Example 26 with ASN1ObjectIdentifier
use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequest method verifySignature.
/**
* Verifies the signature for this certificate signing request.
*
* @throws CertException If the certificate signing request's signature
* could not be verified.
*/
public void verifySignature() throws CertException {
// Generate the public key for this certificate signing request.
final PublicKey publicKey;
try {
final byte[] encodedPublicKeyBytes;
if (publicKeyAlgorithmParameters == null) {
encodedPublicKeyBytes = new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID)), encodedPublicKey).encode();
} else {
encodedPublicKeyBytes = new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID), publicKeyAlgorithmParameters), encodedPublicKey).encode();
}
final KeyFactory keyFactory = CryptoHelper.getKeyFactory(getPublicKeyAlgorithmNameOrOID());
publicKey = keyFactory.generatePublic(new X509EncodedKeySpec(encodedPublicKeyBytes));
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_VERIFY_SIGNATURE_CANNOT_GET_PUBLIC_KEY.get(StaticUtils.getExceptionMessage(e)), e);
}
// Get and initialize the signature generator.
final Signature signature;
final SignatureAlgorithmIdentifier signatureAlgorithm;
try {
signatureAlgorithm = SignatureAlgorithmIdentifier.forOID(signatureAlgorithmOID);
signature = CryptoHelper.getSignature(signatureAlgorithm.getJavaName());
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_VERIFY_SIGNATURE_CANNOT_GET_SIGNATURE_VERIFIER.get(getSignatureAlgorithmNameOrOID(), StaticUtils.getExceptionMessage(e)), e);
}
try {
signature.initVerify(publicKey);
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_VERIFY_SIGNATURE_CANNOT_INIT_SIGNATURE_VERIFIER.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
// Construct the requestInfo element of the certificate signing request and
// compute its signature.
final boolean signatureIsValid;
try {
final ASN1Element[] requestInfoElements = ASN1Sequence.decodeAsSequence(pkcs10CertificateSigningRequestBytes).elements();
final byte[] requestInfoBytes = requestInfoElements[0].encode();
signature.update(requestInfoBytes);
signatureIsValid = signature.verify(signatureValue.getBytes());
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_VERIFY_SIGNATURE_ERROR.get(subjectDN, StaticUtils.getExceptionMessage(e)), e);
}
if (!signatureIsValid) {
throw new CertException(ERR_CSR_VERIFY_SIGNATURE_NOT_VALID.get(subjectDN));
}
}
Also used :
PublicKey(java.security.PublicKey)
X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec)
ASN1Sequence(com.unboundid.asn1.ASN1Sequence)
Signature(java.security.Signature)
ASN1Element(com.unboundid.asn1.ASN1Element)
ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier)
KeyFactory(java.security.KeyFactory)
Example 27 with ASN1ObjectIdentifier
use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequest method generateSignature.
/**
* Generates a signature for the certificate signing request with the provided
* information.
*
* @param signatureAlgorithm The signature algorithm to use to
* generate the signature. This must
* not be {@code null}.
* @param privateKey The private key to use to sign the
* certificate signing request. This
* must not be {@code null}.
* @param subjectDN The subject DN for the certificate
* signing request. This must not be
* {@code null}.
* @param publicKeyAlgorithmOID The OID for the public key algorithm.
* This must not be {@code null}.
* @param publicKeyAlgorithmParameters The encoded public key algorithm
* parameters. This may be
* {@code null} if no parameters are
* needed.
* @param encodedPublicKey The encoded representation of the
* public key. This must not be
* {@code null}.
* @param extensions The set of extensions to include in
* the certificate signing request.
* This must not be {@code null} but
* may be empty.
*
* @return An encoded representation of the generated signature.
*
* @throws CertException If a problem is encountered while generating the
* certificate.
*/
@NotNull()
private static ASN1BitString generateSignature(@NotNull final SignatureAlgorithmIdentifier signatureAlgorithm, @NotNull final PrivateKey privateKey, @NotNull final DN subjectDN, @NotNull final OID publicKeyAlgorithmOID, @Nullable final ASN1Element publicKeyAlgorithmParameters, @NotNull final ASN1BitString encodedPublicKey, @NotNull final X509CertificateExtension... extensions) throws CertException {
// Get and initialize the signature generator.
final Signature signature;
try {
signature = CryptoHelper.getSignature(signatureAlgorithm.getJavaName());
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_GEN_SIGNATURE_CANNOT_GET_SIGNATURE_GENERATOR.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
try {
signature.initSign(privateKey);
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_GEN_SIGNATURE_CANNOT_INIT_SIGNATURE_GENERATOR.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
// compute its signature.
try {
final ArrayList<ASN1Element> requestInfoElements = new ArrayList<>(4);
requestInfoElements.add(new ASN1Integer(PKCS10CertificateSigningRequestVersion.V1.getIntValue()));
requestInfoElements.add(X509Certificate.encodeName(subjectDN));
if (publicKeyAlgorithmParameters == null) {
requestInfoElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID)), encodedPublicKey));
} else {
requestInfoElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID), publicKeyAlgorithmParameters), encodedPublicKey));
}
final ArrayList<ASN1Element> attrElements = new ArrayList<>(1);
if ((extensions != null) && (extensions.length > 0)) {
final ArrayList<ASN1Element> extensionElements = new ArrayList<>(extensions.length);
for (final X509CertificateExtension e : extensions) {
extensionElements.add(e.encode());
}
attrElements.add(new ASN1Sequence(new ASN1ObjectIdentifier(ATTRIBUTE_OID_EXTENSIONS), new ASN1Set(new ASN1Sequence(extensionElements))));
}
requestInfoElements.add(new ASN1Set(TYPE_ATTRIBUTES, attrElements));
final byte[] certificationRequestInfoBytes = new ASN1Sequence(requestInfoElements).encode();
signature.update(certificationRequestInfoBytes);
final byte[] signatureBytes = signature.sign();
return new ASN1BitString(ASN1BitString.getBitsForBytes(signatureBytes));
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_GEN_SIGNATURE_CANNOT_COMPUTE.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
}
Also used :
ArrayList(java.util.ArrayList)
ASN1Integer(com.unboundid.asn1.ASN1Integer)
ASN1BitString(com.unboundid.asn1.ASN1BitString)
ASN1Sequence(com.unboundid.asn1.ASN1Sequence)
ASN1Set(com.unboundid.asn1.ASN1Set)
Signature(java.security.Signature)
ASN1Element(com.unboundid.asn1.ASN1Element)
ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier)
NotNull(com.unboundid.util.NotNull)
Example 28 with ASN1ObjectIdentifier
use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.
the class X509Certificate method encodeName.
/**
* Encodes the provided DN as an X.509 name for inclusion in an encoded
* certificate.
*
* @param dn The DN to encode.
*
* @return The encoded X.509 name.
*
* @throws CertException If a problem is encountered while encoding the
* provided DN as an X.509 name.
*/
@NotNull()
static ASN1Element encodeName(@NotNull final DN dn) throws CertException {
final Schema schema;
try {
schema = Schema.getDefaultStandardSchema();
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CERT_ENCODE_NAME_CANNOT_GET_SCHEMA.get(String.valueOf(dn), StaticUtils.getExceptionMessage(e)), e);
}
final RDN[] rdns = dn.getRDNs();
final ArrayList<ASN1Element> rdnSequenceElements = new ArrayList<>(rdns.length);
for (int i = rdns.length - 1; i >= 0; i--) {
final RDN rdn = rdns[i];
final String[] names = rdn.getAttributeNames();
final String[] values = rdn.getAttributeValues();
final ArrayList<ASN1Element> rdnElements = new ArrayList<>(names.length);
for (int j = 0; j < names.length; j++) {
final AttributeTypeDefinition at = schema.getAttributeType(names[j]);
if (at == null) {
throw new CertException(ERR_CERT_ENCODE_NAME_UNKNOWN_ATTR_TYPE.get(String.valueOf(dn), names[j]));
}
try {
rdnElements.add(new ASN1Sequence(new ASN1ObjectIdentifier(at.getOID()), new ASN1UTF8String(values[j])));
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CERT_ENCODE_NAME_ERROR.get(String.valueOf(dn), StaticUtils.getExceptionMessage(e)), e);
}
}
rdnSequenceElements.add(new ASN1Set(rdnElements));
}
return new ASN1Sequence(rdnSequenceElements);
}
Also used :
ASN1UTF8String(com.unboundid.asn1.ASN1UTF8String)
Schema(com.unboundid.ldap.sdk.schema.Schema)
ArrayList(java.util.ArrayList)
ASN1UTF8String(com.unboundid.asn1.ASN1UTF8String)
ASN1OctetString(com.unboundid.asn1.ASN1OctetString)
ASN1BitString(com.unboundid.asn1.ASN1BitString)
ASN1Exception(com.unboundid.asn1.ASN1Exception)
CertificateException(java.security.cert.CertificateException)
AttributeTypeDefinition(com.unboundid.ldap.sdk.schema.AttributeTypeDefinition)
ASN1Sequence(com.unboundid.asn1.ASN1Sequence)
ASN1Set(com.unboundid.asn1.ASN1Set)
ASN1Element(com.unboundid.asn1.ASN1Element)
RDN(com.unboundid.ldap.sdk.RDN)
ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier)
NotNull(com.unboundid.util.NotNull)
Example 29 with ASN1ObjectIdentifier
use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.
the class X509Certificate method generateSignature.
/**
* Generates a signature for the certificate with the provided information.
*
* @param signatureAlgorithm The signature algorithm to use to
* generate the signature. This must
* not be {@code null}.
* @param privateKey The private key to use to sign the
* certificate. This must not be
* {@code null}.
* @param serialNumber The serial number for the
* certificate. This must not be
* {@code null}.
* @param issuerDN The issuer DN for the certificate.
* This must not be {@code null}.
* @param notBefore The validity start time for the
* certificate.
* @param notAfter The validity end time for the
* certificate.
* @param subjectDN The subject DN for the certificate.
* This must not be {@code null}.
* @param publicKeyAlgorithmOID The OID for the public key algorithm.
* This must not be {@code null}.
* @param publicKeyAlgorithmParameters The encoded public key algorithm
* parameters. This may be
* {@code null} if no parameters are
* needed.
* @param encodedPublicKey The encoded representation of the
* public key. This must not be
* {@code null}.
* @param extensions The set of extensions to include in
* the certificate. This must not be
* {@code null} but may be empty.
*
* @return An encoded representation of the generated signature.
*
* @throws CertException If a problem is encountered while generating the
* certificate.
*/
@NotNull()
private static ASN1BitString generateSignature(@NotNull final SignatureAlgorithmIdentifier signatureAlgorithm, @NotNull final PrivateKey privateKey, @NotNull final BigInteger serialNumber, @NotNull final DN issuerDN, final long notBefore, final long notAfter, @NotNull final DN subjectDN, @NotNull final OID publicKeyAlgorithmOID, @Nullable final ASN1Element publicKeyAlgorithmParameters, @NotNull final ASN1BitString encodedPublicKey, @NotNull final X509CertificateExtension... extensions) throws CertException {
// Get and initialize the signature generator.
final Signature signature;
try {
signature = CryptoHelper.getSignature(signatureAlgorithm.getJavaName());
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CERT_GEN_SIGNATURE_CANNOT_GET_SIGNATURE_GENERATOR.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
try {
signature.initSign(privateKey);
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CERT_GEN_SIGNATURE_CANNOT_INIT_SIGNATURE_GENERATOR.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
// signature.
try {
final ArrayList<ASN1Element> tbsCertificateElements = new ArrayList<>(8);
tbsCertificateElements.add(new ASN1Element(TYPE_EXPLICIT_VERSION, new ASN1Integer(X509CertificateVersion.V3.getIntValue()).encode()));
tbsCertificateElements.add(new ASN1BigInteger(serialNumber));
tbsCertificateElements.add(new ASN1Sequence(new ASN1ObjectIdentifier(signatureAlgorithm.getOID())));
tbsCertificateElements.add(encodeName(issuerDN));
tbsCertificateElements.add(encodeValiditySequence(notBefore, notAfter));
tbsCertificateElements.add(encodeName(subjectDN));
if (publicKeyAlgorithmParameters == null) {
tbsCertificateElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID)), encodedPublicKey));
} else {
tbsCertificateElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID), publicKeyAlgorithmParameters), encodedPublicKey));
}
final ArrayList<ASN1Element> extensionElements = new ArrayList<>(extensions.length);
for (final X509CertificateExtension e : extensions) {
extensionElements.add(e.encode());
}
tbsCertificateElements.add(new ASN1Element(TYPE_EXPLICIT_EXTENSIONS, new ASN1Sequence(extensionElements).encode()));
final byte[] tbsCertificateBytes = new ASN1Sequence(tbsCertificateElements).encode();
signature.update(tbsCertificateBytes);
final byte[] signatureBytes = signature.sign();
return new ASN1BitString(ASN1BitString.getBitsForBytes(signatureBytes));
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CERT_GEN_SIGNATURE_CANNOT_COMPUTE.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
}
Also used :
ArrayList(java.util.ArrayList)
ASN1BigInteger(com.unboundid.asn1.ASN1BigInteger)
ASN1Integer(com.unboundid.asn1.ASN1Integer)
ASN1Exception(com.unboundid.asn1.ASN1Exception)
CertificateException(java.security.cert.CertificateException)
ASN1BitString(com.unboundid.asn1.ASN1BitString)
ASN1Sequence(com.unboundid.asn1.ASN1Sequence)
Signature(java.security.Signature)
ASN1Element(com.unboundid.asn1.ASN1Element)
ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier)
NotNull(com.unboundid.util.NotNull)
Example 30 with ASN1ObjectIdentifier
use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.
the class X509CertificateExtension method encode.
/**
* Encodes this extension to an ASN.1 element suitable for inclusion in an
* encoded X.509 certificate.
*
* @return The encoded representation of this extension.
*
* @throws CertException If a problem is encountered while encoding the
* extension.
*/
@NotNull()
ASN1Sequence encode() throws CertException {
try {
final ArrayList<ASN1Element> elements = new ArrayList<>(3);
elements.add(new ASN1ObjectIdentifier(oid));
if (isCritical) {
elements.add(ASN1Boolean.UNIVERSAL_BOOLEAN_TRUE_ELEMENT);
}
elements.add(new ASN1OctetString(value));
return new ASN1Sequence(elements);
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_EXTENSION_ENCODE_ERROR.get(toString(), StaticUtils.getExceptionMessage(e)), e);
}
}
Also used :
ASN1OctetString(com.unboundid.asn1.ASN1OctetString)
ASN1Sequence(com.unboundid.asn1.ASN1Sequence)
ASN1Element(com.unboundid.asn1.ASN1Element)
ArrayList(java.util.ArrayList)
ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier)
NotNull(com.unboundid.util.NotNull)
Aggregations
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)545
IOException (java.io.IOException)155
ASN1ObjectIdentifier (com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)126
ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)87
DEROctetString (org.bouncycastle.asn1.DEROctetString)87
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)71
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)71
ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)70
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)69
Enumeration (java.util.Enumeration)65
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)64
BigInteger (java.math.BigInteger)60
DERSequence (org.bouncycastle.asn1.DERSequence)60
ArrayList (java.util.ArrayList)55
HashSet (java.util.HashSet)52
DERIA5String (org.bouncycastle.asn1.DERIA5String)52
X500Name (org.bouncycastle.asn1.x500.X500Name)52
X509Certificate (java.security.cert.X509Certificate)49
Extension (org.bouncycastle.asn1.x509.Extension)46
ASN1String (org.bouncycastle.asn1.ASN1String)43
