
Example 56 with AuthorityKeyIdentifier

Use of AuthorityKeyIdentifier in project fabric-sdk-java by hyperledger. Note that the imports listed below show the class is org.bouncycastle.asn1.x509.AuthorityKeyIdentifier, not the com.github.zhenwei.core repackaging named in the search heading.

Class HFCAClientIT, method testGetCertificates (an integration test; it needs a running Fabric CA).

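/**
 * Integration test for {@code HFCAClient#getHFCACertificates}.
 *
 * <p>Registers and enrolls two identities under affiliation {@code org2.department1}
 * ("admin2", which is also used as a caller, and "testUser"), then lists certificates
 * through every filter exposed by {@link HFCACertificateRequest}: enrollment id, serial
 * number, authority key identifier (AKI), expiry window, revocation window and the
 * revoked/expired flags, asserting the number of certificates returned each time.
 *
 * <p>Security-relevant behaviour pinned by this test:
 * <ul>
 *   <li>Listing is affiliation-scoped: with no filters set, "admin2" only sees the two
 *       certificates that fall under its own affiliation.</li>
 *   <li>Once "testUser" is revoked, the {@code revoked=false} / {@code revoked=true}
 *       filters return 1 and 2 certificates respectively, i.e. revoked certificates are
 *       excluded only when explicitly requested.</li>
 * </ul>
 *
 * <p>Fixture dates are parsed with a non-lenient {@link SimpleDateFormat}: a malformed
 * date string fails the test instead of being silently rolled over to a different year
 * (a lenient parse of the previous fixture "2014-30-31" yielded a date in 2016, not the
 * "really old date" the comment promised; the assertion only passed by accident).
 *
 * @throws Exception on any registration, enrollment or listing failure
 */
@Test
public void testGetCertificates() throws Exception {
    // The certificate listing endpoint is not available when running against Fabric 1.0.
    if (testConfig.isRunningAgainstFabric10()) {
        return;
    }
    HFCACertificateRequest certReq = client.newHFCACertificateRequest();
    // "admin" (class fixture) acts as registrar; "admin2" is the affiliation-scoped caller.
    SampleUser admin2 = sampleStore.getMember("admin2", "org2.department1");
    RegistrationRequest rr = new RegistrationRequest(admin2.getName(), "org2.department1");
    String password = "password"; // test-only enrollment secret
    rr.setSecret(password);
    rr.addAttribute(new Attribute("hf.Registrar.Roles", "client,peer,user"));
    client.register(rr, admin);
    admin2.setEnrollment(client.enroll(admin2.getName(), password));
    rr = new RegistrationRequest("testUser", "org2.department1");
    rr.setSecret(password);
    client.register(rr, admin);
    Enrollment enroll = client.enroll("testUser", password);
    // With no filters set, the caller gets every certificate it is allowed to see. For
    // "admin2" that is exactly two: its own certificate and "testUser"'s, the only two
    // identities under the caller's affiliation "org2.department1".
    HFCACertificateResponse resp = client.getHFCACertificates(admin2, certReq);
    assertEquals(2, resp.getCerts().size());
    // NOTE(review): resultContains appears to match on enrollment id, presumably as a
    // substring, since "admin" is expected to match "admin2" here — confirm against the helper.
    assertTrue(resultContains(resp.getCerts(), new String[] { "admin", "testUser" }));
    // Filter by a specific enrollment id.
    certReq.setEnrollmentID("admin2");
    resp = client.getHFCACertificates(admin, certReq);
    assertEquals(1, resp.getCerts().size());
    assertTrue(resultContains(resp.getCerts(), new String[] { "admin" }));
    // Filter by serial number (hex-encoded).
    certReq = client.newHFCACertificateRequest();
    X509Certificate cert = getCert(enroll.getCert().getBytes());
    String serial = cert.getSerialNumber().toString(16);
    certReq.setSerial(serial);
    resp = client.getHFCACertificates(admin, certReq);
    assertEquals(1, resp.getCerts().size());
    assertTrue(resultContains(resp.getCerts(), new String[] { "testUser" }));
    // Filter by AKI: unwrap the extension (an OCTET STRING wrapping the DER-encoded
    // AuthorityKeyIdentifier), take its keyIdentifier field and hex-encode it. Both
    // certificates evidently carry the same AKI (same issuing key), so both match.
    certReq = client.newHFCACertificateRequest();
    String oid = Extension.authorityKeyIdentifier.getId();
    byte[] extensionValue = cert.getExtensionValue(oid);
    ASN1OctetString aki0c = ASN1OctetString.getInstance(extensionValue);
    AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(aki0c.getOctets());
    String aki2 = DatatypeConverter.printHexBinary(aki.getKeyIdentifier());
    certReq.setAki(aki2);
    resp = client.getHFCACertificates(admin2, certReq);
    assertEquals(2, resp.getCerts().size());
    // Strict parsing so a typo in a fixture date fails loudly instead of rolling over.
    SimpleDateFormat formatter = new SimpleDateFormat("yyyy-MM-dd");
    formatter.setLenient(false);
    // Certificates that expired before a really old date: none, all were just issued.
    certReq = client.newHFCACertificateRequest();
    certReq.setExpiredEnd(formatter.parse("2014-03-31"));
    resp = client.getHFCACertificates(admin, certReq);
    assertEquals(0, resp.getCerts().size());
    // Certificates expiring before a date 20 years out: everything the caller may see.
    certReq = client.newHFCACertificateRequest();
    Calendar cal = Calendar.getInstance();
    Date date = new Date();
    cal.setTime(date);
    cal.add(Calendar.YEAR, 20);
    date = cal.getTime();
    certReq.setExpiredEnd(date);
    resp = client.getHFCACertificates(admin2, certReq);
    assertEquals(2, resp.getCerts().size());
    assertTrue(resultContains(resp.getCerts(), new String[] { "admin2", "testUser" }));
    // Certificates expiring after a really old date: all of them, their expiry is in the future.
    certReq = client.newHFCACertificateRequest();
    certReq.setExpiredStart(formatter.parse("2014-03-31"));
    resp = client.getHFCACertificates(admin2, certReq);
    assertEquals(2, resp.getCerts().size());
    // Certificates expiring after the far-future date: none.
    certReq = client.newHFCACertificateRequest();
    certReq.setExpiredStart(date);
    resp = client.getHFCACertificates(admin, certReq);
    assertEquals(0, resp.getCerts().size());
    // Revoke "testUser" (third argument is the revocation reason) and exercise the revocation filters.
    client.revoke(admin, "testUser", "baduser");
    // Revoked after a really old date: exactly the one certificate just revoked.
    certReq = client.newHFCACertificateRequest();
    certReq.setRevokedStart(formatter.parse("2014-03-31"));
    resp = client.getHFCACertificates(admin2, certReq);
    assertEquals(1, resp.getCerts().size());
    // Revoked before that old date: none.
    certReq = client.newHFCACertificateRequest();
    certReq.setRevokedEnd(formatter.parse("2014-03-31"));
    resp = client.getHFCACertificates(admin2, certReq);
    assertEquals(0, resp.getCerts().size());
    // revoked=false excludes the revoked "testUser", leaving only the caller's own certificate.
    certReq = client.newHFCACertificateRequest();
    certReq.setRevoked(false);
    resp = client.getHFCACertificates(admin2, certReq);
    assertEquals(1, resp.getCerts().size());
    assertTrue(resultContains(resp.getCerts(), new String[] { "admin2" }));
    assertFalse(resultContains(resp.getCerts(), new String[] { "testUser" }));
    // revoked=true includes revoked certificates, so both are returned.
    certReq = client.newHFCACertificateRequest();
    certReq.setRevoked(true);
    resp = client.getHFCACertificates(admin2, certReq);
    assertTrue(resultContains(resp.getCerts(), new String[] { "admin2", "testUser" }));
    assertEquals(2, resp.getCerts().size());
    // expired=false: neither certificate has expired, so both are still returned.
    certReq = client.newHFCACertificateRequest();
    certReq.setExpired(false);
    resp = client.getHFCACertificates(admin2, certReq);
    assertEquals(2, resp.getCerts().size());
}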
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) Attribute(org.hyperledger.fabric_ca.sdk.Attribute) Calendar(java.util.Calendar) HFCACertificateResponse(org.hyperledger.fabric_ca.sdk.HFCACertificateResponse) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) RegistrationRequest(org.hyperledger.fabric_ca.sdk.RegistrationRequest) X509Certificate(java.security.cert.X509Certificate) HFCAX509Certificate(org.hyperledger.fabric_ca.sdk.HFCAX509Certificate) Date(java.util.Date) SampleUser(org.hyperledger.fabric.sdkintegration.SampleUser) IdemixEnrollment(org.hyperledger.fabric.sdk.identity.IdemixEnrollment) Enrollment(org.hyperledger.fabric.sdk.Enrollment) HFCACertificateRequest(org.hyperledger.fabric_ca.sdk.HFCACertificateRequest) SimpleDateFormat(java.text.SimpleDateFormat) Test(org.junit.Test)

Example 57 with AuthorityKeyIdentifier

Use of AuthorityKeyIdentifier in project camel-quarkus by apache. The return type here is the org.bouncycastle.asn1.x509 class (BcX509ExtensionUtils is BouncyCastle's), not the com.github.zhenwei.core repackaging named in the search heading.

Class As2Receiver, method createAuthorityKeyId.

/**
 * Builds an AuthorityKeyIdentifier extension value from an issuer's public key.
 *
 * <p>Uses BouncyCastle's single-argument {@code createAuthorityKeyIdentifier(SubjectPublicKeyInfo)},
 * which derives only the keyIdentifier field from the encoded key; no authority name or
 * serial number is embedded, so certificates referencing this AKI are matched by key alone.
 *
 * @param pub the public key of the issuing (authority) certificate
 * @return the AKI extension value
 * @throws IOException if the encoded key cannot be parsed as a SubjectPublicKeyInfo
 */
public static AuthorityKeyIdentifier createAuthorityKeyId(PublicKey pub) throws IOException {
    final byte[] encodedKey = pub.getEncoded();
    final SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(encodedKey);
    return new BcX509ExtensionUtils().createAuthorityKeyIdentifier(keyInfo);
}
Also used : BcX509ExtensionUtils(org.bouncycastle.cert.bc.BcX509ExtensionUtils) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)

Example 58 with AuthorityKeyIdentifier

Use of AuthorityKeyIdentifier in project jruby-openssl by jruby. The imports listed below show the org.bouncycastle.asn1.x509 class, not the com.github.zhenwei.core repackaging named in the search heading.

Class X509AuxCertificate, method computeExFlags.

// NOTE: not all EXFLAGS are implemented!
/**
 * Computes OpenSSL-style extension flags (X509Utils.EXFLAG_*) for this certificate, covering a
 * subset of what OpenSSL derives when caching extensions: V1, basic constraints present / is CA,
 * self-issued (subject equals issuer), self-signed (AKID key id equals own SKID key id),
 * key usage present, and proxy certificate info present.
 *
 * <p>None of this verifies a signature: EXFLAG_SS is purely a structural check on the
 * key identifiers (and on algorithm names, see the note inline).
 *
 * @return bitwise OR of the applicable EXFLAG_* values
 * @throws IOException if an extension value cannot be decoded
 */
private int computeExFlags() throws IOException {
    int flags = 0;
    /* V1 should mean no extensions ... */
    if (getVersion() == 1) {
        flags |= X509Utils.EXFLAG_V1;
    }
    if (getExtensionValue("2.5.29.19") != null) {
        // BASIC_CONSTRAINTS
        // getBasicConstraints() returns -1 unless the certificate is a CA.
        if (getBasicConstraints() != -1) {
            // is CA
            flags |= X509Utils.EXFLAG_CA;
        }
        flags |= X509Utils.EXFLAG_BCONS;
    }
    if (getSubjectX500Principal().equals(getIssuerX500Principal())) {
        // Self-issued: names match. Self-signed (EXFLAG_SS) additionally requires the
        // AKID key id to match our own SKID key id below.
        flags |= X509Utils.EXFLAG_SI;
        // TODO duplicate code from X509Utils.checkIfIssuedBy
        if (getExtensionValue("2.5.29.35") != null) {
            // authorityKeyID
            // Tolerate both the usual OCTET STRING wrapping and an already-unwrapped SEQUENCE.
            Object key = X509Utils.get(getExtensionValue("2.5.29.35"));
            if (!(key instanceof ASN1Sequence))
                key = X509Utils.get((DEROctetString) key);
            final ASN1Sequence seq = (ASN1Sequence) key;
            final AuthorityKeyIdentifier akid;
            // A one-element sequence holding a bare OCTET STRING is re-wrapped as the
            // [0] keyIdentifier, presumably to accept an encoding that omitted the tag.
            if (seq.size() == 1 && (seq.getObjectAt(0) instanceof ASN1OctetString)) {
                akid = AuthorityKeyIdentifier.getInstance(new DLSequence(new DERTaggedObject(0, seq.getObjectAt(0))));
            } else {
                akid = AuthorityKeyIdentifier.getInstance(seq);
            }
            if (akid.getKeyIdentifier() != null) {
                // subjectKeyIdentifier
                if (getExtensionValue("2.5.29.14") != null) {
                    DEROctetString der = (DEROctetString) X509Utils.get(getExtensionValue("2.5.29.14"));
                    SubjectKeyIdentifier skid = SubjectKeyIdentifier.getInstance(X509Utils.get(der.getOctets()));
                    if (skid.getKeyIdentifier() != null) {
                        if (Arrays.equals(akid.getKeyIdentifier(), skid.getKeyIdentifier())) {
                            /* .. and the signature alg matches the PUBKEY alg: */
                            // NOTE(review): getSigAlgName() is a signature algorithm name
                            // (e.g. "SHA256withRSA") while getPublicKey().getAlgorithm() is a
                            // key algorithm name (e.g. "RSA"); with standard JCA naming these
                            // are never equal, so EXFLAG_SS would never be set via this path.
                            // Confirm what names the provider in use returns, and whether the
                            // intent (as in OpenSSL) is to compare the signature's key type
                            // with the public key type rather than the full algorithm name.
                            if (getSigAlgName().equals(getPublicKey().getAlgorithm())) {
                                flags |= X509Utils.EXFLAG_SS;
                            /* indicate self-signed */
                            }
                        }
                    }
                }
            }
        }
    }
    if (getKeyUsage() != null) {
        flags |= X509Utils.EXFLAG_XKUSAGE;
    }
    // proxyCertInfo (RFC 3820)
    if (getExtensionValue("1.3.6.1.5.5.7.1.14") != null) {
        flags |= X509Utils.EXFLAG_PROXY;
    }
    return flags;
}
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) DLSequence(org.bouncycastle.asn1.DLSequence) DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Example 59 with AuthorityKeyIdentifier

Use of com.github.zhenwei.core.asn1.x509.AuthorityKeyIdentifier in project LinLong-Java by zhenwei1108. Judging by the class and method names, com.github.zhenwei.core appears to be a repackaged BouncyCastle, so this is the same PKCS12KeyStoreSpi chain-building logic under a different package.

Class PKCS12KeyStoreSpi, method engineGetCertificateChain.

/**
 * Reconstructs the certificate chain for a key entry, walking from the entry's own
 * certificate towards the root using the certificates loaded into {@code chainCerts}.
 *
 * <p>For each certificate the issuer is located in two ways: first by the key id carried
 * in its AuthorityKeyIdentifier extension (looked up as a {@code CertId} in chainCerts),
 * and only if that yields nothing by issuer DN, in which case the candidate must also
 * successfully verify this certificate's signature. Note the asymmetry: a certificate
 * found via the AKI key id is accepted without any signature check, so a chainCerts entry
 * whose subject key id collides with the AKI is chained as-is. That is acceptable only as
 * long as the keystore contents are trusted. Walking stops at a self-signed certificate
 * (the lookup returns the certificate itself) or when a certificate repeats (a loop).
 *
 * @param alias the key-entry alias; must not be null
 * @return the chain starting with the entry's own certificate, or null if the alias is
 *         not a key entry or has no certificate
 * @throws IllegalArgumentException if alias is null
 */
public Certificate[] engineGetCertificateChain(String alias) {
    if (alias == null) {
        throw new IllegalArgumentException("null alias passed to getCertificateChain.");
    }
    if (!engineIsKeyEntry(alias)) {
        return null;
    }
    Certificate current = engineGetCertificate(alias);
    if (current == null) {
        return null;
    }
    Vector chain = new Vector();
    while (current != null) {
        X509Certificate x509 = (X509Certificate) current;
        Certificate issuerCert = lookupIssuerByAuthorityKeyId(x509);
        if (issuerCert == null) {
            issuerCert = lookupIssuerByName(x509);
        }
        if (chain.contains(current)) {
            // Certificate chain loop: stop here.
            break;
        }
        chain.addElement(current);
        // A self-signed certificate resolves to itself and ends the chain.
        current = (issuerCert != current) ? issuerCert : null;
    }
    Certificate[] result = new Certificate[chain.size()];
    chain.copyInto(result);
    return result;
}

/**
 * Issuer lookup via the AKI keyIdentifier in chainCerts; null if the extension or key id is
 * absent or nothing is stored under it. No signature check is performed on this path.
 */
private Certificate lookupIssuerByAuthorityKeyId(X509Certificate x509) {
    byte[] akiBytes = x509.getExtensionValue(Extension.authorityKeyIdentifier.getId());
    if (akiBytes == null) {
        return null;
    }
    ASN1OctetString akiValue = ASN1OctetString.getInstance(akiBytes);
    AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(akiValue.getOctets());
    byte[] keyID = aki.getKeyIdentifier();
    if (keyID == null) {
        return null;
    }
    return (Certificate) chainCerts.get(new CertId(keyID));
}

/**
 * Issuer lookup by DN among chainCerts; a candidate is accepted only if its public key
 * verifies x509's signature. Returns null for a self-issued certificate or no match.
 */
private Certificate lookupIssuerByName(X509Certificate x509) {
    Principal issuer = x509.getIssuerDN();
    if (issuer.equals(x509.getSubjectDN())) {
        return null;
    }
    Enumeration keys = chainCerts.keys();
    while (keys.hasMoreElements()) {
        X509Certificate candidate = (X509Certificate) chainCerts.get(keys.nextElement());
        if (candidate.getSubjectDN().equals(issuer)) {
            try {
                x509.verify(candidate.getPublicKey());
                return candidate;
            } catch (Exception ignored) {
                // same name but not the signer (or unsupported key); keep looking
            }
        }
    }
    return null;
}
Also used : ASN1OctetString(com.github.zhenwei.core.asn1.ASN1OctetString) Enumeration(java.util.Enumeration) AuthorityKeyIdentifier(com.github.zhenwei.core.asn1.x509.AuthorityKeyIdentifier) X509Certificate(java.security.cert.X509Certificate) KeyStoreException(java.security.KeyStoreException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) CertificateEncodingException(java.security.cert.CertificateEncodingException) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) IOException(java.io.IOException) EOFException(java.io.EOFException) NoSuchPaddingException(javax.crypto.NoSuchPaddingException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) CertificateException(java.security.cert.CertificateException) NoSuchProviderException(java.security.NoSuchProviderException) Vector(java.util.Vector) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector) Principal(java.security.Principal) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 60 with AuthorityKeyIdentifier

Use of AuthorityKeyIdentifier in project eblocker by eblocker. The imports listed below show the org.bouncycastle.asn1.x509 class, not the com.github.zhenwei.core repackaging named in the search heading.

Class IntermediateProvidingValidator, method addIntermediateCertifcates (sic).

/**
 * Completes a presented certificate chain with intermediates from the local store.
 *
 * <p>Every presented certificate is kept, in order. For each certificate whose issuer name
 * is not yet known among the collected certificates, candidates are fetched from
 * {@code intermediateCertificatesStore} by issuer name plus, when the certificate carries
 * an AuthorityKeyIdentifier, the authority serial number and key id it names. Fetched
 * intermediates are queued ahead of the remaining presented certificates, so each
 * certificate is followed in the result by the issuers found for it.
 *
 * <p>This method only collects candidates: no signature, validity period or name
 * constraint is checked here, so chain validation must happen on the returned array.
 * The loop is bounded because an issuer name is looked up only while it is absent from
 * {@code certificatesBySubject}, and fetched certificates are registered there first
 * (addEntry presumably keys by subject — confirm; a store returning certificates whose
 * subject differs from the requested issuer would defeat that bound).
 *
 * @param certificates the chain as presented, entry certificate first
 * @return the presented certificates plus any intermediates found; never null
 */
private X509Certificate[] addIntermediateCertifcates(X509Certificate[] certificates) {
    Deque<X509Certificate> pending = new ArrayDeque<>();
    Map<X500Principal, X509Certificate> knownBySubject = new HashMap<>();
    for (X509Certificate presented : certificates) {
        pending.addLast(presented);
        addEntry(knownBySubject, presented);
    }
    List<X509Certificate> completed = new ArrayList<>();
    while (!pending.isEmpty()) {
        X509Certificate current = pending.removeFirst();
        completed.add(current);
        X500Principal issuerName = current.getIssuerX500Principal();
        // Optional hints from the AKI extension narrow the store lookup.
        AuthorityKeyIdentifier aki = PKI.getAuthorityKeyIdentifier(current);
        BigInteger authoritySerial = null;
        byte[] authorityKeyId = null;
        if (aki != null) {
            authoritySerial = aki.getAuthorityCertSerialNumber();
            authorityKeyId = aki.getKeyIdentifier();
        }
        if (knownBySubject.containsKey(issuerName)) {
            continue;
        }
        List<X509Certificate> found = intermediateCertificatesStore.get(issuerName, authoritySerial, authorityKeyId);
        for (X509Certificate intermediate : found) {
            // Process fetched issuers before the remaining presented certificates.
            pending.addFirst(intermediate);
            addEntry(knownBySubject, intermediate);
        }
    }
    X509Certificate[] result = completed.toArray(new X509Certificate[0]);
    if (log.isDebugEnabled()) {
        logChain("original", certificates);
        logChain("complete", result);
    }
    return result;
}
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) X500Principal(javax.security.auth.x500.X500Principal) BigInteger(java.math.BigInteger) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) X509Certificate(java.security.cert.X509Certificate) ArrayDeque(java.util.ArrayDeque)
