Search in sources :

Example 16 with Certificate

use of com.github.zhenwei.core.asn1.x509.Certificate in project supply-chain-tools by secure-device-onboard.

the class OnDieCertPath method getIssuingCertificate.

private String getIssuingCertificate(Certificate cert) throws IllegalArgumentException, CertificateEncodingException, IOException {
    X509CertificateHolder certholder = new X509CertificateHolder(cert.getEncoded());
    AuthorityInformationAccess aia = AuthorityInformationAccess.fromExtensions(certholder.getExtensions());
    if (aia == null) {
        throw new IllegalArgumentException("AuthorityInformationAccess Extension missing from device certificate.");
    }
    AccessDescription[] descs = aia.getAccessDescriptions();
    if (descs.length != 1) {
        throw new IllegalArgumentException("Too many descriptions in AIA certificate extension: " + descs.length);
    }
    return descs[0].getAccessLocation().getName().toString();
}
Also used : AuthorityInformationAccess(org.bouncycastle.asn1.x509.AuthorityInformationAccess) AccessDescription(org.bouncycastle.asn1.x509.AccessDescription) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)

Example 17 with Certificate

use of com.github.zhenwei.core.asn1.x509.Certificate in project supply-chain-tools by secure-device-onboard.

the class OnDieSignatureValidator method checkRevocations.

private boolean checkRevocations(List<Certificate> certificateList) {
    // Check revocations first.
    try {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
        for (Certificate cert : certificateList) {
            X509Certificate x509cert = (X509Certificate) cert;
            X509CertificateHolder certHolder = new X509CertificateHolder(x509cert.getEncoded());
            CRLDistPoint cdp = CRLDistPoint.fromExtensions(certHolder.getExtensions());
            if (cdp != null) {
                DistributionPoint[] distPoints = cdp.getDistributionPoints();
                for (DistributionPoint dp : distPoints) {
                    GeneralName[] generalNames = GeneralNames.getInstance(dp.getDistributionPoint().getName()).getNames();
                    for (GeneralName generalName : generalNames) {
                        byte[] crlBytes = onDieCache.getCertOrCrl(generalName.toString());
                        if (crlBytes == null) {
                            LoggerFactory.getLogger(getClass()).error("CRL ({}) not found in cache for cert: {}", generalName.getName().toString(), x509cert.getIssuerX500Principal().getName());
                            return false;
                        } else {
                            CRL crl = certificateFactory.generateCRL(new ByteArrayInputStream(crlBytes));
                            if (crl.isRevoked(cert)) {
                                return false;
                            }
                        }
                    }
                }
            }
        }
    } catch (IOException | CertificateException | CRLException ex) {
        return false;
    }
    return true;
}
Also used : CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) CertificateFactory(java.security.cert.CertificateFactory) X509Certificate(java.security.cert.X509Certificate) ByteArrayInputStream(java.io.ByteArrayInputStream) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) CRL(java.security.cert.CRL) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) CRLException(java.security.cert.CRLException) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 18 with Certificate

use of com.github.zhenwei.core.asn1.x509.Certificate in project ca3sCore by kuehne-trustable-de.

the class CertificateUtil method getCertificatePolicies.

public List<String> getCertificatePolicies(X509Certificate x509Cert) {
    ArrayList<String> certificatePolicyIds = new ArrayList<>();
    byte[] extVal = x509Cert.getExtensionValue(Extension.certificatePolicies.getId());
    if (extVal == null) {
        return certificatePolicyIds;
    }
    try {
        org.bouncycastle.asn1.x509.CertificatePolicies cf = org.bouncycastle.asn1.x509.CertificatePolicies.getInstance(X509ExtensionUtil.fromExtensionValue(extVal));
        PolicyInformation[] information = cf.getPolicyInformation();
        for (PolicyInformation p : information) {
            ASN1ObjectIdentifier aIdentifier = p.getPolicyIdentifier();
            certificatePolicyIds.add(aIdentifier.getId());
        }
    } catch (IOException ex) {
        LOG.error("Failed to get OCSP URL for certificate '" + x509Cert.getSubjectX500Principal().getName() + "'", ex);
    }
    return certificatePolicyIds;
}
Also used : org.bouncycastle.asn1.x509(org.bouncycastle.asn1.x509) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) IOException(java.io.IOException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 19 with Certificate

use of com.github.zhenwei.core.asn1.x509.Certificate in project ca3sCore by kuehne-trustable-de.

the class CaInternalConnector method signCertificateRequest.

public Certificate signCertificateRequest(CSR csr, CAConnectorConfig caConfig) throws GeneralSecurityException {
    try {
        csrUtil.setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_CA_PROCESSING_STARTED_TIMESTAMP, "" + System.currentTimeMillis(), false);
        csr.setStatus(CsrStatus.PROCESSING);
        Certificate intermediate = getIntermediate();
        PrivateKey privKeyIntermediate = certUtil.getPrivateKey(intermediate);
        KeyPair kpIntermediate = new KeyPair(certUtil.convertPemToCertificate(intermediate.getContent()).getPublicKey(), privKeyIntermediate);
        PKCS10CertificationRequest p10 = cryptoUtil.convertPemToPKCS10CertificationRequest(csr.getCsrBase64());
        GeneralNames gns = null;
        org.bouncycastle.asn1.pkcs.Attribute[] certAttributes = p10.getAttributes();
        for (org.bouncycastle.asn1.pkcs.Attribute attribute : certAttributes) {
            if (attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
                Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
                gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
            }
        }
        X509Certificate x509Cert = cryptoUtil.issueCertificate(new X500Name(intermediate.getSubject()), kpIntermediate, p10.getSubject(), p10.getSubjectPublicKeyInfo(), Calendar.YEAR, 1, gns, null, PKILevel.END_ENTITY);
        Certificate cert = certUtil.createCertificate(x509Cert.getEncoded(), csr, "", false);
        cert.setRevocationCA(caConfig);
        certRepository.save(cert);
        csrUtil.setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_CA_PROCESSING_FINISHED_TIMESTAMP, "" + System.currentTimeMillis(), true);
        csr.setStatus(CsrStatus.ISSUED);
        csrRepository.save(csr);
        return cert;
    } catch (IOException e) {
        LOG.info("Problem signing certificate request", e);
        throw new GeneralSecurityException(e);
    }
/*
		RDN[] rdnArr = new RDN[csr.getRdns().size()];

		int i = 0;
		for(de.trustable.ca3s.core.domain.RDN rdn:csr.getRdns()) {
			LOG.debug("RDN contains #{}", rdn.getRdnAttributes().size());
			int attLen = rdn.getRdnAttributes().size();
			AttributeTypeAndValue[] atavArr = new AttributeTypeAndValue[attLen];
			int j = 0;
			for(RDNAttribute rdnAtt: rdn.getRdnAttributes()) {
				AttributeTypeAndValue atav = new AttributeTypeAndValue( rdnAtt.getAttributeType(), new DEROctetString(rdnAtt.getAttributeValue().getBytes()));
			}
			rdnArr[i++] = new RDN(atav);
		}
		X500Name subject = new X500Name(csr.getRdns());
*/
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) KeyPair(java.security.KeyPair) PrivateKey(java.security.PrivateKey) CertificateAttribute(de.trustable.ca3s.core.domain.CertificateAttribute) CsrAttribute(de.trustable.ca3s.core.domain.CsrAttribute) GeneralSecurityException(java.security.GeneralSecurityException) X500Name(org.bouncycastle.asn1.x500.X500Name) IOException(java.io.IOException) Extensions(org.bouncycastle.asn1.x509.Extensions) X509Certificate(java.security.cert.X509Certificate) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) X509Certificate(java.security.cert.X509Certificate) Certificate(de.trustable.ca3s.core.domain.Certificate)

Example 20 with Certificate

use of com.github.zhenwei.core.asn1.x509.Certificate in project modules by assimbly.

the class CertificatesUtil method createAuthorityKeyId.

/**
 * Creates the hash value of the authority public key.
 *
 * @param publicKey of the authority certificate
 *
 * @return AuthorityKeyIdentifier hash
 *
 * @throws OperatorCreationException
 */
private static AuthorityKeyIdentifier createAuthorityKeyId(final PublicKey publicKey) throws OperatorCreationException {
    final SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
    final DigestCalculator digCalc = new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
    return new X509ExtensionUtils(digCalc).createAuthorityKeyIdentifier(publicKeyInfo);
}
Also used : BcDigestCalculatorProvider(org.bouncycastle.operator.bc.BcDigestCalculatorProvider) DigestCalculator(org.bouncycastle.operator.DigestCalculator) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) X509ExtensionUtils(org.bouncycastle.cert.X509ExtensionUtils) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)

Aggregations

IOException (java.io.IOException)242 X509Certificate (java.security.cert.X509Certificate)216 Date (java.util.Date)133 X500Name (org.bouncycastle.asn1.x500.X500Name)133 BigInteger (java.math.BigInteger)120 ContentSigner (org.bouncycastle.operator.ContentSigner)102 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)101 GeneralName (org.bouncycastle.asn1.x509.GeneralName)100 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)96 CertificateException (java.security.cert.CertificateException)95 ArrayList (java.util.ArrayList)90 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)85 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)82 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)78 GeneralSecurityException (java.security.GeneralSecurityException)69 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)62 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)62 Extension (org.bouncycastle.asn1.x509.Extension)61 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)60 AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)59