
Example 21 with CertID

Use of CertID in project xipki by xipki. Note that this example imports org.bouncycastle.asn1.ocsp.CertID (see the import list below), not the com.github.zhenwei.core fork of the type.

the class AbstractOcspRequestor method buildRequest.

// method ask
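/**
 * Builds an OCSP request for one or more certificates issued by {@code caCert}.
 * <p>
 * One {@code CertID} (RFC 6960 §4.1.1) is added per serial number; all of them share the
 * issuer name hash / issuer key hash computed from {@code caCert} with the configured hash
 * algorithm. An optional nonce and the preferred-signature-algorithms list are attached as
 * request extensions. If {@code requestOptions.isSignRequest()} the request is signed with
 * the lazily created requestor signer and the signer's certificate chain is embedded.
 * </p>
 *
 * @param caCert         issuer certificate of the certificates being queried
 * @param serialNumbers  serial numbers to query (at least one is expected; not validated here)
 * @param nonce          nonce to bind the response to this request, or {@code null} for none.
 *                       Whether the caller checks the nonce in the response is not visible here.
 * @param requestOptions hash algorithm, preferred signature algorithms and signing flag
 * @return the encoded OCSP request
 * @throws OcspRequestorException on encoding failure, or when signing is requested but the
 *                                signer cannot be configured, created or borrowed
 */
private OCSPRequest buildRequest(X509Cert caCert, BigInteger[] serialNumbers, byte[] nonce, RequestOptions requestOptions) throws OcspRequestorException {
    HashAlgo hashAlgo = requestOptions.getHashAlgorithm();
    Extensions requestExtensions = buildOcspRequestExtensions(nonce, requestOptions.getPreferredSignatureAlgorithms());

    XiOCSPReqBuilder reqBuilder = new XiOCSPReqBuilder();
    if (requestExtensions != null) {
        reqBuilder.setRequestExtensions(requestExtensions);
    }

    try {
        // issuerNameHash = hash(DER issuer Name); issuerKeyHash = hash(subjectPublicKey BIT STRING
        // contents, i.e. without tag, length and unused-bits byte) -- getOctets() yields exactly that.
        DEROctetString issuerNameHash = new DEROctetString(hashAlgo.hash(caCert.getSubject().getEncoded()));
        TBSCertificate tbsCert = caCert.toBcCert().toASN1Structure().getTBSCertificate();
        DEROctetString issuerKeyHash = new DEROctetString(hashAlgo.hash(tbsCert.getSubjectPublicKeyInfo().getPublicKeyData().getOctets()));

        for (BigInteger serialNumber : serialNumbers) {
            reqBuilder.addRequest(new CertID(hashAlgo.getAlgorithmIdentifier(), issuerNameHash, issuerKeyHash, new ASN1Integer(serialNumber)));
        }

        if (!requestOptions.isSignRequest()) {
            return reqBuilder.build();
        }

        // Signed request: create the requestor signer on first use, then sign with a
        // borrowed entry and always return it to the pool.
        ensureRequestorSignerCreated();
        // NOTE(review): 'signer' is read here outside signerLock; that is safe only if the
        // field is volatile or always published under the lock -- confirm in the field declaration.
        reqBuilder.setRequestorName(signer.getCertificate().getSubject());
        X509Cert[] chain = signer.getCertificateChain();
        Certificate[] bcChain = new Certificate[chain.length];
        for (int i = 0; i < bcChain.length; i++) {
            bcChain[i] = chain[i].toBcCert().toASN1Structure();
        }

        ConcurrentBagEntrySigner borrowed;
        try {
            borrowed = signer.borrowSigner();
        } catch (NoIdleSignerException ex) {
            // keep the cause so pool-exhaustion diagnostics are not lost
            throw new OcspRequestorException("NoIdleSignerException: " + ex.getMessage(), ex);
        }
        try {
            return reqBuilder.build(borrowed.value(), bcChain);
        } finally {
            signer.requiteSigner(borrowed);
        }
    } catch (OCSPException | IOException ex) {
        throw new OcspRequestorException(ex.getMessage(), ex);
    }
}

/**
 * Assembles the request-level extensions: the nonce (if any) and the list of preferred
 * signature algorithms (if any). Both are added as non-critical.
 *
 * @return the extensions, or {@code null} when there is nothing to add
 * @throws OcspRequestorException if the preferred-algorithms value cannot be DER encoded
 */
private static Extensions buildOcspRequestExtensions(byte[] nonce, List<SignAlgo> prefSigAlgs) throws OcspRequestorException {
    List<Extension> extensions = new LinkedList<>();
    if (nonce != null) {
        // non-critical: a responder that ignores the nonce can still answer; the caller
        // decides whether an answer without the nonce is acceptable
        extensions.add(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce)));
    }
    if (prefSigAlgs != null && !prefSigAlgs.isEmpty()) {
        // PreferredSignatureAlgorithms ::= SEQUENCE OF PreferredSignatureAlgorithm,
        // each a SEQUENCE wrapping the AlgorithmIdentifier
        ASN1EncodableVector vec = new ASN1EncodableVector();
        for (SignAlgo algId : prefSigAlgs) {
            vec.add(new DERSequence(algId.getAlgorithmIdentifier()));
        }
        ASN1Sequence extnValue = new DERSequence(vec);
        try {
            extensions.add(new Extension(ObjectIdentifiers.Extn.id_pkix_ocsp_prefSigAlgs, false, new DEROctetString(extnValue)));
        } catch (IOException ex) {
            throw new OcspRequestorException(ex.getMessage(), ex);
        }
    }
    return extensions.isEmpty() ? null : new Extensions(extensions.toArray(new Extension[0]));
}

/**
 * Lazily creates the requestor signer under {@code signerLock} if it does not exist yet.
 * Requires {@code signerType} and {@code signerConf}; {@code signerCertFile} is optional.
 * Causes are preserved on all wrapped exceptions so misconfiguration is diagnosable.
 *
 * @throws OcspRequestorException if the configuration is incomplete or the signer/certificate
 *                                cannot be created
 * @throws IOException            if reading the signer certificate file fails (propagated to
 *                                the caller's IOException handling, as before)
 */
private void ensureRequestorSignerCreated() throws OcspRequestorException, IOException {
    synchronized (signerLock) {
        if (signer != null) {
            return;
        }
        if (StringUtil.isBlank(signerType)) {
            throw new OcspRequestorException("signerType is not configured");
        }
        if (StringUtil.isBlank(signerConf)) {
            throw new OcspRequestorException("signerConf is not configured");
        }
        X509Cert cert = null;
        if (StringUtil.isNotBlank(signerCertFile)) {
            try {
                cert = X509Util.parseCert(new File(signerCertFile));
            } catch (CertificateException ex) {
                throw new OcspRequestorException("could not parse certificate " + signerCertFile + ": " + ex.getMessage(), ex);
            }
        }
        try {
            signer = getSecurityFactory().createSigner(signerType, new SignerConf(signerConf), cert);
        } catch (Exception ex) {
            throw new OcspRequestorException("could not create signer: " + ex.getMessage(), ex);
        }
    }
}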
Also used : CertID(org.bouncycastle.asn1.ocsp.CertID) CertificateException(java.security.cert.CertificateException) Extensions(org.bouncycastle.asn1.x509.Extensions) TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate) IOException(java.io.IOException) LinkedList(java.util.LinkedList) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) CertificateEncodingException(java.security.cert.CertificateEncodingException) Extension(org.bouncycastle.asn1.x509.Extension) BigInteger(java.math.BigInteger) File(java.io.File) TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate) Certificate(org.bouncycastle.asn1.x509.Certificate)

Example 22 with CertID

Use of CertID in project jruby-openssl by jruby. As with the previous example, the type actually imported here is org.bouncycastle.asn1.ocsp.CertID (see the import list below), not the com.github.zhenwei.core fork.

the class OCSPBasicResponse method find_response.

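/**
 * Ruby {@code OCSP::BasicResponse#find_response(cert_id)}: returns the single response whose
 * CertID equals the given one, or {@code nil} if none matches (or {@code cert_id} is nil).
 * <p>
 * Matching uses {@code CertID.equals}, i.e. ASN.1 structural equality of hash algorithm,
 * issuer name hash, issuer key hash and serial number. NOTE(review): an AlgorithmIdentifier
 * whose parameters are encoded as absent on one side and NULL on the other will therefore
 * not match -- confirm this is acceptable for the responders in use. Finding a matching
 * single response says nothing about the signature on the BasicResponse; that must be
 * verified separately.
 * </p>
 *
 * @param context the current thread context
 * @param certId  an {@code OCSPCertificateId} (unchecked cast: any other Ruby object
 *                surfaces as a Java ClassCastException rather than a TypeError, as before)
 * @return the matching {@code OCSPSingleResponse}, or {@code context.nil}
 */
@JRubyMethod(name = "find_response")
public IRubyObject find_response(final ThreadContext context, IRubyObject certId) {
    if (certId.isNil()) {
        return context.nil;
    }
    // loop-invariant: the wanted CertID does not change per iteration, so resolve it once
    final CertID wanted = ((OCSPCertificateId) certId).getCertID();
    for (OCSPSingleResponse singleResp : singleResponses) {
        if (wanted.equals(singleResp.getBCSingleResp().getCertID())) {
            return singleResp;
        }
    }
    return context.nil;
}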
Also used : CertID(org.bouncycastle.asn1.ocsp.CertID) IRubyObject(org.jruby.runtime.builtin.IRubyObject) JRubyMethod(org.jruby.anno.JRubyMethod)

Example 23 with CertID

use of com.github.zhenwei.core.asn1.ocsp.CertID in project LinLong-Java by zhenwei1108.

the class CertificateID method createCertID.

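/**
 * Builds an OCSP {@code CertID} (RFC 6960 §4.1.1) for a certificate issued by
 * {@code issuerCert} with the given serial number.
 * <p>
 * {@code issuerNameHash} is the digest of the DER encoding of the issuer's subject Name;
 * {@code issuerKeyHash} is the digest of the issuer's subjectPublicKey BIT STRING contents
 * (tag, length and unused-bits byte excluded). Both use the same {@code digCalc}.
 * NOTE(review): this relies on {@code digCalc.getDigest()} resetting the calculator so it can
 * be reused for the second digest -- confirm against the DigestCalculator implementation.
 * </p>
 *
 * @param digCalc      digest calculator whose algorithm identifier becomes the hashAlgorithm
 * @param issuerCert   the issuer certificate
 * @param serialNumber serial number of the certificate being identified
 * @return the CertID
 * @throws OCSPException if encoding or digesting fails (the cause is preserved)
 */
private static CertID createCertID(DigestCalculator digCalc, X509CertificateHolder issuerCert, ASN1Integer serialNumber) throws OCSPException {
    try {
        // try-with-resources closes the digest stream even if write() throws
        try (OutputStream dgOut = digCalc.getOutputStream()) {
            dgOut.write(issuerCert.toASN1Structure().getSubject().getEncoded(ASN1Encoding.DER));
        }
        ASN1OctetString issuerNameHash = new DEROctetString(digCalc.getDigest());

        SubjectPublicKeyInfo info = issuerCert.getSubjectPublicKeyInfo();
        try (OutputStream dgOut = digCalc.getOutputStream()) {
            // BIT STRING contents only, per RFC 6960
            dgOut.write(info.getPublicKeyData().getBytes());
        }
        ASN1OctetString issuerKeyHash = new DEROctetString(digCalc.getDigest());

        return new CertID(digCalc.getAlgorithmIdentifier(), issuerNameHash, issuerKeyHash, serialNumber);
    } catch (Exception e) {
        throw new OCSPException("problem creating ID: " + e, e);
    }
}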
Also used : ASN1OctetString(com.github.zhenwei.core.asn1.ASN1OctetString) CertID(com.github.zhenwei.core.asn1.ocsp.CertID) OutputStream(java.io.OutputStream) SubjectPublicKeyInfo(com.github.zhenwei.core.asn1.x509.SubjectPublicKeyInfo) DEROctetString(com.github.zhenwei.core.asn1.DEROctetString) OperatorCreationException(com.github.zhenwei.pkix.operator.OperatorCreationException)

Example 24 with CertID

Listed as a use of com.github.zhenwei.core.asn1.ocsp.CertID in project LinLong-Java by zhenwei1108. Note, however, that the {@code certID} field read by this method exposes getCertHash() and getIssuerSerial(), i.e. it is presumably the ESS signing-certificate identifier (ESSCertID/ESSCertIDv2) rather than the OCSP CertID, and the import list below does not include the OCSP type; the example matches on the field name only.

the class TimeStampToken method validate.

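/**
 * Validate the time stamp token.
 * <p>
 * To be valid the token must be signed by the passed in certificate and the certificate must be
 * the one referred to by the SigningCertificate attribute included in the hashed attributes of
 * the token. The certificate must also have the ExtendedKeyUsageExtension with only
 * KeyPurposeId.id_kp_timeStamping and have been valid at the time the timestamp was created.
 * </p>
 * <p>
 * A successful call to validate means all the above are true. Nothing here builds or validates
 * a certification path to a trust anchor, nor checks revocation: the caller must establish that
 * the associated certificate is trusted before treating the token as authentic.
 * </p>
 *
 * @param sigVerifier the content verifier create the objects required to verify the CMS object in
 *                    the timestamp; it must carry the TSA certificate to validate against.
 * @throws TSPException             if an exception occurs in processing the token.
 * @throws TSPValidationException   if the certificate or signature fail to be valid.
 * @throws IllegalArgumentException if {@code sigVerifier} has no associated certificate.
 */
public void validate(SignerInformationVerifier sigVerifier) throws TSPException, TSPValidationException {
    if (!sigVerifier.hasAssociatedCertificate()) {
        throw new IllegalArgumentException("verifier provider needs an associated certificate");
    }
    try {
        X509CertificateHolder certHolder = sigVerifier.getAssociatedCertificate();

        // 1. The supplied certificate must hash (with the algorithm named in certID) to the
        //    value the signer committed to in the signed SigningCertificate attribute.
        DigestCalculator calc = sigVerifier.getDigestCalculator(certID.getHashAlgorithm());
        try (OutputStream cOut = calc.getOutputStream()) {
            cOut.write(certHolder.getEncoded());
        }
        // constant-time compare: certID comes from the (as yet unverified) token
        if (!Arrays.constantTimeAreEqual(certID.getCertHash(), calc.getDigest())) {
            throw new TSPValidationException("certificate hash does not match certID hash.");
        }

        // 2. If the attribute also carries issuer+serial, both must match the certificate.
        if (certID.getIssuerSerial() != null) {
            IssuerAndSerialNumber issuerSerial = new IssuerAndSerialNumber(certHolder.toASN1Structure());
            if (!certID.getIssuerSerial().getSerial().equals(issuerSerial.getSerialNumber())) {
                throw new TSPValidationException("certificate serial number does not match certID for signature.");
            }
            GeneralName[] names = certID.getIssuerSerial().getIssuer().getNames();
            boolean found = false;
            for (int i = 0; i != names.length; i++) {
                // tag 4 = directoryName; only X.500 names are compared, other name forms are skipped
                if (names[i].getTagNo() == 4 && X500Name.getInstance(names[i].getName()).equals(X500Name.getInstance(issuerSerial.getName()))) {
                    found = true;
                    break;
                }
            }
            if (!found) {
                throw new TSPValidationException("certificate name does not match certID for signature. ");
            }
        }

        // 3. Certificate profile check (EKU, per the contract above) and validity at genTime.
        TSPUtil.validateCertificate(certHolder);
        if (!certHolder.isValidOn(tstInfo.getGenTime())) {
            throw new TSPValidationException("certificate not valid when time stamp created.");
        }

        // 4. The CMS signature must verify under this certificate's key; this is what binds
        //    the signed attributes (including certID and genTime checked above) to the TSA.
        if (!tsaSignerInfo.verify(sigVerifier)) {
            throw new TSPValidationException("signature not created by certificate.");
        }
    } catch (CMSException e) {
        if (e.getUnderlyingException() != null) {
            throw new TSPException(e.getMessage(), e.getUnderlyingException());
        } else {
            throw new TSPException("CMS exception: " + e, e);
        }
    } catch (IOException e) {
        throw new TSPException("problem processing certificate: " + e, e);
    } catch (OperatorCreationException e) {
        throw new TSPException("unable to create digest: " + e.getMessage(), e);
    }
}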
Also used : IssuerAndSerialNumber(com.github.zhenwei.pkix.util.asn1.cms.IssuerAndSerialNumber) ByteArrayOutputStream(java.io.ByteArrayOutputStream) OutputStream(java.io.OutputStream) DigestCalculator(com.github.zhenwei.pkix.operator.DigestCalculator) IOException(java.io.IOException) X509CertificateHolder(com.github.zhenwei.pkix.cert.X509CertificateHolder) GeneralName(com.github.zhenwei.core.asn1.x509.GeneralName) OperatorCreationException(com.github.zhenwei.pkix.operator.OperatorCreationException) CMSException(com.github.zhenwei.pkix.cms.CMSException)

Example 25 with CertID

Listed as a use of com.github.zhenwei.core.asn1.ocsp.CertID in project LinLong-Java by zhenwei1108. Note that the ASN.1 shown below names the CMP/CRMF {@code CertId} type, and the import list below does not include the OCSP CertID; this example appears to match on the name only.

the class RevAnnContent method toASN1Primitive.

/**
 * Encodes this object as the CMP {@code RevAnnContent} SEQUENCE:
 * <pre>
 * RevAnnContent ::= SEQUENCE {
 *       status              PKIStatus,
 *       certId              CertId,
 *       willBeRevokedAt     GeneralizedTime,
 *       badSinceDate        GeneralizedTime,
 *       crlDetails          Extensions  OPTIONAL
 *        -- extra CRL details (e.g., crl number, reason, location, etc.)
 * }
 * </pre>
 * The four mandatory components are always emitted; {@code crlDetails} only when non-null.
 * ({@code CertId} here is the CMP/CRMF identifier, not the OCSP {@code CertID}.)
 *
 * @return a basic ASN.1 object representation.
 */
public ASN1Primitive toASN1Primitive() {
    ASN1EncodableVector elements = new ASN1EncodableVector(5);
    elements.add(status);
    elements.add(certId);
    elements.add(willBeRevokedAt);
    elements.add(badSinceDate);
    if (crlDetails == null) {
        // OPTIONAL component absent: four-element sequence
        return new DERSequence(elements);
    }
    elements.add(crlDetails);
    return new DERSequence(elements);
}
Also used : DERSequence(com.github.zhenwei.core.asn1.DERSequence) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector)
