1ObjectIdentifier> neededExtTypes = new HashSet<>(); Set<ASN1ObjectIdentifier> wantedExtTypes = new HashSet<>(); if (requestedExtensions != null) { Extension reqExtension = requestedExtensions .getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions); if (reqExtension != null) { ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue()); neededExtTypes.addAll(ee.getNeedExtensions()); wantedExtTypes.addAll(ee.getWantExtensions()); }//from w w w.j av a2 s. c o m for (ASN1ObjectIdentifier oid : neededExtTypes) { if (wantedExtTypes.contains(oid)) { wantedExtTypes.remove(oid); } if (!controls.containsKey(oid)) { throw new BadCertTemplateException("could not add needed extension " + oid.getId()); } } } // SubjectKeyIdentifier ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier; ExtensionControl extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { byte[] encodedSpki = publicKeyInfo.getPublicKeyData().getBytes(); byte[] skiValue = HashAlgoType.SHA1.hash(encodedSpki); SubjectKeyIdentifier value = new SubjectKeyIdentifier(skiValue); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // Authority key identifier extType = Extension.authorityKeyIdentifier; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer(); AuthorityKeyIdentifier value = null; if (ikiValue != null) { if (certprofile.includeIssuerAndSerialInAki()) { GeneralNames x509CaSubject = new GeneralNames(new GeneralName(publicCaInfo.getX500Subject())); value = new AuthorityKeyIdentifier(ikiValue, x509CaSubject, publicCaInfo.getSerialNumber()); } else { value = new AuthorityKeyIdentifier(ikiValue); } } addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // IssuerAltName extType = Extension.issuerAlternativeName; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { GeneralNames value = publicCaInfo.getSubjectAltName(); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // AuthorityInfoAccess extType = Extension.authorityInfoAccess; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl(); List<String> caIssuers = null; if (aiaControl == null || aiaControl.includesCaIssuers()) { caIssuers = publicCaInfo.getCaCertUris(); } List<String> ocspUris = null; if (aiaControl == null || aiaControl.includesOcsp()) { ocspUris = publicCaInfo.getOcspUris(); } if (CollectionUtil.isNonEmpty(caIssuers) || CollectionUtil.isNonEmpty(ocspUris)) { AuthorityInformationAccess value = CaUtil.createAuthorityInformationAccess(caIssuers, ocspUris); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } } if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) { X500Name crlSignerSubject = (crlSignerCert == null) ? null : X500Name.getInstance(crlSignerCert.getSubjectX500Principal().getEncoded()); X500Name x500CaPrincipal = publicCaInfo.getX500Subject(); // CRLDistributionPoints extType = Extension.cRLDistributionPoints; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { if (CollectionUtil.isNonEmpty(publicCaInfo.getCrlUris())) { CRLDistPoint value = CaUtil.createCrlDistributionPoints(publicCaInfo.getCrlUris(), x500CaPrincipal, crlSignerSubject); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } } // FreshestCRL extType = Extension.freshestCRL; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { if (CollectionUtil.isNonEmpty(publicCaInfo.getDeltaCrlUris())) { CRLDistPoint value = CaUtil.createCrlDistributionPoints(publicCaInfo.getDeltaCrlUris(), x500CaPrincipal, crlSignerSubject); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } } } // BasicConstraints extType = Extension.basicConstraints; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { BasicConstraints value = CaUtil.createBasicConstraints(certprofile.getCertLevel(), certprofile.getPathLenBasicConstraint()); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // KeyUsage extType = Extension.keyUsage; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { Set<KeyUsage> usages = new HashSet<>(); Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage(); for (KeyUsageControl k : usageOccs) { if (k.isRequired()) { usages.add(k.getKeyUsage()); } } // the optional KeyUsage will only be set if requested explicitly if (requestedExtensions != null && extControl.isRequest()) { addRequestedKeyusage(usages, requestedExtensions, usageOccs); } org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // ExtendedKeyUsage extType = Extension.extendedKeyUsage; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { List<ASN1ObjectIdentifier> usages = new LinkedList<>(); Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages(); for (ExtKeyUsageControl k : usageOccs) { if (k.isRequired()) { usages.add(k.getExtKeyUsage()); } } // the optional ExtKeyUsage will only be set if requested explicitly if (requestedExtensions != null && extControl.isRequest()) { addRequestedExtKeyusage(usages, requestedExtensions, usageOccs); } if (extControl.isCritical() && usages.contains(ObjectIdentifiers.id_anyExtendedKeyUsage)) { extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest()); } ExtendedKeyUsage value = X509Util.createExtendedUsage(usages); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // ocsp-nocheck extType = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { // the extension ocsp-nocheck will only be set if requested explicitly DERNull value = DERNull.INSTANCE; addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // SubjectInfoAccess extType = Extension.subjectInfoAccess; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { ASN1Sequence value = null; if (requestedExtensions != null && extControl.isRequest()) { value = createSubjectInfoAccess(requestedExtensions, certprofile.getSubjectInfoAccessModes()); } addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, grantedSubject, requestedExtensions, notBefore, notAfter); Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet()); for (ASN1ObjectIdentifier type : extTypes) { extControl = controls.remove(type); boolean addMe = addMe(type, extControl, neededExtTypes, wantedExtTypes); if (addMe) { ExtensionValue value = null; if (requestedExtensions != null && extControl.isRequest()) { Extension reqExt = requestedExtensions.getExtension(type); if (reqExt != null) { value = new ExtensionValue(reqExt.isCritical(), reqExt.getParsedValue()); } } if (value == null) { value = subvalues.getExtensionValue(type); } addExtension(values, type, value, extControl, neededExtTypes, wantedExtTypes); } } Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>(); for (ASN1ObjectIdentifier type : controls.keySet()) { if (controls.get(type).isRequired()) { unprocessedExtTypes.add(type); } } if (CollectionUtil.isNonEmpty(unprocessedExtTypes)) { throw new CertprofileException("could not add required extensions " + toString(unprocessedExtTypes)); } if (CollectionUtil.isNonEmpty(neededExtTypes)) { throw new BadCertTemplateException("could not add requested extensions " + toString(neededExtTypes)); } return values; }
From source file:org.xipki.pki.ca.server.impl.X509Ca.java
License:Open Source License
private static Extension createCertificateIssuerExtension(final X500Name certificateIssuer) { try {/*from www . j a va 2s . c o m*/ GeneralNames generalNames = new GeneralNames(new GeneralName(certificateIssuer)); return new Extension(Extension.certificateIssuer, true, generalNames.getEncoded()); } catch (IOException ex) { throw new IllegalArgumentException("error encoding reason: " + ex.getMessage(), ex); } }