Examples with CertificationRequest org.bouncycastle.asn1.pkcs.CertificationRequest used on opensource projects

Search in sources :

Example 11 with CertificationRequest

use of org.bouncycastle.asn1.pkcs.CertificationRequest in project xipki by xipki.

the class CaManagerImpl method generateRootCa.

// method getIdentifiedPublishersForCa
@Override
public X509Certificate generateRootCa(X509CaEntry caEntry, String profileName, byte[] encodedCsr, BigInteger serialNumber) throws CaMgmtException {
    ParamUtil.requireNonNull("caEntry", caEntry);
    profileName = ParamUtil.requireNonBlank("profileName", profileName).toLowerCase();
    ParamUtil.requireNonNull("encodedCsr", encodedCsr);
    int numCrls = caEntry.getNumCrls();
    List<String> crlUris = caEntry.getCrlUris();
    List<String> deltaCrlUris = caEntry.getDeltaCrlUris();
    List<String> ocspUris = caEntry.getOcspUris();
    List<String> caCertUris = caEntry.getCaCertUris();
    String signerType = caEntry.getSignerType();
    asssertMasterMode();
    if (numCrls < 0) {
        System.err.println("invalid numCrls: " + numCrls);
        return null;
    }
    int expirationPeriod = caEntry.getExpirationPeriod();
    if (expirationPeriod < 0) {
        System.err.println("invalid expirationPeriod: " + expirationPeriod);
        return null;
    }
    CertificationRequest csr;
    try {
        csr = CertificationRequest.getInstance(encodedCsr);
    } catch (Exception ex) {
        System.err.println("invalid encodedCsr");
        return null;
    }
    IdentifiedX509Certprofile certprofile = getIdentifiedCertprofile(profileName);
    if (certprofile == null) {
        throw new CaMgmtException(concat("unknown certprofile ", profileName));
    }
    BigInteger serialOfThisCert = (serialNumber != null) ? serialNumber : RandomSerialNumberGenerator.getInstance().nextSerialNumber(caEntry.getSerialNoBitLen());
    GenerateSelfSignedResult result;
    try {
        result = X509SelfSignedCertBuilder.generateSelfSigned(securityFactory, signerType, caEntry.getSignerConf(), certprofile, csr, serialOfThisCert, caCertUris, ocspUris, crlUris, deltaCrlUris, caEntry.getExtraControl());
    } catch (OperationException | InvalidConfException ex) {
        throw new CaMgmtException(concat(ex.getClass().getName(), ": ", ex.getMessage()), ex);
    }
    String signerConf = result.getSignerConf();
    X509Certificate caCert = result.getCert();
    if ("PKCS12".equalsIgnoreCase(signerType) || "JKS".equalsIgnoreCase(signerType)) {
        try {
            signerConf = canonicalizeSignerConf(signerType, signerConf, new X509Certificate[] { caCert }, securityFactory);
        } catch (Exception ex) {
            throw new CaMgmtException(concat(ex.getClass().getName(), ": ", ex.getMessage()), ex);
        }
    }
    X509CaUris caUris = new X509CaUris(caCertUris, ocspUris, crlUris, deltaCrlUris);
    String name = caEntry.getIdent().getName();
    long nextCrlNumber = caEntry.getNextCrlNumber();
    CaStatus status = caEntry.getStatus();
    X509CaEntry entry = new X509CaEntry(new NameId(null, name), caEntry.getSerialNoBitLen(), nextCrlNumber, signerType, signerConf, caUris, numCrls, expirationPeriod);
    entry.setCert(caCert);
    entry.setCmpControlName(caEntry.getCmpControlName());
    entry.setCrlSignerName(caEntry.getCrlSignerName());
    entry.setDuplicateKeyPermitted(caEntry.isDuplicateKeyPermitted());
    entry.setDuplicateSubjectPermitted(caEntry.isDuplicateSubjectPermitted());
    entry.setExtraControl(caEntry.getExtraControl());
    entry.setKeepExpiredCertInDays(caEntry.getKeepExpiredCertInDays());
    entry.setMaxValidity(caEntry.getMaxValidity());
    entry.setPermission(caEntry.getPermission());
    entry.setResponderName(caEntry.getResponderName());
    entry.setSaveRequest(caEntry.isSaveRequest());
    entry.setStatus(status);
    entry.setValidityMode(caEntry.getValidityMode());
    addCa(entry);
    return caCert;
}
Also used : NameId(org.xipki.ca.api.NameId) InvalidConfException(org.xipki.common.InvalidConfException) CaStatus(org.xipki.ca.server.mgmt.api.CaStatus) CertprofileException(org.xipki.ca.api.profile.CertprofileException) KeyStoreException(java.security.KeyStoreException) XiSecurityException(org.xipki.security.exception.XiSecurityException) CertificateEncodingException(java.security.cert.CertificateEncodingException) InvalidConfException(org.xipki.common.InvalidConfException) SocketException(java.net.SocketException) IOException(java.io.IOException) CertPublisherException(org.xipki.ca.api.publisher.CertPublisherException) OperationException(org.xipki.ca.api.OperationException) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) ObjectCreationException(org.xipki.common.ObjectCreationException) DataAccessException(org.xipki.datasource.DataAccessException) JAXBException(javax.xml.bind.JAXBException) FileNotFoundException(java.io.FileNotFoundException) SAXException(org.xml.sax.SAXException) CertificateException(java.security.cert.CertificateException) PasswordResolverException(org.xipki.password.PasswordResolverException) X509Certificate(java.security.cert.X509Certificate) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) X509CaUris(org.xipki.ca.server.mgmt.api.x509.X509CaUris) GenerateSelfSignedResult(org.xipki.ca.server.impl.X509SelfSignedCertBuilder.GenerateSelfSignedResult) BigInteger(java.math.BigInteger) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) OperationException(org.xipki.ca.api.OperationException) X509CaEntry(org.xipki.ca.server.mgmt.api.x509.X509CaEntry)

Example 12 with CertificationRequest

use of org.bouncycastle.asn1.pkcs.CertificationRequest in project xipki by xipki.

the class ScepResponder method servicePkiOperation0.

private PkiMessage servicePkiOperation0(DecodedPkiMessage req, AuditEvent event) throws MessageDecodingException, CaException {
    TransactionId tid = req.getTransactionId();
    PkiMessage rep = new PkiMessage(tid, MessageType.CertRep, Nonce.randomNonce());
    rep.setPkiStatus(PkiStatus.SUCCESS);
    rep.setRecipientNonce(req.getSenderNonce());
    if (req.getFailureMessage() != null) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    Boolean bo = req.isSignatureValid();
    if (bo != null && !bo.booleanValue()) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badMessageCheck);
    }
    bo = req.isDecryptionSuccessful();
    if (bo != null && !bo.booleanValue()) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    Date signingTime = req.getSigningTime();
    if (maxSigningTimeBiasInMs > 0) {
        boolean isTimeBad = false;
        if (signingTime == null) {
            isTimeBad = true;
        } else {
            long now = System.currentTimeMillis();
            long diff = now - signingTime.getTime();
            if (diff < 0) {
                diff = -1 * diff;
            }
            isTimeBad = diff > maxSigningTimeBiasInMs;
        }
        if (isTimeBad) {
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badTime);
        }
    }
    // check the digest algorithm
    String oid = req.getDigestAlgorithm().getId();
    ScepHashAlgo hashAlgo = ScepHashAlgo.forNameOrOid(oid);
    if (hashAlgo == null) {
        LOG.warn("tid={}: unknown digest algorithm {}", tid, oid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    // end if
    boolean supported = false;
    if (hashAlgo == ScepHashAlgo.SHA1) {
        if (caCaps.containsCapability(CaCapability.SHA1)) {
            supported = true;
        }
    } else if (hashAlgo == ScepHashAlgo.SHA256) {
        if (caCaps.containsCapability(CaCapability.SHA256)) {
            supported = true;
        }
    } else if (hashAlgo == ScepHashAlgo.SHA512) {
        if (caCaps.containsCapability(CaCapability.SHA512)) {
            supported = true;
        }
    } else if (hashAlgo == ScepHashAlgo.MD5) {
        if (control.isUseInsecureAlg()) {
            supported = true;
        }
    }
    if (!supported) {
        LOG.warn("tid={}: unsupported digest algorithm {}", tid, oid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    // end if
    // check the content encryption algorithm
    ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm();
    if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) {
        if (!caCaps.containsCapability(CaCapability.DES3)) {
            LOG.warn("tid={}: encryption with DES3 algorithm is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else if (AES_ENC_ALGS.contains(encOid)) {
        if (!caCaps.containsCapability(CaCapability.AES)) {
            LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else if (CMSAlgorithm.DES_CBC.equals(encOid)) {
        if (!control.isUseInsecureAlg()) {
            LOG.warn("tid={}: encryption with DES algorithm {} is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else {
        LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    if (rep.getPkiStatus() == PkiStatus.FAILURE) {
        return rep;
    }
    MessageType messageType = req.getMessageType();
    switch(messageType) {
        case PKCSReq:
            boolean selfSigned = req.getSignatureCert().getIssuerX500Principal().equals(req.getSignatureCert().getIssuerX500Principal());
            CertificationRequest csr = CertificationRequest.getInstance(req.getMessageData());
            if (selfSigned) {
                X500Name name = X500Name.getInstance(req.getSignatureCert().getSubjectX500Principal().getEncoded());
                if (!name.equals(csr.getCertificationRequestInfo().getSubject())) {
                    LOG.warn("tid={}: self-signed cert.subject != CSR.subject", tid);
                    return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
                }
            }
            String challengePwd = getChallengePassword(csr.getCertificationRequestInfo());
            if (challengePwd == null || !control.getSecret().equals(challengePwd)) {
                LOG.warn("challengePassword is not trusted");
                return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            }
            Certificate cert;
            try {
                cert = caEmulator.generateCert(csr);
            } catch (Exception ex) {
                throw new CaException("system failure: " + ex.getMessage(), ex);
            }
            if (cert != null && control.isPendingCert()) {
                rep.setPkiStatus(PkiStatus.PENDING);
            } else if (cert != null) {
                ContentInfo messageData = createSignedData(cert);
                rep.setMessageData(messageData);
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        case CertPoll:
            IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData());
            cert = caEmulator.pollCert(is.getIssuer(), is.getSubject());
            if (cert != null) {
                rep.setMessageData(createSignedData(cert));
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        case GetCert:
            IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
            cert = caEmulator.getCert(isn.getName(), isn.getSerialNumber().getValue());
            if (cert != null) {
                rep.setMessageData(createSignedData(cert));
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        case RenewalReq:
            if (!caCaps.containsCapability(CaCapability.Renewal)) {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            } else {
                csr = CertificationRequest.getInstance(req.getMessageData());
                try {
                    cert = caEmulator.generateCert(csr);
                } catch (Exception ex) {
                    throw new CaException("system failure: " + ex.getMessage(), ex);
                }
                if (cert != null) {
                    rep.setMessageData(createSignedData(cert));
                } else {
                    rep.setPkiStatus(PkiStatus.FAILURE);
                    rep.setFailInfo(FailInfo.badCertId);
                }
            }
            break;
        case UpdateReq:
            if (!caCaps.containsCapability(CaCapability.Update)) {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            } else {
                csr = CertificationRequest.getInstance(req.getMessageData());
                try {
                    cert = caEmulator.generateCert(csr);
                } catch (Exception ex) {
                    throw new CaException("system failure: " + ex.getMessage(), ex);
                }
                if (cert != null) {
                    rep.setMessageData(createSignedData(cert));
                } else {
                    buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
                }
            }
            break;
        case GetCRL:
            isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
            CertificateList crl;
            try {
                crl = caEmulator.getCrl(isn.getName(), isn.getSerialNumber().getValue());
            } catch (Exception ex) {
                throw new CaException("system failure: " + ex.getMessage(), ex);
            }
            if (crl != null) {
                rep.setMessageData(createSignedData(crl));
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        default:
            buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    return rep;
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) ScepHashAlgo(org.xipki.scep.crypto.ScepHashAlgo) CertificateList(org.bouncycastle.asn1.x509.CertificateList) ASN1String(org.bouncycastle.asn1.ASN1String) X500Name(org.bouncycastle.asn1.x500.X500Name) Date(java.util.Date) CMSException(org.bouncycastle.cms.CMSException) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) CertificateException(java.security.cert.CertificateException) IssuerAndSubject(org.xipki.scep.message.IssuerAndSubject) TransactionId(org.xipki.scep.transaction.TransactionId) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) PkiMessage(org.xipki.scep.message.PkiMessage) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) MessageType(org.xipki.scep.transaction.MessageType) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate)

Example 13 with CertificationRequest

use of org.bouncycastle.asn1.pkcs.CertificationRequest in project xipki by xipki.

the class EnrollCertCmd method execute0.

@Override
protected Object execute0() throws Exception {
    ScepClient client = getScepClient();
    CertificationRequest csr = CertificationRequest.getInstance(IoUtil.read(csrFile));
    EnrolmentResponse resp;
    PrivateKey key0 = getIdentityKey();
    X509Certificate cert0 = getIdentityCert();
    if (StringUtil.isBlank(method)) {
        resp = client.scepEnrol(csr, key0, cert0);
    } else if ("pkcs".equalsIgnoreCase(method)) {
        resp = client.scepPkcsReq(csr, key0, cert0);
    } else if ("renewal".equalsIgnoreCase(method)) {
        resp = client.scepRenewalReq(csr, key0, cert0);
    } else if ("update".equalsIgnoreCase(method)) {
        resp = client.scepUpdateReq(csr, key0, cert0);
    } else {
        throw new CmdFailure("invalid enroll method");
    }
    if (resp.isFailure()) {
        throw new CmdFailure("server returned 'failure'");
    }
    if (resp.isPending()) {
        throw new CmdFailure("server returned 'pending'");
    }
    X509Certificate cert = resp.getCertificates().get(0);
    saveVerbose("saved enrolled certificate to file", new File(outputFile), cert.getEncoded());
    return null;
}
Also used : PrivateKey(java.security.PrivateKey) CmdFailure(org.xipki.console.karaf.CmdFailure) ScepClient(org.xipki.scep.client.ScepClient) EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse) File(java.io.File) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) X509Certificate(java.security.cert.X509Certificate)

Example 14 with CertificationRequest

use of org.bouncycastle.asn1.pkcs.CertificationRequest in project xipki by xipki.

the class CheckCertCmd method execute0.

@Override
protected Object execute0() throws Exception {
    Set<String> issuerNames = qaSystemManager.getIssuerNames();
    if (isEmpty(issuerNames)) {
        throw new IllegalCmdParamException("no issuer is configured");
    }
    if (issuerName == null) {
        if (issuerNames.size() != 1) {
            throw new IllegalCmdParamException("no issuer is specified");
        }
        issuerName = issuerNames.iterator().next();
    }
    if (!issuerNames.contains(issuerName)) {
        throw new IllegalCmdParamException("issuer " + issuerName + " is not within the configured issuers " + issuerNames);
    }
    X509IssuerInfo issuerInfo = qaSystemManager.getIssuer(issuerName);
    X509CertprofileQa qa = qaSystemManager.getCertprofile(profileName);
    if (qa == null) {
        throw new IllegalCmdParamException("found no certificate profile named '" + profileName + "'");
    }
    CertificationRequest csr = CertificationRequest.getInstance(IoUtil.read(csrFile));
    Extensions extensions = null;
    CertificationRequestInfo reqInfo = csr.getCertificationRequestInfo();
    ASN1Set attrs = reqInfo.getAttributes();
    for (int i = 0; i < attrs.size(); i++) {
        Attribute attr = Attribute.getInstance(attrs.getObjectAt(i));
        if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
            extensions = Extensions.getInstance(attr.getAttributeValues()[0]);
        }
    }
    byte[] certBytes = IoUtil.read(certFile);
    ValidationResult result = qa.checkCert(certBytes, issuerInfo, reqInfo.getSubject(), reqInfo.getSubjectPublicKeyInfo(), extensions);
    StringBuilder sb = new StringBuilder();
    sb.append(certFile).append(" (certprofile ").append(profileName).append(")\n");
    sb.append("\tcertificate is ");
    sb.append(result.isAllSuccessful() ? "valid" : "invalid");
    if (verbose.booleanValue()) {
        for (ValidationIssue issue : result.getValidationIssues()) {
            sb.append("\n");
            format(issue, "    ", sb);
        }
    }
    println(sb.toString());
    if (!result.isAllSuccessful()) {
        throw new CmdFailure("certificate is invalid");
    }
    return null;
}
Also used : X509CertprofileQa(org.xipki.ca.qa.X509CertprofileQa) CertificationRequestInfo(org.bouncycastle.asn1.pkcs.CertificationRequestInfo) Attribute(org.bouncycastle.asn1.pkcs.Attribute) X509IssuerInfo(org.xipki.ca.qa.X509IssuerInfo) Extensions(org.bouncycastle.asn1.x509.Extensions) ValidationResult(org.xipki.common.qa.ValidationResult) ValidationIssue(org.xipki.common.qa.ValidationIssue) ASN1Set(org.bouncycastle.asn1.ASN1Set) CmdFailure(org.xipki.console.karaf.CmdFailure) IllegalCmdParamException(org.xipki.console.karaf.IllegalCmdParamException) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)

Example 15 with CertificationRequest

use of org.bouncycastle.asn1.pkcs.CertificationRequest in project jruby-openssl by jruby.

the class PKCS10Request method resetSignedRequest.

private void resetSignedRequest() {
    if (signedRequest == null)
        return;
    CertificationRequest req = signedRequest.toASN1Structure();
    CertificationRequestInfo reqInfo = new CertificationRequestInfo(subject, publicKeyInfo, req.getCertificationRequestInfo().getAttributes());
    ASN1Sequence seq = (ASN1Sequence) req.toASN1Primitive();
    req = new CertificationRequest(reqInfo, (AlgorithmIdentifier) seq.getObjectAt(1), (DERBitString) seq.getObjectAt(2));
    // valid = true;
    signedRequest = new PKCS10CertificationRequest(req);
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) CertificationRequestInfo(org.bouncycastle.asn1.pkcs.CertificationRequestInfo) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) DERBitString(org.bouncycastle.asn1.DERBitString) PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)

Aggregations

CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)17 X509Certificate (java.security.cert.X509Certificate)14 X500Name (org.bouncycastle.asn1.x500.X500Name)12 Date (java.util.Date)10 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)7 CertificateException (java.security.cert.CertificateException)6 CertificationRequestInfo (org.bouncycastle.asn1.pkcs.CertificationRequestInfo)6 Extensions (org.bouncycastle.asn1.x509.Extensions)6 OperationException (org.xipki.ca.api.OperationException)6 IOException (java.io.IOException)5 BigInteger (java.math.BigInteger)5 File (java.io.File)4 InvalidKeySpecException (java.security.spec.InvalidKeySpecException)4 PKCS10CertificationRequest (org.bouncycastle.pkcs.PKCS10CertificationRequest)4 EnrolmentResponse (org.xipki.scep.client.EnrolmentResponse)4 ScepClient (org.xipki.scep.client.ScepClient)4 InvalidKeyException (java.security.InvalidKeyException)3 PrivateKey (java.security.PrivateKey)3 ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)3 Certificate (org.bouncycastle.asn1.x509.Certificate)3
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial