use of org.bouncycastle.asn1 in project gdmatrix by gdmatrix.
the class CMSUtils method createTimeStampRequest.
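/**
 * Builds an RFC 3161 time-stamp request for {@code message}.
 *
 * <p>The message is hashed with the digest named by {@code digestAlgorithm}, so the hash in the
 * message imprint and the algorithm identifier sent alongside it describe the same digest.
 * Hashing with a fixed algorithm while advertising another one yields an imprint the
 * time-stamp authority cannot match to the declared algorithm.
 *
 * @param message data to be time-stamped; only its digest is placed in the request
 * @param nonce optional nonce; when non-null its bytes are used as the request's INTEGER nonce
 * @param requireCert whether the request asks for the signer certificate in the response
 * @param extensions optional request extensions, passed through unchanged
 * @param digestAlgorithm dotted OID of the digest algorithm used for the message imprint
 * @param timestampPolicy optional dotted OID of the requested policy, or {@code null}
 * @return the assembled request
 * @throws NoSuchAlgorithmException if no installed provider offers a digest for
 *     {@code digestAlgorithm}
 */
public static TimeStampReq createTimeStampRequest(byte[] message, String nonce, boolean requireCert, Extensions extensions, String digestAlgorithm, String timestampPolicy) throws NoSuchAlgorithmException {
  // Parse the OID first so a malformed identifier is rejected before any hashing happens.
  ASN1ObjectIdentifier identifier = new ASN1ObjectIdentifier(digestAlgorithm);
  // Look the digest up by the same OID that is written into the imprint. This relies on an
  // installed JCA provider registering the OID as an algorithm alias; otherwise the lookup
  // fails with NoSuchAlgorithmException instead of producing a mislabelled hash.
  MessageDigest md = MessageDigest.getInstance(identifier.getId());
  byte[] hashedMsg = md.digest(message);
  org.bouncycastle.asn1.tsp.MessageImprint imprint = new org.bouncycastle.asn1.tsp.MessageImprint(new AlgorithmIdentifier(identifier), hashedMsg);
  // NOTE(review): nonce.getBytes() uses the platform default charset, so the encoded nonce of a
  // non-ASCII string depends on the JVM it runs on - confirm callers only pass ASCII nonces.
  return new TimeStampReq(
      imprint,
      timestampPolicy != null ? new ASN1ObjectIdentifier(timestampPolicy) : null,
      nonce != null ? new ASN1Integer(nonce.getBytes()) : null,
      ASN1Boolean.getInstance(requireCert),
      extensions);
}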
use of org.bouncycastle.asn1 in project snowblossom by snowblossomcoin.
the class CertGen method generateSelfSignedCert.
/**
 * Creates a self-signed X.509 certificate for the temporary TLS key and embeds a claim signed by
 * the node key.
 *
 * <p>Issuer and subject are both {@code CN=<node address>, O=Snowblossom}. The certificate
 * carries the TLS public key, is valid from the current time for ten years, and is signed with
 * the TLS private key using SHA256withRSA. An extension under OID 2.5.29.134, flagged critical,
 * holds a message over the TLS public key that is signed with {@code key_pair}.
 *
 * @param key_pair Key pair to use to sign the cert inner signed message, the node key
 * @param tls_wkp The temporary key to use just for this cert and TLS sessions
 * @param spec Address for 'key_pair'
 * @return the certificate converted through the provider named "BC"
 * @throws Exception if key parsing, claim signing, or certificate construction fails
 */
public static X509Certificate generateSelfSignedCert(WalletKeyPair key_pair, WalletKeyPair tls_wkp, AddressSpec spec) throws Exception {
  final String node_address =
      AddressUtil.getAddressString(Globals.NODE_ADDRESS_STRING, AddressUtil.getHashForSpec(spec));

  // The TLS public key bytes are parsed as an ASN.1 sequence and used as SubjectPublicKeyInfo.
  final SubjectPublicKeyInfo tls_key_info =
      new SubjectPublicKeyInfo(ASN1Sequence.getInstance(tls_wkp.getPublicKey().toByteArray()));

  // Self-signed: the same name serves as issuer and subject.
  final X500Name self_name = new X500Name(String.format("CN=%s, O=Snowblossom", node_address));

  // The serial number is the wall-clock time in milliseconds, so it is predictable and two
  // certificates created within the same millisecond share it.
  final BigInteger serial_number = BigInteger.valueOf(System.currentTimeMillis());
  final Date valid_from = new Date(System.currentTimeMillis());
  final Date valid_until = new Date(System.currentTimeMillis() + 86400000L * 365L * 10L);

  final X509v3CertificateBuilder builder =
      new X509v3CertificateBuilder(self_name, serial_number, valid_from, valid_until, self_name, tls_key_info);

  // Bind the TLS key to the node identity: the node key signs a payload naming the TLS public
  // key. The extension is marked critical, so a verifier that does not recognise this OID is
  // expected to reject the certificate rather than ignore the claim.
  final ASN1ObjectIdentifier claim_oid = new ASN1ObjectIdentifier("2.5.29.134");
  final SignedMessagePayload claim_payload =
      SignedMessagePayload.newBuilder().setTlsPublicKey(tls_wkp.getPublicKey()).build();
  final SignedMessage signed_claim = MsgSigUtil.signMessage(spec, key_pair, claim_payload);
  builder.addExtension(claim_oid, true, signed_claim.toByteString().toByteArray());

  // The outer certificate signature is made with the TLS private key.
  // NOTE(review): an RSA content signer is built here, which presumably requires tls_wkp to
  // hold an RSA key - confirm against the callers.
  final AsymmetricKeyParameter tls_private_key =
      PrivateKeyFactory.createKey(tls_wkp.getPrivateKey().toByteArray());
  final AlgorithmIdentifier sig_alg = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
  final AlgorithmIdentifier dig_alg = new DefaultDigestAlgorithmIdentifierFinder().find(sig_alg);
  final ContentSigner signer = new BcRSAContentSignerBuilder(sig_alg, dig_alg).build(tls_private_key);

  final X509CertificateHolder holder = builder.build(signer);
  return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
}
use of org.bouncycastle.asn1 in project ca3sCore by kuehne-trustable-de.
the class CaCmpConnector method readCertResponse.
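/**
 * Parses a CMP response, checks that it answers the given request and persists the issued
 * certificate.
 *
 * <p>The response's recipient nonce must equal the request's sender nonce and both transaction
 * ids must match; otherwise the response is rejected. For a certificate or initialization
 * response, the extra certificates attached to the message are stored first, then the first
 * response element that carries a certificate is stored and returned.
 *
 * <p>NOTE(review): nothing in this method verifies the response's protection (signature or MAC)
 * before the extra certificates are written to the repository - confirm that this is done
 * elsewhere, because those certificates come straight from the received message.
 *
 * @param responseBytes encoded CMP response as received
 * @param pkiMessageReq the request this response must correspond to
 * @param csr CSR the response belongs to; set to REJECTED when a response element carries no
 *     certificate
 * @param config connector configuration, recorded on the stored certificate as its revocation CA
 * @return the persisted certificate, or {@code null} if the body was an error that
 *     {@code handleCMPError} did not raise, or if no response element contained an X.509
 *     certificate
 * @throws IOException if an encoding cannot be read or written
 * @throws CRMFException declared for callers; not raised by the code visible here
 * @throws CMPException declared for callers; not raised by the code visible here
 * @throws GeneralSecurityException if the message cannot be parsed, nonce or transaction id do
 *     not match, the body type is unexpected, or a response element carries no certificate
 */
public de.trustable.ca3s.core.domain.Certificate readCertResponse(final byte[] responseBytes, final PKIMessage pkiMessageReq, final CSR csr, final CAConnectorConfig config) throws IOException, CRMFException, CMPException, GeneralSecurityException {
  final ASN1Primitive derObject = cryptoUtil.getDERObject(responseBytes);
  final PKIMessage pkiMessage = PKIMessage.getInstance(derObject);
  if (pkiMessage == null) {
    throw new GeneralSecurityException("No CMP message could be parsed from received Der object.");
  }
  printPKIMessageInfo(pkiMessage);

  PKIHeader pkiHeaderReq = pkiMessageReq.getHeader();
  PKIHeader pkiHeaderResp = pkiMessage.getHeader();

  // The response must echo our sender nonce; this ties it to this request and rejects replays
  // of responses to other requests.
  if (!pkiHeaderReq.getSenderNonce().equals(pkiHeaderResp.getRecipNonce())) {
    ASN1OctetString asn1Oct = pkiHeaderResp.getRecipNonce();
    if (asn1Oct == null) {
      LOGGER.info("Recip nonce == null");
    } else {
      LOGGER.info("sender nonce " + java.util.Base64.getEncoder().encodeToString(pkiHeaderReq.getSenderNonce().getOctets()) + " != " + java.util.Base64.getEncoder().encodeToString(asn1Oct.getOctets()));
    }
    throw new GeneralSecurityException("Sender / Recip nonce mismatch");
  }

  // Same binding check for the transaction id.
  if (!pkiHeaderReq.getTransactionID().equals(pkiHeaderResp.getTransactionID())) {
    ASN1OctetString asn1Oct = pkiHeaderResp.getTransactionID();
    if (asn1Oct == null) {
      LOGGER.info("transaction id == null");
    } else {
      if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("transaction id " + java.util.Base64.getEncoder().encodeToString(pkiHeaderReq.getTransactionID().getOctets()) + " != " + java.util.Base64.getEncoder().encodeToString(asn1Oct.getOctets()));
      }
    }
    throw new GeneralSecurityException("Sender / Recip Transaction Id mismatch");
  }

  final PKIBody body = pkiMessage.getBody();
  int tagno = body.getType();
  if (tagno == PKIBody.TYPE_ERROR) {
    handleCMPError(body);
  } else if (tagno == PKIBody.TYPE_CERT_REP || tagno == PKIBody.TYPE_INIT_REP) {
    // certificate successfully generated
    CertRepMessage certRepMessage = CertRepMessage.getInstance(body.getContent());

    // Extra certificates are optional; an absent list is skipped explicitly instead of being
    // detected through a NullPointerException.
    final CMPCertificate[] cmpCertArr = pkiMessage.getExtraCerts();
    if (cmpCertArr != null) {
      try {
        LOGGER.info("CMP Response body contains " + cmpCertArr.length + " extra certificates");
        for (CMPCertificate cmpCert : cmpCertArr) {
          LOGGER.info("Added CA '" + cmpCert.getX509v3PKCert().getSubject() + "' from CMP Response body");
          de.trustable.ca3s.core.domain.Certificate certDao = certUtil.createCertificate(cmpCert.getEncoded(), null, null, true);
          certificateRepository.save(certDao);
          LOGGER.debug("Additional CA '" + certDao.getSubject() + "' from CMP Response body");
        }
      } catch (NullPointerException npe) { // NOSONAR
        // Storing extra certificates stays best effort, but the failure is no longer silent.
        LOGGER.debug("Stopped processing extra certificates of CMP response", npe);
      }
    }

    CertResponse[] respArr = certRepMessage.getResponse();
    if (respArr == null || (respArr.length == 0)) {
      throw new GeneralSecurityException("No CMP response found.");
    }
    LOGGER.info("CMP Response body contains " + respArr.length + " elements");

    for (int i = 0; i < respArr.length; i++) {
      if (respArr[i] == null) {
        throw new GeneralSecurityException("No CMP response returned.");
      }

      BigInteger status = BigInteger.ZERO;
      final StringBuilder statusLines = new StringBuilder();
      PKIStatusInfo pkiStatusInfo = respArr[i].getStatus();
      if (pkiStatusInfo != null) {
        // Report the status the CA actually sent rather than a constant zero.
        status = pkiStatusInfo.getStatus();
        PKIFreeText freeText = pkiStatusInfo.getStatusString();
        if (freeText != null) {
          // Collect every status line; assigning inside the loop kept only the last one.
          for (int j = 0; j < freeText.size(); j++) {
            statusLines.append(freeText.getStringAt(j)).append("\n");
          }
        }
      }
      final String statusText = statusLines.toString();

      if ((respArr[i].getCertifiedKeyPair() == null) || (respArr[i].getCertifiedKeyPair().getCertOrEncCert() == null)) {
        csrUtil.setStatus(csr, CsrStatus.REJECTED);
        csrUtil.setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_FAILURE_INFO, statusText, true);
        throw new GeneralSecurityException("CMP response contains no certificate, status :" + status + "\n" + statusText);
      }

      CMPCertificate cmpCert = respArr[i].getCertifiedKeyPair().getCertOrEncCert().getCertificate();
      if (cmpCert != null) {
        org.bouncycastle.asn1.x509.Certificate cmpCertificate = cmpCert.getX509v3PKCert();
        if (cmpCertificate != null) {
          if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("#" + i + ": " + cmpCertificate);
          }
          final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
          /*
           * version returning just the end entity ...
           */
          final Collection<? extends java.security.cert.Certificate> certificateChain = certificateFactory.generateCertificates(new ByteArrayInputStream(cmpCertificate.getEncoded()));
          X509Certificate[] certArray = certificateChain.toArray(new X509Certificate[0]);
          X509Certificate cert = certArray[0];
          if (LOGGER.isDebugEnabled()) {
            // Logged at debug level to match the surrounding guard.
            LOGGER.debug("#" + i + ": " + cert);
          }
          de.trustable.ca3s.core.domain.Certificate certDao = certUtil.createCertificate(cert.getEncoded(), csr, null, false);
          certDao.setRevocationCA(config);
          certificateRepository.save(certDao);
          return certDao;
        }
      }
    }
  } else {
    throw new GeneralSecurityException("unexpected PKI body type :" + tagno);
  }
  return null;
}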
use of org.bouncycastle.asn1 in project ca3sCore by kuehne-trustable-de.
the class CertificateUtil method getCertificatePolicies.
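/**
 * Returns the policy identifiers listed in the certificate's certificatePolicies extension.
 *
 * <p>If the extension cannot be read, the error is logged and the identifiers collected so far
 * (possibly none) are returned. Callers therefore cannot tell "no policies" apart from "extension
 * unreadable" and should not treat an empty result as proof that the certificate asserts no
 * policy.
 *
 * @param x509Cert certificate to inspect
 * @return dotted OID strings of the policies; empty if the extension is absent or unreadable
 */
public List<String> getCertificatePolicies(X509Certificate x509Cert) {
  ArrayList<String> certificatePolicyIds = new ArrayList<>();
  byte[] extVal = x509Cert.getExtensionValue(Extension.certificatePolicies.getId());
  if (extVal == null) {
    // Extension not present.
    return certificatePolicyIds;
  }
  try {
    org.bouncycastle.asn1.x509.CertificatePolicies cf = org.bouncycastle.asn1.x509.CertificatePolicies.getInstance(X509ExtensionUtil.fromExtensionValue(extVal));
    for (PolicyInformation p : cf.getPolicyInformation()) {
      certificatePolicyIds.add(p.getPolicyIdentifier().getId());
    }
  } catch (IOException ex) {
    // The message now names the extension that failed; it previously referred to the OCSP URL.
    LOG.error("Failed to get certificate policies for certificate '" + x509Cert.getSubjectX500Principal().getName() + "'", ex);
  }
  return certificatePolicyIds;
}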
use of org.bouncycastle.asn1 in project ca3sCore by kuehne-trustable-de.
the class CertificateUtil method insertNameAttributes.
/**
 * Records the components of an X.500 name as lower-cased, trimmed values of a multi-valued
 * certificate attribute.
 *
 * <p>Two passes are made. The first parses the name's string form as an LDAP name and stores
 * {@code type=value} for each RDN; a name that does not parse is logged and skipped. The second
 * walks the name's own RDNs and stores, for each attribute, the bare value, {@code oid=value},
 * and - when the type's string form differs from its OID - {@code type=value} as well.
 *
 * <p>NOTE(review): {@code toLowerCase()} is called without a locale, so the stored form depends
 * on the JVM default locale. Confirm that whatever queries these attributes normalises the same
 * way before switching to a fixed locale.
 *
 * @param cert certificate record that receives the attribute values
 * @param attributeName name of the multi-valued attribute to fill
 * @param x500NameSubject name whose components are stored
 */
public void insertNameAttributes(Certificate cert, String attributeName, X500Name x500NameSubject) {
  // Pass 1: LDAP view of the name.
  try {
    for (Rdn ldapRdn : new LdapName(x500NameSubject.toString()).getRdns()) {
      final String type = ldapRdn.getType().toLowerCase();
      final String text = ldapRdn.getValue().toString().toLowerCase().trim();
      setCertMultiValueAttribute(cert, attributeName, type + "=" + text);
    }
  } catch (InvalidNameException e) {
    LOG.info("problem parsing RDN for {}", x500NameSubject);
  }

  // Pass 2: the name's own attribute types and values.
  for (RDN nameRdn : x500NameSubject.getRDNs()) {
    for (org.bouncycastle.asn1.x500.AttributeTypeAndValue pair : nameRdn.getTypesAndValues()) {
      final String value = pair.getValue().toString().toLowerCase().trim();
      setCertMultiValueAttribute(cert, attributeName, value);

      final String oid = pair.getType().getId().toLowerCase();
      setCertMultiValueAttribute(cert, attributeName, oid + "=" + value);

      // Only add a third entry when the type prints as something other than its OID.
      final String typeText = pair.getType().toString().toLowerCase();
      if (!oid.equals(typeText)) {
        setCertMultiValueAttribute(cert, attributeName, typeText + "=" + value);
      }
    }
  }
}