use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.
the class JcaContentVerifierProviderBuilder method createCompositeVerifier.
private ContentVerifier createCompositeVerifier(AlgorithmIdentifier compAlgId, PublicKey publicKey) throws OperatorCreationException {
if (publicKey instanceof CompositePublicKey) {
List<PublicKey> pubKeys = ((CompositePublicKey) publicKey).getPublicKeys();
ASN1Sequence keySeq = ASN1Sequence.getInstance(compAlgId.getParameters());
Signature[] sigs = new Signature[keySeq.size()];
for (int i = 0; i != keySeq.size(); i++) {
AlgorithmIdentifier sigAlg = AlgorithmIdentifier.getInstance(keySeq.getObjectAt(i));
if (pubKeys.get(i) != null) {
sigs[i] = createSignature(sigAlg, (PublicKey) pubKeys.get(i));
} else {
sigs[i] = null;
}
}
return new CompositeVerifier(sigs);
} else {
ASN1Sequence keySeq = ASN1Sequence.getInstance(compAlgId.getParameters());
Signature[] sigs = new Signature[keySeq.size()];
for (int i = 0; i != keySeq.size(); i++) {
AlgorithmIdentifier sigAlg = AlgorithmIdentifier.getInstance(keySeq.getObjectAt(i));
try {
sigs[i] = createSignature(sigAlg, publicKey);
} catch (Exception e) {
sigs[i] = null;
// continue
}
}
return new CompositeVerifier(sigs);
}
}
use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.
the class PKCS10CertificationRequestBuilder method build.
/**
* Generate an PKCS#10 request based on the past in signer.
*
* @param signer the content signer to be used to generate the signature validating the
* certificate.
* @return a holder containing the resulting PKCS#10 certification request.
*/
public PKCS10CertificationRequest build(ContentSigner signer) {
CertificationRequestInfo info;
if (attributes.isEmpty()) {
if (leaveOffEmpty) {
info = new CertificationRequestInfo(subject, publicKeyInfo, null);
} else {
info = new CertificationRequestInfo(subject, publicKeyInfo, new DERSet());
}
} else {
ASN1EncodableVector v = new ASN1EncodableVector();
for (Iterator it = attributes.iterator(); it.hasNext(); ) {
v.add(Attribute.getInstance(it.next()));
}
info = new CertificationRequestInfo(subject, publicKeyInfo, new DERSet(v));
}
try {
OutputStream sOut = signer.getOutputStream();
sOut.write(info.getEncoded(ASN1Encoding.DER));
sOut.close();
return new PKCS10CertificationRequest(new CertificationRequest(info, signer.getAlgorithmIdentifier(), new DERBitString(signer.getSignature())));
} catch (IOException e) {
throw new IllegalStateException("cannot produce certification request signature");
}
}
use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.
the class DefaultSignatureAlgorithmIdentifierFinder method generate.
private static AlgorithmIdentifier generate(String signatureAlgorithm) {
AlgorithmIdentifier sigAlgId;
String algorithmName = Strings.toUpperCase(signatureAlgorithm);
ASN1ObjectIdentifier sigOID = (ASN1ObjectIdentifier) algorithms.get(algorithmName);
if (sigOID == null) {
throw new IllegalArgumentException("Unknown signature type requested: " + algorithmName);
}
if (noParams.contains(sigOID)) {
sigAlgId = new AlgorithmIdentifier(sigOID);
} else if (params.containsKey(algorithmName)) {
sigAlgId = new AlgorithmIdentifier(sigOID, (ASN1Encodable) params.get(algorithmName));
} else {
sigAlgId = new AlgorithmIdentifier(sigOID, DERNull.INSTANCE);
}
return sigAlgId;
}
use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.
the class DefaultSignatureNameFinder method getAlgorithmName.
/**
* Return the signature name for the passed in algorithm identifier. For signatures that require
* parameters, like RSASSA-PSS, this is the best one to use.
*
* @param algorithmIdentifier the AlgorithmIdentifier of interest.
* @return a string representation of the name.
*/
public String getAlgorithmName(AlgorithmIdentifier algorithmIdentifier) {
ASN1Encodable params = algorithmIdentifier.getParameters();
if (params != null && !DERNull.INSTANCE.equals(params)) {
if (algorithmIdentifier.getAlgorithm().equals(PKCSObjectIdentifiers.id_RSASSA_PSS)) {
RSASSAPSSparams rsaParams = RSASSAPSSparams.getInstance(params);
AlgorithmIdentifier mgfAlg = rsaParams.getMaskGenAlgorithm();
if (mgfAlg.getAlgorithm().equals(PKCSObjectIdentifiers.id_mgf1)) {
AlgorithmIdentifier digAlg = rsaParams.getHashAlgorithm();
ASN1ObjectIdentifier mgfHashOid = AlgorithmIdentifier.getInstance(mgfAlg.getParameters()).getAlgorithm();
if (mgfHashOid.equals(digAlg.getAlgorithm())) {
return getDigestName(digAlg.getAlgorithm()) + "WITHRSAANDMGF1";
} else {
return getDigestName(digAlg.getAlgorithm()) + "WITHRSAANDMGF1USING" + getDigestName(mgfHashOid);
}
}
return getDigestName(rsaParams.getHashAlgorithm().getAlgorithm()) + "WITHRSAAND" + mgfAlg.getAlgorithm().getId();
}
}
if (oids.containsKey(algorithmIdentifier.getAlgorithm())) {
return (String) oids.get(algorithmIdentifier.getAlgorithm());
}
return algorithmIdentifier.getAlgorithm().getId();
}
use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.
the class TimeStampToken method validate.
/**
* Validate the time stamp token.
* <p>
* To be valid the token must be signed by the passed in certificate and the certificate must be
* the one referred to by the SigningCertificate attribute included in the hashed attributes of
* the token. The certificate must also have the ExtendedKeyUsageExtension with only
* KeyPurposeId.id_kp_timeStamping and have been valid at the time the timestamp was created.
* </p>
* <p>
* A successful call to validate means all the above are true.
* </p>
*
* @param sigVerifier the content verifier create the objects required to verify the CMS object in
* the timestamp.
* @throws TSPException if an exception occurs in processing the token.
* @throws TSPValidationException if the certificate or signature fail to be valid.
* @throws IllegalArgumentException if the sigVerifierProvider has no associated certificate.
*/
public void validate(SignerInformationVerifier sigVerifier) throws TSPException, TSPValidationException {
if (!sigVerifier.hasAssociatedCertificate()) {
throw new IllegalArgumentException("verifier provider needs an associated certificate");
}
try {
X509CertificateHolder certHolder = sigVerifier.getAssociatedCertificate();
DigestCalculator calc = sigVerifier.getDigestCalculator(certID.getHashAlgorithm());
OutputStream cOut = calc.getOutputStream();
cOut.write(certHolder.getEncoded());
cOut.close();
if (!Arrays.constantTimeAreEqual(certID.getCertHash(), calc.getDigest())) {
throw new TSPValidationException("certificate hash does not match certID hash.");
}
if (certID.getIssuerSerial() != null) {
IssuerAndSerialNumber issuerSerial = new IssuerAndSerialNumber(certHolder.toASN1Structure());
if (!certID.getIssuerSerial().getSerial().equals(issuerSerial.getSerialNumber())) {
throw new TSPValidationException("certificate serial number does not match certID for signature.");
}
GeneralName[] names = certID.getIssuerSerial().getIssuer().getNames();
boolean found = false;
for (int i = 0; i != names.length; i++) {
if (names[i].getTagNo() == 4 && X500Name.getInstance(names[i].getName()).equals(X500Name.getInstance(issuerSerial.getName()))) {
found = true;
break;
}
}
if (!found) {
throw new TSPValidationException("certificate name does not match certID for signature. ");
}
}
TSPUtil.validateCertificate(certHolder);
if (!certHolder.isValidOn(tstInfo.getGenTime())) {
throw new TSPValidationException("certificate not valid when time stamp created.");
}
if (!tsaSignerInfo.verify(sigVerifier)) {
throw new TSPValidationException("signature not created by certificate.");
}
} catch (CMSException e) {
if (e.getUnderlyingException() != null) {
throw new TSPException(e.getMessage(), e.getUnderlyingException());
} else {
throw new TSPException("CMS exception: " + e, e);
}
} catch (IOException e) {
throw new TSPException("problem processing certificate: " + e, e);
} catch (OperatorCreationException e) {
throw new TSPException("unable to create digest: " + e.getMessage(), e);
}
}
Aggregations