Example usage for org.bouncycastle.asn1.x509 NameConstraints getExcludedSubtrees

List of usage examples for org.bouncycastle.asn1.x509 NameConstraints getExcludedSubtrees

Introduction

This page lists usage examples for org.bouncycastle.asn1.x509 NameConstraints getExcludedSubtrees.

Prototype

public GeneralSubtree[] getExcludedSubtrees() 


Usage

From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.java

License:Open Source License

/**
 * Applies name-constraint processing to every certificate in {@code certPath} and records
 * the first violation found through {@link #addError}.
 * <p>
 * The path is walked from the highest index down to index 0, so {@code certs} is assumed to
 * hold the end-entity certificate at index 0 (the usual CertPath order) — confirm against the
 * caller. A self-issued certificate is skipped unless it is the one at index 0. For every other
 * certificate the subject DN, the emailAddress attributes of that DN and each subjectAltName
 * entry are checked against the constraints accumulated so far; afterwards the certificate's own
 * NameConstraints extension narrows the validator, so its constraints only affect the
 * certificates processed after it.
 * <p>
 * Violations are not propagated: the {@link CertPathReviewerException} carrying the message and
 * the index of the offending certificate is caught at the end, reported via {@code addError},
 * and processing stops at that certificate. The step labels (b), (c) and (g) in the comments
 * presumably refer to the RFC 5280 section 6.1.3 / 6.1.4 path-validation steps.
 */
private void checkNameConstraints() {
    X509Certificate cert = null; // certificate currently being processed; assigned in the loop

    //
    // Setup
    //

    // (b)  and (c)
    // The validator starts unconstrained; each NameConstraints extension seen on the way down
    // the path intersects the permitted set and extends the excluded set (see (g) below).
    PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator();

    //
    // process each certificate except the self issued which are not last in the path
    //
    int index;

    try {
        for (index = certs.size() - 1; index >= 0; index--) {
            //
            // certificate processing
            //

            cert = (X509Certificate) certs.get(index);

            // b),c)
            // Self-issued certificates are exempt from name constraints unless they are the
            // last certificate in the path (index 0).

            if (!(isSelfIssued(cert) && index != 0)) {
                X500Principal principal = getSubjectPrincipal(cert);
                // The stream is not closed explicitly; it only wraps an in-memory byte array.
                ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(principal.getEncoded()));
                ASN1Sequence dns;

                try {
                    dns = (ASN1Sequence) aIn.readObject();
                } catch (IOException e) {
                    // The subject DN could not be re-parsed as an ASN.1 SEQUENCE.
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.ncSubjectNameError",
                            new Object[] { new UntrustedInput(principal) });
                    throw new CertPathReviewerException(msg, e, certPath, index);
                }

                try {
                    nameConstraintValidator.checkPermittedDN(dns);
                } catch (PKIXNameConstraintValidatorException cpve) {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.notPermittedDN",
                            new Object[] { new UntrustedInput(principal.getName()) });
                    throw new CertPathReviewerException(msg, cpve, certPath, index);
                }

                try {
                    nameConstraintValidator.checkExcludedDN(dns);
                } catch (PKIXNameConstraintValidatorException cpve) {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.excludedDN",
                            new Object[] { new UntrustedInput(principal.getName()) });
                    throw new CertPathReviewerException(msg, cpve, certPath, index);
                }

                //FIX (missing in orig cert path reviewer)
                // RFC 5280 section 4.2.1.10: rfc822Name constraints also apply to emailAddress
                // attributes carried in the subject DN, so each one is checked as a GeneralName
                // of type rfc822Name. Raw Vector/Enumeration types are what the legacy X509Name
                // API returns. Note that the message keys reused here name the DN rather than the
                // e-mail address.
                Vector emails = new X509Name(dns).getValues(X509Name.EmailAddress);
                for (Enumeration e = emails.elements(); e.hasMoreElements();) {
                    String email = (String) e.nextElement();
                    GeneralName emailAsGeneralName = new GeneralName(GeneralName.rfc822Name, email);
                    try {
                        nameConstraintValidator.checkPermitted(emailAsGeneralName);
                    } catch (PKIXNameConstraintValidatorException cpve) {
                        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.notPermittedDN",
                                new Object[] { new UntrustedInput(principal.getName()) });
                        throw new CertPathReviewerException(msg, cpve, certPath, index);
                    }

                    try {
                        nameConstraintValidator.checkExcluded(emailAsGeneralName);
                    } catch (PKIXNameConstraintValidatorException cpve) {
                        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.excludedDN",
                                new Object[] { new UntrustedInput(principal.getName()) });
                        throw new CertPathReviewerException(msg, cpve, certPath, index);
                    }
                }

                // Every subjectAltName entry is checked, whatever its GeneralName type.
                ASN1Sequence altName;
                try {
                    altName = (ASN1Sequence) getExtensionValue(cert, SUBJECT_ALTERNATIVE_NAME);
                } catch (AnnotatedException ae) {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.subjAltNameExtError");
                    throw new CertPathReviewerException(msg, ae, certPath, index);
                }

                if (altName != null) {
                    for (int j = 0; j < altName.size(); j++) {
                        GeneralName name = GeneralName.getInstance(altName.getObjectAt(j));

                        try {
                            nameConstraintValidator.checkPermitted(name);
                            nameConstraintValidator.checkExcluded(name);
                        } catch (PKIXNameConstraintValidatorException cpve) {
                            // NOTE(review): the same "notPermittedEmail" key is reported for every
                            // SAN name type and for both the permitted and the excluded check.
                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                                    "CertPathReviewer.notPermittedEmail",
                                    new Object[] { new UntrustedInput(name) });
                            throw new CertPathReviewerException(msg, cpve, certPath, index);
                        }
                    }
                }

            }

            //
            // prepare for next certificate
            //

            //
            // (g) handle the name constraints extension
            //
            // Done after this certificate's own names were checked, so a CA's constraints
            // bind the certificates it issues, not itself.
            ASN1Sequence ncSeq;
            try {
                ncSeq = (ASN1Sequence) getExtensionValue(cert, NAME_CONSTRAINTS);
            } catch (AnnotatedException ae) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.ncExtError");
                throw new CertPathReviewerException(msg, ae, certPath, index);
            }

            if (ncSeq != null) {
                NameConstraints nc = NameConstraints.getInstance(ncSeq);

                //
                // (g) (1) permitted subtrees
                //
                // Intersection: a later CA can only narrow, never widen, the permitted set.
                GeneralSubtree[] permitted = nc.getPermittedSubtrees();
                if (permitted != null) {
                    nameConstraintValidator.intersectPermittedSubtree(permitted);
                }

                //
                // (g) (2) excluded subtrees
                //
                // Union: every excluded subtree seen so far stays excluded.
                GeneralSubtree[] excluded = nc.getExcludedSubtrees();
                if (excluded != null) {
                    for (int c = 0; c != excluded.length; c++) {
                        nameConstraintValidator.addExcludedSubtree(excluded[c]);
                    }
                }
            }

        } // for
    } catch (CertPathReviewerException cpre) {
        // Record the violation with the index of the certificate it was found on.
        addError(cpre.getErrorMessage(), cpre.getIndex());
    }
}

From source file:net.sf.keystore_explorer.crypto.x509.X509Ext.java

License:Open Source License

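/**
 * Renders a DER-encoded NameConstraints extension value as indented, localized text.
 *
 * <pre>
 * NameConstraints ::= SEQUENCE { permittedSubtrees [0] GeneralSubtrees OPTIONAL,
 *                                excludedSubtrees  [1] GeneralSubtrees OPTIONAL }
 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 * GeneralSubtree  ::= SEQUENCE { base    GeneralName,
 *                                minimum [0] BaseDistance DEFAULT nodistance,
 *                                maximum [1] BaseDistance OPTIONAL }
 * BaseDistance    ::= INTEGER { nodistance(0) } (0..MAX)
 * </pre>
 *
 * The permitted list is reported as "no value" when it is absent or empty; the excluded list
 * only when it is absent (an empty excluded list prints its header with no entries), which
 * matches the previous rendering of both lists.
 *
 * @param value DER encoding of the extension value (the content of the OCTET STRING)
 * @return the multi-line textual representation
 * @throws IOException kept on the signature for callers; decoding failures from the library
 *         surface as runtime exceptions
 */
private String getNameConstraintsStringValue(byte[] value) throws IOException {
    NameConstraints nameConstraints = NameConstraints.getInstance(value);

    StringBuilder sb = new StringBuilder();

    // An absent or empty permittedSubtrees list is rendered as "no value".
    GeneralSubtree[] permittedArray = nameConstraints.getPermittedSubtrees();
    if (permittedArray != null && permittedArray.length == 0) {
        permittedArray = null;
    }
    appendSubtrees(sb, "PermittedSubtrees", "PermittedSubtree", permittedArray);

    // excludedSubtrees is OPTIONAL: only a missing list is rendered as "no value".
    appendSubtrees(sb, "ExcludedSubtrees", "ExcludedSubtree", nameConstraints.getExcludedSubtrees());

    return sb.toString();
}

/**
 * Appends one subtree list (permitted or excluded) to {@code sb}: the list header, then for
 * each subtree a numbered entry with its base name, minimum and (when present) maximum.
 *
 * @param sb target buffer
 * @param listKey resource key of the list header
 * @param entryKey resource key of the numbered per-subtree header (a MessageFormat pattern)
 * @param subtrees the subtrees to render, or {@code null} to render "no value"
 */
private void appendSubtrees(StringBuilder sb, String listKey, String entryKey, GeneralSubtree[] subtrees) {
    sb.append(res.getString(listKey));

    if (subtrees == null) {
        sb.append(" ").append(res.getString("NoValue"));
        sb.append(NEWLINE);
        return;
    }

    sb.append(NEWLINE);

    int entryNumber = 0;

    for (GeneralSubtree subtree : new GeneralSubtrees(subtrees).getGeneralSubtrees()) {
        entryNumber++;

        sb.append(INDENT);
        sb.append(MessageFormat.format(res.getString(entryKey), entryNumber));
        sb.append(NEWLINE);

        sb.append(INDENT);
        sb.append(INDENT);
        sb.append(res.getString("Base"));
        sb.append(NEWLINE);

        sb.append(INDENT);
        sb.append(INDENT);
        sb.append(INDENT);
        sb.append(GeneralNameUtil.toString(subtree.getBase()));
        sb.append(NEWLINE);

        // minimum DEFAULTs to nodistance (0). Guard against a null return so both lists are
        // rendered the same way; intValue() silently truncates out-of-range values, which is
        // acceptable for a display string.
        BigInteger minimum = subtree.getMinimum();
        int minimumInt = (minimum == null) ? 0 : minimum.intValue();

        sb.append(INDENT);
        sb.append(INDENT);
        sb.append(MessageFormat.format(res.getString("Minimum"), minimumInt));
        sb.append(NEWLINE);

        // maximum is OPTIONAL with no default, so it is only printed when present.
        BigInteger maximum = subtree.getMaximum();

        if (maximum != null) {
            int maximumInt = maximum.intValue();

            sb.append(INDENT);
            sb.append(INDENT);
            sb.append(MessageFormat.format(res.getString("Maximum"), maximumInt));
            sb.append(NEWLINE);
        }
    }
}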

From source file:net.sf.keystore_explorer.gui.dialogs.extensions.DNameConstraints.java

License:Open Source License

/**
 * Fills the permitted and excluded subtree editors from a DER-encoded NameConstraints value.
 * Both lists are optional in the encoding; an absent list leaves its editor untouched.
 *
 * @param value DER encoding of the NameConstraints extension value
 * @throws IOException declared for callers; the decoding itself is done by the library
 */
private void prepopulateWithValue(byte[] value) throws IOException {
    NameConstraints decoded = NameConstraints.getInstance(value);

    boolean hasPermitted = decoded.getPermittedSubtrees() != null;
    boolean hasExcluded = decoded.getExcludedSubtrees() != null;

    if (hasPermitted) {
        jgsPermittedSubtrees.setGeneralSubtrees(new GeneralSubtrees(decoded.getPermittedSubtrees()));
    }

    if (hasExcluded) {
        jgsExcludedSubtrees.setGeneralSubtrees(new GeneralSubtrees(decoded.getExcludedSubtrees()));
    }
}

From source file:org.cesecore.util.CertTools.java

License:Open Source License

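/**
 * Checks that the given SubjectDN / SAN satisfies the Name Constraints of the given issuer (if there are any).
 * This method checks the Name Constraints in the given issuer only. A complete implementation of
 * name constraints should check the whole certificate chain.
 * <p>
 * When {@code subjectDNName} equals the issuer's own subject DN (a self-issued certificate, e.g. a
 * root CA) the method returns without checking either the DN or the SAN.
 *
 * @param issuer Issuing CA.
 * @param subjectDNName Subject DN to check. Optional.
 * @param subjectAltName Subject Alternative Name to check. Optional.
 * @throws IllegalNameException if the subject DN or one of the alternative names is not permitted
 *         by, or is excluded by, the issuer's name constraints
 */
public static void checkNameConstraints(X509Certificate issuer, X500Name subjectDNName,
        GeneralNames subjectAltName) throws IllegalNameException {
    final byte[] ncbytes = issuer.getExtensionValue(Extension.nameConstraints.getId());
    if (ncbytes == null) {
        return; // no NameConstraints extension on the issuer: nothing to enforce
    }
    // getExtensionValue() returns the DER-encoded OCTET STRING; unwrap it to reach the SEQUENCE.
    final ASN1OctetString ncstr = DEROctetString.getInstance(ncbytes);
    final ASN1Sequence ncseq = DERSequence.getInstance(ncstr.getOctets());
    final NameConstraints nc = NameConstraints.getInstance(ncseq);

    if (subjectDNName != null) {
        // Skip check for root CAs: a subject DN identical to the issuer's subject DN is treated
        // as self-issued. Note that this also skips the SAN check.
        final X500Name issuerDNName = X500Name.getInstance(issuer.getSubjectX500Principal().getEncoded());
        if (issuerDNName.equals(subjectDNName)) {
            return;
        }
    }

    final PKIXNameConstraintValidator validator = new PKIXNameConstraintValidator();

    final GeneralSubtree[] permitted = nc.getPermittedSubtrees();
    if (permitted != null) {
        validator.intersectPermittedSubtree(permitted);
    }
    final GeneralSubtree[] excluded = nc.getExcludedSubtrees();
    if (excluded != null) {
        for (GeneralSubtree subtree : excluded) {
            validator.addExcludedSubtree(subtree);
        }
    }

    if (subjectDNName != null) {
        final GeneralName dngn = new GeneralName(subjectDNName);
        try {
            validator.checkPermitted(dngn);
            validator.checkExcluded(dngn);
        } catch (PKIXNameConstraintValidatorException e) {
            final String dnStr = subjectDNName.toString();
            // Presumably a DN given in LDAP order can fail a constraint that its X.500-ordered
            // form satisfies, so the ordering problem is reported instead of a forbidden DN.
            final boolean isLdapOrder = dnHasMultipleComponents(dnStr) && !isDNReversed(dnStr);
            final String msg = isLdapOrder
                    ? intres.getLocalizedMessage("nameconstraints.x500dnorderrequired")
                    : intres.getLocalizedMessage("nameconstraints.forbiddensubjectdn", subjectDNName);
            // Keep the validator failure as the cause in both branches so the original reason
            // is not lost.
            throw new IllegalNameException(msg, e);
        }
    }

    if (subjectAltName != null) {
        // Every SAN entry is checked individually, whatever its GeneralName type.
        for (GeneralName sangn : subjectAltName.getNames()) {
            try {
                validator.checkPermitted(sangn);
                validator.checkExcluded(sangn);
            } catch (PKIXNameConstraintValidatorException e) {
                final String msg = intres.getLocalizedMessage("nameconstraints.forbiddensubjectaltname",
                        sangn);
                throw new IllegalNameException(msg, e);
            }
        }
    }
}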

From source file:org.xipki.ca.certprofile.XmlX509CertprofileUtil.java

License:Open Source License

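/**
 * Converts the JAXB profile description of name constraints into the ASN.1 extension object.
 *
 * @param type profile configuration holding the permitted and excluded subtree lists; must not be null
 * @return the extension object, or {@code null} when neither list yields any subtrees
 * @throws CertprofileException propagated from {@code buildGeneralSubtrees}
 * @throws NullPointerException if {@code type} is null
 */
public static NameConstraints buildNameConstrains(final org.xipki.ca.certprofile.x509.jaxb.NameConstraints type)
        throws CertprofileException {
    if (type == null) {
        throw new NullPointerException("type");
    }
    GeneralSubtree[] permitted = buildGeneralSubtrees(type.getPermittedSubtrees());
    GeneralSubtree[] excluded = buildGeneralSubtrees(type.getExcludedSubtrees());
    // Neither side configured: emit no extension at all rather than an empty one.
    return (permitted == null && excluded == null) ? null : new NameConstraints(permitted, excluded);
}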

From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java

License:Open Source License

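/**
 * Verifies the NameConstraints extension of an issued certificate against the QA profile.
 * <p>
 * Without a profile-level configuration ({@code nameConstraints == null}) the extension must be
 * byte-for-byte equal to the value expected from the request; otherwise the permitted and
 * excluded subtree lists are each compared with the configured ones.
 *
 * @param failureMsg buffer that collects violation descriptions
 * @param extensionValue DER encoding of the extension value found in the certificate
 * @param requestExtensions extensions carried by the certificate request
 * @param extControl control settings for this extension
 */
private void checkExtensionNameConstraints(final StringBuilder failureMsg, final byte[] extensionValue,
        final Extensions requestExtensions, final ExtensionControl extControl) {
    QaNameConstraints conf = nameConstraints;

    if (conf == null) {
        byte[] expected = getExpectedExtValue(Extension.nameConstraints, requestExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            // Message text fixed ("valus" -> "value"); the format otherwise matches the sibling checks.
            failureMsg.append("extension value is '").append(hex(extensionValue))
                    .append("' but expected '")
                    .append(expected == null ? "not present" : hex(expected))
                    .append("'");
            failureMsg.append("; ");
        }
        return;
    }

    org.bouncycastle.asn1.x509.NameConstraints iNameConstraints = org.bouncycastle.asn1.x509.NameConstraints
            .getInstance(extensionValue);

    checkExtensionNameConstraintsSubtrees(failureMsg, "PermittedSubtrees",
            iNameConstraints.getPermittedSubtrees(), conf.getPermittedSubtrees());
    checkExtensionNameConstraintsSubtrees(failureMsg, "ExcludedSubtrees",
            iNameConstraints.getExcludedSubtrees(), conf.getExcludedSubtrees());
}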

From source file:org.xipki.pki.ca.certprofile.XmlX509CertprofileUtil.java

License:Open Source License

/**
 * Builds the ASN.1 NameConstraints extension object from its JAXB profile description.
 *
 * @param type profile configuration with the permitted and excluded subtree lists; must not be null
 * @return the extension object, or {@code null} when neither list yields any subtrees
 * @throws CertprofileException propagated from {@code buildGeneralSubtrees}
 */
public static NameConstraints buildNameConstrains(
        final org.xipki.pki.ca.certprofile.x509.jaxb.NameConstraints type) throws CertprofileException {
    ParamUtil.requireNonNull("type", type);

    GeneralSubtree[] permittedSubtrees = buildGeneralSubtrees(type.getPermittedSubtrees());
    GeneralSubtree[] excludedSubtrees = buildGeneralSubtrees(type.getExcludedSubtrees());

    boolean nothingConfigured = permittedSubtrees == null && excludedSubtrees == null;
    if (nothingConfigured) {
        return null;
    }
    return new NameConstraints(permittedSubtrees, excludedSubtrees);
}

From source file:org.xipki.pki.ca.qa.ExtensionsChecker.java

License:Open Source License

/**
 * Verifies the NameConstraints extension of an issued certificate against the QA profile.
 * <p>
 * With a configured profile ({@code nameConstraints != null}) the permitted and excluded subtree
 * lists are each compared with the configured ones; without one, the extension must match the
 * value expected from the request byte for byte.
 *
 * @param failureMsg buffer that collects violation descriptions
 * @param extensionValue DER encoding of the extension value found in the certificate
 * @param requestedExtensions extensions carried by the certificate request
 * @param extControl control settings for this extension
 */
private void checkExtensionNameConstraints(final StringBuilder failureMsg, final byte[] extensionValue,
        final Extensions requestedExtensions, final ExtensionControl extControl) {
    QaNameConstraints conf = nameConstraints;

    if (conf != null) {
        org.bouncycastle.asn1.x509.NameConstraints actual =
                org.bouncycastle.asn1.x509.NameConstraints.getInstance(extensionValue);

        checkExtensionNameConstraintsSubtrees(failureMsg, "PermittedSubtrees",
                actual.getPermittedSubtrees(), conf.getPermittedSubtrees());
        checkExtensionNameConstraintsSubtrees(failureMsg, "ExcludedSubtrees",
                actual.getExcludedSubtrees(), conf.getExcludedSubtrees());
        return;
    }

    byte[] expected = getExpectedExtValue(Extension.nameConstraints, requestedExtensions, extControl);
    boolean matches = Arrays.equals(expected, extensionValue);
    if (!matches) {
        String expectedText = (expected == null) ? "not present" : hex(expected);
        addViolation(failureMsg, "extension values", hex(extensionValue), expectedText);
    }
}