Search in sources :

Example 16 with CertificateList

use of com.github.zhenwei.core.asn1.x509.CertificateList in project xipki by xipki.

the class ScepResponder method servicePkiOperation0.

private PkiMessage servicePkiOperation0(DecodedPkiMessage req) throws CaException {
    TransactionId tid = req.getTransactionId();
    PkiMessage rep = new PkiMessage(tid, MessageType.CertRep, Nonce.randomNonce());
    rep.setPkiStatus(PkiStatus.SUCCESS);
    rep.setRecipientNonce(req.getSenderNonce());
    if (req.getFailureMessage() != null) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    Boolean bo = req.isSignatureValid();
    if (bo != null && !bo) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badMessageCheck);
    }
    bo = req.isDecryptionSuccessful();
    if (bo != null && !bo) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    Date signingTime = req.getSigningTime();
    if (maxSigningTimeBiasInMs > 0) {
        boolean isTimeBad;
        if (signingTime == null) {
            isTimeBad = true;
        } else {
            long now = System.currentTimeMillis();
            long diff = now - signingTime.getTime();
            if (diff < 0) {
                diff = -1 * diff;
            }
            isTimeBad = diff > maxSigningTimeBiasInMs;
        }
        if (isTimeBad) {
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badTime);
        }
    }
    // check the digest algorithm
    HashAlgo hashAlgo = req.getDigestAlgorithm();
    boolean supported = false;
    if (hashAlgo == HashAlgo.SHA1) {
        if (caCaps.supportsSHA1()) {
            supported = true;
        }
    } else if (hashAlgo == HashAlgo.SHA256) {
        if (caCaps.supportsSHA256()) {
            supported = true;
        }
    } else if (hashAlgo == HashAlgo.SHA512) {
        if (caCaps.supportsSHA512()) {
            supported = true;
        }
    }
    if (!supported) {
        LOG.warn("tid={}: unsupported digest algorithm {}", tid, hashAlgo);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    // end if
    // check the content encryption algorithm
    ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm();
    if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) {
        if (!caCaps.supportsDES3()) {
            LOG.warn("tid={}: encryption with DES3 algorithm {} is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else if (CMSAlgorithm.AES128_CBC.equals(encOid)) {
        if (!caCaps.supportsAES()) {
            LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else {
        LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    if (rep.getPkiStatus() == PkiStatus.FAILURE) {
        return rep;
    }
    MessageType messageType = req.getMessageType();
    switch(messageType) {
        case PKCSReq:
            boolean selfSigned = req.getSignatureCert().isSelfSigned();
            CertificationRequest csr = CertificationRequest.getInstance(req.getMessageData());
            if (selfSigned) {
                X500Name name = req.getSignatureCert().getSubject();
                if (!name.equals(csr.getCertificationRequestInfo().getSubject())) {
                    LOG.warn("tid={}: self-signed cert.subject != CSR.subject", tid);
                    return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
                }
            }
            String challengePwd = getChallengePassword(csr.getCertificationRequestInfo());
            if (!control.getSecret().equals(challengePwd)) {
                LOG.warn("challengePassword is not trusted");
                return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            }
            X509Cert cert;
            try {
                cert = caEmulator.generateCert(csr);
            } catch (Exception ex) {
                throw new CaException("system failure: " + ex.getMessage(), ex);
            }
            if (cert != null && control.isPendingCert()) {
                rep.setPkiStatus(PkiStatus.PENDING);
            } else if (cert != null) {
                ContentInfo messageData = createSignedData(cert);
                rep.setMessageData(messageData);
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        case CertPoll:
            IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData());
            cert = caEmulator.pollCert(is.getIssuer(), is.getSubject());
            if (cert != null) {
                rep.setMessageData(createSignedData(cert));
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        case GetCert:
            IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
            cert = caEmulator.getCert(isn.getName(), isn.getSerialNumber().getValue());
            if (cert != null) {
                rep.setMessageData(createSignedData(cert));
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        case RenewalReq:
            if (!caCaps.supportsRenewal()) {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            } else {
                csr = CertificationRequest.getInstance(req.getMessageData());
                try {
                    cert = caEmulator.generateCert(csr);
                } catch (Exception ex) {
                    throw new CaException("system failure: " + ex.getMessage(), ex);
                }
                if (cert != null) {
                    rep.setMessageData(createSignedData(cert));
                } else {
                    rep.setPkiStatus(PkiStatus.FAILURE);
                    rep.setFailInfo(FailInfo.badCertId);
                }
            }
            break;
        case GetCRL:
            isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
            CertificateList crl;
            try {
                crl = caEmulator.getCrl(isn.getName(), isn.getSerialNumber().getValue());
            } catch (Exception ex) {
                throw new CaException("system failure: " + ex.getMessage(), ex);
            }
            if (crl != null) {
                rep.setMessageData(createSignedData(crl));
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        default:
            buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    return rep;
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) HashAlgo(org.xipki.security.HashAlgo) CertificateList(org.bouncycastle.asn1.x509.CertificateList) X500Name(org.bouncycastle.asn1.x500.X500Name) ASN1String(org.bouncycastle.asn1.ASN1String) Date(java.util.Date) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) X509Cert(org.xipki.security.X509Cert) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)

Example 17 with CertificateList

use of com.github.zhenwei.core.asn1.x509.CertificateList in project xipki by xipki.

the class ScepUtil method getCrlFromPkiMessage.

// method getCertsFromSignedData
public static X509CRLHolder getCrlFromPkiMessage(SignedData signedData) throws CRLException {
    Args.notNull(signedData, "signedData");
    ASN1Set set = signedData.getCRLs();
    if (set == null || set.size() == 0) {
        return null;
    }
    try {
        CertificateList cl = CertificateList.getInstance(set.getObjectAt(0));
        return new X509CRLHolder(cl);
    } catch (IllegalArgumentException ex) {
        throw new CRLException(ex);
    }
}
Also used : CertificateList(org.bouncycastle.asn1.x509.CertificateList) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) CRLException(java.security.cert.CRLException)

Example 18 with CertificateList

use of com.github.zhenwei.core.asn1.x509.CertificateList in project LinLong-Java by zhenwei1108.

the class X509CRLHolder method init.

private void init(CertificateList x509CRL) {
    this.x509CRL = x509CRL;
    this.extensions = x509CRL.getTBSCertList().getExtensions();
    this.isIndirect = isIndirectCRL(extensions);
    this.issuerName = new GeneralNames(new GeneralName(x509CRL.getIssuer()));
}
Also used : GeneralNames(com.github.zhenwei.core.asn1.x509.GeneralNames) GeneralName(com.github.zhenwei.core.asn1.x509.GeneralName)

Example 19 with CertificateList

use of com.github.zhenwei.core.asn1.x509.CertificateList in project LinLong-Java by zhenwei1108.

the class RevRepContent method toASN1Primitive.

/**
 * <pre>
 * RevRepContent ::= SEQUENCE {
 *        status       SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
 *        -- in same order as was sent in RevReqContent
 *        revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL,
 *        -- IDs for which revocation was requested
 *        -- (same order as status)
 *        crls     [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
 *        -- the resulting CRLs (there may be more than one)
 *   }
 * </pre>
 *
 * @return a basic ASN.1 object representation.
 */
public ASN1Primitive toASN1Primitive() {
    ASN1EncodableVector v = new ASN1EncodableVector(3);
    v.add(status);
    addOptional(v, 0, revCerts);
    addOptional(v, 1, crls);
    return new DERSequence(v);
}
Also used : DERSequence(com.github.zhenwei.core.asn1.DERSequence) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector)

Example 20 with CertificateList

use of com.github.zhenwei.core.asn1.x509.CertificateList in project XobotOS by xamarin.

the class CertPathValidatorUtilities method getCertStatus.

protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, CertStatus certStatus) throws AnnotatedException {
    // use BC X509CRLObject so that indirect CRLs are supported
    X509CRLObject bcCRL = null;
    try {
        bcCRL = new X509CRLObject(new CertificateList((ASN1Sequence) ASN1Sequence.fromByteArray(crl.getEncoded())));
    } catch (Exception exception) {
        throw new AnnotatedException("Bouncy Castle X509CRLObject could not be created.", exception);
    }
    // use BC X509CRLEntryObject, so that getCertificateIssuer() is
    // supported.
    X509CRLEntryObject crl_entry = (X509CRLEntryObject) bcCRL.getRevokedCertificate(getSerialNumber(cert));
    if (crl_entry != null && (getEncodedIssuerPrincipal(cert).equals(crl_entry.getCertificateIssuer()) || getEncodedIssuerPrincipal(cert).equals(getIssuerPrincipal(crl)))) {
        DEREnumerated reasonCode = null;
        if (crl_entry.hasExtensions()) {
            try {
                reasonCode = DEREnumerated.getInstance(CertPathValidatorUtilities.getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId()));
            } catch (Exception e) {
                new AnnotatedException("Reason code CRL entry extension could not be decoded.", e);
            }
        }
        // unspecified
        if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime()) || reasonCode == null || reasonCode.getValue().intValue() == 0 || reasonCode.getValue().intValue() == 1 || reasonCode.getValue().intValue() == 2 || reasonCode.getValue().intValue() == 8) {
            // (i) or (j) (1)
            if (reasonCode != null) {
                certStatus.setCertStatus(reasonCode.getValue().intValue());
            } else // (i) or (j) (2)
            {
                certStatus.setCertStatus(CRLReason.unspecified);
            }
            certStatus.setRevocationDate(crl_entry.getRevocationDate());
        }
    }
}
Also used : DEREnumerated(org.bouncycastle.asn1.DEREnumerated) CertificateList(org.bouncycastle.asn1.x509.CertificateList) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ParseException(java.text.ParseException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertStoreException(java.security.cert.CertStoreException) CertificateParsingException(java.security.cert.CertificateParsingException) StoreException(org.bouncycastle.util.StoreException) IOException(java.io.IOException)

Aggregations

IOException (java.io.IOException)13 CertificateList (org.bouncycastle.asn1.x509.CertificateList)13 CRLException (java.security.cert.CRLException)10 Test (org.junit.jupiter.api.Test)8 CRL (java.security.cert.CRL)5 X509CRL (java.security.cert.X509CRL)5 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)5 X509CRLHolder (org.bouncycastle.cert.X509CRLHolder)5 OperationException (org.xipki.ca.api.OperationException)5 DefaultCertManagerClient (io.fabric8.certmanager.client.DefaultCertManagerClient)4 NamespacedCertManagerClient (io.fabric8.certmanager.client.NamespacedCertManagerClient)4 GeneralName (org.bouncycastle.asn1.x509.GeneralName)4 CertificateList (io.fabric8.certmanager.api.model.v1.CertificateList)3 CertificateList (io.fabric8.certmanager.api.model.v1alpha2.CertificateList)3 CertificateList (io.fabric8.certmanager.api.model.v1alpha3.CertificateList)3 ByteArrayInputStream (java.io.ByteArrayInputStream)3 BigInteger (java.math.BigInteger)3 CertificateException (java.security.cert.CertificateException)3 X509Certificate (java.security.cert.X509Certificate)3 CertificateList (com.beanit.asn1bean.compiler.pkix1explicit88.CertificateList)2