Example 1 with org.bouncycastle.asn1
use of org.bouncycastle.asn1 in project gdmatrix by gdmatrix.
the class CMSUtils method createTimeStampRequest.
public static TimeStampReq createTimeStampRequest(byte[] message, String nonce, boolean requireCert, Extensions extensions, String digestAlgorithm, String timestampPolicy) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("SHA1");
byte[] hashedMsg = md.digest(message);
ASN1ObjectIdentifier identifier = new ASN1ObjectIdentifier(digestAlgorithm);
org.bouncycastle.asn1.tsp.MessageImprint imprint = new org.bouncycastle.asn1.tsp.MessageImprint(new AlgorithmIdentifier(identifier), hashedMsg);
TimeStampReq request = new TimeStampReq(imprint, timestampPolicy != null ? new ASN1ObjectIdentifier(timestampPolicy) : null, nonce != null ? new ASN1Integer(nonce.getBytes()) : null, ASN1Boolean.getInstance(requireCert), extensions);
return request;
}
Also used :
TimeStampReq(org.bouncycastle.asn1.tsp.TimeStampReq)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
MessageDigest(java.security.MessageDigest)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
Example 2 with org.bouncycastle.asn1
use of org.bouncycastle.asn1 in project snowblossom by snowblossomcoin.
the class CertGen method generateSelfSignedCert.
/**
* @param key_pair Key pair to use to sign the cert inner signed message, the node key
* @param tls_wkp The temporary key to use just for this cert and TLS sessions
* @param spec Address for 'key_pair'
*/
public static X509Certificate generateSelfSignedCert(WalletKeyPair key_pair, WalletKeyPair tls_wkp, AddressSpec spec) throws Exception {
AddressSpecHash address_hash = AddressUtil.getHashForSpec(spec);
String address = AddressUtil.getAddressString(Globals.NODE_ADDRESS_STRING, address_hash);
byte[] encoded_pub = tls_wkp.getPublicKey().toByteArray();
SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(ASN1Sequence.getInstance(encoded_pub));
String dn = String.format("CN=%s, O=Snowblossom", address);
X500Name issuer = new X500Name(dn);
BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
Date notBefore = new Date(System.currentTimeMillis());
Date notAfter = new Date(System.currentTimeMillis() + 86400000L * 365L * 10L);
X500Name subject = issuer;
X509v3CertificateBuilder cert_builder = new X509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, subjectPublicKeyInfo);
// System.out.println(org.bouncycastle.asn1.x509.Extension.subjectAlternativeName);
ASN1ObjectIdentifier snow_claim_oid = new ASN1ObjectIdentifier("2.5.29.134");
// System.out.println(spec);
SignedMessagePayload payload = SignedMessagePayload.newBuilder().setTlsPublicKey(tls_wkp.getPublicKey()).build();
SignedMessage sm = MsgSigUtil.signMessage(spec, key_pair, payload);
byte[] sm_data = sm.toByteString().toByteArray();
cert_builder.addExtension(snow_claim_oid, true, sm_data);
String algorithm = "SHA256withRSA";
AsymmetricKeyParameter privateKeyAsymKeyParam = PrivateKeyFactory.createKey(tls_wkp.getPrivateKey().toByteArray());
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(algorithm);
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
// ContentSigner sigGen = new BcECContentSignerBuilder(sigAlgId, digAlgId).build(privateKeyAsymKeyParam);
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(privateKeyAsymKeyParam);
X509CertificateHolder certificateHolder = cert_builder.build(sigGen);
X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
return cert;
}
Also used :
SignedMessagePayload(snowblossom.proto.SignedMessagePayload)
SignedMessage(snowblossom.proto.SignedMessage)
ContentSigner(org.bouncycastle.operator.ContentSigner)
ByteString(com.google.protobuf.ByteString)
X500Name(org.bouncycastle.asn1.x500.X500Name)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
DefaultSignatureAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder)
BcRSAContentSignerBuilder(org.bouncycastle.operator.bc.BcRSAContentSignerBuilder)
AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
AddressSpecHash(snowblossom.lib.AddressSpecHash)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 3 with org.bouncycastle.asn1
use of org.bouncycastle.asn1 in project ca3sCore by kuehne-trustable-de.
the class CaCmpConnector method readCertResponse.
/**
* @param responseBytes
* @param pkiMessageReq
* @param csr
* @param config
* @throws IOException
* @throws CRMFException
* @throws CMPException
* @throws GeneralSecurityException
*/
public de.trustable.ca3s.core.domain.Certificate readCertResponse(final byte[] responseBytes, final PKIMessage pkiMessageReq, final CSR csr, final CAConnectorConfig config) throws IOException, CRMFException, CMPException, GeneralSecurityException {
final ASN1Primitive derObject = cryptoUtil.getDERObject(responseBytes);
final PKIMessage pkiMessage = PKIMessage.getInstance(derObject);
if (pkiMessage == null) {
throw new GeneralSecurityException("No CMP message could be parsed from received Der object.");
}
printPKIMessageInfo(pkiMessage);
PKIHeader pkiHeaderReq = pkiMessageReq.getHeader();
PKIHeader pkiHeaderResp = pkiMessage.getHeader();
if (!pkiHeaderReq.getSenderNonce().equals(pkiHeaderResp.getRecipNonce())) {
ASN1OctetString asn1Oct = pkiHeaderResp.getRecipNonce();
if (asn1Oct == null) {
LOGGER.info("Recip nonce == null");
} else {
LOGGER.info("sender nonce " + java.util.Base64.getEncoder().encodeToString(pkiHeaderReq.getSenderNonce().getOctets()) + " != " + java.util.Base64.getEncoder().encodeToString(asn1Oct.getOctets()));
}
throw new GeneralSecurityException("Sender / Recip nonce mismatch");
}
if (!pkiHeaderReq.getTransactionID().equals(pkiHeaderResp.getTransactionID())) {
ASN1OctetString asn1Oct = pkiHeaderResp.getTransactionID();
if (asn1Oct == null) {
LOGGER.info("transaction id == null");
} else {
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("transaction id " + java.util.Base64.getEncoder().encodeToString(pkiHeaderReq.getTransactionID().getOctets()) + " != " + java.util.Base64.getEncoder().encodeToString(asn1Oct.getOctets()));
}
}
throw new GeneralSecurityException("Sender / Recip Transaction Id mismatch");
}
final PKIBody body = pkiMessage.getBody();
int tagno = body.getType();
if (tagno == PKIBody.TYPE_ERROR) {
handleCMPError(body);
} else if (tagno == PKIBody.TYPE_CERT_REP || tagno == PKIBody.TYPE_INIT_REP) {
// certificate successfully generated
CertRepMessage certRepMessage = CertRepMessage.getInstance(body.getContent());
try {
// CMPCertificate[] cmpCertArr = certRepMessage.getCaPubs();
CMPCertificate[] cmpCertArr = pkiMessage.getExtraCerts();
LOGGER.info("CMP Response body contains " + cmpCertArr.length + " extra certificates");
for (int i = 0; i < cmpCertArr.length; i++) {
CMPCertificate cmpCert = cmpCertArr[i];
LOGGER.info("Added CA '" + cmpCert.getX509v3PKCert().getSubject() + "' from CMP Response body");
de.trustable.ca3s.core.domain.Certificate certDao = certUtil.createCertificate(cmpCert.getEncoded(), null, null, true);
certificateRepository.save(certDao);
LOGGER.debug("Additional CA '" + certDao.getSubject() + "' from CMP Response body");
}
} catch (NullPointerException npe) {
// NOSONAR
// just ignore
}
CertResponse[] respArr = certRepMessage.getResponse();
if (respArr == null || (respArr.length == 0)) {
throw new GeneralSecurityException("No CMP response found.");
}
LOGGER.info("CMP Response body contains " + respArr.length + " elements");
for (int i = 0; i < respArr.length; i++) {
if (respArr[i] == null) {
throw new GeneralSecurityException("No CMP response returned.");
}
BigInteger status = BigInteger.ZERO;
String statusText = "";
PKIStatusInfo pkiStatusInfo = respArr[i].getStatus();
if (pkiStatusInfo != null) {
PKIFreeText freeText = pkiStatusInfo.getStatusString();
if (freeText != null) {
for (int j = 0; j < freeText.size(); j++) {
statusText = freeText.getStringAt(j) + "\n";
}
}
}
if ((respArr[i].getCertifiedKeyPair() == null) || (respArr[i].getCertifiedKeyPair().getCertOrEncCert() == null)) {
csrUtil.setStatus(csr, CsrStatus.REJECTED);
csrUtil.setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_FAILURE_INFO, statusText, true);
throw new GeneralSecurityException("CMP response contains no certificate, status :" + status + "\n" + statusText);
}
CMPCertificate cmpCert = respArr[i].getCertifiedKeyPair().getCertOrEncCert().getCertificate();
if (cmpCert != null) {
org.bouncycastle.asn1.x509.Certificate cmpCertificate = cmpCert.getX509v3PKCert();
if (cmpCertificate != null) {
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("#" + i + ": " + cmpCertificate);
}
final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
/*
* version returning just the end entity ...
*/
final Collection<? extends java.security.cert.Certificate> certificateChain = certificateFactory.generateCertificates(new ByteArrayInputStream(cmpCertificate.getEncoded()));
X509Certificate[] certArray = certificateChain.toArray(new X509Certificate[0]);
X509Certificate cert = certArray[0];
if (LOGGER.isDebugEnabled()) {
LOGGER.info("#" + i + ": " + cert);
}
de.trustable.ca3s.core.domain.Certificate certDao = certUtil.createCertificate(cert.getEncoded(), csr, null, false);
certDao.setRevocationCA(config);
certificateRepository.save(certDao);
return certDao;
}
}
}
} else {
throw new GeneralSecurityException("unexpected PKI body type :" + tagno);
}
return null;
}
Also used :
PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage)
PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
PKIBody(org.bouncycastle.asn1.cmp.PKIBody)
GeneralSecurityException(java.security.GeneralSecurityException)
PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo)
CertRepMessage(org.bouncycastle.asn1.cmp.CertRepMessage)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
CertificateFactory(java.security.cert.CertificateFactory)
X509Certificate(java.security.cert.X509Certificate)
PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText)
CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate)
ByteArrayInputStream(java.io.ByteArrayInputStream)
BigInteger(java.math.BigInteger)
Collection(java.util.Collection)
ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)
X509Certificate(java.security.cert.X509Certificate)
CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate)
Certificate(de.trustable.ca3s.core.domain.Certificate)
Example 4 with org.bouncycastle.asn1
use of org.bouncycastle.asn1 in project ca3sCore by kuehne-trustable-de.
the class CertificateUtil method getCertificatePolicies.
public List<String> getCertificatePolicies(X509Certificate x509Cert) {
ArrayList<String> certificatePolicyIds = new ArrayList<>();
byte[] extVal = x509Cert.getExtensionValue(Extension.certificatePolicies.getId());
if (extVal == null) {
return certificatePolicyIds;
}
try {
org.bouncycastle.asn1.x509.CertificatePolicies cf = org.bouncycastle.asn1.x509.CertificatePolicies.getInstance(X509ExtensionUtil.fromExtensionValue(extVal));
PolicyInformation[] information = cf.getPolicyInformation();
for (PolicyInformation p : information) {
ASN1ObjectIdentifier aIdentifier = p.getPolicyIdentifier();
certificatePolicyIds.add(aIdentifier.getId());
}
} catch (IOException ex) {
LOG.error("Failed to get OCSP URL for certificate '" + x509Cert.getSubjectX500Principal().getName() + "'", ex);
}
return certificatePolicyIds;
}
Also used :
org.bouncycastle.asn1.x509(org.bouncycastle.asn1.x509)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
IOException(java.io.IOException)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 5 with org.bouncycastle.asn1
use of org.bouncycastle.asn1 in project ca3sCore by kuehne-trustable-de.
the class CertificateUtil method insertNameAttributes.
/**
* @param cert
* @param attributeName
* @param x500NameSubject
*/
public void insertNameAttributes(Certificate cert, String attributeName, X500Name x500NameSubject) {
try {
List<Rdn> rdnList = new LdapName(x500NameSubject.toString()).getRdns();
for (Rdn rdn : rdnList) {
String rdnExpression = rdn.getType().toLowerCase() + "=" + rdn.getValue().toString().toLowerCase().trim();
setCertMultiValueAttribute(cert, attributeName, rdnExpression);
}
} catch (InvalidNameException e) {
LOG.info("problem parsing RDN for {}", x500NameSubject);
}
for (RDN rdn : x500NameSubject.getRDNs()) {
for (org.bouncycastle.asn1.x500.AttributeTypeAndValue atv : rdn.getTypesAndValues()) {
String value = atv.getValue().toString().toLowerCase().trim();
setCertMultiValueAttribute(cert, attributeName, value);
String oid = atv.getType().getId().toLowerCase();
setCertMultiValueAttribute(cert, attributeName, oid + "=" + value);
if (!oid.equals(atv.getType().toString().toLowerCase())) {
setCertMultiValueAttribute(cert, attributeName, atv.getType().toString().toLowerCase() + "=" + value);
}
}
}
}
Also used :
AttributeTypeAndValue(org.bouncycastle.asn1.x500.AttributeTypeAndValue)
InvalidNameException(javax.naming.InvalidNameException)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
Rdn(javax.naming.ldap.Rdn)
RDN(org.bouncycastle.asn1.x500.RDN)
LdapName(javax.naming.ldap.LdapName)
Aggregations
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)29
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)29
IOException (java.io.IOException)22
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)22
X509Certificate (java.security.cert.X509Certificate)20
DEROctetString (org.bouncycastle.asn1.DEROctetString)20
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)17
X500Name (org.bouncycastle.asn1.x500.X500Name)17
ASN1Integer (org.bouncycastle.asn1.ASN1Integer)15
BigInteger (java.math.BigInteger)14
DERSequence (org.bouncycastle.asn1.DERSequence)14
PrivateKeyInfo (org.bouncycastle.asn1.pkcs.PrivateKeyInfo)13
Extension (org.bouncycastle.asn1.x509.Extension)13
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)12
ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)12
DERIA5String (org.bouncycastle.asn1.DERIA5String)12
KeyPair (java.security.KeyPair)11
HashSet (java.util.HashSet)11
DERSet (org.bouncycastle.asn1.DERSet)11
ArrayList (java.util.ArrayList)10
