Package org.apache.geronimo.util.asn1.x509

Examples of org.apache.geronimo.util.asn1.x509.BasicConstraints


            }

            if (idp != null)
            {
                IssuingDistributionPoint    p = IssuingDistributionPoint.getInstance(idp);
                BasicConstraints bc = null;
                try
                {
                    bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS));
                }
                catch (AnnotatedException ae)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlBCExtError");
                    throw new CertPathReviewerException(msg,ae);
                }
               
                if (p.onlyContainsUserCerts() && (bc != null && bc.isCA()))
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlOnlyUserCert");
                    throw new CertPathReviewerException(msg);
                }
               
                if (p.onlyContainsCACerts() && (bc == null || !bc.isCA()))
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlOnlyCaCert");
                    throw new CertPathReviewerException(msg);
                }
               


        certGen.setPublicKey(intKey);
        certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
   
        certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
        certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(intKey));
        certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0));
        certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));

        return certGen.generateX509Certificate(caKey, "BC");
    }

        certGen.setPublicKey(entityKey);
        certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
       
        certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
        certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(entityKey));
        certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
        certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));

        return certGen.generateX509Certificate(caKey, "BC");
    }

                        }

                        if (idp != null)
                        {
                            IssuingDistributionPoint    p = IssuingDistributionPoint.getInstance(idp);
                            BasicConstraints    bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS));
                           
                            if (p.onlyContainsUserCerts() && (bc == null || bc.isCA()))
                            {
                                throw new CertPathValidatorException("CA Cert CRL only contains user certificates");
                            }
                           
                            if (p.onlyContainsCACerts() && (bc == null || !bc.isCA()))
                            {
                                throw new CertPathValidatorException("End CRL only contains CA certificates");
                            }
                           
                            if (p.onlyContainsAttributeCerts())
                            {
                                throw new CertPathValidatorException("onlyContainsAttributeCerts boolean is asserted");
                            }
                        }
                    }
                }

                if (!tmpTest)
                {
                    throw new CertPathValidatorException("no valid CRL found", null, certPath, index);
                }
            }

            //
            // (a) (4) name chaining
            //
            if (!getEncodedIssuerPrincipal(cert).equals(workingIssuerName))
            {
                throw new CertPathValidatorException(
                            "IssuerName(" + getEncodedIssuerPrincipal(cert) +
                            ") does not match SubjectName(" + workingIssuerName +
                            ") of signing certificate", null, certPath, index);
            }

            //
            // (b), (c) permitted and excluded subtree checking.
            //
            if (!(isSelfIssued(cert) && (i < n)))
            {
                X500Principal principal = getSubjectPrincipal(cert);
                ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(principal.getEncoded()));
                ASN1Sequence    dns;

                try
                {
                    dns = (ASN1Sequence)aIn.readObject();
                }
                catch (IOException e)
                {
                    throw new CertPathValidatorException("exception extracting subject name when checking subtrees");
                }

                checkPermittedDN(permittedSubtreesDN, dns);

                checkExcludedDN(excludedSubtreesDN, dns);
       
                ASN1Sequence   altName = (ASN1Sequence)getExtensionValue(cert, SUBJECT_ALTERNATIVE_NAME);
                if (altName != null)
                {
                    for (int j = 0; j < altName.size(); j++)
                    {
                        ASN1TaggedObject o = (ASN1TaggedObject)altName.getObjectAt(j);

                        switch(o.getTagNo())
                        {
                        case 1:
                            String email = DERIA5String.getInstance(o, true).getString();

                            checkPermittedEmail(permittedSubtreesEmail, email);
                            checkExcludedEmail(excludedSubtreesEmail, email);
                            break;
                        case 4:
                            ASN1Sequence altDN = ASN1Sequence.getInstance(o, true);

                            checkPermittedDN(permittedSubtreesDN, altDN);
                            checkExcludedDN(excludedSubtreesDN, altDN);
                            break;
                        case 7:
                            byte[] ip = ASN1OctetString.getInstance(o, true).getOctets();

                            checkPermittedIP(permittedSubtreesIP, ip);
                            checkExcludedIP(excludedSubtreesIP, ip);
                        }
                    }
                }
            }

            //
            // (d) policy Information checking against initial policy and
            // policy mapping
            //
            ASN1Sequence   certPolicies = (ASN1Sequence)getExtensionValue(cert, CERTIFICATE_POLICIES);
            if (certPolicies != null && validPolicyTree != null)
            {
                //
                // (d) (1)
                //
                Enumeration e = certPolicies.getObjects();
                Set         pols = new HashSet();
                   
                while (e.hasMoreElements())
                {
                    PolicyInformation   pInfo = PolicyInformation.getInstance(e.nextElement());
                    DERObjectIdentifier pOid = pInfo.getPolicyIdentifier();
                   
                    pols.add(pOid.getId());

                    if (!ANY_POLICY.equals(pOid.getId()))
                    {
                        Set pq = getQualifierSet(pInfo.getPolicyQualifiers());
                       
                        boolean match = processCertD1i(i, policyNodes, pOid, pq);
                       
                        if (!match)
                        {
                            processCertD1ii(i, policyNodes, pOid, pq);
                        }
                    }
                }

                if (acceptablePolicies == null || acceptablePolicies.contains(ANY_POLICY))
                {
                    acceptablePolicies = pols;
                }
                else
                {
                    Iterator    it = acceptablePolicies.iterator();
                    Set         t1 = new HashSet();

                    while (it.hasNext())
                    {
                        Object  o = it.next();

                        if (pols.contains(o))
                        {
                            t1.add(o);
                        }
                    }

                    acceptablePolicies = t1;
                }

                //
                // (d) (2)
                //
                if ((inhibitAnyPolicy > 0) || ((i < n) && isSelfIssued(cert)))
                {
                    e = certPolicies.getObjects();

                    while (e.hasMoreElements())
                    {
                        PolicyInformation   pInfo = PolicyInformation.getInstance(e.nextElement());

                        if (ANY_POLICY.equals(pInfo.getPolicyIdentifier().getId()))
                        {
                            Set    _apq   = getQualifierSet(pInfo.getPolicyQualifiers());
                            List      _nodes = policyNodes[i - 1];
                           
                            for (int k = 0; k < _nodes.size(); k++)
                            {
                                PKIXPolicyNode _node = (PKIXPolicyNode)_nodes.get(k);
                               
                                Iterator _policySetIter = _node.getExpectedPolicies().iterator();
                                while (_policySetIter.hasNext())
                                {
                                    Object _tmp = _policySetIter.next();
                                   
                                    String _policy;
                                    if (_tmp instanceof String)
                                    {
                                        _policy = (String)_tmp;
                                    }
                                    else if (_tmp instanceof DERObjectIdentifier)
                                    {
                                        _policy = ((DERObjectIdentifier)_tmp).getId();
                                    }
                                    else
                                    {
                                        continue;
                                    }
                                   
                                    boolean  _found        = false;
                                    Iterator _childrenIter = _node.getChildren();

                                    while (_childrenIter.hasNext())
                                    {
                                        PKIXPolicyNode _child = (PKIXPolicyNode)_childrenIter.next();

                                        if (_policy.equals(_child.getValidPolicy()))
                                        {
                                            _found = true;
                                        }
                                    }

                                    if (!_found)
                                    {
                                        Set _newChildExpectedPolicies = new HashSet();
                                        _newChildExpectedPolicies.add(_policy);

                                        PKIXPolicyNode _newChild = new PKIXPolicyNode(new ArrayList(),
                                                                                      i,
                                                                                      _newChildExpectedPolicies,
                                                                                      _node,
                                                                                      _apq,
                                                                                      _policy,
                                                                                      false);
                                        _node.addChild(_newChild);
                                        policyNodes[i].add(_newChild);
                                    }
                                }
                            }
                            break;
                        }
                    }
                }
           
                //
                // (d) (3)
                //
                for (int j = (i - 1); j >= 0; j--)
                {
                    List      nodes = policyNodes[j];
                   
                    for (int k = 0; k < nodes.size(); k++)
                    {
                        PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(k);
                        if (!node.hasChildren())
                        {
                            validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, node);
                            if (validPolicyTree == null)
                            {
                                break;
                            }
                        }
                    }
                }
           
                //
                // d (4)
                //
                Set criticalExtensionOids = cert.getCriticalExtensionOIDs();
               
                if (criticalExtensionOids != null)
                {
                    boolean critical = criticalExtensionOids.contains(CERTIFICATE_POLICIES);
               
                    List      nodes = policyNodes[i];
                    for (int j = 0; j < nodes.size(); j++)
                    {
                        PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(j);
                        node.setCritical(critical);
                    }
                }
            }

            //
            // (e)
            //
            if (certPolicies == null)
            {
                validPolicyTree = null;
            }

            //
            // (f)
            //
            if (explicitPolicy <= 0 && validPolicyTree == null)
            {
                throw new CertPathValidatorException("No valid policy tree found when one expected.");
            }

            //
            // 6.1.4
            //

            if (i != n)
            {
                if (cert != null && cert.getVersion() == 1)
                {
                    throw new CertPathValidatorException(
                            "Version 1 certs can't be used as CA ones");
                }

                //
                // (a) check the policy mappings
                //
                DERObject   pm = getExtensionValue(cert, POLICY_MAPPINGS);
                if (pm != null)
                {
                    ASN1Sequence mappings = (ASN1Sequence)pm;
               
                    for (int j = 0; j < mappings.size(); j++)
                    {
                        ASN1Sequence    mapping = (ASN1Sequence)mappings.getObjectAt(j);

                        DERObjectIdentifier issuerDomainPolicy = (DERObjectIdentifier)mapping.getObjectAt(0);
                        DERObjectIdentifier subjectDomainPolicy = (DERObjectIdentifier)mapping.getObjectAt(1);

                        if (ANY_POLICY.equals(issuerDomainPolicy.getId()))
                        {
                       
                            throw new CertPathValidatorException("IssuerDomainPolicy is anyPolicy");
                        }
                   
                        if (ANY_POLICY.equals(subjectDomainPolicy.getId()))
                        {
                       
                            throw new CertPathValidatorException("SubjectDomainPolicy is anyPolicy");
                        }
                    }
                }
               
                //
                // (g) handle the name constraints extension
                //
                ASN1Sequence ncSeq = (ASN1Sequence)getExtensionValue(cert, NAME_CONSTRAINTS);
                if (ncSeq != null)
                {
                    NameConstraints nc = new NameConstraints(ncSeq);

                    //
                    // (g) (1) permitted subtrees
                    //
                    ASN1Sequence permitted = nc.getPermittedSubtrees();
                    if (permitted != null)
                    {
                        Enumeration e = permitted.getObjects();
                        while (e.hasMoreElements())
                        {
                            GeneralSubtree  subtree = GeneralSubtree.getInstance(e.nextElement());
                            GeneralName     base = subtree.getBase();

                            switch(base.getTagNo())
                            {
                                case 1:
                                    permittedSubtreesEmail = intersectEmail(permittedSubtreesEmail, DERIA5String.getInstance(base.getName()).getString());
                                    break;
                                case 4:
                                    permittedSubtreesDN = intersectDN(permittedSubtreesDN, (ASN1Sequence)base.getName());
                                    break;
                                case 7:
                                    permittedSubtreesIP = intersectIP(permittedSubtreesIP, ASN1OctetString.getInstance(base.getName()).getOctets());
                                    break;
                            }
                        }
                    }
               
                    //
                    // (g) (2) excluded subtrees
                    //
                    ASN1Sequence excluded = nc.getExcludedSubtrees();
                    if (excluded != null)
                    {
                        Enumeration e = excluded.getObjects();
                        while (e.hasMoreElements())
                        {
                            GeneralSubtree  subtree = GeneralSubtree.getInstance(e.nextElement());
                            GeneralName     base = subtree.getBase();

                            switch(base.getTagNo())
                            {
                            case 1:
                                excludedSubtreesEmail = unionEmail(excludedSubtreesEmail, DERIA5String.getInstance(base.getName()).getString());
                                break;
                            case 4:
                                excludedSubtreesDN = unionDN(excludedSubtreesDN, (ASN1Sequence)base.getName());
                                break;
                            case 7:
                                excludedSubtreesIP = unionIP(excludedSubtreesIP, ASN1OctetString.getInstance(base.getName()).getOctets());
                                break;
                            }
                        }
                    }
                }

                //
                // (h)
                //
                if (!isSelfIssued(cert))
                {
                    //
                    // (1)
                    //
                    if (explicitPolicy != 0)
                    {
                        explicitPolicy--;
                    }
               
                    //
                    // (2)
                    //
                    if (policyMapping != 0)
                    {
                        policyMapping--;
                    }
               
                    //
                    // (3)
                    //
                    if (inhibitAnyPolicy != 0)
                    {
                        inhibitAnyPolicy--;
                    }
                }
       
                //
                // (i)
                //
                ASN1Sequence pc = (ASN1Sequence)getExtensionValue(cert, POLICY_CONSTRAINTS);
           
                if (pc != null)
                {
                    Enumeration policyConstraints = pc.getObjects();

                    while (policyConstraints.hasMoreElements())
                    {
                        ASN1TaggedObject    constraint = (ASN1TaggedObject)policyConstraints.nextElement();
                        switch (constraint.getTagNo())
                        {
                        case 0:
                            tmpInt = DERInteger.getInstance(constraint).getValue().intValue();
                            if (tmpInt < explicitPolicy)
                            {
                                explicitPolicy = tmpInt;
                            }
                            break;
                        case 1:
                            tmpInt = DERInteger.getInstance(constraint).getValue().intValue();
                            if (tmpInt < policyMapping)
                            {
                                policyMapping = tmpInt;
                            }
                        break;
                        }
                    }
                }
       
                //
                // (j)
                //
                DERInteger iap = (DERInteger)getExtensionValue(cert, INHIBIT_ANY_POLICY);
           
                if (iap != null)
                {
                    int _inhibitAnyPolicy = iap.getValue().intValue();
               
                    if (_inhibitAnyPolicy < inhibitAnyPolicy)
                    {
                        inhibitAnyPolicy = _inhibitAnyPolicy;
                    }
                }
       
                //
                // (k)
                //
                BasicConstraints    bc = BasicConstraints.getInstance(
                                            getExtensionValue(cert, BASIC_CONSTRAINTS));
                if (bc != null)
                {
                    if (!(bc.isCA()))
                    {
                        throw new CertPathValidatorException("Not a CA certificate");
                    }
                }
                else
                {
                    throw new CertPathValidatorException("Intermediate certificate lacks BasicConstraints");
                }
           
                //
                // (l)
                //
                if (!isSelfIssued(cert))
                {
                    if (maxPathLength <= 0)
                    {
                        throw new CertPathValidatorException("Max path length not greater than zero");
                    }
               
                    maxPathLength--;
                }
       
                //
                // (m)
                //
                if (bc != null)
                {
                    BigInteger          _pathLengthConstraint = bc.getPathLenConstraint();
           
                    if (_pathLengthConstraint != null)
                    {
                        int _plc = _pathLengthConstraint.intValue();

                    buf.append("                       critical(" + ext.isCritical() + ") ");
                    try
                    {
                        if (oid.equals(X509Extensions.BasicConstraints))
                        {
                            buf.append(new BasicConstraints((ASN1Sequence)dIn.readObject()) + nl);
                        }
                        else if (oid.equals(X509Extensions.KeyUsage))
                        {
                            buf.append(new KeyUsage((DERBitString)dIn.readObject()) + nl);
                        }

                totalPathLength++;
            }

            // m)

            BasicConstraints bc;
            try
            {
                bc = BasicConstraints.getInstance(getExtensionValue(cert,
                        BASIC_CONSTRAINTS));
            }
            catch (AnnotatedException ae)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.processLengthConstError");
                addError(msg,index);
                bc = null;
            }

            if (bc != null)
            {
                BigInteger _pathLengthConstraint = bc.getPathLenConstraint();

                if (_pathLengthConstraint != null)
                {
                    int _plc = _pathLengthConstraint.intValue();

                    addError(msg,index);
                }

                // k)

                BasicConstraints bc;
                try
                {
                    bc = BasicConstraints.getInstance(getExtensionValue(cert,
                            BASIC_CONSTRAINTS));
                    if (bc != null)
                    {
                        if (!bc.isCA())
                        {
                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noCACert");
                            addError(msg,index);
                        }
                    }

            }

            if (idp != null)
            {
                IssuingDistributionPoint    p = IssuingDistributionPoint.getInstance(idp);
                BasicConstraints bc = null;
                try
                {
                    bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS));
                }
                catch (AnnotatedException ae)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlBCExtError");
                    throw new CertPathReviewerException(msg,ae);
                }
               
                if (p.onlyContainsUserCerts() && (bc != null && bc.isCA()))
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlOnlyUserCert");
                    throw new CertPathReviewerException(msg);
                }
               
                if (p.onlyContainsCACerts() && (bc == null || !bc.isCA()))
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlOnlyCaCert");
                    throw new CertPathReviewerException(msg);
                }
               

                    }
           
                    //
                    // (k)
                    //
                    BasicConstraints    bc = BasicConstraints.getInstance(
                            CertPathValidatorUtilities.getExtensionValue(cert, BASIC_CONSTRAINTS));
                    if (bc != null)
                    {
                        if (!(bc.isCA()))
                        {
                            throw new CertPathValidatorException("Not a CA certificate");
                        }
                    }
                    else
                    {
                        throw new CertPathValidatorException("Intermediate certificate lacks BasicConstraints");
                    }
               
                    //
                    // (l)
                    //
                    if (!CertPathValidatorUtilities.isSelfIssued(cert))
                    {
                        if (maxPathLength <= 0)
                        {
                            throw new CertPathValidatorException("Max path length not greater than zero");
                        }
                   
                        maxPathLength--;
                    }
           
                    //
                    // (m)
                    //
                    if (bc != null)
                    {
                        BigInteger          _pathLengthConstraint = bc.getPathLenConstraint();
               
                        if (_pathLengthConstraint != null)
                        {
                            int _plc = _pathLengthConstraint.intValue();
   

                }
   
                if (idp != null)
                {
                    IssuingDistributionPoint    p = IssuingDistributionPoint.getInstance(idp);
                    BasicConstraints    bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, BASIC_CONSTRAINTS));
                   
                    if (p.onlyContainsUserCerts() && (bc != null && bc.isCA()))
                    {
                        throw new AnnotatedException("CA Cert CRL only contains user certificates");
                    }
                   
                    if (p.onlyContainsCACerts() && (bc == null || !bc.isCA()))
                    {
                        throw new AnnotatedException("End CRL only contains CA certificates");
                    }
                   
                    if (p.onlyContainsAttributeCerts())
