
Example 1 with X509CRLHolder

use of com.github.zhenwei.pkix.cert.X509CRLHolder in project LinLong-Java by zhenwei1108.

the class CRLValidation method validate.

/**
 * Checks {@code certificate} against the CRLs held in {@code crls} whose issuer
 * equals the current {@code workingIssuerName}, then advances
 * {@code workingIssuerName} to the certificate's subject for the next path step.
 *
 * <p>Only the certificate's serial number is looked up in the matching CRLs;
 * this method does not verify the CRL's signature, its validity window, or
 * the revocation reason (the TODO below marks the lookup as incomplete).
 * {@code context} is accepted but not consulted here.
 *
 * @param context     the validation context (unused in this step)
 * @param certificate the certificate being validated
 * @throws CertPathValidationException if no CRL for the working issuer is
 *         available, or the certificate's serial number appears on one of them
 */
public void validate(CertPathValidationContext context, X509CertificateHolder certificate) throws CertPathValidationException {
    // Select only the CRLs issued by the issuer we are currently working against.
    // TODO: add handling of delta CRLs
    Selector issuerSelector = new Selector() {

        public boolean match(Object obj) {
            X509CRLHolder candidate = (X509CRLHolder) obj;
            return candidate.getIssuer().equals(workingIssuerName);
        }

        public Object clone() {
            return this;
        }
    };
    Collection issuerCrls = crls.getMatches(issuerSelector);
    // No CRL for this issuer is treated as a validation failure, not as "not revoked".
    if (issuerCrls.isEmpty()) {
        throw new CertPathValidationException("CRL for " + workingIssuerName + " not found");
    }
    for (Object o : issuerCrls) {
        X509CRLHolder crl = (X509CRLHolder) o;
        // TODO: not quite right!
        // Any entry for this serial number counts as revoked; the entry's reason code is not examined.
        if (crl.getRevokedCertificate(certificate.getSerialNumber()) != null) {
            throw new CertPathValidationException("Certificate revoked");
        }
    }
    // The subject of the certificate just checked issues the next certificate in the path.
    this.workingIssuerName = certificate.getSubject();
}

Example 2 with X509CRLHolder

use of com.github.zhenwei.pkix.cert.X509CRLHolder in project LinLong-Java by zhenwei1108.

the class MiscPEMGenerator method createPemObject.

/**
 * Converts a supported object into a {@link PemObject}, choosing the PEM type
 * label and DER encoding from the object's runtime class.
 *
 * <p>Objects that are already a {@code PemObject}, or a {@code PemObjectGenerator},
 * are returned (or generated) unchanged before any encoding takes place.
 * Private keys are written in the "traditional" per-algorithm PEM form for
 * RSA, DSA and EC, and as a generic "PRIVATE KEY" (the full PrivateKeyInfo)
 * otherwise. When {@code encryptor} is non-null the encoding is encrypted and
 * the legacy {@code Proc-Type}/{@code DEK-Info} headers are attached; when it
 * is null, private key material is emitted unencrypted.
 *
 * @param o the object to encode
 * @return the PEM object describing {@code o}
 * @throws IOException if DER encoding fails
 * @throws PemGenerationException if {@code o} is of an unsupported type
 */
private PemObject createPemObject(Object o) throws IOException {
    String type;
    byte[] encoding;
    // Pass-through cases: nothing to encode.
    if (o instanceof PemObject) {
        return (PemObject) o;
    }
    if (o instanceof PemObjectGenerator) {
        return ((PemObjectGenerator) o).generate();
    }
    // Order matters below: the first matching instanceof wins.
    if (o instanceof X509CertificateHolder) {
        type = "CERTIFICATE";
        encoding = ((X509CertificateHolder) o).getEncoded();
    } else if (o instanceof X509CRLHolder) {
        type = "X509 CRL";
        encoding = ((X509CRLHolder) o).getEncoded();
    } else if (o instanceof X509TrustedCertificateBlock) {
        type = "TRUSTED CERTIFICATE";
        encoding = ((X509TrustedCertificateBlock) o).getEncoded();
    } else if (o instanceof PrivateKeyInfo) {
        PrivateKeyInfo info = (PrivateKeyInfo) o;
        ASN1ObjectIdentifier algOID = info.getPrivateKeyAlgorithm().getAlgorithm();
        if (algOID.equals(PKCSObjectIdentifiers.rsaEncryption)) {
            // Traditional RSA form: the inner RSAPrivateKey structure, not the PrivateKeyInfo wrapper.
            type = "RSA PRIVATE KEY";
            encoding = info.parsePrivateKey().toASN1Primitive().getEncoded();
        } else if (algOID.equals(dsaOids[0]) || algOID.equals(dsaOids[1])) {
            // dsaOids is a field defined elsewhere in the class; presumably the two DSA algorithm OIDs.
            type = "DSA PRIVATE KEY";
            DSAParameter p = DSAParameter.getInstance(info.getPrivateKeyAlgorithm().getParameters());
            // Traditional DSA form is SEQUENCE { 0, p, q, g, y, x }; the parameters are
            // taken from the AlgorithmIdentifier and y is recomputed as g^x mod p.
            ASN1EncodableVector v = new ASN1EncodableVector();
            v.add(new ASN1Integer(0));
            v.add(new ASN1Integer(p.getP()));
            v.add(new ASN1Integer(p.getQ()));
            v.add(new ASN1Integer(p.getG()));
            BigInteger x = ASN1Integer.getInstance(info.parsePrivateKey()).getValue();
            BigInteger y = p.getG().modPow(x, p.getP());
            v.add(new ASN1Integer(y));
            v.add(new ASN1Integer(x));
            encoding = new DERSequence(v).getEncoded();
        } else if (algOID.equals(X9ObjectIdentifiers.id_ecPublicKey)) {
            // Traditional EC form: the inner ECPrivateKey structure.
            type = "EC PRIVATE KEY";
            encoding = info.parsePrivateKey().toASN1Primitive().getEncoded();
        } else {
            // Any other algorithm: PKCS#8 PrivateKeyInfo as-is.
            type = "PRIVATE KEY";
            encoding = info.getEncoded();
        }
    } else if (o instanceof SubjectPublicKeyInfo) {
        type = "PUBLIC KEY";
        encoding = ((SubjectPublicKeyInfo) o).getEncoded();
    } else if (o instanceof X509AttributeCertificateHolder) {
        type = "ATTRIBUTE CERTIFICATE";
        encoding = ((X509AttributeCertificateHolder) o).getEncoded();
    } else if (o instanceof com.github.zhenwei.pkix.pkcs.PKCS10CertificationRequest) {
        type = "CERTIFICATE REQUEST";
        encoding = ((PKCS10CertificationRequest) o).getEncoded();
    } else if (o instanceof PKCS8EncryptedPrivateKeyInfo) {
        type = "ENCRYPTED PRIVATE KEY";
        encoding = ((PKCS8EncryptedPrivateKeyInfo) o).getEncoded();
    } else if (o instanceof ContentInfo) {
        type = "PKCS7";
        encoding = ((ContentInfo) o).getEncoded();
    } else {
        throw new PemGenerationException("unknown object passed - can't encode.");
    }
    if (encryptor != null) {
        // encryptor is a field defined elsewhere in the class (null means "write in the clear").
        String dekAlgName = Strings.toUpperCase(encryptor.getAlgorithm());
        // Note: For backward compatibility
        if (dekAlgName.equals("DESEDE")) {
            dekAlgName = "DES-EDE3-CBC";
        }
        byte[] iv = encryptor.getIV();
        byte[] encData = encryptor.encrypt(encoding);
        // Proc-Type/DEK-Info are the legacy OpenSSL encrypted-PEM headers; the IV is
        // carried in the clear, as the format requires. NOTE(review): the strength of
        // this output depends entirely on the supplied encryptor's cipher and key
        // derivation — confirm they meet policy before relying on it for key storage.
        List headers = new ArrayList(2);
        headers.add(new PemHeader("Proc-Type", "4,ENCRYPTED"));
        headers.add(new PemHeader("DEK-Info", dekAlgName + "," + getHexEncoded(iv)));
        return new PemObject(type, headers, encData);
    }
    return new PemObject(type, encoding);
}

Example 3 with X509CRLHolder

use of com.github.zhenwei.pkix.cert.X509CRLHolder in project LinLong-Java by zhenwei1108.

the class ESTService method getCACerts.

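/**
 * Query the EST server for ca certificates.
 * <p>
 * RFC7030 leans heavily on the verification phases of TLS for both client and server
 * verification.
 * <p>
 * It does however define a bootstrapping mode where if the client does not have the necessary ca
 * certificates to validate the server it can defer to an external source, such as a human, to
 * formally accept the ca certs.
 * <p>
 * If callers are using bootstrapping they must examine the CACertsResponse and validate it
 * externally.
 * <p>
 * This method performs no validation of the returned certificates or CRLs itself: it decodes
 * the {@code application/pkcs7-mime} body into stores and reports, via
 * {@code clientProvider.isTrusted()}, whether the TLS peer was trusted at transport level.
 * A {@code 204} response yields a response with {@code null} stores.
 *
 * @return A store of X509Certificates.
 * @throws ESTException if the request fails, the status is neither 200 nor 204, the content
 *         type is not {@code application/pkcs7-mime}, the body cannot be decoded, or the
 *         response cannot be closed afterwards
 */
public CACertsResponse getCACerts() throws ESTException {
    ESTResponse resp = null;
    // Captures a failure from resp.close() so it can be reported after the finally block.
    Exception finalThrowable = null;
    CACertsResponse caCertsResponse = null;
    URL url = null;
    try {
        url = new URL(server + CACERTS);
        ESTClient client = clientProvider.makeClient();
        ESTRequest req = new ESTRequestBuilder("GET", url).withClient(client).build();
        resp = client.doRequest(req);
        Store<X509CertificateHolder> caCerts = null;
        Store<X509CRLHolder> crlHolderStore = null;
        if (resp.getStatusCode() == 200) {
            // RFC 7030 requires the cacerts body to be a PKCS#7 (SimplePKIResponse) object.
            String contentType = resp.getHeaders().getFirstValue("Content-Type");
            if (contentType == null || !contentType.startsWith("application/pkcs7-mime")) {
                String j = contentType != null ? " got " + contentType : " but was not present.";
                throw new ESTException(("Response : " + url.toString() + "Expecting application/pkcs7-mime ") + j, null, resp.getStatusCode(), resp.getInputStream());
            }
            try {
                // An empty (or unknown-length) body leaves both stores null.
                if (resp.getContentLength() != null && resp.getContentLength() > 0) {
                    ASN1InputStream ain = new ASN1InputStream(resp.getInputStream());
                    SimplePKIResponse spkr = new SimplePKIResponse(ContentInfo.getInstance((ASN1Sequence) ain.readObject()));
                    caCerts = spkr.getCertificates();
                    crlHolderStore = spkr.getCRLs();
                }
            } catch (Throwable ex) {
                // Any decoding problem (including a non-SEQUENCE body) is surfaced with the status code.
                throw new ESTException("Decoding CACerts: " + url.toString() + " " + ex.getMessage(), ex, resp.getStatusCode(), resp.getInputStream());
            }
        } else if (resp.getStatusCode() != 204) {
            // 204 is No Content and is accepted; anything else is an error.
            throw new ESTException("Get CACerts: " + url.toString(), null, resp.getStatusCode(), resp.getInputStream());
        }
        caCertsResponse = new CACertsResponse(caCerts, crlHolderStore, req, resp.getSource(), clientProvider.isTrusted());
    } catch (Throwable t) {
        // ESTExceptions pass through unchanged; everything else is wrapped with its cause preserved.
        if (t instanceof ESTException) {
            throw (ESTException) t;
        } else {
            throw new ESTException(t.getMessage(), t);
        }
    } finally {
        if (resp != null) {
            try {
                resp.close();
            } catch (Exception t) {
                // Deferred: a close failure must not mask an exception already in flight.
                finalThrowable = t;
            }
        }
    }
    if (finalThrowable != null) {
        if (finalThrowable instanceof ESTException) {
            throw (ESTException) finalThrowable;
        }
        // resp and url are non-null here: finalThrowable is only set when resp was opened.
        throw new ESTException("Get CACerts: " + url.toString(), finalThrowable, resp.getStatusCode(), null);
    }
    return caCertsResponse;
}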

Example 4 with X509CRLHolder

use of com.github.zhenwei.pkix.cert.X509CRLHolder in project LinLong-Java by zhenwei1108.

the class CMSUtils method getCRLsFromStore.

/**
 * Collects the revocation information in {@code crlStore} in the ASN.1 forms used by
 * a CMS RevocationInfoChoices set.
 *
 * <p>Each element of the store is mapped by its runtime type: an {@code X509CRLHolder}
 * contributes its CertificateList structure; an {@code OtherRevocationInfoFormat} is
 * checked with {@code validateInfoFormat} and wrapped as implicit tag [1]; an
 * {@code ASN1TaggedObject} is passed through as supplied, without further checks.
 * Elements of any other type are silently skipped.
 *
 * @param crlStore the store to read; {@code getMatches(null)} selects every element
 * @return a new list of ASN.1 revocation entries, possibly empty
 * @throws CMSException if a store element cannot be cast to the expected type
 */
static List getCRLsFromStore(Store crlStore) throws CMSException {
    List revocationInfos = new ArrayList();
    try {
        for (Object rev : crlStore.getMatches(null)) {
            if (rev instanceof X509CRLHolder) {
                revocationInfos.add(((X509CRLHolder) rev).toASN1Structure());
            } else if (rev instanceof OtherRevocationInfoFormat) {
                OtherRevocationInfoFormat infoFormat = OtherRevocationInfoFormat.getInstance(rev);
                validateInfoFormat(infoFormat);
                // [1] IMPLICIT OtherRevocationInfoFormat, per the CMS RevocationInfoChoice syntax.
                revocationInfos.add(new DERTaggedObject(false, 1, infoFormat));
            } else if (rev instanceof ASN1TaggedObject) {
                revocationInfos.add(rev);
            }
        }
    } catch (ClassCastException e) {
        throw new CMSException("error processing certs", e);
    }
    return revocationInfos;
}
