use of com.github.zhenwei.pkix.cert.X509CertificateHolder in project LinLong-Java by zhenwei1108.
the class JcaPKIXIdentityBuilder method build.
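/**
 * Build an identity from the passed in key and certificate stream in PEM format.
 * <p>
 * The key stream must start with a single private key, given either as a PEM key pair or
 * as a bare PKCS#8 {@code PrivateKeyInfo}. The certificate stream is read to its end and
 * every PEM object in it must be a certificate. Neither stream is closed here; both are
 * owned by the caller.
 *
 * @param keyStream the PEM stream containing the key
 * @param certificateStream the PEM stream containing the certificate
 * @return an identity object.
 * @throws IOException on a general parsing error, on an unsupported (or encrypted) key
 *     object, or on a non-certificate object in the certificate stream.
 * @throws CertificateException on a certificate parsing error.
 */
public JcaPKIXIdentity build(InputStream keyStream, InputStream certificateStream) throws IOException, CertificateException {
    // PEM is text; name the charset explicitly instead of relying on the platform default.
    PEMParser keyParser = new PEMParser(new InputStreamReader(keyStream, java.nio.charset.StandardCharsets.UTF_8));
    Object keyObj = keyParser.readObject();
    PrivateKey privKey;
    if (keyObj instanceof PEMKeyPair) {
        privKey = keyConverter.getPrivateKey(((PEMKeyPair) keyObj).getPrivateKeyInfo());
    } else if (keyObj instanceof PrivateKeyInfo) {
        privKey = keyConverter.getPrivateKey((PrivateKeyInfo) keyObj);
    } else {
        // TODO: handle encrypted private keys
        // Also reached for an empty stream (readObject() returned null) and any other PEM type.
        throw new IOException("unrecognised private key file");
    }

    PEMParser certParser = new PEMParser(new InputStreamReader(certificateStream, java.nio.charset.StandardCharsets.UTF_8));
    List<X509Certificate> certs = new ArrayList<X509Certificate>();
    Object certObj;
    while ((certObj = certParser.readObject()) != null) {
        // Report a stray non-certificate block (e.g. a key) as a parse error rather than a ClassCastException.
        if (!(certObj instanceof X509CertificateHolder)) {
            throw new IOException("unrecognised object in certificate file: " + certObj.getClass().getName());
        }
        certs.add(certConverter.getCertificate((X509CertificateHolder) certObj));
    }
    return new JcaPKIXIdentity(privKey, certs.toArray(new X509Certificate[certs.size()]));
}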
the class MiscPEMGenerator method createPemObject.
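/**
 * Convert a supported PKIX object into a {@link PemObject}.
 * <p>
 * A {@link PemObject} is returned as is and a {@link PemObjectGenerator} is asked to
 * generate one. Every other supported type is DER encoded and labelled with the PEM type
 * string chosen in the branch that handles it. When an encryptor is configured the body is
 * encrypted and the OpenSSL-style {@code Proc-Type} / {@code DEK-Info} headers are added;
 * how strong that protection is depends entirely on the configured encryptor (cipher and
 * key derivation), this method only records its algorithm name and IV.
 *
 * @param o the object to encode.
 * @return the PEM object, encrypted if an encryptor is set.
 * @throws IOException on an encoding or encryption failure.
 * @throws PemGenerationException if the object type is not supported.
 */
private PemObject createPemObject(Object o) throws IOException {
    if (o instanceof PemObject) {
        return (PemObject) o;
    }
    if (o instanceof PemObjectGenerator) {
        return ((PemObjectGenerator) o).generate();
    }

    String type;
    byte[] encoding;
    if (o instanceof X509CertificateHolder) {
        type = "CERTIFICATE";
        encoding = ((X509CertificateHolder) o).getEncoded();
    } else if (o instanceof X509CRLHolder) {
        type = "X509 CRL";
        encoding = ((X509CRLHolder) o).getEncoded();
    } else if (o instanceof X509TrustedCertificateBlock) {
        type = "TRUSTED CERTIFICATE";
        encoding = ((X509TrustedCertificateBlock) o).getEncoded();
    } else if (o instanceof PrivateKeyInfo) {
        PrivateKeyInfo info = (PrivateKeyInfo) o;
        ASN1ObjectIdentifier algOID = info.getPrivateKeyAlgorithm().getAlgorithm();
        if (algOID.equals(PKCSObjectIdentifiers.rsaEncryption)) {
            // Inner key structure only, without the PKCS#8 wrapper, as the label implies.
            type = "RSA PRIVATE KEY";
            encoding = info.parsePrivateKey().toASN1Primitive().getEncoded();
        } else if (algOID.equals(dsaOids[0]) || algOID.equals(dsaOids[1])) {
            type = "DSA PRIVATE KEY";
            encoding = encodeDsaPrivateKey(info);
        } else if (algOID.equals(X9ObjectIdentifiers.id_ecPublicKey)) {
            type = "EC PRIVATE KEY";
            encoding = info.parsePrivateKey().toASN1Primitive().getEncoded();
        } else {
            // Any other algorithm keeps its complete PKCS#8 PrivateKeyInfo encoding.
            type = "PRIVATE KEY";
            encoding = info.getEncoded();
        }
    } else if (o instanceof SubjectPublicKeyInfo) {
        type = "PUBLIC KEY";
        encoding = ((SubjectPublicKeyInfo) o).getEncoded();
    } else if (o instanceof X509AttributeCertificateHolder) {
        type = "ATTRIBUTE CERTIFICATE";
        encoding = ((X509AttributeCertificateHolder) o).getEncoded();
    } else if (o instanceof com.github.zhenwei.pkix.pkcs.PKCS10CertificationRequest) {
        type = "CERTIFICATE REQUEST";
        encoding = ((PKCS10CertificationRequest) o).getEncoded();
    } else if (o instanceof PKCS8EncryptedPrivateKeyInfo) {
        type = "ENCRYPTED PRIVATE KEY";
        encoding = ((PKCS8EncryptedPrivateKeyInfo) o).getEncoded();
    } else if (o instanceof ContentInfo) {
        type = "PKCS7";
        encoding = ((ContentInfo) o).getEncoded();
    } else {
        throw new PemGenerationException("unknown object passed - can't encode.");
    }

    if (encryptor == null) {
        return new PemObject(type, encoding);
    }
    return encryptPemObject(type, encoding);
}

/**
 * Build the traditional DSA private key SEQUENCE (version 0, p, q, g, y, x) from a PKCS#8
 * {@link PrivateKeyInfo}. PKCS#8 only carries the private value x, so the public value
 * y = g^x mod p is recomputed here.
 *
 * @param info the PKCS#8 structure holding the DSA key and its parameters.
 * @return the DER encoding of the SEQUENCE.
 * @throws IOException if the private key cannot be parsed or encoded.
 */
private static byte[] encodeDsaPrivateKey(PrivateKeyInfo info) throws IOException {
    DSAParameter params = DSAParameter.getInstance(info.getPrivateKeyAlgorithm().getParameters());
    BigInteger x = ASN1Integer.getInstance(info.parsePrivateKey()).getValue();
    BigInteger y = params.getG().modPow(x, params.getP());

    ASN1EncodableVector seq = new ASN1EncodableVector();
    seq.add(new ASN1Integer(0));
    seq.add(new ASN1Integer(params.getP()));
    seq.add(new ASN1Integer(params.getQ()));
    seq.add(new ASN1Integer(params.getG()));
    seq.add(new ASN1Integer(y));
    seq.add(new ASN1Integer(x));
    return new DERSequence(seq).getEncoded();
}

/**
 * Encrypt an already encoded body with the configured encryptor and wrap it with the
 * headers ({@code Proc-Type: 4,ENCRYPTED} and {@code DEK-Info: <alg>,<hex iv>}) that tell a
 * PEM reader which cipher and IV to use.
 *
 * @param type the PEM type label of the unencrypted body.
 * @param encoding the DER encoding to encrypt.
 * @return the encrypted PEM object with its two headers.
 * @throws IOException if encryption or IV encoding fails.
 */
private PemObject encryptPemObject(String type, byte[] encoding) throws IOException {
    String dekAlgName = Strings.toUpperCase(encryptor.getAlgorithm());
    // Note: For backward compatibility - the header spells triple-DES the way older readers expect.
    if (dekAlgName.equals("DESEDE")) {
        dekAlgName = "DES-EDE3-CBC";
    }
    byte[] iv = encryptor.getIV();
    byte[] encData = encryptor.encrypt(encoding);

    List<PemHeader> headers = new ArrayList<PemHeader>(2);
    headers.add(new PemHeader("Proc-Type", "4,ENCRYPTED"));
    headers.add(new PemHeader("DEK-Info", dekAlgName + "," + getHexEncoded(iv)));
    return new PemObject(type, headers, encData);
}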
the class CertificateConfirmationContentBuilder method build.
/**
 * Build the confirmation content for every accepted certificate: one {@code CertStatus}
 * per certificate, holding the digest of its DER encoding (computed with the digest
 * algorithm that {@code digestAlgFinder} maps from the certificate's signature
 * algorithm) paired with the request id stored at the same index in
 * {@code acceptedReqIds}.
 *
 * @param digesterProvider source of digest calculators for the algorithms found.
 * @return the confirmation content wrapping the assembled CertConfirmContent.
 * @throws CMPException if no digest algorithm can be derived for a certificate's
 *     signature algorithm, or if the provider cannot create the digest calculator.
 */
public CertificateConfirmationContent build(DigestCalculatorProvider digesterProvider) throws CMPException {
    ASN1EncodableVector statuses = new ASN1EncodableVector();
    int count = acceptedCerts.size();
    for (int idx = 0; idx < count; idx++) {
        X509CertificateHolder holder = (X509CertificateHolder) acceptedCerts.get(idx);
        BigInteger requestId = (BigInteger) acceptedReqIds.get(idx);
        statuses.add(certStatusFor(holder, requestId, digesterProvider));
    }
    CertConfirmContent content = CertConfirmContent.getInstance(new DERSequence(statuses));
    return new CertificateConfirmationContent(content, digestAlgFinder);
}

/**
 * Digest one accepted certificate and pair the digest with its request id.
 *
 * @throws CMPException if no digest algorithm is found for the certificate's signature
 *     algorithm, or the calculator cannot be created.
 */
private CertStatus certStatusFor(X509CertificateHolder holder, BigInteger requestId, DigestCalculatorProvider digesterProvider) throws CMPException {
    AlgorithmIdentifier digestAlg = digestAlgFinder.find(holder.toASN1Structure().getSignatureAlgorithm());
    if (digestAlg == null) {
        throw new CMPException("cannot find algorithm for digest from signature");
    }
    DigestCalculator digester;
    try {
        digester = digesterProvider.get(digestAlg);
    } catch (OperatorCreationException e) {
        throw new CMPException("unable to create digest: " + e.getMessage(), e);
    }
    // Stream the certificate's DER encoding into the calculator, then read the digest back.
    CMPUtil.derEncodeToStream(holder.toASN1Structure(), digester.getOutputStream());
    return new CertStatus(digester.getDigest(), requestId);
}
the class ProtectedPKIMessage method getCertificates.
/**
 * Return the extra certificates associated with this message.
 * <p>
 * Each {@code CMPCertificate} in the message's extraCerts field is wrapped as an
 * {@link X509CertificateHolder} via its X.509 v3 certificate; a message without an
 * extraCerts field yields an empty array rather than {@code null}.
 *
 * @return an array of extra certificates, zero length if none present.
 */
public X509CertificateHolder[] getCertificates() {
    CMPCertificate[] extraCerts = pkiMessage.getExtraCerts();
    int count = (extraCerts == null) ? 0 : extraCerts.length;
    X509CertificateHolder[] holders = new X509CertificateHolder[count];
    for (int idx = 0; idx < count; idx++) {
        // NOTE(review): assumes every entry carries an X.509 v3 certificate; other CMPCertificate
        // forms, if this fork supports any, are not handled here - confirm against CMPCertificate.
        holders[idx] = new X509CertificateHolder(extraCerts[idx].getX509v3PKCert());
    }
    return holders;
}
the class ESTService method getCACerts.
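/**
 * Query the EST server for ca certificates.
 * <p>
 * RFC7030 leans heavily on the verification phases of TLS for both client and server
 * verification.
 * <p>
 * It does however define a bootstrapping mode where if the client does not have the necessary ca
 * certificates to validate the server it can defer to an external source, such as a human, to
 * formally accept the ca certs.
 * <p>
 * If callers are using bootstrapping they must examine the CACertsResponse and validate it
 * externally.
 * <p>
 * A response is accepted only with status 200 and a {@code Content-Type} starting with
 * {@code application/pkcs7-mime}, or with status 204 (no content). When no body is present the
 * certificate and CRL stores in the returned response are {@code null}. The returned response
 * also carries {@code clientProvider.isTrusted()} so the caller can tell whether it came over a
 * verified connection or a bootstrapping one.
 *
 * @return A store of X509Certificates.
 * @throws ESTException on a transport failure, an unexpected status or content type, a decoding
 *     failure, or if the response cannot be closed after an otherwise successful request.
 */
public CACertsResponse getCACerts() throws ESTException {
    ESTResponse resp = null;
    Exception finalThrowable = null;
    CACertsResponse caCertsResponse = null;
    URL url = null;
    try {
        url = new URL(server + CACERTS);
        ESTClient client = clientProvider.makeClient();
        ESTRequest req = new ESTRequestBuilder("GET", url).withClient(client).build();
        resp = client.doRequest(req);

        Store<X509CertificateHolder> caCerts = null;
        Store<X509CRLHolder> crlHolderStore = null;
        if (resp.getStatusCode() == 200) {
            // Refuse to parse anything that does not announce itself as PKCS#7.
            String contentType = resp.getHeaders().getFirstValue("Content-Type");
            if (contentType == null || !contentType.startsWith("application/pkcs7-mime")) {
                String j = contentType != null ? " got " + contentType : " but was not present.";
                throw new ESTException(("Response : " + url.toString() + "Expecting application/pkcs7-mime ") + j, null, resp.getStatusCode(), resp.getInputStream());
            }
            try {
                if (resp.getContentLength() != null && resp.getContentLength() > 0) {
                    // The stream belongs to resp; presumably released by resp.close() in the finally block - confirm.
                    ASN1InputStream ain = new ASN1InputStream(resp.getInputStream());
                    SimplePKIResponse spkr = new SimplePKIResponse(ContentInfo.getInstance((ASN1Sequence) ain.readObject()));
                    caCerts = spkr.getCertificates();
                    crlHolderStore = spkr.getCRLs();
                }
            } catch (Throwable ex) {
                // Any parse failure (including a ClassCastException on a non-SEQUENCE body) is reported with the status.
                throw new ESTException("Decoding CACerts: " + url.toString() + " " + ex.getMessage(), ex, resp.getStatusCode(), resp.getInputStream());
            }
        } else if (resp.getStatusCode() != 204) { // 204 is No Content and is accepted as an empty answer
            throw new ESTException("Get CACerts: " + url.toString(), null, resp.getStatusCode(), resp.getInputStream());
        }
        caCertsResponse = new CACertsResponse(caCerts, crlHolderStore, req, resp.getSource(), clientProvider.isTrusted());
    } catch (Throwable t) {
        // ESTExceptions pass through unchanged; everything else (Errors included) is wrapped so callers see one type.
        if (t instanceof ESTException) {
            throw (ESTException) t;
        }
        throw new ESTException(t.getMessage(), t);
    } finally {
        if (resp != null) {
            try {
                resp.close();
            } catch (Exception t) {
                // Reported after the finally block: a close failure fails the call even after a successful read.
                finalThrowable = t;
            }
        }
    }
    if (finalThrowable != null) {
        if (finalThrowable instanceof ESTException) {
            throw (ESTException) finalThrowable;
        }
        // resp is non-null here: finalThrowable is only assigned inside the resp != null branch above.
        throw new ESTException("Get CACerts: " + url.toString(), finalThrowable, resp.getStatusCode(), null);
    }
    return caCertsResponse;
}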