Search in sources :

Example 26 with ASN1ObjectIdentifier

use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.

the class PKCS10CertificateSigningRequest method verifySignature.

/**
 * Verifies the signature for this certificate signing request.
 *
 * @throws  CertException  If the certificate signing request's signature
 *                         could not be verified.
 */
public void verifySignature() throws CertException {
    // Generate the public key for this certificate signing request.
    final PublicKey publicKey;
    try {
        final byte[] encodedPublicKeyBytes;
        if (publicKeyAlgorithmParameters == null) {
            encodedPublicKeyBytes = new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID)), encodedPublicKey).encode();
        } else {
            encodedPublicKeyBytes = new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID), publicKeyAlgorithmParameters), encodedPublicKey).encode();
        }
        final KeyFactory keyFactory = CryptoHelper.getKeyFactory(getPublicKeyAlgorithmNameOrOID());
        publicKey = keyFactory.generatePublic(new X509EncodedKeySpec(encodedPublicKeyBytes));
    } catch (final Exception e) {
        Debug.debugException(e);
        throw new CertException(ERR_CSR_VERIFY_SIGNATURE_CANNOT_GET_PUBLIC_KEY.get(StaticUtils.getExceptionMessage(e)), e);
    }
    // Get and initialize the signature generator.
    final Signature signature;
    final SignatureAlgorithmIdentifier signatureAlgorithm;
    try {
        signatureAlgorithm = SignatureAlgorithmIdentifier.forOID(signatureAlgorithmOID);
        signature = CryptoHelper.getSignature(signatureAlgorithm.getJavaName());
    } catch (final Exception e) {
        Debug.debugException(e);
        throw new CertException(ERR_CSR_VERIFY_SIGNATURE_CANNOT_GET_SIGNATURE_VERIFIER.get(getSignatureAlgorithmNameOrOID(), StaticUtils.getExceptionMessage(e)), e);
    }
    try {
        signature.initVerify(publicKey);
    } catch (final Exception e) {
        Debug.debugException(e);
        throw new CertException(ERR_CSR_VERIFY_SIGNATURE_CANNOT_INIT_SIGNATURE_VERIFIER.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
    }
    // Construct the requestInfo element of the certificate signing request and
    // compute its signature.
    final boolean signatureIsValid;
    try {
        final ASN1Element[] requestInfoElements = ASN1Sequence.decodeAsSequence(pkcs10CertificateSigningRequestBytes).elements();
        final byte[] requestInfoBytes = requestInfoElements[0].encode();
        signature.update(requestInfoBytes);
        signatureIsValid = signature.verify(signatureValue.getBytes());
    } catch (final Exception e) {
        Debug.debugException(e);
        throw new CertException(ERR_CSR_VERIFY_SIGNATURE_ERROR.get(subjectDN, StaticUtils.getExceptionMessage(e)), e);
    }
    if (!signatureIsValid) {
        throw new CertException(ERR_CSR_VERIFY_SIGNATURE_NOT_VALID.get(subjectDN));
    }
}
Also used : PublicKey(java.security.PublicKey) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) ASN1Sequence(com.unboundid.asn1.ASN1Sequence) Signature(java.security.Signature) ASN1Element(com.unboundid.asn1.ASN1Element) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) KeyFactory(java.security.KeyFactory)

Example 27 with ASN1ObjectIdentifier

use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.

the class PKCS10CertificateSigningRequest method generateSignature.

/**
 * Generates a signature for the certificate signing request with the provided
 * information.
 *
 * @param  signatureAlgorithm            The signature algorithm to use to
 *                                       generate the signature.  This must
 *                                       not be {@code null}.
 * @param  privateKey                    The private key to use to sign the
 *                                       certificate signing request.  This
 *                                       must not be {@code null}.
 * @param  subjectDN                     The subject DN for the certificate
 *                                       signing request.  This must not be
 *                                       {@code null}.
 * @param  publicKeyAlgorithmOID         The OID for the public key algorithm.
 *                                       This must not be {@code null}.
 * @param  publicKeyAlgorithmParameters  The encoded public key algorithm
 *                                       parameters.  This may be
 *                                       {@code null} if no parameters are
 *                                       needed.
 * @param  encodedPublicKey              The encoded representation of the
 *                                       public key.  This must not be
 *                                       {@code null}.
 * @param  extensions                    The set of extensions to include in
 *                                       the certificate signing request.
 *                                       This must not be {@code null} but
 *                                       may be empty.
 *
 * @return  An encoded representation of the generated signature.
 *
 * @throws  CertException  If a problem is encountered while generating the
 *                         certificate.
 */
@NotNull()
private static ASN1BitString generateSignature(@NotNull final SignatureAlgorithmIdentifier signatureAlgorithm, @NotNull final PrivateKey privateKey, @NotNull final DN subjectDN, @NotNull final OID publicKeyAlgorithmOID, @Nullable final ASN1Element publicKeyAlgorithmParameters, @NotNull final ASN1BitString encodedPublicKey, @NotNull final X509CertificateExtension... extensions) throws CertException {
    // Get and initialize the signature generator.
    final Signature signature;
    try {
        signature = CryptoHelper.getSignature(signatureAlgorithm.getJavaName());
    } catch (final Exception e) {
        Debug.debugException(e);
        throw new CertException(ERR_CSR_GEN_SIGNATURE_CANNOT_GET_SIGNATURE_GENERATOR.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
    }
    try {
        signature.initSign(privateKey);
    } catch (final Exception e) {
        Debug.debugException(e);
        throw new CertException(ERR_CSR_GEN_SIGNATURE_CANNOT_INIT_SIGNATURE_GENERATOR.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
    }
    // compute its signature.
    try {
        final ArrayList<ASN1Element> requestInfoElements = new ArrayList<>(4);
        requestInfoElements.add(new ASN1Integer(PKCS10CertificateSigningRequestVersion.V1.getIntValue()));
        requestInfoElements.add(X509Certificate.encodeName(subjectDN));
        if (publicKeyAlgorithmParameters == null) {
            requestInfoElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID)), encodedPublicKey));
        } else {
            requestInfoElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID), publicKeyAlgorithmParameters), encodedPublicKey));
        }
        final ArrayList<ASN1Element> attrElements = new ArrayList<>(1);
        if ((extensions != null) && (extensions.length > 0)) {
            final ArrayList<ASN1Element> extensionElements = new ArrayList<>(extensions.length);
            for (final X509CertificateExtension e : extensions) {
                extensionElements.add(e.encode());
            }
            attrElements.add(new ASN1Sequence(new ASN1ObjectIdentifier(ATTRIBUTE_OID_EXTENSIONS), new ASN1Set(new ASN1Sequence(extensionElements))));
        }
        requestInfoElements.add(new ASN1Set(TYPE_ATTRIBUTES, attrElements));
        final byte[] certificationRequestInfoBytes = new ASN1Sequence(requestInfoElements).encode();
        signature.update(certificationRequestInfoBytes);
        final byte[] signatureBytes = signature.sign();
        return new ASN1BitString(ASN1BitString.getBitsForBytes(signatureBytes));
    } catch (final Exception e) {
        Debug.debugException(e);
        throw new CertException(ERR_CSR_GEN_SIGNATURE_CANNOT_COMPUTE.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
    }
}
Also used : ArrayList(java.util.ArrayList) ASN1Integer(com.unboundid.asn1.ASN1Integer) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Sequence(com.unboundid.asn1.ASN1Sequence) ASN1Set(com.unboundid.asn1.ASN1Set) Signature(java.security.Signature) ASN1Element(com.unboundid.asn1.ASN1Element) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) NotNull(com.unboundid.util.NotNull)

Example 28 with ASN1ObjectIdentifier

use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.

the class X509Certificate method encodeName.

/**
 * Encodes the provided DN as an X.509 name for inclusion in an encoded
 * certificate.
 *
 * @param  dn  The DN to encode.
 *
 * @return  The encoded X.509 name.
 *
 * @throws  CertException  If a problem is encountered while encoding the
 *                         provided DN as an X.509 name.
 */
@NotNull()
static ASN1Element encodeName(@NotNull final DN dn) throws CertException {
    final Schema schema;
    try {
        schema = Schema.getDefaultStandardSchema();
    } catch (final Exception e) {
        Debug.debugException(e);
        throw new CertException(ERR_CERT_ENCODE_NAME_CANNOT_GET_SCHEMA.get(String.valueOf(dn), StaticUtils.getExceptionMessage(e)), e);
    }
    final RDN[] rdns = dn.getRDNs();
    final ArrayList<ASN1Element> rdnSequenceElements = new ArrayList<>(rdns.length);
    for (int i = rdns.length - 1; i >= 0; i--) {
        final RDN rdn = rdns[i];
        final String[] names = rdn.getAttributeNames();
        final String[] values = rdn.getAttributeValues();
        final ArrayList<ASN1Element> rdnElements = new ArrayList<>(names.length);
        for (int j = 0; j < names.length; j++) {
            final AttributeTypeDefinition at = schema.getAttributeType(names[j]);
            if (at == null) {
                throw new CertException(ERR_CERT_ENCODE_NAME_UNKNOWN_ATTR_TYPE.get(String.valueOf(dn), names[j]));
            }
            try {
                rdnElements.add(new ASN1Sequence(new ASN1ObjectIdentifier(at.getOID()), new ASN1UTF8String(values[j])));
            } catch (final Exception e) {
                Debug.debugException(e);
                throw new CertException(ERR_CERT_ENCODE_NAME_ERROR.get(String.valueOf(dn), StaticUtils.getExceptionMessage(e)), e);
            }
        }
        rdnSequenceElements.add(new ASN1Set(rdnElements));
    }
    return new ASN1Sequence(rdnSequenceElements);
}
Also used : ASN1UTF8String(com.unboundid.asn1.ASN1UTF8String) Schema(com.unboundid.ldap.sdk.schema.Schema) ArrayList(java.util.ArrayList) ASN1UTF8String(com.unboundid.asn1.ASN1UTF8String) ASN1OctetString(com.unboundid.asn1.ASN1OctetString) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Exception(com.unboundid.asn1.ASN1Exception) CertificateException(java.security.cert.CertificateException) AttributeTypeDefinition(com.unboundid.ldap.sdk.schema.AttributeTypeDefinition) ASN1Sequence(com.unboundid.asn1.ASN1Sequence) ASN1Set(com.unboundid.asn1.ASN1Set) ASN1Element(com.unboundid.asn1.ASN1Element) RDN(com.unboundid.ldap.sdk.RDN) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) NotNull(com.unboundid.util.NotNull)

Example 29 with ASN1ObjectIdentifier

use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.

the class X509Certificate method generateSignature.

/**
 * Generates a signature for the certificate with the provided information.
 *
 * @param  signatureAlgorithm            The signature algorithm to use to
 *                                       generate the signature.  This must
 *                                       not be {@code null}.
 * @param  privateKey                    The private key to use to sign the
 *                                       certificate.  This must not be
 *                                       {@code null}.
 * @param  serialNumber                  The serial number for the
 *                                       certificate.  This must not be
 *                                       {@code null}.
 * @param  issuerDN                      The issuer DN for the certificate.
 *                                       This must not be {@code null}.
 * @param  notBefore                     The validity start time for the
 *                                       certificate.
 * @param  notAfter                      The validity end time for the
 *                                       certificate.
 * @param  subjectDN                     The subject DN for the certificate.
 *                                       This must not be {@code null}.
 * @param  publicKeyAlgorithmOID         The OID for the public key algorithm.
 *                                       This must not be {@code null}.
 * @param  publicKeyAlgorithmParameters  The encoded public key algorithm
 *                                       parameters.  This may be
 *                                       {@code null} if no parameters are
 *                                       needed.
 * @param  encodedPublicKey              The encoded representation of the
 *                                       public key.  This must not be
 *                                       {@code null}.
 * @param  extensions                    The set of extensions to include in
 *                                       the certificate.  This must not be
 *                                       {@code null} but may be empty.
 *
 * @return  An encoded representation of the generated signature.
 *
 * @throws  CertException  If a problem is encountered while generating the
 *                         certificate.
 */
@NotNull()
private static ASN1BitString generateSignature(@NotNull final SignatureAlgorithmIdentifier signatureAlgorithm, @NotNull final PrivateKey privateKey, @NotNull final BigInteger serialNumber, @NotNull final DN issuerDN, final long notBefore, final long notAfter, @NotNull final DN subjectDN, @NotNull final OID publicKeyAlgorithmOID, @Nullable final ASN1Element publicKeyAlgorithmParameters, @NotNull final ASN1BitString encodedPublicKey, @NotNull final X509CertificateExtension... extensions) throws CertException {
    // Get and initialize the signature generator.
    final Signature signature;
    try {
        signature = CryptoHelper.getSignature(signatureAlgorithm.getJavaName());
    } catch (final Exception e) {
        Debug.debugException(e);
        throw new CertException(ERR_CERT_GEN_SIGNATURE_CANNOT_GET_SIGNATURE_GENERATOR.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
    }
    try {
        signature.initSign(privateKey);
    } catch (final Exception e) {
        Debug.debugException(e);
        throw new CertException(ERR_CERT_GEN_SIGNATURE_CANNOT_INIT_SIGNATURE_GENERATOR.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
    }
    // signature.
    try {
        final ArrayList<ASN1Element> tbsCertificateElements = new ArrayList<>(8);
        tbsCertificateElements.add(new ASN1Element(TYPE_EXPLICIT_VERSION, new ASN1Integer(X509CertificateVersion.V3.getIntValue()).encode()));
        tbsCertificateElements.add(new ASN1BigInteger(serialNumber));
        tbsCertificateElements.add(new ASN1Sequence(new ASN1ObjectIdentifier(signatureAlgorithm.getOID())));
        tbsCertificateElements.add(encodeName(issuerDN));
        tbsCertificateElements.add(encodeValiditySequence(notBefore, notAfter));
        tbsCertificateElements.add(encodeName(subjectDN));
        if (publicKeyAlgorithmParameters == null) {
            tbsCertificateElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID)), encodedPublicKey));
        } else {
            tbsCertificateElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID), publicKeyAlgorithmParameters), encodedPublicKey));
        }
        final ArrayList<ASN1Element> extensionElements = new ArrayList<>(extensions.length);
        for (final X509CertificateExtension e : extensions) {
            extensionElements.add(e.encode());
        }
        tbsCertificateElements.add(new ASN1Element(TYPE_EXPLICIT_EXTENSIONS, new ASN1Sequence(extensionElements).encode()));
        final byte[] tbsCertificateBytes = new ASN1Sequence(tbsCertificateElements).encode();
        signature.update(tbsCertificateBytes);
        final byte[] signatureBytes = signature.sign();
        return new ASN1BitString(ASN1BitString.getBitsForBytes(signatureBytes));
    } catch (final Exception e) {
        Debug.debugException(e);
        throw new CertException(ERR_CERT_GEN_SIGNATURE_CANNOT_COMPUTE.get(signatureAlgorithm.getJavaName(), StaticUtils.getExceptionMessage(e)), e);
    }
}
Also used : ArrayList(java.util.ArrayList) ASN1BigInteger(com.unboundid.asn1.ASN1BigInteger) ASN1Integer(com.unboundid.asn1.ASN1Integer) ASN1Exception(com.unboundid.asn1.ASN1Exception) CertificateException(java.security.cert.CertificateException) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Sequence(com.unboundid.asn1.ASN1Sequence) Signature(java.security.Signature) ASN1Element(com.unboundid.asn1.ASN1Element) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) NotNull(com.unboundid.util.NotNull)

Example 30 with ASN1ObjectIdentifier

use of com.unboundid.asn1.ASN1ObjectIdentifier in project ldapsdk by pingidentity.

the class X509CertificateExtension method encode.

/**
 * Encodes this extension to an ASN.1 element suitable for inclusion in an
 * encoded X.509 certificate.
 *
 * @return  The encoded representation of this extension.
 *
 * @throws  CertException  If a problem is encountered while encoding the
 *                         extension.
 */
@NotNull()
ASN1Sequence encode() throws CertException {
    try {
        final ArrayList<ASN1Element> elements = new ArrayList<>(3);
        elements.add(new ASN1ObjectIdentifier(oid));
        if (isCritical) {
            elements.add(ASN1Boolean.UNIVERSAL_BOOLEAN_TRUE_ELEMENT);
        }
        elements.add(new ASN1OctetString(value));
        return new ASN1Sequence(elements);
    } catch (final Exception e) {
        Debug.debugException(e);
        throw new CertException(ERR_EXTENSION_ENCODE_ERROR.get(toString(), StaticUtils.getExceptionMessage(e)), e);
    }
}
Also used : ASN1OctetString(com.unboundid.asn1.ASN1OctetString) ASN1Sequence(com.unboundid.asn1.ASN1Sequence) ASN1Element(com.unboundid.asn1.ASN1Element) ArrayList(java.util.ArrayList) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) NotNull(com.unboundid.util.NotNull)

Aggregations

ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)545 IOException (java.io.IOException)155 ASN1ObjectIdentifier (com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)126 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)87 DEROctetString (org.bouncycastle.asn1.DEROctetString)87 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)71 AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)71 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)70 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)69 Enumeration (java.util.Enumeration)65 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)64 BigInteger (java.math.BigInteger)60 DERSequence (org.bouncycastle.asn1.DERSequence)60 ArrayList (java.util.ArrayList)55 HashSet (java.util.HashSet)52 DERIA5String (org.bouncycastle.asn1.DERIA5String)52 X500Name (org.bouncycastle.asn1.x500.X500Name)52 X509Certificate (java.security.cert.X509Certificate)49 Extension (org.bouncycastle.asn1.x509.Extension)46 ASN1String (org.bouncycastle.asn1.ASN1String)43