use of org.bouncycastle.asn1.crmf.DhSigStatic in project xipki by xipki.
the class CaUtil method verifyCsr.
// method sortX509Name
public static boolean verifyCsr(CertificationRequest csr, SecurityFactory securityFactory, AlgorithmValidator algorithmValidator, DhpocControl dhpocControl) {
notNull(csr, "csr");
ASN1ObjectIdentifier algOid = csr.getSignatureAlgorithm().getAlgorithm();
DHSigStaticKeyCertPair kaKeyAndCert = null;
if (Xipki.id_alg_dhPop_x25519.equals(algOid) || Xipki.id_alg_dhPop_x448.equals(algOid)) {
if (dhpocControl != null) {
DhSigStatic dhSigStatic = DhSigStatic.getInstance(csr.getSignature().getBytes());
IssuerAndSerialNumber isn = dhSigStatic.getIssuerAndSerial();
ASN1ObjectIdentifier keyOid = csr.getCertificationRequestInfo().getSubjectPublicKeyInfo().getAlgorithm().getAlgorithm();
kaKeyAndCert = dhpocControl.getKeyCertPair(isn.getName(), isn.getSerialNumber().getValue(), EdECConstants.getName(keyOid));
}
if (kaKeyAndCert == null) {
return false;
}
}
return securityFactory.verifyPopo(csr, algorithmValidator, kaKeyAndCert);
}
use of org.bouncycastle.asn1.crmf.DhSigStatic in project xipki by xipki.
the class CaUtil method verifyCsr.
// method sortX509Name
public static boolean verifyCsr(CertificationRequest csr, SecurityFactory securityFactory, PopControl popControl) {
notNull(csr, "csr");
notNull(popControl, "popControl");
ASN1ObjectIdentifier algOid = csr.getSignatureAlgorithm().getAlgorithm();
DHSigStaticKeyCertPair kaKeyAndCert = null;
if (Xipki.id_alg_dhPop_x25519.equals(algOid) || Xipki.id_alg_dhPop_x448.equals(algOid)) {
DhSigStatic dhSigStatic = DhSigStatic.getInstance(csr.getSignature().getBytes());
IssuerAndSerialNumber isn = dhSigStatic.getIssuerAndSerial();
ASN1ObjectIdentifier keyOid = csr.getCertificationRequestInfo().getSubjectPublicKeyInfo().getAlgorithm().getAlgorithm();
kaKeyAndCert = popControl.getDhKeyCertPair(isn.getName(), isn.getSerialNumber().getValue(), EdECConstants.getName(keyOid));
if (kaKeyAndCert == null) {
return false;
}
}
AlgorithmValidator popValidator = popControl.getPopAlgoValidator();
return securityFactory.verifyPop(csr, popValidator, kaKeyAndCert);
}
use of org.bouncycastle.asn1.crmf.DhSigStatic in project xipki by xipki.
the class BaseCmpResponder method verifyPopo.
protected boolean verifyPopo(CertificateRequestMessage certRequest, SubjectPublicKeyInfo spki, boolean allowRaPopo) {
int popType = certRequest.getProofOfPossessionType();
if (popType == CertificateRequestMessage.popRaVerified && allowRaPopo) {
return true;
}
if (popType != CertificateRequestMessage.popSigningKey) {
LOG.error("unsupported POP type: " + popType);
return false;
}
// check the POP signature algorithm
ProofOfPossession pop = certRequest.toASN1Structure().getPopo();
POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject());
SignAlgo popoAlg;
try {
popoAlg = SignAlgo.getInstance(popoSign.getAlgorithmIdentifier());
} catch (NoSuchAlgorithmException ex) {
LogUtil.error(LOG, ex, "Cannot parse POPO signature algorithm");
return false;
}
AlgorithmValidator algoValidator = getCmpControl().getPopoAlgoValidator();
if (!algoValidator.isAlgorithmPermitted(popoAlg)) {
LOG.error("POPO signature algorithm {} not permitted", popoAlg.getJceName());
return false;
}
try {
PublicKey publicKey = securityFactory.generatePublicKey(spki);
DhpocControl dhpocControl = getCa().getCaInfo().getDhpocControl();
DHSigStaticKeyCertPair kaKeyAndCert = null;
if (SignAlgo.DHPOP_X25519 == popoAlg || SignAlgo.DHPOP_X448 == popoAlg) {
if (dhpocControl != null) {
DhSigStatic dhSigStatic = DhSigStatic.getInstance(popoSign.getSignature().getBytes());
IssuerAndSerialNumber isn = dhSigStatic.getIssuerAndSerial();
ASN1ObjectIdentifier keyAlgOid = spki.getAlgorithm().getAlgorithm();
kaKeyAndCert = dhpocControl.getKeyCertPair(isn.getName(), isn.getSerialNumber().getValue(), EdECConstants.getName(keyAlgOid));
}
if (kaKeyAndCert == null) {
return false;
}
}
ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(publicKey, kaKeyAndCert);
return certRequest.isValidSigningKeyPOP(cvp);
} catch (InvalidKeyException | IllegalStateException | CRMFException ex) {
LogUtil.error(LOG, ex);
}
return false;
}
use of org.bouncycastle.asn1.crmf.DhSigStatic in project xipki by xipki.
the class BaseCmpResponder method verifyPop.
protected boolean verifyPop(CertificateRequestMessage certRequest, SubjectPublicKeyInfo spki, boolean allowRaPop) {
int popType = certRequest.getProofOfPossessionType();
if (popType == CertificateRequestMessage.popRaVerified && allowRaPop) {
return true;
}
if (popType != CertificateRequestMessage.popSigningKey) {
LOG.error("unsupported POP type: " + popType);
return false;
}
// check the POP signature algorithm
ProofOfPossession pop = certRequest.toASN1Structure().getPop();
POPOSigningKey popSign = POPOSigningKey.getInstance(pop.getObject());
SignAlgo popAlg;
try {
popAlg = SignAlgo.getInstance(popSign.getAlgorithmIdentifier());
} catch (NoSuchAlgorithmException ex) {
LogUtil.error(LOG, ex, "Cannot parse POP signature algorithm");
return false;
}
AlgorithmValidator algoValidator = getCa().getPopAlgoValidator();
if (!algoValidator.isAlgorithmPermitted(popAlg)) {
LOG.error("POP signature algorithm {} not permitted", popAlg.getJceName());
return false;
}
try {
PublicKey publicKey = securityFactory.generatePublicKey(spki);
PopControl popControl = getCa().getCaInfo().getPopControl();
DHSigStaticKeyCertPair kaKeyAndCert = null;
if (SignAlgo.DHPOP_X25519 == popAlg || SignAlgo.DHPOP_X448 == popAlg) {
if (popControl != null) {
DhSigStatic dhSigStatic = DhSigStatic.getInstance(popSign.getSignature().getBytes());
IssuerAndSerialNumber isn = dhSigStatic.getIssuerAndSerial();
ASN1ObjectIdentifier keyAlgOid = spki.getAlgorithm().getAlgorithm();
kaKeyAndCert = popControl.getDhKeyCertPair(isn.getName(), isn.getSerialNumber().getValue(), EdECConstants.getName(keyAlgOid));
}
if (kaKeyAndCert == null) {
return false;
}
}
ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(publicKey, kaKeyAndCert);
return certRequest.isValidSigningKeyPOP(cvp);
} catch (InvalidKeyException | IllegalStateException | CRMFException ex) {
LogUtil.error(LOG, ex);
}
return false;
}
Aggregations