use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequest method verifySignature.
/**
* Verifies the signature for this certificate signing request.
*
* @throws CertException If the certificate signing request's signature
* could not be verified.
*/
public void verifySignature() throws CertException {
// Generate the public key for this certificate signing request.
final PublicKey publicKey;
try {
final byte[] encodedPublicKeyBytes;
if (publicKeyAlgorithmParameters == null) {
encodedPublicKeyBytes = new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID)), encodedPublicKey).encode();
} else {
encodedPublicKeyBytes = new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID), publicKeyAlgorithmParameters), encodedPublicKey).encode();
}
final KeyFactory keyFactory = CryptoHelper.getKeyFactory(getPublicKeyAlgorithmNameOrOID());
publicKey = keyFactory.generatePublic(new X509EncodedKeySpec(encodedPublicKeyBytes));
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_VERIFY_SIGNATURE_CANNOT_GET_PUBLIC_KEY.get(StaticUtils.getExceptionMessage(e)), e);
}
// Get and initialize the signature generator.
final Signature signature;
final SignatureAlgorithmIdentifier signatureAlgorithm;
try {
signatureAlgorithm = SignatureAlgorithmIdentifier.forOID(signatureAlgorithmOID);
signature = CryptoHelper.getSignature(signatureAlgorithm.getJavaName());
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_VERIFY_SIGNATURE_CANNOT_GET_SIGNATURE_VERIFIER.get(getSignatureAlgorithmNameOrOID(), StaticUtils.getExceptionMessage(e)), e);
}
try {
signature.initVerify(publicKey);
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_VERIFY_SIGNATURE_CANNOT_INIT_SIGNATURE_VERIFIER.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
// Construct the requestInfo element of the certificate signing request and
// compute its signature.
final boolean signatureIsValid;
try {
final ASN1Element[] requestInfoElements = ASN1Sequence.decodeAsSequence(pkcs10CertificateSigningRequestBytes).elements();
final byte[] requestInfoBytes = requestInfoElements[0].encode();
signature.update(requestInfoBytes);
signatureIsValid = signature.verify(signatureValue.getBytes());
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_VERIFY_SIGNATURE_ERROR.get(subjectDN, StaticUtils.getExceptionMessage(e)), e);
}
if (!signatureIsValid) {
throw new CertException(ERR_CSR_VERIFY_SIGNATURE_NOT_VALID.get(subjectDN));
}
}
use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequest method generateSignature.
/**
* Generates a signature for the certificate signing request with the provided
* information.
*
* @param signatureAlgorithm The signature algorithm to use to
* generate the signature. This must
* not be {@code null}.
* @param privateKey The private key to use to sign the
* certificate signing request. This
* must not be {@code null}.
* @param subjectDN The subject DN for the certificate
* signing request. This must not be
* {@code null}.
* @param publicKeyAlgorithmOID The OID for the public key algorithm.
* This must not be {@code null}.
* @param publicKeyAlgorithmParameters The encoded public key algorithm
* parameters. This may be
* {@code null} if no parameters are
* needed.
* @param encodedPublicKey The encoded representation of the
* public key. This must not be
* {@code null}.
* @param extensions The set of extensions to include in
* the certificate signing request.
* This must not be {@code null} but
* may be empty.
*
* @return An encoded representation of the generated signature.
*
* @throws CertException If a problem is encountered while generating the
* certificate.
*/
@NotNull()
private static ASN1BitString generateSignature(@NotNull final SignatureAlgorithmIdentifier signatureAlgorithm, @NotNull final PrivateKey privateKey, @NotNull final DN subjectDN, @NotNull final OID publicKeyAlgorithmOID, @Nullable final ASN1Element publicKeyAlgorithmParameters, @NotNull final ASN1BitString encodedPublicKey, @NotNull final X509CertificateExtension... extensions) throws CertException {
// Get and initialize the signature generator.
final Signature signature;
try {
signature = CryptoHelper.getSignature(signatureAlgorithm.getJavaName());
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_GEN_SIGNATURE_CANNOT_GET_SIGNATURE_GENERATOR.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
try {
signature.initSign(privateKey);
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_GEN_SIGNATURE_CANNOT_INIT_SIGNATURE_GENERATOR.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
// compute its signature.
try {
final ArrayList<ASN1Element> requestInfoElements = new ArrayList<>(4);
requestInfoElements.add(new ASN1Integer(PKCS10CertificateSigningRequestVersion.V1.getIntValue()));
requestInfoElements.add(X509Certificate.encodeName(subjectDN));
if (publicKeyAlgorithmParameters == null) {
requestInfoElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID)), encodedPublicKey));
} else {
requestInfoElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID), publicKeyAlgorithmParameters), encodedPublicKey));
}
final ArrayList<ASN1Element> attrElements = new ArrayList<>(1);
if ((extensions != null) && (extensions.length > 0)) {
final ArrayList<ASN1Element> extensionElements = new ArrayList<>(extensions.length);
for (final X509CertificateExtension e : extensions) {
extensionElements.add(e.encode());
}
attrElements.add(new ASN1Sequence(new ASN1ObjectIdentifier(ATTRIBUTE_OID_EXTENSIONS), new ASN1Set(new ASN1Sequence(extensionElements))));
}
requestInfoElements.add(new ASN1Set(TYPE_ATTRIBUTES, attrElements));
final byte[] certificationRequestInfoBytes = new ASN1Sequence(requestInfoElements).encode();
signature.update(certificationRequestInfoBytes);
final byte[] signatureBytes = signature.sign();
return new ASN1BitString(ASN1BitString.getBitsForBytes(signatureBytes));
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_GEN_SIGNATURE_CANNOT_COMPUTE.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
}
use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.
the class X509Certificate method encodeName.
/**
* Encodes the provided DN as an X.509 name for inclusion in an encoded
* certificate.
*
* @param dn The DN to encode.
*
* @return The encoded X.509 name.
*
* @throws CertException If a problem is encountered while encoding the
* provided DN as an X.509 name.
*/
@NotNull()
static ASN1Element encodeName(@NotNull final DN dn) throws CertException {
final Schema schema;
try {
schema = Schema.getDefaultStandardSchema();
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CERT_ENCODE_NAME_CANNOT_GET_SCHEMA.get(String.valueOf(dn), StaticUtils.getExceptionMessage(e)), e);
}
final RDN[] rdns = dn.getRDNs();
final ArrayList<ASN1Element> rdnSequenceElements = new ArrayList<>(rdns.length);
for (int i = rdns.length - 1; i >= 0; i--) {
final RDN rdn = rdns[i];
final String[] names = rdn.getAttributeNames();
final String[] values = rdn.getAttributeValues();
final ArrayList<ASN1Element> rdnElements = new ArrayList<>(names.length);
for (int j = 0; j < names.length; j++) {
final AttributeTypeDefinition at = schema.getAttributeType(names[j]);
if (at == null) {
throw new CertException(ERR_CERT_ENCODE_NAME_UNKNOWN_ATTR_TYPE.get(String.valueOf(dn), names[j]));
}
try {
rdnElements.add(new ASN1Sequence(new ASN1ObjectIdentifier(at.getOID()), new ASN1UTF8String(values[j])));
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CERT_ENCODE_NAME_ERROR.get(String.valueOf(dn), StaticUtils.getExceptionMessage(e)), e);
}
}
rdnSequenceElements.add(new ASN1Set(rdnElements));
}
return new ASN1Sequence(rdnSequenceElements);
}
use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.
the class X509Certificate method generateSignature.
/**
* Generates a signature for the certificate with the provided information.
*
* @param signatureAlgorithm The signature algorithm to use to
* generate the signature. This must
* not be {@code null}.
* @param privateKey The private key to use to sign the
* certificate. This must not be
* {@code null}.
* @param serialNumber The serial number for the
* certificate. This must not be
* {@code null}.
* @param issuerDN The issuer DN for the certificate.
* This must not be {@code null}.
* @param notBefore The validity start time for the
* certificate.
* @param notAfter The validity end time for the
* certificate.
* @param subjectDN The subject DN for the certificate.
* This must not be {@code null}.
* @param publicKeyAlgorithmOID The OID for the public key algorithm.
* This must not be {@code null}.
* @param publicKeyAlgorithmParameters The encoded public key algorithm
* parameters. This may be
* {@code null} if no parameters are
* needed.
* @param encodedPublicKey The encoded representation of the
* public key. This must not be
* {@code null}.
* @param extensions The set of extensions to include in
* the certificate. This must not be
* {@code null} but may be empty.
*
* @return An encoded representation of the generated signature.
*
* @throws CertException If a problem is encountered while generating the
* certificate.
*/
@NotNull()
private static ASN1BitString generateSignature(@NotNull final SignatureAlgorithmIdentifier signatureAlgorithm, @NotNull final PrivateKey privateKey, @NotNull final BigInteger serialNumber, @NotNull final DN issuerDN, final long notBefore, final long notAfter, @NotNull final DN subjectDN, @NotNull final OID publicKeyAlgorithmOID, @Nullable final ASN1Element publicKeyAlgorithmParameters, @NotNull final ASN1BitString encodedPublicKey, @NotNull final X509CertificateExtension... extensions) throws CertException {
// Get and initialize the signature generator.
final Signature signature;
try {
signature = CryptoHelper.getSignature(signatureAlgorithm.getJavaName());
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CERT_GEN_SIGNATURE_CANNOT_GET_SIGNATURE_GENERATOR.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
try {
signature.initSign(privateKey);
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CERT_GEN_SIGNATURE_CANNOT_INIT_SIGNATURE_GENERATOR.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
// signature.
try {
final ArrayList<ASN1Element> tbsCertificateElements = new ArrayList<>(8);
tbsCertificateElements.add(new ASN1Element(TYPE_EXPLICIT_VERSION, new ASN1Integer(X509CertificateVersion.V3.getIntValue()).encode()));
tbsCertificateElements.add(new ASN1BigInteger(serialNumber));
tbsCertificateElements.add(new ASN1Sequence(new ASN1ObjectIdentifier(signatureAlgorithm.getOID())));
tbsCertificateElements.add(encodeName(issuerDN));
tbsCertificateElements.add(encodeValiditySequence(notBefore, notAfter));
tbsCertificateElements.add(encodeName(subjectDN));
if (publicKeyAlgorithmParameters == null) {
tbsCertificateElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID)), encodedPublicKey));
} else {
tbsCertificateElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID), publicKeyAlgorithmParameters), encodedPublicKey));
}
final ArrayList<ASN1Element> extensionElements = new ArrayList<>(extensions.length);
for (final X509CertificateExtension e : extensions) {
extensionElements.add(e.encode());
}
tbsCertificateElements.add(new ASN1Element(TYPE_EXPLICIT_EXTENSIONS, new ASN1Sequence(extensionElements).encode()));
final byte[] tbsCertificateBytes = new ASN1Sequence(tbsCertificateElements).encode();
signature.update(tbsCertificateBytes);
final byte[] signatureBytes = signature.sign();
return new ASN1BitString(ASN1BitString.getBitsForBytes(signatureBytes));
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CERT_GEN_SIGNATURE_CANNOT_COMPUTE.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
}
}
use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.
the class X509CertificateExtension method encode.
/**
* Encodes this extension to an ASN.1 element suitable for inclusion in an
* encoded X.509 certificate.
*
* @return The encoded representation of this extension.
*
* @throws CertException If a problem is encountered while encoding the
* extension.
*/
@NotNull()
ASN1Sequence encode() throws CertException {
try {
final ArrayList<ASN1Element> elements = new ArrayList<>(3);
elements.add(new ASN1ObjectIdentifier(oid));
if (isCritical) {
elements.add(ASN1Boolean.UNIVERSAL_BOOLEAN_TRUE_ELEMENT);
}
elements.add(new ASN1OctetString(value));
return new ASN1Sequence(elements);
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_EXTENSION_ENCODE_ERROR.get(toString(), StaticUtils.getExceptionMessage(e)), e);
}
}
Aggregations