List of usage examples for org.bouncycastle.asn1.x509 GeneralName iPAddress
int iPAddress
From source file:org.elasticsearch.xpack.core.ssl.CertGenUtilsTests.java
License:Open Source License
/**
 * Checks that {@code CertGenUtils.getSubjectAlternativeNames} always emits an iPAddress entry for the
 * supplied address, and emits exactly one extra dNSName entry only when reverse resolution was requested
 * and the address is resolvable. The relative order of the two entries is not asserted.
 *
 * @throws Exception propagated from the helper under test
 */
public void testSubjectAlternativeNames() throws Exception {
    final boolean resolveName = randomBoolean();
    final InetAddress address = InetAddresses.forString("127.0.0.1");
    final GeneralNames generalNames = CertGenUtils.getSubjectAlternativeNames(resolveName, Collections.singleton(address));
    assertThat(generalNames, notNullValue());

    final GeneralName[] names = generalNames.getNames();
    assertThat(names, notNullValue());
    logger.info("resolve name [{}], address [{}], subject alt names [{}]", resolveName, NetworkAddress.format(address), generalNames);

    // Without (successful) resolution only the literal address must be present.
    if (!(resolveName && isResolvable(address))) {
        assertThat(names.length, is(1));
        assertThat(names[0].getTagNo(), is(GeneralName.iPAddress));
        return;
    }

    // Resolution succeeded: one iPAddress and one dNSName, in either order.
    assertThat(names.length, is(2));
    final int firstType = names[0].getTagNo();
    switch (firstType) {
        case GeneralName.iPAddress:
            assertThat(names[1].getTagNo(), is(GeneralName.dNSName));
            break;
        case GeneralName.dNSName:
            assertThat(names[1].getTagNo(), is(GeneralName.iPAddress));
            break;
        default:
            fail("unknown tag value: " + firstType);
    }
}
From source file:org.elasticsearch.xpack.core.ssl.CertificateGenerateTool.java
License:Open Source License
/**
 * Builds the SubjectAlternativeName extension value from the configured IP addresses, DNS names and
 * "common name" otherNames.
 * <p>
 * Entries are collected in a {@link HashSet}, so duplicates collapse and the order of the names in the
 * encoded extension is unspecified. Each IP string is handed to BouncyCastle's
 * {@code GeneralName(int, String)} constructor, which (in the versions I know) throws an
 * {@link IllegalArgumentException} for a string that is not a valid IP literal — verify that callers
 * validate addresses first if a friendlier error is wanted.
 *
 * @param ipAddresses IP address literals to add as iPAddress entries
 * @param dnsNames    host names to add as dNSName entries
 * @param commonNames values to add via {@code CertGenUtils.createCommonName}
 * @return the GeneralNames, or {@code null} when all three lists are empty (no extension is added)
 */
private static GeneralNames getSubjectAlternativeNamesValue(List<String> ipAddresses, List<String> dnsNames, List<String> commonNames) {
    final Set<GeneralName> names = new HashSet<>();
    ipAddresses.forEach(ip -> names.add(new GeneralName(GeneralName.iPAddress, ip)));
    dnsNames.forEach(dns -> names.add(new GeneralName(GeneralName.dNSName, dns)));
    commonNames.forEach(cn -> names.add(CertGenUtils.createCommonName(cn)));
    return names.isEmpty() ? null : new GeneralNames(names.toArray(new GeneralName[0]));
}
From source file:org.elasticsearch.xpack.core.ssl.CertificateGenerateToolTests.java
License:Open Source License
/**
 * Asserts that every entry of the certificate's SubjectAlternativeName extension corresponds to one of the
 * configured IP addresses, DNS names or common names, and that the entry count matches exactly.
 * <p>
 * The common-name entries are expected as an otherName SEQUENCE { OID, [0] EXPLICIT string }; both the OID
 * and the explicit tag number 0 are checked.
 *
 * @param subjAltNames the decoded extension value
 * @param certInfo     the expected names (the dns/ip lists are sorted in place as a side effect)
 * @throws Exception if an iPAddress octet string cannot be turned into an {@link InetAddress}
 */
private void assertSubjAltNames(GeneralNames subjAltNames, CertificateInformation certInfo) throws Exception {
    final int expectedCount = certInfo.ipAddresses.size() + certInfo.dnsNames.size() + certInfo.commonNames.size();
    assertEquals(expectedCount, subjAltNames.getNames().length);
    Collections.sort(certInfo.dnsNames);
    Collections.sort(certInfo.ipAddresses);

    for (GeneralName generalName : subjAltNames.getNames()) {
        final int tag = generalName.getTagNo();
        switch (tag) {
            case GeneralName.dNSName: {
                final String dns = ((ASN1String) generalName.getName()).getString();
                assertTrue(certInfo.dnsNames.contains(dns));
                break;
            }
            case GeneralName.iPAddress: {
                // The SAN carries raw address octets; format them the same way the expected list was built.
                final byte[] ipBytes = DEROctetString.getInstance(generalName.getName()).getOctets();
                final String ip = NetworkAddress.format(InetAddress.getByAddress(ipBytes));
                assertTrue(certInfo.ipAddresses.contains(ip));
                break;
            }
            case GeneralName.otherName: {
                final ASN1Sequence seq = ASN1Sequence.getInstance(generalName.getName());
                assertThat(seq.size(), equalTo(2));
                assertThat(seq.getObjectAt(0), instanceOf(ASN1ObjectIdentifier.class));
                assertThat(seq.getObjectAt(0).toString(), equalTo(CN_OID));
                assertThat(seq.getObjectAt(1), instanceOf(DERTaggedObject.class));
                final DERTaggedObject taggedName = (DERTaggedObject) seq.getObjectAt(1);
                assertThat(taggedName.getTagNo(), equalTo(0));
                assertThat(taggedName.getObject(), instanceOf(ASN1String.class));
                assertThat(taggedName.getObject().toString(), Matchers.isIn(certInfo.commonNames));
                break;
            }
            default:
                fail("unknown general name with tag " + tag);
        }
    }
}
From source file:org.elasticsearch.xpack.core.ssl.CertificateToolTests.java
License:Open Source License
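/**
 * Asserts that every entry of the certificate's SubjectAlternativeName extension corresponds to one of the
 * configured IP addresses, DNS names or common names, and that the entry count matches exactly.
 * <p>
 * The common-name entries are expected as an otherName SEQUENCE { OID, [0] EXPLICIT string }. In addition to
 * the OID, the explicit tag number is now asserted to be 0 — the sibling test in
 * {@code CertificateGenerateToolTests} already checks this, and without it a mis-tagged value would pass.
 *
 * @param subjAltNames the decoded extension value
 * @param certInfo     the expected names (the dns/ip lists are sorted in place as a side effect)
 * @throws Exception if an iPAddress octet string cannot be turned into an {@link InetAddress}
 */
private void assertSubjAltNames(GeneralNames subjAltNames, CertificateInformation certInfo) throws Exception {
    final int expectedCount = certInfo.ipAddresses.size() + certInfo.dnsNames.size() + certInfo.commonNames.size();
    assertEquals(expectedCount, subjAltNames.getNames().length);
    Collections.sort(certInfo.dnsNames);
    Collections.sort(certInfo.ipAddresses);

    for (GeneralName generalName : subjAltNames.getNames()) {
        final int tag = generalName.getTagNo();
        switch (tag) {
            case GeneralName.dNSName: {
                final String dns = ((ASN1String) generalName.getName()).getString();
                assertTrue(certInfo.dnsNames.contains(dns));
                break;
            }
            case GeneralName.iPAddress: {
                // The SAN carries raw address octets; format them the same way the expected list was built.
                final byte[] ipBytes = DEROctetString.getInstance(generalName.getName()).getOctets();
                final String ip = NetworkAddress.format(InetAddress.getByAddress(ipBytes));
                assertTrue(certInfo.ipAddresses.contains(ip));
                break;
            }
            case GeneralName.otherName: {
                final ASN1Sequence seq = ASN1Sequence.getInstance(generalName.getName());
                assertThat(seq.size(), equalTo(2));
                assertThat(seq.getObjectAt(0), instanceOf(ASN1ObjectIdentifier.class));
                assertThat(seq.getObjectAt(0).toString(), equalTo(CN_OID));
                assertThat(seq.getObjectAt(1), instanceOf(ASN1TaggedObject.class));
                final ASN1TaggedObject tagged = (ASN1TaggedObject) seq.getObjectAt(1);
                // otherName value is [0] EXPLICIT; pin the tag so a mis-encoded value cannot slip through.
                assertThat(tagged.getTagNo(), equalTo(0));
                assertThat(tagged.getObject(), instanceOf(ASN1String.class));
                assertThat(tagged.getObject().toString(), Matchers.isIn(certInfo.commonNames));
                break;
            }
            default:
                fail("unknown general name with tag " + tag);
        }
    }
}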
From source file:org.glite.security.util.HostNameChecker.java
License:Apache License
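/**
 * Checks whether the hostname is allowed by the certificate. Checks the certificate altnames and subject DN
 * according to RFC 2818. Wildcard '*' is supported both in dnsName altName and in the DN. Service prefix in DN
 * CN format "[service name]/[hostname]" is recognized, but ignored. Localhost defined as "localhost", "127.0.0.1"
 * or "::1" bypasses the check.
 * <p>
 * RFC 2818 section 3.1: "If a subjectAltName extension of type dNSName is present, that MUST be used as the
 * identity." Accordingly, when the hostname is a DNS name and the certificate carries at least one dNSName
 * altName, the subject DN is <em>not</em> consulted as a fallback any more; a certificate whose dNSName
 * entries do not match is rejected even if its CN would. (Previously the DN was always tried, which let a
 * certificate be accepted via a CN that its own SAN list did not vouch for.)
 * <p>
 * When the hostname is an IP address, iPAddress altNames are tried first and the DN is still used as a
 * fallback. RFC 2818 strictly requires an iPAddress altName in that case; the fallback is retained for
 * legacy certificates and is a known deviation.
 * <p>
 * SECURITY NOTE: the localhost bypass accepts <em>any</em> certificate for a loopback peer. Callers that
 * reach remote services through a local TLS-terminating proxy or tunnel must not rely on this method alone.
 *
 * @param inHostname
 *            The hostname to check against the certificate. Can be a DNS name, IP address or an URL.
 * @param cert
 *            The certificate the hostname is checked against.
 * @return True in case the hostname is allowed by the certificate.
 * @throws CertificateParsingException
 *             Thrown in case the certificate parsing fails.
 * @throws IllegalArgumentException
 *             Thrown when the input contains a '/' but is not a well-formed URL.
 */
public static boolean checkHostName(String inHostname, X509Certificate cert) throws CertificateParsingException {
    final String hostname = extractHostname(inHostname);
    // ipPattern is a class-level constant not shown here; assumed to match IPv4 and IPv6 literals — verify
    // that it also accepts the bracketed "[::1]" form URL.getHost() returns for IPv6 URLs.
    final boolean ipAsHostname = ipPattern.matcher(hostname).matches();

    // Loopback peers are accepted unconditionally (see the security note above).
    if (isLocalhost(hostname, ipAsHostname)) {
        return true;
    }

    // Subject alternative names take precedence over the subject DN.
    boolean dnsAltNamePresent = false;
    final Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
    if (altNames != null) {
        for (List<?> item : altNames) {
            final int type = ((Integer) item.get(0)).intValue();
            if (type == GeneralName.dNSName) {
                dnsAltNamePresent = true;
                // A dNSName can only satisfy a hostname that was given as a DNS name.
                if (!ipAsHostname) {
                    final String dnsName = (String) item.get(1);
                    if (checkDNS(hostname, dnsName)) {
                        return true;
                    }
                    LOGGER.debug("Hostname \"" + hostname + "\" does not match \"" + dnsName + "\".");
                }
            } else if (type == GeneralName.iPAddress) {
                // An iPAddress can only satisfy a hostname that was given as an IP literal.
                if (ipAsHostname) {
                    final String ipString = (String) item.get(1);
                    if (checkIP(hostname, ipString)) {
                        return true;
                    }
                    LOGGER.debug("Hostname \"" + hostname + "\" does not match \"" + ipString + "\".");
                }
            }
        }
    }

    // RFC 2818: a present dNSName altName is the sole identity for a DNS hostname; do not fall back to the DN.
    if (!ipAsHostname && dnsAltNamePresent) {
        LOGGER.debug("Hostname \"" + hostname
                + "\" does not match any dNSName altName; subject DN not consulted (RFC 2818).");
        return false;
    }

    // No usable altName: fall back to the subject DN.
    if (checkBasedOnDN(hostname, cert)) {
        return true;
    }
    LOGGER.debug("Hostname \"" + hostname + "\" does not match DN \"" + DNHandler.getSubject(cert).getRFCDN() + "\".");
    return false;
}

/**
 * Normalises the caller-supplied identity to a lower-cased host string. A value containing a '/' is treated
 * as a URL and its host part is used; anything else is taken as a bare hostname or IP literal.
 *
 * @param inHostname the raw input
 * @return the trimmed, lower-cased host
 * @throws IllegalArgumentException when the input looks like a URL but cannot be parsed
 */
private static String extractHostname(String inHostname) {
    if (inHostname.indexOf('/') < 0) {
        // Not an URL, assume it's a hostname.
        return inHostname.trim().toLowerCase();
    }
    try {
        return new URL(inHostname.trim()).getHost().toLowerCase();
    } catch (MalformedURLException e) {
        // Keep the original cause attached for diagnostics.
        throw new IllegalArgumentException("Illegal URL given for the certificate host check: " + inHostname, e);
    }
}

/**
 * Tells whether the host denotes the local machine: the literal "localhost", the IPv4 loopback address or the
 * IPv6 loopback address (compared against the class-level localhostIPv4 / localhostIPv6 constants).
 *
 * @param hostname     the normalised host
 * @param ipAsHostname whether the host matched the IP-literal pattern
 * @return true for a loopback identity
 */
private static boolean isLocalhost(String hostname, boolean ipAsHostname) {
    if (!ipAsHostname) {
        if (hostname.equals("localhost")) {
            LOGGER.debug("Localhost address given, bypassing hostname - certificate matching.");
            return true;
        }
        return false;
    }
    final byte[] hostnameIPBytes = IPAddressComparator.parseIP(hostname);
    // Fewer than 6 bytes is taken to mean an IPv4 address (4 bytes); otherwise IPv6 (16 bytes).
    if (hostnameIPBytes.length < 6) {
        if (IPAddressComparator.compare(hostnameIPBytes, localhostIPv4)) {
            LOGGER.debug("Localhost IPv4 address given, bypassing hostname - certificate matching.");
            return true;
        }
    } else if (IPAddressComparator.compare(hostnameIPBytes, localhostIPv6)) {
        LOGGER.debug("Localhost IPv6 address given, bypassing hostname - certificate matching.");
        return true;
    }
    return false;
}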
From source file:org.glite.security.util.proxy.ProxyRestrictionData.java
License:Apache License
/**
 * Adds a new permitted IP address space to the data structure.
 *
 * @param address The address space to add to the permitted ip address space. Example of the format: 192.168.0.0/16,
 *            which equals 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as
 *            xxx.xxx.xxx.xxx/32. <br>
 *            See <a href="http://www.ietf.org/rfc/rfc4632.txt"> RFC 4632.</a> The restriction is of the format used
 *            for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses
 *            (address followed by mask). The string is parsed by BouncyCastle's GeneralName(int, String)
 *            constructor, which rejects malformed input with an IllegalArgumentException.
 */
public void addPermittedIPAddressWithNetmask(String address) {
    final GeneralName base = new GeneralName(GeneralName.iPAddress, address);
    // No minimum/maximum: the whole address space described by the mask is permitted.
    m_permittedGeneralSubtrees.add(new GeneralSubtree(base, null, null));
}
From source file:org.glite.security.util.proxy.ProxyRestrictionData.java
License:Apache License
/**
 * Adds a new excluded IP address space to the data structure.
 *
 * @param address The address space to add to the excluded ip address space. Example of the format: 192.168.0.0/16,
 *            which equals 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as
 *            xxx.xxx.xxx.xxx/32. <br>
 *            See <a href="http://www.ietf.org/rfc/rfc4632.txt"> RFC 4632.</a> The restriction is of the format used
 *            for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses
 *            (address followed by mask). The string is parsed by BouncyCastle's GeneralName(int, String)
 *            constructor, which rejects malformed input with an IllegalArgumentException.
 */
public void addExcludedIPAddressWithNetmask(String address) {
    final GeneralName base = new GeneralName(GeneralName.iPAddress, address);
    // No minimum/maximum: the whole address space described by the mask is excluded.
    m_excludedGeneralSubtrees.add(new GeneralSubtree(base, null, null));
}
From source file:org.glite.security.util.proxy.ProxyRestrictionData.java
License:Apache License
/**
 * Collects the raw iPAddress octets (address followed by mask, as encoded in NameConstraints) from the vector of
 * GeneralSubtrees. Subtrees whose base is not an iPAddress are skipped.
 *
 * @param subtrees The vector of GeneralSubtrees to parse. Null as input will return null.
 * @return the array of IP address space octet strings, one byte[] per iPAddress subtree (possibly empty).
 */
private static byte[][] subtreesIntoArray(Vector<GeneralSubtree> subtrees) {
    if (subtrees == null) {
        return null;
    }
    final Vector<byte[]> addressSpaces = new Vector<byte[]>();
    for (GeneralSubtree subtree : subtrees) {
        final GeneralName base = subtree.getBase();
        if (base.getTagNo() != GeneralName.iPAddress) {
            continue;
        }
        addressSpaces.add(((ASN1OctetString) base.getName()).getOctets());
    }
    return addressSpaces.toArray(new byte[addressSpaces.size()][]);
}
From source file:org.jruby.ext.openssl.X509Extension.java
License:LGPL
/**
 * Appends an OpenSSL-style textual rendering of one GeneralName ("email:", "DNS:", "URI:", "DirName:", "IP:",
 * "otherName:", "RID:") to {@code out}.
 * <p>
 * The rfc822Name / dNSName / uniformResourceIdentifier cases deliberately fall through to one another: the
 * {@code tagged} flag makes sure only the first matching prefix is written, and all three share the IA5String
 * value extraction at the end of the chain. registeredID likewise falls through to the default rendering.
 * <p>
 * NOTE(review): the iPAddress rendering is not the standard textual form for IPv6. A 4-byte address is printed
 * as dotted decimal, but any other length is printed as decimal bytes joined by "::" (e.g. "32::1::13::184..."),
 * which is neither RFC 5952 nor what OpenSSL prints. It does round-trip with this project's own
 * X509ExtensionFactory.parseSubjectAltName, which splits on "." or "::" and parses decimal octets — change both
 * together if the format is ever fixed.
 *
 * @param name    the GeneralName to format
 * @param out     the byte list to append to
 * @param slashed for directoryName, render the RDNs as "/k=v/k=v" instead of the X500Name's toString()
 * @return true only for otherName (the caller apparently treats that case specially); false otherwise
 */
@SuppressWarnings("unchecked") // getDefaultSymbols() returns a raw Hashtable
private static boolean formatGeneralName(final GeneralName name, final ByteList out, final boolean slashed) {
    final ASN1Encodable obj = name.getName();
    String val;
    boolean tagged = false;
    switch (name.getTagNo()) {
    case GeneralName.rfc822Name:
        if (!tagged) out.append('e').append('m').append('a').append('i').append('l').append(':');
        tagged = true;
        // intentional fall-through
    case GeneralName.dNSName:
        if (!tagged) out.append('D').append('N').append('S').append(':');
        tagged = true;
        // intentional fall-through
    case GeneralName.uniformResourceIdentifier:
        if (!tagged) out.append('U').append('R').append('I').append(':');
        // All three name types carry an IA5String value.
        val = DERIA5String.getInstance(obj).getString();
        out.append(ByteList.plain(val));
        break;
    case GeneralName.directoryName:
        out.append('D').append('i').append('r').append('N').append('a').append('m').append('e').append(':');
        final X500Name dirName = X500Name.getInstance(obj);
        if (slashed) {
            final RDN[] rdns = dirName.getRDNs();
            final Hashtable defaultSymbols = getDefaultSymbols();
            for (int i = 0; i < rdns.length; i++) {
                appendRDN(out.append('/'), rdns[i], defaultSymbols);
            }
        } else {
            out.append(ByteList.plain(dirName.toString()));
        }
        break;
    case GeneralName.iPAddress:
        out.append('I').append('P').append(':');
        final byte[] ip = ((ASN1OctetString) name.getName()).getOctets();
        int len = ip.length;
        boolean ip4 = len == 4;
        for (int i = 0; i < ip.length; i++) {
            // Each octet is printed as an unsigned decimal; separator is "." for IPv4, "::" otherwise (see note).
            out.append(ConvertBytes.intToCharBytes(((int) ip[i]) & 0xff));
            if (i != len - 1) {
                if (ip4) out.append('.');
                else out.append(':').append(':');
            }
        }
        break;
    case GeneralName.otherName:
        out.append('o').append('t').append('h').append('e').append('r').append('N').append('a').append('m')
                .append('e').append(':');
        out.append(ByteList.plain(obj.toString()));
        return true;
        //tagged = true;
    case GeneralName.registeredID:
        out.append('R').append('I').append('D').append(':');
        //tagged = true;
        // intentional fall-through to the generic toString() rendering
    default:
        out.append(ByteList.plain(obj.toString()));
    }
    return false;
}
From source file:org.jruby.ext.openssl.X509ExtensionFactory.java
License:LGPL
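/**
 * Parses one OpenSSL-style subjectAltName entry ("DNS:host", "URI:...", "RID:oid", "email:addr",
 * "IP:1.2.3.4" / "IP Address:1.2.3.4", "otherName:...", "dirName:...") into a BouncyCastle
 * {@link GeneralName}. The prefix constants (DNS_, DNS_Name_, URI_, RID_, email_, otherName_, dirName_) are
 * class-level and not shown here.
 * <p>
 * Hardening in this revision: the IP branch used to build whatever byte array the split produced, masking
 * each parsed value with {@code & 0xff}, so "IP:1.2.3" or "IP:300.1.1.1" silently produced an invalid
 * iPAddress, and a non-numeric part escaped as an unchecked {@link NumberFormatException}. It now requires
 * exactly 4 or 16 octets (RFC 5280 section 4.2.1.6) each in 0..255 and reports every failure as the
 * {@link IOException} this method already declares.
 * <p>
 * NOTE(review): the accepted IP syntax is dotted-decimal IPv4, or decimal octets joined by "::" for IPv6 —
 * the format emitted by the companion X509Extension.formatGeneralName — not standard hex IPv6 notation.
 * NOTE(review): BouncyCastle's GeneralName(int, String) constructor, in the versions I know, cannot build an
 * otherName from a String and throws IllegalArgumentException; verify the "other" branch actually works.
 *
 * @param valuex the raw entry, prefix included
 * @return the GeneralName
 * @throws IOException when the prefix is unknown or an IP entry is not a well-formed address
 */
private static ASN1Encodable parseSubjectAltName(final String valuex) throws IOException {
    if (valuex.startsWith(DNS_)) {
        return new GeneralName(GeneralName.dNSName, valuex.substring(DNS_.length()));
    }
    if (valuex.startsWith(DNS_Name_)) {
        return new GeneralName(GeneralName.dNSName, valuex.substring(DNS_Name_.length()));
    }
    if (valuex.startsWith(URI_)) {
        return new GeneralName(GeneralName.uniformResourceIdentifier, valuex.substring(URI_.length()));
    }
    if (valuex.startsWith(RID_)) {
        return new GeneralName(GeneralName.registeredID, valuex.substring(RID_.length()));
    }
    if (valuex.startsWith(email_)) {
        return new GeneralName(GeneralName.rfc822Name, valuex.substring(email_.length()));
    }
    if (valuex.startsWith("IP:") || valuex.startsWith("IP Address:")) {
        // "IP:" is 3 characters, "IP Address:" is 11.
        final int idx = valuex.charAt(2) == ':' ? 3 : 11;
        final byte[] ip = parseIPOctets(valuex.substring(idx));
        return new GeneralName(GeneralName.iPAddress, new DEROctetString(ip));
    }
    if (valuex.startsWith("other")) { // otherName || othername
        final String other = valuex.substring(otherName_.length());
        return new GeneralName(GeneralName.otherName, other);
    }
    if (valuex.startsWith("dir")) { // dirName || dirname
        final String dir = valuex.substring(dirName_.length());
        return new GeneralName(GeneralName.directoryName, dir);
    }
    throw new IOException("could not parse SubjectAltName: " + valuex);
}

/**
 * Converts the address part of an "IP:" entry into raw octets. Parts are separated by "." (IPv4) or "::"
 * (this project's IPv6 rendering) and each part is a decimal octet.
 *
 * @param text the address text without its "IP:" / "IP Address:" prefix
 * @return 4 or 16 address octets
 * @throws IOException if the part count is not 4 or 16, or any part is not an integer in 0..255
 */
private static byte[] parseIPOctets(final String text) throws IOException {
    final String[] parts = text.split("\\.|::");
    if (parts.length != 4 && parts.length != 16) {
        throw new IOException("could not parse SubjectAltName IP address (expected 4 or 16 octets): " + text);
    }
    final byte[] ip = new byte[parts.length];
    for (int i = 0; i < parts.length; i++) {
        final int octet;
        try {
            octet = Integer.parseInt(parts[i]);
        } catch (NumberFormatException e) {
            throw new IOException("could not parse SubjectAltName IP address: " + text, e);
        }
        if (octet < 0 || octet > 255) {
            throw new IOException("could not parse SubjectAltName IP address (octet out of range): " + text);
        }
        ip[i] = (byte) octet;
    }
    return ip;
}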