Example 41 with Certificate
use of org.apache.harmony.security.x509.Certificate in project xipki by xipki.
the class CmpCaClient method init.
public void init() throws Exception {
TlsInit.init();
if (caCert != null) {
return;
}
Certificate tcert = cmpCaCerts()[0];
this.caSubject = tcert.getSubject();
this.caCert = SdkUtil.parseCert(tcert.getEncoded());
this.caSubjectKeyIdentifier = SdkUtil.extractSki(this.caCert);
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Example 42 with Certificate
use of org.apache.harmony.security.x509.Certificate in project xipki by xipki.
the class CaLoadTestRevokeCmd method execute0.
@Override
protected Object execute0() throws Exception {
if (numThreads < 1) {
throw new IllegalCmdParamException("invalid number of threads " + numThreads);
}
if (!(serialNumberFile == null ^ caDbConfFile == null)) {
throw new IllegalCmdParamException("exactly one of ca-db and serial-file must be specified");
}
String description = StringUtil.concatObjectsCap(200, "issuer: ", issuerCertFile, "\ncadb: ", caDbConfFile, "\nserialNumberFile: ", serialNumberFile, "\nmaxCerts: ", maxCerts, "\n#certs/req: ", num, "\nunit: ", num, " certificate", (num > 1 ? "s" : ""), "\n");
Certificate caCert = Certificate.getInstance(IoUtil.read(issuerCertFile));
Properties props = new Properties();
props.load(new FileInputStream(IoUtil.expandFilepath(caDbConfFile)));
props.setProperty("autoCommit", "false");
props.setProperty("readOnly", "true");
props.setProperty("maximumPoolSize", "1");
props.setProperty("minimumIdle", "1");
DataSourceWrapper caDataSource = null;
Iterator<BigInteger> serialNumberIterator;
if (caDbConfFile != null) {
caDataSource = new DataSourceFactory().createDataSource("ds-" + caDbConfFile, props, securityFactory.getPasswordResolver());
serialNumberIterator = new DbGoodCertSerialIterator(caCert, caDataSource);
} else {
serialNumberIterator = new FileBigIntegerIterator(serialNumberFile, hex, false);
}
try {
CaLoadTestRevoke loadTest = new CaLoadTestRevoke(caClient, caCert, serialNumberIterator, maxCerts, num, description);
loadTest.setDuration(duration);
loadTest.setThreads(numThreads);
loadTest.test();
} finally {
if (caDataSource != null) {
caDataSource.close();
}
if (serialNumberIterator instanceof FileBigIntegerIterator) {
((FileBigIntegerIterator) serialNumberIterator).close();
}
}
return null;
}
Also used :
DataSourceFactory(org.xipki.datasource.DataSourceFactory)
IllegalCmdParamException(org.xipki.console.karaf.IllegalCmdParamException)
BigInteger(java.math.BigInteger)
DataSourceWrapper(org.xipki.datasource.DataSourceWrapper)
Properties(java.util.Properties)
FileBigIntegerIterator(org.xipki.common.util.FileBigIntegerIterator)
FileInputStream(java.io.FileInputStream)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Example 43 with Certificate
use of org.apache.harmony.security.x509.Certificate in project xipki by xipki.
the class X509CertprofileQa method checkCert.
// constructor
public ValidationResult checkCert(byte[] certBytes, X509IssuerInfo issuerInfo, X500Name requestedSubject, SubjectPublicKeyInfo requestedPublicKey, Extensions requestedExtensions) {
ParamUtil.requireNonNull("certBytes", certBytes);
ParamUtil.requireNonNull("issuerInfo", issuerInfo);
ParamUtil.requireNonNull("requestedSubject", requestedSubject);
ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
List<ValidationIssue> resultIssues = new LinkedList<ValidationIssue>();
Certificate bcCert;
TBSCertificate tbsCert;
X509Certificate cert;
ValidationIssue issue;
// certificate size
issue = new ValidationIssue("X509.SIZE", "certificate size");
resultIssues.add(issue);
Integer maxSize = certProfile.getMaxSize();
if (maxSize != 0) {
int size = certBytes.length;
if (size > maxSize) {
issue.setFailureMessage(String.format("certificate exceeds the maximal allowed size: %d > %d", size, maxSize));
}
}
// certificate encoding
issue = new ValidationIssue("X509.ENCODING", "certificate encoding");
resultIssues.add(issue);
try {
bcCert = Certificate.getInstance(certBytes);
tbsCert = bcCert.getTBSCertificate();
cert = X509Util.parseCert(certBytes);
} catch (CertificateException ex) {
issue.setFailureMessage("certificate is not corrected encoded");
return new ValidationResult(resultIssues);
}
// syntax version
issue = new ValidationIssue("X509.VERSION", "certificate version");
resultIssues.add(issue);
int versionNumber = tbsCert.getVersionNumber();
X509CertVersion expVersion = certProfile.getVersion();
if (versionNumber != expVersion.getVersionNumber()) {
issue.setFailureMessage("is '" + versionNumber + "' but expected '" + expVersion.getVersionNumber() + "'");
}
// serialNumber
issue = new ValidationIssue("X509.serialNumber", "certificate serial number");
resultIssues.add(issue);
BigInteger serialNumber = tbsCert.getSerialNumber().getValue();
if (serialNumber.signum() != 1) {
issue.setFailureMessage("not positive");
} else {
if (serialNumber.bitLength() >= 160) {
issue.setFailureMessage("serial number has more than 20 octets");
}
}
// signatureAlgorithm
List<String> signatureAlgorithms = certProfile.getSignatureAlgorithms();
if (CollectionUtil.isNonEmpty(signatureAlgorithms)) {
issue = new ValidationIssue("X509.SIGALG", "signature algorithm");
resultIssues.add(issue);
AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm();
AlgorithmIdentifier tbsSigAlgId = tbsCert.getSignature();
if (!tbsSigAlgId.equals(sigAlgId)) {
issue.setFailureMessage("Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm");
}
try {
String sigAlgo = AlgorithmUtil.getSignatureAlgoName(sigAlgId);
if (!issue.isFailed()) {
if (!signatureAlgorithms.contains(sigAlgo)) {
issue.setFailureMessage("signatureAlgorithm '" + sigAlgo + "' is not allowed");
}
}
// check parameters
if (!issue.isFailed()) {
AlgorithmIdentifier expSigAlgId = AlgorithmUtil.getSigAlgId(sigAlgo);
if (!expSigAlgId.equals(sigAlgId)) {
issue.setFailureMessage("invalid parameters");
}
}
} catch (NoSuchAlgorithmException ex) {
issue.setFailureMessage("unsupported signature algorithm " + sigAlgId.getAlgorithm().getId());
}
}
// notBefore encoding
issue = new ValidationIssue("X509.NOTBEFORE.ENCODING", "notBefore encoding");
checkTime(tbsCert.getStartDate(), issue);
// notAfter encoding
issue = new ValidationIssue("X509.NOTAFTER.ENCODING", "notAfter encoding");
checkTime(tbsCert.getStartDate(), issue);
// notBefore
if (certProfile.isNotBeforeMidnight()) {
issue = new ValidationIssue("X509.NOTBEFORE", "notBefore midnight");
resultIssues.add(issue);
Calendar cal = Calendar.getInstance(UTC);
cal.setTime(cert.getNotBefore());
int hourOfDay = cal.get(Calendar.HOUR_OF_DAY);
int minute = cal.get(Calendar.MINUTE);
int second = cal.get(Calendar.SECOND);
if (hourOfDay != 0 || minute != 0 || second != 0) {
issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time (UTC)");
}
}
// validity
issue = new ValidationIssue("X509.VALIDITY", "cert validity");
resultIssues.add(issue);
if (cert.getNotAfter().before(cert.getNotBefore())) {
issue.setFailureMessage("notAfter must not be before notBefore");
} else if (cert.getNotBefore().before(issuerInfo.getCaNotBefore())) {
issue.setFailureMessage("notBefore must not be before CA's notBefore");
} else {
CertValidity validity = certProfile.getValidity();
Date expectedNotAfter = validity.add(cert.getNotBefore());
if (expectedNotAfter.getTime() > MAX_CERT_TIME_MS) {
expectedNotAfter = new Date(MAX_CERT_TIME_MS);
}
if (issuerInfo.isCutoffNotAfter() && expectedNotAfter.after(issuerInfo.getCaNotAfter())) {
expectedNotAfter = issuerInfo.getCaNotAfter();
}
if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) {
issue.setFailureMessage("cert validity is not within " + validity.toString());
}
}
// subjectPublicKeyInfo
resultIssues.addAll(publicKeyChecker.checkPublicKey(bcCert.getSubjectPublicKeyInfo(), requestedPublicKey));
// Signature
issue = new ValidationIssue("X509.SIG", "whether certificate is signed by CA");
resultIssues.add(issue);
try {
cert.verify(issuerInfo.getCert().getPublicKey(), "BC");
} catch (Exception ex) {
issue.setFailureMessage("invalid signature");
}
// issuer
issue = new ValidationIssue("X509.ISSUER", "certificate issuer");
resultIssues.add(issue);
if (!cert.getIssuerX500Principal().equals(issuerInfo.getCert().getSubjectX500Principal())) {
issue.setFailureMessage("issue in certificate does not equal the subject of CA certificate");
}
// subject
resultIssues.addAll(subjectChecker.checkSubject(bcCert.getSubject(), requestedSubject));
// issuerUniqueID
issue = new ValidationIssue("X509.IssuerUniqueID", "issuerUniqueID");
resultIssues.add(issue);
if (tbsCert.getIssuerUniqueId() != null) {
issue.setFailureMessage("is present but not permitted");
}
// subjectUniqueID
issue = new ValidationIssue("X509.SubjectUniqueID", "subjectUniqueID");
resultIssues.add(issue);
if (tbsCert.getSubjectUniqueId() != null) {
issue.setFailureMessage("is present but not permitted");
}
// extensions
issue = new ValidationIssue("X509.GrantedSubject", "grantedSubject");
resultIssues.add(issue);
resultIssues.addAll(extensionsChecker.checkExtensions(bcCert, issuerInfo, requestedExtensions, requestedSubject));
return new ValidationResult(resultIssues);
}
Also used :
CertValidity(org.xipki.ca.api.profile.CertValidity)
Calendar(java.util.Calendar)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
ValidationResult(org.xipki.common.qa.ValidationResult)
ValidationIssue(org.xipki.common.qa.ValidationIssue)
LinkedList(java.util.LinkedList)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
CertprofileException(org.xipki.ca.api.profile.CertprofileException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
BigInteger(java.math.BigInteger)
X509CertVersion(org.xipki.ca.api.profile.x509.X509CertVersion)
BigInteger(java.math.BigInteger)
TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)
Example 44 with Certificate
use of org.apache.harmony.security.x509.Certificate in project xipki by xipki.
the class AbstractCaTest method test.
@Test
public void test() throws Exception {
CaIdentifier caId = new CaIdentifier("http://localhost:" + port + "/scep/pkiclient.exe", null);
CaCertValidator caCertValidator = new PreprovisionedCaCertValidator(ScepUtil.toX509Cert(scepServer.getCaCert()));
ScepClient client = new ScepClient(caId, caCertValidator);
client.setUseInsecureAlgorithms(useInsecureAlgorithms());
client.refresh();
CaCaps expCaCaps = getExpectedCaCaps();
// CACaps
CaCaps caCaps = client.getCaCaps();
Assert.assertEquals("CACaps", expCaCaps, caCaps);
// CA certificate
Certificate expCaCert = scepServer.getCaCert();
X509Certificate caCert = client.getAuthorityCertStore().getCaCert();
if (!equals(expCaCert, caCert)) {
Assert.fail("Configured and received CA certificate not the same");
}
boolean withRa = isWithRa();
// RA
if (withRa) {
Certificate expRaCert = scepServer.getRaCert();
X509Certificate raSigCert = client.getAuthorityCertStore().getSignatureCert();
X509Certificate raEncCert = client.getAuthorityCertStore().getEncryptionCert();
Assert.assertEquals("RA certificate", raSigCert, raEncCert);
if (!equals(expRaCert, raSigCert)) {
Assert.fail("Configured and received RA certificate not the same");
}
}
// getNextCA
if (isWithNextCa()) {
AuthorityCertStore nextCa = client.scepNextCaCert();
Certificate expNextCaCert = scepServer.getNextCaCert();
X509Certificate nextCaCert = nextCa.getCaCert();
if (!equals(expNextCaCert, nextCaCert)) {
Assert.fail("Configured and received next CA certificate not the same");
}
if (withRa) {
Certificate expNextRaCert = scepServer.getNextRaCert();
X509Certificate nextRaSigCert = nextCa.getSignatureCert();
X509Certificate nextRaEncCert = nextCa.getEncryptionCert();
Assert.assertEquals("Next RA certificate", nextRaSigCert, nextRaEncCert);
if (!equals(expNextRaCert, nextRaSigCert)) {
Assert.fail("Configured and received next RA certificate not the same");
}
}
}
// enroll
CertificationRequest csr;
X509Certificate selfSignedCert;
X509Certificate enroledCert;
X500Name issuerName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
PrivateKey privKey;
{
KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA");
kpGen.initialize(2048);
KeyPair keypair = kpGen.generateKeyPair();
privKey = keypair.getPrivate();
SubjectPublicKeyInfo subjectPublicKeyInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
X500Name subject = new X500Name("CN=EE1, OU=emulator, O=xipki.org, C=DE");
// first try without secret
PKCS10CertificationRequest p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, null, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
EnrolmentResponse enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
PkiStatus status = enrolResp.getPkcsRep().getPkiStatus();
Assert.assertEquals("PkiStatus without secret", PkiStatus.FAILURE, status);
// then try invalid secret
p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, "invalid-" + secret, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
status = enrolResp.getPkcsRep().getPkiStatus();
Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
// try with valid secret
p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
List<X509Certificate> certs = enrolResp.getCertificates();
Assert.assertTrue("number of received certificates", certs.size() > 0);
X509Certificate cert = certs.get(0);
Assert.assertNotNull("enroled certificate", cert);
enroledCert = cert;
// try :: self-signed certificate's subject different from the one of CSR
p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(new X500Name("CN=dummy"), csr.getCertificationRequestInfo().getSubjectPublicKeyInfo(), privKey);
enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
status = enrolResp.getPkcsRep().getPkiStatus();
Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
}
// certPoll
EnrolmentResponse enrolResp = client.scepCertPoll(privKey, selfSignedCert, csr, issuerName);
List<X509Certificate> certs = enrolResp.getCertificates();
Assert.assertTrue("number of received certificates", certs.size() > 0);
X509Certificate cert = certs.get(0);
Assert.assertNotNull("enrolled certificate", cert);
// getCert
certs = client.scepGetCert(privKey, selfSignedCert, issuerName, enroledCert.getSerialNumber());
Assert.assertTrue("number of received certificates", certs.size() > 0);
cert = certs.get(0);
Assert.assertNotNull("received certificate", cert);
// getCRL
X509CRL crl = client.scepGetCrl(privKey, enroledCert, issuerName, enroledCert.getSerialNumber());
Assert.assertNotNull("received CRL", crl);
// getNextCA
AuthorityCertStore nextCa = client.scepNextCaCert();
Assert.assertNotNull("nextCa", nextCa);
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
PkiStatus(org.xipki.scep.transaction.PkiStatus)
KeyPair(java.security.KeyPair)
PrivateKey(java.security.PrivateKey)
X509CRL(java.security.cert.X509CRL)
CaIdentifier(org.xipki.scep.client.CaIdentifier)
ScepClient(org.xipki.scep.client.ScepClient)
X500Name(org.bouncycastle.asn1.x500.X500Name)
KeyPairGenerator(java.security.KeyPairGenerator)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
X509Certificate(java.security.cert.X509Certificate)
CaCertValidator(org.xipki.scep.client.CaCertValidator)
PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator)
CaCaps(org.xipki.scep.message.CaCaps)
PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator)
EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse)
AuthorityCertStore(org.xipki.scep.message.AuthorityCertStore)
List(java.util.List)
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Test(org.junit.Test)
Example 45 with Certificate
use of org.apache.harmony.security.x509.Certificate in project xipki by xipki.
the class ScepResponder method servicePkiOperation.
public ContentInfo servicePkiOperation(CMSSignedData requestContent, AuditEvent event) throws MessageDecodingException, CaException {
ScepUtil.requireNonNull("requestContent", requestContent);
PrivateKey recipientKey = (raEmulator != null) ? raEmulator.getRaKey() : caEmulator.getCaKey();
Certificate recipientCert = (raEmulator != null) ? raEmulator.getRaCert() : caEmulator.getCaCert();
X509Certificate recipientX509Obj;
try {
recipientX509Obj = ScepUtil.toX509Cert(recipientCert);
} catch (CertificateException ex) {
throw new MessageDecodingException("could not parse recipientCert " + recipientCert.getTBSCertificate().getSubject());
}
EnvelopedDataDecryptorInstance decInstance = new EnvelopedDataDecryptorInstance(recipientX509Obj, recipientKey);
EnvelopedDataDecryptor recipient = new EnvelopedDataDecryptor(decInstance);
DecodedPkiMessage req = DecodedPkiMessage.decode(requestContent, recipient, null);
PkiMessage rep = servicePkiOperation0(req, event);
event.putEventData(ScepAuditConstants.NAME_pkiStatus, rep.getPkiStatus());
if (rep.getPkiStatus() == PkiStatus.FAILURE) {
event.setLevel(AuditLevel.ERROR);
}
if (rep.getFailInfo() != null) {
event.putEventData(ScepAuditConstants.NAME_failInfo, rep.getFailInfo());
}
String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(getSigningKey(), ScepHashAlgo.forNameOrOid(req.getDigestAlgorithm().getId()));
try {
X509Certificate jceSignerCert = ScepUtil.toX509Cert(getSigningCert());
X509Certificate[] certs = control.isSendSignerCert() ? new X509Certificate[] { jceSignerCert } : null;
return rep.encode(getSigningKey(), signatureAlgorithm, jceSignerCert, certs, req.getSignatureCert(), req.getContentEncryptionAlgorithm());
} catch (Exception ex) {
throw new CaException(ex);
}
}
Also used :
EnvelopedDataDecryptor(org.xipki.scep.message.EnvelopedDataDecryptor)
PrivateKey(java.security.PrivateKey)
CertificateException(java.security.cert.CertificateException)
ASN1String(org.bouncycastle.asn1.ASN1String)
X509Certificate(java.security.cert.X509Certificate)
CMSException(org.bouncycastle.cms.CMSException)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
CertificateException(java.security.cert.CertificateException)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
EnvelopedDataDecryptorInstance(org.xipki.scep.message.EnvelopedDataDecryptorInstance)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
PkiMessage(org.xipki.scep.message.PkiMessage)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Aggregations
Certificate (org.bouncycastle.asn1.x509.Certificate)35
X509Certificate (java.security.cert.X509Certificate)29
IOException (java.io.IOException)23
CertificateException (java.security.cert.CertificateException)18
ArrayList (java.util.ArrayList)11
Date (java.util.Date)11
BigInteger (java.math.BigInteger)9
List (java.util.List)9
X500Name (org.bouncycastle.asn1.x500.X500Name)9
File (java.io.File)7
ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)7
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)7
GeneralName (org.apache.harmony.security.x509.GeneralName)6
SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)6
TBSCertificate (org.bouncycastle.asn1.x509.TBSCertificate)6
DEROctetString (org.bouncycastle.asn1.DEROctetString)5
X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)5
OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)5
EOFException (java.io.EOFException)4
X509CRL (java.security.cert.X509CRL)4
