use of com.github.zhenwei.core.asn1.pkcs.Attribute in project ca3sCore by kuehne-trustable-de.
the class CaCmpConnector method buildCertRequest.
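/**
 * Builds the CMP certificate request for a stored CSR.
 * <p>
 * The subject DN is rebuilt from the RDNs persisted with {@code csr}. Every
 * extension found in the PKCS#10 attributes is copied into the request unchanged.
 * No extension filtering happens in this method: whatever the requester put into
 * the CSR (e.g. basicConstraints, keyUsage, subjectAltName) is forwarded, so any
 * restriction has to be enforced before this call or by the receiving CA.
 *
 * @param certReqId request id handed to {@code cryptoUtil.buildCertRequest}
 * @param csr stored CSR entity providing the PEM text and the subject RDNs
 * @param hmacSecret secret handed to {@code cryptoUtil.buildCertRequest}; not logged here
 * @return the PKIMessage produced by {@code cryptoUtil.buildCertRequest}
 * @throws GeneralSecurityException if the CSR text cannot be parsed, or as thrown by
 *         {@code cryptoUtil.buildCertRequest}
 */
public PKIMessage buildCertRequest(long certReqId, final CSR csr, final String hmacSecret) throws GeneralSecurityException {
    // Parse the stored PEM CSR.
    // NOTE(review): nothing in this method verifies the CSR signature; if it is checked
    // at all, that happens inside cryptoUtil.parseCertificateRequest — confirm.
    PKCS10CertificationRequest p10Req;
    try {
        p10Req = cryptoUtil.parseCertificateRequest(csr.getCsrBase64()).getP10Req();
    } catch (IOException e) {
        LOGGER.error("parsing csr", e);
        // keep the IOException as cause so the parse failure stays traceable
        throw new GeneralSecurityException(e.getMessage(), e);
    }

    List<RDN> rdnList = new ArrayList<>();
    for (de.trustable.ca3s.core.domain.RDN rdnDao : csr.getRdns()) {
        List<AttributeTypeAndValue> attrTVList = new ArrayList<>();
        // Guard before any dereference: a null entry yields an empty RDN
        // instead of a NullPointerException in the debug statement.
        if (rdnDao != null && rdnDao.getRdnAttributes() != null) {
            LOGGER.debug("rdnDao : " + rdnDao.getRdnAttributes());
            for (RDNAttribute rdnAttr : rdnDao.getRdnAttributes()) {
                ASN1ObjectIdentifier aoi = new ASN1ObjectIdentifier(rdnAttr.getAttributeType());
                // every value is re-encoded as UTF8String, whatever its encoding in the CSR was
                ASN1Encodable ae = new DERUTF8String(rdnAttr.getAttributeValue());
                attrTVList.add(new AttributeTypeAndValue(aoi, ae));
            }
        }
        RDN rdn = new RDN(attrTVList.toArray(new AttributeTypeAndValue[0]));
        LOGGER.debug("rdn : " + rdn.size() + " elements");
        rdnList.add(rdn);
    }
    X500Name subjectDN = new X500Name(rdnList.toArray(new RDN[0]));
    LOGGER.debug("subjectDN : " + subjectDN);

    // Copy the extensions carried in the CSR attributes into the request.
    // The attribute type is not checked: any attribute value that parses as an
    // Extensions structure is accepted, everything else is skipped below.
    Collection<Extension> certExtList = new ArrayList<>();
    for (Attribute attribute : p10Req.getAttributes()) {
        for (ASN1Encodable asn1Encodable : attribute.getAttributeValues()) {
            if (asn1Encodable == null) {
                continue;
            }
            try {
                Extensions extensions = Extensions.getInstance(asn1Encodable);
                for (ASN1ObjectIdentifier oid : extensions.getExtensionOIDs()) {
                    LOGGER.debug("copying oid '" + oid.toString() + "' from csr to PKIMessage");
                    certExtList.add(extensions.getExtension(oid));
                }
            } catch (IllegalArgumentException iae) {
                // value is not an Extensions structure (best effort): log and go on
                LOGGER.debug("processing asn1 value '" + asn1Encodable + "' caused exception", iae);
            }
        }
    }

    final SubjectPublicKeyInfo keyInfo = p10Req.getSubjectPublicKeyInfo();
    return cryptoUtil.buildCertRequest(certReqId, subjectDN, certExtList, keyInfo, hmacSecret);
}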
use of com.github.zhenwei.core.asn1.pkcs.Attribute in project ca3sCore by kuehne-trustable-de.
the class CertificateUtil method getSANList.
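/**
 * Collects the subjectAltName entries requested in the extensionRequest
 * attributes of a CSR.
 * <p>
 * Every extension of each extensionRequest value is inspected, not only the
 * first one, and the optional {@code critical} flag is handled by
 * {@code Extension.getInstance}. A SAN extension that follows another extension,
 * or that is marked critical, is therefore still reported. Structures that do
 * not have the expected shape raise a runtime exception instead of being
 * skipped, so a request whose SANs cannot be read is not processed as if it
 * had none.
 *
 * @param p10ReqHolder holder giving access to the request attributes of the CSR
 * @return the set of requested general names, empty if none was found
 */
public Set<GeneralName> getSANList(Pkcs10RequestHolder p10ReqHolder) {
    Set<GeneralName> generalNameSet = new HashSet<>();
    for (Attribute attr : p10ReqHolder.getReqAttributes()) {
        if (!PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
            continue;
        }
        ASN1Set valueSet = attr.getAttrValues();
        LOG.debug("ExtensionRequest / AttrValues has {} elements", valueSet.size());
        for (ASN1Encodable asn1Enc : valueSet) {
            // the attribute value is the SEQUENCE OF Extension
            DERSequence extensionSeq = (DERSequence) asn1Enc;
            LOG.debug("ExtensionRequest / DERSequence has {} elements", extensionSeq.size());
            for (int i = 0; i < extensionSeq.size(); i++) {
                // parses { extnID, [critical], extnValue }; throws IllegalArgumentException if malformed
                Extension extension = Extension.getInstance(extensionSeq.getObjectAt(i));
                ASN1ObjectIdentifier objId = extension.getExtnId();
                if (!Extension.subjectAlternativeName.equals(objId)) {
                    LOG.debug("ExtensionRequest / skipping non-SAN extension {}", objId.getId());
                    continue;
                }
                GeneralNames names = GeneralNames.getInstance(extension.getExtnValue().getOctets());
                // SAN values are requester-supplied text; they are logged at debug level only
                LOG.debug("Attribute value SAN" + names);
                LOG.debug("SAN values #" + names.getNames().length);
                for (GeneralName gnSAN : names.getNames()) {
                    LOG.debug("GN " + gnSAN.toString());
                    generalNameSet.add(gnSAN);
                }
            }
        }
    }
    return generalNameSet;
}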
use of com.github.zhenwei.core.asn1.pkcs.Attribute in project ca3sCore by kuehne-trustable-de.
the class CSRUtil method buildCSR.
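/**
 * Creates and persists a {@code CSR} entity, with its RDNs, SAN attributes and
 * request attributes, from a parsed PKCS#10 request.
 * <p>
 * The stored PEM text is re-encoded from the parsed request, so anything that
 * surrounded the PKCS#10 structure in the submitted text is dropped. Values
 * inside the request (subject RDNs, SANs, attribute values) and
 * {@code requestorName} are still requester-controlled and are stored as
 * received; code that renders them must encode them for its output context.
 *
 * @param csrBase64 the submitted CSR text; deliberately not stored
 * @param requestorName name recorded as requestor of the CSR
 * @param p10ReqHolder holder of the parsed PKCS#10 request
 * @param pipelineType type of the pipeline the request arrived on
 * @param pipeline pipeline the request arrived on
 * @return the persisted CSR entity
 * @throws IOException presumably when re-encoding the request as PEM fails; confirm
 *         against {@code CryptoUtil.pkcs10RequestToPem}
 */
public CSR buildCSR(final String csrBase64, String requestorName, final Pkcs10RequestHolder p10ReqHolder, PipelineType pipelineType, Pipeline pipeline) throws IOException {
    CSR csr = new CSR();
    csr.setStatus(CsrStatus.PENDING);
    csr.setPipeline(pipeline);
    csr.setPipelineType(pipelineType);

    // Do not forward the initial CSR text (csr.setCsrBase64(csrBase64)): it may hold an
    // accidentally included private key or markup. Store the re-encoded request instead.
    csr.setCsrBase64(CryptoUtil.pkcs10RequestToPem(p10ReqHolder.getP10Req()));
    csr.setSubject(p10ReqHolder.getSubject());

    // produce a readable form of algorithms
    String sigAlgName = OidNameMapper.lookupOid(p10ReqHolder.getSigningAlgorithm());
    String keyAlgName = getKeyAlgoName(sigAlgName);
    csr.setSigningAlgorithm(sigAlgName);
    csr.setIsCSRValid(p10ReqHolder.isCSRValid());
    csr.setx509KeySpec(p10ReqHolder.getX509KeySpec());
    csr.setPublicKeyAlgorithm(keyAlgName);
    csr.setPublicKeyHash(p10ReqHolder.getPublicKeyHash());
    csr.setKeyLength(CertificateUtil.getAlignedKeyLength(p10ReqHolder.getPublicSigningKey()));
    csr.setServersideKeyGeneration(false);
    csr.setSubjectPublicKeyInfoBase64(p10ReqHolder.getSubjectPublicKeyInfoBase64());

    csr.setRequestedOn(Instant.now());
    csr.setRequestedBy(requestorName);
    // first save happens before the attributes are attached
    csrRepository.save(csr);

    AlgorithmInfo algorithmInfo = p10ReqHolder.getAlgorithmInfo();
    setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_HASH_ALGO, algorithmInfo.getHashAlgName(), false);
    setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_SIGN_ALGO, algorithmInfo.getSigAlgName(), false);
    setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_PADDING_ALGO, algorithmInfo.getPaddingAlgName(), false);
    if (algorithmInfo.getMfgName() != null && !algorithmInfo.getMfgName().isEmpty()) {
        setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_MFG, algorithmInfo.getMfgName(), false);
    }

    // convert the subject RDNs of the request into domain RDN entities
    LOG.debug("RDN arr #" + p10ReqHolder.getSubjectRDNs().length);
    Set<RDN> newRdns = new HashSet<>();
    for (org.bouncycastle.asn1.x500.RDN currentRdn : p10ReqHolder.getSubjectRDNs()) {
        RDN rdn = new RDN();
        rdn.csr(csr);
        LOG.debug("AttributeTypeAndValue arr #" + currentRdn.size());
        Set<RDNAttribute> rdnAttributes = new HashSet<>();
        for (AttributeTypeAndValue attrTV : currentRdn.getTypesAndValues()) {
            RDNAttribute rdnAttr = new RDNAttribute();
            rdnAttr.setRdn(rdn);
            rdnAttr.setAttributeType(attrTV.getType().toString());
            rdnAttr.setAttributeValue(attrTV.getValue().toString());
            rdnAttributes.add(rdnAttr);
        }
        rdn.setRdnAttributes(rdnAttributes);
        newRdns.add(rdn);
    }

    try {
        insertNameAttributes(csr, CsrAttribute.ATTRIBUTE_SUBJECT, new LdapName(p10ReqHolder.getSubject()));
    } catch (InvalidNameException e) {
        // best effort: the RDN-based call below still runs; keep the cause in the log
        LOG.info("problem parsing RDN for {}", p10ReqHolder.getSubject(), e);
    }
    insertNameAttributes(csr, CsrAttribute.ATTRIBUTE_SUBJECT, p10ReqHolder.getSubjectRDNs());

    Set<GeneralName> gNameSet = getSANList(p10ReqHolder);
    StringBuilder allSans = new StringBuilder();
    LOG.debug("putting SANs into CSRAttributes");
    for (GeneralName gName : gNameSet) {
        String sanValue = gName.getName().toString();
        if (GeneralName.otherName == gName.getTagNo()) {
            // the content of an otherName is not stored, only a fixed placeholder
            sanValue = "--other value--";
        }
        if (allSans.length() > 0) {
            allSans.append(';');
        }
        allSans.append(sanValue);
        this.setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_SAN, sanValue, true);

        String typePrefix = typedSanPrefix(gName.getTagNo());
        if (typePrefix != null) {
            this.setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_TYPED_SAN, typePrefix + sanValue, true);
        } else {
            LOG.info("unexpected name / tag '{}' in SANs", gName.getTagNo());
        }
    }
    csr.setSans(CryptoUtil.limitLength(allSans.toString(), 250));

    if (p10ReqHolder.getSubjectRDNs().length == 0) {
        LOG.info("Subject empty, using SANs");
        // A Set gives no ordering guarantee: the "first" DNS SAN is whichever
        // entry the iteration yields first.
        for (GeneralName gName : gNameSet) {
            if (GeneralName.dNSName == gName.getTagNo()) {
                RDN rdn = new RDN();
                rdn.csr(csr);
                Set<RDNAttribute> rdnAttributes = new HashSet<>();
                RDNAttribute rdnAttr = new RDNAttribute();
                rdnAttr.setRdn(rdn);
                rdnAttr.setAttributeType(X509ObjectIdentifiers.commonName.toString());
                rdnAttr.setAttributeValue(gName.getName().toString());
                rdnAttributes.add(rdnAttr);
                rdn.setRdnAttributes(rdnAttributes);
                newRdns.add(rdn);
                LOG.info("First DNS SAN inserted as CN: " + gName.getName().toString());
                // just one CN !
                break;
            }
        }
    }
    csr.setRdns(newRdns);

    // record the PKCS#10 request attributes with the string form of each value
    Set<RequestAttribute> newRas = new HashSet<>();
    for (Attribute attr : p10ReqHolder.getReqAttributes()) {
        RequestAttribute reqAttrs = new RequestAttribute();
        reqAttrs.setCsr(csr);
        String type = attr.getAttrType().toString();
        reqAttrs.setAttributeType(type);
        Set<RequestAttributeValue> requestAttributes = new HashSet<>();
        ASN1Set valueSet = attr.getAttrValues();
        LOG.debug("AttributeSet type " + type + " #" + valueSet.size());
        for (ASN1Encodable asn1Enc : valueSet.toArray()) {
            String value = asn1Enc.toString();
            LOG.debug("Attribute value " + value);
            RequestAttributeValue reqAttrValue = new RequestAttributeValue();
            reqAttrValue.setReqAttr(reqAttrs);
            reqAttrValue.setAttributeValue(value);
            requestAttributes.add(reqAttrValue);
        }
        reqAttrs.setRequestAttributeValues(requestAttributes);
        newRas.add(reqAttrs);
    }
    csr.setRas(newRas);

    // add requestor
    CsrAttribute csrAttRequestorName = new CsrAttribute();
    csrAttRequestorName.setCsr(csr);
    csrAttRequestorName.setName(CsrAttribute.ATTRIBUTE_REQUESTED_BY);
    csrAttRequestorName.setValue(requestorName);
    csr.getCsrAttributes().add(csrAttRequestorName);

    rdnRepository.saveAll(csr.getRdns());
    for (RDN rdn : csr.getRdns()) {
        rdnAttRepository.saveAll(rdn.getRdnAttributes());
    }
    // NOTE(review): the request attributes in csr.getRas() are not saved through their
    // own repositories here; presumably they are persisted with the CSR — confirm.
    csrAttRepository.saveAll(csr.getCsrAttributes());
    csrRepository.save(csr);
    LOG.debug("saved #{} csr attributes, ", newRas.size());
    return csr;
}

/** Maps a GeneralName tag to the prefix used for typed SAN attributes, or null if the tag is unknown. */
private static String typedSanPrefix(int tagNo) {
    if (GeneralName.dNSName == tagNo) {
        return "DNS:";
    }
    if (GeneralName.iPAddress == tagNo) {
        return "IP:";
    }
    if (GeneralName.ediPartyName == tagNo) {
        return "EDI:";
    }
    if (GeneralName.otherName == tagNo) {
        return "other:";
    }
    if (GeneralName.registeredID == tagNo) {
        return "regID:";
    }
    if (GeneralName.rfc822Name == tagNo) {
        return "rfc822:";
    }
    if (GeneralName.uniformResourceIdentifier == tagNo) {
        return "URI:";
    }
    if (GeneralName.x400Address == tagNo) {
        return "X400:";
    }
    if (GeneralName.directoryName == tagNo) {
        return "DirName:";
    }
    return null;
}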
use of com.github.zhenwei.core.asn1.pkcs.Attribute in project acme4j by shred.
the class SMIMECSRBuilderTest method keyUsageTest.
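/**
 * Validate the Key Usage bits.
 * <p>
 * The CSR must carry exactly one extensionRequest attribute with exactly one
 * value. That value is read through {@code Extensions.getInstance}, so it may be
 * an {@code Extensions} object or a structure that converts to one.
 *
 * @param csr
 *         {@link PKCS10CertificationRequest} to validate
 * @param expectedUsageBits
 *         Expected key usage bits. Exact match, validation fails if other bits are
 *         set or reset. If {@code null}, validation fails if key usage bits are set.
 */
private void keyUsageTest(PKCS10CertificationRequest csr, Integer expectedUsageBits) {
    Attribute[] attr = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    assertThat(attr).hasSize(1);
    ASN1Encodable[] extensions = attr[0].getAttrValues().toArray();
    assertThat(extensions).hasSize(1);
    Extensions requested = Extensions.getInstance(extensions[0]);
    DERBitString keyUsageBits = (DERBitString) requested.getExtensionParsedValue(Extension.keyUsage);
    if (expectedUsageBits != null) {
        // a missing keyUsage extension is reported as an assertion failure, not as an NPE
        assertThat(keyUsageBits).isNotNull();
        assertThat(keyUsageBits.intValue()).isEqualTo(expectedUsageBits);
    } else {
        assertThat(keyUsageBits).isNull();
    }
}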
use of com.github.zhenwei.core.asn1.pkcs.Attribute in project acme4j by shred.
the class CSRBuilderTest method csrTest.
/**
 * Verifies that the CSR carries the expected subject RDNs and subject alternative
 * names.
 * <p>
 * Encoding is not under test here: once the {@link PKCS10CertificationRequest}
 * holds the right parameters, Bouncy Castle is trusted to encode them properly.
 */
private void csrTest(PKCS10CertificationRequest csr) {
    X500Name subject = csr.getSubject();

    // soft assertions: all subject mismatches are reported together when the block closes
    try (AutoCloseableSoftAssertions softly = new AutoCloseableSoftAssertions()) {
        softly.assertThat(subject.getRDNs(BCStyle.CN))
                .as("CN")
                .extracting(r -> r.getFirst().getValue().toString())
                .contains("abc.de");
        softly.assertThat(subject.getRDNs(BCStyle.C))
                .as("C")
                .extracting(r -> r.getFirst().getValue().toString())
                .contains("XX");
        softly.assertThat(subject.getRDNs(BCStyle.L))
                .as("L")
                .extracting(r -> r.getFirst().getValue().toString())
                .contains("Testville");
        softly.assertThat(subject.getRDNs(BCStyle.O))
                .as("O")
                .extracting(r -> r.getFirst().getValue().toString())
                .contains("Testing Co");
        softly.assertThat(subject.getRDNs(BCStyle.OU))
                .as("OU")
                .extracting(r -> r.getFirst().getValue().toString())
                .contains("Testunit");
        softly.assertThat(subject.getRDNs(BCStyle.ST))
                .as("ST")
                .extracting(r -> r.getFirst().getValue().toString())
                .contains("ABC");
    }

    // exactly one extensionRequest attribute holding exactly one value is expected
    Attribute[] extensionRequests = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    assertThat(extensionRequests).hasSize(1);
    ASN1Encodable[] requestValues = extensionRequests[0].getAttrValues().toArray();
    assertThat(requestValues).hasSize(1);

    GeneralNames sans = GeneralNames.fromExtensions(
            (Extensions) requestValues[0], Extension.subjectAlternativeName);

    // DNS names, compared as strings
    assertThat(sans.getNames())
            .filteredOn(san -> san.getTagNo() == GeneralName.dNSName)
            .extracting(san -> ASN1IA5String.getInstance(san.getName()).getString())
            .containsExactlyInAnyOrder("abc.de", "fg.hi", "jklm.no", "pqr.st", "uv.wx", "y.z", "*.wild.card", "ide1.nt", "ide2.nt", "ide3.nt");

    // IP addresses, compared by host address
    assertThat(sans.getNames())
            .filteredOn(san -> san.getTagNo() == GeneralName.iPAddress)
            .extracting(san -> getIP(san.getName()).getHostAddress())
            .containsExactlyInAnyOrder("192.168.0.1", "192.168.0.2", "10.0.0.1", "10.0.0.2", "fd00:0:0:0:0:0:0:1", "fd00:0:0:0:0:0:0:2", "192.168.5.5", "192.168.5.6", "192.168.5.7");
}