Search in sources :

Example 41 with AlgorithmIdentifier

use of org.bouncycastle.asn1.x509.AlgorithmIdentifier in project keystore-explorer by kaikramer.

the class OpenSslPvkUtil method load.

/**
 * Load an unencrypted OpenSSL private key from the stream. The encoding of
 * the private key may be PEM or DER.
 *
 * @param is
 *            Stream to load the unencrypted private key from
 * @return The private key
 * @throws PrivateKeyEncryptedException
 *             If private key is encrypted
 * @throws CryptoException
 *             Problem encountered while loading the private key
 * @throws IOException
 *             An I/O error occurred
 */
public static PrivateKey load(InputStream is) throws CryptoException, IOException {
    byte[] streamContents = ReadUtil.readFully(is);
    EncryptionType encType = getEncryptionType(new ByteArrayInputStream(streamContents));
    if (encType == null) {
        throw new CryptoException(res.getString("NotValidOpenSsl.exception.message"));
    }
    if (encType == ENCRYPTED) {
        throw new PrivateKeyEncryptedException(res.getString("OpenSslIsEncrypted.exception.message"));
    }
    // Check if stream is PEM encoded
    PemInfo pemInfo = PemUtil.decode(new ByteArrayInputStream(streamContents));
    if (pemInfo != null) {
        // It is - get DER from PEM
        streamContents = pemInfo.getContent();
    }
    try {
        // Read OpenSSL DER structure
        ASN1InputStream asn1InputStream = new ASN1InputStream(streamContents);
        ASN1Primitive openSsl = asn1InputStream.readObject();
        asn1InputStream.close();
        if (openSsl instanceof ASN1Sequence) {
            ASN1Sequence seq = (ASN1Sequence) openSsl;
            if (seq.size() == 9) {
                // RSA private key
                BigInteger version = ((ASN1Integer) seq.getObjectAt(0)).getValue();
                BigInteger modulus = ((ASN1Integer) seq.getObjectAt(1)).getValue();
                BigInteger publicExponent = ((ASN1Integer) seq.getObjectAt(2)).getValue();
                BigInteger privateExponent = ((ASN1Integer) seq.getObjectAt(3)).getValue();
                BigInteger primeP = ((ASN1Integer) seq.getObjectAt(4)).getValue();
                BigInteger primeQ = ((ASN1Integer) seq.getObjectAt(5)).getValue();
                BigInteger primeExponentP = ((ASN1Integer) seq.getObjectAt(6)).getValue();
                BigInteger primeExponenetQ = ((ASN1Integer) seq.getObjectAt(7)).getValue();
                BigInteger crtCoefficient = ((ASN1Integer) seq.getObjectAt(8)).getValue();
                if (!version.equals(VERSION)) {
                    throw new CryptoException(MessageFormat.format(res.getString("OpenSslVersionIncorrect.exception.message"), "" + VERSION.intValue(), "" + version.intValue()));
                }
                RSAPrivateCrtKeySpec rsaPrivateCrtKeySpec = new RSAPrivateCrtKeySpec(modulus, publicExponent, privateExponent, primeP, primeQ, primeExponentP, primeExponenetQ, crtCoefficient);
                KeyFactory keyFactory = KeyFactory.getInstance("RSA");
                return keyFactory.generatePrivate(rsaPrivateCrtKeySpec);
            } else if (seq.size() == 6) {
                // DSA private key
                BigInteger version = ((ASN1Integer) seq.getObjectAt(0)).getValue();
                BigInteger primeModulusP = ((ASN1Integer) seq.getObjectAt(1)).getValue();
                BigInteger primeQ = ((ASN1Integer) seq.getObjectAt(2)).getValue();
                BigInteger generatorG = ((ASN1Integer) seq.getObjectAt(3)).getValue();
                // publicExponentY not req for pvk: sequence.getObjectAt(4);
                BigInteger secretExponentX = ((ASN1Integer) seq.getObjectAt(5)).getValue();
                if (!version.equals(VERSION)) {
                    throw new CryptoException(MessageFormat.format(res.getString("OpenSslVersionIncorrect.exception.message"), "" + VERSION.intValue(), "" + version.intValue()));
                }
                DSAPrivateKeySpec dsaPrivateKeySpec = new DSAPrivateKeySpec(secretExponentX, primeModulusP, primeQ, generatorG);
                KeyFactory keyFactory = KeyFactory.getInstance("DSA");
                return keyFactory.generatePrivate(dsaPrivateKeySpec);
            } else if (seq.size() >= 2) {
                // EC private key (RFC 5915)
                org.bouncycastle.asn1.sec.ECPrivateKey pKey = org.bouncycastle.asn1.sec.ECPrivateKey.getInstance(seq);
                AlgorithmIdentifier algId = new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, pKey.getParameters());
                PrivateKeyInfo privInfo = new PrivateKeyInfo(algId, pKey);
                return new JcaPEMKeyConverter().getPrivateKey(privInfo);
            } else {
                throw new CryptoException(MessageFormat.format(res.getString("OpenSslSequenceIncorrectSize.exception.message"), "" + seq.size()));
            }
        } else {
            throw new CryptoException(res.getString("OpenSslSequenceNotFound.exception.message"));
        }
    } catch (Exception ex) {
        throw new CryptoException(res.getString("NoLoadOpenSslPrivateKey.exception.message"), ex);
    }
}
Also used : RSAPrivateCrtKeySpec(java.security.spec.RSAPrivateCrtKeySpec) ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) PemInfo(org.kse.utilities.pem.PemInfo) JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) CryptoException(org.kse.crypto.CryptoException) GeneralSecurityException(java.security.GeneralSecurityException) IOException(java.io.IOException) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) DSAPrivateKeySpec(java.security.spec.DSAPrivateKeySpec) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ByteArrayInputStream(java.io.ByteArrayInputStream) BigInteger(java.math.BigInteger) CryptoException(org.kse.crypto.CryptoException) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive) KeyFactory(java.security.KeyFactory) PrivateKeyInfo(org.bouncycastle.asn1.pkcs.PrivateKeyInfo)

Example 42 with AlgorithmIdentifier

use of org.bouncycastle.asn1.x509.AlgorithmIdentifier in project keystore-explorer by kaikramer.

the class Pkcs8Util method getEncryptionType.

/**
 * Detect if a PKCS #8 private key is encrypted or not.
 *
 * @param is
 *            Input stream containing PKCS #8 private key
 * @return Encryption type or null if not a valid PKCS #8 private key
 * @throws IOException
 *             If an I/O problem occurred
 */
public static EncryptionType getEncryptionType(InputStream is) throws IOException {
    byte[] pkcs8 = ReadUtil.readFully(is);
    PemInfo pemInfo = PemUtil.decode(new ByteArrayInputStream(pkcs8));
    // PEM encoded?
    if (pemInfo != null) {
        String pemType = pemInfo.getType();
        // Encrypted in pem format?
        if (pemType.equals(Pkcs8Util.PKCS8_ENC_PVK_PEM_TYPE)) {
            return ENCRYPTED;
        } else // Unencrypted in pem format?
        if (pemType.equals(Pkcs8Util.PKCS8_UNENC_PVK_PEM_TYPE)) {
            return UNENCRYPTED;
        }
    }
    // In ASN.1 format?
    try {
        // Read in an ASN.1 and check structure against the following
        ASN1Primitive key = ASN1Primitive.fromByteArray(pkcs8);
        if (key instanceof ASN1Sequence) {
            ASN1Sequence sequence = (ASN1Sequence) key;
            // May be unencrypted
            if ((sequence.size() == 3) || (sequence.size() == 4)) {
                // @formatter:off
                /*
					 * Unencrypted PKCS #8 Private Key:
					 *
					 * PrivateKeyInfo ::= ASN1Sequence { version Version,
					 * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
					 * privateKey PrivateKey, attributes [0] IMPLICIT Attributes
					 * OPTIONAL }
					 *
					 * Version ::= ASN1Integer PrivateKeyAlgorithmIdentifier ::=
					 * AlgorithmIdentifier PrivateKey ::= OCTET STRING
					 * Attributes ::= SET OF Attribute
					 */
                // @formatter:on
                Object obj1 = sequence.getObjectAt(0);
                Object obj2 = sequence.getObjectAt(1);
                Object obj3 = sequence.getObjectAt(2);
                if (!(obj1 instanceof ASN1Integer)) {
                    return null;
                }
                ASN1Integer version = (ASN1Integer) obj1;
                if (!version.getValue().equals(BigInteger.ZERO)) {
                    return null;
                }
                if (!(obj2 instanceof ASN1Sequence)) {
                    return null;
                }
                if (!sequenceIsAlgorithmIdentifier((ASN1Sequence) obj2)) {
                    return null;
                }
                if (!(obj3 instanceof ASN1OctetString)) {
                    return null;
                }
                return UNENCRYPTED;
            } else // May be encrypted
            if (sequence.size() == 2) {
                // @formatter:off
                /*
					 * Encrypted PKCS #8 Private Key:
					 *
					 * EncryptedPrivateKeyInfo ::= ASN1Sequence {
					 * encryptionAlgorithm EncryptionAlgorithmIdentifier,
					 * encryptedData EncryptedData }
					 *
					 * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
					 * EncryptedData ::= OCTET STRING
					 */
                // @formatter:on
                Object obj1 = sequence.getObjectAt(0);
                Object obj2 = sequence.getObjectAt(1);
                if (!(obj1 instanceof ASN1Sequence)) {
                    return null;
                }
                if (!sequenceIsAlgorithmIdentifier((ASN1Sequence) obj1)) {
                    return null;
                }
                if (!(obj2 instanceof ASN1OctetString)) {
                    return null;
                }
                return ENCRYPTED;
            }
        }
    } catch (Exception ex) {
        // Structure not as expected for PKCS #8
        return null;
    }
    return null;
}
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ByteArrayInputStream(java.io.ByteArrayInputStream) PemInfo(org.kse.utilities.pem.PemInfo) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) CryptoException(org.kse.crypto.CryptoException) GeneralSecurityException(java.security.GeneralSecurityException) IOException(java.io.IOException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)

Example 43 with AlgorithmIdentifier

use of org.bouncycastle.asn1.x509.AlgorithmIdentifier in project xipki by xipki.

the class P12KeyGenerator method genECKeypair.

// CHECKSTYLE:SKIP
private KeyPairWithSubjectPublicKeyInfo genECKeypair(String curveNameOrOid, SecureRandom random) throws Exception {
    ASN1ObjectIdentifier curveOid = AlgorithmUtil.getCurveOidForCurveNameOrOid(curveNameOrOid);
    if (curveOid == null) {
        throw new IllegalArgumentException("invalid curveNameOrOid '" + curveNameOrOid + "'");
    }
    KeyPair kp = KeyUtil.generateECKeypair(curveOid, random);
    AlgorithmIdentifier algId = new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, curveOid);
    BCECPublicKey pub = (BCECPublicKey) kp.getPublic();
    byte[] keyData = pub.getQ().getEncoded(false);
    SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(algId, keyData);
    return new KeyPairWithSubjectPublicKeyInfo(kp, subjectPublicKeyInfo);
}
Also used : KeyPair(java.security.KeyPair) BCECPublicKey(org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)

Example 44 with AlgorithmIdentifier

use of org.bouncycastle.asn1.x509.AlgorithmIdentifier in project xipki by xipki.

the class P12KeyGenerator method getContentSigner.

// method generateIdentity
private static ContentSigner getContentSigner(PrivateKey key) throws Exception {
    BcContentSignerBuilder builder;
    if (key instanceof RSAPrivateKey) {
        ASN1ObjectIdentifier hashOid = X509ObjectIdentifiers.id_SHA1;
        ASN1ObjectIdentifier sigOid = PKCSObjectIdentifiers.sha1WithRSAEncryption;
        builder = new BcRSAContentSignerBuilder(buildAlgId(sigOid), buildAlgId(hashOid));
    } else if (key instanceof DSAPrivateKey) {
        ASN1ObjectIdentifier hashOid = X509ObjectIdentifiers.id_SHA1;
        AlgorithmIdentifier sigId = new AlgorithmIdentifier(X9ObjectIdentifiers.id_dsa_with_sha1);
        builder = new BcDSAContentSignerBuilder(sigId, buildAlgId(hashOid));
    } else if (key instanceof ECPrivateKey) {
        HashAlgo hashAlgo;
        ASN1ObjectIdentifier sigOid;
        int keysize = ((ECPrivateKey) key).getParams().getOrder().bitLength();
        if (keysize > 384) {
            hashAlgo = HashAlgo.SHA512;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA512;
        } else if (keysize > 256) {
            hashAlgo = HashAlgo.SHA384;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA384;
        } else if (keysize > 224) {
            hashAlgo = HashAlgo.SHA224;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA224;
        } else if (keysize > 160) {
            hashAlgo = HashAlgo.SHA256;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA256;
        } else {
            hashAlgo = HashAlgo.SHA1;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA1;
        }
        builder = new BcECContentSignerBuilder(new AlgorithmIdentifier(sigOid), buildAlgId(hashAlgo.getOid()));
    } else {
        throw new IllegalArgumentException("unknown type of key " + key.getClass().getName());
    }
    return builder.build(KeyUtil.generatePrivateKeyParameter(key));
}
Also used : BcRSAContentSignerBuilder(org.bouncycastle.operator.bc.BcRSAContentSignerBuilder) ECPrivateKey(java.security.interfaces.ECPrivateKey) HashAlgo(org.xipki.security.HashAlgo) DSAPrivateKey(java.security.interfaces.DSAPrivateKey) BcDSAContentSignerBuilder(org.bouncycastle.operator.bc.BcDSAContentSignerBuilder) BcECContentSignerBuilder(org.bouncycastle.operator.bc.BcECContentSignerBuilder) BcContentSignerBuilder(org.bouncycastle.operator.bc.BcContentSignerBuilder) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)

Example 45 with AlgorithmIdentifier

use of org.bouncycastle.asn1.x509.AlgorithmIdentifier in project xipki by xipki.

the class AlgorithmUtil method getDSASigAlgId.

// method getRSASigAlgId
// CHECKSTYLE:SKIP
private static AlgorithmIdentifier getDSASigAlgId(HashAlgo hashAlgo) throws NoSuchAlgorithmException {
    ParamUtil.requireNonNull("hashAlgo", hashAlgo);
    ASN1ObjectIdentifier sigAlgOid = digestToDSASigAlgMap.get(hashAlgo);
    if (sigAlgOid == null) {
        throw new NoSuchAlgorithmException("unsupported hash " + hashAlgo + " for DSA key");
    }
    return new AlgorithmIdentifier(sigAlgOid);
}
Also used : NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)

Aggregations

AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)117 IOException (java.io.IOException)54 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)50 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)41 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)40 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)36 DERSequence (org.bouncycastle.asn1.DERSequence)34 BigInteger (java.math.BigInteger)30 X500Name (org.bouncycastle.asn1.x500.X500Name)30 X509Certificate (java.security.cert.X509Certificate)29 DEROctetString (org.bouncycastle.asn1.DEROctetString)29 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)26 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)21 Date (java.util.Date)20 KeyPair (java.security.KeyPair)19 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)19 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)19 ContentSigner (org.bouncycastle.operator.ContentSigner)17 KeyPairGenerator (java.security.KeyPairGenerator)15 CertificateEncodingException (java.security.cert.CertificateEncodingException)15