use of com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier in project xipki by xipki.
the class OcspBenchRequestor method init.
public void init(OcspBenchmark responseHandler, String responderUrl, Certificate issuerCert, RequestOptions requestOptions, int queueSize) throws Exception {
ParamUtil.requireNonNull("issuerCert", issuerCert);
ParamUtil.requireNonNull("responseHandler", responseHandler);
this.requestOptions = ParamUtil.requireNonNull("requestOptions", requestOptions);
HashAlgo hashAlgo = HashAlgo.getInstance(requestOptions.getHashAlgorithmId());
if (hashAlgo == null) {
throw new OcspRequestorException("unknown HashAlgo " + requestOptions.getHashAlgorithmId().getId());
}
this.issuerhashAlg = hashAlgo.getAlgorithmIdentifier();
this.issuerNameHash = new DEROctetString(hashAlgo.hash(issuerCert.getSubject().getEncoded()));
this.issuerKeyHash = new DEROctetString(hashAlgo.hash(issuerCert.getSubjectPublicKeyInfo().getPublicKeyData().getOctets()));
List<AlgorithmIdentifier> prefSigAlgs = requestOptions.getPreferredSignatureAlgorithms();
if (prefSigAlgs == null || prefSigAlgs.size() == 0) {
this.extensions = null;
} else {
ASN1EncodableVector vec = new ASN1EncodableVector();
for (AlgorithmIdentifier algId : prefSigAlgs) {
ASN1Sequence prefSigAlgObj = new DERSequence(algId);
vec.add(prefSigAlgObj);
}
ASN1Sequence extnValue = new DERSequence(vec);
Extension extn;
try {
extn = new Extension(ObjectIdentifiers.id_pkix_ocsp_prefSigAlgs, false, new DEROctetString(extnValue));
} catch (IOException ex) {
throw new OcspRequestorException(ex.getMessage(), ex);
}
this.extensions = new Extension[] { extn };
}
URI uri = new URI(responderUrl);
this.responderRawPathPost = uri.getRawPath();
if (this.responderRawPathPost.endsWith("/")) {
this.responderRawPathGet = this.responderRawPathPost;
} else {
this.responderRawPathGet = this.responderRawPathPost + "/";
}
this.httpClient = new HttpClient(responderUrl, responseHandler, queueSize);
this.httpClient.start();
}
use of com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier in project xipki by xipki.
the class RequestOptions method createPSSRSAParams.
// method createAlgId
// CHECKSTYLE:SKIP
public static RSASSAPSSparams createPSSRSAParams(ASN1ObjectIdentifier digestAlgOid) {
int saltSize;
if (X509ObjectIdentifiers.id_SHA1.equals(digestAlgOid)) {
saltSize = 20;
} else if (NISTObjectIdentifiers.id_sha224.equals(digestAlgOid)) {
saltSize = 28;
} else if (NISTObjectIdentifiers.id_sha256.equals(digestAlgOid)) {
saltSize = 32;
} else if (NISTObjectIdentifiers.id_sha384.equals(digestAlgOid)) {
saltSize = 48;
} else if (NISTObjectIdentifiers.id_sha512.equals(digestAlgOid)) {
saltSize = 64;
} else {
throw new RuntimeException("unknown digest algorithm " + digestAlgOid);
}
AlgorithmIdentifier digAlgId = new AlgorithmIdentifier(digestAlgOid, DERNull.INSTANCE);
return new RSASSAPSSparams(digAlgId, new AlgorithmIdentifier(PKCSObjectIdentifiers.id_mgf1, digAlgId), new ASN1Integer(saltSize), RSASSAPSSparams.DEFAULT_TRAILER_FIELD);
}
use of com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier in project xipki by xipki.
the class RequestOptions method createAlgId.
private static AlgorithmIdentifier createAlgId(String algoName) {
algoName = algoName.toUpperCase();
ASN1ObjectIdentifier algOid = null;
if ("SHA1WITHRSA".equals(algoName)) {
algOid = PKCSObjectIdentifiers.sha1WithRSAEncryption;
} else if ("SHA256WITHRSA".equals(algoName)) {
algOid = PKCSObjectIdentifiers.sha256WithRSAEncryption;
} else if ("SHA384WITHRSA".equals(algoName)) {
algOid = PKCSObjectIdentifiers.sha384WithRSAEncryption;
} else if ("SHA512WITHRSA".equals(algoName)) {
algOid = PKCSObjectIdentifiers.sha512WithRSAEncryption;
} else if ("SHA1WITHECDSA".equals(algoName)) {
algOid = X9ObjectIdentifiers.ecdsa_with_SHA1;
} else if ("SHA256WITHECDSA".equals(algoName)) {
algOid = X9ObjectIdentifiers.ecdsa_with_SHA256;
} else if ("SHA384WITHECDSA".equals(algoName)) {
algOid = X9ObjectIdentifiers.ecdsa_with_SHA384;
} else if ("SHA512WITHECDSA".equals(algoName)) {
algOid = X9ObjectIdentifiers.ecdsa_with_SHA512;
} else if ("SHA1WITHRSAANDMGF1".equals(algoName) || "SHA256WITHRSAANDMGF1".equals(algoName) || "SHA384WITHRSAANDMGF1".equals(algoName) || "SHA512WITHRSAANDMGF1".equals(algoName)) {
algOid = PKCSObjectIdentifiers.id_RSASSA_PSS;
} else {
// should not happen
throw new RuntimeException("Unsupported algorithm " + algoName);
}
ASN1Encodable params;
if (PKCSObjectIdentifiers.id_RSASSA_PSS.equals(algOid)) {
ASN1ObjectIdentifier digestAlgOid = null;
if ("SHA1WITHRSAANDMGF1".equals(algoName)) {
digestAlgOid = X509ObjectIdentifiers.id_SHA1;
} else if ("SHA256WITHRSAANDMGF1".equals(algoName)) {
digestAlgOid = NISTObjectIdentifiers.id_sha256;
} else if ("SHA384WITHRSAANDMGF1".equals(algoName)) {
digestAlgOid = NISTObjectIdentifiers.id_sha384;
} else {
// if ("SHA512WITHRSAANDMGF1".equals(algoName))
digestAlgOid = NISTObjectIdentifiers.id_sha512;
}
params = createPSSRSAParams(digestAlgOid);
} else {
params = DERNull.INSTANCE;
}
return new AlgorithmIdentifier(algOid, params);
}
use of com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier in project xipki by xipki.
the class CmpResponder method verifyProtection.
private ProtectionVerificationResult verifyProtection(String tid, GeneralPKIMessage pkiMessage, CmpControl cmpControl) throws CMPException, InvalidKeyException, OperatorCreationException {
ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
if (protectedMsg.hasPasswordBasedMacProtection()) {
LOG.warn("NOT_SIGNAUTRE_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
return new ProtectionVerificationResult(null, ProtectionResult.NOT_SIGNATURE_BASED);
}
PKIHeader header = protectedMsg.getHeader();
AlgorithmIdentifier protectionAlg = header.getProtectionAlg();
if (!cmpControl.getSigAlgoValidator().isAlgorithmPermitted(protectionAlg)) {
LOG.warn("SIG_ALGO_FORBIDDEN: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
return new ProtectionVerificationResult(null, ProtectionResult.SIGALGO_FORBIDDEN);
}
CmpRequestorInfo requestor = getRequestor(header);
if (requestor == null) {
LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender());
return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
}
ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(requestor.getCert().getCert());
if (verifierProvider == null) {
LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender());
return new ProtectionVerificationResult(requestor, ProtectionResult.SENDER_NOT_AUTHORIZED);
}
boolean signatureValid = protectedMsg.verify(verifierProvider);
return new ProtectionVerificationResult(requestor, signatureValid ? ProtectionResult.VALID : ProtectionResult.INVALID);
}
use of com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier in project xipki by xipki.
the class P11ProviderTestCmd method getSignatureAlgo.
private String getSignatureAlgo(PublicKey pubKey) throws NoSuchAlgorithmException {
SignatureAlgoControl algoControl = new SignatureAlgoControl(rsaMgf1, dsaPlain, gm);
AlgorithmIdentifier sigAlgId = AlgorithmUtil.getSigAlgId(pubKey, HashAlgo.getNonNullInstance(hashAlgo), algoControl);
return AlgorithmUtil.getSignatureAlgoName(sigAlgId);
}
Aggregations