use of com.venafi.vcert.sdk.VCertException in project vcert-java by Venafi.
the class TppConnector method getPolicy.
/**
 * Retrieves the TPP policy named {@code policyName} and converts it to a {@link PolicySpecification}.
 * Any failure while fetching or converting the policy is surfaced as a {@link VCertException}.
 *
 * @param policyName name of the TPP policy to read
 * @return the converted policy specification
 * @throws VCertException when retrieval or conversion fails
 */
@Override
public PolicySpecification getPolicy(String policyName) throws VCertException {
    try {
        TPPPolicy tppPolicy = getTPPPolicy(policyName);
        return TPPPolicySpecificationConverter.INSTANCE.convertToPolicySpecification(tppPolicy);
    } catch (Exception failure) {
        // Broad catch on purpose: every retrieval/conversion error is reported through the SDK's exception type.
        throw new VCertException(failure);
    }
}
use of com.venafi.vcert.sdk.VCertException in project vcert-java by Venafi.
the class PEMCollection method fromStringPEMCollection.
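/**
 * Builds a {@link PEMCollection} from PEM text holding certificates and, optionally, a private key.
 * <p>
 * Certificates are collected in the order they appear in the text; every other PEM object is passed to
 * {@code parsePrivateKey} and replaces {@code privateKey}. The first certificate (the last one for
 * {@link ChainOption#ChainOptionRootFirst}) becomes the end-entity certificate; the remaining ones form the
 * chain unless {@code chainOption} is {@link ChainOption#ChainOptionIgnore}.
 *
 * @param stringPemCollection PEM text to parse
 * @param chainOption ordering of the certificates in the text; must not be {@code null}
 * @param privateKey fallback private key, kept when the text contains no key object
 * @param privateKeyPassword password used to decrypt an encrypted key; also stored on the result
 * @param dataFormat data format recorded on the result
 * @return the populated collection (without certificate when the text held none)
 * @throws VCertException when the PEM text cannot be parsed
 */
public static PEMCollection fromStringPEMCollection(String stringPemCollection, ChainOption chainOption, PrivateKey privateKey, String privateKeyPassword, DataFormat dataFormat) throws VCertException {
    List<X509Certificate> chain = new ArrayList<>();
    JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter();
    // 1. Extract the certificates and the private key; the parser is closed on every path.
    try (PEMParser pemParser = new PEMParser(new StringReader(stringPemCollection))) {
        for (Object pemObject = pemParser.readObject(); pemObject != null; pemObject = pemParser.readObject()) {
            if (pemObject instanceof X509CertificateHolder) {
                chain.add(certificateConverter.getCertificate((X509CertificateHolder) pemObject));
            } else {
                privateKey = parsePrivateKey(pemObject, privateKeyPassword);
            }
        }
    } catch (IOException | CertificateException | PKCSException | OperatorCreationException e) {
        throw new VCertException("Unable to parse certificate from response", e);
    }
    // 2. Order the certificates: pick the end-entity certificate and the issuers that go with it.
    PEMCollection pemCollection = new PEMCollection();
    if (!chain.isEmpty()) {
        boolean includeChain = chain.size() > 1 && chainOption != ChainOption.ChainOptionIgnore;
        switch (chainOption) {
            case ChainOptionRootFirst:
                // Root-first input: the end-entity certificate is last, its issuers precede it.
                pemCollection.certificate(chain.get(chain.size() - 1));
                if (includeChain) {
                    for (X509Certificate issuer : chain.subList(0, chain.size() - 1)) {
                        pemCollection.chain().add(issuer);
                    }
                }
                break;
            default:
                // Leaf-first input: the end-entity certificate is first, its issuers follow it.
                pemCollection.certificate(chain.get(0));
                if (includeChain) {
                    for (X509Certificate issuer : chain.subList(1, chain.size())) {
                        pemCollection.chain().add(issuer);
                    }
                }
                break;
        }
    }
    pemCollection.privateKey(privateKey);
    pemCollection.privateKeyPassword(privateKeyPassword);
    pemCollection.dataFormat(dataFormat);
    return pemCollection;
}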
use of com.venafi.vcert.sdk.VCertException in project vcert-java by Venafi.
the class CloudConnector method retrieveCertificateAsPemCollectionFromCSRServiceGenerated.
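/**
 * Retrieves a service-generated certificate together with its private key from Venafi Cloud.
 * <p>
 * The request's key password is sealed with {@code serverPublicKey} and sent along so the service can
 * protect the returned private key with it; the keystore is then fetched and converted to a
 * {@link PEMCollection}.
 *
 * @param request certificate request; {@code certId()}, {@code keyPassword()}, {@code chainOption()}
 *        and {@code dataFormat()} are read from it
 * @param serverPublicKey public key used to seal the key password for the service
 * @param chainOption not used; the chain option is taken from {@code request.chainOption()}
 * @return the certificate, its chain and the private key
 * @throws VCertException when sealing the password or retrieving the keystore fails
 */
private PEMCollection retrieveCertificateAsPemCollectionFromCSRServiceGenerated(CertificateRequest request, byte[] serverPublicKey, String chainOption) throws VCertException {
    String encodedMessage;
    try {
        // Encode the passphrase as UTF-8 explicitly: the platform default charset would make the
        // sealed bytes depend on the JVM the client runs on.
        byte[] passphrase = request.keyPassword().getBytes(java.nio.charset.StandardCharsets.UTF_8);
        byte[] cipherText = SealedBoxUtility.cryptoBoxSeal(serverPublicKey, passphrase);
        encodedMessage = Base64.getEncoder().encodeToString(cipherText);
    } catch (Exception e) {
        throw new VCertException(e);
    }
    KeystoreRequest keystoreRequest = new KeystoreRequest()
        .exportFormat("PEM")
        .encryptedPrivateKeyPassphrase(encodedMessage)
        .encryptedKeystorePassphrase("")
        .certificateLabel("");
    InputStream keyStoreAsStream;
    try {
        Response response = cloud.retrieveKeystore(request.certId(), keystoreRequest, auth.apiKey());
        keyStoreAsStream = response.body().asInputStream();
    } catch (IOException e) {
        throw new VCertException(e);
    }
    // NOTE(review): the response stream is handed over to the converter; presumably closed there — confirm.
    return CloudConnectorUtils.getPEMCollectionFromKeyStoreAsStream(keyStoreAsStream, request.certId(), request.chainOption(), request.keyPassword(), request.dataFormat());
}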
use of com.venafi.vcert.sdk.VCertException in project vcert-java by Venafi.
the class CertificateRequest method checkCertificate.
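/**
 * Checks that {@code certificate} was issued for the public key of this request.
 * <p>
 * With a complete local key pair, the certificate's public key is compared with {@code keyPair.getPublic()};
 * otherwise, when a PEM-encoded CSR is present, it is compared with the CSR's subject public key. With
 * neither available nothing is compared and {@code true} is returned. When a key pair is present and no
 * {@code keyType} was set, the default key type is assigned.
 *
 * @param certificate certificate to check against the request
 * @return {@code true} when the check passes; mismatches are reported by exception, never by {@code false}
 * @throws VCertException on a key type, key or curve-parameter mismatch, on an unsupported key algorithm,
 *         or when the CSR cannot be read
 */
public boolean checkCertificate(Certificate certificate) throws VCertException {
    PublicKeyAlgorithm publicKeyAlgorithm = KeyType.from(certificate.getPublicKey().getAlgorithm()).X509Type();
    if (keyPair != null && keyPair.getPublic() != null && keyPair.getPrivate() != null) {
        keyType = keyType == null ? KeyType.defaultKeyType() : keyType;
        if (keyType.X509Type() != publicKeyAlgorithm) {
            throw new VCertException(format("unmatched key type: %s, %s", keyType.X509Type(), publicKeyAlgorithm.name()));
        }
        requireSamePublicKey(publicKeyAlgorithm, certificate.getPublicKey(), keyPair.getPublic());
    } else if (Objects.nonNull(csr) && csr.length != 0) {
        // PEM is ASCII, so decoding the stored CSR bytes as UTF-8 does not depend on the platform charset.
        String pemCsr = new String(csr, java.nio.charset.StandardCharsets.UTF_8);
        // try-with-resources closes the reader on the error paths as well, not only after success.
        try (PemReader pemReader = new PemReader(new StringReader(pemCsr))) {
            org.bouncycastle.util.io.pem.PemObject pemObject = pemReader.readPemObject();
            // No PEM armour in the input: report it as a bad CSR instead of a NullPointerException.
            if (pemObject == null) {
                throw new VCertException("bad csr: no PEM object found");
            }
            PKCS10CertificationRequest certificationRequest = new PKCS10CertificationRequest(pemObject.getContent());
            AlgorithmNameFinder nameFinder = new DefaultAlgorithmNameFinder();
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
            PublicKeyAlgorithm csrPublicKeyAlgorithm = PublicKeyAlgorithm.valueOf(
                String.valueOf(nameFinder.getAlgorithmName(certificationRequest.getSubjectPublicKeyInfo().getAlgorithm())));
            if (publicKeyAlgorithm != csrPublicKeyAlgorithm) {
                throw new VCertException(format("unmatched key type: %s, %s", publicKeyAlgorithm, csrPublicKeyAlgorithm));
            }
            requireSamePublicKey(csrPublicKeyAlgorithm, certificate.getPublicKey(),
                converter.getPublicKey(certificationRequest.getSubjectPublicKeyInfo()));
        } catch (IOException e) {
            throw new VCertException(format("bad csr: %s", e.getMessage()), e);
        }
    }
    return true;
}

/**
 * Throws unless {@code certKey} and {@code requestKey} are the same key for {@code algorithm}.
 * Unsupported algorithms are rejected rather than silently accepted.
 *
 * @param algorithm algorithm both keys are expected to use
 * @param certKey public key taken from the certificate
 * @param requestKey public key taken from the key pair or the CSR
 * @throws VCertException when the keys differ or the algorithm is not supported
 */
private static void requireSamePublicKey(PublicKeyAlgorithm algorithm, java.security.PublicKey certKey, java.security.PublicKey requestKey) throws VCertException {
    switch (algorithm) {
        case RSA:
            // Only the modulus is compared; the public exponent is not part of the check.
            if (!((RSAPublicKey) certKey).getModulus().equals(((RSAPublicKey) requestKey).getModulus())) {
                throw new VCertException("unmatched key modules");
            }
            break;
        case ECDSA:
            if (!sameEcParameters((ECPublicKey) certKey, (ECPublicKey) requestKey)) {
                throw new VCertException("unmatched parameters for elliptic keys");
            }
            break;
        default:
            throw new VCertException(format("unknown key algorithm %s", algorithm.name()));
    }
}

/**
 * Compares the domain parameters of two EC public keys: cofactor, order, generator and, unless the
 * curve objects are the same instance, the curve coefficients and field size.
 * See https://stackoverflow.com/questions/24121801/how-to-verify-if-the-private-key-matches-with-the-certificate
 */
private static boolean sameEcParameters(ECPublicKey certKey, ECPublicKey requestKey) {
    java.security.spec.ECParameterSpec certSpec = certKey.getParams(), requestSpec = requestKey.getParams();
    if (certSpec == requestSpec) {
        return true;
    }
    if (certSpec.getCofactor() != requestSpec.getCofactor()
        || !certSpec.getOrder().equals(requestSpec.getOrder())
        || !certSpec.getGenerator().equals(requestSpec.getGenerator())) {
        return false;
    }
    java.security.spec.EllipticCurve certCurve = certSpec.getCurve(), requestCurve = requestSpec.getCurve();
    if (certCurve == requestCurve) {
        return true;
    }
    return certCurve.getA().equals(requestCurve.getA())
        && certCurve.getB().equals(requestCurve.getB())
        && certCurve.getField().getFieldSize() == requestCurve.getField().getFieldSize();
}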
use of com.venafi.vcert.sdk.VCertException in project vcert-java by Venafi.
the class TppConnectorUtils method populatePolicy.
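/**
 * Populates {@code tppPolicy} with the attributes TPP reports for the policy named
 * {@code tppPolicy.policyName()}.
 * <p>
 * The policy is fetched through {@code tppAPI}; a transport failure, a missing response or an error
 * reported in the response are all surfaced as {@link VCertException}. A response without a policy body
 * leaves {@code tppPolicy} unchanged.
 *
 * @param tppPolicy policy object to fill; its {@code policyName()} selects the TPP policy
 * @param tppAPI API used to fetch the policy
 * @return {@code tppPolicy}, populated
 * @throws VCertException when the policy cannot be retrieved or TPP reports an error
 */
public static TPPPolicy populatePolicy(TPPPolicy tppPolicy, TppAPI tppAPI) throws VCertException {
    GetPolicyResponse getPolicyResponse;
    try {
        getPolicyResponse = tppAPI.getPolicy(new GetPolicyRequest(tppPolicy.policyName()));
    } catch (Exception e) {
        throw new VCertException(e);
    }
    // Fail closed: a missing response would otherwise surface as a NullPointerException on policy().
    if (getPolicyResponse == null) {
        throw new VCertException("no policy response received for " + tppPolicy.policyName());
    }
    if (getPolicyResponse.error() != null) {
        throw new VCertException(getPolicyResponse.error());
    }
    PolicyResponse policyResponse = getPolicyResponse.policy();
    if (policyResponse == null) {
        return tppPolicy;
    }
    // Domain suffix white list
    tppPolicy.domainSuffixWhiteList(policyResponse.whitelistedDomains());
    // Prohibited wildcard: TPP reports "allowed", the policy attribute is "prohibit", so the flag is inverted
    tppPolicy.prohibitWildcard(policyResponse.wildcardsAllowed() ? 0 : 1);
    // Certificate authority
    tppPolicy.certificateAuthority(policyResponse.certificateAuthority() != null ? policyResponse.certificateAuthority().value() : null);
    // Management type
    if (policyResponse.managementType() != null) {
        tppPolicy.managementType(policyResponse.managementType().value(), policyResponse.managementType().locked());
    }
    copySubjectAttributes(tppPolicy, policyResponse.subject());
    copyKeyPairAttributes(tppPolicy, policyResponse.keyPair());
    // Manual CSR: "0" when the service generates the CSR, "1" when the user provides it
    if (policyResponse.csrGeneration() != null) {
        String csrGeneration = policyResponse.csrGeneration().value();
        if ("ServiceGenerated".equals(csrGeneration)) {
            tppPolicy.manualCsr("0", policyResponse.csrGeneration().locked());
        } else if ("UserProvided".equals(csrGeneration)) {
            tppPolicy.manualCsr("1", policyResponse.csrGeneration().locked());
        }
    }
    // Allow private key reuse
    tppPolicy.allowPrivateKeyReuse(policyResponse.privateKeyReuseAllowed() ? "1" : "0", true);
    // Want renewal
    // NOTE(review): derived from privateKeyReuseAllowed(), like the attribute above — confirm
    // PolicyResponse has no dedicated renewal flag that should be used here instead.
    tppPolicy.wantRenewal(policyResponse.privateKeyReuseAllowed() ? "1" : "0", true);
    // Prohibited SAN types
    setProhibitedSANTypes(tppPolicy, policyResponse);
    return tppPolicy;
}

/** Copies the subject attributes TPP reports (organization, OU, city, state, country) with their lock state. */
private static void copySubjectAttributes(TPPPolicy tppPolicy, SubjectResponse subjectResponse) {
    if (subjectResponse == null) {
        return;
    }
    if (subjectResponse.organization() != null) {
        tppPolicy.organization(subjectResponse.organization().value(), subjectResponse.organization().locked());
    }
    if (subjectResponse.organizationalUnit() != null) {
        tppPolicy.organizationalUnit(subjectResponse.organizationalUnit().values(), subjectResponse.organizationalUnit().locked());
    }
    if (subjectResponse.city() != null) {
        tppPolicy.city(subjectResponse.city().value(), subjectResponse.city().locked());
    }
    if (subjectResponse.state() != null) {
        tppPolicy.state(subjectResponse.state().value(), subjectResponse.state().locked());
    }
    if (subjectResponse.country() != null) {
        tppPolicy.country(subjectResponse.country().value(), subjectResponse.country().locked());
    }
}

/** Copies the key algorithm, key bit strength and elliptic curve TPP reports with their lock state. */
private static void copyKeyPairAttributes(TPPPolicy tppPolicy, KeyPairResponse keyPairResponse) {
    if (keyPairResponse == null) {
        return;
    }
    if (keyPairResponse.keyAlgorithm() != null) {
        tppPolicy.keyAlgorithm(keyPairResponse.keyAlgorithm().value(), keyPairResponse.keyAlgorithm().locked());
    }
    if (keyPairResponse.keySize() != null) {
        // The policy stores the bit strength as text.
        tppPolicy.keyBitStrength(keyPairResponse.keySize().value().toString(), keyPairResponse.keySize().locked());
    }
    if (keyPairResponse.ellipticCurve() != null) {
        tppPolicy.ellipticCurve(keyPairResponse.ellipticCurve().value(), keyPairResponse.ellipticCurve().locked());
    }
}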