use of org.bouncycastle.asn1.x509.AlgorithmIdentifier in project xipki by xipki.
the class OcspStatusCmd method processResponse.
@Override
protected Object processResponse(OCSPResp response, X509Certificate respIssuer, IssuerHash issuerHash, List<BigInteger> serialNumbers, Map<BigInteger, byte[]> encodedCerts) throws Exception {
ParamUtil.requireNonNull("response", response);
ParamUtil.requireNonNull("issuerHash", issuerHash);
ParamUtil.requireNonNull("serialNumbers", serialNumbers);
BasicOCSPResp basicResp = OcspUtils.extractBasicOcspResp(response);
boolean extendedRevoke = basicResp.getExtension(ObjectIdentifiers.id_pkix_ocsp_extendedRevoke) != null;
SingleResp[] singleResponses = basicResp.getResponses();
if (singleResponses == null || singleResponses.length == 0) {
throw new CmdFailure("received no status from server");
}
final int n = singleResponses.length;
if (n != serialNumbers.size()) {
throw new CmdFailure("received status with " + n + " single responses from server, but " + serialNumbers.size() + " were requested");
}
Date[] thisUpdates = new Date[n];
for (int i = 0; i < n; i++) {
thisUpdates[i] = singleResponses[i].getThisUpdate();
}
// check the signature if available
if (null == basicResp.getSignature()) {
println("response is not signed");
} else {
X509CertificateHolder[] responderCerts = basicResp.getCerts();
if (responderCerts == null || responderCerts.length < 1) {
throw new CmdFailure("no responder certificate is contained in the response");
}
ResponderID respId = basicResp.getResponderId().toASN1Primitive();
X500Name respIdByName = respId.getName();
byte[] respIdByKey = respId.getKeyHash();
X509CertificateHolder respSigner = null;
for (X509CertificateHolder cert : responderCerts) {
if (respIdByName != null) {
if (cert.getSubject().equals(respIdByName)) {
respSigner = cert;
}
} else {
byte[] spkiSha1 = HashAlgo.SHA1.hash(cert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes());
if (Arrays.equals(respIdByKey, spkiSha1)) {
respSigner = cert;
}
}
if (respSigner != null) {
break;
}
}
if (respSigner == null) {
throw new CmdFailure("no responder certificate match the ResponderId");
}
boolean validOn = true;
for (Date thisUpdate : thisUpdates) {
validOn = respSigner.isValidOn(thisUpdate);
if (!validOn) {
throw new CmdFailure("responder certificate is not valid on " + thisUpdate);
}
}
if (validOn) {
PublicKey responderPubKey = KeyUtil.generatePublicKey(respSigner.getSubjectPublicKeyInfo());
ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(responderPubKey);
boolean sigValid = basicResp.isSignatureValid(cvp);
if (!sigValid) {
throw new CmdFailure("response is equipped with invalid signature");
}
// verify the OCSPResponse signer
if (respIssuer != null) {
boolean certValid = true;
X509Certificate jceRespSigner = X509Util.toX509Cert(respSigner.toASN1Structure());
if (X509Util.issues(respIssuer, jceRespSigner)) {
try {
jceRespSigner.verify(respIssuer.getPublicKey());
} catch (SignatureException ex) {
certValid = false;
}
}
if (!certValid) {
throw new CmdFailure("response is equipped with valid signature but the" + " OCSP signer is not trusted");
}
} else {
println("response is equipped with valid signature");
}
// end if(respIssuer)
}
if (verbose.booleanValue()) {
println("responder is " + X509Util.getRfc4519Name(responderCerts[0].getSubject()));
}
}
for (int i = 0; i < n; i++) {
if (n > 1) {
println("---------------------------- " + i + "----------------------------");
}
SingleResp singleResp = singleResponses[i];
CertificateStatus singleCertStatus = singleResp.getCertStatus();
String status;
if (singleCertStatus == null) {
status = "good";
} else if (singleCertStatus instanceof RevokedStatus) {
RevokedStatus revStatus = (RevokedStatus) singleCertStatus;
Date revTime = revStatus.getRevocationTime();
Date invTime = null;
Extension ext = singleResp.getExtension(Extension.invalidityDate);
if (ext != null) {
invTime = ASN1GeneralizedTime.getInstance(ext.getParsedValue()).getDate();
}
if (revStatus.hasRevocationReason()) {
int reason = revStatus.getRevocationReason();
if (extendedRevoke && reason == CrlReason.CERTIFICATE_HOLD.getCode() && revTime.getTime() == 0) {
status = "unknown (RFC6960)";
} else {
status = StringUtil.concatObjects("revoked, reason = ", CrlReason.forReasonCode(reason).getDescription(), ", revocationTime = ", revTime, (invTime == null ? "" : ", invalidityTime = " + invTime));
}
} else {
status = "revoked, no reason, revocationTime = " + revTime;
}
} else if (singleCertStatus instanceof UnknownStatus) {
status = "unknown (RFC2560)";
} else {
status = "ERROR";
}
StringBuilder msg = new StringBuilder();
CertificateID certId = singleResp.getCertID();
HashAlgo hashAlgo = HashAlgo.getNonNullInstance(certId.getHashAlgOID());
boolean issuerMatch = issuerHash.match(hashAlgo, certId.getIssuerNameHash(), certId.getIssuerKeyHash());
BigInteger serialNumber = certId.getSerialNumber();
msg.append("issuer matched: ").append(issuerMatch);
msg.append("\nserialNumber: ").append(LogUtil.formatCsn(serialNumber));
msg.append("\nCertificate status: ").append(status);
if (verbose.booleanValue()) {
msg.append("\nthisUpdate: ").append(singleResp.getThisUpdate());
msg.append("\nnextUpdate: ").append(singleResp.getNextUpdate());
Extension extension = singleResp.getExtension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash);
if (extension != null) {
msg.append("\nCertHash is provided:\n");
ASN1Encodable extensionValue = extension.getParsedValue();
CertHash certHash = CertHash.getInstance(extensionValue);
ASN1ObjectIdentifier hashAlgOid = certHash.getHashAlgorithm().getAlgorithm();
byte[] hashValue = certHash.getCertificateHash();
msg.append("\tHash algo : ").append(hashAlgOid.getId()).append("\n");
msg.append("\tHash value: ").append(Hex.encode(hashValue)).append("\n");
if (encodedCerts != null) {
byte[] encodedCert = encodedCerts.get(serialNumber);
MessageDigest md = MessageDigest.getInstance(hashAlgOid.getId());
byte[] expectedHashValue = md.digest(encodedCert);
if (Arrays.equals(expectedHashValue, hashValue)) {
msg.append("\tThis matches the requested certificate");
} else {
msg.append("\tThis differs from the requested certificate");
}
}
}
// end if (extension != null)
extension = singleResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_archive_cutoff);
if (extension != null) {
ASN1Encodable extensionValue = extension.getParsedValue();
ASN1GeneralizedTime time = ASN1GeneralizedTime.getInstance(extensionValue);
msg.append("\nArchive-CutOff: ");
msg.append(time.getTimeString());
}
AlgorithmIdentifier sigAlg = basicResp.getSignatureAlgorithmID();
if (sigAlg == null) {
msg.append(("\nresponse is not signed"));
} else {
String sigAlgName = AlgorithmUtil.getSignatureAlgoName(sigAlg);
if (sigAlgName == null) {
sigAlgName = "unknown";
}
msg.append("\nresponse is signed with ").append(sigAlgName);
}
// extensions
msg.append("\nExtensions: ");
List<?> extensionOids = basicResp.getExtensionOIDs();
if (extensionOids == null || extensionOids.size() == 0) {
msg.append("-");
} else {
int size = extensionOids.size();
for (int j = 0; j < size; j++) {
ASN1ObjectIdentifier extensionOid = (ASN1ObjectIdentifier) extensionOids.get(j);
String name = EXTENSION_OIDNAME_MAP.get(extensionOid);
if (name == null) {
msg.append(extensionOid.getId());
} else {
msg.append(name);
}
if (j != size - 1) {
msg.append(", ");
}
}
}
}
// end if (verbose.booleanValue())
println(msg.toString());
}
// end for
println("");
return null;
}
use of org.bouncycastle.asn1.x509.AlgorithmIdentifier in project signer by demoiselle.
the class RevocationRefs method makeCrlValidatedID.
/**
* @param extract
* CrlValidatedID from X509CRL
* @return a CrlValidatedID
* @throws NoSuchAlgorithmException
* @throws CRLException
*/
private CrlValidatedID makeCrlValidatedID(X509CRL crl) throws NoSuchAlgorithmException, CRLException {
Digest digest = DigestFactory.getInstance().factoryDefault();
digest.setAlgorithm(DigestAlgorithmEnum.SHA_256);
OtherHashAlgAndValue otherHashAlgAndValue = new OtherHashAlgAndValue(new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256), new DEROctetString(digest.digest(crl.getEncoded())));
OtherHash hash = new OtherHash(otherHashAlgAndValue);
BigInteger crlnumber;
CrlIdentifier crlid;
if (crl.getExtensionValue("2.5.29.20") != null) {
ASN1Integer varASN1Integer = new ASN1Integer(crl.getExtensionValue("2.5.29.20"));
crlnumber = varASN1Integer.getPositiveValue();
crlid = new CrlIdentifier(new X500Name(crl.getIssuerX500Principal().getName()), new DERUTCTime(crl.getThisUpdate()), crlnumber);
} else {
crlid = new CrlIdentifier(new X500Name(crl.getIssuerX500Principal().getName()), new DERUTCTime(crl.getThisUpdate()));
}
CrlValidatedID crlvid = new CrlValidatedID(hash, crlid);
return crlvid;
}
use of org.bouncycastle.asn1.x509.AlgorithmIdentifier in project signer by demoiselle.
the class CertificateRefs method getValue.
@Override
public Attribute getValue() throws SignerException {
try {
int chainSize = certificates.length - 1;
OtherCertID[] arrayOtherCertID = new OtherCertID[chainSize];
for (int i = 1; i <= chainSize; i++) {
X509Certificate issuerCert = null;
X509Certificate cert = (X509Certificate) certificates[i];
if (i < chainSize) {
issuerCert = (X509Certificate) certificates[i + 1];
} else {
// raiz
issuerCert = (X509Certificate) certificates[i];
}
Digest digest = DigestFactory.getInstance().factoryDefault();
digest.setAlgorithm(DigestAlgorithmEnum.SHA_256);
byte[] certHash = digest.digest(cert.getEncoded());
X500Name dirName = new X500Name(issuerCert.getSubjectX500Principal().getName());
GeneralName name = new GeneralName(dirName);
GeneralNames issuer = new GeneralNames(name);
ASN1Integer serialNumber = new ASN1Integer(cert.getSerialNumber());
IssuerSerial issuerSerial = new IssuerSerial(issuer, serialNumber);
AlgorithmIdentifier algId = new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256);
OtherCertID otherCertID = new OtherCertID(algId, certHash, issuerSerial);
arrayOtherCertID[i - 1] = otherCertID;
}
return new Attribute(new ASN1ObjectIdentifier(identifier), new DERSet(new ASN1Encodable[] { new DERSequence(arrayOtherCertID) }));
} catch (CertificateEncodingException e) {
throw new SignerException(e.getMessage());
}
}
use of org.bouncycastle.asn1.x509.AlgorithmIdentifier in project platformlayer by platformlayer.
the class SimpleCertificateAuthority method signCertificate.
private static Certificate signCertificate(X500Name signer, PrivateKey signerPrivateKey, X500Name subject, SubjectPublicKeyInfo subjectPublicKeyInfo) throws OpsException {
try {
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(SIGNATURE_ALGORITHM);
AlgorithmIdentifier digestAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
long days = 3650;
long now = System.currentTimeMillis();
Date notBefore = new Date(now - ONE_DAY);
Date notAfter = new Date(notBefore.getTime() + (days * ONE_DAY));
BigInteger serialNumber;
synchronized (SimpleCertificateAuthority.class) {
long nextSerialNumber = System.currentTimeMillis();
serialNumber = BigInteger.valueOf(nextSerialNumber);
}
X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(signer, serialNumber, notBefore, notAfter, subject, subjectPublicKeyInfo);
// {
// boolean isCritical = false;
// certificateBuilder.addExtension(X509Extensions.SubjectKeyIdentifier, isCritical,
// csr.getSubjectPublicKeyInfo());
// }
AsymmetricKeyParameter caPrivateKeyParameters = PrivateKeyFactory.createKey(signerPrivateKey.getEncoded());
ContentSigner contentSigner = new BcRSAContentSignerBuilder(sigAlgId, digestAlgId).build(caPrivateKeyParameters);
X509CertificateHolder certificateHolder = certificateBuilder.build(contentSigner);
Certificate certificate = certificateHolder.toASN1Structure();
return certificate;
} catch (OperatorCreationException e) {
throw new OpsException("Error signing certificate", e);
} catch (IOException e) {
throw new OpsException("Error signing certificate", e);
}
}
use of org.bouncycastle.asn1.x509.AlgorithmIdentifier in project open-ecard by ecsec.
the class SignatureVerifier method validate.
public void validate(@Nonnull byte[] signature) throws KeyStoreException, SignatureInvalid {
try {
// load BC provider, so that the algorithms are available for the signature verification
Security.addProvider(new BouncyCastleProvider());
CMSProcessable wrappedChallenge = new CMSProcessableByteArray(challenge);
CMSSignedData signedData = new CMSSignedData(wrappedChallenge, signature);
Store<X509CertificateHolder> certStore = signedData.getCertificates();
SignerInformationStore signerInfoStore = signedData.getSignerInfos();
Collection<SignerInformation> signers = signerInfoStore.getSigners();
Collection<X509Certificate> allCerts = convertCertificates(certStore.getMatches(new AllSelector()));
for (SignerInformation signer : signers) {
Collection<X509CertificateHolder> certCollection = certStore.getMatches(signer.getSID());
X509CertificateHolder cert = certCollection.iterator().next();
DigestCalculatorProvider dp = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build();
JcaSignerInfoVerifierBuilder verifBuilder = new JcaSignerInfoVerifierBuilder(dp).setProvider("BC");
verifBuilder.setSignatureAlgorithmFinder(new DefaultSignatureAlgorithmIdentifierFinder() {
@Override
public AlgorithmIdentifier find(String sigAlgName) {
if (!AllowedSignatureAlgorithms.isKnownJcaAlgorithm(sigAlgName)) {
throw new IllegalArgumentException("Unsupported signature algorithm used.");
} else {
return super.find(sigAlgName);
}
}
});
SignerInformationVerifier verif = verifBuilder.build(cert);
// verify the signature
if (!signer.verify(verif)) {
throw new SignatureInvalid("Signer information could not be verified.");
}
// verify the path and certificate
X509Certificate x509Cert = convertCertificate(cert);
// TODO: verify that the signature is not too old. How old can it be at max? 1 minute?
validatePath(x509Cert, allCerts, null);
// check that the end certificate is under the admissable certificates
if (ChipGatewayProperties.isUseSubjectWhitelist()) {
X500Principal subj = x509Cert.getSubjectX500Principal();
if (!AllowedSubjects.instance().isInSubjects(subj)) {
String msg = "The certificate used in the signature has an invalid subject: " + subj.getName();
throw new InvalidSubjectException(msg);
}
}
}
// fail if there is no signature in the SignedData structure
if (signers.isEmpty()) {
throw new SignatureInvalid("No signatures present in the given SignedData element.");
}
} catch (CertificateException ex) {
throw new SignatureInvalid("Failed to read a certificate form the CMS data structure.", ex);
} catch (CertPathBuilderException ex) {
throw new SignatureInvalid("Failed to build certificate path for PKIX validation.", ex);
} catch (CMSVerifierCertificateNotValidException ex) {
throw new SignatureInvalid("Signer certificate was not valid when the signature was created.", ex);
} catch (CMSException ex) {
throw new SignatureInvalid("Failed to validate CMS data structure.", ex);
} catch (InvalidSubjectException ex) {
throw new SignatureInvalid("Certificate with invalid subject used in signature.", ex);
} catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException | OperatorCreationException ex) {
throw new SignatureInvalid("Invalid or unsupported algorithm or algorithm parameter used in signature.", ex);
} catch (IllegalArgumentException ex) {
throw new SignatureInvalid("Signature containes an invalid value.", ex);
}
}
Aggregations