Search in sources :

Example 76 with Certificate

use of com.android.apksig.internal.x509.Certificate in project xipki by xipki.

the class AbstractOcspRequestor method buildRequest.

// method ask
private OCSPRequest buildRequest(X509Cert caCert, BigInteger[] serialNumbers, byte[] nonce, RequestOptions requestOptions) throws OcspRequestorException {
    HashAlgo hashAlgo = requestOptions.getHashAlgorithm();
    List<SignAlgo> prefSigAlgs = requestOptions.getPreferredSignatureAlgorithms();
    XiOCSPReqBuilder reqBuilder = new XiOCSPReqBuilder();
    List<Extension> extensions = new LinkedList<>();
    if (nonce != null) {
        extensions.add(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce)));
    }
    if (prefSigAlgs != null && prefSigAlgs.size() > 0) {
        ASN1EncodableVector vec = new ASN1EncodableVector();
        for (SignAlgo algId : prefSigAlgs) {
            vec.add(new DERSequence(algId.getAlgorithmIdentifier()));
        }
        ASN1Sequence extnValue = new DERSequence(vec);
        Extension extn;
        try {
            extn = new Extension(ObjectIdentifiers.Extn.id_pkix_ocsp_prefSigAlgs, false, new DEROctetString(extnValue));
        } catch (IOException ex) {
            throw new OcspRequestorException(ex.getMessage(), ex);
        }
        extensions.add(extn);
    }
    if (CollectionUtil.isNotEmpty(extensions)) {
        reqBuilder.setRequestExtensions(new Extensions(extensions.toArray(new Extension[0])));
    }
    try {
        DEROctetString issuerNameHash = new DEROctetString(hashAlgo.hash(caCert.getSubject().getEncoded()));
        TBSCertificate tbsCert = caCert.toBcCert().toASN1Structure().getTBSCertificate();
        DEROctetString issuerKeyHash = new DEROctetString(hashAlgo.hash(tbsCert.getSubjectPublicKeyInfo().getPublicKeyData().getOctets()));
        for (BigInteger serialNumber : serialNumbers) {
            CertID certId = new CertID(hashAlgo.getAlgorithmIdentifier(), issuerNameHash, issuerKeyHash, new ASN1Integer(serialNumber));
            reqBuilder.addRequest(certId);
        }
        if (requestOptions.isSignRequest()) {
            synchronized (signerLock) {
                if (signer == null) {
                    if (StringUtil.isBlank(signerType)) {
                        throw new OcspRequestorException("signerType is not configured");
                    }
                    if (StringUtil.isBlank(signerConf)) {
                        throw new OcspRequestorException("signerConf is not configured");
                    }
                    X509Cert cert = null;
                    if (StringUtil.isNotBlank(signerCertFile)) {
                        try {
                            cert = X509Util.parseCert(new File(signerCertFile));
                        } catch (CertificateException ex) {
                            throw new OcspRequestorException("could not parse certificate " + signerCertFile + ": " + ex.getMessage());
                        }
                    }
                    try {
                        signer = getSecurityFactory().createSigner(signerType, new SignerConf(signerConf), cert);
                    } catch (Exception ex) {
                        throw new OcspRequestorException("could not create signer: " + ex.getMessage());
                    }
                }
            // end if
            }
            // end synchronized
            reqBuilder.setRequestorName(signer.getCertificate().getSubject());
            X509Cert[] certChain0 = signer.getCertificateChain();
            Certificate[] certChain = new Certificate[certChain0.length];
            for (int i = 0; i < certChain.length; i++) {
                certChain[i] = certChain0[i].toBcCert().toASN1Structure();
            }
            ConcurrentBagEntrySigner signer0;
            try {
                signer0 = signer.borrowSigner();
            } catch (NoIdleSignerException ex) {
                throw new OcspRequestorException("NoIdleSignerException: " + ex.getMessage());
            }
            try {
                return reqBuilder.build(signer0.value(), certChain);
            } finally {
                signer.requiteSigner(signer0);
            }
        } else {
            return reqBuilder.build();
        }
    // end if
    } catch (OCSPException | IOException ex) {
        throw new OcspRequestorException(ex.getMessage(), ex);
    }
}
Also used : CertID(org.bouncycastle.asn1.ocsp.CertID) CertificateException(java.security.cert.CertificateException) Extensions(org.bouncycastle.asn1.x509.Extensions) TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate) IOException(java.io.IOException) LinkedList(java.util.LinkedList) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) CertificateEncodingException(java.security.cert.CertificateEncodingException) Extension(org.bouncycastle.asn1.x509.Extension) BigInteger(java.math.BigInteger) File(java.io.File) TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate) Certificate(org.bouncycastle.asn1.x509.Certificate)

Example 77 with Certificate

use of com.android.apksig.internal.x509.Certificate in project xipki by xipki.

the class X509Cert method checkBcSignature.

private void checkBcSignature(PublicKey key, Signature signature) throws CertificateException, SignatureException, InvalidKeyException {
    Certificate c = bcInstance.toASN1Structure();
    if (!c.getSignatureAlgorithm().equals(c.getTBSCertificate().getSignature())) {
        throw new CertificateException("signature algorithm in TBS cert not same as outer cert");
    }
    signature.initVerify(key);
    try {
        signature.update(c.getTBSCertificate().getEncoded());
    } catch (IOException ex) {
        throw new CertificateException("error encoding TBSCertificate");
    }
    if (!signature.verify(c.getSignature().getBytes())) {
        throw new SignatureException("certificate does not verify with supplied key");
    }
}
Also used : CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate)

Example 78 with Certificate

use of com.android.apksig.internal.x509.Certificate in project xipki by xipki.

the class CrlStreamParserTest method parseCrlWithNoRevokedCerts.

@Test
public void parseCrlWithNoRevokedCerts() throws Exception {
    Certificate issuerSigner = getIssuerSigner();
    CrlStreamParser parser = getParser("no-revoked-certs.crl");
    Assert.assertEquals("version", 1, parser.getVersion());
    Assert.assertEquals("CRL number", BigInteger.valueOf(1), parser.getCrlNumber());
    Assert.assertTrue("signature", parser.verifySignature(issuerSigner.getSubjectPublicKeyInfo()));
    int numRevokedCerts = 0;
    try (RevokedCertsIterator iterator = parser.revokedCertificates()) {
        while (iterator.hasNext()) {
            iterator.next();
            numRevokedCerts++;
        }
    }
    Assert.assertEquals("#revokedCertificates", 0, numRevokedCerts);
}
Also used : CrlStreamParser(org.xipki.security.asn1.CrlStreamParser) RevokedCertsIterator(org.xipki.security.asn1.CrlStreamParser.RevokedCertsIterator) Certificate(org.bouncycastle.asn1.x509.Certificate) Test(org.junit.Test)

Example 79 with Certificate

use of com.android.apksig.internal.x509.Certificate in project TLS-Scanner by RUB-NDS.

the class TrustAnchorManager method getFullCaCertificateSet.

private Set<Certificate> getFullCaCertificateSet() {
    Set<Certificate> certificateSet = new HashSet<>();
    for (CertificateEntry entry : trustAnchors.values()) {
        InputStream resourceAsStream = TrustAnchorManager.class.getClassLoader().getResourceAsStream("trust/" + entry.getFingerprint() + ".pem");
        try {
            org.bouncycastle.crypto.tls.Certificate cert = PemUtil.readCertificate(resourceAsStream);
            certificateSet.add(cert.getCertificateAt(0));
        } catch (IOException | CertificateException ex) {
            LOGGER.error("Could not load Certificate:" + entry.getSubjectName() + "/" + entry.getFingerprint(), ex);
        }
    }
    return certificateSet;
}
Also used : BufferedInputStream(java.io.BufferedInputStream) InputStream(java.io.InputStream) CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate) HashSet(java.util.HashSet)

Example 80 with Certificate

use of com.android.apksig.internal.x509.Certificate in project cloud-security-xsuaa-integration by SAP.

the class SecurityContext method clearCertificate.

/**
 * Clears the current Certificate from thread wide storage.
 */
private static void clearCertificate() {
    final Certificate certificate = certificateStorage.get();
    if (certificate != null) {
        LOGGER.debug("Certificate removed from SecurityContext (thread-locally).");
        certificateStorage.remove();
    }
}
Also used : Certificate(com.sap.cloud.security.x509.Certificate)

Aggregations

Certificate (org.bouncycastle.asn1.x509.Certificate)53 IOException (java.io.IOException)40 X509Certificate (java.security.cert.X509Certificate)37 CertificateException (java.security.cert.CertificateException)27 File (java.io.File)12 Test (org.junit.Test)11 BigInteger (java.math.BigInteger)9 CertificateEncodingException (java.security.cert.CertificateEncodingException)9 TBSCertificate (org.bouncycastle.asn1.x509.TBSCertificate)9 Test (org.junit.jupiter.api.Test)9 Certificate (com.google.cloud.security.privateca.v1.Certificate)8 CertificateAuthorityServiceClient (com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient)8 SQLException (java.sql.SQLException)8 X500Name (org.bouncycastle.asn1.x500.X500Name)8 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)7 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)7 Certificate (com.beanit.asn1bean.compiler.pkix1explicit88.Certificate)6 Extension (org.bouncycastle.asn1.x509.Extension)6 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)6 ArrayList (java.util.ArrayList)5