Search in sources :

Example 6 with CertRequest

use of org.bouncycastle.asn1.crmf.CertRequest in project xipki by xipki.

the class X509CaCmpResponderImpl method verifyPopo.

// method revokePendingCertificates
private boolean verifyPopo(CertificateRequestMessage certRequest, boolean allowRaPopo) {
    int popType = certRequest.getProofOfPossessionType();
    if (popType == CertificateRequestMessage.popRaVerified && allowRaPopo) {
        return true;
    }
    if (popType != CertificateRequestMessage.popSigningKey) {
        LOG.error("unsupported POP type: " + popType);
        return false;
    }
    // check the POP signature algorithm
    ProofOfPossession pop = certRequest.toASN1Structure().getPopo();
    POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject());
    AlgorithmIdentifier popoAlgId = popoSign.getAlgorithmIdentifier();
    AlgorithmValidator algoValidator = getCmpControl().getPopoAlgoValidator();
    if (!algoValidator.isAlgorithmPermitted(popoAlgId)) {
        String algoName;
        try {
            algoName = AlgorithmUtil.getSignatureAlgoName(popoAlgId);
        } catch (NoSuchAlgorithmException ex) {
            algoName = popoAlgId.getAlgorithm().getId();
        }
        LOG.error("POPO signature algorithm {} not permitted", algoName);
        return false;
    }
    try {
        PublicKey publicKey = securityFactory.generatePublicKey(certRequest.getCertTemplate().getPublicKey());
        ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(publicKey);
        return certRequest.isValidSigningKeyPOP(cvp);
    } catch (InvalidKeyException | IllegalStateException | CRMFException ex) {
        LogUtil.error(LOG, ex);
    }
    return false;
}
Also used : AlgorithmValidator(org.xipki.security.AlgorithmValidator) PublicKey(java.security.PublicKey) ProofOfPossession(org.bouncycastle.asn1.crmf.ProofOfPossession) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) CRMFException(org.bouncycastle.cert.crmf.CRMFException) POPOSigningKey(org.bouncycastle.asn1.crmf.POPOSigningKey) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 7 with CertRequest

use of org.bouncycastle.asn1.crmf.CertRequest in project xipki by xipki.

the class CmpCaClient method requestCertViaCrmf.

public X509Certificate requestCertViaCrmf(String certProfile, PrivateKey privateKey, SubjectPublicKeyInfo publicKeyInfo, String subject) throws Exception {
    CertTemplateBuilder certTemplateBuilder = new CertTemplateBuilder();
    certTemplateBuilder.setSubject(new X500Name(subject));
    certTemplateBuilder.setPublicKey(publicKeyInfo);
    CertRequest certReq = new CertRequest(1, certTemplateBuilder.build(), null);
    ProofOfPossessionSigningKeyBuilder popoBuilder = new ProofOfPossessionSigningKeyBuilder(certReq);
    ContentSigner popoSigner = buildSigner(privateKey);
    POPOSigningKey popoSk = popoBuilder.build(popoSigner);
    ProofOfPossession popo = new ProofOfPossession(popoSk);
    AttributeTypeAndValue certprofileInfo = new AttributeTypeAndValue(CMPObjectIdentifiers.regInfo_utf8Pairs, new DERUTF8String("CERT-PROFILE?" + certProfile + "%"));
    AttributeTypeAndValue[] atvs = { certprofileInfo };
    CertReqMsg certReqMsg = new CertReqMsg(certReq, popo, atvs);
    PKIBody body = new PKIBody(PKIBody.TYPE_CERT_REQ, new CertReqMessages(certReqMsg));
    ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(PKIHeader.CMP_2000, requestorSubject, responderSubject);
    builder.setMessageTime(new Date());
    builder.setTransactionID(randomTransactionId());
    builder.setSenderNonce(randomSenderNonce());
    builder.addGeneralInfo(new InfoTypeAndValue(CMPObjectIdentifiers.it_implicitConfirm, DERNull.INSTANCE));
    builder.setBody(body);
    ProtectedPKIMessage request = builder.build(requestorSigner);
    PKIMessage response = transmit(request);
    return parseEnrollCertResult(response);
}
Also used : ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) CertReqMessages(org.bouncycastle.asn1.crmf.CertReqMessages) CertReqMsg(org.bouncycastle.asn1.crmf.CertReqMsg) ContentSigner(org.bouncycastle.operator.ContentSigner) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) ProofOfPossession(org.bouncycastle.asn1.crmf.ProofOfPossession) X500Name(org.bouncycastle.asn1.x500.X500Name) AttributeTypeAndValue(org.bouncycastle.asn1.crmf.AttributeTypeAndValue) Date(java.util.Date) CertTemplateBuilder(org.bouncycastle.asn1.crmf.CertTemplateBuilder) CertRequest(org.bouncycastle.asn1.crmf.CertRequest) InfoTypeAndValue(org.bouncycastle.asn1.cmp.InfoTypeAndValue) ProofOfPossessionSigningKeyBuilder(org.bouncycastle.cert.crmf.ProofOfPossessionSigningKeyBuilder) ProtectedPKIMessageBuilder(org.bouncycastle.cert.cmp.ProtectedPKIMessageBuilder) POPOSigningKey(org.bouncycastle.asn1.crmf.POPOSigningKey)

Example 8 with CertRequest

use of org.bouncycastle.asn1.crmf.CertRequest in project xipki by xipki.

the class EnrollCertAction method execute0.

@Override
protected Object execute0() throws Exception {
    if (caName != null) {
        caName = caName.toLowerCase();
    }
    CertTemplateBuilder certTemplateBuilder = new CertTemplateBuilder();
    ConcurrentContentSigner signer = getSigner(new SignatureAlgoControl(rsaMgf1, dsaPlain, gm));
    X509CertificateHolder ssCert = signer.getBcCertificate();
    X500Name x500Subject = new X500Name(subject);
    certTemplateBuilder.setSubject(x500Subject);
    certTemplateBuilder.setPublicKey(ssCert.getSubjectPublicKeyInfo());
    if (StringUtil.isNotBlank(notBeforeS) || StringUtil.isNotBlank(notAfterS)) {
        Time notBefore = StringUtil.isNotBlank(notBeforeS) ? new Time(DateUtil.parseUtcTimeyyyyMMddhhmmss(notBeforeS)) : null;
        Time notAfter = StringUtil.isNotBlank(notAfterS) ? new Time(DateUtil.parseUtcTimeyyyyMMddhhmmss(notAfterS)) : null;
        OptionalValidity validity = new OptionalValidity(notBefore, notAfter);
        certTemplateBuilder.setValidity(validity);
    }
    if (needExtensionTypes == null) {
        needExtensionTypes = new LinkedList<>();
    }
    // SubjectAltNames
    List<Extension> extensions = new LinkedList<>();
    if (isNotEmpty(subjectAltNames)) {
        extensions.add(X509Util.createExtnSubjectAltName(subjectAltNames, false));
        needExtensionTypes.add(Extension.subjectAlternativeName.getId());
    }
    // SubjectInfoAccess
    if (isNotEmpty(subjectInfoAccesses)) {
        extensions.add(X509Util.createExtnSubjectInfoAccess(subjectInfoAccesses, false));
        needExtensionTypes.add(Extension.subjectInfoAccess.getId());
    }
    // Keyusage
    if (isNotEmpty(keyusages)) {
        Set<KeyUsage> usages = new HashSet<>();
        for (String usage : keyusages) {
            usages.add(KeyUsage.getKeyUsage(usage));
        }
        org.bouncycastle.asn1.x509.KeyUsage extValue = X509Util.createKeyUsage(usages);
        ASN1ObjectIdentifier extType = Extension.keyUsage;
        extensions.add(new Extension(extType, false, extValue.getEncoded()));
        needExtensionTypes.add(extType.getId());
    }
    // ExtendedKeyusage
    if (isNotEmpty(extkeyusages)) {
        ExtendedKeyUsage extValue = X509Util.createExtendedUsage(textToAsn1ObjectIdentifers(extkeyusages));
        ASN1ObjectIdentifier extType = Extension.extendedKeyUsage;
        extensions.add(new Extension(extType, false, extValue.getEncoded()));
        needExtensionTypes.add(extType.getId());
    }
    // QcEuLimitValue
    if (isNotEmpty(qcEuLimits)) {
        ASN1EncodableVector vec = new ASN1EncodableVector();
        for (String m : qcEuLimits) {
            StringTokenizer st = new StringTokenizer(m, ":");
            try {
                String currencyS = st.nextToken();
                String amountS = st.nextToken();
                String exponentS = st.nextToken();
                Iso4217CurrencyCode currency;
                try {
                    int intValue = Integer.parseInt(currencyS);
                    currency = new Iso4217CurrencyCode(intValue);
                } catch (NumberFormatException ex) {
                    currency = new Iso4217CurrencyCode(currencyS);
                }
                int amount = Integer.parseInt(amountS);
                int exponent = Integer.parseInt(exponentS);
                MonetaryValue monterayValue = new MonetaryValue(currency, amount, exponent);
                QCStatement statment = new QCStatement(ObjectIdentifiers.id_etsi_qcs_QcLimitValue, monterayValue);
                vec.add(statment);
            } catch (Exception ex) {
                throw new Exception("invalid qc-eu-limit '" + m + "'");
            }
        }
        ASN1ObjectIdentifier extType = Extension.qCStatements;
        ASN1Sequence extValue = new DERSequence(vec);
        extensions.add(new Extension(extType, false, extValue.getEncoded()));
        needExtensionTypes.add(extType.getId());
    }
    // biometricInfo
    if (biometricType != null && biometricHashAlgo != null && biometricFile != null) {
        TypeOfBiometricData objBiometricType = StringUtil.isNumber(biometricType) ? new TypeOfBiometricData(Integer.parseInt(biometricType)) : new TypeOfBiometricData(new ASN1ObjectIdentifier(biometricType));
        ASN1ObjectIdentifier objBiometricHashAlgo = AlgorithmUtil.getHashAlg(biometricHashAlgo);
        byte[] biometricBytes = IoUtil.read(biometricFile);
        MessageDigest md = MessageDigest.getInstance(objBiometricHashAlgo.getId());
        md.reset();
        byte[] biometricDataHash = md.digest(biometricBytes);
        DERIA5String sourceDataUri = null;
        if (biometricUri != null) {
            sourceDataUri = new DERIA5String(biometricUri);
        }
        BiometricData biometricData = new BiometricData(objBiometricType, new AlgorithmIdentifier(objBiometricHashAlgo), new DEROctetString(biometricDataHash), sourceDataUri);
        ASN1EncodableVector vec = new ASN1EncodableVector();
        vec.add(biometricData);
        ASN1ObjectIdentifier extType = Extension.biometricInfo;
        ASN1Sequence extValue = new DERSequence(vec);
        extensions.add(new Extension(extType, false, extValue.getEncoded()));
        needExtensionTypes.add(extType.getId());
    } else if (biometricType == null && biometricHashAlgo == null && biometricFile == null) {
    // Do nothing
    } else {
        throw new Exception("either all of biometric triples (type, hash algo, file)" + " must be set or none of them should be set");
    }
    if (isNotEmpty(needExtensionTypes) || isNotEmpty(wantExtensionTypes)) {
        ExtensionExistence ee = new ExtensionExistence(textToAsn1ObjectIdentifers(needExtensionTypes), textToAsn1ObjectIdentifers(wantExtensionTypes));
        extensions.add(new Extension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions, false, ee.toASN1Primitive().getEncoded()));
    }
    if (isNotEmpty(extensions)) {
        Extensions asn1Extensions = new Extensions(extensions.toArray(new Extension[0]));
        certTemplateBuilder.setExtensions(asn1Extensions);
    }
    CertRequest certReq = new CertRequest(1, certTemplateBuilder.build(), null);
    ProofOfPossessionSigningKeyBuilder popoBuilder = new ProofOfPossessionSigningKeyBuilder(certReq);
    ConcurrentBagEntrySigner signer0 = signer.borrowSigner();
    POPOSigningKey popoSk;
    try {
        popoSk = popoBuilder.build(signer0.value());
    } finally {
        signer.requiteSigner(signer0);
    }
    ProofOfPossession popo = new ProofOfPossession(popoSk);
    EnrollCertRequestEntry reqEntry = new EnrollCertRequestEntry("id-1", profile, certReq, popo);
    EnrollCertRequest request = new EnrollCertRequest(EnrollCertRequest.Type.CERT_REQ);
    request.addRequestEntry(reqEntry);
    RequestResponseDebug debug = getRequestResponseDebug();
    EnrollCertResult result;
    try {
        result = caClient.requestCerts(caName, request, debug);
    } finally {
        saveRequestResponse(debug);
    }
    X509Certificate cert = null;
    if (result != null) {
        String id = result.getAllIds().iterator().next();
        CertOrError certOrError = result.getCertOrError(id);
        cert = (X509Certificate) certOrError.getCertificate();
    }
    if (cert == null) {
        throw new CmdFailure("no certificate received from the server");
    }
    File certFile = new File(outputFile);
    saveVerbose("saved certificate to file", certFile, cert.getEncoded());
    return null;
}
Also used : TypeOfBiometricData(org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData) BiometricData(org.bouncycastle.asn1.x509.qualified.BiometricData) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) KeyUsage(org.xipki.security.KeyUsage) X500Name(org.bouncycastle.asn1.x500.X500Name) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DEROctetString(org.bouncycastle.asn1.DEROctetString) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) DERSequence(org.bouncycastle.asn1.DERSequence) EnrollCertRequestEntry(org.xipki.ca.client.api.dto.EnrollCertRequestEntry) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) MessageDigest(java.security.MessageDigest) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) TypeOfBiometricData(org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData) HashSet(java.util.HashSet) RequestResponseDebug(org.xipki.common.RequestResponseDebug) ProofOfPossession(org.bouncycastle.asn1.crmf.ProofOfPossession) LinkedList(java.util.LinkedList) X509Certificate(java.security.cert.X509Certificate) OptionalValidity(org.bouncycastle.asn1.crmf.OptionalValidity) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ProofOfPossessionSigningKeyBuilder(org.bouncycastle.cert.crmf.ProofOfPossessionSigningKeyBuilder) File(java.io.File) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) QCStatement(org.bouncycastle.asn1.x509.qualified.QCStatement) EnrollCertRequest(org.xipki.ca.client.api.dto.EnrollCertRequest) Time(org.bouncycastle.asn1.x509.Time) Extensions(org.bouncycastle.asn1.x509.Extensions) Iso4217CurrencyCode(org.bouncycastle.asn1.x509.qualified.Iso4217CurrencyCode) DERIA5String(org.bouncycastle.asn1.DERIA5String) CertTemplateBuilder(org.bouncycastle.asn1.crmf.CertTemplateBuilder) CmdFailure(org.xipki.console.karaf.CmdFailure) EnrollCertResult(org.xipki.ca.client.api.EnrollCertResult) POPOSigningKey(org.bouncycastle.asn1.crmf.POPOSigningKey) MonetaryValue(org.bouncycastle.asn1.x509.qualified.MonetaryValue) ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner) CertOrError(org.xipki.ca.client.api.CertOrError) ObjectCreationException(org.xipki.common.ObjectCreationException) InvalidOidOrNameException(org.xipki.security.exception.InvalidOidOrNameException) Extension(org.bouncycastle.asn1.x509.Extension) StringTokenizer(java.util.StringTokenizer) ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner) ExtensionExistence(org.xipki.security.ExtensionExistence) EnrollCertRequest(org.xipki.ca.client.api.dto.EnrollCertRequest) CertRequest(org.bouncycastle.asn1.crmf.CertRequest) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) SignatureAlgoControl(org.xipki.security.SignatureAlgoControl)

Example 9 with CertRequest

use of org.bouncycastle.asn1.crmf.CertRequest in project xipki by xipki.

the class CaLoadTestEnroll method nextCertRequests.

private Map<Integer, CertRequest> nextCertRequests() {
    if (maxRequests > 0) {
        int num = processedRequests.getAndAdd(1);
        if (num >= maxRequests) {
            return null;
        }
    }
    Map<Integer, CertRequest> certRequests = new HashMap<>();
    for (int i = 0; i < num; i++) {
        final int certId = i + 1;
        CertTemplateBuilder certTempBuilder = new CertTemplateBuilder();
        long thisIndex = index.getAndIncrement();
        certTempBuilder.setSubject(loadtestEntry.getX500Name(thisIndex));
        SubjectPublicKeyInfo spki = loadtestEntry.getSubjectPublicKeyInfo();
        certTempBuilder.setPublicKey(spki);
        CertTemplate certTemplate = certTempBuilder.build();
        CertRequest certRequest = new CertRequest(certId, certTemplate, null);
        certRequests.put(certId, certRequest);
    }
    return certRequests;
}
Also used : AtomicInteger(java.util.concurrent.atomic.AtomicInteger) CertTemplateBuilder(org.bouncycastle.asn1.crmf.CertTemplateBuilder) HashMap(java.util.HashMap) CertRequest(org.bouncycastle.asn1.crmf.CertRequest) EnrollCertRequest(org.xipki.ca.client.api.dto.EnrollCertRequest) CertTemplate(org.bouncycastle.asn1.crmf.CertTemplate) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)

Example 10 with CertRequest

use of org.bouncycastle.asn1.crmf.CertRequest in project xipki by xipki.

the class CaClientImpl method envelope.

@Override
public byte[] envelope(CertRequest certRequest, ProofOfPossession pop, String profileName, String caName) throws CaClientException {
    ParamUtil.requireNonNull("certRequest", certRequest);
    ParamUtil.requireNonNull("pop", pop);
    profileName = ParamUtil.requireNonNull("profileName", profileName).toLowerCase();
    init0(false);
    if (caName == null) {
        // detect the CA name
        caName = getCaNameForProfile(profileName);
        if (caName == null) {
            throw new CaClientException("certprofile " + profileName + " is not supported by any CA");
        }
    } else {
        caName = caName.toLowerCase();
        checkCertprofileSupportInCa(profileName, caName);
    }
    CaConf ca = casMap.get(caName);
    if (ca == null) {
        throw new CaClientException("could not find CA named " + caName);
    }
    PKIMessage pkiMessage;
    try {
        pkiMessage = ca.getRequestor().envelope(certRequest, pop, profileName);
    } catch (CmpRequestorException ex) {
        throw new CaClientException("CmpRequestorException: " + ex.getMessage(), ex);
    }
    try {
        return pkiMessage.getEncoded();
    } catch (IOException ex) {
        throw new CaClientException("IOException: " + ex.getMessage(), ex);
    }
}
Also used : PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) IOException(java.io.IOException) CaClientException(org.xipki.ca.client.api.CaClientException)

Aggregations

PKIMessage (org.bouncycastle.asn1.cmp.PKIMessage)4 CertRequest (org.bouncycastle.asn1.crmf.CertRequest)4 CertTemplateBuilder (org.bouncycastle.asn1.crmf.CertTemplateBuilder)4 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3 HashMap (java.util.HashMap)3 DERIA5String (org.bouncycastle.asn1.DERIA5String)3 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)3 CertReqMsg (org.bouncycastle.asn1.crmf.CertReqMsg)3 CertTemplate (org.bouncycastle.asn1.crmf.CertTemplate)3 POPOSigningKey (org.bouncycastle.asn1.crmf.POPOSigningKey)3 ProofOfPossession (org.bouncycastle.asn1.crmf.ProofOfPossession)3 EnrollCertRequest (org.xipki.ca.client.api.dto.EnrollCertRequest)3 PrivateKey (java.security.PrivateKey)2 PublicKey (java.security.PublicKey)2 Date (java.util.Date)2 AtomicInteger (java.util.concurrent.atomic.AtomicInteger)2 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)2 PKIBody (org.bouncycastle.asn1.cmp.PKIBody)2 AttributeTypeAndValue (org.bouncycastle.asn1.crmf.AttributeTypeAndValue)2 CertReqMessages (org.bouncycastle.asn1.crmf.CertReqMessages)2