
Example 76 with Certificate

use of com.google.cloud.security.privateca.v1.Certificate in project xipki by xipki.

the class CaLoadTestRevokeCmd method execute0.

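/**
 * Runs the certificate-revocation load test.
 *
 * <p>The serial numbers to revoke come either from the CA database ({@code caDbConfFile})
 * or from a plain file ({@code serialNumberFile}); exactly one of the two must be given.
 * The database connection properties are only read when the database source is selected
 * (previously the properties file was opened unconditionally, which fails with a null
 * {@code caDbConfFile}), and the properties file is closed right after loading.
 *
 * @return always {@code null}; the load test reports its own results
 * @throws IllegalCmdParamException for a thread count below 1 or an invalid source selection
 * @throws Exception anything propagated from file access, the data source or the load test
 */
@Override
protected Object execute0() throws Exception {
    if (numThreads < 1) {
        throw new IllegalCmdParamException("invalid number of threads " + numThreads);
    }
    // XOR: exactly one of the two serial-number sources must be configured
    if (!(serialNumberFile == null ^ caDbConfFile == null)) {
        throw new IllegalCmdParamException("exactly one of ca-db and serial-file must be specified");
    }
    String description = StringUtil.concatObjectsCap(200, "issuer: ", issuerCertFile, "\ncadb: ", caDbConfFile, "\nserialNumberFile: ", serialNumberFile, "\nmaxCerts: ", maxCerts, "\n#certs/req: ", num, "\nunit: ", num, " certificate", (num > 1 ? "s" : ""), "\n");
    Certificate caCert = Certificate.getInstance(IoUtil.read(issuerCertFile));

    DataSourceWrapper caDataSource = null;
    Iterator<BigInteger> serialNumberIterator = null;
    // Everything that acquires a resource runs inside the try so the finally block can
    // release it even when a later constructor (e.g. the DB iterator) throws.
    try {
        if (caDbConfFile != null) {
            Properties props = new Properties();
            try (FileInputStream in = new FileInputStream(IoUtil.expandFilepath(caDbConfFile))) {
                props.load(in);
            }
            // the load test only reads serial numbers: a single read-only, non-autocommit connection
            props.setProperty("autoCommit", "false");
            props.setProperty("readOnly", "true");
            props.setProperty("maximumPoolSize", "1");
            props.setProperty("minimumIdle", "1");
            caDataSource = new DataSourceFactory().createDataSource("ds-" + caDbConfFile, props, securityFactory.getPasswordResolver());
            serialNumberIterator = new DbGoodCertSerialIterator(caCert, caDataSource);
        } else {
            serialNumberIterator = new FileBigIntegerIterator(serialNumberFile, hex, false);
        }

        CaLoadTestRevoke loadTest = new CaLoadTestRevoke(caClient, caCert, serialNumberIterator, maxCerts, num, description);
        loadTest.setDuration(duration);
        loadTest.setThreads(numThreads);
        loadTest.test();
    } finally {
        if (caDataSource != null) {
            caDataSource.close();
        }
        // instanceof is false for null, so this is safe when the iterator was never created
        if (serialNumberIterator instanceof FileBigIntegerIterator) {
            ((FileBigIntegerIterator) serialNumberIterator).close();
        }
    }
    return null;
}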
Also used : DataSourceFactory(org.xipki.datasource.DataSourceFactory) IllegalCmdParamException(org.xipki.console.karaf.IllegalCmdParamException) BigInteger(java.math.BigInteger) DataSourceWrapper(org.xipki.datasource.DataSourceWrapper) Properties(java.util.Properties) FileBigIntegerIterator(org.xipki.common.util.FileBigIntegerIterator) FileInputStream(java.io.FileInputStream) Certificate(org.bouncycastle.asn1.x509.Certificate)

Example 77 with Certificate

use of com.google.cloud.security.privateca.v1.Certificate in project xipki by xipki.

the class X509CertprofileQa method checkCert.

// constructor
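/**
 * Checks an issued certificate against the configured certificate profile and its issuer.
 *
 * <p>Each check is recorded as a {@link ValidationIssue}. A failing check sets the issue's
 * failure message but does not stop the run, so the caller receives every finding at once;
 * the only early return is a certificate that cannot be decoded at all. Null checks are done
 * via {@code ParamUtil.requireNonNull} for the first four arguments; {@code requestedExtensions}
 * is handed unchanged to the extensions checker.
 *
 * @param certBytes DER encoding of the certificate under test
 * @param issuerInfo the CA expected to have signed the certificate, with its validity bounds
 * @param requestedSubject subject from the request, compared with the issued subject
 * @param requestedPublicKey public key from the request, compared with the issued key
 * @param requestedExtensions extensions from the request, passed to the extensions checker
 * @return every issue that was evaluated, whether it failed or not
 */
public ValidationResult checkCert(byte[] certBytes, X509IssuerInfo issuerInfo, X500Name requestedSubject, SubjectPublicKeyInfo requestedPublicKey, Extensions requestedExtensions) {
    ParamUtil.requireNonNull("certBytes", certBytes);
    ParamUtil.requireNonNull("issuerInfo", issuerInfo);
    ParamUtil.requireNonNull("requestedSubject", requestedSubject);
    ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
    List<ValidationIssue> resultIssues = new LinkedList<ValidationIssue>();

    // certificate size (a configured maximum of 0 means "no limit"; null is treated the same)
    ValidationIssue issue = newRecordedIssue(resultIssues, "X509.SIZE", "certificate size");
    Integer maxSize = certProfile.getMaxSize();
    if (maxSize != null && maxSize != 0) {
        int size = certBytes.length;
        if (size > maxSize) {
            issue.setFailureMessage(String.format("certificate exceeds the maximal allowed size: %d > %d", size, maxSize));
        }
    }

    // certificate encoding: without a parseable certificate nothing else can be checked
    issue = newRecordedIssue(resultIssues, "X509.ENCODING", "certificate encoding");
    Certificate bcCert;
    TBSCertificate tbsCert;
    X509Certificate cert;
    try {
        bcCert = Certificate.getInstance(certBytes);
        tbsCert = bcCert.getTBSCertificate();
        cert = X509Util.parseCert(certBytes);
    } catch (CertificateException ex) {
        issue.setFailureMessage("certificate is not correctly encoded");
        return new ValidationResult(resultIssues);
    } catch (RuntimeException ex) {
        // Certificate.getInstance() reports malformed DER with an unchecked exception;
        // record it as an encoding failure instead of letting it escape the QA run
        issue.setFailureMessage("certificate is not correctly encoded");
        return new ValidationResult(resultIssues);
    }

    // syntax version
    issue = newRecordedIssue(resultIssues, "X509.VERSION", "certificate version");
    int versionNumber = tbsCert.getVersionNumber();
    X509CertVersion expVersion = certProfile.getVersion();
    if (versionNumber != expVersion.getVersionNumber()) {
        issue.setFailureMessage("is '" + versionNumber + "' but expected '" + expVersion.getVersionNumber() + "'");
    }

    // serialNumber: RFC 5280 requires a positive INTEGER of at most 20 octets. A positive
    // value with 160 or more significant bits needs a leading zero octet in DER and so
    // encodes to 21 octets or more, which is why the bit-length test uses 160.
    issue = newRecordedIssue(resultIssues, "X509.serialNumber", "certificate serial number");
    BigInteger serialNumber = tbsCert.getSerialNumber().getValue();
    if (serialNumber.signum() != 1) {
        issue.setFailureMessage("not positive");
    } else if (serialNumber.bitLength() >= 160) {
        issue.setFailureMessage("serial number has more than 20 octets");
    }

    // signatureAlgorithm (only checked when the profile restricts the allowed algorithms)
    List<String> signatureAlgorithms = certProfile.getSignatureAlgorithms();
    if (CollectionUtil.isNonEmpty(signatureAlgorithms)) {
        issue = newRecordedIssue(resultIssues, "X509.SIGALG", "signature algorithm");
        AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm();
        AlgorithmIdentifier tbsSigAlgId = tbsCert.getSignature();
        // the outer signatureAlgorithm and the signed tbsCertificate.signature must agree
        if (!tbsSigAlgId.equals(sigAlgId)) {
            issue.setFailureMessage("Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm");
        }
        try {
            String sigAlgo = AlgorithmUtil.getSignatureAlgoName(sigAlgId);
            if (!issue.isFailed()) {
                if (!signatureAlgorithms.contains(sigAlgo)) {
                    issue.setFailureMessage("signatureAlgorithm '" + sigAlgo + "' is not allowed");
                }
            }
            // check parameters: the identifier must match the canonical one for that name
            if (!issue.isFailed()) {
                AlgorithmIdentifier expSigAlgId = AlgorithmUtil.getSigAlgId(sigAlgo);
                if (!expSigAlgId.equals(sigAlgId)) {
                    issue.setFailureMessage("invalid parameters");
                }
            }
        } catch (NoSuchAlgorithmException ex) {
            issue.setFailureMessage("unsupported signature algorithm " + sigAlgId.getAlgorithm().getId());
        }
    }

    // notBefore / notAfter encoding. checkTime (defined outside this method) fills in the
    // issue only; it has no access to resultIssues, so both issues are recorded here like
    // every other one (previously their outcome was dropped).
    issue = newRecordedIssue(resultIssues, "X509.NOTBEFORE.ENCODING", "notBefore encoding");
    checkTime(tbsCert.getStartDate(), issue);
    issue = newRecordedIssue(resultIssues, "X509.NOTAFTER.ENCODING", "notAfter encoding");
    // was getStartDate(): the notAfter encoding was never actually checked
    checkTime(tbsCert.getEndDate(), issue);

    // notBefore: optionally required to be exactly midnight UTC
    if (certProfile.isNotBeforeMidnight()) {
        issue = newRecordedIssue(resultIssues, "X509.NOTBEFORE", "notBefore midnight");
        Calendar cal = Calendar.getInstance(UTC);
        cal.setTime(cert.getNotBefore());
        int hourOfDay = cal.get(Calendar.HOUR_OF_DAY);
        int minute = cal.get(Calendar.MINUTE);
        int second = cal.get(Calendar.SECOND);
        if (hourOfDay != 0 || minute != 0 || second != 0) {
            issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time (UTC)");
        }
    }

    // validity: the expected notAfter is notBefore + profile validity, capped at
    // MAX_CERT_TIME_MS and, when the issuer cuts off, at the CA's own notAfter; one minute
    // of tolerance is allowed against the actual notAfter.
    issue = newRecordedIssue(resultIssues, "X509.VALIDITY", "cert validity");
    if (cert.getNotAfter().before(cert.getNotBefore())) {
        issue.setFailureMessage("notAfter must not be before notBefore");
    } else if (cert.getNotBefore().before(issuerInfo.getCaNotBefore())) {
        issue.setFailureMessage("notBefore must not be before CA's notBefore");
    } else {
        CertValidity validity = certProfile.getValidity();
        Date expectedNotAfter = validity.add(cert.getNotBefore());
        if (expectedNotAfter.getTime() > MAX_CERT_TIME_MS) {
            expectedNotAfter = new Date(MAX_CERT_TIME_MS);
        }
        if (issuerInfo.isCutoffNotAfter() && expectedNotAfter.after(issuerInfo.getCaNotAfter())) {
            expectedNotAfter = issuerInfo.getCaNotAfter();
        }
        if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) {
            issue.setFailureMessage("cert validity is not within " + validity.toString());
        }
    }

    // subjectPublicKeyInfo
    resultIssues.addAll(publicKeyChecker.checkPublicKey(bcCert.getSubjectPublicKeyInfo(), requestedPublicKey));

    // Signature: any verification failure (bad signature, unsupported algorithm, provider
    // problem) counts as an invalid signature from the QA point of view
    issue = newRecordedIssue(resultIssues, "X509.SIG", "whether certificate is signed by CA");
    try {
        cert.verify(issuerInfo.getCert().getPublicKey(), "BC");
    } catch (Exception ex) {
        issue.setFailureMessage("invalid signature");
    }

    // issuer
    issue = newRecordedIssue(resultIssues, "X509.ISSUER", "certificate issuer");
    if (!cert.getIssuerX500Principal().equals(issuerInfo.getCert().getSubjectX500Principal())) {
        issue.setFailureMessage("issuer in certificate does not equal the subject of CA certificate");
    }

    // subject
    resultIssues.addAll(subjectChecker.checkSubject(bcCert.getSubject(), requestedSubject));

    // issuerUniqueID / subjectUniqueID: never permitted by this profile
    issue = newRecordedIssue(resultIssues, "X509.IssuerUniqueID", "issuerUniqueID");
    if (tbsCert.getIssuerUniqueId() != null) {
        issue.setFailureMessage("is present but not permitted");
    }
    issue = newRecordedIssue(resultIssues, "X509.SubjectUniqueID", "subjectUniqueID");
    if (tbsCert.getSubjectUniqueId() != null) {
        issue.setFailureMessage("is present but not permitted");
    }

    // extensions (the GrantedSubject issue is recorded as passed; nothing here fails it)
    issue = newRecordedIssue(resultIssues, "X509.GrantedSubject", "grantedSubject");
    resultIssues.addAll(extensionsChecker.checkExtensions(bcCert, issuerInfo, requestedExtensions, requestedSubject));

    return new ValidationResult(resultIssues);
}

/**
 * Creates a {@link ValidationIssue} and records it in {@code issues} immediately, so that a
 * check cannot be silently lost by forgetting the {@code add} call.
 *
 * @param issues the result list the issue is appended to
 * @param code the issue code, e.g. {@code "X509.VERSION"}
 * @param description human-readable description of the check
 * @return the new, not yet failed issue
 */
private static ValidationIssue newRecordedIssue(List<ValidationIssue> issues, String code, String description) {
    ValidationIssue issue = new ValidationIssue(code, description);
    issues.add(issue);
    return issue;
}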
Also used : CertValidity(org.xipki.ca.api.profile.CertValidity) Calendar(java.util.Calendar) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ValidationResult(org.xipki.common.qa.ValidationResult) ValidationIssue(org.xipki.common.qa.ValidationIssue) LinkedList(java.util.LinkedList) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) CertprofileException(org.xipki.ca.api.profile.CertprofileException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) BigInteger(java.math.BigInteger) X509CertVersion(org.xipki.ca.api.profile.x509.X509CertVersion) BigInteger(java.math.BigInteger) TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate) TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)

Example 78 with Certificate

use of com.google.cloud.security.privateca.v1.Certificate in project jasn1 by openmuc.

the class OtherSignedNotification method decode.

/**
 * Decodes this SEQUENCE from a BER stream.
 *
 * <p>The four components are mandatory and positional: {@code tbsOtherNotification},
 * {@code euiccNotificationSignature} (APPLICATION 55, primitive), {@code euiccCertificate}
 * and {@code eumCertificate}. The two certificates carry the same tag, so they are told apart
 * by position only. Further components inside the sequence are consumed and discarded as
 * unknown; they are not retained in this object.
 *
 * @param is the stream to read from
 * @param withTag whether the sequence's own tag precedes the length and must be read first
 * @return the total number of bytes consumed (tag and length bytes plus content bytes)
 * @throws IOException on a read error, when a tag does not match the expected mandatory
 *     component, or when a definite-length sequence ends at an unexpected point
 */
public int decode(InputStream is, boolean withTag) throws IOException {
    // tlByteCount: bytes of this sequence's own tag and length; vByteCount: content bytes
    int tlByteCount = 0;
    int vByteCount = 0;
    BerTag berTag = new BerTag();
    if (withTag) {
        tlByteCount += tag.decodeAndCheck(is);
    }
    BerLength length = new BerLength();
    tlByteCount += length.decode(is);
    // a negative value means indefinite length: the content is terminated by an end-of-contents octet
    int lengthVal = length.val;
    vByteCount += berTag.decode(is);
    if (berTag.equals(NotificationMetadata.tag)) {
        tbsOtherNotification = new NotificationMetadata();
        vByteCount += tbsOtherNotification.decode(is, false);
        vByteCount += berTag.decode(is);
    } else {
        throw new IOException("Tag does not match mandatory sequence component.");
    }
    if (berTag.equals(BerTag.APPLICATION_CLASS, BerTag.PRIMITIVE, 55)) {
        euiccNotificationSignature = new BerOctetString();
        vByteCount += euiccNotificationSignature.decode(is, false);
        vByteCount += berTag.decode(is);
    } else {
        throw new IOException("Tag does not match mandatory sequence component.");
    }
    // first Certificate by position: the eUICC certificate
    if (berTag.equals(Certificate.tag)) {
        euiccCertificate = new Certificate();
        vByteCount += euiccCertificate.decode(is, false);
        vByteCount += berTag.decode(is);
    } else {
        throw new IOException("Tag does not match mandatory sequence component.");
    }
    // second Certificate by position: the EUM certificate, the last mandatory component
    if (berTag.equals(Certificate.tag)) {
        eumCertificate = new Certificate();
        vByteCount += eumCertificate.decode(is, false);
        // a definite-length sequence may end exactly here
        if (lengthVal >= 0 && vByteCount == lengthVal) {
            return tlByteCount + vByteCount;
        }
        vByteCount += berTag.decode(is);
    } else {
        throw new IOException("Tag does not match mandatory sequence component.");
    }
    if (lengthVal < 0) {
        // indefinite length: skip unknown components until the end-of-contents tag (0, 0, 0)
        while (!berTag.equals(0, 0, 0)) {
            vByteCount += DecodeUtil.decodeUnknownComponent(is);
            vByteCount += berTag.decode(is);
        }
        vByteCount += BerLength.readEocByte(is);
        return tlByteCount + vByteCount;
    } else {
        // definite length: skip unknown components until the declared length is consumed
        while (vByteCount < lengthVal) {
            vByteCount += DecodeUtil.decodeUnknownComponent(is);
            if (vByteCount == lengthVal) {
                return tlByteCount + vByteCount;
            }
            vByteCount += berTag.decode(is);
        }
    }
    // reached only when the consumed bytes overshoot the declared length
    throw new IOException("Unexpected end of sequence, length tag: " + lengthVal + ", bytes decoded: " + vByteCount);
}
Also used : IOException(java.io.IOException) Certificate(com.beanit.asn1bean.compiler.pkix1explicit88.Certificate)

Example 79 with Certificate

use of com.google.cloud.security.privateca.v1.Certificate in project jasn1 by openmuc.

the class PrepareDownloadRequest method decode.

/**
 * Decodes this SEQUENCE from a BER stream.
 *
 * <p>Components, in order: {@code smdpSigned2} (mandatory), {@code smdpSignature2}
 * (APPLICATION 55, primitive, mandatory), {@code hashCc} (optional: its absence is not an
 * error, the next tag is simply examined) and {@code smdpCertificate} (mandatory, last).
 * Further components inside the sequence are consumed and discarded as unknown; they are
 * not retained in this object.
 *
 * @param is the stream to read from
 * @param withTag whether the sequence's own tag precedes the length and must be read first
 * @return the total number of bytes consumed (tag and length bytes plus content bytes)
 * @throws IOException on a read error, when a tag does not match the expected mandatory
 *     component, or when a definite-length sequence ends at an unexpected point
 */
public int decode(InputStream is, boolean withTag) throws IOException {
    // tlByteCount: bytes of this sequence's own tag and length; vByteCount: content bytes
    int tlByteCount = 0;
    int vByteCount = 0;
    BerTag berTag = new BerTag();
    if (withTag) {
        tlByteCount += tag.decodeAndCheck(is);
    }
    BerLength length = new BerLength();
    tlByteCount += length.decode(is);
    // a negative value means indefinite length: the content is terminated by an end-of-contents octet
    int lengthVal = length.val;
    vByteCount += berTag.decode(is);
    if (berTag.equals(SmdpSigned2.tag)) {
        smdpSigned2 = new SmdpSigned2();
        vByteCount += smdpSigned2.decode(is, false);
        vByteCount += berTag.decode(is);
    } else {
        throw new IOException("Tag does not match mandatory sequence component.");
    }
    if (berTag.equals(BerTag.APPLICATION_CLASS, BerTag.PRIMITIVE, 55)) {
        smdpSignature2 = new BerOctetString();
        vByteCount += smdpSignature2.decode(is, false);
        vByteCount += berTag.decode(is);
    } else {
        throw new IOException("Tag does not match mandatory sequence component.");
    }
    // optional component: no else branch, the tag falls through to the next check
    if (berTag.equals(Octet32.tag)) {
        hashCc = new Octet32();
        vByteCount += hashCc.decode(is, false);
        vByteCount += berTag.decode(is);
    }
    // last mandatory component
    if (berTag.equals(Certificate.tag)) {
        smdpCertificate = new Certificate();
        vByteCount += smdpCertificate.decode(is, false);
        // a definite-length sequence may end exactly here
        if (lengthVal >= 0 && vByteCount == lengthVal) {
            return tlByteCount + vByteCount;
        }
        vByteCount += berTag.decode(is);
    } else {
        throw new IOException("Tag does not match mandatory sequence component.");
    }
    if (lengthVal < 0) {
        // indefinite length: skip unknown components until the end-of-contents tag (0, 0, 0)
        while (!berTag.equals(0, 0, 0)) {
            vByteCount += DecodeUtil.decodeUnknownComponent(is);
            vByteCount += berTag.decode(is);
        }
        vByteCount += BerLength.readEocByte(is);
        return tlByteCount + vByteCount;
    } else {
        // definite length: skip unknown components until the declared length is consumed
        while (vByteCount < lengthVal) {
            vByteCount += DecodeUtil.decodeUnknownComponent(is);
            if (vByteCount == lengthVal) {
                return tlByteCount + vByteCount;
            }
            vByteCount += berTag.decode(is);
        }
    }
    // reached only when the consumed bytes overshoot the declared length
    throw new IOException("Unexpected end of sequence, length tag: " + lengthVal + ", bytes decoded: " + vByteCount);
}
Also used : IOException(java.io.IOException) Certificate(com.beanit.asn1bean.compiler.pkix1explicit88.Certificate)

Example 80 with Certificate

use of com.google.cloud.security.privateca.v1.Certificate in project xipki by xipki.

the class OcspCertStoreFromCaDbImporter method importCert0.

// method importCert
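/**
 * Imports the certificates of one ZIP archive of the CA certstore export into the OCSP
 * certificate table.
 *
 * <p>The archive holds an {@code overview.json} describing every certificate (id, CA id,
 * revocation fields, file name of the DER encoding) plus the certificate files themselves.
 * An entry is skipped when its id is below {@code minId} (resume support), when
 * {@code revokedOnly} is set and the entry is not revoked, or when its CA id is not in
 * {@code caIds}. Rows are added in batches of {@code numCertsPerCommit}; after every commit
 * (and at the end of the archive) a progress marker {@code "<processed>:<lastId>"} is written
 * to {@code processLogFile} so an interrupted import can be resumed later.
 *
 * @param certhashAlgo hash algorithm used for the stored certificate hash column
 * @param psCert prepared statement for the certificate insert, columns bound in order below
 * @param certsZipFile path of the archive to import
 * @param revokedOnly import only revoked certificates
 * @param caIds ids of the CAs whose certificates are imported
 * @param minId entries with a smaller id were imported by an earlier run and are skipped
 * @param processLogFile file receiving the progress marker
 * @param processLog progress counter of all processed entries
 * @param numProcessedInLastProcess entries processed by earlier runs, added to the marker
 * @param importLog progress counter of the entries actually imported
 * @return the id of the last entry of the archive after its batch was committed
 * @throws InterruptedException when {@code stopMe} is set
 * @throws CertificateException when a certificate file cannot be parsed
 * @throws IOException when the archive, {@code overview.json} or a listed certificate file is missing or unreadable
 * @throws Exception database errors (translated via {@code translate}) and anything else that escapes the batch commit
 */
private long importCert0(HashAlgo certhashAlgo, PreparedStatement psCert, String certsZipFile, boolean revokedOnly, List<Integer> caIds, long minId, File processLogFile, ProcessLog processLog, int numProcessedInLastProcess, ProcessLog importLog) throws Exception {
    // One try-with-resources covers parsing of the overview and the import loop, so the
    // archive is closed on every exit path without a separate close-in-catch.
    try (ZipFile zipFile = new ZipFile(new File(certsZipFile))) {
        ZipEntry certsEntry = zipFile.getEntry("overview.json");
        if (certsEntry == null) {
            throw new IOException("entry overview.json not found in ZIP file " + certsZipFile);
        }
        CaCertstore.Certs certs = JSON.parseObject(zipFile.getInputStream(certsEntry), StandardCharsets.UTF_8, CaCertstore.Certs.class);
        certs.validate();

        disableAutoCommit();
        try {
            int numProcessedEntriesInBatch = 0;
            int numImportedEntriesInBatch = 0;
            long lastSuccessfulCertId = 0;
            List<CaCertstore.Cert> list = certs.getCerts();
            final int n = list.size();
            for (int i = 0; i < n; i++) {
                if (stopMe.get()) {
                    throw new InterruptedException("interrupted by the user");
                }
                CaCertstore.Cert cert = list.get(i);
                long id = cert.getId();
                // NOTE(review): advanced before the row is committed, so the rollback cleanup
                // below sees the current id rather than the last committed one; kept as in the
                // original because deleteCertGreatherThan is not visible here.
                lastSuccessfulCertId = id;
                if (id < minId) {
                    continue; // already handled by an earlier run
                }
                numProcessedEntriesInBatch++;

                boolean wanted = !revokedOnly || (cert.getRev() != null && cert.getRev() == 1);
                if (wanted) {
                    int caId = cert.getCaId();
                    if (caIds.contains(caId)) {
                        numImportedEntriesInBatch++;
                        String filename = cert.getFile();
                        // the file name comes from overview.json and is only used as a ZIP entry key
                        ZipEntry certZipEntry = zipFile.getEntry(filename);
                        if (certZipEntry == null) {
                            throw new IOException("certificate file " + filename + " not found in ZIP file " + certsZipFile);
                        }
                        byte[] encodedCert = IoUtil.read(zipFile.getInputStream(certZipEntry));
                        String certhash = certhashAlgo.base64Hash(encodedCert);
                        TBSCertificate tbsCert = parseTbsCertificate(encodedCert, filename);
                        String subject = X509Util.cutX500Name(tbsCert.getSubject(), maxX500nameLen);
                        try {
                            int idx = 1;
                            psCert.setLong(idx++, id);
                            psCert.setInt(idx++, caId);
                            // serial number stored as lower-case hex without sign
                            psCert.setString(idx++, tbsCert.getSerialNumber().getPositiveValue().toString(16));
                            psCert.setLong(idx++, cert.getUpdate());
                            // notBefore / notAfter as epoch seconds
                            psCert.setLong(idx++, tbsCert.getStartDate().getDate().getTime() / 1000);
                            psCert.setLong(idx++, tbsCert.getEndDate().getDate().getTime() / 1000);
                            setInt(psCert, idx++, cert.getRev());
                            setInt(psCert, idx++, cert.getRr());
                            setLong(psCert, idx++, cert.getRt());
                            setLong(psCert, idx++, cert.getRit());
                            psCert.setString(idx++, certhash);
                            psCert.setString(idx++, subject);
                            psCert.setNull(idx, Types.INTEGER);
                            psCert.addBatch();
                        } catch (SQLException ex) {
                            throw translate(SQL_ADD_CERT, ex);
                        }
                    }
                }

                // Flush when a full batch is pending or the archive ends with a pending batch;
                // bookkeeping (counters, progress marker) also runs at the end of the archive
                // when nothing is pending.
                boolean isLastBlock = i == n - 1;
                boolean flush = numImportedEntriesInBatch > 0 && (numImportedEntriesInBatch % this.numCertsPerCommit == 0 || isLastBlock);
                if (!flush && !isLastBlock) {
                    continue;
                }
                if (flush) {
                    try {
                        psCert.executeBatch();
                        commit("(commit import cert to OCSP)");
                    } catch (Throwable th) {
                        rollback();
                        deleteCertGreatherThan(lastSuccessfulCertId, LOG);
                        if (th instanceof SQLException) {
                            throw translate(SQL_ADD_CERT, (SQLException) th);
                        } else if (th instanceof Exception) {
                            throw (Exception) th;
                        } else {
                            throw new Exception(th);
                        }
                    }
                }
                lastSuccessfulCertId = id;
                processLog.addNumProcessed(numProcessedEntriesInBatch);
                importLog.addNumProcessed(numImportedEntriesInBatch);
                numProcessedEntriesInBatch = 0;
                numImportedEntriesInBatch = 0;
                String marker = (numProcessedInLastProcess + processLog.numProcessed()) + ":" + lastSuccessfulCertId;
                echoToFile(marker, processLogFile);
                processLog.printStatus();
            }
            return lastSuccessfulCertId;
        } finally {
            recoverAutoCommit();
        }
    }
}

/**
 * Parses a DER-encoded certificate and returns its TBSCertificate.
 *
 * @param encodedCert the DER encoding read from the archive
 * @param filename archive entry name, used in the error message only
 * @return the parsed TBSCertificate
 * @throws CertificateException when the bytes are not a well-formed certificate; the parser's
 *     unchecked exception is logged and wrapped, keeping it as the cause
 */
private TBSCertificate parseTbsCertificate(byte[] encodedCert, String filename) throws CertificateException {
    try {
        Certificate cc = Certificate.getInstance(encodedCert);
        return cc.getTBSCertificate();
    } catch (RuntimeException ex) {
        LogUtil.error(LOG, ex, "could not parse certificate in file " + filename);
        throw new CertificateException(ex.getMessage(), ex);
    }
}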
Also used : SQLException(java.sql.SQLException) ZipEntry(java.util.zip.ZipEntry) CertificateException(java.security.cert.CertificateException) SQLException(java.sql.SQLException) DataAccessException(org.xipki.datasource.DataAccessException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ZipFile(java.util.zip.ZipFile) ZipFile(java.util.zip.ZipFile) File(java.io.File) TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate) TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate) Certificate(org.bouncycastle.asn1.x509.Certificate)
