Search in sources :

Example 26 with DEROctetString

use of com.github.zhenwei.core.asn1.DEROctetString in project keystore-explorer by kaikramer.

the class DAddExtensions method addPressed.

private void addPressed() {
    DAddExtensionType dAddExtensionType = new DAddExtensionType(this, extensions);
    dAddExtensionType.setLocationRelativeTo(this);
    dAddExtensionType.setVisible(true);
    X509ExtensionType extensionTypeToAdd = dAddExtensionType.getExtensionType();
    if (extensionTypeToAdd == null) {
        return;
    }
    boolean isCritical = dAddExtensionType.isExtensionCritical();
    DExtension dExtension = determineExtensionDialog(extensionTypeToAdd);
    if (dExtension == null) {
        return;
    }
    dExtension.setLocationRelativeTo(this);
    dExtension.setVisible(true);
    byte[] extensionValue = dExtension.getValue();
    String oid = dExtension.getOid();
    if (extensionValue == null || oid == null) {
        return;
    }
    // value has to be wrapped in a DER-encoded OCTET STRING
    byte[] extensionValueOctet = null;
    try {
        extensionValueOctet = new DEROctetString(extensionValue).getEncoded(ASN1Encoding.DER);
    } catch (IOException e) {
        return;
    }
    extensions.addExtension(oid, isCritical, extensionValueOctet);
    reloadExtensionsTable();
    selectExtensionInTable(oid);
    updateButtonControls();
}
Also used : X509ExtensionType(org.kse.crypto.x509.X509ExtensionType) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DEROctetString(org.bouncycastle.asn1.DEROctetString) IOException(java.io.IOException) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Example 27 with DEROctetString

use of com.github.zhenwei.core.asn1.DEROctetString in project xipki by xipki.

the class ProxyP11Identity method sign0.

@Override
protected byte[] sign0(long mechanism, P11Params parameters, byte[] content) throws P11TokenException {
    org.xipki.security.pkcs11.proxy.asn1.P11Params p11Param = null;
    if (parameters != null) {
        if (parameters instanceof P11RSAPkcsPssParams) {
            p11Param = new org.xipki.security.pkcs11.proxy.asn1.P11Params(org.xipki.security.pkcs11.proxy.asn1.P11Params.TAG_RSA_PKCS_PSS, new RSAPkcsPssParams((P11RSAPkcsPssParams) parameters));
        } else if (parameters instanceof P11ByteArrayParams) {
            byte[] bytes = ((P11ByteArrayParams) parameters).getBytes();
            p11Param = new org.xipki.security.pkcs11.proxy.asn1.P11Params(org.xipki.security.pkcs11.proxy.asn1.P11Params.TAG_OPAQUE, new DEROctetString(bytes));
        } else if (parameters instanceof P11IVParams) {
            p11Param = new org.xipki.security.pkcs11.proxy.asn1.P11Params(org.xipki.security.pkcs11.proxy.asn1.P11Params.TAG_IV, new DEROctetString(((P11IVParams) parameters).getIV()));
        } else {
            throw new IllegalArgumentException("unkown parameter 'parameters'");
        }
    }
    SignTemplate signTemplate = new SignTemplate(((ProxyP11Slot) slot).getAsn1SlotId(), asn1KeyId, mechanism, p11Param, content);
    byte[] result = ((ProxyP11Slot) slot).getModule().send(P11ProxyConstants.ACTION_SIGN, signTemplate);
    ASN1OctetString octetString;
    try {
        octetString = DEROctetString.getInstance(result);
    } catch (IllegalArgumentException ex) {
        throw new P11TokenException("the returned result is not OCTET STRING");
    }
    return (octetString == null) ? null : octetString.getOctets();
}
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) P11TokenException(org.xipki.security.pkcs11.P11TokenException) P11Params(org.xipki.security.pkcs11.P11Params) DEROctetString(org.bouncycastle.asn1.DEROctetString) P11ByteArrayParams(org.xipki.security.pkcs11.P11Params.P11ByteArrayParams) SignTemplate(org.xipki.security.pkcs11.proxy.asn1.SignTemplate) P11RSAPkcsPssParams(org.xipki.security.pkcs11.P11Params.P11RSAPkcsPssParams) P11IVParams(org.xipki.security.pkcs11.P11Params.P11IVParams) P11RSAPkcsPssParams(org.xipki.security.pkcs11.P11Params.P11RSAPkcsPssParams) RSAPkcsPssParams(org.xipki.security.pkcs11.proxy.asn1.RSAPkcsPssParams)

Example 28 with DEROctetString

use of com.github.zhenwei.core.asn1.DEROctetString in project xipki by xipki.

the class X509Ca method generateCert0.

private CertificateInfo generateCert0(GrantedCertTemplate gct, RequestorInfo requestor, RequestType reqType, byte[] transactionId, AuditEvent event) throws OperationException {
    notNull(gct, "gct");
    event.addEventData(CaAuditConstants.NAME_req_subject, X509Util.getRfc4519Name(gct.requestedSubject));
    event.addEventData(CaAuditConstants.NAME_certprofile, gct.certprofile.getIdent().getName());
    event.addEventData(CaAuditConstants.NAME_not_before, DateUtil.toUtcTimeyyyyMMddhhmmss(gct.grantedNotBefore));
    event.addEventData(CaAuditConstants.NAME_not_after, DateUtil.toUtcTimeyyyyMMddhhmmss(gct.grantedNotAfter));
    IdentifiedCertprofile certprofile = gct.certprofile;
    ExtensionControl extnSctCtrl = certprofile.getExtensionControls().get(Extn.id_SCTs);
    boolean ctlogEnabled = caInfo.getCtlogControl() != null && caInfo.getCtlogControl().isEnabled();
    if (!ctlogEnabled) {
        if (extnSctCtrl != null && extnSctCtrl.isRequired()) {
            throw new OperationException(SYSTEM_FAILURE, "extension " + ObjectIdentifiers.getName(Extn.id_SCTs) + " is required but CTLog of the CA is not activated");
        }
    }
    String serialNumberMode = certprofile.getSerialNumberMode();
    BigInteger serialNumber = null;
    while (true) {
        if (StringUtil.isBlank(serialNumberMode) || "CA".equalsIgnoreCase(serialNumberMode)) {
            serialNumber = caInfo.nextSerial();
        } else if ("PROFILE".equalsIgnoreCase(serialNumberMode)) {
            try {
                BigInteger previousSerialNumber = serialNumber;
                ConfPairs extraControl = caInfo.getExtraControl();
                serialNumber = certprofile.generateSerialNumber(caInfo.getCert().getSubject(), caInfo.getCert().getSubjectPublicKeyInfo(), gct.requestedSubject, gct.grantedPublicKey, extraControl == null ? null : extraControl.unmodifiable());
                // do not repeat this process.
                if (serialNumber.equals(previousSerialNumber)) {
                    break;
                }
            } catch (CertprofileException ex) {
                LogUtil.error(LOG, ex, "error generateSerialNumber");
                throw new OperationException(SYSTEM_FAILURE, "unknown SerialNumberMode '" + serialNumberMode + "'");
            }
        } else {
            throw new OperationException(BAD_CERT_TEMPLATE, "unknown SerialNumberMode '" + serialNumberMode + "'");
        }
        if (certstore.getCertId(caIdent, serialNumber) == 0) {
            break;
        }
    }
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(caInfo.getPublicCaInfo().getSubject(), serialNumber, gct.grantedNotBefore, gct.grantedNotAfter, gct.grantedSubject, gct.grantedPublicKey);
    CertificateInfo ret;
    try {
        SignerEntryWrapper crlSigner = crlModule.getCrlSigner();
        X509Cert crlSignerCert = (crlSigner == null) ? null : crlSigner.getSigner().getCertificate();
        ExtensionValues extensionTuples = certprofile.getExtensions(gct.requestedSubject, gct.grantedSubject, gct.extensions, gct.grantedPublicKey, caInfo.getPublicCaInfo(), crlSignerCert, gct.grantedNotBefore, gct.grantedNotAfter);
        if (extensionTuples != null) {
            for (ASN1ObjectIdentifier extensionType : extensionTuples.getExtensionTypes()) {
                ExtensionValue extValue = extensionTuples.getExtensionValue(extensionType);
                certBuilder.addExtension(extensionType, extValue.isCritical(), extValue.getValue());
            }
        }
        boolean addCtlog = ctlogEnabled && extnSctCtrl != null;
        if (addCtlog) {
            certBuilder.addExtension(Extn.id_precertificate, true, DERNull.INSTANCE);
            ConcurrentBagEntrySigner signer0;
            try {
                signer0 = gct.signer.borrowSigner();
            } catch (NoIdleSignerException ex) {
                throw new OperationException(SYSTEM_FAILURE, ex);
            }
            X509CertificateHolder precert;
            try {
                precert = certBuilder.build(signer0.value());
            } finally {
                // returns the signer after the signing so that it can be used by others
                gct.signer.requiteSigner(signer0);
            }
            CtLogPublicKeyFinder finder = caManager.getCtLogPublicKeyFinder();
            if (finder == null) {
                throw new OperationException(SYSTEM_FAILURE, "ctLog not configured for CA " + caInfo.getIdent().getName());
            }
            SignedCertificateTimestampList scts = ctlogClient.getCtLogScts(precert, caCert, caInfo.getCertchain(), finder);
            // remove the precertificate extension
            certBuilder.removeExtension(Extn.id_precertificate);
            // add the SCTs extension
            DEROctetString extnValue;
            try {
                extnValue = new DEROctetString(new DEROctetString(scts.getEncoded()).getEncoded());
            } catch (IOException ex) {
                throw new CertIOException("could not encode SCT extension", ex);
            }
            certBuilder.addExtension(new Extension(Extn.id_SCTs, extnSctCtrl.isCritical(), extnValue));
        }
        ConcurrentBagEntrySigner signer0;
        try {
            signer0 = gct.signer.borrowSigner();
        } catch (NoIdleSignerException ex) {
            throw new OperationException(SYSTEM_FAILURE, ex);
        }
        X509CertificateHolder bcCert;
        try {
            bcCert = certBuilder.build(signer0.value());
        } finally {
            gct.signer.requiteSigner(signer0);
        }
        byte[] encodedCert = bcCert.getEncoded();
        int maxCertSize = gct.certprofile.getMaxCertSize();
        if (maxCertSize > 0) {
            int certSize = encodedCert.length;
            if (certSize > maxCertSize) {
                throw new OperationException(NOT_PERMITTED, String.format("certificate exceeds the maximal allowed size: %d > %d", certSize, maxCertSize));
            }
        }
        X509Cert cert = new X509Cert(bcCert, encodedCert);
        if (!verifySignature(cert)) {
            throw new OperationException(SYSTEM_FAILURE, "could not verify the signature of generated certificate");
        }
        CertWithDbId certWithMeta = new CertWithDbId(cert);
        ret = new CertificateInfo(certWithMeta, gct.privateKey, caIdent, caCert, gct.certprofile.getIdent(), requestor.getIdent());
        if (requestor instanceof RequestorInfo.ByUserRequestorInfo) {
            ret.setUser((((RequestorInfo.ByUserRequestorInfo) requestor).getUserId()));
        }
        ret.setReqType(reqType);
        ret.setTransactionId(transactionId);
        ret.setRequestedSubject(gct.requestedSubject);
        if (saveCert && publisherModule.publishCert(ret) == 1) {
            throw new OperationException(SYSTEM_FAILURE, "could not save certificate");
        }
    } catch (BadCertTemplateException ex) {
        throw new OperationException(BAD_CERT_TEMPLATE, ex);
    } catch (OperationException ex) {
        throw ex;
    } catch (Throwable th) {
        LogUtil.error(LOG, th, "could not generate certificate");
        throw new OperationException(SYSTEM_FAILURE, th);
    }
    if (gct.warning != null) {
        ret.setWarningMessage(gct.warning);
    }
    return ret;
}
Also used : DEROctetString(org.bouncycastle.asn1.DEROctetString) DEROctetString(org.bouncycastle.asn1.DEROctetString) ExtensionValue(org.xipki.ca.api.profile.ExtensionValue) CertprofileException(org.xipki.ca.api.profile.CertprofileException) ExtensionControl(org.xipki.ca.api.profile.Certprofile.ExtensionControl) ExtensionValues(org.xipki.ca.api.profile.ExtensionValues) IOException(java.io.IOException) CertIOException(org.bouncycastle.cert.CertIOException) CertIOException(org.bouncycastle.cert.CertIOException) Extension(org.bouncycastle.asn1.x509.Extension) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) SignedCertificateTimestampList(org.xipki.security.ctlog.CtLog.SignedCertificateTimestampList) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 29 with DEROctetString

use of com.github.zhenwei.core.asn1.DEROctetString in project certmgr by hdecarne.

the class ASN1DataTest method testGeneralNames.

/**
 * Test encoding & decoding of {@link GeneralNames} object.
 */
@Test
public void testGeneralNames() {
    try {
        GeneralNames in = new GeneralNames();
        DirectoryName inNameA = new DirectoryName(new X500Principal("CN=localhost"));
        GenericName inNameB = new GenericName(GeneralNameType.X400_ADDRESS, new DEROctetString("test".getBytes()).getEncoded());
        IPAddressName inNameC = new IPAddressName(InetAddress.getByName("127.0.0.1"), null);
        IPAddressName inNameD = new IPAddressName(InetAddress.getByName("127.0.0.1"), InetAddress.getByName("255.255.255.255"));
        IPAddressName inNameE = new IPAddressName(InetAddress.getByName("::1"), null);
        IPAddressName inNameF = new IPAddressName(InetAddress.getByName("::1"), InetAddress.getByName("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"));
        OtherName inNameG = new OtherName("1.2.3.4", new DEROctetString("test".getBytes()).getEncoded());
        RegisteredIDName inNameH = new RegisteredIDName("1.2.3.4");
        StringName inNameI = new StringName(GeneralNameType.UNIFORM_RESOURCE_IDENTIFIER, "https://localhost/test.crl");
        in.addName(inNameA);
        in.addName(inNameB);
        in.addName(inNameC);
        in.addName(inNameD);
        in.addName(inNameE);
        in.addName(inNameF);
        in.addName(inNameG);
        in.addName(inNameH);
        in.addName(inNameI);
        byte[] inEncoded = in.getEncoded();
        GeneralNames out = GeneralNames.decode(decodeBytes(inEncoded));
        byte[] outEncoded = out.getEncoded();
        Assert.assertArrayEquals(inEncoded, outEncoded);
    } catch (IOException e) {
        e.printStackTrace();
        Assert.fail(e.getLocalizedMessage());
    }
}
Also used : GenericName(de.carne.certmgr.certs.x509.GenericName) GeneralNames(de.carne.certmgr.certs.x509.GeneralNames) IPAddressName(de.carne.certmgr.certs.x509.IPAddressName) RegisteredIDName(de.carne.certmgr.certs.x509.RegisteredIDName) StringName(de.carne.certmgr.certs.x509.StringName) OtherName(de.carne.certmgr.certs.x509.OtherName) X500Principal(javax.security.auth.x500.X500Principal) IOException(java.io.IOException) DirectoryName(de.carne.certmgr.certs.x509.DirectoryName) DEROctetString(org.bouncycastle.asn1.DEROctetString) Test(org.junit.Test)

Example 30 with DEROctetString

use of com.github.zhenwei.core.asn1.DEROctetString in project certmgr by hdecarne.

the class IPAddressName method encode.

@Override
public ASN1Encodable encode() throws IOException {
    byte[] addressBytes = this.address.getAddress();
    byte[] netmaskBytes = (this.netmask != null ? this.netmask.getAddress() : new byte[0]);
    byte[] encodedBytes = new byte[addressBytes.length + netmaskBytes.length];
    System.arraycopy(addressBytes, 0, encodedBytes, 0, addressBytes.length);
    System.arraycopy(netmaskBytes, 0, encodedBytes, addressBytes.length, netmaskBytes.length);
    return new DERTaggedObject(false, getType().value(), new DEROctetString(encodedBytes));
}
Also used : DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Aggregations

DEROctetString (org.bouncycastle.asn1.DEROctetString)139 IOException (java.io.IOException)104 DEROctetString (com.github.zhenwei.core.asn1.DEROctetString)86 ASN1EncodableVector (com.github.zhenwei.core.asn1.ASN1EncodableVector)49 DERSequence (org.bouncycastle.asn1.DERSequence)48 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)46 DERSequence (com.github.zhenwei.core.asn1.DERSequence)44 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)39 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)32 BigInteger (java.math.BigInteger)27 Extension (org.bouncycastle.asn1.x509.Extension)27 AlgorithmIdentifier (com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)26 ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)26 AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)24 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)23 DERTaggedObject (org.bouncycastle.asn1.DERTaggedObject)21 ASN1Integer (com.github.zhenwei.core.asn1.ASN1Integer)20 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)19 Extensions (org.bouncycastle.asn1.x509.Extensions)19 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)18