use of com.github.zhenwei.core.asn1.x509.Extensions in project attestation by TokenScript.
the class Attestor method constructAttestations.
/**
* Constructs a list of X509 attestations to each of the relevant DatasourceName lists of elements
* in the response json.
*
* @param request Json request in a Sring - verification request that was sent to Trulioo Global Gateway†
* @param verifyRecord Json object of the Record in verifyResponse, from Trulioo Global Gateway‡
* @param signature DER encoded signature of exactly the json request string encoded as UTF-8 using a Secp256k1 key with Keccak
* @param userPK user's public key (SubjectPublicKeyInfo object)
* @return List of DER encoded x509 attestations
*
* † An example can be found https://developer.trulioo.com/docs/identity-verification-step-6-verify
* ‡ Observe the "Record" in https://developer.trulioo.com/docs/identity-verification-verify-response
*/
public List<X509CertificateHolder> constructAttestations(String request, JSONObject verifyRecord, byte[] signature, AsymmetricKeyParameter userPK) {
if (!SignatureUtil.verifySha256(request.getBytes(StandardCharsets.UTF_8), signature, userPK)) {
throw ExceptionUtil.throwException(logger, new IllegalArgumentException("Request signature verification failed. " + "Make sure that your message is unaltered, signature is created by hashing the message with SHA256" + "and using a key of secp256k1 type."));
}
List<X509CertificateHolder> res = new ArrayList<>();
Parser parser = new Parser(new JSONObject(request), verifyRecord);
Map<String, X500Name> subjectNames = parser.getX500Names();
Map<String, Extensions> subjectExtensions = parser.getExtensions();
for (String currentAttName : subjectNames.keySet()) {
try {
long time = System.currentTimeMillis();
V3TBSCertificateGenerator certBuilder = new V3TBSCertificateGenerator();
certBuilder.setSignature(serverSigningAlgo);
certBuilder.setIssuer(serverInfo);
certBuilder.setSerialNumber(new ASN1Integer(time));
certBuilder.setStartDate(new Time(new Date(time)));
certBuilder.setEndDate(new Time(new Date(time + lifeTime)));
SubjectPublicKeyInfo spki = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(userPK);
// // todo hack to create a valid spki without ECNamedParameters
// spki = new SubjectPublicKeyInfo(new AlgorithmIdentifier(new ASN1ObjectIdentifier(OID_ECDSA)),
// spki.getPublicKeyData());
certBuilder.setSubjectPublicKeyInfo(spki);
certBuilder.setSubject(subjectNames.get(currentAttName));
certBuilder.setExtensions(subjectExtensions.get(currentAttName));
TBSCertificate tbsCert = certBuilder.generateTBSCertificate();
res.add(new X509CertificateHolder(constructSignedAttestation(tbsCert)));
// To ensure that we get a new serial number for every cert
Thread.sleep(1);
} catch (IOException e) {
throw ExceptionUtil.makeRuntimeException(logger, "Could not parse server key", e);
} catch (InterruptedException e) {
throw ExceptionUtil.makeRuntimeException(logger, "Could not sleep", e);
}
}
return res;
}
use of com.github.zhenwei.core.asn1.x509.Extensions in project attestation by TokenScript.
the class Parser method getExtensions.
public Map<String, Extensions> getExtensions() {
Map<String, Extensions> res = new HashMap<>();
for (String currentDatasourceName : matching.keySet()) {
List<Extension> extensionList = new ArrayList<>();
Map<String, String> currentMap = matching.get(currentDatasourceName);
currentMap.putAll(global);
for (String oid : currentMap.keySet()) {
if (!X500_OIDS.contains(oid)) {
Extension extension = new Extension(new ASN1ObjectIdentifier(oid), true, new DEROctetString(currentMap.get(oid).getBytes(StandardCharsets.UTF_8)));
extensionList.add(extension);
}
}
res.put(currentDatasourceName, new Extensions(extensionList.toArray(new Extension[0])));
}
return res;
}
use of com.github.zhenwei.core.asn1.x509.Extensions in project Falcon-File-Transfer-Optimizer by arif-zaman.
the class X509ProxyCertPathValidator method checkProxyConstraints.
@SuppressWarnings("unused")
protected void checkProxyConstraints(TBSCertificateStructure proxy, TBSCertificateStructure issuer, X509Certificate checkedProxy) throws CertPathValidatorException, IOException {
X509Extensions extensions;
ASN1ObjectIdentifier oid;
X509Extension proxyExtension;
X509Extension proxyKeyUsage = null;
extensions = proxy.getExtensions();
if (extensions != null) {
Enumeration e = extensions.oids();
while (e.hasMoreElements()) {
oid = (ASN1ObjectIdentifier) e.nextElement();
proxyExtension = extensions.getExtension(oid);
if (oid.equals(X509Extension.subjectAlternativeName) || oid.equals(X509Extension.issuerAlternativeName)) {
// No Alt name extensions - 3.2 & 3.5
throw new CertPathValidatorException("Proxy violation: no Subject or Issuer Alternative Name");
} else if (oid.equals(X509Extension.basicConstraints)) {
// Basic Constraint must not be true - 3.8
BasicConstraints basicExt = CertificateUtil.getBasicConstraints(proxyExtension);
if (basicExt.isCA()) {
throw new CertPathValidatorException("Proxy violation: Basic Constraint CA is set to true");
}
} else if (oid.equals(X509Extension.keyUsage)) {
proxyKeyUsage = proxyExtension;
}
}
}
extensions = issuer.getExtensions();
if (extensions != null) {
Enumeration e = extensions.oids();
while (e.hasMoreElements()) {
oid = (ASN1ObjectIdentifier) e.nextElement();
proxyExtension = extensions.getExtension(oid);
checkExtension(oid, proxyExtension, proxyKeyUsage);
}
}
}
use of com.github.zhenwei.core.asn1.x509.Extensions in project Falcon-File-Transfer-Optimizer by arif-zaman.
the class ProxyCertificateUtil method getProxyCertInfo.
public static ProxyCertInfo getProxyCertInfo(TBSCertificateStructure crt) throws IOException {
X509Extensions extensions = crt.getExtensions();
if (extensions == null) {
return null;
}
X509Extension ext = extensions.getExtension(ProxyCertInfo.OID);
if (ext == null) {
ext = extensions.getExtension(ProxyCertInfo.OLD_OID);
}
return (ext != null) ? getProxyCertInfo(ext) : null;
}
use of com.github.zhenwei.core.asn1.x509.Extensions in project Falcon-File-Transfer-Optimizer by arif-zaman.
the class BouncyCastleUtil method getProxyCertInfo.
public static ProxyCertInfo getProxyCertInfo(TBSCertificateStructure crt) throws IOException {
X509Extensions extensions = crt.getExtensions();
if (extensions == null) {
return null;
}
X509Extension ext = extensions.getExtension(ProxyCertInfo.OID);
if (ext == null) {
ext = extensions.getExtension(ProxyCertInfo.OLD_OID);
}
return (ext != null) ? BouncyCastleUtil.getProxyCertInfo(ext) : null;
}
Aggregations