use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.
the class X509CertificateImpl method doVerify.
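/**
 * Verifies the signature on this certificate with {@code key}, covering three cases:
 * a composite key with a composite signature algorithm, a single key with a composite
 * signature algorithm, and a non-composite signature algorithm (with a single or a
 * composite key).
 *
 * <p>The algorithm parameters and the signature value come from the certificate being
 * verified, so they are untrusted at this point. Component indexes are therefore checked
 * against the decoded sequences before use, and a certificate whose sequences are too
 * short is rejected with a {@link SignatureException} instead of an unchecked indexing
 * failure.
 *
 * <p>NOTE(review): no comparison of the outer signatureAlgorithm with the algorithm inside
 * the signed TBS structure is visible in this method; confirm that checkSignature or the
 * caller performs it.
 *
 * @param key the public key (possibly a {@code CompositePublicKey}) to verify with
 * @param signatureCreator factory for the Signature instance of a given algorithm name
 * @throws InvalidKeyException if no key or component could be matched to the signature
 * @throws SignatureException if a component fails verification or the composite
 *         structures are shorter than the index being verified
 */
private void doVerify(PublicKey key, SignatureCreator signatureCreator) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, NoSuchProviderException {
    if (key instanceof CompositePublicKey && X509SignatureUtil.isCompositeAlgorithm(c.getSignatureAlgorithm())) {
        // Composite key + composite signature: components are matched by position.
        List<PublicKey> pubKeys = ((CompositePublicKey) key).getPublicKeys();
        ASN1Sequence keySeq = ASN1Sequence.getInstance(c.getSignatureAlgorithm().getParameters());
        ASN1Sequence sigSeq = ASN1Sequence.getInstance(DERBitString.getInstance(c.getSignature()).getBytes());
        boolean success = false;
        for (int i = 0; i != pubKeys.size(); i++) {
            if (pubKeys.get(i) == null) {
                // A null slot in the composite key is skipped, not treated as a failure.
                continue;
            }
            // keySeq and sigSeq are decoded from the certificate; never index past them.
            if (i >= keySeq.size() || i >= sigSeq.size()) {
                throw new SignatureException("composite signature has fewer components than the composite key");
            }
            AlgorithmIdentifier sigAlg = AlgorithmIdentifier.getInstance(keySeq.getObjectAt(i));
            String sigName = X509SignatureUtil.getSignatureName(sigAlg);
            Signature signature = signatureCreator.createSignature(sigName);
            // Any exception from checkSignature propagates, so every non-null component
            // has to pass; one good component does not mask a bad one.
            checkSignature(pubKeys.get(i), signature, sigAlg.getParameters(), DERBitString.getInstance(sigSeq.getObjectAt(i)).getBytes());
            success = true;
        }
        if (!success) {
            throw new InvalidKeyException("no matching key found");
        }
    } else if (X509SignatureUtil.isCompositeAlgorithm(c.getSignatureAlgorithm())) {
        // Single key + composite signature: the key is tried against each component.
        // Success here only shows that at least one component verifies under this key;
        // the remaining components are not checked by this branch.
        ASN1Sequence keySeq = ASN1Sequence.getInstance(c.getSignatureAlgorithm().getParameters());
        ASN1Sequence sigSeq = ASN1Sequence.getInstance(DERBitString.getInstance(c.getSignature()).getBytes());
        boolean success = false;
        for (int i = 0; i != sigSeq.size(); i++) {
            // The algorithm list and the signature list must line up position by position.
            if (i >= keySeq.size()) {
                throw new SignatureException("composite signature has more components than its algorithm parameters");
            }
            AlgorithmIdentifier sigAlg = AlgorithmIdentifier.getInstance(keySeq.getObjectAt(i));
            String sigName = X509SignatureUtil.getSignatureName(sigAlg);
            try {
                Signature signature = signatureCreator.createSignature(sigName);
                checkSignature(key, signature, sigAlg.getParameters(), DERBitString.getInstance(sigSeq.getObjectAt(i)).getBytes());
                success = true;
            } catch (InvalidKeyException ignored) {
                // the key cannot be used with this component; try the next one
            } catch (NoSuchAlgorithmException ignored) {
                // this component's algorithm is unavailable; try the next one
            }
            // A SignatureException is deliberately not caught: it aborts verification.
        }
        if (!success) {
            throw new InvalidKeyException("no matching key found");
        }
    } else {
        String sigName = X509SignatureUtil.getSignatureName(c.getSignatureAlgorithm());
        Signature signature = signatureCreator.createSignature(sigName);
        if (key instanceof CompositePublicKey) {
            // Non-composite signature + composite key: the first component key that the
            // algorithm accepts decides the outcome. InvalidKeyException moves on to the
            // next key; any other exception from checkSignature ends the search.
            List<PublicKey> keys = ((CompositePublicKey) key).getPublicKeys();
            for (int i = 0; i != keys.size(); i++) {
                try {
                    checkSignature(keys.get(i), signature, c.getSignatureAlgorithm().getParameters(), this.getSignature());
                    // found the match!
                    return;
                } catch (InvalidKeyException ignored) {
                    // key type does not fit the signature algorithm; try the next key
                }
            }
            throw new InvalidKeyException("no matching signature found");
        } else {
            checkSignature(key, signature, c.getSignatureAlgorithm().getParameters(), this.getSignature());
        }
    }
}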
use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.
the class CertificateFactory method engineGenerateCRLs.
/**
* Returns a (possibly empty) collection view of the CRLs read from the given input stream
* inStream.
* <p>
* The inStream may contain a sequence of DER-encoded CRLs, or a PKCS#7 CRL set. This is a PKCS#7
* SignedData object, with the only significant field being crls. In particular the signature and
* the contents are ignored.
*/
public Collection engineGenerateCRLs(InputStream inStream) throws CRLException {
    BufferedInputStream in = new BufferedInputStream(inStream);
    List crls = new ArrayList();
    // Keep pulling CRLs until doGenerateCRL reports there is nothing more to read.
    // The flag passed is true only while nothing has been collected yet; presumably this
    // lets trailing junk after at least one CRL end the read quietly - confirm against
    // doGenerateCRL.
    // NOTE(review): no signature verification is visible in this method; the returned
    // CRLs should be treated as parsed only until a caller verifies them.
    while (true) {
        CRL next = doGenerateCRL(in, crls.isEmpty());
        if (next == null) {
            break;
        }
        crls.add(next);
    }
    return crls;
}
use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.
the class X509CRLImpl method doVerify.
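/**
 * Verifies the signature on this CRL with {@code key}, covering a composite key with a
 * composite signature algorithm, a single key with a composite signature algorithm, and a
 * non-composite signature algorithm.
 *
 * <p>The algorithm parameters and the signature value come from the CRL being verified,
 * so they are untrusted at this point. Component indexes are therefore checked against
 * the decoded sequences before use, and a CRL whose sequences are too short is rejected
 * with a {@link SignatureException} instead of an unchecked indexing failure.
 *
 * @param key the public key (possibly a {@code CompositePublicKey}) to verify with
 * @param sigCreator factory for the Signature instance of a given algorithm name
 * @throws CRLException if the outer signature algorithm differs from the one in the
 *         TBSCertList
 * @throws InvalidKeyException if no key or component could be matched to the signature
 * @throws SignatureException if a component fails verification, the composite structures
 *         are shorter than the index being verified, or the signature parameters cannot
 *         be decoded
 */
private void doVerify(PublicKey key, SignatureCreator sigCreator) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, NoSuchProviderException {
    // The algorithm named on the outer CertificateList must equal the one recorded inside
    // the TBSCertList; reject the CRL before any cryptographic work if they disagree.
    if (!c.getSignatureAlgorithm().equals(c.getTBSCertList().getSignature())) {
        throw new CRLException("Signature algorithm on CertificateList does not match TBSCertList.");
    }
    if (key instanceof CompositePublicKey && X509SignatureUtil.isCompositeAlgorithm(c.getSignatureAlgorithm())) {
        // Composite key + composite signature: components are matched by position.
        List<PublicKey> pubKeys = ((CompositePublicKey) key).getPublicKeys();
        ASN1Sequence keySeq = ASN1Sequence.getInstance(c.getSignatureAlgorithm().getParameters());
        ASN1Sequence sigSeq = ASN1Sequence.getInstance(DERBitString.getInstance(c.getSignature()).getBytes());
        boolean success = false;
        for (int i = 0; i != pubKeys.size(); i++) {
            if (pubKeys.get(i) == null) {
                // A null slot in the composite key is skipped, not treated as a failure.
                continue;
            }
            // keySeq and sigSeq are decoded from the CRL; never index past them.
            if (i >= keySeq.size() || i >= sigSeq.size()) {
                throw new SignatureException("composite signature has fewer components than the composite key");
            }
            AlgorithmIdentifier sigAlg = AlgorithmIdentifier.getInstance(keySeq.getObjectAt(i));
            String sigName = X509SignatureUtil.getSignatureName(sigAlg);
            Signature signature = sigCreator.createSignature(sigName);
            // Any exception from checkSignature propagates, so every non-null component
            // has to pass; one good component does not mask a bad one.
            checkSignature(pubKeys.get(i), signature, sigAlg.getParameters(), DERBitString.getInstance(sigSeq.getObjectAt(i)).getBytes());
            success = true;
        }
        if (!success) {
            throw new InvalidKeyException("no matching key found");
        }
    } else if (X509SignatureUtil.isCompositeAlgorithm(c.getSignatureAlgorithm())) {
        // Single key + composite signature: the key is tried against each component.
        // Success here only shows that at least one component verifies under this key;
        // the remaining components are not checked by this branch.
        ASN1Sequence keySeq = ASN1Sequence.getInstance(c.getSignatureAlgorithm().getParameters());
        ASN1Sequence sigSeq = ASN1Sequence.getInstance(DERBitString.getInstance(c.getSignature()).getBytes());
        boolean success = false;
        for (int i = 0; i != sigSeq.size(); i++) {
            // The algorithm list and the signature list must line up position by position.
            if (i >= keySeq.size()) {
                throw new SignatureException("composite signature has more components than its algorithm parameters");
            }
            AlgorithmIdentifier sigAlg = AlgorithmIdentifier.getInstance(keySeq.getObjectAt(i));
            String sigName = X509SignatureUtil.getSignatureName(sigAlg);
            try {
                Signature signature = sigCreator.createSignature(sigName);
                checkSignature(key, signature, sigAlg.getParameters(), DERBitString.getInstance(sigSeq.getObjectAt(i)).getBytes());
                success = true;
            } catch (InvalidKeyException ignored) {
                // the key cannot be used with this component; try the next one
            } catch (NoSuchAlgorithmException ignored) {
                // this component's algorithm is unavailable; try the next one
            }
            // A SignatureException is deliberately not caught: it aborts verification.
        }
        if (!success) {
            throw new InvalidKeyException("no matching key found");
        }
    } else {
        Signature sig = sigCreator.createSignature(getSigAlgName());
        if (sigAlgParams == null) {
            checkSignature(key, sig, null, this.getSignature());
        } else {
            try {
                checkSignature(key, sig, ASN1Primitive.fromByteArray(sigAlgParams), this.getSignature());
            } catch (IOException e) {
                // Keep the IOException as the cause so the decoding failure stays traceable.
                throw new SignatureException("cannot decode signature parameters: " + e.getMessage(), e);
            }
        }
    }
}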
use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.
the class ProvOcspRevocationChecker method getDigestName.
// we need to remove the - to create a correct signature name
/**
 * Looks up the digest name for {@code oid} and drops its first '-' so the result can be
 * used as part of a signature algorithm name. Names starting with "SHA3" and names with
 * no '-' after the first character are returned unchanged.
 *
 * @param oid object identifier of the digest algorithm
 * @return the digest name, with the first dash removed where applicable
 */
private static String getDigestName(ASN1ObjectIdentifier oid) {
    String digestName = MessageDigestUtils.getDigestName(oid);
    int dash = digestName.indexOf('-');
    // Nothing to strip: no dash past position 0, or a SHA3 name that keeps its dash.
    if (dash <= 0 || digestName.startsWith("SHA3")) {
        return digestName;
    }
    return digestName.substring(0, dash) + digestName.substring(dash + 1);
}
use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.
the class RFC3280CertPathUtilities method processCertA.
/**
 * Runs the basic checks on the certificate at {@code index} of {@code certPath}:
 * signature, validity period, revocation (when a checker is supplied) and issuer name
 * chaining. Each failure is reported as a {@code CertPathValidatorException} that carries
 * the path and the index.
 *
 * @param certPath the path being validated
 * @param paramsPKIX validation parameters (signature provider and validity model are read)
 * @param validityDate date handed to the validity-model lookup
 * @param revocationChecker optional revocation checker; skipped when {@code null}
 * @param index position of the certificate under test within {@code certPath}
 * @param workingPublicKey key used to verify the certificate's signature
 * @param verificationAlreadyPerformed when {@code true} the signature check is skipped;
 *        the caller is then vouching that it has already been done
 * @param workingIssuerName name the certificate's issuer has to equal
 * @param sign certificate passed on to the revocation checker parameters (presumably the
 *        signing certificate - confirm against the caller)
 * @throws CertPathValidatorException if any of the checks fails
 */
protected static void processCertA(CertPath certPath, PKIXExtendedParameters paramsPKIX, Date validityDate, PKIXCertRevocationChecker revocationChecker, int index, PublicKey workingPublicKey, boolean verificationAlreadyPerformed, X500Name workingIssuerName, X509Certificate sign) throws CertPathValidatorException {
    X509Certificate current = (X509Certificate) certPath.getCertificates().get(index);

    // (a) (1) signature: only skipped when the caller states it was already verified.
    if (!verificationAlreadyPerformed) {
        try {
            CertPathValidatorUtilities.verifyX509Certificate(current, workingPublicKey, paramsPKIX.getSigProvider());
        } catch (GeneralSecurityException e) {
            throw new ExtCertPathValidatorException("Could not validate certificate signature.", e, certPath, index);
        }
    }

    // Work out which date the validity period has to be checked against.
    final Date validCertDate;
    try {
        validCertDate = CertPathValidatorUtilities.getValidCertDateFromValidityModel(validityDate, paramsPKIX.getValidityModel(), certPath, index);
    } catch (AnnotatedException e) {
        throw new ExtCertPathValidatorException("Could not validate time of certificate.", e, certPath, index);
    }

    // Validity period: expired and not-yet-valid are reported with the same wording.
    try {
        current.checkValidity(validCertDate);
    } catch (CertificateExpiredException e) {
        String reason = "Could not validate certificate: " + e.getMessage();
        throw new ExtCertPathValidatorException(reason, e, certPath, index);
    } catch (CertificateNotYetValidException e) {
        String reason = "Could not validate certificate: " + e.getMessage();
        throw new ExtCertPathValidatorException(reason, e, certPath, index);
    }

    // Revocation: with a null checker, no revocation check happens in this method.
    if (revocationChecker != null) {
        PKIXCertRevocationCheckerParameters checkerParams = new PKIXCertRevocationCheckerParameters(paramsPKIX, validCertDate, certPath, index, sign, workingPublicKey);
        revocationChecker.initialize(checkerParams);
        revocationChecker.check(current);
    }

    // (a) (4) name chaining: the issuer must equal the working issuer name.
    X500Name certIssuer = PrincipalUtils.getIssuerPrincipal(current);
    if (certIssuer.equals(workingIssuerName)) {
        return;
    }
    throw new ExtCertPathValidatorException("IssuerName(" + certIssuer + ") does not match SubjectName(" + workingIssuerName + ") of signing certificate.", null, certPath, index);
}