Java Code Examples for org.bouncycastle.asn1.x509.GeneralNames#getNames()

Example 1
Source File: DefaultProfile.java (from hadoop-ozone, Apache License 2.0)
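/**
 * Validates the SubjectAlternative names in the Certificate request
 * against the profile.
 *
 * <p>The extension value is parsed exactly once. A value that does not decode
 * as GeneralNames is treated as a validation failure instead of letting Bouncy
 * Castle's IllegalArgumentException escape: the request is untrusted input,
 * and a malformed SAN must reject the request, not abort validation with a
 * stack trace. A SAN marked critical is rejected, and every GeneralName is
 * then handed to {@code profile.validateGeneralName}; the first rejected name
 * fails the whole request.
 *
 * @param ext - Extension - SAN, which allows us to get the SAN names.
 * @param profile - This profile.
 * @return - True if the request contains only SANs, General names that we
 * support. False otherwise.
 */
private static Boolean validateSubjectAlternativeName(Extension ext,
    PKIProfile profile) {
  final GeneralNames generalNames;
  try {
    generalNames = GeneralNames.getInstance(ext.getParsedValue());
  } catch (IllegalArgumentException e) {
    // Not a SEQUENCE OF GeneralName: reject rather than propagate.
    LOG.error("SAN extension value could not be parsed as GeneralNames.", e);
    return false;
  }
  if (ext.isCritical()) {
    // SAN extensions should not be marked as critical under ozone profile.
    LOG.error("SAN extension marked as critical in the Extension. {}",
        generalNames.toString());
    return false;
  }
  for (GeneralName name : generalNames.getNames()) {
    // NOTE(review): for iPAddress entries getName() is an OCTET STRING, so
    // this string is Bouncy Castle's "#hex" form rather than a dotted
    // address; validateGeneralName is assumed to cope with that — confirm.
    String value = name.getName().toString();
    try {
      if (!profile.validateGeneralName(name.getTagNo(), value)) {
        return false;
      }
    } catch (UnknownHostException e) {
      LOG.error("IP address validation failed. {}", value, e);
      return false;
    }
  }
  return true;
}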
 
Example 2
Source File: CRLDistributionPointsImpl.java (from SecuritySample, Apache License 2.0)
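/**
 * Collects the URI-form names found in the cRLIssuer field of every
 * distribution point of the certificate's CRLDistributionPoints extension.
 *
 * <p>{@code URINames} stays empty when the extension is absent. Only entries
 * tagged {@link GeneralName#uniformResourceIdentifier} are kept, and the URI
 * is read from the name value itself: {@code GeneralName.toString()} prefixes
 * the value with its tag ("6: http://..."), which previously leaked into the
 * collected strings.
 *
 * <p>NOTE(review): per RFC 5280 cRLIssuer names the entity that signs the CRL;
 * fetch locations normally live in {@code DistributionPoint.getDistributionPoint()}.
 * Confirm that cRLIssuer is really the intended source for these URIs.
 *
 * @param cert certificate whose extension is inspected
 * @throws CertificateException kept for signature compatibility
 * @throws IOException if the extension value cannot be decoded
 */
public CRLDistributionPointsImpl(X509Certificate cert) throws CertificateException, IOException {
	URINames = new ArrayList<>();
	byte[] extVal = cert.getExtensionValue(Extension.cRLDistributionPoints.getId());
	if (extVal == null) {
		return;
	}
	CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(X509ExtensionUtil.fromExtensionValue(extVal));
	for (DistributionPoint point : crlDistPoint.getDistributionPoints()) {
		GeneralNames issuerNames = point.getCRLIssuer();
		if (issuerNames == null) {
			continue;
		}
		for (GeneralName issuer : issuerNames.getNames()) {
			if (issuer.getTagNo() == GeneralName.uniformResourceIdentifier) {
				// The name value is the IA5String; its toString() is the bare URI.
				URINames.add(issuer.getName().toString());
			}
		}
	}
}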
 
Example 3
Source File: X509Ext.java (from portecle, GNU General Public License v2.0)
/**
 * Renders a GeneralNames object as an HTML unordered list, one list item per
 * GeneralName, delegating the per-name text to getGeneralNameString.
 *
 * NOTE(review): the per-name text is concatenated into HTML verbatim here, so
 * any escaping of attacker-controlled name values has to happen inside
 * getGeneralNameString — confirm that it does.
 *
 * @param generalNames General names
 * @param linkClass forwarded to getGeneralNameString
 * @return Formatted string
 * @throws IOException propagated from getGeneralNameString
 */
private String getGeneralNamesString(GeneralNames generalNames, LinkClass linkClass)
    throws IOException
{
	StringBuilder html = new StringBuilder("<ul>");
	for (GeneralName name : generalNames.getNames())
	{
		html.append("<li>").append(getGeneralNameString(name, linkClass)).append("</li>");
	}
	return html.append("</ul>").toString();
}
 
Example 4
Source File: Crypto.java (from athenz, Apache License 2.0)
/**
 * Returns the IP addresses listed in the subjectAltName extension request of
 * a CSR, as textual addresses.
 *
 * Every pkcs-9-at-extensionRequest attribute is examined; from each value the
 * subjectAltName extension (if present) is read and its iPAddress entries are
 * converted with InetAddress.getByAddress. Entries whose octets are not a
 * valid IPv4/IPv6 length raise UnknownHostException and are skipped, so the
 * result contains only the parseable addresses.
 *
 * @param certReq certification request to inspect
 * @return textual IP addresses in SAN order; empty list when none are present
 */
public static List<String> extractX509CSRIPAddresses(PKCS10CertificationRequest certReq) {
    List<String> ipAddresses = new ArrayList<>();
    for (Attribute attribute : certReq.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
        for (ASN1Encodable value : attribute.getAttributeValues()) {
            GeneralNames gns = GeneralNames.fromExtensions(
                    Extensions.getInstance(value), Extension.subjectAlternativeName);
            ///CLOVER:OFF
            if (gns == null) {
                continue;
            }
            ///CLOVER:ON
            for (GeneralName name : gns.getNames()) {
                if (name.getTagNo() != GeneralName.iPAddress) {
                    continue;
                }
                // iPAddress carries the raw 4- or 16-byte address as an OCTET STRING.
                byte[] octets = ((DEROctetString) name.getName()).getOctets();
                try {
                    ipAddresses.add(InetAddress.getByAddress(octets).getHostAddress());
                } catch (UnknownHostException ignored) {
                    // wrong octet length: not a usable address, skip it
                }
            }
        }
    }
    return ipAddresses;
}
 
Example 5
Source File: DSubjectAlternativeName.java (from keystore-explorer, GNU General Public License v3.0)
/**
 * OK-button handler: rejects an empty alternative-name list with a warning
 * dialog; otherwise DER-encodes the names into {@code value} and closes the
 * dialog. An encoding failure is shown via DError and keeps the dialog open.
 */
private void okPressed() {
	GeneralNames names = jgnAlternativeName.getGeneralNames();

	if (names.getNames().length == 0) {
		String msg = res.getString("DSubjectAlternativeName.ValueReq.message");
		JOptionPane.showMessageDialog(this, msg, getTitle(), JOptionPane.WARNING_MESSAGE);
		return;
	}

	byte[] encoded;
	try {
		encoded = names.getEncoded(ASN1Encoding.DER);
	} catch (IOException e) {
		DError.displayError(this, e);
		return;
	}
	value = encoded;
	closeDialog();
}
 
Example 6
Source File: TlsHelperTest.java (from nifi, Apache License 2.0)
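/**
 * Extracts the subjectAltName entries requested in a CSR's
 * pkcs-9-at-extensionRequest attribute as "Type: value" strings.
 *
 * <p>An extension request that carries no subjectAltName is tolerated:
 * {@code GeneralNames.fromExtensions} returns null in that case and the
 * attribute is skipped instead of throwing a NullPointerException. Entries
 * that are not dNSName, iPAddress or otherName keep an empty type prefix.
 * Note that for iPAddress the rendered value is Bouncy Castle's OCTET STRING
 * form ("#hex"), not a dotted address.
 *
 * @param csr request to inspect
 * @return rendered SAN entries in request order; empty when none
 */
private List<String> extractSanFromCsr(JcaPKCS10CertificationRequest csr) {
    List<String> sans = new ArrayList<>();
    for (Attribute attribute : csr.getAttributes()) {
        if (!attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
            continue;
        }
        Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
        GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
        if (gns == null) {
            // extension request present, but without a subjectAltName
            continue;
        }
        for (GeneralName name : gns.getNames()) {
            logger.info("Type: " + name.getTagNo() + " | Name: " + name.getName());
            String title = "";
            if (name.getTagNo() == GeneralName.dNSName) {
                title = "DNS";
            } else if (name.getTagNo() == GeneralName.iPAddress) {
                title = "IP Address";
            } else if (name.getTagNo() == GeneralName.otherName) {
                title = "Other Name";
            }
            sans.add(title + ": " + name.getName());
        }
    }

    return sans;
}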
 
Example 7
Source File: X509Ext.java (from keystore-explorer, GNU General Public License v3.0)
/**
 * Renders an IssuerAltName extension value, one GeneralName per line.
 *
 * IssuerAltName ::= GeneralNames
 * GeneralNames  ::= SEQUENCE SIZE (1..MAX) OF GeneralName
 *
 * @param value DER-encoded extension value
 * @return one GeneralNameUtil.toString line per name, each followed by NEWLINE
 * @throws IOException declared by the signature; presumably raised by the name rendering
 */
private String getIssuerAlternativeNameStringValue(byte[] value) throws IOException {
	GeneralName[] names = GeneralNames.getInstance(value).getNames();
	StringBuilder out = new StringBuilder();
	for (int i = 0; i < names.length; i++) {
		out.append(GeneralNameUtil.toString(names[i])).append(NEWLINE);
	}
	return out.toString();
}
 
Example 8
Source File: DIssuerAlternativeName.java (from keystore-explorer, GNU General Public License v3.0)
/**
 * OK-button handler: rejects an empty issuer-alternative-name list with a
 * warning dialog; otherwise DER-encodes the names into {@code value} and
 * closes the dialog. An encoding failure is shown via DError and keeps the
 * dialog open.
 */
private void okPressed() {
	GeneralNames names = jgnAlternativeName.getGeneralNames();

	if (names.getNames().length == 0) {
		String msg = res.getString("DIssuerAlternativeName.ValueReq.message");
		JOptionPane.showMessageDialog(this, msg, getTitle(), JOptionPane.WARNING_MESSAGE);
		return;
	}

	byte[] encoded;
	try {
		encoded = names.getEncoded(ASN1Encoding.DER);
	} catch (IOException e) {
		DError.displayError(this, e);
		return;
	}
	value = encoded;
	closeDialog();
}
 
Example 9
Source File: DSSASN1Utils.java (from dss, GNU Lesser General Public License v2.1)
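/**
 * Transforms an object of class {@code IssuerSerial} into instance of
 * {@code CertificateIdentifier}.
 *
 * <p>The issuer name is taken over only when the IssuerSerial carries exactly
 * one GeneralName and that name is a directoryName — the only GeneralName
 * choice that encodes an X.500 Name. Any other tag is logged and the issuer
 * is left unset, so the serial number still comes back instead of the
 * catch-all below discarding the whole identifier on the
 * IllegalArgumentException that X500Principal raises for non-Name bytes.
 * Any other decoding failure is logged and yields null.
 *
 * @param issuerAndSerial {@link IssuerSerial} to transform
 * @return {@link CertificateIdentifier}, or null if the input is null or unreadable
 */
public static CertificateIdentifier toCertificateIdentifier(IssuerSerial issuerAndSerial) {
	if (issuerAndSerial == null) {
		return null;
	}
	try {
		CertificateIdentifier certificateIdentifier = new CertificateIdentifier();
		GeneralNames gnames = issuerAndSerial.getIssuer();
		if (gnames != null) {
			GeneralName[] names = gnames.getNames();
			if (names.length != 1) {
				LOG.warn("More than one GeneralName");
			} else if (names[0].getTagNo() != GeneralName.directoryName) {
				// Only a directoryName can be turned into an X500Principal.
				LOG.warn("Issuer GeneralName is not a directoryName (tag {})", names[0].getTagNo());
			} else {
				byte[] encodedName = names[0].getName().toASN1Primitive().getEncoded(ASN1Encoding.DER);
				certificateIdentifier.setIssuerName(new X500Principal(encodedName));
			}
		}

		ASN1Integer serialNumber = issuerAndSerial.getSerial();
		if (serialNumber != null) {
			certificateIdentifier.setSerialNumber(serialNumber.getValue());
		}

		return certificateIdentifier;
	} catch (Exception e) {
		LOG.error("Unable to read the IssuerSerial object", e);
		return null;
	}
}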
 
Example 10
Source File: DSSASN1Utils.java (from dss, GNU Lesser General Public License v2.1)
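/**
 * Gives back the {@code List} of CRL URI meta-data found within the given X509 certificate.
 *
 * <p>Only distribution points whose DistributionPointName is a fullName are
 * considered. nameRelativeToCRLIssuer entries, and distribution points that
 * omit the name altogether (RFC 5280 allows that when cRLIssuer is present),
 * are skipped instead of aborting the whole extraction with a
 * NullPointerException. Each fullName entry is converted by {@code parseGn};
 * entries it maps to null are dropped. Any decoding failure is logged and the
 * URIs collected so far are returned.
 *
 * @param certificateToken
 *            the cert token certificate
 * @return the {@code List} of CRL URI, or empty list if the extension is not present
 */
public static List<String> getCrlUrls(final CertificateToken certificateToken) {
	final List<String> urls = new ArrayList<>();

	final byte[] crlDistributionPointsBytes = certificateToken.getCertificate().getExtensionValue(Extension.cRLDistributionPoints.getId());
	if (crlDistributionPointsBytes == null) {
		return urls;
	}
	try {
		final ASN1Sequence asn1Sequence = DSSASN1Utils.getAsn1SequenceFromDerOctetString(crlDistributionPointsBytes);
		final CRLDistPoint distPoint = CRLDistPoint.getInstance(asn1Sequence);
		for (final DistributionPoint distributionPoint : distPoint.getDistributionPoints()) {
			final DistributionPointName distributionPointName = distributionPoint.getDistributionPoint();
			if (distributionPointName == null
					|| DistributionPointName.FULL_NAME != distributionPointName.getType()) {
				continue;
			}
			// getName() is typed ASN1Encodable; getInstance accepts both a
			// GeneralNames object and its raw sequence form.
			final GeneralNames generalNames = GeneralNames.getInstance(distributionPointName.getName());
			for (final GeneralName name : generalNames.getNames()) {
				final String location = parseGn(name);
				if (location != null) {
					urls.add(location);
				}
			}
		}
	} catch (Exception e) {
		LOG.error("Unable to parse cRLDistributionPoints", e);
	}

	return urls;
}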
 
Example 11
Source File: AbstractCRLUtils.java (from dss, GNU Lesser General Public License v2.1)
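/**
 * Returns the first uniformResourceIdentifier of a fullName
 * DistributionPointName, or null.
 *
 * <p>For tag 6 {@code GeneralName.getName()} is the IA5String itself, so the
 * URI is read from it directly. This replaces the previous
 * {@code ((DERTaggedObject) toASN1Primitive()).getObject()} chain, which
 * relied on Bouncy Castle's internal tagged-object class and the deprecated
 * {@code getObject()} accessor.
 *
 * <p>NOTE(review): the URI scheme is not restricted here; a caller that fetches
 * the CRL should accept only http/https rather than ldap/file URIs.
 *
 * @param distributionPoint distribution point name, may be null
 * @return the first URI string, or null if there is none
 */
private String getUrl(DistributionPointName distributionPoint) {
	if (distributionPoint == null || DistributionPointName.FULL_NAME != distributionPoint.getType()) {
		return null;
	}
	final GeneralNames generalNames = GeneralNames.getInstance(distributionPoint.getName());
	if (generalNames == null || generalNames.getNames() == null) {
		return null;
	}
	for (GeneralName generalName : generalNames.getNames()) {
		if (GeneralName.uniformResourceIdentifier == generalName.getTagNo()) {
			return ((ASN1String) generalName.getName()).getString();
		}
	}
	return null;
}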
 
Example 12
Source File: GeneralNamesTableModel.java (from keystore-explorer, GNU General Public License v3.0)
/**
 * Replaces the model's rows with the given general names, sorted with
 * GeneralNameComparator, and notifies table listeners.
 *
 * @param generalNames
 *            The general names
 */
public void load(GeneralNames generalNames) {
	ArrayList<GeneralName> rows = new ArrayList<>(Arrays.asList(generalNames.getNames()));
	Collections.sort(rows, new GeneralNameComparator());
	data = rows;
	fireTableDataChanged();
}
 
Example 13
Source File: SubjectAlternativeNameImpl.java (from SecuritySample, Apache License 2.0)
/**
 * Collects the dNSName entries of the certificate's subjectAltName extension
 * into {@code DNSNames}; the list stays empty when the extension is absent.
 * Values are taken verbatim from the IA5String — no hostname syntax check is
 * applied here.
 *
 * @param cert certificate to inspect
 * @throws IOException if the extension value cannot be decoded
 */
public SubjectAlternativeNameImpl(X509Certificate cert) throws IOException {
	DNSNames = new ArrayList<>();
	byte[] encoded = cert.getExtensionValue(Extension.subjectAlternativeName.getId());
	if (encoded == null) {
		return;
	}
	GeneralNames sans = GeneralNames.getInstance(X509ExtensionUtil.fromExtensionValue(encoded));
	for (GeneralName san : sans.getNames()) {
		if (san.getTagNo() != GeneralName.dNSName) {
			continue;
		}
		DNSNames.add(san.getName().toString());
	}
}
 
Example 14
Source File: CRLCertificateVerifier.java (from oxAuth, MIT License)
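/**
 * Returns the first URI-form CRL distribution point of a certificate, or
 * null when the extension is missing, cannot be read, or holds no
 * uniformResourceIdentifier fullName entry.
 *
 * <p>Distribution points without a DistributionPointName (permitted by
 * RFC 5280 when cRLIssuer is set) are skipped instead of raising a
 * NullPointerException, and the URI is read from the GeneralName value
 * (the IA5String) instead of re-parsing the tagged object.
 *
 * <p>NOTE(review): the scheme is not restricted here; a caller that fetches
 * from the returned URI should accept only http/https.
 *
 * @param certificate certificate to inspect
 * @return first CRL URI, or null
 * @throws IOException declared by the signature; extension read failures are
 *         logged and yield null
 */
public String getCrlUri(X509Certificate certificate) throws IOException {
	ASN1Primitive obj;
	try {
		obj = getExtensionValue(certificate, Extension.cRLDistributionPoints.getId());
	} catch (IOException ex) {
		log.error("Failed to get CRL URL", ex);
		return null;
	}

	if (obj == null) {
		return null;
	}

	CRLDistPoint distPoint = CRLDistPoint.getInstance(obj);

	for (DistributionPoint distributionPoint : distPoint.getDistributionPoints()) {
		DistributionPointName distributionPointName = distributionPoint.getDistributionPoint();
		if (distributionPointName == null
				|| DistributionPointName.FULL_NAME != distributionPointName.getType()) {
			continue;
		}

		GeneralNames generalNames = GeneralNames.getInstance(distributionPointName.getName());
		for (GeneralName name : generalNames.getNames()) {
			if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
				continue;
			}
			// For tag 6 the name value is the IA5String itself.
			return DERIA5String.getInstance(name.getName()).getString();
		}
	}

	return null;
}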
 
Example 15
Source File: ExtensionsChecker.java (from xipki, Apache License 2.0)
/**
 * Builds the SubjectAltName entries to grant for a request: names derived
 * from the (granted) Subject through the profile's subject-to-SAN mapping,
 * followed by the entries the requester asked for in its
 * subjectAlternativeName extension.
 *
 * <p>Returns null when neither source yields anything. When the profile
 * defines neither SAN modes nor a subject-to-SAN mapping, the requested names
 * are returned exactly as requested.
 *
 * <p>NOTE(review): inside this method the requested entries are appended to
 * the granted list without being checked against the profile — the
 * subjectAltNameModes fetched here are only tested for null, never used to
 * filter. Enforcement presumably happens in the caller; confirm before
 * relying on it.
 *
 * @param requestedSubject subject DN from the request
 * @param requestedExtns requested extensions, may be null
 * @return granted GeneralNames, or null if there are none
 * @throws CertprofileException declared; presumably raised by certprofile.getSubject
 * @throws BadCertTemplateException declared; presumably raised by certprofile.getSubject
 */
private GeneralName[] getRequestedSubjectAltNames(X500Name requestedSubject,
    Extensions requestedExtns) throws CertprofileException, BadCertTemplateException {
  // Parsed value of the requested SAN extension, or null when not requested.
  ASN1Encodable extValue = (requestedExtns == null) ? null
      : requestedExtns.getExtensionParsedValue(Extension.subjectAlternativeName);

  Map<ASN1ObjectIdentifier, GeneralNameTag> subjectToSubjectAltNameModes =
      certprofile.getSubjectToSubjectAltNameModes();
  if (extValue == null && subjectToSubjectAltNameModes == null) {
    return null;
  }

  GeneralNames reqNames = (extValue == null) ? null : GeneralNames.getInstance(extValue);

  Set<GeneralNameMode> subjectAltNameModes = certprofile.getSubjectAltNameModes();
  if (subjectAltNameModes == null && subjectToSubjectAltNameModes == null) {
    // No SAN policy in the profile at all: hand back exactly what was requested.
    return (reqNames == null) ? null : reqNames.getNames();
  }

  List<GeneralName> grantedNames = new LinkedList<>();
  // copy the required attributes of Subject
  if (subjectToSubjectAltNameModes != null) {
    X500Name grantedSubject = certprofile.getSubject(requestedSubject).getGrantedSubject();

    for (ASN1ObjectIdentifier attrType : subjectToSubjectAltNameModes.keySet()) {
      GeneralNameTag tag = subjectToSubjectAltNameModes.get(attrType);

      // Prefer the granted subject; fall back to the requested subject when
      // the attribute is absent there.
      RDN[] rdns = grantedSubject.getRDNs(attrType);
      if (rdns == null || rdns.length == 0) {
        rdns = requestedSubject.getRDNs(attrType);
      }

      if (rdns == null || rdns.length == 0) {
        continue;
      }

      for (RDN rdn : rdns) {
        // Only the first AttributeTypeAndValue of a multi-valued RDN is used.
        String rdnValue = X509Util.rdnValueToString(rdn.getFirst().getValue());
        switch (tag) {
          case rfc822Name:
            // NOTE(review): default-locale toLowerCase(); Locale.ROOT would
            // avoid locale-specific case mappings (e.g. Turkish dotless i).
            grantedNames.add(new GeneralName(tag.getTag(), rdnValue.toLowerCase()));
            break;
          case DNSName:
          case uniformResourceIdentifier:
          case IPAddress:
          case directoryName:
          case registeredID:
            // GeneralName(int, String) parses the string form for these tags.
            grantedNames.add(new GeneralName(tag.getTag(), rdnValue));
            break;
          default:
            throw new IllegalStateException(
                "should not reach here, unknown GeneralName tag " + tag);
        } // end switch (tag)
      }
    }
  }

  // copy the requested SubjectAltName entries
  // (appended verbatim; see the NOTE(review) in the Javadoc)
  if (reqNames != null) {
    GeneralName[] reqL = reqNames.getNames();
    for (int i = 0; i < reqL.length; i++) {
      grantedNames.add(reqL[i]);
    }
  }

  return grantedNames.isEmpty() ? null : grantedNames.toArray(new GeneralName[0]);
}
 
Example 16
Source File: X509Ext.java (from keystore-explorer, GNU General Public License v3.0)
/**
 * Renders a DistributionPointName — either a fullName list of GeneralNames or
 * a nameRelativeToCRLIssuer RDN — as indented, NEWLINE-terminated text.
 *
 * DistributionPointName ::= CHOICE {
 *   fullName                [0] GeneralNames,
 *   nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
 *
 * RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
 * AttributeTypeAndValue ::= SEQUENCE { type AttributeType, value AttributeValue }
 *
 * @param distributionPointName the name to render
 * @param baseIndent indentation prefixed to every emitted line
 * @return the rendered text
 * @throws IOException declared by the signature; presumably raised by the rendering helpers
 */
private String getDistributionPointNameString(DistributionPointName distributionPointName, String baseIndent)
		throws IOException {
	StringBuilder sb = new StringBuilder();
	String level1 = baseIndent + INDENT;
	String level2 = level1 + INDENT;

	sb.append(baseIndent).append(res.getString("DistributionPointName")).append(NEWLINE);

	if (distributionPointName.getType() == DistributionPointName.FULL_NAME) {
		sb.append(level1).append(res.getString("DistributionPointFullName")).append(NEWLINE);

		GeneralNames generalNames = GeneralNames.getInstance(distributionPointName.getName());
		for (GeneralName generalName : generalNames.getNames()) {
			sb.append(level2).append(GeneralNameUtil.toString(generalName)).append(NEWLINE);
		}
	} else {
		// the only other choice: nameRelativeToCRLIssuer
		sb.append(level1).append(res.getString("DistributionPointNameRelativeToCrlIssuer")).append(NEWLINE);

		RDN rdn = RDN.getInstance(distributionPointName.getName());
		for (AttributeTypeAndValue atv : rdn.getTypesAndValues()) {
			ASN1ObjectIdentifier attributeType = atv.getType();
			String typeStr = getAttributeTypeString(attributeType);
			String valueStr = getAttributeValueString(attributeType, atv.getValue());
			sb.append(level2).append(MessageFormat.format("{0}={1}", typeStr, valueStr)).append(NEWLINE);
		}
	}

	return sb.toString();
}
 
Example 17
Source File: ExtensionsChecker.java (from xipki, Apache License 2.0)
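/**
 * Checks the delta-CRL distribution points extension against the issuer's
 * expected CRL URLs, recording every deviation in {@code failureMsg}.
 *
 * <p>Expected shape: exactly one DistributionPoint whose DistributionPointName
 * is a fullName consisting of uniformResourceIdentifier entries, and whose URI
 * set equals {@code issuerInfo.getCrlUrls()}. A DistributionPoint that omits
 * the distributionPoint field (optional per RFC 5280) is reported as a
 * violation instead of triggering a NullPointerException.
 *
 * @param failureMsg accumulates violation text
 * @param extensionValue DER-encoded CRLDistPoint
 * @param issuerInfo supplies the expected CRL URLs
 */
private void checkExtnDeltaCrlDistributionPoints(StringBuilder failureMsg,
    byte[] extensionValue, IssuerInfo issuerInfo) {
  CRLDistPoint isCrlDistPoints = CRLDistPoint.getInstance(extensionValue);
  DistributionPoint[] isDistributionPoints = isCrlDistPoints.getDistributionPoints();
  int len = (isDistributionPoints == null) ? 0 : isDistributionPoints.length;
  if (len != 1) {
    addViolation(failureMsg, "size of CRLDistributionPoints (deltaCRL)", len, 1);
    return;
  }

  Set<String> isCrlUrls = new HashSet<>();
  for (DistributionPoint entry : isDistributionPoints) {
    DistributionPointName dpName = entry.getDistributionPoint();
    if (dpName == null) {
      failureMsg.append("DistributionPointName of CRLDistributionPoints (deltaCRL) is absent; ");
      continue;
    }
    int asn1Type = dpName.getType();
    if (asn1Type != DistributionPointName.FULL_NAME) {
      addViolation(failureMsg, "tag of DistributionPointName of CRLDistibutionPoints (deltaCRL)",
          asn1Type, DistributionPointName.FULL_NAME);
      continue;
    }

    GeneralNames isDistributionPointNames = GeneralNames.getInstance(dpName.getName());
    for (GeneralName name : isDistributionPointNames.getNames()) {
      if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
        addViolation(failureMsg, "tag of deltaCRL URL", name.getTagNo(),
            GeneralName.uniformResourceIdentifier);
      } else {
        // for tag 6 the name value is the IA5String
        isCrlUrls.add(((ASN1String) name.getName()).getString());
      }
    }

    Set<String> expCrlUrls = issuerInfo.getCrlUrls();
    Set<String> diffs = strInBnotInA(expCrlUrls, isCrlUrls);
    if (CollectionUtil.isNotEmpty(diffs)) {
      failureMsg.append("deltaCRL URLs ").append(diffs).append(" are present but not expected; ");
    }

    diffs = strInBnotInA(isCrlUrls, expCrlUrls);
    if (CollectionUtil.isNotEmpty(diffs)) {
      failureMsg.append("deltaCRL URLs ").append(diffs).append(" are absent but are required; ");
    }
  }
}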
 
Example 18
Source File: X509Ext.java (from keystore-explorer, GNU General Public License v3.0)
/**
 * Renders an AuthorityKeyIdentifier extension value: the key identifier as a
 * hex string, the authorityCertIssuer names one per indented line, and the
 * authorityCertSerialNumber through HexUtil.getHexString. Every component is
 * optional and is left out of the output when absent.
 *
 * AuthorityKeyIdentifier ::= SEQUENCE {
 *   keyIdentifier             [0] KeyIdentifier            OPTIONAL,
 *   authorityCertIssuer       [1] GeneralNames             OPTIONAL,
 *   authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
 *
 * KeyIdentifier ::= OCTET STRING
 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
 * CertificateSerialNumber ::= INTEGER
 *
 * @param value DER-encoded extension value
 * @return rendered text, NEWLINE-terminated lines
 * @throws IOException declared by the signature; presumably raised by the name rendering
 */
private String getAuthorityKeyIdentifierStringValue(byte[] value) throws IOException {
	AuthorityKeyIdentifier akid = AuthorityKeyIdentifier.getInstance(value);
	StringBuilder out = new StringBuilder();

	byte[] keyId = akid.getKeyIdentifier();
	if (keyId != null) {
		// hex rendering of the OCTET STRING
		out.append(MessageFormat.format(res.getString("AuthorityKeyIdentifier"), HexUtil.getHexString(keyId)));
		out.append(NEWLINE);
	}

	GeneralNames issuer = akid.getAuthorityCertIssuer();
	if (issuer != null) {
		out.append(res.getString("CertificateIssuer")).append(NEWLINE);
		for (GeneralName generalName : issuer.getNames()) {
			out.append(INDENT).append(GeneralNameUtil.toString(generalName)).append(NEWLINE);
		}
	}

	BigInteger serial = akid.getAuthorityCertSerialNumber();
	if (serial != null) {
		// rendered via HexUtil, i.e. as hex rather than decimal
		out.append(MessageFormat.format(res.getString("CertificateSerialNumber"), HexUtil.getHexString(serial)));
		out.append(NEWLINE);
	}

	return out.toString();
}
 
Example 19
Source File: RootCAProvider.java (from cloudstack, Apache License 2.0)
/**
 * Signs a certificate for a PEM-encoded CSR with the root CA key pair.
 *
 * <p>The SAN list of the issued certificate is the union of the caller-supplied
 * {@code names}/{@code ips} and the dNSName/iPAddress entries found in the
 * CSR's pkcs-9-at-extensionRequest attribute; the subject DN and public key
 * are taken from the CSR as-is.
 *
 * <p>NOTE(review): nothing in this method validates the names copied out of
 * the CSR, so any dNSName or iPAddress a requester places in its CSR ends up
 * in a CA-signed certificate unless the caller has authorized them beforehand;
 * confirm that callers enforce that.
 * NOTE(review): the CSR signature (proof of possession of the private key) is
 * not verified here either — confirm it is checked before this is called.
 *
 * @param csr PEM-encoded PKCS#10 request
 * @param names additional DNS names to include, may be null
 * @param ips additional IP addresses to include, may be null
 * @param validityDays certificate lifetime in days
 * @return the signed certificate, with the CA certificate as its chain
 * @throws CloudRuntimeException if the CSR cannot be read as a PEM object
 * @throws IOException for CSR decoding problems, including an iPAddress whose
 *         octets are not a valid address length (UnknownHostException)
 */
private Certificate generateCertificateUsingCsr(final String csr, final List<String> names, final List<String> ips, final int validityDays) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, CertificateException, SignatureException, IOException, OperatorCreationException {
    final List<String> dnsNames = new ArrayList<>();
    final List<String> ipAddresses = new ArrayList<>();

    if (names != null) {
        dnsNames.addAll(names);
    }
    if (ips != null) {
        ipAddresses.addAll(ips);
    }

    PemObject pemObject = null;

    try {
        final PemReader pemReader = new PemReader(new StringReader(csr));
        pemObject = pemReader.readPemObject();
    } catch (IOException e) {
        LOG.error("Failed to read provided CSR string as a PEM object", e);
    }

    if (pemObject == null) {
        // NOTE(review): the raw CSR text is echoed into the exception message.
        throw new CloudRuntimeException("Unable to read/process CSR: " + csr);
    }

    final JcaPKCS10CertificationRequest request = new JcaPKCS10CertificationRequest(pemObject.getContent());
    final String subject = request.getSubject().toString();
    for (final Attribute attribute : request.getAttributes()) {
        if (attribute == null) {
            continue;
        }
        if (attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
            // Only the first value of the extensionRequest attribute is read.
            final Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
            final GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
            if (gns != null && gns.getNames() != null && gns.getNames().length > 0) {
                for (final GeneralName name : gns.getNames()) {
                    if (name.getTagNo() == GeneralName.dNSName) {
                        // IA5String: toString() is the bare host name, unvalidated.
                        dnsNames.add(name.getName().toString());
                    }
                    if (name.getTagNo() == GeneralName.iPAddress) {
                        // Parses the "#hex" toString form of the OCTET STRING; substring(1)
                        // drops the '#'. Reading the octets from the ASN1OctetString would
                        // be more robust, and DatatypeConverter (javax.xml.bind) is no
                        // longer part of the JDK from Java 11 on.
                        final InetAddress address = InetAddress.getByAddress(DatatypeConverter.parseHexBinary(name.getName().toString().substring(1)));
                        // InetAddress.toString() is "host/literal" with an empty host here,
                        // so stripping the "/" leaves the address literal.
                        ipAddresses.add(address.toString().replace("/", ""));
                    }
                }
            }
        }
    }

    final X509Certificate clientCertificate = CertUtils.generateV3Certificate(
            caCertificate, caKeyPair, request.getPublicKey(),
            subject, CAManager.CertSignatureAlgorithm.value(),
            validityDays, dnsNames, ipAddresses);
    return new Certificate(clientCertificate, null, Collections.singletonList(caCertificate));
}
 
Example 20
Source File: ExtensionsChecker.java (from xipki, Apache License 2.0)
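/**
 * Checks the CRL distribution points extension against the issuer's expected
 * CRL URLs, recording every deviation in {@code failureMsg}.
 *
 * <p>Expected shape: exactly one DistributionPoint whose DistributionPointName
 * is a fullName consisting of uniformResourceIdentifier entries, and whose URI
 * set equals {@code issuerInfo.getCrlUrls()}. A DistributionPoint that omits
 * the distributionPoint field (optional per RFC 5280) is reported as a
 * violation instead of triggering a NullPointerException.
 *
 * @param failureMsg accumulates violation text
 * @param extensionValue DER-encoded CRLDistPoint
 * @param issuerInfo supplies the expected CRL URLs
 */
private void checkExtnCrlDistributionPoints(StringBuilder failureMsg,
    byte[] extensionValue, IssuerInfo issuerInfo) {
  CRLDistPoint isCrlDistPoints = CRLDistPoint.getInstance(extensionValue);
  DistributionPoint[] isDistributionPoints = isCrlDistPoints.getDistributionPoints();
  int len = (isDistributionPoints == null) ? 0 : isDistributionPoints.length;
  if (len != 1) {
    addViolation(failureMsg, "size of CRLDistributionPoints", len, 1);
    return;
  }

  Set<String> isCrlUrls = new HashSet<>();
  for (DistributionPoint entry : isDistributionPoints) {
    DistributionPointName dpName = entry.getDistributionPoint();
    if (dpName == null) {
      failureMsg.append("DistributionPointName of CRLDistributionPoints is absent; ");
      continue;
    }
    int asn1Type = dpName.getType();
    if (asn1Type != DistributionPointName.FULL_NAME) {
      addViolation(failureMsg, "tag of DistributionPointName of CRLDistibutionPoints",
          asn1Type, DistributionPointName.FULL_NAME);
      continue;
    }

    GeneralNames isDistributionPointNames = GeneralNames.getInstance(dpName.getName());
    for (GeneralName name : isDistributionPointNames.getNames()) {
      if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
        addViolation(failureMsg, "tag of CRL URL", name.getTagNo(),
            GeneralName.uniformResourceIdentifier);
      } else {
        // for tag 6 the name value is the IA5String
        isCrlUrls.add(((ASN1String) name.getName()).getString());
      }
    }

    Set<String> expCrlUrls = issuerInfo.getCrlUrls();
    Set<String> diffs = strInBnotInA(expCrlUrls, isCrlUrls);
    if (CollectionUtil.isNotEmpty(diffs)) {
      failureMsg.append("CRL URLs ").append(diffs).append(" are present but not expected; ");
    }

    diffs = strInBnotInA(isCrlUrls, expCrlUrls);
    if (CollectionUtil.isNotEmpty(diffs)) {
      failureMsg.append("CRL URLs ").append(diffs).append(" are absent but are required; ");
    }
  }
}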