Use of `Certificate` in project xipki by xipki. (Index note: the `Certificate` these snippets handle is the BouncyCastle ASN.1 structure returned by `toBcCert().toASN1Structure()`, which appears to be `org.bouncycastle.asn1.x509.Certificate` rather than `com.android.apksig.internal.x509.Certificate` as the page header claims.)
the class AbstractOcspRequestor method buildRequest.
// method ask
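/**
 * Builds the OCSPRequest (RFC 6960 section 4.1) asking for the status of
 * {@code serialNumbers}, all of which were issued by {@code caCert}.
 *
 * <p>The CertID is computed as RFC 6960 section 4.1.1 requires: {@code issuerNameHash} is
 * the hash of the DER-encoded issuer name and {@code issuerKeyHash} is the hash of the
 * issuer's subjectPublicKey BIT STRING value (tag, length and unused-bits octet excluded),
 * both using the hash algorithm from {@code requestOptions}.
 *
 * <p>When {@code nonce} is non-null it is sent as the non-critical id-pkix-ocsp-nonce
 * extension. This method only emits the nonce; checking that the response echoes the same
 * value (the protection against replayed responses) is the caller's responsibility.
 *
 * <p>When {@code requestOptions.isSignRequest()} is set, the request is signed with the
 * lazily created signer (from {@code signerType}/{@code signerConf}, optionally
 * {@code signerCertFile}) and the signer's certificate chain is embedded in the request.
 *
 * @param caCert         issuer certificate of the certificates being queried; not null
 * @param serialNumbers  serial numbers to query; must contain at least one entry
 * @param nonce          nonce binding the response to this request, or null for none
 * @param requestOptions hash algorithm, preferred signature algorithms and sign flag; not null
 * @return the built request, signed if requested
 * @throws OcspRequestorException on invalid arguments, signer configuration problems, or if
 *         encoding or signing the request fails (the underlying cause is attached)
 */
private OCSPRequest buildRequest(X509Cert caCert, BigInteger[] serialNumbers, byte[] nonce,
    RequestOptions requestOptions) throws OcspRequestorException {
  if (caCert == null) {
    throw new OcspRequestorException("caCert must not be null");
  }
  if (serialNumbers == null || serialNumbers.length == 0) {
    throw new OcspRequestorException("serialNumbers must not be empty");
  }
  if (requestOptions == null) {
    throw new OcspRequestorException("requestOptions must not be null");
  }

  HashAlgo hashAlgo = requestOptions.getHashAlgorithm();
  List<SignAlgo> prefSigAlgs = requestOptions.getPreferredSignatureAlgorithms();

  XiOCSPReqBuilder reqBuilder = new XiOCSPReqBuilder();
  List<Extension> extensions = new LinkedList<>();

  if (nonce != null) {
    // RFC 6960 section 4.4.1: the nonce is an OCTET STRING in a non-critical extension.
    extensions.add(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false,
        new DEROctetString(nonce)));
  }

  if (prefSigAlgs != null && !prefSigAlgs.isEmpty()) {
    // RFC 6960 section 4.4.3: PreferredSignatureAlgorithms ::= SEQUENCE OF
    // PreferredSignatureAlgorithm, each itself a SEQUENCE whose first element is the
    // AlgorithmIdentifier - hence the inner DERSequence around every algorithm.
    ASN1EncodableVector vec = new ASN1EncodableVector();
    for (SignAlgo algId : prefSigAlgs) {
      vec.add(new DERSequence(algId.getAlgorithmIdentifier()));
    }
    ASN1Sequence extnValue = new DERSequence(vec);
    Extension extn;
    try {
      extn = new Extension(ObjectIdentifiers.Extn.id_pkix_ocsp_prefSigAlgs, false,
          new DEROctetString(extnValue));
    } catch (IOException ex) {
      throw new OcspRequestorException(ex.getMessage(), ex);
    }
    extensions.add(extn);
  }

  if (CollectionUtil.isNotEmpty(extensions)) {
    reqBuilder.setRequestExtensions(new Extensions(extensions.toArray(new Extension[0])));
  }

  try {
    DEROctetString issuerNameHash =
        new DEROctetString(hashAlgo.hash(caCert.getSubject().getEncoded()));
    TBSCertificate tbsCert = caCert.toBcCert().toASN1Structure().getTBSCertificate();
    // getOctets() yields the BIT STRING content without the unused-bits octet, as required.
    DEROctetString issuerKeyHash = new DEROctetString(
        hashAlgo.hash(tbsCert.getSubjectPublicKeyInfo().getPublicKeyData().getOctets()));

    for (BigInteger serialNumber : serialNumbers) {
      reqBuilder.addRequest(new CertID(hashAlgo.getAlgorithmIdentifier(), issuerNameHash,
          issuerKeyHash, new ASN1Integer(serialNumber)));
    }

    if (!requestOptions.isSignRequest()) {
      return reqBuilder.build();
    }

    // Lazily create the signer. The creation itself is serialized on signerLock; the field
    // is read again below outside the lock, which relies on it being published safely
    // (e.g. declared volatile) - NOTE(review): confirm on the field declaration.
    synchronized (signerLock) {
      if (signer == null) {
        if (StringUtil.isBlank(signerType)) {
          throw new OcspRequestorException("signerType is not configured");
        }
        if (StringUtil.isBlank(signerConf)) {
          throw new OcspRequestorException("signerConf is not configured");
        }

        X509Cert cert = null;
        if (StringUtil.isNotBlank(signerCertFile)) {
          try {
            cert = X509Util.parseCert(new File(signerCertFile));
          } catch (CertificateException ex) {
            // keep the cause so a bad signer certificate file is diagnosable
            throw new OcspRequestorException(
                "could not parse certificate " + signerCertFile + ": " + ex.getMessage(), ex);
          }
        }

        try {
          signer = getSecurityFactory().createSigner(signerType, new SignerConf(signerConf), cert);
        } catch (Exception ex) {
          throw new OcspRequestorException("could not create signer: " + ex.getMessage(), ex);
        }
      }
    }

    // The requestorName and the embedded chain both come from the signer's certificate.
    reqBuilder.setRequestorName(signer.getCertificate().getSubject());
    X509Cert[] signerChain = signer.getCertificateChain();
    Certificate[] certChain = new Certificate[signerChain.length];
    for (int i = 0; i < certChain.length; i++) {
      certChain[i] = signerChain[i].toBcCert().toASN1Structure();
    }

    ConcurrentBagEntrySigner borrowed;
    try {
      borrowed = signer.borrowSigner();
    } catch (NoIdleSignerException ex) {
      throw new OcspRequestorException("NoIdleSignerException: " + ex.getMessage(), ex);
    }
    try {
      return reqBuilder.build(borrowed.value(), certChain);
    } finally {
      // always hand the pooled signer back, even when build() fails
      signer.requiteSigner(borrowed);
    }
  } catch (OCSPException | IOException ex) {
    throw new OcspRequestorException(ex.getMessage(), ex);
  }
}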
use of com.android.apksig.internal.x509.Certificate in project xipki by xipki.
the class X509Cert method checkBcSignature.
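/**
 * Verifies this certificate's signature with {@code key}, using the caller-supplied
 * {@code signature} engine. The engine must already be the one for the certificate's
 * signatureAlgorithm; this method does not select or validate that choice.
 *
 * <p>Before verifying, the outer {@code signatureAlgorithm} must equal the {@code signature}
 * field inside the TBSCertificate (RFC 5280 section 4.1.1.2). Without this check an attacker
 * could wrap a signed body in a different, weaker algorithm identifier.
 *
 * @param key       public key expected to have produced the signature
 * @param signature un-initialised Signature engine matching the certificate's algorithm
 * @throws CertificateException if the two algorithm identifiers disagree or the
 *         TBSCertificate cannot be DER-encoded (cause attached)
 * @throws SignatureException   if the signature does not verify with {@code key}
 * @throws InvalidKeyException  if {@code key} cannot be used with {@code signature}
 */
private void checkBcSignature(PublicKey key, Signature signature)
    throws CertificateException, SignatureException, InvalidKeyException {
  Certificate c = bcInstance.toASN1Structure();
  if (!c.getSignatureAlgorithm().equals(c.getTBSCertificate().getSignature())) {
    throw new CertificateException("signature algorithm in TBS cert not same as outer cert");
  }

  signature.initVerify(key);
  try {
    // the signature covers the DER encoding of the TBSCertificate
    signature.update(c.getTBSCertificate().getEncoded());
  } catch (IOException ex) {
    // preserve the cause; the original dropped it
    throw new CertificateException("error encoding TBSCertificate", ex);
  }

  if (!signature.verify(c.getSignature().getBytes())) {
    throw new SignatureException("certificate does not verify with supplied key");
  }
}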
use of com.android.apksig.internal.x509.Certificate in project xipki by xipki.
the class CrlStreamParserTest method parseCrlWithNoRevokedCerts.
/**
 * A CRL whose revokedCertificates list is empty: version and CRL number parse, the issuer's
 * key verifies the signature, and iterating the revoked entries yields nothing.
 */
@Test
public void parseCrlWithNoRevokedCerts() throws Exception {
  Certificate issuerSigner = getIssuerSigner();
  CrlStreamParser parser = getParser("no-revoked-certs.crl");

  Assert.assertEquals("version", 1, parser.getVersion());
  Assert.assertEquals("CRL number", BigInteger.valueOf(1), parser.getCrlNumber());
  // the CRL must verify against the issuer's public key
  Assert.assertTrue("signature", parser.verifySignature(issuerSigner.getSubjectPublicKeyInfo()));

  int revokedCount = 0;
  try (RevokedCertsIterator it = parser.revokedCertificates()) {
    for (; it.hasNext(); revokedCount++) {
      it.next();
    }
  }
  Assert.assertEquals("#revokedCertificates", 0, revokedCount);
}
Use of `Certificate` in project TLS-Scanner by RUB-NDS. (Index note: the elements added here come from `org.bouncycastle.crypto.tls.Certificate.getCertificateAt(0)`, so the set appears to hold BouncyCastle ASN.1 certificates rather than `com.android.apksig.internal.x509.Certificate` as the page header claims.)
the class TrustAnchorManager method getFullCaCertificateSet.
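/**
 * Loads every trust anchor listed in {@code trustAnchors} from the bundled
 * {@code trust/<fingerprint>.pem} classpath resources and returns the parsed certificates.
 *
 * <p>Loading is best-effort: an anchor whose resource is missing, unreadable or contains no
 * certificate is logged and skipped. Note that this silently shrinks the trust set, so an
 * error logged here means fewer CAs are trusted than configured.
 *
 * @return the CA certificates that could be loaded; never null, possibly empty
 */
private Set<Certificate> getFullCaCertificateSet() {
  Set<Certificate> certificateSet = new HashSet<>();
  for (CertificateEntry entry : trustAnchors.values()) {
    String resourceName = "trust/" + entry.getFingerprint() + ".pem";
    // try-with-resources: the stream was previously never closed
    try (InputStream resourceAsStream =
        TrustAnchorManager.class.getClassLoader().getResourceAsStream(resourceName)) {
      if (resourceAsStream == null) {
        // getResourceAsStream returns null (no exception) for a missing resource
        LOGGER.error("Could not load Certificate:" + entry.getSubjectName() + "/"
            + entry.getFingerprint() + " (resource " + resourceName + " not found)");
        continue;
      }
      org.bouncycastle.crypto.tls.Certificate cert = PemUtil.readCertificate(resourceAsStream);
      if (cert == null || cert.getLength() == 0) {
        // guard getCertificateAt(0) against an empty chain
        LOGGER.error("Could not load Certificate:" + entry.getSubjectName() + "/"
            + entry.getFingerprint() + " (no certificate in " + resourceName + ")");
        continue;
      }
      certificateSet.add(cert.getCertificateAt(0));
    } catch (IOException | CertificateException ex) {
      LOGGER.error("Could not load Certificate:" + entry.getSubjectName() + "/" + entry.getFingerprint(), ex);
    }
  }
  return certificateSet;
}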
use of com.android.apksig.internal.x509.Certificate in project cloud-security-xsuaa-integration by SAP.
the class SecurityContext method clearCertificate.
/**
 * Drops the Certificate bound to the current thread, if one is present.
 * Does nothing (and logs nothing) when no certificate is stored.
 */
private static void clearCertificate() {
  if (certificateStorage.get() == null) {
    return;
  }
  LOGGER.debug("Certificate removed from SecurityContext (thread-locally).");
  certificateStorage.remove();
}