
Example 11 with CertProviderException

use of de.carne.certmgr.certs.CertProviderException in project certmgr by hdecarne.

the class X509CRLHelper method isCRLSignedBy.

/**
 * Check whether a CRL object has been signed by a specific key pair.
 * <p>
 * Only the signature is verified. A {@code true} result says nothing about the
 * CRL's update window or about whether the signing key is trusted; callers need
 * to establish that separately.
 *
 * @param crl The CRL object to check.
 * @param publicKey The public key of the key pair to check.
 * @return {@code true} if the CRL object has been signed by the public key's key pair.
 * @throws IOException if a general security error occurs during the check.
 */
public static boolean isCRLSignedBy(X509CRL crl, PublicKey publicKey) throws IOException {
    try {
        crl.verify(publicKey);
    } catch (SignatureException | InvalidKeyException e) {
        // A signature mismatch, or a key that cannot be used with this CRL's
        // signature algorithm, both simply mean "not signed by this key".
        Exceptions.ignore(e);
        return false;
    } catch (GeneralSecurityException e) {
        // Any other security failure (unsupported algorithm, malformed CRL, ...)
        // is a real error and must not be mistaken for "not signed".
        throw new CertProviderException(e);
    }
    return true;
}

Example 12 with CertProviderException

use of de.carne.certmgr.certs.CertProviderException in project certmgr by hdecarne.

the class X509CRLHelper method generateCRL.

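/**
 * Generate a CRL object.
 * <p>
 * Every entry in {@code revokeEntries} is recorded with {@code lastUpdate} as its
 * revocation date; a revocation date present in {@code currentCRL} is not carried
 * over, so callers that need the original revocation time have to preserve it
 * themselves.
 *
 * @param currentCRL The current CRL object in case of an update (may be {@code null}); used to derive the next CRL number.
 * @param lastUpdate The last update timestamp to set (also used as the revocation date of every entry).
 * @param nextUpdate The next update timestamp to set (may be {@code null}).
 * @param revokeEntries The revoked entries, keyed by certificate serial number, mapped to their revocation reason.
 * @param issuerDN The CRL issuer's DN.
 * @param issuerKey The CRL issuer's key pair.
 * @param signatureAlgorithm The signature algorithm to use for signing.
 * @return The generated CRL object.
 * @throws IOException if an error occurs during generation.
 */
public static X509CRL generateCRL(@Nullable X509CRL currentCRL, Date lastUpdate, @Nullable Date nextUpdate, Map<BigInteger, ReasonFlag> revokeEntries, X500Principal issuerDN, KeyPair issuerKey, SignatureAlgorithm signatureAlgorithm) throws IOException {
    LOG.info("CRL generation ''{0}'' started...", issuerDN);
    // Initialize CRL builder
    JcaX509v2CRLBuilder crlBuilder = new JcaX509v2CRLBuilder(issuerDN, lastUpdate);
    if (nextUpdate != null) {
        crlBuilder.setNextUpdate(nextUpdate);
    }
    // Each revoked serial is stamped with lastUpdate as its revocation date
    for (Map.Entry<BigInteger, ReasonFlag> revokeEntry : revokeEntries.entrySet()) {
        crlBuilder.addCRLEntry(revokeEntry.getKey(), lastUpdate, revokeEntry.getValue().value());
    }
    X509CRL crl;
    try {
        // Add extensions: the authority key identifier binds the CRL to the issuer
        // key, the CRL number is derived from currentCRL (see getNextCRLNumber)
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerKey.getPublic()));
        BigInteger nextCRLNumber = getNextCRLNumber(currentCRL);
        crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(nextCRLNumber));
        // Sign and create CRL object
        ContentSigner crlSigner = new JcaContentSignerBuilder(signatureAlgorithm.algorithm()).build(issuerKey.getPrivate());
        crl = new JcaX509CRLConverter().getCRL(crlBuilder.build(crlSigner));
    } catch (GeneralSecurityException | OperatorCreationException e) {
        throw new CertProviderException(e);
    }
    // Completion message must match the start message above (this is CRL, not CRT, generation)
    LOG.info("CRL generation ''{0}'' done", issuerDN);
    return crl;
}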

Example 13 with CertProviderException

use of de.carne.certmgr.certs.CertProviderException in project certmgr by hdecarne.

the class KeyHelper method generateKey.

/**
 * Generate a Key object.
 *
 * @param algorithm The key pair algorithm to use.
 * @param keySize The key size to use, in bits as understood by the algorithm's {@link KeyPairGenerator}.
 * @return The generated Key object.
 * @throws IOException if an error occurs during generation.
 */
public static KeyPair generateKey(KeyPairAlgorithm algorithm, int keySize) throws IOException {
    KeyPair generated;
    try {
        LOG.info("Key pair generation {0}/{1} started...", algorithm, String.valueOf(keySize));
        KeyPairGenerator generator = algorithm.getInstance();
        // A key size the provider does not support surfaces as an unchecked
        // InvalidParameterException here; it is not translated below.
        generator.initialize(keySize);
        generated = generator.generateKeyPair();
        LOG.info("Key pair generation {0} done...", KeyHelper.toString(generated.getPublic()));
    } catch (GeneralSecurityException e) {
        throw new CertProviderException(e);
    }
    return generated;
}

Example 14 with CertProviderException

use of de.carne.certmgr.certs.CertProviderException in project certmgr by hdecarne.

the class PKCS10CertificateRequest method generateCSR.

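/**
 * Generate a CSR object.
 *
 * @param dn The CSR's Distinguished Name (DN).
 * @param key The CSR's key pair; the public key is embedded in the request and the private key signs it.
 * @param extensions The extension objects requested for the certificate; they are embedded as a
 *        PKCS#9 extensionRequest attribute, which is omitted when the list is empty.
 * @param signatureAlgorithm The signature algorithm to use.
 * @return The generated CSR object.
 * @throws IOException if an error occurs during generation.
 */
public static PKCS10CertificateRequest generateCSR(X500Principal dn, KeyPair key, List<X509ExtensionData> extensions, SignatureAlgorithm signatureAlgorithm) throws IOException {
    LOG.info("CSR generation ''{0}'' started...", dn);
    // Initialize CSR builder
    PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(dn, key.getPublic());
    // Add custom extension objects
    ExtensionsGenerator extensionGenerator = new ExtensionsGenerator();
    for (X509ExtensionData extensionData : extensions) {
        extensionGenerator.addExtension(new ASN1ObjectIdentifier(extensionData.oid()), extensionData.getCritical(), extensionData.encode());
    }
    // Extensions is SEQUENCE SIZE (1..MAX): never emit an extensionRequest
    // attribute carrying an empty extension list
    if (!extensionGenerator.isEmpty()) {
        csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionGenerator.generate());
    }
    PKCS10CertificateRequest csr;
    try {
        // Sign CSR with the request's own private key (proof of possession)
        ContentSigner csrSigner = new JcaContentSignerBuilder(signatureAlgorithm.algorithm()).build(key.getPrivate());
        csr = fromPKCS10(csrBuilder.build(csrSigner));
    } catch (OperatorCreationException e) {
        throw new CertProviderException(e);
    }
    LOG.info("CSR generation ''{0}'' done", dn);
    return csr;
}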

Example 15 with CertProviderException

use of de.carne.certmgr.certs.CertProviderException in project certmgr by hdecarne.

the class X509CertificateHelper method isCRTSignedBy.

/**
 * Check whether a certificate has been signed by a specific key pair.
 * <p>
 * Only the signature is verified. A {@code true} result does not imply that the
 * certificate is within its validity period, is unrevoked, or that the signing
 * key is trusted; those checks belong to the caller.
 *
 * @param crt The certificate to check.
 * @param publicKey The public key of the key pair to check.
 * @return {@code true} if the certificate has been signed by the public key's key pair.
 * @throws IOException if a general security error occurs during the check.
 */
public static boolean isCRTSignedBy(X509Certificate crt, PublicKey publicKey) throws IOException {
    try {
        crt.verify(publicKey);
    } catch (SignatureException | InvalidKeyException e) {
        // A signature mismatch, or a key unusable for this certificate's
        // signature algorithm, both mean "not signed by this key".
        Exceptions.ignore(e);
        return false;
    } catch (GeneralSecurityException e) {
        // Any other security failure (unsupported algorithm, encoding error, ...)
        // is a real error and must not be reported as "not signed".
        throw new CertProviderException(e);
    }
    return true;
}
