Search in sources :

Example 1 with DhSigStatic

use of org.bouncycastle.asn1.crmf.DhSigStatic in project xipki by xipki.

the class CaUtil method verifyCsr.

// method sortX509Name
public static boolean verifyCsr(CertificationRequest csr, SecurityFactory securityFactory, AlgorithmValidator algorithmValidator, DhpocControl dhpocControl) {
    notNull(csr, "csr");
    ASN1ObjectIdentifier algOid = csr.getSignatureAlgorithm().getAlgorithm();
    DHSigStaticKeyCertPair kaKeyAndCert = null;
    if (Xipki.id_alg_dhPop_x25519.equals(algOid) || Xipki.id_alg_dhPop_x448.equals(algOid)) {
        if (dhpocControl != null) {
            DhSigStatic dhSigStatic = DhSigStatic.getInstance(csr.getSignature().getBytes());
            IssuerAndSerialNumber isn = dhSigStatic.getIssuerAndSerial();
            ASN1ObjectIdentifier keyOid = csr.getCertificationRequestInfo().getSubjectPublicKeyInfo().getAlgorithm().getAlgorithm();
            kaKeyAndCert = dhpocControl.getKeyCertPair(isn.getName(), isn.getSerialNumber().getValue(), EdECConstants.getName(keyOid));
        }
        if (kaKeyAndCert == null) {
            return false;
        }
    }
    return securityFactory.verifyPopo(csr, algorithmValidator, kaKeyAndCert);
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) DhSigStatic(org.bouncycastle.asn1.crmf.DhSigStatic)

Example 2 with DhSigStatic

use of org.bouncycastle.asn1.crmf.DhSigStatic in project xipki by xipki.

the class CaUtil method verifyCsr.

// method sortX509Name
public static boolean verifyCsr(CertificationRequest csr, SecurityFactory securityFactory, PopControl popControl) {
    notNull(csr, "csr");
    notNull(popControl, "popControl");
    ASN1ObjectIdentifier algOid = csr.getSignatureAlgorithm().getAlgorithm();
    DHSigStaticKeyCertPair kaKeyAndCert = null;
    if (Xipki.id_alg_dhPop_x25519.equals(algOid) || Xipki.id_alg_dhPop_x448.equals(algOid)) {
        DhSigStatic dhSigStatic = DhSigStatic.getInstance(csr.getSignature().getBytes());
        IssuerAndSerialNumber isn = dhSigStatic.getIssuerAndSerial();
        ASN1ObjectIdentifier keyOid = csr.getCertificationRequestInfo().getSubjectPublicKeyInfo().getAlgorithm().getAlgorithm();
        kaKeyAndCert = popControl.getDhKeyCertPair(isn.getName(), isn.getSerialNumber().getValue(), EdECConstants.getName(keyOid));
        if (kaKeyAndCert == null) {
            return false;
        }
    }
    AlgorithmValidator popValidator = popControl.getPopAlgoValidator();
    return securityFactory.verifyPop(csr, popValidator, kaKeyAndCert);
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) DhSigStatic(org.bouncycastle.asn1.crmf.DhSigStatic)

Example 3 with DhSigStatic

use of org.bouncycastle.asn1.crmf.DhSigStatic in project xipki by xipki.

the class BaseCmpResponder method verifyPopo.

protected boolean verifyPopo(CertificateRequestMessage certRequest, SubjectPublicKeyInfo spki, boolean allowRaPopo) {
    int popType = certRequest.getProofOfPossessionType();
    if (popType == CertificateRequestMessage.popRaVerified && allowRaPopo) {
        return true;
    }
    if (popType != CertificateRequestMessage.popSigningKey) {
        LOG.error("unsupported POP type: " + popType);
        return false;
    }
    // check the POP signature algorithm
    ProofOfPossession pop = certRequest.toASN1Structure().getPopo();
    POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject());
    SignAlgo popoAlg;
    try {
        popoAlg = SignAlgo.getInstance(popoSign.getAlgorithmIdentifier());
    } catch (NoSuchAlgorithmException ex) {
        LogUtil.error(LOG, ex, "Cannot parse POPO signature algorithm");
        return false;
    }
    AlgorithmValidator algoValidator = getCmpControl().getPopoAlgoValidator();
    if (!algoValidator.isAlgorithmPermitted(popoAlg)) {
        LOG.error("POPO signature algorithm {} not permitted", popoAlg.getJceName());
        return false;
    }
    try {
        PublicKey publicKey = securityFactory.generatePublicKey(spki);
        DhpocControl dhpocControl = getCa().getCaInfo().getDhpocControl();
        DHSigStaticKeyCertPair kaKeyAndCert = null;
        if (SignAlgo.DHPOP_X25519 == popoAlg || SignAlgo.DHPOP_X448 == popoAlg) {
            if (dhpocControl != null) {
                DhSigStatic dhSigStatic = DhSigStatic.getInstance(popoSign.getSignature().getBytes());
                IssuerAndSerialNumber isn = dhSigStatic.getIssuerAndSerial();
                ASN1ObjectIdentifier keyAlgOid = spki.getAlgorithm().getAlgorithm();
                kaKeyAndCert = dhpocControl.getKeyCertPair(isn.getName(), isn.getSerialNumber().getValue(), EdECConstants.getName(keyAlgOid));
            }
            if (kaKeyAndCert == null) {
                return false;
            }
        }
        ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(publicKey, kaKeyAndCert);
        return certRequest.isValidSigningKeyPOP(cvp);
    } catch (InvalidKeyException | IllegalStateException | CRMFException ex) {
        LogUtil.error(LOG, ex);
    }
    return false;
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) RSAPublicKey(java.security.interfaces.RSAPublicKey) ECPublicKey(java.security.interfaces.ECPublicKey) ProofOfPossession(org.bouncycastle.asn1.crmf.ProofOfPossession) DhSigStatic(org.bouncycastle.asn1.crmf.DhSigStatic) CRMFException(org.bouncycastle.cert.crmf.CRMFException) DhpocControl(org.xipki.ca.server.DhpocControl) POPOSigningKey(org.bouncycastle.asn1.crmf.POPOSigningKey) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 4 with DhSigStatic

use of org.bouncycastle.asn1.crmf.DhSigStatic in project xipki by xipki.

the class BaseCmpResponder method verifyPop.

protected boolean verifyPop(CertificateRequestMessage certRequest, SubjectPublicKeyInfo spki, boolean allowRaPop) {
    int popType = certRequest.getProofOfPossessionType();
    if (popType == CertificateRequestMessage.popRaVerified && allowRaPop) {
        return true;
    }
    if (popType != CertificateRequestMessage.popSigningKey) {
        LOG.error("unsupported POP type: " + popType);
        return false;
    }
    // check the POP signature algorithm
    ProofOfPossession pop = certRequest.toASN1Structure().getPop();
    POPOSigningKey popSign = POPOSigningKey.getInstance(pop.getObject());
    SignAlgo popAlg;
    try {
        popAlg = SignAlgo.getInstance(popSign.getAlgorithmIdentifier());
    } catch (NoSuchAlgorithmException ex) {
        LogUtil.error(LOG, ex, "Cannot parse POP signature algorithm");
        return false;
    }
    AlgorithmValidator algoValidator = getCa().getPopAlgoValidator();
    if (!algoValidator.isAlgorithmPermitted(popAlg)) {
        LOG.error("POP signature algorithm {} not permitted", popAlg.getJceName());
        return false;
    }
    try {
        PublicKey publicKey = securityFactory.generatePublicKey(spki);
        PopControl popControl = getCa().getCaInfo().getPopControl();
        DHSigStaticKeyCertPair kaKeyAndCert = null;
        if (SignAlgo.DHPOP_X25519 == popAlg || SignAlgo.DHPOP_X448 == popAlg) {
            if (popControl != null) {
                DhSigStatic dhSigStatic = DhSigStatic.getInstance(popSign.getSignature().getBytes());
                IssuerAndSerialNumber isn = dhSigStatic.getIssuerAndSerial();
                ASN1ObjectIdentifier keyAlgOid = spki.getAlgorithm().getAlgorithm();
                kaKeyAndCert = popControl.getDhKeyCertPair(isn.getName(), isn.getSerialNumber().getValue(), EdECConstants.getName(keyAlgOid));
            }
            if (kaKeyAndCert == null) {
                return false;
            }
        }
        ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(publicKey, kaKeyAndCert);
        return certRequest.isValidSigningKeyPOP(cvp);
    } catch (InvalidKeyException | IllegalStateException | CRMFException ex) {
        LogUtil.error(LOG, ex);
    }
    return false;
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) RSAPublicKey(java.security.interfaces.RSAPublicKey) ECPublicKey(java.security.interfaces.ECPublicKey) ProofOfPossession(org.bouncycastle.asn1.crmf.ProofOfPossession) DhSigStatic(org.bouncycastle.asn1.crmf.DhSigStatic) CRMFException(org.bouncycastle.cert.crmf.CRMFException) POPOSigningKey(org.bouncycastle.asn1.crmf.POPOSigningKey) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Aggregations

IssuerAndSerialNumber (org.bouncycastle.asn1.cms.IssuerAndSerialNumber)4 DhSigStatic (org.bouncycastle.asn1.crmf.DhSigStatic)4 ECPublicKey (java.security.interfaces.ECPublicKey)2 RSAPublicKey (java.security.interfaces.RSAPublicKey)2 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)2 POPOSigningKey (org.bouncycastle.asn1.crmf.POPOSigningKey)2 ProofOfPossession (org.bouncycastle.asn1.crmf.ProofOfPossession)2 CRMFException (org.bouncycastle.cert.crmf.CRMFException)2 ContentVerifierProvider (org.bouncycastle.operator.ContentVerifierProvider)2 DhpocControl (org.xipki.ca.server.DhpocControl)1