Example 1 with IssuerAndSerialNumber
use of org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber in project robovm by robovm.
the class SignerInfoGeneratorBuilder method build.
/**
* Build a generator with the passed in certHolder issuer and serial number as the signerIdentifier.
*
* @param contentSigner operator for generating the final signature in the SignerInfo with.
* @param certHolder carrier for the X.509 certificate related to the contentSigner.
* @return a SignerInfoGenerator
* @throws OperatorCreationException if the generator cannot be built.
*/
public SignerInfoGenerator build(ContentSigner contentSigner, X509CertificateHolder certHolder) throws OperatorCreationException {
SignerIdentifier sigId = new SignerIdentifier(new IssuerAndSerialNumber(certHolder.toASN1Structure()));
SignerInfoGenerator sigInfoGen = createGenerator(contentSigner, sigId);
sigInfoGen.setAssociatedCertificate(certHolder);
return sigInfoGen;
}
Also used :
IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber)
SignerIdentifier(org.bouncycastle.asn1.cms.SignerIdentifier)
Example 2 with IssuerAndSerialNumber
use of org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber in project xipki by xipki.
the class ScepResponder method servicePkiOperation0.
private PkiMessage servicePkiOperation0(DecodedPkiMessage req, AuditEvent event) throws MessageDecodingException, CaException {
TransactionId tid = req.getTransactionId();
PkiMessage rep = new PkiMessage(tid, MessageType.CertRep, Nonce.randomNonce());
rep.setPkiStatus(PkiStatus.SUCCESS);
rep.setRecipientNonce(req.getSenderNonce());
if (req.getFailureMessage() != null) {
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
}
Boolean bo = req.isSignatureValid();
if (bo != null && !bo.booleanValue()) {
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badMessageCheck);
}
bo = req.isDecryptionSuccessful();
if (bo != null && !bo.booleanValue()) {
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
}
Date signingTime = req.getSigningTime();
if (maxSigningTimeBiasInMs > 0) {
boolean isTimeBad = false;
if (signingTime == null) {
isTimeBad = true;
} else {
long now = System.currentTimeMillis();
long diff = now - signingTime.getTime();
if (diff < 0) {
diff = -1 * diff;
}
isTimeBad = diff > maxSigningTimeBiasInMs;
}
if (isTimeBad) {
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badTime);
}
}
// check the digest algorithm
String oid = req.getDigestAlgorithm().getId();
ScepHashAlgo hashAlgo = ScepHashAlgo.forNameOrOid(oid);
if (hashAlgo == null) {
LOG.warn("tid={}: unknown digest algorithm {}", tid, oid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
}
// end if
boolean supported = false;
if (hashAlgo == ScepHashAlgo.SHA1) {
if (caCaps.containsCapability(CaCapability.SHA1)) {
supported = true;
}
} else if (hashAlgo == ScepHashAlgo.SHA256) {
if (caCaps.containsCapability(CaCapability.SHA256)) {
supported = true;
}
} else if (hashAlgo == ScepHashAlgo.SHA512) {
if (caCaps.containsCapability(CaCapability.SHA512)) {
supported = true;
}
} else if (hashAlgo == ScepHashAlgo.MD5) {
if (control.isUseInsecureAlg()) {
supported = true;
}
}
if (!supported) {
LOG.warn("tid={}: unsupported digest algorithm {}", tid, oid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
}
// end if
// check the content encryption algorithm
ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm();
if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) {
if (!caCaps.containsCapability(CaCapability.DES3)) {
LOG.warn("tid={}: encryption with DES3 algorithm is not permitted", tid, encOid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
}
} else if (AES_ENC_ALGS.contains(encOid)) {
if (!caCaps.containsCapability(CaCapability.AES)) {
LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
}
} else if (CMSAlgorithm.DES_CBC.equals(encOid)) {
if (!control.isUseInsecureAlg()) {
LOG.warn("tid={}: encryption with DES algorithm {} is not permitted", tid, encOid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
}
} else {
LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
}
if (rep.getPkiStatus() == PkiStatus.FAILURE) {
return rep;
}
MessageType messageType = req.getMessageType();
switch(messageType) {
case PKCSReq:
boolean selfSigned = req.getSignatureCert().getIssuerX500Principal().equals(req.getSignatureCert().getIssuerX500Principal());
CertificationRequest csr = CertificationRequest.getInstance(req.getMessageData());
if (selfSigned) {
X500Name name = X500Name.getInstance(req.getSignatureCert().getSubjectX500Principal().getEncoded());
if (!name.equals(csr.getCertificationRequestInfo().getSubject())) {
LOG.warn("tid={}: self-signed cert.subject != CSR.subject", tid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
}
}
String challengePwd = getChallengePassword(csr.getCertificationRequestInfo());
if (challengePwd == null || !control.getSecret().equals(challengePwd)) {
LOG.warn("challengePassword is not trusted");
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
}
Certificate cert;
try {
cert = caEmulator.generateCert(csr);
} catch (Exception ex) {
throw new CaException("system failure: " + ex.getMessage(), ex);
}
if (cert != null && control.isPendingCert()) {
rep.setPkiStatus(PkiStatus.PENDING);
} else if (cert != null) {
ContentInfo messageData = createSignedData(cert);
rep.setMessageData(messageData);
} else {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
}
break;
case CertPoll:
IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData());
cert = caEmulator.pollCert(is.getIssuer(), is.getSubject());
if (cert != null) {
rep.setMessageData(createSignedData(cert));
} else {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
}
break;
case GetCert:
IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
cert = caEmulator.getCert(isn.getName(), isn.getSerialNumber().getValue());
if (cert != null) {
rep.setMessageData(createSignedData(cert));
} else {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
}
break;
case RenewalReq:
if (!caCaps.containsCapability(CaCapability.Renewal)) {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
} else {
csr = CertificationRequest.getInstance(req.getMessageData());
try {
cert = caEmulator.generateCert(csr);
} catch (Exception ex) {
throw new CaException("system failure: " + ex.getMessage(), ex);
}
if (cert != null) {
rep.setMessageData(createSignedData(cert));
} else {
rep.setPkiStatus(PkiStatus.FAILURE);
rep.setFailInfo(FailInfo.badCertId);
}
}
break;
case UpdateReq:
if (!caCaps.containsCapability(CaCapability.Update)) {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
} else {
csr = CertificationRequest.getInstance(req.getMessageData());
try {
cert = caEmulator.generateCert(csr);
} catch (Exception ex) {
throw new CaException("system failure: " + ex.getMessage(), ex);
}
if (cert != null) {
rep.setMessageData(createSignedData(cert));
} else {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
}
}
break;
case GetCRL:
isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
CertificateList crl;
try {
crl = caEmulator.getCrl(isn.getName(), isn.getSerialNumber().getValue());
} catch (Exception ex) {
throw new CaException("system failure: " + ex.getMessage(), ex);
}
if (crl != null) {
rep.setMessageData(createSignedData(crl));
} else {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
}
break;
default:
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
}
return rep;
}
Also used :
IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber)
ScepHashAlgo(org.xipki.scep.crypto.ScepHashAlgo)
CertificateList(org.bouncycastle.asn1.x509.CertificateList)
ASN1String(org.bouncycastle.asn1.ASN1String)
X500Name(org.bouncycastle.asn1.x500.X500Name)
Date(java.util.Date)
CMSException(org.bouncycastle.cms.CMSException)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
CertificateException(java.security.cert.CertificateException)
IssuerAndSubject(org.xipki.scep.message.IssuerAndSubject)
TransactionId(org.xipki.scep.transaction.TransactionId)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
PkiMessage(org.xipki.scep.message.PkiMessage)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
MessageType(org.xipki.scep.transaction.MessageType)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Example 3 with IssuerAndSerialNumber
use of org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber in project xipki by xipki.
the class Client method scepGetCrl.
public X509CRL scepGetCrl(PrivateKey identityKey, X509Certificate identityCert, X500Name issuer, BigInteger serialNumber) throws ScepClientException {
ScepUtil.requireNonNull("identityKey", identityKey);
ScepUtil.requireNonNull("identityCert", identityCert);
ScepUtil.requireNonNull("issuer", issuer);
ScepUtil.requireNonNull("serialNumber", serialNumber);
initIfNotInited();
PkiMessage pkiMessage = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCRL);
IssuerAndSerialNumber isn = new IssuerAndSerialNumber(issuer, serialNumber);
pkiMessage.setMessageData(isn);
ContentInfo request = encryptThenSign(pkiMessage, identityKey, identityCert);
ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, request);
CMSSignedData cmsSignedData = parsePkiMessage(httpResp.getContentBytes());
PkiMessage response = decode(cmsSignedData, identityKey, identityCert);
if (response.getPkiStatus() != PkiStatus.SUCCESS) {
throw new ScepClientException("server returned " + response.getPkiStatus());
}
ContentInfo messageData = ContentInfo.getInstance(response.getMessageData());
try {
return ScepUtil.getCrlFromPkiMessage(SignedData.getInstance(messageData.getContent()));
} catch (CRLException ex) {
throw new ScepClientException(ex.getMessage(), ex);
}
}
Also used :
IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber)
ScepClientException(org.xipki.scep.client.exception.ScepClientException)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
PkiMessage(org.xipki.scep.message.PkiMessage)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
CMSSignedData(org.bouncycastle.cms.CMSSignedData)
CRLException(java.security.cert.CRLException)
Example 4 with IssuerAndSerialNumber
use of org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber in project jruby-openssl by jruby.
the class RecipInfo method set.
/**
* c: PKCS7_RECIP_INFO_set
*/
public void set(X509AuxCertificate cert) throws PKCS7Exception {
version = 0;
X500Name issuer = X500Name.getInstance(cert.getIssuerX500Principal().getEncoded());
BigInteger serial = cert.getSerialNumber();
issuerAndSerial = new IssuerAndSerialNumber(issuer, serial);
String algo = addEncryptionIfNeeded(cert.getPublicKey().getAlgorithm());
keyEncAlgor = new AlgorithmIdentifier(ASN1Registry.sym2oid(algo));
this.cert = cert;
}
Also used :
IssuerAndSerialNumber(org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber)
BigInteger(java.math.BigInteger)
X500Name(org.bouncycastle.asn1.x500.X500Name)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
Example 5 with IssuerAndSerialNumber
use of org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber in project jruby-openssl by jruby.
the class RecipInfo method fromASN1.
/**
* RecipientInfo ::= SEQUENCE {
* version Version,
* issuerAndSerialNumber IssuerAndSerialNumber,
* keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
* encryptedKey EncryptedKey }
*
* EncryptedKey ::= OCTET STRING
*/
public static RecipInfo fromASN1(ASN1Encodable content) {
ASN1Sequence sequence = (ASN1Sequence) content;
RecipInfo ri = new RecipInfo();
ri.setVersion(((ASN1Integer) sequence.getObjectAt(0)).getValue().intValue());
ri.setIssuerAndSerial(IssuerAndSerialNumber.getInstance(sequence.getObjectAt(1)));
ri.setKeyEncAlgor(AlgorithmIdentifier.getInstance(sequence.getObjectAt(2)));
ri.setEncKey((ASN1OctetString) sequence.getObjectAt(3));
return ri;
}
Also used :
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
Aggregations
IssuerAndSerialNumber (org.bouncycastle.asn1.cms.IssuerAndSerialNumber)7
ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)5
X500Name (org.bouncycastle.asn1.x500.X500Name)4
DecodedPkiMessage (org.xipki.scep.message.DecodedPkiMessage)4
PkiMessage (org.xipki.scep.message.PkiMessage)4
BigInteger (java.math.BigInteger)3
CertificateException (java.security.cert.CertificateException)3
X509Certificate (java.security.cert.X509Certificate)3
Date (java.util.Date)3
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)3
CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)3
IssuerAndSerialNumber (org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber)3
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)3
CMSSignedData (org.bouncycastle.cms.CMSSignedData)3
MessageType (org.xipki.scep.transaction.MessageType)3
ASN1Integer (org.bouncycastle.asn1.ASN1Integer)2
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)2
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
CRLException (java.security.cert.CRLException)1
DSAPrivateKey (java.security.interfaces.DSAPrivateKey)1
