org.bouncycastle.asn1.x509.X509ObjectIdentifiers Java Examples

The following examples show how to use org.bouncycastle.asn1.x509.X509ObjectIdentifiers. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: Actions.java    From xipki with Apache License 2.0 6 votes vote down vote up
public static List<String> extractOcspUrls(AuthorityInformationAccess aia)
    throws CertificateEncodingException {
  AccessDescription[] accessDescriptions = aia.getAccessDescriptions();
  List<AccessDescription> ocspAccessDescriptions = new LinkedList<>();
  for (AccessDescription accessDescription : accessDescriptions) {
    if (accessDescription.getAccessMethod().equals(X509ObjectIdentifiers.id_ad_ocsp)) {
      ocspAccessDescriptions.add(accessDescription);
    }
  }

  final int n = ocspAccessDescriptions.size();
  List<String> ocspUris = new ArrayList<>(n);
  for (int i = 0; i < n; i++) {
    GeneralName accessLocation = ocspAccessDescriptions.get(i).getAccessLocation();
    if (accessLocation.getTagNo() == GeneralName.uniformResourceIdentifier) {
      String ocspUri = ((ASN1String) accessLocation.getName()).getString();
      ocspUris.add(ocspUri);
    }
  }

  return ocspUris;
}
 
Example #2
Source File: ExtensionsChecker.java    From xipki with Apache License 2.0 6 votes vote down vote up
private void checkExtnAuthorityInfoAccess(StringBuilder failureMsg,
    byte[] extensionValue, IssuerInfo issuerInfo) {
  AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl();
  Set<String> expCaIssuerUris = (aiaControl == null || aiaControl.isIncludesCaIssuers())
      ? issuerInfo.getCaIssuerUrls() : Collections.emptySet();

  Set<String> expOcspUris = (aiaControl == null || aiaControl.isIncludesOcsp())
      ? issuerInfo.getOcspUrls() : Collections.emptySet();

  if (CollectionUtil.isEmpty(expCaIssuerUris) && CollectionUtil.isEmpty(expOcspUris)) {
    failureMsg.append("AIA is present but expected is 'none'; ");
    return;
  }

  AuthorityInformationAccess isAia = AuthorityInformationAccess.getInstance(extensionValue);
  checkAia(failureMsg, isAia, X509ObjectIdentifiers.id_ad_caIssuers, expCaIssuerUris);
  checkAia(failureMsg, isAia, X509ObjectIdentifiers.id_ad_ocsp, expOcspUris);
}
 
Example #3
Source File: RequestOptions.java    From xipki with Apache License 2.0 6 votes vote down vote up
public static RSASSAPSSparams createPSSRSAParams(ASN1ObjectIdentifier digestAlgOid) {
  int saltSize;
  if (X509ObjectIdentifiers.id_SHA1.equals(digestAlgOid)) {
    saltSize = 20;
  } else if (NISTObjectIdentifiers.id_sha224.equals(digestAlgOid)) {
    saltSize = 28;
  } else if (NISTObjectIdentifiers.id_sha256.equals(digestAlgOid)) {
    saltSize = 32;
  } else if (NISTObjectIdentifiers.id_sha384.equals(digestAlgOid)) {
    saltSize = 48;
  } else if (NISTObjectIdentifiers.id_sha512.equals(digestAlgOid)) {
    saltSize = 64;
  } else {
    throw new IllegalStateException("unknown digest algorithm " + digestAlgOid);
  }

  AlgorithmIdentifier digAlgId = new AlgorithmIdentifier(digestAlgOid, DERNull.INSTANCE);
  return new RSASSAPSSparams(digAlgId,
      new AlgorithmIdentifier(PKCSObjectIdentifiers.id_mgf1, digAlgId),
      new ASN1Integer(saltSize), RSASSAPSSparams.DEFAULT_TRAILER_FIELD);
}
 
Example #4
Source File: X509Utils.java    From acme-client with Apache License 2.0 5 votes vote down vote up
public static String getCACertificateURL(X509Certificate certificate) throws IOException {
	byte[] bOctets = ((ASN1OctetString) ASN1Primitive.fromByteArray(certificate.getExtensionValue(Extension.authorityInfoAccess.getId()))).getOctets();
	AuthorityInformationAccess access = AuthorityInformationAccess.getInstance(ASN1Sequence.fromByteArray(bOctets));
	for (AccessDescription ad:access.getAccessDescriptions()){
		if (ad.getAccessMethod().equals(X509ObjectIdentifiers.id_ad_caIssuers)){
			return ad.getAccessLocation().getName().toString();
		}
	}
	return null;
}
 
Example #5
Source File: OCSPCertificateVerifier.java    From oxAuth with MIT License 5 votes vote down vote up
@SuppressWarnings({ "deprecation", "resource" })
private String getOCSPUrl(X509Certificate certificate) throws IOException {
	ASN1Primitive obj;
	try {
		obj = getExtensionValue(certificate, Extension.authorityInfoAccess.getId());
	} catch (IOException ex) {
		log.error("Failed to get OCSP URL", ex);
		return null;
	}

	if (obj == null) {
		return null;
	}

	AuthorityInformationAccess authorityInformationAccess = AuthorityInformationAccess.getInstance(obj);

	AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions();
	for (AccessDescription accessDescription : accessDescriptions) {
		boolean correctAccessMethod = accessDescription.getAccessMethod().equals(X509ObjectIdentifiers.ocspAccessMethod);
		if (!correctAccessMethod) {
			continue;
		}

		GeneralName name = accessDescription.getAccessLocation();
		if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
			continue;
		}

		DERIA5String derStr = DERIA5String.getInstance((ASN1TaggedObject) name.toASN1Primitive(), false);
		return derStr.getString();
	}

	return null;

}
 
Example #6
Source File: ScepUtil.java    From xipki with Apache License 2.0 5 votes vote down vote up
public static ASN1ObjectIdentifier extractDigesetAlgorithmIdentifier(String sigOid,
    byte[] sigParams) throws NoSuchAlgorithmException {
  Args.notBlank(sigOid, "sigOid");

  ASN1ObjectIdentifier algOid = new ASN1ObjectIdentifier(sigOid);

  ASN1ObjectIdentifier digestAlgOid;
  if (PKCSObjectIdentifiers.md5WithRSAEncryption.equals(algOid)) {
    digestAlgOid = PKCSObjectIdentifiers.md5;
  } else if (PKCSObjectIdentifiers.sha1WithRSAEncryption.equals(algOid)) {
    digestAlgOid = X509ObjectIdentifiers.id_SHA1;
  } else if (PKCSObjectIdentifiers.sha224WithRSAEncryption.equals(algOid)) {
    digestAlgOid = NISTObjectIdentifiers.id_sha224;
  } else if (PKCSObjectIdentifiers.sha256WithRSAEncryption.equals(algOid)) {
    digestAlgOid = NISTObjectIdentifiers.id_sha256;
  } else if (PKCSObjectIdentifiers.sha384WithRSAEncryption.equals(algOid)) {
    digestAlgOid = NISTObjectIdentifiers.id_sha384;
  } else if (PKCSObjectIdentifiers.sha512WithRSAEncryption.equals(algOid)) {
    digestAlgOid = NISTObjectIdentifiers.id_sha512;
  } else if (PKCSObjectIdentifiers.id_RSASSA_PSS.equals(algOid)) {
    RSASSAPSSparams param = RSASSAPSSparams.getInstance(sigParams);
    digestAlgOid = param.getHashAlgorithm().getAlgorithm();
  } else {
    throw new NoSuchAlgorithmException("unknown signature algorithm" + algOid.getId());
  }

  return digestAlgOid;
}
 
Example #7
Source File: ExtensionsChecker.java    From xipki with Apache License 2.0 4 votes vote down vote up
private static void checkAia(StringBuilder failureMsg, AuthorityInformationAccess aia,
    ASN1ObjectIdentifier accessMethod, Set<String> expectedUris) {
  String typeDesc;
  if (X509ObjectIdentifiers.id_ad_ocsp.equals(accessMethod)) {
    typeDesc = "OCSP";
  } else if (X509ObjectIdentifiers.id_ad_caIssuers.equals(accessMethod)) {
    typeDesc = "caIssuer";
  } else {
    typeDesc = accessMethod.getId();
  }

  List<AccessDescription> isAccessDescriptions = new LinkedList<>();
  for (AccessDescription accessDescription : aia.getAccessDescriptions()) {
    if (accessMethod.equals(accessDescription.getAccessMethod())) {
      isAccessDescriptions.add(accessDescription);
    }
  }

  int size = isAccessDescriptions.size();
  if (size != expectedUris.size()) {
    addViolation(failureMsg, "number of AIA " + typeDesc + " URIs", size, expectedUris.size());
    return;
  }

  Set<String> isUris = new HashSet<>();
  for (int i = 0; i < size; i++) {
    GeneralName isAccessLocation = isAccessDescriptions.get(i).getAccessLocation();
    if (isAccessLocation.getTagNo() != GeneralName.uniformResourceIdentifier) {
      addViolation(failureMsg, "tag of accessLocation of AIA ",
          isAccessLocation.getTagNo(), GeneralName.uniformResourceIdentifier);
    } else {
      String isOcspUri = ((ASN1String) isAccessLocation.getName()).getString();
      isUris.add(isOcspUri);
    }
  }

  Set<String> diffs = strInBnotInA(expectedUris, isUris);
  if (CollectionUtil.isNotEmpty(diffs)) {
    failureMsg.append(typeDesc).append(" URIs ").append(diffs);
    failureMsg.append(" are present but not expected; ");
  }

  diffs = strInBnotInA(isUris, expectedUris);
  if (CollectionUtil.isNotEmpty(diffs)) {
    failureMsg.append(typeDesc).append(" URIs ").append(diffs);
    failureMsg.append(" are absent but are required; ");
  }
}
 
Example #8
Source File: RequestOptions.java    From xipki with Apache License 2.0 4 votes vote down vote up
private static AlgorithmIdentifier createAlgId(String algoName) {
  algoName = algoName.toUpperCase();
  ASN1ObjectIdentifier algOid = null;
  if ("SHA1WITHRSA".equals(algoName)) {
    algOid = PKCSObjectIdentifiers.sha1WithRSAEncryption;
  } else if ("SHA256WITHRSA".equals(algoName)) {
    algOid = PKCSObjectIdentifiers.sha256WithRSAEncryption;
  } else if ("SHA384WITHRSA".equals(algoName)) {
    algOid = PKCSObjectIdentifiers.sha384WithRSAEncryption;
  } else if ("SHA512WITHRSA".equals(algoName)) {
    algOid = PKCSObjectIdentifiers.sha512WithRSAEncryption;
  } else if ("SHA1WITHECDSA".equals(algoName)) {
    algOid = X9ObjectIdentifiers.ecdsa_with_SHA1;
  } else if ("SHA256WITHECDSA".equals(algoName)) {
    algOid = X9ObjectIdentifiers.ecdsa_with_SHA256;
  } else if ("SHA384WITHECDSA".equals(algoName)) {
    algOid = X9ObjectIdentifiers.ecdsa_with_SHA384;
  } else if ("SHA512WITHECDSA".equals(algoName)) {
    algOid = X9ObjectIdentifiers.ecdsa_with_SHA512;
  } else if ("SHA1WITHRSAANDMGF1".equals(algoName) || "SHA256WITHRSAANDMGF1".equals(algoName)
      || "SHA384WITHRSAANDMGF1".equals(algoName) || "SHA512WITHRSAANDMGF1".equals(algoName)) {
    algOid = PKCSObjectIdentifiers.id_RSASSA_PSS;
  } else {
    throw new IllegalStateException("Unsupported algorithm " + algoName); // should not happen
  }

  ASN1Encodable params;
  if (PKCSObjectIdentifiers.id_RSASSA_PSS.equals(algOid)) {
    ASN1ObjectIdentifier digestAlgOid = null;
    if ("SHA1WITHRSAANDMGF1".equals(algoName)) {
      digestAlgOid = X509ObjectIdentifiers.id_SHA1;
    } else if ("SHA256WITHRSAANDMGF1".equals(algoName)) {
      digestAlgOid = NISTObjectIdentifiers.id_sha256;
    } else if ("SHA384WITHRSAANDMGF1".equals(algoName)) {
      digestAlgOid = NISTObjectIdentifiers.id_sha384;
    } else { // if ("SHA512WITHRSAANDMGF1".equals(algoName))
      digestAlgOid = NISTObjectIdentifiers.id_sha512;
    }
    params = createPSSRSAParams(digestAlgOid);
  } else {
    params = DERNull.INSTANCE;
  }

  return new AlgorithmIdentifier(algOid, params);
}
 
Example #9
Source File: DSSASN1Utils.java    From dss with GNU Lesser General Public License v2.1 2 votes vote down vote up
/**
 * Gives back the CA URIs meta-data found within the given certificate.
 *
 * @param certificate
 *            the certificate token.
 * @return a list of CA URIs, or empty list if the extension is not present.
 */
public static List<String> getCAAccessLocations(final CertificateToken certificate) {
	return getAccessLocations(certificate, X509ObjectIdentifiers.id_ad_caIssuers);
}
 
Example #10
Source File: DSSASN1Utils.java    From dss with GNU Lesser General Public License v2.1 2 votes vote down vote up
/**
 * Gives back the OCSP URIs meta-data found within the given X509 cert.
 *
 * @param certificate
 *            the cert token.
 * @return a list of OCSP URIs, or empty list if the extension is not present.
 */
public static List<String> getOCSPAccessLocations(final CertificateToken certificate) {
	return getAccessLocations(certificate, X509ObjectIdentifiers.id_ad_ocsp);
}