Example 26 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project jruby-openssl by jruby.
the class X509Extension method value.
@JRubyMethod
public RubyString value(final ThreadContext context) {
if (this.value instanceof RubyString) {
// return the same as set
return (RubyString) this.value;
}
final Ruby runtime = context.runtime;
final String oid = getRealObjectID().getId();
try {
if (oid.equals("2.5.29.19")) {
// basicConstraints
ASN1Sequence seq2 = (ASN1Sequence) ASN1.readObject(getRealValueEncoded());
final ByteList val = new ByteList(32);
if (seq2.size() > 0) {
val.append(CA_);
ASN1Encodable obj0 = seq2.getObjectAt(0);
final boolean bool = ((ASN1Boolean) obj0).isTrue();
val.append(bool ? TRUE : FALSE);
}
if (seq2.size() > 1) {
val.append(", pathlen:".getBytes());
val.append(seq2.getObjectAt(1).toString().getBytes());
}
return runtime.newString(val);
}
if (oid.equals("2.5.29.15")) {
// keyUsage
final byte[] enc = getRealValueEncoded();
byte b3 = 0;
byte b2 = enc[2];
if (enc.length > 3)
b3 = enc[3];
final ByteList val = new ByteList(64);
byte[] sep = NULL;
if ((b2 & (byte) 128) != 0) {
val.append(sep);
val.append(Decipher_Only);
sep = SEP;
}
if ((b3 & (byte) 128) != 0) {
val.append(sep);
val.append(Digital_Signature);
sep = SEP;
}
if ((b3 & (byte) 64) != 0) {
val.append(sep);
val.append(Non_Repudiation);
sep = SEP;
}
if ((b3 & (byte) 32) != 0) {
val.append(sep);
val.append(Key_Encipherment);
sep = SEP;
}
if ((b3 & (byte) 16) != 0) {
val.append(sep);
val.append(Data_Encipherment);
sep = SEP;
}
if ((b3 & (byte) 8) != 0) {
val.append(sep);
val.append(Key_Agreement);
sep = SEP;
}
if ((b3 & (byte) 4) != 0) {
val.append(sep);
val.append(Certificate_Sign);
sep = SEP;
}
if ((b3 & (byte) 2) != 0) {
val.append(sep);
val.append(CRL_Sign);
sep = SEP;
}
if ((b3 & (byte) 1) != 0) {
// sep = SEP;
val.append(sep);
// sep = SEP;
val.append(Encipher_Only);
}
return runtime.newString(val);
}
if (oid.equals("2.16.840.1.113730.1.1")) {
// nsCertType
final byte b0 = getRealValueEncoded()[0];
final ByteList val = new ByteList(64);
byte[] sep = NULL;
if ((b0 & (byte) 128) != 0) {
val.append(sep);
val.append(SSL_Client);
sep = SEP;
}
if ((b0 & (byte) 64) != 0) {
val.append(sep);
val.append(SSL_Server);
sep = SEP;
}
if ((b0 & (byte) 32) != 0) {
val.append(sep);
val.append(SMIME);
sep = SEP;
}
if ((b0 & (byte) 16) != 0) {
val.append(sep);
val.append(Object_Signing);
sep = SEP;
}
if ((b0 & (byte) 8) != 0) {
val.append(sep);
val.append(Unused);
sep = SEP;
}
if ((b0 & (byte) 4) != 0) {
val.append(sep);
val.append(SSL_CA);
sep = SEP;
}
if ((b0 & (byte) 2) != 0) {
val.append(sep);
val.append(SMIME_CA);
sep = SEP;
}
if ((b0 & (byte) 1) != 0) {
val.append(sep);
val.append(Object_Signing_CA);
}
return runtime.newString(val);
}
if (oid.equals("2.5.29.14")) {
// subjectKeyIdentifier
ASN1Encodable value = getRealValue();
if (value instanceof ASN1OctetString) {
byte[] octets = ((ASN1OctetString) value).getOctets();
if (octets.length > 0 && octets[0] == BERTags.OCTET_STRING) {
// read nested octets
value = ASN1.readObject(octets);
}
}
return runtime.newString(hexBytes(keyidBytes(value.toASN1Primitive()), 0));
}
if (oid.equals("2.5.29.35")) {
// authorityKeyIdentifier
ASN1Encodable value = getRealValue();
if (value instanceof ASN1OctetString) {
value = ASN1.readObject(((ASN1OctetString) value).getOctets());
}
final ByteList val = new ByteList(72);
if (value instanceof ASN1Sequence) {
final ASN1Sequence seq = (ASN1Sequence) value;
final int size = seq.size();
if (size == 0)
return RubyString.newEmptyString(runtime);
for (int i = 0; i < size; i++) {
final ASN1Encodable enc = seq.getObjectAt(i);
if (enc instanceof ASN1TaggedObject) {
ASN1Primitive obj = ((ASN1TaggedObject) enc).getObject();
switch(((ASN1TaggedObject) enc).getTagNo()) {
case 0:
ASN1Primitive keyid = obj;
val.append(keyid_);
hexBytes(keyidBytes(keyid), val);
break;
case 1:
GeneralName name;
if (obj instanceof ASN1Sequence) {
// GeneralNames -> toASN1Primitive()
GeneralName[] names = GeneralNames.getInstance(obj).getNames();
name = names.length > 0 ? names[0] : null;
} else {
name = GeneralName.getInstance(obj);
}
if (name != null)
formatGeneralName(name, val, true);
break;
case // serial
2:
val.append(new byte[] { 's', 'e', 'r', 'i', 'a', 'l', ':' });
if (obj instanceof ASN1Integer) {
hexBytes(((ASN1Integer) obj).getValue().toByteArray(), val);
} else {
hexBytes(((ASN1OctetString) obj).getOctets(), val);
}
break;
}
} else if (size == 1) {
ASN1Primitive keyid = enc.toASN1Primitive();
hexBytes(keyidBytes(keyid), val);
}
val.append('\n');
}
return runtime.newString(val);
}
hexBytes(keyidBytes(value.toASN1Primitive()), val).append('\n');
return runtime.newString(val);
}
if (oid.equals("2.5.29.21")) {
// CRLReason
final IRubyObject value = getValue(runtime);
switch(RubyNumeric.fix2int(value)) {
case 0:
return runtime.newString(new ByteList(Unspecified));
case 1:
return RubyString.newString(runtime, "Key Compromise");
case 2:
return RubyString.newString(runtime, "CA Compromise");
case 3:
return RubyString.newString(runtime, "Affiliation Changed");
case 4:
return RubyString.newString(runtime, "Superseded");
case 5:
return RubyString.newString(runtime, "Cessation Of Operation");
case 6:
return RubyString.newString(runtime, "Certificate Hold");
case 8:
return RubyString.newString(runtime, "Remove From CRL");
case 9:
return RubyString.newString(runtime, "Privilege Withdrawn");
default:
return runtime.newString(new ByteList(Unspecified));
}
}
if (oid.equals("2.5.29.17") || oid.equals("2.5.29.18")) {
// subjectAltName || issuerAltName
try {
ASN1Encodable value = getRealValue();
final ByteList val = new ByteList(64);
if (value instanceof ASN1TaggedObject) {
formatGeneralName(GeneralName.getInstance(value), val, false);
return runtime.newString(val);
}
if (value instanceof GeneralName) {
formatGeneralName((GeneralName) value, val, false);
return runtime.newString(val);
}
if (value instanceof ASN1OctetString) {
// decoded octets will end up as an ASN1Sequence instance :
value = ASN1.readObject(((ASN1OctetString) value).getOctets());
}
if (value instanceof ASN1TaggedObject) {
// DERTaggedObject (issuerAltName wrapping)
formatGeneralName(GeneralName.getInstance(value), val, false);
return runtime.newString(val);
}
final GeneralName[] names = GeneralNames.getInstance(value).getNames();
for (int i = 0; i < names.length; i++) {
boolean other = formatGeneralName(names[i], val, false);
if (i < names.length - 1) {
if (other)
val.append(';');
else
val.append(',').append(' ');
}
}
return runtime.newString(val);
} catch (IllegalArgumentException e) {
debugStackTrace(runtime, e);
return rawValueAsString(context);
}
}
if (oid.equals("2.5.29.37")) {
// extendedKeyUsage
final ByteList val = new ByteList(64);
if (this.value instanceof ASN1Sequence) {
// opt "short" path
final ASN1Sequence seq = (ASN1Sequence) this.value;
final int size = seq.size();
for (int i = 0; i < size; i++) {
ASN1Encodable o = seq.getObjectAt(i);
String name = o.toString();
Integer nid = ASN1.oid2nid(runtime, new ASN1ObjectIdentifier(name));
if (nid != null)
name = ASN1.nid2ln(runtime, nid);
if (name == null)
name = o.toString();
val.append(ByteList.plain(name));
if (i < size - 1)
val.append(',').append(' ');
}
return runtime.newString(val);
}
final IRubyObject value = getValue(runtime);
if (value instanceof RubyArray) {
final RubyArray arr = (RubyArray) value;
final int size = arr.size();
for (int i = 0; i < size; i++) {
IRubyObject entry = arr.eltInternal(i);
if ("ObjectId".equals(entry.getMetaClass().getBaseName())) {
entry = entry.callMethod(context, "ln");
} else if (entry.respondsTo("value")) {
entry = entry.callMethod(context, "value");
}
val.append(entry.asString().getByteList());
if (i < size - 1)
val.append(',').append(' ');
}
}
return runtime.newString(val);
}
return rawValueAsString(context);
} catch (IOException e) {
debugStackTrace(runtime, e);
throw newExtensionError(runtime, e);
}
}
Also used :
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
ByteList(org.jruby.util.ByteList)
RubyArray(org.jruby.RubyArray)
RubyString(org.jruby.RubyString)
ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
RubyString(org.jruby.RubyString)
ASN1String(org.bouncycastle.asn1.ASN1String)
DERUniversalString(org.bouncycastle.asn1.DERUniversalString)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
IOException(java.io.IOException)
IRubyObject(org.jruby.runtime.builtin.IRubyObject)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
ASN1Boolean(org.bouncycastle.asn1.ASN1Boolean)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
Ruby(org.jruby.Ruby)
ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
JRubyMethod(org.jruby.anno.JRubyMethod)
Example 27 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project jruby-openssl by jruby.
the class X509Utils method checkIfIssuedBy.
/*
* c: X509_check_issued + x509_likely_issued + x509_signing_allowed
*/
static int checkIfIssuedBy(final X509AuxCertificate issuer, final X509AuxCertificate subject) throws IOException {
if (!issuer.getSubjectX500Principal().equals(subject.getIssuerX500Principal())) {
return V_ERR_SUBJECT_ISSUER_MISMATCH;
}
if (subject.getExtensionValue("2.5.29.35") != null) {
// authorityKeyID
// I hate ASN1 and DER
Object key = get(subject.getExtensionValue("2.5.29.35"));
if (!(key instanceof ASN1Sequence))
key = get((DEROctetString) key);
final ASN1Sequence seq = (ASN1Sequence) key;
final AuthorityKeyIdentifier sakid;
if (seq.size() == 1 && (seq.getObjectAt(0) instanceof ASN1OctetString)) {
sakid = AuthorityKeyIdentifier.getInstance(new DLSequence(new DERTaggedObject(0, seq.getObjectAt(0))));
} else {
sakid = AuthorityKeyIdentifier.getInstance(seq);
}
if (sakid.getKeyIdentifier() != null) {
if (issuer.getExtensionValue("2.5.29.14") != null) {
DEROctetString der = (DEROctetString) get(issuer.getExtensionValue("2.5.29.14"));
SubjectKeyIdentifier iskid = SubjectKeyIdentifier.getInstance(get(der.getOctets()));
if (iskid.getKeyIdentifier() != null) {
if (!Arrays.equals(sakid.getKeyIdentifier(), iskid.getKeyIdentifier())) {
return V_ERR_AKID_SKID_MISMATCH;
}
}
}
}
final BigInteger serialNumber = sakid.getAuthorityCertSerialNumber();
if (serialNumber != null && !serialNumber.equals(issuer.getSerialNumber())) {
return V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
}
if (sakid.getAuthorityCertIssuer() != null) {
GeneralName[] gens = sakid.getAuthorityCertIssuer().getNames();
X500Name x500Name = null;
for (int i = 0; i < gens.length; i++) {
if (gens[i].getTagNo() == GeneralName.directoryName) {
ASN1Encodable name = gens[i].getName();
if (name instanceof X500Name) {
x500Name = (X500Name) name;
} else if (name instanceof ASN1Sequence) {
x500Name = X500Name.getInstance((ASN1Sequence) name);
} else {
throw new RuntimeException("unknown name type: " + name);
}
break;
}
}
if (x500Name != null) {
if (!new Name(x500Name).equalTo(issuer.getIssuerX500Principal())) {
return V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
}
}
}
}
final boolean[] keyUsage = issuer.getKeyUsage();
if (subject.getExtensionValue("1.3.6.1.5.5.7.1.14") != null) {
if (keyUsage != null && !keyUsage[0]) {
// KU_DIGITAL_SIGNATURE
return V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
}
} else if (keyUsage != null && !keyUsage[5]) {
// KU_KEY_CERT_SIGN
return V_ERR_KEYUSAGE_NO_CERTSIGN;
}
return V_OK;
}
Also used :
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
X500Name(org.bouncycastle.asn1.x500.X500Name)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
X500Name(org.bouncycastle.asn1.x500.X500Name)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
DLSequence(org.bouncycastle.asn1.DLSequence)
BigInteger(java.math.BigInteger)
DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
Example 28 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project xipki by xipki.
the class ExtensionsChecker method checkExtensions.
public List<ValidationIssue> checkExtensions(Certificate cert, IssuerInfo issuerInfo, Extensions requestedExtns, X500Name requestedSubject) {
notNull(cert, "cert");
notNull(issuerInfo, "issuerInfo");
X509Cert jceCert = new X509Cert(cert);
List<ValidationIssue> result = new LinkedList<>();
// detect the list of extension types in certificate
Set<ASN1ObjectIdentifier> presentExtenionTypes = getExensionTypes(cert, issuerInfo, requestedExtns);
Extensions extensions = cert.getTBSCertificate().getExtensions();
ASN1ObjectIdentifier[] oids = extensions.getExtensionOIDs();
if (oids == null) {
ValidationIssue issue = new ValidationIssue("X509.EXT.GEN", "extension general");
result.add(issue);
issue.setFailureMessage("no extension is present");
return result;
}
List<ASN1ObjectIdentifier> certExtTypes = Arrays.asList(oids);
for (ASN1ObjectIdentifier extType : presentExtenionTypes) {
if (!certExtTypes.contains(extType)) {
ValidationIssue issue = createExtensionIssue(extType);
result.add(issue);
issue.setFailureMessage("extension is absent but is required");
}
}
Map<ASN1ObjectIdentifier, ExtensionControl> extnControls = certprofile.getExtensionControls();
for (ASN1ObjectIdentifier oid : certExtTypes) {
ValidationIssue issue = createExtensionIssue(oid);
result.add(issue);
if (!presentExtenionTypes.contains(oid)) {
issue.setFailureMessage("extension is present but is not permitted");
continue;
}
Extension ext = extensions.getExtension(oid);
StringBuilder failureMsg = new StringBuilder();
ExtensionControl extnControl = extnControls.get(oid);
if (extnControl.isCritical() != ext.isCritical()) {
addViolation(failureMsg, "critical", ext.isCritical(), extnControl.isCritical());
}
byte[] extnValue = ext.getExtnValue().getOctets();
try {
if (extensionSyntaxes != null && extensionSyntaxes.containsKey(oid)) {
Extension requestedExtn = requestedExtns.getExtension(oid);
if (!Arrays.equals(requestedExtn.getExtnValue().getOctets(), extnValue)) {
failureMsg.append("extension in certificate does not equal the one contained in the request");
} else {
ExtnSyntax syntax = extensionSyntaxes.get(oid);
String extnName = "extension " + ObjectIdentifiers.oidToDisplayName(oid);
try {
ExtensionSyntaxChecker.checkExtension(extnName, ext.getParsedValue(), syntax);
} catch (BadCertTemplateException ex) {
failureMsg.append(ex.getMessage());
}
}
} else if (Extension.authorityKeyIdentifier.equals(oid)) {
a2gChecker.checkExtnAuthorityKeyId(failureMsg, extnValue, issuerInfo);
} else if (Extension.subjectKeyIdentifier.equals(oid)) {
// SubjectKeyIdentifier
o2tChecker.checkExtnSubjectKeyIdentifier(failureMsg, extnValue, cert.getSubjectPublicKeyInfo());
} else if (Extension.keyUsage.equals(oid)) {
h2nChecker.checkExtnKeyUsage(failureMsg, jceCert.getKeyUsage(), requestedExtns, extnControl);
} else if (Extension.certificatePolicies.equals(oid)) {
a2gChecker.checkExtnCertificatePolicies(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.policyMappings.equals(oid)) {
o2tChecker.checkExtnPolicyMappings(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.subjectAlternativeName.equals(oid)) {
o2tChecker.checkExtnSubjectAltNames(failureMsg, extnValue, requestedExtns, extnControl, requestedSubject);
} else if (Extension.subjectDirectoryAttributes.equals(oid)) {
o2tChecker.checkExtnSubjectDirAttrs(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.issuerAlternativeName.equals(oid)) {
h2nChecker.checkExtnIssuerAltNames(failureMsg, extnValue, issuerInfo);
} else if (Extension.basicConstraints.equals(oid)) {
a2gChecker.checkExtnBasicConstraints(failureMsg, extnValue);
} else if (Extension.nameConstraints.equals(oid)) {
h2nChecker.checkExtnNameConstraints(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.policyConstraints.equals(oid)) {
o2tChecker.checkExtnPolicyConstraints(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.extendedKeyUsage.equals(oid)) {
a2gChecker.checkExtnExtendedKeyUsage(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.cRLDistributionPoints.equals(oid)) {
a2gChecker.checkExtnCrlDistributionPoints(failureMsg, extnValue, issuerInfo);
} else if (Extension.inhibitAnyPolicy.equals(oid)) {
h2nChecker.checkExtnInhibitAnyPolicy(failureMsg, extnValue, extensions, extnControl);
} else if (Extension.freshestCRL.equals(oid)) {
a2gChecker.checkExtnDeltaCrlDistributionPoints(failureMsg, extnValue, issuerInfo);
} else if (Extension.authorityInfoAccess.equals(oid)) {
a2gChecker.checkExtnAuthorityInfoAccess(failureMsg, extnValue, issuerInfo);
} else if (Extension.subjectInfoAccess.equals(oid)) {
o2tChecker.checkExtnSubjectInfoAccess(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extn.id_extension_admission.equals(oid)) {
a2gChecker.checkExtnAdmission(failureMsg, extnValue, requestedExtns, requestedSubject, extnControl);
} else if (Extn.id_extension_pkix_ocsp_nocheck.equals(oid)) {
o2tChecker.checkExtnOcspNocheck(failureMsg, extnValue);
} else if (Extn.id_extension_restriction.equals(oid)) {
o2tChecker.checkExtnRestriction(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extn.id_extension_additionalInformation.equals(oid)) {
a2gChecker.checkExtnAdditionalInformation(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extn.id_extension_validityModel.equals(oid)) {
u2zChecker.checkExtnValidityModel(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.privateKeyUsagePeriod.equals(oid)) {
o2tChecker.checkExtnPrivateKeyUsagePeriod(failureMsg, extnValue, jceCert.getNotBefore(), jceCert.getNotAfter());
} else if (Extension.qCStatements.equals(oid)) {
o2tChecker.checkExtnQcStatements(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extension.biometricInfo.equals(oid)) {
a2gChecker.checkExtnBiometricInfo(failureMsg, extnValue, requestedExtns);
} else if (Extn.id_pe_tlsfeature.equals(oid)) {
o2tChecker.checkExtnTlsFeature(failureMsg, extnValue, requestedExtns, extnControl);
} else if (Extn.id_smimeCapabilities.equals(oid)) {
o2tChecker.checkSmimeCapabilities(failureMsg, extnValue, extnControl);
} else if (Extn.id_SCTs.equals(oid)) {
o2tChecker.checkScts(failureMsg, extnValue, extnControl);
} else if (Extn.id_GMT_0015_ICRegistrationNumber.equals(oid) || Extn.id_GMT_0015_InsuranceNumber.equals(oid) || Extn.id_GMT_0015_OrganizationCode.equals(oid) || Extn.id_GMT_0015_TaxationNumber.equals(oid) || Extn.id_GMT_0015_IdentityCode.equals(oid)) {
a2gChecker.checkExtnGmt0015(failureMsg, extnValue, requestedExtns, extnControl, oid, requestedSubject);
} else {
byte[] expected = getExpectedExtValue(oid, requestedExtns, extnControl);
if (!Arrays.equals(expected, extnValue)) {
addViolation(failureMsg, "extension value", hex(extnValue), (expected == null) ? "not present" : hex(expected));
}
}
if (failureMsg.length() > 0) {
issue.setFailureMessage(failureMsg.toString());
}
} catch (IllegalArgumentException | ClassCastException | IOException | ArrayIndexOutOfBoundsException ex) {
LOG.debug("extension value does not have correct syntax", ex);
issue.setFailureMessage("extension value does not have correct syntax");
}
}
return result;
}
Also used :
IOException(java.io.IOException)
Extensions(org.bouncycastle.asn1.x509.Extensions)
ValidationIssue(org.xipki.qa.ValidationIssue)
Extension(org.bouncycastle.asn1.x509.Extension)
X509Cert(org.xipki.security.X509Cert)
ExtensionControl(org.xipki.ca.api.profile.Certprofile.ExtensionControl)
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
Example 29 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project LinLong-Java by zhenwei1108.
the class RecipientKeyIdentifier method toASN1Primitive.
/**
* Produce an object suitable for an ASN1OutputStream.
*/
public ASN1Primitive toASN1Primitive() {
ASN1EncodableVector v = new ASN1EncodableVector(3);
v.add(subjectKeyIdentifier);
if (date != null) {
v.add(date);
}
if (other != null) {
v.add(other);
}
return new DERSequence(v);
}
Also used :
DERSequence(com.github.zhenwei.core.asn1.DERSequence)
ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector)
Example 30 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project LinLong-Java by zhenwei1108.
the class CertBuilder method generateCertificate.
/**
* @param [dn, publicKey, privateKey]
* @return java.security.cert.Certificate
* @author zhangzhenwei
* @description 生成证书
* todo just support sm2
* @date 2022/3/15 9:09 下午
* @since: 1.0.0
*/
public static byte[] generateCertificate(String subjectDn, String issuerDn, PublicKey publicKey, PrivateKey privateKey, SignAlgEnum signAlgEnum, int time, TimeUnit timeUnit) throws WeGooCryptoException {
try {
SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
// SubjectPublicKeyInfo publicKeyInfo = (SubjectPublicKeyInfo)publicKey;
X500Name subject = new X500Name(subjectDn);
X500Name issuer = new X500Name(issuerDn);
byte[] bytes = new byte[15];
Random random = new Random();
random.nextBytes(bytes);
byte[] bytes1 = ByteArrayUtil.mergeBytes("9".getBytes(StandardCharsets.UTF_8), bytes);
BigInteger sn = new BigInteger(bytes1);
Date notBefore = DateUtil.now();
int max = Math.max(1, (int) timeUnit.toDays(time));
Date notAfter = DateUtil.nowPlusDays(max);
BcX509ExtensionUtils x509ExtensionUtils = new BcX509ExtensionUtils();
// 密钥用途: 签名和不可抵赖
int usage = KeyUsage.digitalSignature | KeyUsage.nonRepudiation;
// 使用者标识符
SubjectKeyIdentifier subjectKeyIdentifier = x509ExtensionUtils.createSubjectKeyIdentifier(publicKeyInfo);
// 授权者标识符
AuthorityKeyIdentifier authorityKeyIdentifier = x509ExtensionUtils.createAuthorityKeyIdentifier(publicKeyInfo);
// 判断是否签发根证书
if (subject.toString().equals(subject.toString())) {
// 根证书 颁发者标识符
authorityKeyIdentifier = x509ExtensionUtils.createAuthorityKeyIdentifier(publicKeyInfo);
// 补充证书签名用途
usage = usage | KeyUsage.keyCertSign;
}
X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuer, sn, notBefore, notAfter, subject, publicKeyInfo);
// 增加扩展项
Extension keyUsage = new Extension(Extension.keyUsage, false, new KeyUsage(usage).getEncoded());
Extension subjectKeyId = new Extension(Extension.subjectKeyIdentifier, false, subjectKeyIdentifier.getEncoded());
Extension authorityKeyId = new Extension(Extension.authorityKeyIdentifier, false, authorityKeyIdentifier.getEncoded());
AlgorithmIdentifier sigAlgId = new AlgorithmIdentifier(signAlgEnum.getOid());
AlgorithmIdentifier digAlgId = new AlgorithmIdentifier(signAlgEnum.getDigestAlgEnum().getOid());
builder.addExtension(keyUsage);
builder.addExtension(subjectKeyId);
builder.addExtension(authorityKeyId);
X509CertificateHolder holder;
BcContentSignerBuilder signerBuilder;
AsymmetricKeyParameter keyParameters;
if (publicKey.getAlgorithm().equals("EC")) {
signerBuilder = new BcECContentSignerBuilder(sigAlgId, digAlgId);
BCECPrivateKey key = (BCECPrivateKey) privateKey;
ECParameterSpec parameters = key.getParameters();
ECDomainParameters params = new ECDomainParameters(parameters.getCurve(), parameters.getG(), parameters.getN());
keyParameters = new ECPrivateKeyParameters(key.getD(), params);
holder = builder.build(signerBuilder.build(keyParameters));
} else {
BCRSAPrivateKey key = (BCRSAPrivateKey) privateKey;
signerBuilder = new BcRSAContentSignerBuilder(sigAlgId, digAlgId);
keyParameters = new RSAKeyParameters(true, key.getModulus(), key.getPrivateExponent());
holder = builder.build(signerBuilder.build(keyParameters));
}
return holder.toASN1Structure().getEncoded();
} catch (Exception e) {
throw new WeGooCryptoException(CryptoExceptionMassageEnum.generate_cert_err, e);
}
}
Also used :
ECDomainParameters(com.github.zhenwei.core.crypto.params.ECDomainParameters)
BCRSAPrivateKey(com.github.zhenwei.provider.jcajce.provider.asymmetric.rsa.BCRSAPrivateKey)
X500Name(com.github.zhenwei.core.asn1.x500.X500Name)
RSAKeyParameters(com.github.zhenwei.core.crypto.params.RSAKeyParameters)
BcRSAContentSignerBuilder(com.github.zhenwei.pkix.operator.bc.BcRSAContentSignerBuilder)
Random(java.util.Random)
BcContentSignerBuilder(com.github.zhenwei.pkix.operator.bc.BcContentSignerBuilder)
Date(java.util.Date)
WeGooCryptoException(com.github.zhenwei.core.exception.WeGooCryptoException)
BCECPrivateKey(com.github.zhenwei.provider.jcajce.provider.asymmetric.ec.BCECPrivateKey)
ECPrivateKeyParameters(com.github.zhenwei.core.crypto.params.ECPrivateKeyParameters)
WeGooCryptoException(com.github.zhenwei.core.exception.WeGooCryptoException)
AsymmetricKeyParameter(com.github.zhenwei.core.crypto.params.AsymmetricKeyParameter)
X509v3CertificateBuilder(com.github.zhenwei.pkix.cert.X509v3CertificateBuilder)
ECParameterSpec(com.github.zhenwei.provider.jce.spec.ECParameterSpec)
X509CertificateHolder(com.github.zhenwei.pkix.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
BcX509ExtensionUtils(com.github.zhenwei.pkix.cert.bc.BcX509ExtensionUtils)
BcECContentSignerBuilder(com.github.zhenwei.pkix.operator.bc.BcECContentSignerBuilder)
Aggregations
SubjectKeyIdentifier (org.bouncycastle.asn1.x509.SubjectKeyIdentifier)34
AuthorityKeyIdentifier (org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)17
X509Certificate (java.security.cert.X509Certificate)14
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)14
IOException (java.io.IOException)12
X500Name (org.bouncycastle.asn1.x500.X500Name)10
GeneralName (org.bouncycastle.asn1.x509.GeneralName)10
ContentSigner (org.bouncycastle.operator.ContentSigner)10
BigInteger (java.math.BigInteger)9
Date (java.util.Date)9
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)9
JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)9
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)8
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)8
JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)8
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)8
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)7
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)7
ByteArrayInputStream (java.io.ByteArrayInputStream)6
CertificateException (java.security.cert.CertificateException)6
