Example 16 with DERIA5String
use of com.github.zhenwei.core.asn1.DERIA5String in project athenz by yahoo.
the class ZTSClient method getAWSLambdaServiceCertificate.
/**
* For AWS Lambda functions generate a new private key, request a
* x.509 certificate based on the requested CSR and return both to
* the client in order to establish tls connections with other
* Athenz enabled services.
* @param domainName name of the domain
* @param serviceName name of the service
* @param account AWS account name that the function runs in
* @param provider name of the provider service for AWS Lambda
* @return AWSLambdaIdentity with private key and certificate
*/
public AWSLambdaIdentity getAWSLambdaServiceCertificate(String domainName, String serviceName, String account, String provider) {
if (domainName == null || serviceName == null) {
throw new IllegalArgumentException("Domain and Service must be specified");
}
if (account == null || provider == null) {
throw new IllegalArgumentException("AWS Account and Provider must be specified");
}
if (x509CsrDomain == null) {
throw new IllegalArgumentException("X509 CSR Domain must be specified");
}
// first we're going to generate a private key for the request
AWSLambdaIdentity lambdaIdentity = new AWSLambdaIdentity();
try {
lambdaIdentity.setPrivateKey(Crypto.generateRSAPrivateKey(2048));
} catch (CryptoException ex) {
throw new ZTSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
}
// we need to generate an csr with an instance register object
InstanceRegisterInformation info = new InstanceRegisterInformation();
info.setDomain(domainName.toLowerCase());
info.setService(serviceName.toLowerCase());
info.setProvider(provider.toLowerCase());
final String athenzService = info.getDomain() + "." + info.getService();
// generate our dn which will be based on our service name
StringBuilder dnBuilder = new StringBuilder(128);
dnBuilder.append("cn=");
dnBuilder.append(athenzService);
if (x509CsrDn != null) {
dnBuilder.append(',');
dnBuilder.append(x509CsrDn);
}
// now let's generate our dsnName field based on our principal's details
GeneralName[] sanArray = new GeneralName[3];
final String hostBuilder = info.getService() + '.' + info.getDomain().replace('.', '-') + '.' + x509CsrDomain;
sanArray[0] = new GeneralName(GeneralName.dNSName, new DERIA5String(hostBuilder));
final String instanceHostBuilder = "lambda-" + account + '-' + info.getService() + ".instanceid.athenz." + x509CsrDomain;
sanArray[1] = new GeneralName(GeneralName.dNSName, new DERIA5String(instanceHostBuilder));
final String spiffeUri = SPIFFE_URI + info.getDomain() + SPIFFE_COMP_SERVICE + info.getService();
sanArray[2] = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(spiffeUri));
try {
info.setCsr(Crypto.generateX509CSR(lambdaIdentity.getPrivateKey(), dnBuilder.toString(), sanArray));
} catch (OperatorCreationException | IOException ex) {
throw new ZTSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
}
// finally obtain attestation data for lambda
info.setAttestationData(getAWSLambdaAttestationData(athenzService, account));
// request the x.509 certificate from zts server
Map<String, List<String>> responseHeaders = new HashMap<>();
InstanceIdentity identity = postInstanceRegisterInformation(info, responseHeaders);
try {
lambdaIdentity.setX509Certificate(Crypto.loadX509Certificate(identity.getX509Certificate()));
} catch (CryptoException ex) {
throw new ZTSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
}
lambdaIdentity.setCaCertificates(identity.getX509CertificateSigner());
return lambdaIdentity;
}
Also used :
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
IOException(java.io.IOException)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
CryptoException(com.yahoo.athenz.auth.util.CryptoException)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
Example 17 with DERIA5String
use of com.github.zhenwei.core.asn1.DERIA5String in project xipki by xipki.
the class ExtensionsChecker method checkExtensionBiometricInfo.
// method checkExtensionQcStatements
private void checkExtensionBiometricInfo(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
BiometricInfoOption conf = certProfile.getBiometricInfo();
if (conf == null) {
failureMsg.append("extension is present but not expected; ");
return;
}
ASN1Encodable extInRequest = null;
if (requestedExtensions != null) {
extInRequest = requestedExtensions.getExtensionParsedValue(Extension.biometricInfo);
}
if (extInRequest == null) {
failureMsg.append("extension is present but not expected; ");
return;
}
ASN1Sequence extValueInReq = ASN1Sequence.getInstance(extInRequest);
final int expSize = extValueInReq.size();
ASN1Sequence extValue = ASN1Sequence.getInstance(extensionValue);
final int isSize = extValue.size();
if (isSize != expSize) {
addViolation(failureMsg, "number of biometricData", isSize, expSize);
return;
}
for (int i = 0; i < expSize; i++) {
BiometricData isData = BiometricData.getInstance(extValue.getObjectAt(i));
BiometricData expData = BiometricData.getInstance(extValueInReq.getObjectAt(i));
TypeOfBiometricData isType = isData.getTypeOfBiometricData();
TypeOfBiometricData expType = expData.getTypeOfBiometricData();
if (!isType.equals(expType)) {
String isStr = isType.isPredefined() ? Integer.toString(isType.getPredefinedBiometricType()) : isType.getBiometricDataOid().getId();
String expStr = expType.isPredefined() ? Integer.toString(expType.getPredefinedBiometricType()) : expType.getBiometricDataOid().getId();
addViolation(failureMsg, "biometricData[" + i + "].typeOfBiometricData", isStr, expStr);
}
ASN1ObjectIdentifier is = isData.getHashAlgorithm().getAlgorithm();
ASN1ObjectIdentifier exp = expData.getHashAlgorithm().getAlgorithm();
if (!is.equals(exp)) {
addViolation(failureMsg, "biometricData[" + i + "].hashAlgorithm", is.getId(), exp.getId());
}
ASN1Encodable isHashAlgoParam = isData.getHashAlgorithm().getParameters();
if (isHashAlgoParam == null) {
failureMsg.append("biometricData[").append(i).append("].hashAlgorithm.parameters is 'present' but expected 'absent'; ");
} else {
try {
byte[] isBytes = isHashAlgoParam.toASN1Primitive().getEncoded();
if (!Arrays.equals(isBytes, DER_NULL)) {
addViolation(failureMsg, "biometricData[" + i + "].biometricDataHash.parameters", hex(isBytes), hex(DER_NULL));
}
} catch (IOException ex) {
failureMsg.append("biometricData[").append(i).append("].biometricDataHash.parameters has incorrect syntax; ");
}
}
byte[] isBytes = isData.getBiometricDataHash().getOctets();
byte[] expBytes = expData.getBiometricDataHash().getOctets();
if (!Arrays.equals(isBytes, expBytes)) {
addViolation(failureMsg, "biometricData[" + i + "].biometricDataHash", hex(isBytes), hex(expBytes));
}
DERIA5String str = isData.getSourceDataUri();
String isSourceDataUri = (str == null) ? null : str.getString();
String expSourceDataUri = null;
if (conf.getSourceDataUriOccurrence() != TripleState.FORBIDDEN) {
str = expData.getSourceDataUri();
expSourceDataUri = (str == null) ? null : str.getString();
}
if (expSourceDataUri == null) {
if (isSourceDataUri != null) {
addViolation(failureMsg, "biometricData[" + i + "].sourceDataUri", "present", "absent");
}
} else {
if (isSourceDataUri == null) {
failureMsg.append("biometricData[").append(i).append("].sourceDataUri is 'absent'");
failureMsg.append(" but expected 'present'; ");
} else if (!isSourceDataUri.equals(expSourceDataUri)) {
addViolation(failureMsg, "biometricData[" + i + "].sourceDataUri", isSourceDataUri, expSourceDataUri);
}
}
}
}
Also used :
BiometricData(org.bouncycastle.asn1.x509.qualified.BiometricData)
TypeOfBiometricData(org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
BiometricInfoOption(org.xipki.ca.certprofile.BiometricInfoOption)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1String(org.bouncycastle.asn1.ASN1String)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERT61String(org.bouncycastle.asn1.DERT61String)
IOException(java.io.IOException)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
TypeOfBiometricData(org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 18 with DERIA5String
use of com.github.zhenwei.core.asn1.DERIA5String in project keystore-explorer by kaikramer.
the class DNetscapeBaseUrl method okPressed.
private void okPressed() {
String netscapeBaseUrlStr = jtfNetscapeBaseUrl.getText().trim();
if (netscapeBaseUrlStr.length() == 0) {
JOptionPane.showMessageDialog(this, res.getString("DNetscapeBaseUrl.ValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE);
return;
}
DERIA5String netscapeBaseUrl = new DERIA5String(netscapeBaseUrlStr);
try {
value = netscapeBaseUrl.getEncoded(ASN1Encoding.DER);
} catch (IOException ex) {
DError dError = new DError(this, ex);
dError.setLocationRelativeTo(this);
dError.setVisible(true);
return;
}
closeDialog();
}
Also used :
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
IOException(java.io.IOException)
DError(org.kse.gui.error.DError)
Example 19 with DERIA5String
use of com.github.zhenwei.core.asn1.DERIA5String in project keystore-explorer by kaikramer.
the class DNetscapeBaseUrl method prepopulateWithValue.
private void prepopulateWithValue(byte[] value) throws IOException {
DERIA5String netscapeBaseUrl = DERIA5String.getInstance(value);
jtfNetscapeBaseUrl.setText(netscapeBaseUrl.getString());
jtfNetscapeBaseUrl.setCaretPosition(0);
}
Also used :
DERIA5String(org.bouncycastle.asn1.DERIA5String)
Example 20 with DERIA5String
use of com.github.zhenwei.core.asn1.DERIA5String in project keystore-explorer by kaikramer.
the class DNetscapeCaPolicyUrl method okPressed.
private void okPressed() {
String netscapeCaPolicyUrlStr = jtfNetscapeCaPolicyUrl.getText().trim();
if (netscapeCaPolicyUrlStr.length() == 0) {
JOptionPane.showMessageDialog(this, res.getString("DNetscapeCaPolicyUrl.ValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE);
return;
}
DERIA5String netscapeCaPolicyUrl = new DERIA5String(netscapeCaPolicyUrlStr);
try {
value = netscapeCaPolicyUrl.getEncoded(ASN1Encoding.DER);
} catch (IOException ex) {
DError dError = new DError(this, ex);
dError.setLocationRelativeTo(this);
dError.setVisible(true);
return;
}
closeDialog();
}
Also used :
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
IOException(java.io.IOException)
DError(org.kse.gui.error.DError)
Aggregations
DERIA5String (org.bouncycastle.asn1.DERIA5String)80
IOException (java.io.IOException)55
GeneralName (org.bouncycastle.asn1.x509.GeneralName)29
DEROctetString (org.bouncycastle.asn1.DEROctetString)22
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)21
DERSequence (org.bouncycastle.asn1.DERSequence)17
DERUTF8String (org.bouncycastle.asn1.DERUTF8String)16
ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)15
ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)14
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)14
ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)12
DERBitString (org.bouncycastle.asn1.DERBitString)12
SignatureException (java.security.SignatureException)10
ArrayList (java.util.ArrayList)10
DERTaggedObject (org.bouncycastle.asn1.DERTaggedObject)10
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)10
HashSet (java.util.HashSet)9
DERPrintableString (org.bouncycastle.asn1.DERPrintableString)9
OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)9
ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)8
