Search in sources :

Example 36 with SubjectKeyIdentifier

use of com.beanit.asn1bean.compiler.pkix1implicit88.SubjectKeyIdentifier in project LinLong-Java by zhenwei1108.

the class KeyAgreeRecipientInformation method getSenderPublicKeyInfo.

private SubjectPublicKeyInfo getSenderPublicKeyInfo(AlgorithmIdentifier recKeyAlgId, OriginatorIdentifierOrKey originator) throws CMSException, IOException {
    OriginatorPublicKey opk = originator.getOriginatorKey();
    if (opk != null) {
        return getPublicKeyInfoFromOriginatorPublicKey(recKeyAlgId, opk);
    }
    OriginatorId origID;
    IssuerAndSerialNumber iAndSN = originator.getIssuerAndSerialNumber();
    if (iAndSN != null) {
        origID = new OriginatorId(iAndSN.getName(), iAndSN.getSerialNumber().getValue());
    } else {
        SubjectKeyIdentifier ski = originator.getSubjectKeyIdentifier();
        origID = new OriginatorId(ski.getKeyIdentifier());
    }
    return getPublicKeyInfoFromOriginatorId(origID);
}
Also used : IssuerAndSerialNumber(com.github.zhenwei.pkix.util.asn1.cms.IssuerAndSerialNumber) SubjectKeyIdentifier(com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier) OriginatorPublicKey(com.github.zhenwei.pkix.util.asn1.cms.OriginatorPublicKey)

Example 37 with SubjectKeyIdentifier

use of com.beanit.asn1bean.compiler.pkix1implicit88.SubjectKeyIdentifier in project ref-GemLibPki by gematik.

the class TspInformationProvider method verifyAkiMatchesSki.

/**
 * Verify AKI (authority key identifier - an X.509 v3 certificate extension - derived from the public key of the given issuer certificate) must match with
 * SKI (subject key identifier - an X.509 v3 certificate extension - derived from the public key of the given end-entity certificate).
 *
 * @param x509EeCert     end-entity certificate
 * @param x509IssuerCert issuer certificate determined from TSL file
 * @return true when aki matches ski otherwise false
 */
private static boolean verifyAkiMatchesSki(final X509Certificate x509EeCert, @NonNull final X509Certificate x509IssuerCert) {
    final byte[] subjectKeyIdentifier = x509IssuerCert.getExtensionValue(Extension.subjectKeyIdentifier.getId());
    final Optional<ASN1OctetString> skiAsOctet = Optional.ofNullable(ASN1OctetString.getInstance(subjectKeyIdentifier));
    if (skiAsOctet.isEmpty()) {
        log.debug("Extension SUBJECT_KEY_IDENTIFIER_OID: {} konnte in {} nicht gefunden werden.", Extension.subjectKeyIdentifier.getId(), x509EeCert.getSubjectX500Principal());
        return false;
    }
    final SubjectKeyIdentifier subKeyIdentifier = SubjectKeyIdentifier.getInstance(skiAsOctet.get().getOctets());
    final byte[] authorityKeyIdentifier = x509EeCert.getExtensionValue(Extension.authorityKeyIdentifier.getId());
    final Optional<ASN1OctetString> akiAsOctet = Optional.ofNullable(ASN1OctetString.getInstance(authorityKeyIdentifier));
    if (akiAsOctet.isEmpty()) {
        log.debug("Extension AUTHORITY_KEY_IDENTIFIER_OID: {} konnte in {} nicht gefunden werden.", Extension.authorityKeyIdentifier.getId(), x509EeCert.getSubjectX500Principal());
        return false;
    }
    final ASN1Primitive akiSequenceAsOctet;
    try {
        akiSequenceAsOctet = ASN1Primitive.fromByteArray(akiAsOctet.get().getOctets());
    } catch (final IOException e) {
        log.debug("Octets des AUTHORITY_KEY_IDENTIFIER konnten in {} nicht gefunden werden.", x509EeCert.getSubjectX500Principal());
        log.trace(e.toString());
        return false;
    }
    final AuthorityKeyIdentifier authKeyIdentifier = AuthorityKeyIdentifier.getInstance(akiSequenceAsOctet);
    return Arrays.equals(subKeyIdentifier.getKeyIdentifier(), authKeyIdentifier.getKeyIdentifier());
}
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier) IOException(java.io.IOException) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)

Example 38 with SubjectKeyIdentifier

use of com.beanit.asn1bean.compiler.pkix1implicit88.SubjectKeyIdentifier in project kas-fleetshard by bf2fc6cc711aee1a0c2a.

the class SecurityUtils method generate.

private static X509Certificate generate(final KeyPair keyPair, final String hashAlgorithm, final String domain, final int days) throws OperatorCreationException, CertificateException, CertIOException {
    final Instant now = Instant.now();
    final Date notBefore = Date.from(now);
    final Date notAfter = Date.from(now.plus(Duration.ofDays(days)));
    final X500Name x500Issuer = new X500Name("CN=" + domain);
    final X500Name x500Name = new X500Name("CN=*." + domain);
    final SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
    final DigestCalculator digCalc = new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
    final SubjectKeyIdentifier subject = new X509ExtensionUtils(digCalc).createSubjectKeyIdentifier(publicKeyInfo);
    final AuthorityKeyIdentifier authority = new X509ExtensionUtils(digCalc).createAuthorityKeyIdentifier(publicKeyInfo);
    final X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(x500Issuer, BigInteger.valueOf(now.toEpochMilli()), notBefore, notAfter, x500Name, keyPair.getPublic());
    certificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, subject);
    certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, authority);
    certificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    final ContentSigner contentSigner = new JcaContentSignerBuilder(hashAlgorithm).build(keyPair.getPrivate());
    return new JcaX509CertificateConverter().setProvider(new BouncyCastleProvider()).getCertificate(certificateBuilder.build(contentSigner));
}
Also used : BcDigestCalculatorProvider(org.bouncycastle.operator.bc.BcDigestCalculatorProvider) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) Instant(java.time.Instant) DigestCalculator(org.bouncycastle.operator.DigestCalculator) ContentSigner(org.bouncycastle.operator.ContentSigner) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) X500Name(org.bouncycastle.asn1.x500.X500Name) SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) Date(java.util.Date) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509ExtensionUtils(org.bouncycastle.cert.X509ExtensionUtils) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 39 with SubjectKeyIdentifier

use of com.beanit.asn1bean.compiler.pkix1implicit88.SubjectKeyIdentifier in project SAMLRaider by CompassSecurity.

the class BurpCertificateBuilder method generateX509Certificate.

/**
 * Creates a X.509v3 Certificate. The values of "this" object are used for
 * the building process.
 *
 * @param privateKey
 *            which signes the certificates
 * @return certificate object
 * @throws CertificateEncodingException
 * @throws InvalidKeyException
 * @throws IllegalStateException
 * @throws NoSuchAlgorithmException
 * @throws SignatureException
 * @throws IOException
 */
private X509Certificate generateX509Certificate(PrivateKey privateKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, IOException {
    if (version != 3) {
        throw new UnsupportedOperationException("Not implemented yet.");
    }
    certificateGenerator = new X509V3CertificateGenerator();
    certificateGenerator.setSerialNumber(serial);
    certificateGenerator.setIssuerDN(this.issuer);
    certificateGenerator.setNotBefore(notBefore);
    certificateGenerator.setNotAfter(notAfter);
    certificateGenerator.setSubjectDN(subject);
    certificateGenerator.setSignatureAlgorithm(signatureAlgorithm);
    certificateGenerator.setPublicKey(publicKey);
    if (hasBasicConstraints) {
        if (isCA && hasNoPathLimit) {
            certificateGenerator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
        } else if (isCA && !hasNoPathLimit) {
            certificateGenerator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(pathLimit));
        } else {
            certificateGenerator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
        }
    }
    if (keyUsage.size() > 0) {
        int allKeyUsages = 0;
        for (int i : keyUsage) {
            allKeyUsages |= i;
        }
        certificateGenerator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(allKeyUsages));
    }
    if (extendedKeyUsage.size() > 0) {
        ASN1EncodableVector allExtendedKeyUsages = new ASN1EncodableVector();
        for (KeyPurposeId i : extendedKeyUsage) {
            allExtendedKeyUsages.add(i);
        }
        certificateGenerator.addExtension(X509Extensions.ExtendedKeyUsage, false, new DERSequence(allExtendedKeyUsages));
    }
    if (subjectAlternativeName.size() > 0) {
        GeneralNames generalNames = new GeneralNames(subjectAlternativeName.toArray(new GeneralName[subjectAlternativeName.size()]));
        certificateGenerator.addExtension(X509Extensions.SubjectAlternativeName, true, generalNames);
    }
    if (setSubjectKeyIdentifier == true) {
        JcaX509ExtensionUtils j = new JcaX509ExtensionUtils();
        certificateGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false, j.createSubjectKeyIdentifier(publicKey));
    }
    if (!subjectKeyIdentifier.isEmpty() && setSubjectKeyIdentifier == false) {
        byte[] ski = CertificateHelper.hexStringToByteArray(subjectKeyIdentifier);
        SubjectKeyIdentifier aKI = new SubjectKeyIdentifier(ski);
        certificateGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, true, aKI);
    }
    if (issuerAlternativeName.size() > 0) {
        GeneralNames generalNames = new GeneralNames(issuerAlternativeName.toArray(new GeneralName[issuerAlternativeName.size()]));
        certificateGenerator.addExtension(X509Extensions.IssuerAlternativeName, true, generalNames);
    }
    if (setAuthorityKeyIdentifier == true && issuerCertificate != null) {
        JcaX509ExtensionUtils j = new JcaX509ExtensionUtils();
        certificateGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, true, j.createAuthorityKeyIdentifier(issuerCertificate));
    }
    if (!authorityKeyIdentifier.isEmpty() && setAuthorityKeyIdentifier == false) {
        byte[] aki = CertificateHelper.hexStringToByteArray(authorityKeyIdentifier);
        AuthorityKeyIdentifier aKI = new AuthorityKeyIdentifier(aki);
        certificateGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, true, aKI);
    }
    for (BurpCertificateExtension e : burpCertificateExtensions) {
        // http://bouncycastle.sourcearchive.com/documentation/1.43/classorg_1_1bouncycastle_1_1x509_1_1X509V3CertificateGenerator_fd5118a4eaa4870e5fbf6efc02f10c00.html#fd5118a4eaa4870e5fbf6efc02f10c00
        // Finally!!!
        ASN1Encodable extension = X509ExtensionUtil.fromExtensionValue(e.getExtensionValue());
        certificateGenerator.addExtension(e.getOid(), e.isCritical(), extension);
    }
    return certificateGenerator.generate(privateKey);
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier) X509V3CertificateGenerator(org.bouncycastle.x509.X509V3CertificateGenerator) DERSequence(org.bouncycastle.asn1.DERSequence) BurpCertificateExtension(model.BurpCertificateExtension) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)

Aggregations

SubjectKeyIdentifier (org.bouncycastle.asn1.x509.SubjectKeyIdentifier)34 AuthorityKeyIdentifier (org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)14 X509Certificate (java.security.cert.X509Certificate)13 IOException (java.io.IOException)10 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)10 X500Name (org.bouncycastle.asn1.x500.X500Name)9 JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)9 GeneralName (org.bouncycastle.asn1.x509.GeneralName)8 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)8 Date (java.util.Date)7 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)7 ContentSigner (org.bouncycastle.operator.ContentSigner)7 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)7 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)6 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)6 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)6 JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)6 PrivateKey (java.security.PrivateKey)5 CertificateException (java.security.cert.CertificateException)5 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)5