List of usage examples for org.bouncycastle.asn1.x509 IssuingDistributionPoint getOnlySomeReasons
public ReasonFlags getOnlySomeReasons()
From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.java
License:Open Source License
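/**
 * Computes the reasons mask for one distribution point, RFC 3280 section 6.3.3 (d).
 *
 * <p>The result is the intersection of the reasons named by the certificate's distribution
 * point {@code dp} and the reasons the CRL restricts itself to through the onlySomeReasons
 * member of its IssuingDistributionPoint (IDP) extension; a side that names no reasons
 * covers all of them.
 *
 * @param crl the CRL whose IssuingDistributionPoint extension is consulted; the extension may be absent
 * @param dp  the certificate's distribution point being matched against {@code crl}
 * @return the reasons {@code crl} covers for {@code dp}; never {@code null}
 * @throws SimpleValidationErrorException if the IssuingDistributionPoint extension cannot be decoded
 */
protected static ReasonsMask processCRLD2(X509CRL crl, DistributionPoint dp)
        throws SimpleValidationErrorException {
    IssuingDistributionPoint idp = null;
    try {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
                RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    } catch (Exception e) {
        throw new SimpleValidationErrorException(ValidationErrorCode.distrPtExtError, e);
    }
    // onlySomeReasons is OPTIONAL inside the IDP, so "IDP present" does not mean "IDP restricts reasons".
    final boolean idpRestricts = idp != null && idp.getOnlySomeReasons() != null;
    final boolean dpRestricts = dp.getReasons() != null;

    // (d) (1): both sides name reasons.
    if (idpRestricts && dpRestricts) {
        return new ReasonsMask(dp.getReasons().intValue())
                .intersect(new ReasonsMask(idp.getOnlySomeReasons().intValue()));
    }
    // (d) (4): neither side names reasons.
    if (!idpRestricts && !dpRestricts) {
        return ReasonsMask.allReasons;
    }
    // (d) (2) and (d) (3): exactly one side names reasons. The earlier version dereferenced
    // idp.getOnlySomeReasons() whenever an IDP was present at all, so a CRL whose IDP has no
    // onlySomeReasons combined with a distribution point that does name reasons escaped as a
    // NullPointerException instead of a validation result.
    final ReasonsMask dpMask = dpRestricts
            ? new ReasonsMask(dp.getReasons().intValue())
            : ReasonsMask.allReasons;
    final ReasonsMask idpMask = idpRestricts
            ? new ReasonsMask(idp.getOnlySomeReasons().intValue())
            : ReasonsMask.allReasons;
    return dpMask.intersect(idpMask);
}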
From source file:eu.europa.ec.markt.dss.validation102853.crl.CommonCRLSource.java
License:Open Source License
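/**
 * Decides whether every critical extension of {@code x509CRL} is one this code understands and
 * records the verdict in {@code crlValidity.unknownCriticalExtension}.
 *
 * <p>The only critical extension recognised is IssuingDistributionPoint, and only when it carries
 * no onlySomeReasons restriction and one of its full-name URIs is listed in {@code dpUrlStringList}.
 * Any other critical extension, or an IssuingDistributionPoint outside that shape, leaves the CRL
 * marked as carrying an unknown critical extension.
 *
 * @param x509CRL         the CRL whose critical extensions are inspected
 * @param dpUrlStringList distribution point URLs taken from the certificate; may be null or empty
 * @param crlValidity     receives the verdict in its {@code unknownCriticalExtension} field
 */
private void checkCriticalExtensions(final X509CRL x509CRL, final List<String> dpUrlStringList,
        final CRLValidity crlValidity) {
    final Set<String> criticalExtensionOIDs = x509CRL.getCriticalExtensionOIDs();
    if (criticalExtensionOIDs == null || criticalExtensionOIDs.isEmpty()) {
        crlValidity.unknownCriticalExtension = false;
        return;
    }
    final String issuingDistributionPointOid = PKIXExtensions.IssuingDistributionPoint_Id.toString();
    // Verdicts are collected over the whole set and combined once at the end. The earlier version
    // assigned the field per OID, so a recognised IssuingDistributionPoint visited after an unknown
    // OID cleared the "unknown" verdict already recorded (Set iteration order is unspecified).
    boolean unknownFound = false;
    boolean idpSupported = true;
    for (final String criticalExtensionOID : criticalExtensionOIDs) {
        if (!issuingDistributionPointOid.equals(criticalExtensionOID)) {
            unknownFound = true;
            continue;
        }
        final byte[] extensionValue = x509CRL.getExtensionValue(issuingDistributionPointOid);
        final ASN1OctetString asn1OctetStringExtensionValue = ASN1OctetString.getInstance(extensionValue);
        final IssuingDistributionPoint issuingDistributionPoint = IssuingDistributionPoint
                .getInstance(asn1OctetStringExtensionValue.getOctets());
        final boolean onlyAttributeCerts = issuingDistributionPoint.onlyContainsAttributeCerts();
        final boolean onlyCaCerts = issuingDistributionPoint.onlyContainsCACerts();
        final boolean onlyUserCerts = issuingDistributionPoint.onlyContainsUserCerts();
        final boolean indirectCrl = issuingDistributionPoint.isIndirectCRL();
        final ReasonFlags reasonFlags = issuingDistributionPoint.getOnlySomeReasons();
        // distributionPoint is OPTIONAL in the IDP; the earlier version read its type without a null check.
        final boolean urlFound = isDistributionPointUrlListed(
                issuingDistributionPoint.getDistributionPoint(), dpUrlStringList);
        // NOTE(review): the scope flags are mutually exclusive for a conforming CRL, so this
        // conjunction is effectively never true; whether a scope-restricted CRL (e.g. CA certs
        // only) actually applies to the certificate at hand is not checked here — confirm intent.
        idpSupported = !(onlyAttributeCerts && onlyCaCerts && onlyUserCerts && indirectCrl)
                && reasonFlags == null && urlFound;
    }
    crlValidity.unknownCriticalExtension = unknownFound || !idpSupported;
}

/**
 * Returns whether {@code distributionPointName} is a FULL_NAME whose URI entries include one of
 * the URLs in {@code dpUrlStringList}; a null name never matches.
 */
private static boolean isDistributionPointUrlListed(final DistributionPointName distributionPointName,
        final List<String> dpUrlStringList) {
    if (distributionPointName == null || FULL_NAME != distributionPointName.getType()) {
        return false;
    }
    final GeneralNames generalNames = (GeneralNames) distributionPointName.getName();
    if (generalNames == null || generalNames.getNames() == null) {
        return false;
    }
    for (final GeneralName generalName : generalNames.getNames()) {
        if (uniformResourceIdentifier != generalName.getTagNo()) {
            continue;
        }
        final String name = generalName.getName().toString();
        if (DSSUtils.isNotEmpty(dpUrlStringList) && dpUrlStringList.contains(name)) {
            return true;
        }
    }
    return false;
}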
From source file:eu.europa.esig.dss.x509.crl.CRLUtils.java
License:Open Source License
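/**
 * Checks the critical extensions of {@code x509CRL} and clears {@code crlValidity}'s
 * unknown-critical-extension flag only when all of them are understood.
 *
 * <p>The only critical extension recognised is IssuingDistributionPoint, and only when it carries
 * no onlySomeReasons restriction and its full name holds at least one URI. Any other critical
 * extension marks the CRL as carrying an unknown critical extension.
 *
 * @param x509CRL     the CRL whose critical extensions are inspected
 * @param crlValidity receives the verdict through {@code setUnknownCriticalExtension}
 */
private static void checkCriticalExtensions(final X509CRL x509CRL, final CRLValidity crlValidity) {
    final Set<String> criticalExtensionOIDs = x509CRL.getCriticalExtensionOIDs();
    if ((criticalExtensionOIDs == null) || criticalExtensionOIDs.isEmpty()) {
        crlValidity.setUnknownCriticalExtension(false);
        return;
    }
    final String idpOid = Extension.issuingDistributionPoint.getId();
    for (final String criticalExtensionOID : criticalExtensionOIDs) {
        if (!idpOid.equals(criticalExtensionOID)) {
            // A critical extension this code does not recognise; the earlier version never looked at
            // the other OIDs and, when IssuingDistributionPoint was absent, failed with a
            // NullPointerException on ASN1OctetString.getInstance(null).getOctets().
            crlValidity.setUnknownCriticalExtension(true);
            return;
        }
    }
    final byte[] extensionValue = x509CRL.getExtensionValue(idpOid);
    if (extensionValue == null) {
        // Defensive: the OID was listed as critical but no value is available.
        crlValidity.setUnknownCriticalExtension(true);
        return;
    }
    final IssuingDistributionPoint issuingDistributionPoint = IssuingDistributionPoint
            .getInstance(ASN1OctetString.getInstance(extensionValue).getOctets());
    final boolean onlyAttributeCerts = issuingDistributionPoint.onlyContainsAttributeCerts();
    final boolean onlyCaCerts = issuingDistributionPoint.onlyContainsCACerts();
    final boolean onlyUserCerts = issuingDistributionPoint.onlyContainsUserCerts();
    final boolean indirectCrl = issuingDistributionPoint.isIndirectCRL();
    final ReasonFlags onlySomeReasons = issuingDistributionPoint.getOnlySomeReasons();
    final DistributionPointName distributionPoint = issuingDistributionPoint.getDistributionPoint();
    boolean urlFound = false;
    // distributionPoint is OPTIONAL in the IDP, so its type is read only when it is present.
    if ((distributionPoint != null) && (DistributionPointName.FULL_NAME == distributionPoint.getType())) {
        final GeneralNames generalNames = (GeneralNames) distributionPoint.getName();
        final GeneralName[] names = generalNames == null ? null : generalNames.getNames();
        if (names != null) {
            for (final GeneralName generalName : names) {
                if (GeneralName.uniformResourceIdentifier == generalName.getTagNo()) {
                    urlFound = true;
                    break;
                }
            }
        }
    }
    // NOTE(review): the scope flags are mutually exclusive for a conforming CRL, so the conjunction
    // below is effectively never true — confirm whether scope-restricted CRLs should be accepted here.
    if (!(onlyAttributeCerts && onlyCaCerts && onlyUserCerts && indirectCrl)
            && (onlySomeReasons == null) && urlFound) {
        crlValidity.setUnknownCriticalExtension(false);
    }
}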
From source file:mitm.common.security.crl.PKIXRevocationChecker.java
License:Open Source License
/**
 * Builds the interim reasons mask of RFC 5280 section 6.3.3 (d) for {@code crl} against the
 * CRL distribution points of {@code targetCertificate}.
 *
 * <p>Each non-null distribution point contributes the reasons it names, narrowed to the CRL's
 * onlySomeReasons when the CRL's IssuingDistributionPoint carries one; a distribution point
 * without reasons contributes the CRL's onlySomeReasons, or every reason when there is none.
 * A certificate without distribution points contributes that same unrestricted value directly.
 *
 * @param targetCertificate the certificate whose CRL distribution points are consulted
 * @param crl               the CRL whose IssuingDistributionPoint extension is consulted
 * @return the OR of the per-distribution-point contributions; 0 when every distribution point is null
 * @throws IOException if either extension cannot be read
 */
private int getInterimReasonsMask(X509Certificate targetCertificate, X509CRL crl) throws IOException {
    IssuingDistributionPoint idp = X509CRLInspector.getIssuingDistributionPoint(crl);
    CRLDistPoint crlDistPoint = X509CertificateInspector.getCRLDistibutionPoints(targetCertificate);
    DistributionPoint[] dps = crlDistPoint == null ? null : crlDistPoint.getDistributionPoints();

    ReasonFlags idpReasons = idp == null ? null : idp.getOnlySomeReasons();
    // What a distribution point without its own reasons covers: 6.3.3 (d)(2) with an IDP
    // restriction, (d)(3) without one.
    int unrestricted = idpReasons == null ? allReasons : idpReasons.intValue();

    if (dps == null) {
        return unrestricted;
    }
    int interimMask = 0;
    for (DistributionPoint dp : dps) {
        if (dp == null) {
            logger.debug("Distributionpoint is null.");
            continue;
        }
        interimMask |= reasonsCoveredBy(dp, idpReasons, unrestricted);
    }
    return interimMask;
}

/**
 * Reasons one distribution point contributes: its own reasons intersected with the IDP's
 * onlySomeReasons when both exist (6.3.3 (d)(1)), its own reasons alone when the IDP names none,
 * and {@code unrestricted} when it names none itself.
 */
private static int reasonsCoveredBy(DistributionPoint dp, ReasonFlags idpReasons, int unrestricted) {
    ReasonFlags dpReasons = dp.getReasons();
    if (dpReasons == null) {
        return unrestricted;
    }
    return idpReasons == null ? dpReasons.intValue() : (dpReasons.intValue() & idpReasons.intValue());
}
From source file:net.sf.keystore_explorer.crypto.x509.X509Ext.java
License:Open Source License
/**
 * Renders a DER-encoded IssuingDistributionPoint extension value as display text.
 *
 * <p>Output order follows the ASN.1 definition: the optional distribution point name, the
 * onlyContainsUserCerts and onlyContainsCACerts flags, the optional onlySomeReasons list (one
 * indented line per reason), then indirectCRL and onlyContainsAttributeCerts. Every flag line
 * comes from the localised resource of the same name and ends with {@code NEWLINE}.
 *
 * @param value the DER encoding of the IssuingDistributionPoint
 * @return the multi-line rendering
 * @throws IOException if the value cannot be decoded
 */
private String getIssuingDistributionPointStringValue(byte[] value) throws IOException {
    // @formatter:off
    /*
     * IssuingDistributionPoint ::= ASN1Sequence {
     *     distributionPoint          [0] DistributionPointName OPTIONAL,
     *     onlyContainsUserCerts      [1] ASN1Boolean DEFAULT FALSE,
     *     onlyContainsCACerts        [2] ASN1Boolean DEFAULT FALSE,
     *     onlySomeReasons            [3] ReasonFlags OPTIONAL,
     *     indirectCRL                [4] ASN1Boolean DEFAULT FALSE,
     *     onlyContainsAttributeCerts [5] ASN1Boolean DEFAULT FALSE }
     */
    // @formatter:on
    // The DEFAULT FALSE members come back as plain false when absent, so only the two
    // OPTIONAL members need a null check.
    IssuingDistributionPoint idp = IssuingDistributionPoint.getInstance(value);
    StringBuilder out = new StringBuilder();

    DistributionPointName dpName = idp.getDistributionPoint();
    if (dpName != null) {
        out.append(getDistributionPointNameString(dpName, ""));
    }
    appendFlagLine(out, "OnlyContainsUserCerts", idp.onlyContainsUserCerts());
    appendFlagLine(out, "OnlyContainsCaCerts", idp.onlyContainsCACerts());

    ReasonFlags onlySomeReasons = idp.getOnlySomeReasons();
    if (onlySomeReasons != null) {
        out.append(res.getString("OnlySomeReasons")).append(NEWLINE);
        for (String reasonFlag : getReasonFlagsStrings(onlySomeReasons)) {
            out.append(INDENT).append(reasonFlag).append(NEWLINE);
        }
    }
    appendFlagLine(out, "IndirectCrl", idp.isIndirectCRL());
    appendFlagLine(out, "OnlyContainsAttributeCerts", idp.onlyContainsAttributeCerts());
    return out.toString();
}

/** Appends the localised message for {@code key}, formatted with {@code flag}, followed by a line break. */
private void appendFlagLine(StringBuilder out, String key, boolean flag) {
    out.append(MessageFormat.format(res.getString(key), flag));
    out.append(NEWLINE);
}
From source file:org.glite.security.util.FileCRLChecker.java
License:Apache License
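/**
 * Checks the IssuingDistributionPoint extension of the CRL for information this checker does
 * not support.
 *
 * <p>A CRL scoped to attribute certificates only, or restricted to some revocation reasons only,
 * is rejected: on its own such a CRL cannot establish a certificate's revocation status, and
 * combining it with complementing CRLs is not supported here. A CRL without the extension passes.
 *
 * @throws CertificateException if the extension is malformed or carries unsupported information.
 * @throws IOException if parsing the extension fails.
 */
private void checkIssuinDistributionPoint() throws CertificateException, IOException {
    byte[] extensionBytes = m_crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.toString());
    if (extensionBytes == null) {
        // Extension absent: nothing restricts the CRL's scope, so there is nothing to reject.
        // The earlier version passed the null straight to ASN1Object.fromByteArray and would fail
        // with a NullPointerException here.
        return;
    }
    ASN1Object object = ASN1Object.fromByteArray(extensionBytes);
    if (!(object instanceof DEROctetString)) {
        throw new CertificateException(
                "Invalid data in IssuingDistributionPoint extension, not DEROctetString");
    }
    // The extension value is an OCTET STRING wrapping the DER-encoded IssuingDistributionPoint SEQUENCE.
    DEROctetString string = (DEROctetString) object;
    object = ASN1Object.fromByteArray(string.getOctets());
    if (!(object instanceof ASN1Sequence)) {
        throw new CertificateException("Invalid data in IssuingDistributionPoint extension, not ASN1Sequence");
    }
    IssuingDistributionPoint issuingDistributionPoint = new IssuingDistributionPoint((ASN1Sequence) object);
    if (issuingDistributionPoint.onlyContainsAttributeCerts()) {
        throw new CertificateException("CRL only contains attribute certs, not useful for authentication.");
    }
    if (issuingDistributionPoint.getOnlySomeReasons() != null) {
        throw new CertificateException(
                "CRL only contains some reasons of revocations, can't trust the certificates without other complementing CRL(s), which is not supported.");
    }
}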