Java Code Examples for org.bouncycastle.asn1.ASN1ObjectIdentifier#equals()

The following examples show how to use org.bouncycastle.asn1.ASN1ObjectIdentifier#equals(). In each of them the method compares object identifiers by value, to dispatch on or filter by an algorithm, curve, attribute or extension OID taken from parsed ASN.1 data.
Example 1
Source File: SoftKeymasterBlob.java    From keystore-decryptor with Apache License 2.0
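/**
 * Converts a Bouncy Castle ASN.1 {@code ECPrivateKey} structure into a JCA {@code ECPrivateKey}.
 *
 * <p>Only keys that identify their curve by OID are supported, and only the four curves
 * listed below are accepted. Anything else is rejected rather than guessed at.
 *
 * @param ecPrivateKey parsed ASN.1 EC private key structure
 * @return the equivalent JCA private key produced by the "EC" {@code KeyFactory}
 * @throws GeneralSecurityException if the key carries no named-curve OID, or if the JCA
 *         provider cannot build the key
 * @throws IllegalStateException if the curve OID is not one of the supported curves
 */
private static ECPrivateKey toJcaPrivateKey(org.bouncycastle.asn1.sec.ECPrivateKey ecPrivateKey)
        throws GeneralSecurityException {
    // The parameters come from parsed key material: they may be absent or may not be an OID
    // at all. Check before casting so that such input yields a checked exception instead of
    // a NullPointerException / ClassCastException.
    Object parameters = ecPrivateKey.getParameters();
    if (!(parameters instanceof ASN1ObjectIdentifier)) {
        throw new GeneralSecurityException(
                "EC private key does not identify its curve by a named-curve OID");
    }
    ASN1ObjectIdentifier curveId = (ASN1ObjectIdentifier) parameters;

    // Fixed allow-list of curves; the OID is mapped to the name used for the table lookup.
    final String curveName;
    if (curveId.equals(secp224r1_OID)) {
        curveName = "secp224r1";
    } else if (curveId.equals(prime256v1_OID)) {
        curveName = "prime256v1";
    } else if (curveId.equals(secp384r1_OID)) {
        curveName = "secp384r1";
    } else if (curveId.equals(secp521r1_OID)) {
        curveName = "secp521r1";
    } else {
        throw new IllegalStateException("Unknown curve OID: " + curveId);
    }

    ECNamedCurveParameterSpec sp = ECNamedCurveTable.getParameterSpec(curveName);
    ECParameterSpec params = new ECNamedCurveSpec(sp.getName(), sp.getCurve(), sp.getG(),
            sp.getN(), sp.getH());

    ECPrivateKeySpec pkSpec = new ECPrivateKeySpec(ecPrivateKey.getKey(), params);
    return (ECPrivateKey) KeyFactory.getInstance("EC").generatePrivate(pkSpec);
}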
 
Example 2
Source File: DialogHelper.java    From keystore-explorer with GNU General Public License v3.0
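/**
 * Shows the first value of every attribute whose type equals {@code pkcs9Attr} in
 * {@code textField}. If several attributes match, the last one wins because the loop does
 * not stop at the first match.
 *
 * @param attrs attributes to search, may be {@code null} (nothing is done then)
 * @param textField field that receives the string value
 * @param pkcs9Attr OID of the attribute to display
 */
private static void populateTextField(Attribute[] attrs, JTextField textField, ASN1ObjectIdentifier pkcs9Attr) {
	if (attrs == null) {
		return;
	}

	for (Attribute attribute : attrs) {
		if (!attribute.getAttrType().equals(pkcs9Attr)) {
			continue;
		}

		// The attributes come from parsed input; an attribute with an empty value set
		// would otherwise fail with ArrayIndexOutOfBoundsException on the [0] access.
		ASN1Encodable[] values = attribute.getAttributeValues();
		if (values == null || values.length == 0) {
			continue;
		}
		ASN1Encodable challenge = values[0];

		// Only PrintableString and UTF8String values are displayed; a value of any other
		// type leaves the field text as it was.
		if (challenge instanceof DERPrintableString) {
			textField.setText(((DERPrintableString) challenge).getString());
		} else if (challenge instanceof DERUTF8String) {
			textField.setText(((DERUTF8String) challenge).getString());
		}
		textField.setCaretPosition(0);
	}
}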
 
Example 3
Source File: DPolicyQualifierInfoChooser.java    From keystore-explorer with GNU General Public License v3.0
/**
 * Initialises the dialog controls from an existing policy qualifier.
 *
 * <p>A {@code null} qualifier, or one whose id is neither the CPS pointer nor the user
 * notice OID, selects the CPS radio button without filling in any value.
 *
 * @param policyQualifierInfo qualifier to display, may be {@code null}
 * @throws IOException declared by the signature; nothing in the visible body throws it
 *         directly
 */
private void populate(PolicyQualifierInfo policyQualifierInfo) throws IOException {
	if (policyQualifierInfo == null) {
		jrbCps.setSelected(true);
		return;
	}

	ASN1ObjectIdentifier qualifierOid = policyQualifierInfo.getPolicyQualifierId();

	boolean isCpsPointer = qualifierOid.equals(new ASN1ObjectIdentifier(PKIX_CPS_POINTER_QUALIFIER.oid()));
	if (isCpsPointer) {
		jrbCps.setSelected(true);
		// NOTE(review): the cast assumes the qualifier is encoded as an IA5String; a
		// qualifier with another encoding would raise ClassCastException here.
		DERIA5String cpsUri = (DERIA5String) policyQualifierInfo.getQualifier();
		jtfCps.setText(cpsUri.getString());
		jtfCps.setCaretPosition(0);
		return;
	}

	boolean isUserNotice = qualifierOid.equals(new ASN1ObjectIdentifier(PKIX_USER_NOTICE_QUALIFIER.oid()));
	if (isUserNotice) {
		jrbUserNotice.setSelected(true);
		junUserNotice.setUserNotice(UserNotice.getInstance(policyQualifierInfo.getQualifier()));
		return;
	}

	// Unrecognised qualifier id: fall back to the CPS option.
	jrbCps.setSelected(true);
}
 
Example 4
Source File: DSSRevocationUtils.java    From dss with GNU Lesser General Public License v2.1
/**
 * Tells whether a {@code SingleResp} refers to the same certificate as the given
 * {@code CertificateID}.
 *
 * <p>The comparison is done field by field (hash algorithm OID, issuer key hash, issuer name
 * hash, serial number) instead of through {@code CertificateID.equals}. According to the
 * original author, that method fails when the algorithm identifier parameters are
 * {@code null} on one side and {@code DERNull} on the other. Only the algorithm OID is
 * compared here, so that difference is ignored.
 *
 * @param certId
 *            {@code CertificateID} to look for
 * @param singleResp
 *            {@code SingleResp} to test
 * @return true if all four fields of the two certificate ids are equal
 */
public static boolean matches(final CertificateID certId, final SingleResp singleResp) {

	// Values carried by the response
	final CertificateID respCertId = singleResp.getCertID();
	final ASN1ObjectIdentifier respHashAlg = respCertId.getHashAlgOID();
	final byte[] respIssuerKeyHash = respCertId.getIssuerKeyHash();
	final byte[] respIssuerNameHash = respCertId.getIssuerNameHash();
	final BigInteger respSerial = respCertId.getSerialNumber();

	// Values we expect
	final ASN1ObjectIdentifier wantedHashAlg = certId.getHashAlgOID();
	final byte[] wantedIssuerKeyHash = certId.getIssuerKeyHash();
	final byte[] wantedIssuerNameHash = certId.getIssuerNameHash();
	final BigInteger wantedSerial = certId.getSerialNumber();

	if (!respHashAlg.equals(wantedHashAlg)) {
		return false;
	}
	if (!Arrays.equals(respIssuerKeyHash, wantedIssuerKeyHash)) {
		return false;
	}
	if (!Arrays.equals(respIssuerNameHash, wantedIssuerNameHash)) {
		return false;
	}
	return respSerial.equals(wantedSerial);
}
 
Example 5
Source File: P12MacContentSignerBuilder.java    From xipki with Apache License 2.0
/**
 * Builds a concurrent MAC signer backed by {@code parallelism} individual signers that all
 * use this builder's {@code key}.
 *
 * <p>The three AES-GCM OIDs select a GMAC signer; every other algorithm identifier is
 * handed to the HMAC signer.
 *
 * @param signatureAlgId MAC algorithm identifier, must not be {@code null}
 * @param parallelism number of underlying signers, must be positive
 * @param random not referenced in this method body
 * @return the assembled concurrent signer
 * @throws XiSecurityException if the concurrent signer cannot be created
 */
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId,
    int parallelism, SecureRandom random) throws XiSecurityException {
  Args.notNull(signatureAlgId, "signatureAlgId");
  Args.positive(parallelism, "parallelism");

  final ASN1ObjectIdentifier algOid = signatureAlgId.getAlgorithm();
  final boolean useGmac = algOid.equals(NISTObjectIdentifiers.id_aes128_GCM)
      || algOid.equals(NISTObjectIdentifiers.id_aes192_GCM)
      || algOid.equals(NISTObjectIdentifiers.id_aes256_GCM);

  List<XiContentSigner> signers = new ArrayList<>(parallelism);
  for (int remaining = parallelism; remaining > 0; remaining--) {
    XiContentSigner signer = useGmac
        ? new AESGmacContentSigner(algOid, key)
        : new HmacContentSigner(signatureAlgId, key);
    signers.add(signer);
  }

  DfltConcurrentContentSigner result;
  try {
    // first argument: this signer computes a MAC
    result = new DfltConcurrentContentSigner(true, signers, key);
  } catch (NoSuchAlgorithmException ex) {
    throw new XiSecurityException(ex.getMessage(), ex);
  }

  // NOTE(review): a SHA-1 digest of the raw key bytes is stored on the signer; presumably
  // it serves as a key identifier - confirm where it is exposed.
  result.setSha1DigestOfMacKey(HashAlgo.SHA1.hash(key.getEncoded()));
  return result;
}
 
Example 6
Source File: Responder.java    From xipki with Apache License 2.0
/**
 * Checks the MAC algorithm of a password-based MAC against {@code macAlgos}.
 *
 * <p>Only the algorithm OID is compared; the parameters of the algorithm identifier are not
 * looked at here.
 *
 * @param pbmMac algorithm identifier to test
 * @return {@code true} if its OID equals one of the entries of {@code macAlgos}
 */
public boolean isPbmMacPermitted(AlgorithmIdentifier pbmMac) {
  final ASN1ObjectIdentifier requested = pbmMac.getAlgorithm();
  boolean permitted = false;
  for (ASN1ObjectIdentifier allowed : macAlgos) {
    if (allowed.equals(requested)) {
      permitted = true;
      break;
    }
  }
  return permitted;
}
 
Example 7
Source File: Responder.java    From xipki with Apache License 2.0
/**
 * Checks the one-way function of a password-based MAC against {@code owfAlgos}.
 *
 * <p>Only the algorithm OID is compared; the parameters of the algorithm identifier are not
 * looked at here.
 *
 * @param pbmOwf algorithm identifier to test
 * @return {@code true} if its OID equals one of the entries of {@code owfAlgos}
 */
public boolean isPbmOwfPermitted(AlgorithmIdentifier pbmOwf) {
  final ASN1ObjectIdentifier requested = pbmOwf.getAlgorithm();
  boolean permitted = false;
  for (ASN1ObjectIdentifier allowed : owfAlgos) {
    if (allowed.equals(requested)) {
      permitted = true;
      break;
    }
  }
  return permitted;
}
 
Example 8
Source File: ExtensionsChecker.java    From xipki with Apache License 2.0
/**
 * Checks the validity-model extension of a certificate.
 *
 * <p>When no {@code validityModelId} is configured the check is delegated to
 * {@code checkConstantExtnValue}. Otherwise the first element of the extension value is
 * read as an OID and compared with the configured one.
 *
 * @param failureMsg collector for violations
 * @param extensionValue encoded extension value taken from the certificate
 * @param requestedExtns extensions of the request, passed on to the constant-value check
 * @param extControl extension control, passed on to the constant-value check
 */
private void checkExtnValidityModel(StringBuilder failureMsg, byte[] extensionValue,
    Extensions requestedExtns, ExtensionControl extControl) {
  final ASN1ObjectIdentifier expected = validityModelId;
  if (expected == null) {
    checkConstantExtnValue(Extn.id_extension_validityModel,
        failureMsg, extensionValue, requestedExtns, extControl);
    return;
  }

  // The extension value is expected to be a SEQUENCE whose first element is the model OID.
  ASN1ObjectIdentifier actual = ASN1ObjectIdentifier.getInstance(
      ASN1Sequence.getInstance(extensionValue).getObjectAt(0));
  if (!expected.equals(actual)) {
    addViolation(failureMsg, "content", actual, expected);
  }
}
 
Example 9
Source File: CmpControl.java    From xipki with Apache License 2.0
/**
 * Checks the MAC algorithm of a request's password-based MAC against
 * {@code requestPbmMacs}.
 *
 * <p>Only the algorithm OID is compared; the parameters of the algorithm identifier are not
 * looked at here.
 *
 * @param pbmMac algorithm identifier to test
 * @return {@code true} if its OID equals one of the entries of {@code requestPbmMacs}
 */
public boolean isRequestPbmMacPermitted(AlgorithmIdentifier pbmMac) {
  final ASN1ObjectIdentifier requested = pbmMac.getAlgorithm();
  boolean permitted = false;
  for (ASN1ObjectIdentifier allowed : requestPbmMacs) {
    if (allowed.equals(requested)) {
      permitted = true;
      break;
    }
  }
  return permitted;
}
 
Example 10
Source File: CmpControl.java    From xipki with Apache License 2.0
/**
 * Checks the one-way function of a request's password-based MAC against
 * {@code requestPbmOwfs}.
 *
 * <p>Only the algorithm OID is compared; the parameters of the algorithm identifier are not
 * looked at here.
 *
 * @param pbmOwf algorithm identifier to test
 * @return {@code true} if its OID equals one of the entries of {@code requestPbmOwfs}
 */
public boolean isRequestPbmOwfPermitted(AlgorithmIdentifier pbmOwf) {
  final ASN1ObjectIdentifier requested = pbmOwf.getAlgorithm();
  boolean permitted = false;
  for (ASN1ObjectIdentifier allowed : requestPbmOwfs) {
    if (allowed.equals(requested)) {
      permitted = true;
      break;
    }
  }
  return permitted;
}
 
Example 11
Source File: SecurityUtil.java    From hadoop-ozone with Apache License 2.0
/**
 * Returns the values of the PKCS#9 extensionRequest attribute of a CSR.
 *
 * <p>The first attribute with that type is returned; any further attribute of the same type
 * is ignored.
 *
 * @param csr certification request to inspect
 * @return the value set of the extensionRequest attribute
 * @throws CertificateException if the CSR has no such attribute
 */
public static ASN1Set getPkcs9ExtRequest(PKCS10CertificationRequest csr)
    throws CertificateException {
  for (Attribute candidate : csr.getAttributes()) {
    ASN1ObjectIdentifier attrType = candidate.getAttrType();
    boolean isExtensionRequest =
        attrType.equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    if (!isExtensionRequest) {
      continue;
    }
    return candidate.getAttrValues();
  }
  throw new CertificateException("No PKCS#9 extension found in CSR");
}
 
Example 12
Source File: AbstractRequirementChecks.java    From dss with GNU Lesser General Public License v2.1
/**
 * Counts the entries of {@code set} whose first element is the given OID.
 *
 * <p>Every entry is read as a SEQUENCE and its element 0 as an OID.
 *
 * @param oid identifier to count
 * @param set set to scan, may be {@code null}
 * @return number of matching entries, 0 for a {@code null} set
 */
private int countInSet(ASN1ObjectIdentifier oid, ASN1Set set) {
	if (set == null) {
		return 0;
	}

	int occurrences = 0;
	for (int index = 0; index < set.size(); index++) {
		ASN1Sequence entry = ASN1Sequence.getInstance(set.getObjectAt(index));
		ASN1ObjectIdentifier entryOid = ASN1ObjectIdentifier.getInstance(entry.getObjectAt(0));
		if (oid.equals(entryOid)) {
			occurrences += 1;
		}
	}
	return occurrences;
}
 
Example 13
Source File: JCustomExtendedKeyUsage.java    From keystore-explorer with GNU General Public License v3.0
/**
 * Selects the first table row whose column 0 holds the given OID. Nothing is changed if no
 * row matches.
 *
 * @param objectId OID to look for
 */
private void selectCustomExtKeyUsageInTable(ASN1ObjectIdentifier objectId) {
	int row = 0;
	while (row < jtCustomExtKeyUsages.getRowCount()) {
		Object cellValue = jtCustomExtKeyUsages.getValueAt(row, 0);
		if (objectId.equals(cellValue)) {
			jtCustomExtKeyUsages.changeSelection(row, 0, false, false);
			break;
		}
		row++;
	}
}
 
Example 14
Source File: PublicKey.java    From hedera-sdk-java with Apache License 2.0
/**
 * Parses a hex string into a public key.
 *
 * <p>Input that decodes to exactly {@code Ed25519.PUBLIC_KEY_SIZE} bytes is treated as a raw
 * Ed25519 key. Anything else is parsed as a {@code SubjectPublicKeyInfo} structure and
 * accepted only when its algorithm OID is Ed25519.
 *
 * @param keyString hex-encoded raw or DER-encoded public key
 * @return the parsed public key
 * @throws IllegalArgumentException if the input cannot be decoded or parsed, or if the key
 *         algorithm is not Ed25519
 */
public static PublicKey fromString(String keyString) {
    SubjectPublicKeyInfo spki;

    try {
        final byte[] decoded = Hex.decode(keyString);

        // The length alone decides between the raw form and the DER form.
        if (decoded.length == Ed25519.PUBLIC_KEY_SIZE) {
            return Ed25519PublicKey.fromBytes(decoded);
        }

        spki = SubjectPublicKeyInfo.getInstance(decoded);
    } catch (Exception e) {
        // Any decoding or parsing failure is reported as an invalid argument, cause kept.
        throw new IllegalArgumentException("Failed to parse public key", e);
    }

    final ASN1ObjectIdentifier keyAlgorithm = spki.getAlgorithm().getAlgorithm();
    if (!keyAlgorithm.equals(EdECObjectIdentifiers.id_Ed25519)) {
        throw new IllegalArgumentException("Unsupported public key type: " + keyAlgorithm.toString());
    }

    return Ed25519PublicKey.fromBytes(spki.getPublicKeyData().getBytes());
}
 
Example 15
Source File: SslClientCertificateImpl.java    From hivemq-community-edition with Apache License 2.0
/**
 * Looks up a property of the client certificate by OID.
 *
 * <p>Lookup order: the value returned by {@code subjectProperty}, then (for
 * {@code BCStyle.SN} only) the certificate serial number, then the certificate extension
 * with that OID.
 *
 * @param objectIdentifier OID of the wanted property
 * @return the property as a string, or {@code null} if none of the lookups finds a value
 * @throws PropertyNotFoundException if any step of the lookup throws
 */
private String certificateProperty(final ASN1ObjectIdentifier objectIdentifier) {
    try {
        final X509Certificate x509 = (X509Certificate) certificate();

        // X.500 name values may be in the subject or in an extension; try the subject first.
        final String fromSubject = subjectProperty(objectIdentifier, x509);
        if (fromSubject != null) {
            return fromSubject;
        }

        // NOTE(review): BCStyle.SN names the serialNumber attribute of a distinguished name,
        // while this fallback returns the serial number of the certificate itself - confirm
        // that callers expect this substitution.
        if (objectIdentifier.equals(BCStyle.SN)) {
            return x509.getSerialNumber().toString();
        }

        final Extension fromExtension = new JcaX509CertificateHolder(x509).getExtension(objectIdentifier);
        return (fromExtension == null) ? null : fromExtension.getParsedValue().toString();

    } catch (final Exception e) {
        throw new PropertyNotFoundException("Not able to get property from certificate", e);
    }
}
 
Example 16
Source File: CmpAgent.java    From xipki with Apache License 2.0
/**
 * Extracts the CRL from a CMP general response.
 *
 * <p>{@code checkProtection} is called on the response before its body is read. The body
 * must be a general response; an error body is turned into a {@code PkiErrorException}.
 * The CRL is taken from the first {@code InfoTypeAndValue} whose type equals the expected
 * OID, which depends on whether {@code xipkiAction} is given.
 *
 * @param response verified PKI message, must not be {@code null}
 * @param xipkiAction action code, or {@code null} for the plain current-CRL response
 * @return the CRL carried in the response
 * @throws PkiErrorException if the peer answered with an error body
 * @throws CmpClientException if the body type is unexpected or the expected
 *         {@code InfoTypeAndValue} is missing
 */
private X509CRLHolder evaluateCrlResponse(VerifiedPkiMessage response, Integer xipkiAction)
    throws CmpClientException, PkiErrorException {
  checkProtection(Args.notNull(response, "response"));

  final PKIBody body = response.getPkiMessage().getBody();
  final int type = body.getType();

  if (type == PKIBody.TYPE_ERROR) {
    ErrorMsgContent error = ErrorMsgContent.getInstance(body.getContent());
    throw new PkiErrorException(error.getPKIStatusInfo());
  }
  if (type != PKIBody.TYPE_GEN_REP) {
    throw new CmpClientException(String.format(
        "unknown PKI body type %s instead the expected [%s, %s]",
        type, PKIBody.TYPE_GEN_REP, PKIBody.TYPE_ERROR));
  }

  final boolean plainCrlRequest = (xipkiAction == null);
  final ASN1ObjectIdentifier expectedType = plainCrlRequest
      ? CMPObjectIdentifiers.it_currentCRL : ObjectIdentifiers.Xipki.id_xipki_cmp_cmpGenmsg;

  InfoTypeAndValue[] candidates =
      GenRepContent.getInstance(body.getContent()).toInfoTypeAndValueArray();

  // Take the first entry of the expected type; other entries are ignored.
  InfoTypeAndValue selected = null;
  if (candidates != null) {
    for (InfoTypeAndValue candidate : candidates) {
      if (expectedType.equals(candidate.getInfoType())) {
        selected = candidate;
        break;
      }
    }
  }

  if (selected == null) {
    throw new CmpClientException("the response does not contain InfoTypeAndValue "
        + expectedType);
  }

  ASN1Encodable crlAsn1 = plainCrlRequest
      ? selected.getInfoValue()
      : extractXiActionContent(selected.getInfoValue(), xipkiAction);

  return new X509CRLHolder(CertificateList.getInstance(crlAsn1));
}
 
Example 17
Source File: SubjectChecker.java    From xipki with Apache License 2.0
/**
 * Checks a subject attribute that is expected in a single, possibly multi-valued RDN.
 *
 * <p>The subject must contain exactly one RDN of the given type (or none, if the request
 * has none either). The attribute values of that type inside the RDN are counted against
 * the occurrence bounds of the {@code RdnControl} and then checked one by one against the
 * values of the request.
 *
 * @param type attribute type to check
 * @param subject subject of the issued certificate
 * @param requestedSubject subject of the request
 * @return the validation issue, with a failure message set if a check failed
 * @throws BadCertTemplateException propagated from the per-value checks
 */
private ValidationIssue checkSubjectAttributeMultiValued(ASN1ObjectIdentifier type,
    X500Name subject, X500Name requestedSubject) throws BadCertTemplateException {
  ValidationIssue issue = createSubjectIssue(type);

  RDN[] rdns = subject.getRDNs(type);
  int rdnsSize = (rdns == null) ? 0 : rdns.length;

  RDN[] requestedRdns = requestedSubject.getRDNs(type);

  // Anything other than exactly one RDN ends the check here.
  if (rdnsSize != 1) {
    if (rdnsSize == 0) {
      // absent in the certificate: only a failure if the request contained the attribute
      if (requestedRdns != null && requestedRdns.length > 0) {
        issue.setFailureMessage("is absent but expected present");
      }
    } else {
      issue.setFailureMessage("number of RDNs '" + rdnsSize + "' is not 1");
    }
    return issue;
  }

  // control configured for this attribute type, may be null
  final RdnControl rdnControl = subjectControl.getControl(type);

  // string type to check the encoding against; stays null without a control
  StringType stringType = null;
  if (rdnControl != null) {
    stringType = rdnControl.getStringType();
  }
  // text values of the request, in request order; compared by index further down
  List<String> requestedCoreAtvTextValues = new LinkedList<>();
  if (requestedRdns != null) {
    for (RDN requestedRdn : requestedRdns) {
      String textValue = getRdnTextValueOfRequest(requestedRdn);
      requestedCoreAtvTextValues.add(textValue);
    }
  }

  if (rdns == null) { // cannot be true here (rdnsSize is 1); only satisfies the null checker
    return issue;
  }

  StringBuilder failureMsg = new StringBuilder();

  // keep only the values of the requested type from the single RDN
  AttributeTypeAndValue[] li = rdns[0].getTypesAndValues();
  List<AttributeTypeAndValue> atvs = new LinkedList<>();
  for (AttributeTypeAndValue m : li) {
    if (type.equals(m.getType())) {
      atvs.add(m);
    }
  }

  final int atvsSize = atvs.size();

  // NOTE(review): without a control both bounds are 0, so any matching value fails the
  // range check below - confirm this is intended.
  int minOccurs = (rdnControl == null) ? 0 : rdnControl.getMinOccurs();
  int maxOccurs = (rdnControl == null) ? 0 : rdnControl.getMaxOccurs();

  if (atvsSize < minOccurs || atvsSize > maxOccurs) {
    issue.setFailureMessage("number of AttributeTypeAndValuess '" + atvsSize
        + "' is not within [" + minOccurs + ", " + maxOccurs + "]");
    return issue;
  }

  for (int i = 0; i < atvsSize; i++) {
    AttributeTypeAndValue atv = atvs.get(i);
    String atvTextValue = getAtvValueString("AttributeTypeAndValue[" + i + "]", atv,
        stringType, failureMsg);
    // a null text value is skipped; presumably the helper has already recorded the reason
    if (atvTextValue == null) {
      continue;
    }

    checkAttributeTypeAndValue("AttributeTypeAndValue[" + i + "]", type, atvTextValue,
        rdnControl, requestedCoreAtvTextValues, i, failureMsg);
  }

  // drop the last two characters of the collected messages (presumably the trailing
  // "; " separator) before reporting them
  int len = failureMsg.length();
  if (len > 2) {
    failureMsg.delete(len - 2, len);
    issue.setFailureMessage(failureMsg.toString());
  }

  return issue;
}
 
Example 18
Source File: SubjectChecker.java    From xipki with Apache License 2.0
/**
 * Checks one attribute value of the certificate subject against the configured control and
 * against the value of the request at the same index.
 *
 * <p>Violations are appended to {@code failureMsg}, each terminated by {@code "; "}. The
 * prefix, suffix and pattern checks return after the first violation.
 *
 * @param name label used in the violation messages
 * @param type attribute type of the value
 * @param atvTextValue text value taken from the certificate
 * @param rdnControl control with prefix, suffix and pattern, may be {@code null}
 * @param requestedCoreAtvTextValues text values of the request, indexed like the
 *        certificate values
 * @param index position of the value to compare in {@code requestedCoreAtvTextValues}
 * @param failureMsg collector for violations
 * @throws BadCertTemplateException if a dateOfBirth value does not pass the date validator
 */
private void checkAttributeTypeAndValue(String name, ASN1ObjectIdentifier type,
    String atvTextValue, RdnControl rdnControl, List<String> requestedCoreAtvTextValues,
    int index, StringBuilder failureMsg) throws BadCertTemplateException {
  // e-mail addresses are compared case-insensitively
  // NOTE(review): toLowerCase() without a Locale uses the default locale of the JVM
  if (atvTextValue != null && ObjectIdentifiers.DN.emailAddress.equals(type)) {
    atvTextValue = atvTextValue.toLowerCase();
  }

  if (ObjectIdentifiers.DN.dateOfBirth.equals(type)) {
    // dateOfBirth is validated by its own validator; the control is not consulted for it
    // NOTE(review): the message below reads "YYYMMDD"; presumably "YYYYMMDD" is meant
    if (!TextVadidator.DATE_OF_BIRTH.isValid(atvTextValue)) {
      throw new BadCertTemplateException(
          "Value of RDN dateOfBirth does not have format YYYMMDD000000Z");
    }
  } else if (rdnControl != null) {
    // the configured prefix must be present and is stripped before the later checks
    // NOTE(review): atvTextValue is dereferenced from here on without a null check
    String prefix = rdnControl.getPrefix();
    if (prefix != null) {
      if (!atvTextValue.startsWith(prefix)) {
        failureMsg.append(name).append(" '").append(atvTextValue)
          .append("' does not start with prefix '").append(prefix).append("'; ");
        return;
      } else {
        atvTextValue = atvTextValue.substring(prefix.length());
      }
    }

    // the same for the configured suffix
    String suffix = rdnControl.getSuffix();
    if (suffix != null) {
      if (!atvTextValue.endsWith(suffix)) {
        failureMsg.append(name).append(" '").append(atvTextValue)
          .append("' does not end with suffix '").append(suffix).append("'; ");
        return;
      } else {
        atvTextValue = atvTextValue.substring(0,
            atvTextValue.length() - suffix.length());
      }
    }

    // the remaining core value must pass the configured pattern, if there is one
    TextVadidator pattern = rdnControl.getPattern();
    if (pattern != null) {
      boolean matches = pattern.isValid(atvTextValue);
      if (!matches) {
        failureMsg.append(name).append(" '").append(atvTextValue)
          .append("' is not valid against regex '").append(pattern.pattern()).append("'; ");
        return;
      }
    }
  }

  // Compare with the request. serialNumber is exempt from both branches below.
  if (CollectionUtil.isEmpty(requestedCoreAtvTextValues)) {
    if (!type.equals(ObjectIdentifiers.DN.serialNumber)) {
      failureMsg.append("is present but not contained in the request; ");
    }
  } else {
    // NOTE(review): get(index) assumes the request has at least as many values as the
    // certificate; verify against the caller
    String requestedCoreAtvTextValue = requestedCoreAtvTextValues.get(index);
    if (!type.equals(ObjectIdentifiers.DN.serialNumber)) {
      if (requestedCoreAtvTextValue != null && type.equals(ObjectIdentifiers.DN.emailAddress)) {
        requestedCoreAtvTextValue = requestedCoreAtvTextValue.toLowerCase();
      }

      if (!atvTextValue.equals(requestedCoreAtvTextValue)) {
        failureMsg.append("content '").append(atvTextValue)
          .append("' but expected '").append(requestedCoreAtvTextValue).append("'; ");
      }
    }
  }
}
 
Example 19
Source File: ExtensionsChecker.java    From xipki with Apache License 2.0
/**
 * Checks the SubjectInfoAccess extension of a certificate against the requested extension
 * and the access methods permitted by the certificate profile.
 *
 * <p>Request and certificate must hold the same number of access descriptions. They are
 * compared index by index: same access method, and an access location equal to the one
 * built from the request under the general name modes configured for that access method.
 *
 * @param failureMsg collector for violations, each terminated by {@code "; "}
 * @param extensionValue encoded extension value taken from the certificate
 * @param requestedExtns extensions of the request, may be {@code null}
 * @param extControl extension control; not referenced in this method body
 */
private void checkExtnSubjectInfoAccess(StringBuilder failureMsg, byte[] extensionValue,
    Extensions requestedExtns, ExtensionControl extControl) {
  // permitted access methods and, for each, the allowed general name modes
  Map<ASN1ObjectIdentifier, Set<GeneralNameMode>> conf =
      certprofile.getSubjectInfoAccessModes();
  if (conf == null) {
    failureMsg.append("extension is present but not expected; ");
    return;
  }

  // the extension may only be present if the request asked for it
  ASN1Encodable requestExtValue = null;
  if (requestedExtns != null) {
    requestExtValue = requestedExtns.getExtensionParsedValue(Extension.subjectInfoAccess);
  }
  if (requestExtValue == null) {
    failureMsg.append("extension is present but not expected; ");
    return;
  }

  ASN1Sequence requestSeq = ASN1Sequence.getInstance(requestExtValue);
  ASN1Sequence certSeq = ASN1Sequence.getInstance(extensionValue);

  int size = requestSeq.size();

  if (certSeq.size() != size) {
    addViolation(failureMsg, "size of GeneralNames", certSeq.size(), size);
    return;
  }

  // entries are compared position by position, so the order must match as well
  for (int i = 0; i < size; i++) {
    AccessDescription ad = AccessDescription.getInstance(requestSeq.getObjectAt(i));
    ASN1ObjectIdentifier accessMethod = ad.getAccessMethod();
    Set<GeneralNameMode> generalNameModes = conf.get(accessMethod);

    // requested access method is not permitted by the profile
    // NOTE(review): accessMethod is dereferenced here, while the comparison further down
    // still treats null as a possible value
    if (generalNameModes == null) {
      failureMsg.append("accessMethod in requestedExtension ")
        .append(accessMethod.getId()).append(" is not allowed; ");
      continue;
    }

    AccessDescription certAccessDesc = AccessDescription.getInstance(
        certSeq.getObjectAt(i));
    ASN1ObjectIdentifier certAccessMethod = certAccessDesc.getAccessMethod();

    // null-safe equality of the two access methods
    boolean bo = (accessMethod == null) ? (certAccessMethod == null)
        : accessMethod.equals(certAccessMethod);

    if (!bo) {
      addViolation(failureMsg, "accessMethod",
          (certAccessMethod == null) ? "null" : certAccessMethod.getId(),
          (accessMethod == null) ? "null" : accessMethod.getId());
      continue;
    }

    // build the location expected for the request under the permitted modes
    GeneralName accessLocation;
    try {
      accessLocation = createGeneralName(ad.getAccessLocation(), generalNameModes);
    } catch (BadCertTemplateException ex) {
      failureMsg.append("invalid requestedExtension: ").append(ex.getMessage()).append("; ");
      continue;
    }

    GeneralName certAccessLocation = certAccessDesc.getAccessLocation();
    if (!certAccessLocation.equals(accessLocation)) {
      failureMsg.append("accessLocation does not match the requested one; ");
    }
  }
}
 
Example 20
Source File: ExtensionsChecker.java    From xipki with Apache License 2.0
/**
 * Checks the URIs of one access method in an AuthorityInformationAccess extension against
 * the expected set.
 *
 * <p>The number of access descriptions with that method must equal the number of expected
 * URIs, every access location must be a URI, and the two URI sets must be equal.
 *
 * @param failureMsg collector for violations
 * @param aia extension to check
 * @param accessMethod access method whose descriptions are checked
 * @param expectedUris URIs expected for that access method
 */
private static void checkAia(StringBuilder failureMsg, AuthorityInformationAccess aia,
    ASN1ObjectIdentifier accessMethod, Set<String> expectedUris) {
  // label used in the violation messages
  final String typeDesc = X509ObjectIdentifiers.id_ad_ocsp.equals(accessMethod) ? "OCSP"
      : X509ObjectIdentifiers.id_ad_caIssuers.equals(accessMethod) ? "caIssuer"
      : accessMethod.getId();

  List<AccessDescription> matching = new LinkedList<>();
  for (AccessDescription candidate : aia.getAccessDescriptions()) {
    if (accessMethod.equals(candidate.getAccessMethod())) {
      matching.add(candidate);
    }
  }

  final int actualCount = matching.size();
  if (actualCount != expectedUris.size()) {
    addViolation(failureMsg, "number of AIA " + typeDesc + " URIs", actualCount,
        expectedUris.size());
    return;
  }

  // collect the URIs actually present; a location of another kind is reported
  Set<String> actualUris = new HashSet<>();
  for (AccessDescription entry : matching) {
    GeneralName location = entry.getAccessLocation();
    if (location.getTagNo() == GeneralName.uniformResourceIdentifier) {
      actualUris.add(((ASN1String) location.getName()).getString());
    } else {
      addViolation(failureMsg, "tag of accessLocation of AIA ",
          location.getTagNo(), GeneralName.uniformResourceIdentifier);
    }
  }

  Set<String> unexpected = strInBnotInA(expectedUris, actualUris);
  if (CollectionUtil.isNotEmpty(unexpected)) {
    failureMsg.append(typeDesc).append(" URIs ").append(unexpected)
        .append(" are present but not expected; ");
  }

  Set<String> missing = strInBnotInA(actualUris, expectedUris);
  if (CollectionUtil.isNotEmpty(missing)) {
    failureMsg.append(typeDesc).append(" URIs ").append(missing)
        .append(" are absent but are required; ");
  }
}