
Example 6 with IssuerAndSerialNumber

use of com.github.zhenwei.pkix.util.asn1.cms.IssuerAndSerialNumber in project xipki by xipki.

the class CaUtil method verifyCsr.

// method sortX509Name
/**
 * Checks the proof-of-possession (POP) carried by a PKCS#10 certification request.
 *
 * <p>When the request's signature algorithm is one of the two DH-POP OIDs
 * ({@code id_alg_dhPop_x25519} / {@code id_alg_dhPop_x448}), the signature field is
 * parsed as a {@code DhSigStatic} structure and the issuer and serial number found in
 * it are used to look up a key/certificate pair through {@code dhpocControl}. The
 * request is rejected when no {@code dhpocControl} is supplied or the lookup yields
 * nothing. For any other algorithm no key/certificate pair is passed along.
 *
 * @param csr the certification request to check; must not be {@code null}
 * @param securityFactory performs the actual POP verification
 * @param algorithmValidator handed unchanged to {@code securityFactory.verifyPopo}
 * @param dhpocControl source of DH-POP key/certificate pairs; may be {@code null},
 *        in which case every DH-POP request is rejected
 * @return {@code false} if a DH-POP request cannot be matched to a key/certificate
 *         pair; otherwise the result of {@code securityFactory.verifyPopo}
 */
public static boolean verifyCsr(CertificationRequest csr, SecurityFactory securityFactory, AlgorithmValidator algorithmValidator, DhpocControl dhpocControl) {
    notNull(csr, "csr");
    final ASN1ObjectIdentifier sigAlgOid = csr.getSignatureAlgorithm().getAlgorithm();
    final boolean isDhPop = Xipki.id_alg_dhPop_x25519.equals(sigAlgOid) || Xipki.id_alg_dhPop_x448.equals(sigAlgOid);

    // Stays null for ordinary signature-based POP.
    DHSigStaticKeyCertPair dhKeyCertPair = null;
    if (isDhPop) {
        // Fail closed: without a DH-POP configuration there is nothing to verify against.
        if (dhpocControl == null) {
            return false;
        }
        // The issuer/serial pair is taken from the requester-supplied CSR, so it is only a
        // lookup key; the decision rests on what dhpocControl is willing to return for it.
        // NOTE(review): malformed signature bytes presumably surface as an unchecked
        // exception from getInstance rather than a false return - confirm callers cope.
        final DhSigStatic dhSig = DhSigStatic.getInstance(csr.getSignature().getBytes());
        final IssuerAndSerialNumber issuerAndSerial = dhSig.getIssuerAndSerial();
        final ASN1ObjectIdentifier subjectKeyOid = csr.getCertificationRequestInfo().getSubjectPublicKeyInfo().getAlgorithm().getAlgorithm();
        dhKeyCertPair = dhpocControl.getKeyCertPair(issuerAndSerial.getName(), issuerAndSerial.getSerialNumber().getValue(), EdECConstants.getName(subjectKeyOid));
        if (dhKeyCertPair == null) {
            return false;
        }
    }
    return securityFactory.verifyPopo(csr, algorithmValidator, dhKeyCertPair);
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) DhSigStatic(org.bouncycastle.asn1.crmf.DhSigStatic)

Example 7 with IssuerAndSerialNumber

use of com.github.zhenwei.pkix.util.asn1.cms.IssuerAndSerialNumber in project ett by onc-healthit.

the class PrivateCertificateLoader method getSMIMESignedGenerator.

/**
 * Builds an S/MIME signed-message generator that signs with the first certificate
 * of this loader's chain and this loader's private key.
 *
 * <p>The signed attributes carry an S/MIME capabilities list and an encryption key
 * preference; the signing certificate is bundled with the signature.
 *
 * @return a generator with one signer and the signing certificate attached
 * @throws CertificateEncodingException propagated from building the certificate store
 * @throws OperatorCreationException propagated from building the signer
 */
public SMIMESignedGenerator getSMIMESignedGenerator() throws CertificateEncodingException, OperatorCreationException {
    // Pair the first chain certificate with the private key.
    X509CertificateEx signerCert = X509CertificateEx.fromX509Certificate((X509Certificate) this.getChain()[0], this.getPrivateKey());

    // Certificates that travel inside the signature.
    Collection<X509Certificate> bundledCerts = new ArrayList<X509Certificate>();
    bundledCerts.add(signerCert);
    Store certStore = new JcaCertStore(bundledCerts);

    // Capabilities advertised to anyone who wants to send an encrypted reply.
    // NOTE(review): only legacy ciphers are advertised (3DES, 128-bit RC2, single DES);
    // no AES capability is listed, so a peer honouring this list will pick a weak
    // algorithm. Confirm this is intentional for interoperability before reusing it.
    SMIMECapabilityVector advertisedCaps = new SMIMECapabilityVector();
    advertisedCaps.addCapability(SMIMECapability.dES_EDE3_CBC);
    advertisedCaps.addCapability(SMIMECapability.rC2_CBC, 128);
    advertisedCaps.addCapability(SMIMECapability.dES_CBC);
    advertisedCaps.addCapability(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1"));
    advertisedCaps.addCapability(new ASN1ObjectIdentifier("1.2.840.113549.1.9.22.1"));

    ASN1EncodableVector signedAttributes = new ASN1EncodableVector();
    signedAttributes.add(new SMIMECapabilitiesAttribute(advertisedCaps));

    // Encryption key preference for encrypted responses. It points at the signing
    // certificate; normally a separate encryption certificate would be named here.
    // NOTE(review): the name is built from getSignDN() while the serial comes from the
    // signing certificate; IssuerAndSerialNumber expects the certificate's issuer name,
    // so confirm getSignDN() returns the issuer DN and not the subject DN.
    X500Name preferredKeyIssuer = new X500Name(this.getSignDN());
    IssuerAndSerialNumber preferredKeyId = new IssuerAndSerialNumber(preferredKeyIssuer, signerCert.getSerialNumber());
    signedAttributes.add(new SMIMEEncryptionKeyPreferenceAttribute(preferredKeyId));

    SMIMESignedGenerator generator = new SMIMESignedGenerator();

    // The signature algorithm is whatever digestAlgo names (not a fixed SHA-1), and the
    // attributes assembled above become the signed attributes of the signature.
    // NOTE(review): digestAlgo is defined outside this method; confirm it cannot be set
    // to a SHA-1 or MD5 based algorithm in deployments that need collision resistance.
    logger.info("Creating message with algorithm " + digestAlgo);
    JcaSimpleSignerInfoGeneratorBuilder signerBuilder = new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC");
    signerBuilder.setSignedAttributeGenerator(new AttributeTable(signedAttributes));
    generator.addSignerInfoGenerator(signerBuilder.build(digestAlgo, signerCert.getPrivateKey(), signerCert));

    // Attach the certificate store so verifiers receive the signing certificate.
    generator.addCertificates(certStore);
    return generator;
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) ArrayList(java.util.ArrayList) AttributeTable(org.bouncycastle.asn1.cms.AttributeTable) Store(org.bouncycastle.util.Store) JcaCertStore(org.bouncycastle.cert.jcajce.JcaCertStore) KeyStore(java.security.KeyStore) SMIMESignedGenerator(org.bouncycastle.mail.smime.SMIMESignedGenerator) JcaCertStore(org.bouncycastle.cert.jcajce.JcaCertStore) X500Name(org.bouncycastle.asn1.x500.X500Name) X509Certificate(java.security.cert.X509Certificate) SMIMEEncryptionKeyPreferenceAttribute(org.bouncycastle.asn1.smime.SMIMEEncryptionKeyPreferenceAttribute) SMIMECapabilityVector(org.bouncycastle.asn1.smime.SMIMECapabilityVector) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) SMIMECapabilitiesAttribute(org.bouncycastle.asn1.smime.SMIMECapabilitiesAttribute) JcaSimpleSignerInfoGeneratorBuilder(org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 8 with IssuerAndSerialNumber

use of com.github.zhenwei.pkix.util.asn1.cms.IssuerAndSerialNumber in project xipki by xipki.

the class ScepResponder method servicePkiOperation0.

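/**
 * Handles one decoded SCEP PKIOperation request and builds the CertRep reply.
 *
 * <p>The request is rejected before dispatch when it carries a decode failure, a
 * signature or decryption result of {@code false}, a signing time outside the
 * configured bias, or a digest / content-encryption algorithm the CA capabilities do
 * not allow. Accepted requests are dispatched on their message type.
 *
 * <p>Changes over the previous version: the challenge password is compared in
 * constant time and a missing password or secret is rejected instead of raising a
 * {@code NullPointerException}; every failure branch now returns the message built by
 * {@code buildPkiMessage}, as the early checks already did.
 *
 * @param req the decoded request
 * @return the reply message, with status SUCCESS, PENDING or FAILURE
 * @throws CaException if certificate or CRL generation fails unexpectedly
 */
private PkiMessage servicePkiOperation0(DecodedPkiMessage req) throws CaException {
    TransactionId tid = req.getTransactionId();
    PkiMessage rep = new PkiMessage(tid, MessageType.CertRep, Nonce.randomNonce());
    rep.setPkiStatus(PkiStatus.SUCCESS);
    // Echo the sender nonce so the client can bind this reply to its request.
    rep.setRecipientNonce(req.getSenderNonce());
    if (req.getFailureMessage() != null) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    // NOTE(review): a null result (validity not determined) is not treated as a failure
    // here or for decryption below - confirm the decoder never returns null for a
    // message whose signature was not actually verified.
    Boolean bo = req.isSignatureValid();
    if (bo != null && !bo) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badMessageCheck);
    }
    bo = req.isDecryptionSuccessful();
    if (bo != null && !bo) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    // Freshness check; skipped entirely when the configured bias is not positive.
    Date signingTime = req.getSigningTime();
    if (maxSigningTimeBiasInMs > 0) {
        boolean isTimeBad;
        if (signingTime == null) {
            // A request without a signing time cannot be shown to be fresh.
            isTimeBad = true;
        } else {
            long diff = Math.abs(System.currentTimeMillis() - signingTime.getTime());
            isTimeBad = diff > maxSigningTimeBiasInMs;
        }
        if (isTimeBad) {
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badTime);
        }
    }
    // check the digest algorithm: only SHA1, SHA256 and SHA512 are considered, and each
    // only when the CA capabilities allow it
    HashAlgo hashAlgo = req.getDigestAlgorithm();
    boolean supported = (hashAlgo == HashAlgo.SHA1 && caCaps.supportsSHA1())
        || (hashAlgo == HashAlgo.SHA256 && caCaps.supportsSHA256())
        || (hashAlgo == HashAlgo.SHA512 && caCaps.supportsSHA512());
    if (!supported) {
        LOG.warn("tid={}: unsupported digest algorithm {}", tid, hashAlgo);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    // check the content encryption algorithm: allow-list of 3DES-CBC and AES128-CBC,
    // everything else is refused
    ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm();
    if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) {
        if (!caCaps.supportsDES3()) {
            LOG.warn("tid={}: encryption with DES3 algorithm {} is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else if (CMSAlgorithm.AES128_CBC.equals(encOid)) {
        if (!caCaps.supportsAES()) {
            LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else {
        LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    // Defensive: every failure above has already returned.
    if (rep.getPkiStatus() == PkiStatus.FAILURE) {
        return rep;
    }
    MessageType messageType = req.getMessageType();
    switch(messageType) {
        case PKCSReq:
            boolean selfSigned = req.getSignatureCert().isSelfSigned();
            CertificationRequest csr = CertificationRequest.getInstance(req.getMessageData());
            if (selfSigned) {
                // A self-signed envelope certificate must name the same subject as the CSR.
                X500Name name = req.getSignatureCert().getSubject();
                if (!name.equals(csr.getCertificationRequestInfo().getSubject())) {
                    LOG.warn("tid={}: self-signed cert.subject != CSR.subject", tid);
                    return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
                }
            }
            // The challenge password is the shared secret that authorises enrolment, so it
            // is compared in constant time; a missing value on either side is a mismatch.
            String challengePwd = getChallengePassword(csr.getCertificationRequestInfo());
            String expectedSecret = control.getSecret();
            boolean secretMatches = expectedSecret != null && challengePwd != null
                && java.security.MessageDigest.isEqual(
                    expectedSecret.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                    challengePwd.getBytes(java.nio.charset.StandardCharsets.UTF_8));
            if (!secretMatches) {
                LOG.warn("challengePassword is not trusted");
                return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            }
            X509Cert cert;
            try {
                cert = caEmulator.generateCert(csr);
            } catch (Exception ex) {
                throw new CaException("system failure: " + ex.getMessage(), ex);
            }
            if (cert == null) {
                return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            if (control.isPendingCert()) {
                // Certificate exists but is withheld; the client is expected to poll.
                rep.setPkiStatus(PkiStatus.PENDING);
            } else {
                ContentInfo messageData = createSignedData(cert);
                rep.setMessageData(messageData);
            }
            break;
        case CertPoll:
            IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData());
            cert = caEmulator.pollCert(is.getIssuer(), is.getSubject());
            if (cert == null) {
                return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            rep.setMessageData(createSignedData(cert));
            break;
        case GetCert:
            IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
            cert = caEmulator.getCert(isn.getName(), isn.getSerialNumber().getValue());
            if (cert == null) {
                return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            rep.setMessageData(createSignedData(cert));
            break;
        case RenewalReq:
            if (!caCaps.supportsRenewal()) {
                return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            }
            // NOTE(review): unlike PKCSReq, no challenge password or subject check is
            // applied in this branch; presumably authorisation rests on the certificate
            // that signed the request - confirm it is validated before this point.
            csr = CertificationRequest.getInstance(req.getMessageData());
            try {
                cert = caEmulator.generateCert(csr);
            } catch (Exception ex) {
                throw new CaException("system failure: " + ex.getMessage(), ex);
            }
            if (cert == null) {
                return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            rep.setMessageData(createSignedData(cert));
            break;
        case GetCRL:
            isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
            CertificateList crl;
            try {
                crl = caEmulator.getCrl(isn.getName(), isn.getSerialNumber().getValue());
            } catch (Exception ex) {
                throw new CaException("system failure: " + ex.getMessage(), ex);
            }
            if (crl == null) {
                return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            rep.setMessageData(createSignedData(crl));
            break;
        default:
            // Unknown or unsupported message type.
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    return rep;
}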
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) HashAlgo(org.xipki.security.HashAlgo) CertificateList(org.bouncycastle.asn1.x509.CertificateList) X500Name(org.bouncycastle.asn1.x500.X500Name) ASN1String(org.bouncycastle.asn1.ASN1String) Date(java.util.Date) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) X509Cert(org.xipki.security.X509Cert) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)

Example 9 with IssuerAndSerialNumber

use of com.github.zhenwei.pkix.util.asn1.cms.IssuerAndSerialNumber in project xipki by xipki.

the class Client method scepGetCrl.

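/**
 * Requests a CRL from the SCEP server, identified by issuer name and serial number.
 *
 * <p>The GetCRL message is enveloped and signed with the given identity, sent as a
 * PKIOperation, and the reply is decoded with the same identity. A reply whose status
 * is not SUCCESS, or which reports SUCCESS without any message data, is reported as a
 * {@code ScepClientException}; previously the missing-data case ended in a
 * {@code NullPointerException}.
 *
 * @param identityKey private key used to sign the request and decrypt the reply
 * @param identityCert certificate matching {@code identityKey}
 * @param issuer issuer name placed in the request
 * @param serialNumber certificate serial number placed in the request
 * @return the CRL extracted from the reply
 * @throws ScepClientException if the server does not report SUCCESS, the reply has no
 *         message data, or the CRL cannot be extracted
 */
public X509CRLHolder scepGetCrl(PrivateKey identityKey, X509Cert identityCert, X500Name issuer, BigInteger serialNumber) throws ScepClientException {
    Args.notNull(identityKey, "identityKey");
    Args.notNull(identityCert, "identityCert");
    Args.notNull(issuer, "issuer");
    Args.notNull(serialNumber, "serialNumber");
    initIfNotInited();
    PkiMessage pkiMessage = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCRL);
    IssuerAndSerialNumber isn = new IssuerAndSerialNumber(issuer, serialNumber);
    pkiMessage.setMessageData(isn);
    ContentInfo request = encryptThenSign(pkiMessage, identityKey, identityCert);
    ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, request);
    CMSSignedData cmsSignedData = parsePkiMessage(httpResp.getContentBytes());
    // NOTE(review): checks of the reply's signature, nonce and transaction id are
    // presumably done inside decode(...) - confirm, since nothing here repeats them.
    PkiMessage response = decode(cmsSignedData, identityKey, identityCert);
    if (response.getPkiStatus() != PkiStatus.SUCCESS) {
        throw new ScepClientException("server returned " + response.getPkiStatus());
    }
    // The reply comes from the network: SUCCESS without a payload is a protocol error,
    // not something to dereference.
    ContentInfo messageData = ContentInfo.getInstance(response.getMessageData());
    if (messageData == null || messageData.getContent() == null) {
        throw new ScepClientException("server returned " + response.getPkiStatus() + " without message data");
    }
    try {
        return ScepUtil.getCrlFromPkiMessage(SignedData.getInstance(messageData.getContent()));
    } catch (CRLException ex) {
        throw new ScepClientException(ex.getMessage(), ex);
    }
}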
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) CMSSignedData(org.bouncycastle.cms.CMSSignedData) CRLException(java.security.cert.CRLException)

Example 10 with IssuerAndSerialNumber

use of com.github.zhenwei.pkix.util.asn1.cms.IssuerAndSerialNumber in project xipki by xipki.

the class CaUtil method verifyCsr.

// method sortX509Name
/**
 * Checks the proof-of-possession (POP) carried by a PKCS#10 certification request.
 *
 * <p>When the request's signature algorithm is one of the two DH-POP OIDs
 * ({@code id_alg_dhPop_x25519} / {@code id_alg_dhPop_x448}), the signature field is
 * parsed as a {@code DhSigStatic} structure and the issuer and serial number found in
 * it are used to look up a key/certificate pair through {@code popControl}; the
 * request is rejected when that lookup yields nothing. For any other algorithm no
 * key/certificate pair is passed along.
 *
 * @param csr the certification request to check; must not be {@code null}
 * @param securityFactory performs the actual POP verification
 * @param popControl supplies the DH-POP key/certificate pairs and the POP algorithm
 *        validator; must not be {@code null}
 * @return {@code false} if a DH-POP request cannot be matched to a key/certificate
 *         pair; otherwise the result of {@code securityFactory.verifyPop}
 */
public static boolean verifyCsr(CertificationRequest csr, SecurityFactory securityFactory, PopControl popControl) {
    notNull(csr, "csr");
    notNull(popControl, "popControl");
    final ASN1ObjectIdentifier sigAlgOid = csr.getSignatureAlgorithm().getAlgorithm();
    final boolean isDhPop = Xipki.id_alg_dhPop_x25519.equals(sigAlgOid) || Xipki.id_alg_dhPop_x448.equals(sigAlgOid);

    // Stays null for ordinary signature-based POP.
    DHSigStaticKeyCertPair dhKeyCertPair = null;
    if (isDhPop) {
        // The issuer/serial pair is taken from the requester-supplied CSR, so it is only a
        // lookup key; the decision rests on what popControl is willing to return for it.
        // NOTE(review): malformed signature bytes presumably surface as an unchecked
        // exception from getInstance rather than a false return - confirm callers cope.
        final DhSigStatic dhSig = DhSigStatic.getInstance(csr.getSignature().getBytes());
        final IssuerAndSerialNumber issuerAndSerial = dhSig.getIssuerAndSerial();
        final ASN1ObjectIdentifier subjectKeyOid = csr.getCertificationRequestInfo().getSubjectPublicKeyInfo().getAlgorithm().getAlgorithm();
        dhKeyCertPair = popControl.getDhKeyCertPair(issuerAndSerial.getName(), issuerAndSerial.getSerialNumber().getValue(), EdECConstants.getName(subjectKeyOid));
        if (dhKeyCertPair == null) {
            // Fail closed: no configured pair matches the one named in the request.
            return false;
        }
    }
    final AlgorithmValidator popValidator = popControl.getPopAlgoValidator();
    return securityFactory.verifyPop(csr, popValidator, dhKeyCertPair);
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) DhSigStatic(org.bouncycastle.asn1.crmf.DhSigStatic)

Aggregations

IssuerAndSerialNumber (org.bouncycastle.asn1.cms.IssuerAndSerialNumber)21 ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)8 X500Name (org.bouncycastle.asn1.x500.X500Name)8 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)7 CMSSignedData (org.bouncycastle.cms.CMSSignedData)5 IssuerAndSerialNumber (com.github.zhenwei.pkix.util.asn1.cms.IssuerAndSerialNumber)4 Date (java.util.Date)4 Cipher (javax.crypto.Cipher)4 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)4 ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)4 DEROctetString (org.bouncycastle.asn1.DEROctetString)4 DhSigStatic (org.bouncycastle.asn1.crmf.DhSigStatic)4 CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)4 SMIMEEncryptionKeyPreferenceAttribute (org.bouncycastle.asn1.smime.SMIMEEncryptionKeyPreferenceAttribute)4 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3 KeyTransRecipientInfo (org.bouncycastle.asn1.cms.KeyTransRecipientInfo)3 RecipientIdentifier (org.bouncycastle.asn1.cms.RecipientIdentifier)3 AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)3 ByteArrayInputStream (java.io.ByteArrayInputStream)2 BigInteger (java.math.BigInteger)2