List of usage examples for org.bouncycastle.asn1.x509 X509Name equals
public boolean equals(Object obj)
From source file:be.fedict.eid.dss.spi.utils.XAdESUtils.java
License:Open Source License
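/**
 * Verifies that the certificate that actually produced the signature is the one
 * referenced by the xades:SigningCertificate signed property.
 * <p>
 * The first CertID of the property is taken as the signer's own certificate (later
 * entries, if any, are not inspected). Three comparisons are made, in this order:
 * the certificate digest (algorithm declared in the property, computed over the
 * certificate's DER encoding), the serial number, and the issuer name.
 *
 * @param signingCertificate        certificate that produced the signature
 * @param signedSignatureProperties signed properties carrying xades:SigningCertificate
 * @throws XAdESValidationException     if the property is absent or incomplete, the declared
 *                                      digest algorithm is unavailable, the issuer name of the
 *                                      certificate cannot be parsed, or any comparison fails
 * @throws CertificateEncodingException if the certificate cannot be DER-encoded for hashing
 */
public static void checkSigningCertificate(X509Certificate signingCertificate,
        SignedSignaturePropertiesType signedSignatureProperties)
        throws XAdESValidationException, CertificateEncodingException {
    CertIDListType certIdList = signedSignatureProperties.getSigningCertificate();
    if (certIdList == null || certIdList.getCert() == null || certIdList.getCert().isEmpty()) {
        throw new XAdESValidationException("xades:SigningCertificate missing or empty");
    }
    CertIDType certId = certIdList.getCert().get(0);

    checkCertificateDigest(signingCertificate, certId.getCertDigest());

    X509IssuerSerialType issuerSerial = certId.getIssuerSerial();
    if (issuerSerial == null) {
        throw new XAdESValidationException("xades:SigningCertificate IssuerSerial missing");
    }
    BigInteger serialNumber = issuerSerial.getX509SerialNumber();
    if (!signingCertificate.getSerialNumber().equals(serialNumber)) {
        throw new XAdESValidationException("xades:SigningCertificate serial number mismatch");
    }

    X509Name issuerName;
    try {
        // X509Principal is an X509Name built directly from the DER-encoded issuer, so
        // the name is not round-tripped through a string form (which can lose escaping).
        issuerName = new X509Principal(signingCertificate.getIssuerX500Principal().getEncoded());
    } catch (IOException e) {
        throw new XAdESValidationException(
                "error parsing xades:SigningCertificate ds:X509IssuerName: " + e.getMessage(), e);
    }
    X509Name xadesIssuerName = new X509Name(issuerSerial.getX509IssuerName());
    if (!issuerName.equals(xadesIssuerName)) {
        throw new XAdESValidationException("xades:SigningCertificate issuer name mismatch");
    }
    LOG.debug("XAdES SigningCertificate OK");
}

/**
 * Compares the digest declared in a CertID with a freshly computed digest of the
 * certificate's DER encoding.
 *
 * @param certificate certificate to hash
 * @param declared    digest algorithm and value from the xades:CertDigest element
 * @throws XAdESValidationException     if the element is incomplete, the algorithm is not
 *                                      available, or the digests differ
 * @throws CertificateEncodingException if the certificate cannot be DER-encoded
 */
private static void checkCertificateDigest(X509Certificate certificate, DigestAlgAndValueType declared)
        throws XAdESValidationException, CertificateEncodingException {
    if (declared == null || declared.getDigestMethod() == null || declared.getDigestValue() == null) {
        throw new XAdESValidationException("xades:SigningCertificate CertDigest missing or incomplete");
    }
    String xmlDigestAlgo = declared.getDigestMethod().getAlgorithm();
    String digestAlgo = XAdESUtils.getDigestAlgo(xmlDigestAlgo);
    MessageDigest messageDigest;
    try {
        messageDigest = MessageDigest.getInstance(digestAlgo);
    } catch (NoSuchAlgorithmException e) {
        throw new XAdESValidationException("message digest algo error: " + e.getMessage(), e);
    }
    byte[] actualDigest = messageDigest.digest(certificate.getEncoded());
    // Constant-time comparison; same result as Arrays.equals for non-null inputs.
    if (!MessageDigest.isEqual(actualDigest, declared.getDigestValue())) {
        throw new XAdESValidationException(
                "XAdES signing certificate not corresponding with actual signing certificate");
    }
}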
From source file:eu.europa.ec.markt.tlmanager.core.validation.Validation.java
License:Open Source License
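/**
 * History
 * <p>
 * The service digital identifier must refer to the SDI described in the Service entity:
 * for every service, the certificate, subject name and SKI found in each history
 * instance are compared with those of the service's own certificate, and every mismatch
 * is reported through {@code logger}. Missing or unreadable service certificates are
 * reported once per service; the history comparisons then run against null reference
 * values and report mismatches accordingly.
 */
private void checkRuleServiceDigitalIdentifier() {
    if (services == null) {
        return;
    }
    for (TSPServiceType service : services) {
        DigitalIdentityListType sdi = service.getServiceInformation().getServiceDigitalIdentity();
        byte[] certS = firstCertificate(sdi);

        // Reference values from the service's own certificate; they stay null when the
        // certificate is absent or unreadable.
        X509Name subjectName = null;
        byte[] skiS = null;
        if (certS == null) {
            reportInvalidCertificate(service, "no X509Certificate in ServiceDigitalIdentity");
        } else {
            try {
                X509Certificate certificate = CertificateUtils.read(new ByteArrayInputStream(certS));
                subjectName = new X509Name(certificate.getSubjectDN().getName());
                skiS = certificate.getExtensionValue(Configuration.SKI_OID);
            } catch (Exception ex) {
                // Any parse failure (including runtime ones from the reader) is "invalid".
                reportInvalidCertificate(service, ex.getMessage());
            }
        }

        ServiceHistoryType serviceHistory = service.getServiceHistory();
        if (serviceHistory == null) {
            continue;
        }
        List<ServiceHistoryInstanceType> instances = serviceHistory.getServiceHistoryInstance();
        for (ServiceHistoryInstanceType history : instances) {
            checkHistoryInstance(history, certS, subjectName, skiS);
        }
    }
}

/** Returns the first X509Certificate entry of a digital identity list, or null if none. */
private static byte[] firstCertificate(DigitalIdentityListType sdi) {
    if (sdi == null) {
        return null;
    }
    for (DigitalIdentityType dit : sdi.getDigitalId()) {
        if (dit.getX509Certificate() != null) {
            return dit.getX509Certificate();
        }
    }
    return null;
}

/** Logs the "mandatory certificate invalid" message for a service, with a detail string. */
private void reportInvalidCertificate(TSPServiceType service, String detail) {
    String message = uiKeys.getString("Validation.mandatory.certificate.invalid");
    LOG.log(Level.SEVERE, message + " - " + detail);
    logger.error(message, service);
}

/**
 * Compares one history instance's digital identity with the service-level reference values.
 *
 * @param history     history instance under check
 * @param certS       DER bytes of the service certificate, may be null
 * @param subjectName subject name of the service certificate, may be null
 * @param skiS        SKI extension value of the service certificate, may be null
 */
private void checkHistoryInstance(ServiceHistoryInstanceType history, byte[] certS,
        X509Name subjectName, byte[] skiS) {
    DigitalIdentityListType sdi = history.getServiceDigitalIdentity();
    if (sdi == null) {
        return;
    }
    byte[] certH = null;
    byte[] skiH = null;
    X509Name nameH = null;
    for (DigitalIdentityType dit : sdi.getDigitalId()) {
        if (dit.getX509Certificate() != null) {
            certH = dit.getX509Certificate();
        } else if (dit.getX509SubjectName() != null) {
            // The history-side name must land in nameH; assigning it to the service-side
            // reference would make the subject-name comparison below unreachable.
            nameH = new X509Name(dit.getX509SubjectName());
        } else if (dit.getX509SKI() != null) {
            skiH = dit.getX509SKI();
        }
    }
    if (certH != null && !Arrays.equals(certH, certS)) {
        logger.error(uiKeys.getString("Validation.rule.serviceDigitalIdentifier.certMismatch"), history);
    }
    if (nameH != null && !nameH.equals(subjectName)) {
        logger.error(uiKeys.getString("Validation.rule.serviceDigitalIdentifier.snMismatch"), history);
    }
    if (skiH != null && skiS != null && !skiMatches(skiH, skiS)) {
        logger.error(uiKeys.getString("Validation.rule.serviceDigitalIdentifier.skiMismatch"), history);
    }
}

/**
 * Compares two subject-key-identifier byte strings, tolerating a length difference by
 * matching the shorter one against the trailing bytes of the longer one. The value from
 * {@code X509Certificate.getExtensionValue} is the DER-encoded extension (OCTET STRING
 * wrapping), whereas the TL's X509SKI presumably carries the bare identifier; the suffix
 * match is the existing heuristic for that and does not validate the wrapping bytes.
 */
private static boolean skiMatches(byte[] a, byte[] b) {
    byte[] shorter = a;
    byte[] longer = b;
    if (a.length > b.length) {
        shorter = b;
        longer = a;
    }
    if (shorter.length != longer.length) {
        longer = Arrays.copyOfRange(longer, longer.length - shorter.length, longer.length);
    }
    return Arrays.equals(shorter, longer);
}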
From source file:org.globus.gsi.bc.BouncyCastleUtil.java
License:Apache License
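/**
 * Returns the certificate type of the given TBS certificate. <BR>
 * The certificate type is {@link GSIConstants#CA GSIConstants.CA}
 * <B>only</B> if the certificate contains a BasicConstraints extension and it
 * is marked as CA.<BR>
 * A certificate is a GSI-2 proxy when the subject DN of the certificate ends with
 * <I>"CN=proxy"</I> (certificate type {@link GSIConstants#GSI_2_PROXY
 * GSIConstants.GSI_2_PROXY}) or <I>"CN=limited proxy"</I> (certificate type
 * {@link GSIConstants#GSI_2_LIMITED_PROXY GSIConstants.GSI_2_LIMITED_PROXY})
 * component and the issuer DN of the certificate matches the subject DN without
 * the last proxy <I>CN</I> component.<BR>
 * A certificate is a GSI-3 or GSI-4 proxy when the subject DN ends with a <I>CN</I>
 * component, the issuer DN matches the subject DN without that last <I>CN</I>
 * component, and the certificate contains a critical {@link ProxyCertInfo
 * ProxyCertInfo} extension. The extension is looked up under
 * {@link ProxyCertInfo#OID} first (GSI-4 types) and under
 * {@link ProxyCertInfo#OLD_OID} as a fallback (GSI-3 types).<BR>
 * Within each family the type is the IMPERSONATION, INDEPENDENT or LIMITED
 * proxy type when the policy language of the extension is
 * {@link ProxyPolicy#IMPERSONATION}, {@link ProxyPolicy#INDEPENDENT} or
 * {@link ProxyPolicy#LIMITED} respectively, and the RESTRICTED proxy type for
 * any other OID.<BR>
 * The certificate type is {@link GSIConstants#EEC GSIConstants.EEC} if the
 * certificate is not a CA certificate or a GSI-2, GSI-3 or GSI-4 proxy.
 * <p>
 * Only the first AVA of the last RDN is inspected; multi-valued RDNs are not handled.
 *
 * @param crt the TBS certificate to get the type of.
 * @return the certificate type, determined by the rules described above.
 * @exception IOException if something goes wrong.
 * @exception CertificateException for proxy certificates, if the issuer DN of the
 *            certificate does not match the subject DN of the certificate without the
 *            last <I>CN</I> component. Also, for GSI-3/GSI-4 proxies when the
 *            <code>ProxyCertInfo</code> extension is not marked as critical.
 */
private static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt)
        throws CertificateException, IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions != null) {
        X509Extension basicConstraints = extensions.getExtension(X509Extension.basicConstraints);
        if (basicConstraints != null && BasicConstraints.getInstance(basicConstraints).isCA()) {
            return GSIConstants.CertificateType.CA;
        }
    }

    // does not handle multiple AVAs
    X500Name subject = crt.getSubject();
    ASN1Set entry = X509NameHelper.getLastNameEntry(subject);
    ASN1Sequence ava = (ASN1Sequence) entry.getObjectAt(0);
    if (!BCStyle.CN.equals(ava.getObjectAt(0))) {
        return GSIConstants.CertificateType.EEC;
    }

    GSIConstants.CertificateType type = GSIConstants.CertificateType.EEC;
    String value = ((ASN1String) ava.getObjectAt(1)).getString();
    if (value.equalsIgnoreCase("proxy")) {
        type = GSIConstants.CertificateType.GSI_2_PROXY;
    } else if (value.equalsIgnoreCase("limited proxy")) {
        type = GSIConstants.CertificateType.GSI_2_LIMITED_PROXY;
    } else if (extensions != null) {
        type = proxyTypeFromExtension(extensions);
    }

    if (ProxyCertificateUtil.isProxy(type)) {
        verifyProxyIssuer(crt, subject, entry);
    }
    return type;
}

/**
 * Derives the GSI-3/GSI-4 proxy type from the ProxyCertInfo extension, if present.
 * {@link ProxyCertInfo#OID} is tried first (GSI-4), then {@link ProxyCertInfo#OLD_OID}
 * (GSI-3); EEC is returned when neither extension is present.
 *
 * @param extensions the certificate's extensions, non-null
 * @return the proxy type, or EEC when no ProxyCertInfo extension is present
 * @throws CertificateException if the extension is present but not marked critical
 * @throws IOException if the extension cannot be decoded
 */
private static GSIConstants.CertificateType proxyTypeFromExtension(X509Extensions extensions)
        throws CertificateException, IOException {
    boolean gsi4 = true;
    X509Extension ext = extensions.getExtension(ProxyCertInfo.OID);
    if (ext == null) {
        ext = extensions.getExtension(ProxyCertInfo.OLD_OID);
        gsi4 = false;
    }
    if (ext == null) {
        return GSIConstants.CertificateType.EEC;
    }
    // A non-critical ProxyCertInfo is rejected rather than ignored, so that a verifier
    // cannot silently treat a proxy as an ordinary end-entity certificate.
    if (!ext.isCritical()) {
        throw new CertificateException(i18n.getMessage("proxyCertCritical"));
    }
    ProxyCertInfo proxyCertExt = getProxyCertInfo(ext);
    ASN1ObjectIdentifier oid = proxyCertExt.getProxyPolicy().getPolicyLanguage();
    return policyType(oid, gsi4);
}

/**
 * Maps a ProxyCertInfo policy-language OID to the corresponding proxy type.
 *
 * @param oid  the policy language OID
 * @param gsi4 true for the GSI-4 family, false for GSI-3
 * @return the IMPERSONATION, INDEPENDENT or LIMITED type of that family, or its
 *         RESTRICTED type for any other OID
 */
private static GSIConstants.CertificateType policyType(ASN1ObjectIdentifier oid, boolean gsi4) {
    if (ProxyPolicy.IMPERSONATION.equals(oid)) {
        return gsi4 ? GSIConstants.CertificateType.GSI_4_IMPERSONATION_PROXY
                    : GSIConstants.CertificateType.GSI_3_IMPERSONATION_PROXY;
    }
    if (ProxyPolicy.INDEPENDENT.equals(oid)) {
        return gsi4 ? GSIConstants.CertificateType.GSI_4_INDEPENDENT_PROXY
                    : GSIConstants.CertificateType.GSI_3_INDEPENDENT_PROXY;
    }
    if (ProxyPolicy.LIMITED.equals(oid)) {
        return gsi4 ? GSIConstants.CertificateType.GSI_4_LIMITED_PROXY
                    : GSIConstants.CertificateType.GSI_3_LIMITED_PROXY;
    }
    return gsi4 ? GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY
                : GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY;
}

/**
 * Checks that a proxy's issuer DN equals its subject DN minus the last CN component,
 * by appending the subject's last RDN to the issuer and comparing with the subject.
 *
 * @param crt       the TBS certificate
 * @param subject   the certificate's subject
 * @param lastEntry the last RDN of the subject (the proxy CN)
 * @throws CertificateException if the names do not match
 * @throws IOException if the RDN cannot be duplicated
 */
private static void verifyProxyIssuer(TBSCertificateStructure crt, X500Name subject, ASN1Set lastEntry)
        throws CertificateException, IOException {
    X509NameHelper iss = new X509NameHelper(crt.getIssuer());
    iss.add((ASN1Set) BouncyCastleUtil.duplicate(lastEntry));
    X509Name issuer = iss.getAsName();
    // NOTE(review): X509Name.equals(Object) ignores RDN order and case; if an in-order
    // match is intended here, equals(other, true) is the strict form — confirm.
    if (!issuer.equals(X509Name.getInstance(subject))) {
        throw new CertificateException(i18n.getMessage("proxyDNErr"));
    }
}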