use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testCertificateWithInvalidRSAPublicKey.
/**
* Tests a valid X.509 certificate that claims to have an RSA public key, but
* whose public key cannot actually be parsed as an RSA key. This won't
* cause an error, but will result in the public key not being available.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testCertificateWithInvalidRSAPublicKey() throws Exception {
  // Expected values are named once so that the certificate construction and
  // the assertions made after the round trip refer to the same inputs.
  final long notBefore = System.currentTimeMillis();
  final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
  final long timeToleranceMillis = 2000L;
  final BigInteger serialNumber = BigInteger.valueOf(123456789L);
  final OID signatureAlgorithmOID = new OID("1.2.3.4");
  final DN issuerDN = new DN("CN=Issuer,O=Example Corp,C=US");
  final DN subjectDN = new DN("CN=ldap.example.com,O=Example Corp,C=US");

  // The certificate declares the RSA public key algorithm OID, but the key
  // material is a 123-bit string of zeros.  The test expects that bit string
  // not to decode as an RSA key (see the getDecodedPublicKey assertion).
  X509Certificate c = new X509Certificate(
      X509CertificateVersion.V1,
      serialNumber,
      signatureAlgorithmOID,
      new ASN1Null(),
      new ASN1BitString(new boolean[1235]),
      issuerDN,
      notBefore,
      notAfter,
      subjectDN,
      PublicKeyAlgorithmIdentifier.RSA.getOID(),
      new ASN1Null(),
      new ASN1BitString(new boolean[123]),
      null,
      null,
      null);
  assertNotNull(c.getX509CertificateBytes());

  // Round-trip through the encoded form so that every assertion below is made
  // against a certificate produced by the decoder, not the one built above.
  c = new X509Certificate(c.encode().encode());

  // Version and serial number.
  assertNotNull(c.getVersion());
  assertEquals(c.getVersion(), X509CertificateVersion.V1);
  assertNotNull(c.getSerialNumber());
  assertEquals(c.getSerialNumber(), serialNumber);

  // Signature algorithm: the OID is an arbitrary one, so no name is expected
  // and the name-or-OID accessor falls back to the dotted string.
  assertNotNull(c.getSignatureAlgorithmOID());
  assertEquals(c.getSignatureAlgorithmOID(), signatureAlgorithmOID);
  assertNull(c.getSignatureAlgorithmName());
  assertNotNull(c.getSignatureAlgorithmNameOrOID());
  assertEquals(c.getSignatureAlgorithmNameOrOID(), "1.2.3.4");
  assertNotNull(c.getSignatureAlgorithmParameters());

  // Issuer.
  assertNotNull(c.getIssuerDN());
  assertEquals(c.getIssuerDN(), issuerDN);

  // Validity.  Certificates commonly carry notBefore and notAfter as UTCTime
  // (RFC 5280 requires it for dates through 2049), and UTCTime has a
  // two-digit year and no sub-second component.  The decoded values therefore
  // cannot be compared for exact equality with the millisecond inputs; they
  // are only required to fall within the tolerance of the expected value.
  assertTrue(Math.abs(c.getNotBeforeTime() - notBefore) < timeToleranceMillis);
  assertNotNull(c.getNotBeforeDate());
  assertEquals(c.getNotBeforeDate(), new Date(c.getNotBeforeTime()));
  assertTrue(Math.abs(c.getNotAfterTime() - notAfter) < timeToleranceMillis);
  assertNotNull(c.getNotAfterDate());
  assertEquals(c.getNotAfterDate(), new Date(c.getNotAfterTime()));

  // Subject.
  assertNotNull(c.getSubjectDN());
  assertEquals(c.getSubjectDN(), subjectDN);

  // Public key: the algorithm is still reported as RSA and the raw encoded key
  // is still available, but there must be no decoded key.  Callers that rely
  // on getDecodedPublicKey have to handle null for a certificate like this.
  assertNotNull(c.getPublicKeyAlgorithmOID());
  assertEquals(c.getPublicKeyAlgorithmOID(),
      PublicKeyAlgorithmIdentifier.RSA.getOID());
  assertNotNull(c.getPublicKeyAlgorithmName());
  assertEquals(c.getPublicKeyAlgorithmName(), "RSA");
  assertNotNull(c.getPublicKeyAlgorithmNameOrOID());
  assertEquals(c.getPublicKeyAlgorithmNameOrOID(), "RSA");
  assertNotNull(c.getPublicKeyAlgorithmParameters());
  assertNotNull(c.getEncodedPublicKey());
  assertNull(c.getDecodedPublicKey());

  // Optional V2/V3 fields were not supplied.
  assertNull(c.getIssuerUniqueID());
  assertNull(c.getSubjectUniqueID());
  assertNotNull(c.getExtensions());
  assertTrue(c.getExtensions().isEmpty());

  // Signature value and the various renderings must still be produced.
  assertNotNull(c.getSignatureValue());
  assertNotNull(c.toString());
  assertNotNull(c.toPEM());
  assertFalse(c.toPEM().isEmpty());
  assertNotNull(c.toPEMString());
  assertNotNull(c.getX509CertificateBytes());
  assertNotNull(c.getSHA1Fingerprint());
  assertNotNull(c.getSHA256Fingerprint());
}
use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testDecodeSignatureAlgorithmElementNotSequence.
/**
* Tests the behavior when trying to decode a certificate with a signature
* algorithm element that is not a valid sequence.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test(expectedExceptions = { CertException.class })
public void testDecodeSignatureAlgorithmElementNotSequence() throws Exception {
  final long notBefore = System.currentTimeMillis();
  final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);

  // Elements of the to-be-signed portion, in the order they are encoded.
  final ASN1Element version =
      new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode());
  final ASN1Element serialNumber = new ASN1BigInteger(12435L);

  // The malformed field under test: an octet string sits where the signature
  // algorithm identifier sequence belongs.
  final ASN1Element malformedSignatureAlgorithm =
      new ASN1OctetString("not a valid sequence");

  final ASN1Element issuer = X509Certificate.encodeName(new DN("CN=issuer"));
  final ASN1Element validity = new ASN1Sequence(
      new ASN1UTCTime(notBefore),
      new ASN1UTCTime(notAfter));
  final ASN1Element subject =
      X509Certificate.encodeName(new DN("CN=ldap.example.com"));
  final ASN1Element subjectPublicKeyInfo = new ASN1Sequence(
      new ASN1Sequence(
          new ASN1ObjectIdentifier(new OID("1.2.3.5")),
          new ASN1Null()),
      new ASN1BitString(new boolean[1024]));

  final ASN1Element tbsCertificate = new ASN1Sequence(
      version,
      serialNumber,
      malformedSignatureAlgorithm,
      issuer,
      validity,
      subject,
      subjectPublicKeyInfo);

  // The outer signature algorithm and signature value are well formed, so the
  // inner field above is the only structural problem in the certificate.
  final ASN1Element outerSignatureAlgorithm = new ASN1Sequence(
      new ASN1ObjectIdentifier(new OID("1.2.3.4")),
      new ASN1Null());
  final ASN1Element signatureValue = new ASN1BitString(new boolean[1024]);

  final ASN1Sequence certificateSequence = new ASN1Sequence(
      tbsCertificate,
      outerSignatureAlgorithm,
      signatureValue);

  // Decoding must be rejected with a CertException.
  // NOTE(review): expectedExceptions applies to the whole method, so a
  // CertException raised by any of the setup calls above would also satisfy
  // this test -- confirm that only the decode below can throw it.
  new X509Certificate(certificateSequence.encode());
}
use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testVerifySignatureUnrecognizedSignatureAlgorithm.
/**
* Tests the behavior of the {@code verifySignature} method with an
* unrecognized signature algorithm.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test(expectedExceptions = { CertException.class })
public void testVerifySignatureUnrecognizedSignatureAlgorithm() throws Exception {
  // Generate a genuine self-signed RSA certificate to use as a template.
  // NOTE(review): expectedExceptions applies to the whole method, so a
  // CertException raised during this setup would also satisfy the test --
  // confirm that only verifySignature is expected to throw.
  final ObjectPair<X509Certificate, KeyPair> generated =
      X509Certificate.generateSelfSignedCertificate(
          SignatureAlgorithmIdentifier.SHA_256_WITH_RSA,
          PublicKeyAlgorithmIdentifier.RSA,
          2048,
          new DN("CN=ldap.example.com,O=Example Corporation,C=US"),
          System.currentTimeMillis(),
          System.currentTimeMillis() + TimeUnit.DAYS.toMillis(365L),
          new SubjectAlternativeNameExtension(false,
              new GeneralNamesBuilder().addDNSName("ldap.example.com").build()));
  final X509Certificate template = generated.getFirst();

  final X509CertificateExtension[] templateExtensions =
      new X509CertificateExtension[template.getExtensions().size()];
  template.getExtensions().toArray(templateExtensions);

  // Copy every field from the template except the signature algorithm OID
  // (replaced with an arbitrary OID), the signature value (replaced with a
  // five-bit string), and the public key algorithm parameters (passed as
  // null).
  final X509Certificate cert = new X509Certificate(
      template.getVersion(),
      template.getSerialNumber(),
      new OID("1.2.3.4.5.6.7.8"),
      template.getSignatureAlgorithmParameters(),
      new ASN1BitString(true, false, true, false, true),
      template.getIssuerDN(),
      template.getNotBeforeTime(),
      template.getNotAfterTime(),
      template.getSubjectDN(),
      template.getPublicKeyAlgorithmOID(),
      null,
      template.getEncodedPublicKey(),
      template.getDecodedPublicKey(),
      template.getIssuerUniqueID(),
      template.getSubjectUniqueID(),
      templateExtensions);

  // Verification must fail with a CertException; a signature whose algorithm
  // cannot be identified must never be reported as valid.
  cert.verifySignature(null);
}
use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequest method generateCertificateSigningRequest.
/**
* Generates a PKCS #10 certificate signing request with the provided
* information.
*
* @param signatureAlgorithm The algorithm to use to generate the signature.
* This must not be {@code null}.
* @param keyPair The key pair to use for the certificate signing
* request. This must not be {@code null}.
* @param subjectDN The subject DN for the certificate signing
* request. This must not be {@code null}.
* @param extensions The set of extensions to include in the
* certificate signing request. This may be
* {@code null} or empty if the request should not
* include any custom extensions.
*
* @return The generated PKCS #10 certificate signing request.
*
* @throws CertException If a problem is encountered while creating the
* certificate signing request.
*/
@NotNull()
public static PKCS10CertificateSigningRequest generateCertificateSigningRequest(
    @NotNull final SignatureAlgorithmIdentifier signatureAlgorithm,
    @NotNull final KeyPair keyPair,
    @NotNull final DN subjectDN,
    @Nullable final X509CertificateExtension... extensions)
    throws CertException {
  // Pull the algorithm OID, the optional algorithm parameters and the raw key
  // bits out of the encoded public key, and derive a subject key identifier
  // from those key bits.
  DecodedPublicKey decodedPublicKey = null;
  final ASN1BitString encodedPublicKey;
  final ASN1Element publicKeyAlgorithmParameters;
  final byte[] subjectKeyIdentifier;
  final OID publicKeyAlgorithmOID;
  try {
    // The encoded key is read as a sequence of
    // { algorithm identifier sequence, key bit string }.
    final ASN1Element[] keyInfoElements = ASN1Sequence.decodeAsSequence(
        keyPair.getPublic().getEncoded()).elements();
    final ASN1Element[] algorithmIDElements =
        ASN1Sequence.decodeAsSequence(keyInfoElements[0]).elements();

    publicKeyAlgorithmOID =
        algorithmIDElements[0].decodeAsObjectIdentifier().getOID();
    publicKeyAlgorithmParameters = (algorithmIDElements.length == 1)
        ? null
        : algorithmIDElements[1];
    encodedPublicKey = keyInfoElements[1].decodeAsBitString();

    // Decoding the key into a structured form is best effort: a failure is
    // recorded through Debug and the request is built with a null decoded
    // key.  Algorithms other than RSA and EC are left undecoded.
    try {
      if (publicKeyAlgorithmOID.equals(
          PublicKeyAlgorithmIdentifier.RSA.getOID())) {
        decodedPublicKey = new RSAPublicKey(encodedPublicKey);
      } else if (publicKeyAlgorithmOID.equals(
          PublicKeyAlgorithmIdentifier.EC.getOID())) {
        decodedPublicKey = new EllipticCurvePublicKey(encodedPublicKey);
      }
    } catch (final Exception e) {
      Debug.debugException(e);
    }

    // The digest algorithm is whatever the extension class's constant names;
    // its value is not visible in this method.
    final MessageDigest keyIdentifierDigest = CryptoHelper.getMessageDigest(
        SubjectKeyIdentifierExtension.SUBJECT_KEY_IDENTIFIER_DIGEST_ALGORITHM);
    subjectKeyIdentifier =
        keyIdentifierDigest.digest(encodedPublicKey.getBytes());
  } catch (final Exception e) {
    // Any parse or digest failure is reported as an unusable key pair.
    Debug.debugException(e);
    throw new CertException(
        ERR_CSR_GEN_CANNOT_PARSE_KEY_PAIR.get(
            StaticUtils.getExceptionMessage(e)),
        e);
  }

  // Assemble the extensions for the request.  The computed subject key
  // identifier always comes first, and a caller-supplied extension with the
  // subject key identifier OID is dropped so the identifier always matches
  // the key that is actually in the request.
  final ArrayList<X509CertificateExtension> extensionList =
      new ArrayList<>(10);
  extensionList.add(new SubjectKeyIdentifierExtension(false,
      new ASN1OctetString(subjectKeyIdentifier)));
  if (extensions != null) {
    for (final X509CertificateExtension extension : extensions) {
      if (extension.getOID().equals(
          SubjectKeyIdentifierExtension.SUBJECT_KEY_IDENTIFIER_OID)) {
        continue;
      }
      extensionList.add(extension);
    }
  }
  final X509CertificateExtension[] allExtensions =
      new X509CertificateExtension[extensionList.size()];
  extensionList.toArray(allExtensions);

  // Sign the request with the private key of the same key pair.
  final ASN1BitString encodedSignature = generateSignature(
      signatureAlgorithm,
      keyPair.getPrivate(),
      subjectDN,
      publicKeyAlgorithmOID,
      publicKeyAlgorithmParameters,
      encodedPublicKey,
      allExtensions);

  return new PKCS10CertificateSigningRequest(
      PKCS10CertificateSigningRequestVersion.V1,
      signatureAlgorithm.getOID(),
      null,
      encodedSignature,
      subjectDN,
      publicKeyAlgorithmOID,
      publicKeyAlgorithmParameters,
      encodedPublicKey,
      decodedPublicKey,
      null,
      allExtensions);
}
use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequest method generateSignature.
/**
* Generates a signature for the certificate signing request with the provided
* information.
*
* @param signatureAlgorithm The signature algorithm to use to
* generate the signature. This must
* not be {@code null}.
* @param privateKey The private key to use to sign the
* certificate signing request. This
* must not be {@code null}.
* @param subjectDN The subject DN for the certificate
* signing request. This must not be
* {@code null}.
* @param publicKeyAlgorithmOID The OID for the public key algorithm.
* This must not be {@code null}.
* @param publicKeyAlgorithmParameters The encoded public key algorithm
* parameters. This may be
* {@code null} if no parameters are
* needed.
* @param encodedPublicKey The encoded representation of the
* public key. This must not be
* {@code null}.
* @param extensions The set of extensions to include in
* the certificate signing request.
* This must not be {@code null} but
* may be empty.
*
* @return An encoded representation of the generated signature.
*
* @throws CertException If a problem is encountered while generating the
* signature.
*/
@NotNull()
private static ASN1BitString generateSignature(
    @NotNull final SignatureAlgorithmIdentifier signatureAlgorithm,
    @NotNull final PrivateKey privateKey,
    @NotNull final DN subjectDN,
    @NotNull final OID publicKeyAlgorithmOID,
    @Nullable final ASN1Element publicKeyAlgorithmParameters,
    @NotNull final ASN1BitString encodedPublicKey,
    @NotNull final X509CertificateExtension... extensions)
    throws CertException {
  // Obtain the signature generator for the requested algorithm.
  final Signature signer;
  try {
    signer = CryptoHelper.getSignature(signatureAlgorithm.getJavaName());
  } catch (final Exception e) {
    Debug.debugException(e);
    throw new CertException(
        ERR_CSR_GEN_SIGNATURE_CANNOT_GET_SIGNATURE_GENERATOR.get(
            signatureAlgorithm.getJavaName(),
            StaticUtils.getExceptionMessage(e)),
        e);
  }

  // Initialize it for signing.  This step is kept separate from the one above
  // so that each failure is reported with its own message.
  try {
    signer.initSign(privateKey);
  } catch (final Exception e) {
    Debug.debugException(e);
    throw new CertException(
        ERR_CSR_GEN_SIGNATURE_CANNOT_INIT_SIGNATURE_GENERATOR.get(
            signatureAlgorithm.getJavaName(),
            StaticUtils.getExceptionMessage(e)),
        e);
  }

  // Build the request-info sequence (version, subject, public key info,
  // attributes) and compute the signature over its encoding.
  try {
    final ArrayList<ASN1Element> requestInfoElements = new ArrayList<>(4);
    requestInfoElements.add(new ASN1Integer(
        PKCS10CertificateSigningRequestVersion.V1.getIntValue()));
    requestInfoElements.add(X509Certificate.encodeName(subjectDN));

    // The algorithm identifier carries the parameters element only when one
    // was supplied.
    final ASN1Sequence algorithmIdentifier =
        (publicKeyAlgorithmParameters == null)
            ? new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID))
            : new ASN1Sequence(
                new ASN1ObjectIdentifier(publicKeyAlgorithmOID),
                publicKeyAlgorithmParameters);
    requestInfoElements.add(
        new ASN1Sequence(algorithmIdentifier, encodedPublicKey));

    // The attributes set is always written, and is empty when there are no
    // extensions.  All extensions travel in one attribute identified by
    // ATTRIBUTE_OID_EXTENSIONS.
    final ArrayList<ASN1Element> attributeElements = new ArrayList<>(1);
    if ((extensions != null) && (extensions.length > 0)) {
      final ArrayList<ASN1Element> encodedExtensions =
          new ArrayList<>(extensions.length);
      for (final X509CertificateExtension extension : extensions) {
        encodedExtensions.add(extension.encode());
      }
      attributeElements.add(new ASN1Sequence(
          new ASN1ObjectIdentifier(ATTRIBUTE_OID_EXTENSIONS),
          new ASN1Set(new ASN1Sequence(encodedExtensions))));
    }
    requestInfoElements.add(new ASN1Set(TYPE_ATTRIBUTES, attributeElements));

    // Everything added above is covered by the signature, so any change to the
    // subject, key or extensions after this point invalidates it.
    final byte[] requestInfoBytes =
        new ASN1Sequence(requestInfoElements).encode();
    signer.update(requestInfoBytes);
    final byte[] rawSignature = signer.sign();
    return new ASN1BitString(ASN1BitString.getBitsForBytes(rawSignature));
  } catch (final Exception e) {
    Debug.debugException(e);
    throw new CertException(
        ERR_CSR_GEN_SIGNATURE_CANNOT_COMPUTE.get(
            signatureAlgorithm.getJavaName(),
            StaticUtils.getExceptionMessage(e)),
        e);
  }
}