use of org.bouncycastle.asn1.x509.Time in project fabric-sdk-java by hyperledger.
the class HFCAClientIT method testUserRevokeGenCRL.
// Tests revoking a user with genCRL using the revoke API
@Test
public void testUserRevokeGenCRL() throws Exception {
if (testConfig.isRunningAgainstFabric10()) {
// needs v1.1
return;
}
thrown.expect(EnrollmentException.class);
thrown.expectMessage("Failed to re-enroll user");
// gets a calendar using the default time zone and locale.
Calendar calendar = Calendar.getInstance();
calendar.add(Calendar.SECOND, -1);
// avoid any clock skewing.
Date revokedTinyBitAgoTime = calendar.getTime();
SampleUser user1 = getTestUser(TEST_USER1_ORG);
SampleUser user2 = getTestUser(TEST_USER1_ORG);
SampleUser[] users = new SampleUser[] { user1, user2 };
for (SampleUser user : users) {
if (!user.isRegistered()) {
RegistrationRequest rr = new RegistrationRequest(user.getName(), TEST_USER1_AFFILIATION);
String password = "testUserRevoke";
rr.setSecret(password);
rr.addAttribute(new Attribute("user.role", "department lead"));
rr.addAttribute(new Attribute(HFCAClient.HFCA_ATTRIBUTE_HFREVOKER, "true"));
// Admin can register other users.
user.setEnrollmentSecret(client.register(rr, admin));
if (!user.getEnrollmentSecret().equals(password)) {
fail("Secret returned from RegistrationRequest not match : " + user.getEnrollmentSecret());
}
}
sleepALittle();
if (!user.isEnrolled()) {
EnrollmentRequest req = new EnrollmentRequest(DEFAULT_PROFILE_NAME, "label 2", null);
req.addHost("example3.ibm.com");
user.setEnrollment(client.enroll(user.getName(), user.getEnrollmentSecret(), req));
// verify
String cert = user.getEnrollment().getCert();
verifyOptions(cert, req);
}
}
sleepALittle();
int startedWithRevokes = -1;
// one more after we do this revoke.
startedWithRevokes = getRevokes(null).length;
// revoke all enrollment of this user and request back a CRL
String crl = client.revoke(admin, user1.getName(), null, true);
assertNotNull("Failed to get CRL using the Revoke API", crl);
final int newRevokes = getRevokes(null).length;
assertEquals(format("Expected one more revocation %d, but got %d", startedWithRevokes + 1, newRevokes), startedWithRevokes + 1, newRevokes);
final int crlLength = parseCRL(crl).length;
assertEquals(format("The number of revokes %d does not equal the number of revoked certificates (%d) in crl", newRevokes, crlLength), newRevokes, crlLength);
// trying to reenroll the revoked user should fail with an EnrollmentException
client.reenroll(user1);
String crl2 = client.revoke(admin, user2.getName(), null, false);
assertEquals("CRL not requested, CRL should be empty", "", crl2);
}
use of org.bouncycastle.asn1.x509.Time in project fabric-sdk-java by hyperledger.
the class HFCAClientIT method testUserRevoke.
// Tests attempting to re-enroll a revoked user
@Test
public void testUserRevoke() throws Exception {
thrown.expect(EnrollmentException.class);
thrown.expectMessage("Failed to re-enroll user");
// gets a calendar using the default time zone and locale.
Calendar calendar = Calendar.getInstance();
// avoid any clock skewing.
Date revokedTinyBitAgoTime = calendar.getTime();
SampleUser user = getTestUser(TEST_USER1_ORG);
if (!user.isRegistered()) {
RegistrationRequest rr = new RegistrationRequest(user.getName(), TEST_USER1_AFFILIATION);
String password = "testUserRevoke";
rr.setSecret(password);
rr.addAttribute(new Attribute("user.role", "department lead"));
rr.addAttribute(new Attribute(HFCAClient.HFCA_ATTRIBUTE_HFREVOKER, "true"));
// Admin can register other users.
user.setEnrollmentSecret(client.register(rr, admin));
if (!user.getEnrollmentSecret().equals(password)) {
fail("Secret returned from RegistrationRequest not match : " + user.getEnrollmentSecret());
}
}
if (!user.isEnrolled()) {
EnrollmentRequest req = new EnrollmentRequest(DEFAULT_PROFILE_NAME, "label 2", null);
req.addHost("example3.ibm.com");
user.setEnrollment(client.enroll(user.getName(), user.getEnrollmentSecret(), req));
// verify
String cert = user.getEnrollment().getCert();
verifyOptions(cert, req);
}
int startedWithRevokes = -1;
if (!testConfig.isRunningAgainstFabric10()) {
// prevent clock skewing. make sure we request started with revokes.
Thread.sleep(1000);
// one more after we do this revoke.
startedWithRevokes = getRevokes(null).length;
// prevent clock skewing. make sure we request started with revokes.
Thread.sleep(1000);
}
// revoke all enrollment of this user
client.revoke(admin, user.getName(), "revoke user 3");
if (!testConfig.isRunningAgainstFabric10()) {
final int newRevokes = getRevokes(null).length;
assertEquals(format("Expected one more revocation %d, but got %d", startedWithRevokes + 1, newRevokes), startedWithRevokes + 1, newRevokes);
// see if we can get right number of revokes that we started with by specifying the time: revokedTinyBitAgoTime
// TODO: Investigate clock scew
// final int revokestinybitago = getRevokes(revokedTinyBitAgoTime).length; //Should be same number when test case was started.
// assertEquals(format("Expected same revocations %d, but got %d", startedWithRevokes, revokestinybitago), startedWithRevokes, revokestinybitago);
}
// trying to reenroll the revoked user should fail with an EnrollmentException
client.reenroll(user);
}
use of org.bouncycastle.asn1.x509.Time in project netty by netty.
the class OcspRequestBuilder method build.
/**
* ATTENTION: The returned {@link OCSPReq} is not re-usable/cacheable! It contains a one-time nonce
* and CA's will (should) reject subsequent requests that have the same nonce value.
*/
public OCSPReq build() throws OCSPException, IOException, CertificateEncodingException {
SecureRandom generator = checkNotNull(this.generator, "generator");
DigestCalculator calculator = checkNotNull(this.calculator, "calculator");
X509Certificate certificate = checkNotNull(this.certificate, "certificate");
X509Certificate issuer = checkNotNull(this.issuer, "issuer");
BigInteger serial = certificate.getSerialNumber();
CertificateID certId = new CertificateID(calculator, new X509CertificateHolder(issuer.getEncoded()), serial);
OCSPReqBuilder builder = new OCSPReqBuilder();
builder.addRequest(certId);
byte[] nonce = new byte[8];
generator.nextBytes(nonce);
Extension[] extensions = new Extension[] { new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce)) };
builder.setRequestExtensions(new Extensions(extensions));
return builder.build();
}
use of org.bouncycastle.asn1.x509.Time in project jruby-openssl by jruby.
the class ASN1 method decodeObject.
// ObjectId
static IRubyObject decodeObject(final ThreadContext context, final RubyModule ASN1, final org.bouncycastle.asn1.ASN1Encodable obj) throws IOException, IllegalArgumentException {
final Ruby runtime = context.runtime;
if (obj instanceof ASN1Integer) {
final BN val = BN.newBN(runtime, ((ASN1Integer) obj).getValue());
return ASN1.getClass("Integer").callMethod(context, "new", val);
}
if (obj instanceof DERInteger) {
final BN val = BN.newBN(runtime, ((DERInteger) obj).getValue());
return ASN1.getClass("Integer").callMethod(context, "new", val);
}
if (obj instanceof DERBitString) {
final DERBitString derObj = (DERBitString) obj;
RubyString str = runtime.newString(new ByteList(derObj.getBytes(), false));
IRubyObject bitString = ASN1.getClass("BitString").callMethod(context, "new", str);
bitString.callMethod(context, "unused_bits=", runtime.newFixnum(derObj.getPadBits()));
return bitString;
}
if (obj instanceof ASN1String) {
final Integer typeId = typeId(obj.getClass());
String type = typeId == null ? null : (String) (ASN1_INFO[typeId][2]);
final ByteList bytes;
if (obj instanceof DERUTF8String) {
if (type == null)
type = "UTF8String";
bytes = new ByteList(((DERUTF8String) obj).getString().getBytes("UTF-8"), false);
} else {
if (type == null) {
if (obj instanceof DERNumericString) {
type = "NumericString";
} else if (obj instanceof DERPrintableString) {
type = "PrintableString";
} else if (obj instanceof DERIA5String) {
type = "IA5String";
} else if (obj instanceof DERT61String) {
type = "T61String";
} else if (obj instanceof DERGeneralString) {
type = "GeneralString";
} else if (obj instanceof DERUniversalString) {
type = "UniversalString";
} else if (obj instanceof DERBMPString) {
type = "BMPString";
} else {
// NOTE "VideotexString", "GraphicString", "ISO64String" not-handled in BC !
throw new IllegalArgumentException("could not handle ASN1 string type: " + obj + " (" + obj.getClass().getName() + ")");
}
}
bytes = ByteList.create(((ASN1String) obj).getString());
}
return ASN1.getClass(type).callMethod(context, "new", runtime.newString(bytes));
}
if (obj instanceof ASN1OctetString) {
final ByteList octets = new ByteList(((ASN1OctetString) obj).getOctets(), false);
// final ByteList octets = new ByteList(((ASN1OctetString) obj).getEncoded(ASN1Encoding.DER), false);
return ASN1.getClass("OctetString").callMethod(context, "new", runtime.newString(octets));
}
if (obj instanceof ASN1Null) {
return ASN1.getClass("Null").callMethod(context, "new", runtime.getNil());
}
if (obj instanceof ASN1Boolean) {
final boolean val = ((ASN1Boolean) obj).isTrue();
return ASN1.getClass("Boolean").callMethod(context, "new", runtime.newBoolean(val));
}
// DERBoolean extends ASN1Boolean only since 1.51 (<= 1.50 the other way around)
if (obj instanceof DERBoolean) {
final boolean val = ((DERBoolean) obj).isTrue();
return ASN1.getClass("Boolean").callMethod(context, "new", runtime.newBoolean(val));
}
if (obj instanceof ASN1UTCTime) {
final Date adjustedTime;
try {
adjustedTime = ((ASN1UTCTime) obj).getAdjustedDate();
} catch (ParseException e) {
throw new IOException(e);
}
final RubyTime time = RubyTime.newTime(runtime, adjustedTime.getTime());
return ASN1.getClass("UTCTime").callMethod(context, "new", time);
}
// NOTE: keep for BC versions compatibility ... extends ASN1UTCTime (since BC 1.51)
if (obj instanceof DERUTCTime) {
final Date adjustedTime;
try {
adjustedTime = ((DERUTCTime) obj).getAdjustedDate();
} catch (ParseException e) {
throw new IOException(e);
}
final RubyTime time = RubyTime.newTime(runtime, adjustedTime.getTime());
return ASN1.getClass("UTCTime").callMethod(context, "new", time);
}
if (obj instanceof ASN1GeneralizedTime) {
final Date generalTime;
try {
generalTime = ((ASN1GeneralizedTime) obj).getDate();
} catch (ParseException e) {
throw new IOException(e);
}
final RubyTime time = RubyTime.newTime(runtime, generalTime.getTime());
return ASN1.getClass("GeneralizedTime").callMethod(context, "new", time);
}
// NOTE: keep for BC versions compatibility ... extends ASN1GeneralizedTime (since BC 1.51)
if (obj instanceof DERGeneralizedTime) {
final Date generalTime;
try {
generalTime = ((DERGeneralizedTime) obj).getDate();
} catch (ParseException e) {
throw new IOException(e);
}
final RubyTime time = RubyTime.newTime(runtime, generalTime.getTime());
return ASN1.getClass("GeneralizedTime").callMethod(context, "new", time);
}
if (obj instanceof ASN1ObjectIdentifier) {
final String objId = ((ASN1ObjectIdentifier) obj).getId();
return ASN1.getClass("ObjectId").callMethod(context, "new", runtime.newString(objId));
}
// DERObjectIdentifier extends ASN1ObjectIdentifier = 1.51
if (obj instanceof DERObjectIdentifier) {
final String objId = ((DERObjectIdentifier) obj).getId();
return ASN1.getClass("ObjectId").callMethod(context, "new", runtime.newString(objId));
}
if (obj instanceof ASN1TaggedObject) {
final ASN1TaggedObject taggedObj = (ASN1TaggedObject) obj;
IRubyObject val = decodeObject(context, ASN1, taggedObj.getObject());
IRubyObject tag = runtime.newFixnum(taggedObj.getTagNo());
IRubyObject tag_class = runtime.newSymbol("CONTEXT_SPECIFIC");
final RubyArray valArr = runtime.newArray(val);
return ASN1.getClass("ASN1Data").callMethod(context, "new", new IRubyObject[] { valArr, tag, tag_class });
}
if (obj instanceof DERApplicationSpecific) {
final DERApplicationSpecific appSpecific = (DERApplicationSpecific) obj;
IRubyObject tag = runtime.newFixnum(appSpecific.getApplicationTag());
IRubyObject tag_class = runtime.newSymbol("APPLICATION");
final ASN1Sequence sequence = (ASN1Sequence) appSpecific.getObject(SEQUENCE);
@SuppressWarnings("unchecked") final RubyArray valArr = decodeObjects(context, ASN1, sequence.getObjects());
return ASN1.getClass("ASN1Data").callMethod(context, "new", new IRubyObject[] { valArr, tag, tag_class });
}
if (obj instanceof ASN1Sequence) {
@SuppressWarnings("unchecked") RubyArray arr = decodeObjects(context, ASN1, ((ASN1Sequence) obj).getObjects());
return ASN1.getClass("Sequence").callMethod(context, "new", arr);
}
if (obj instanceof ASN1Set) {
@SuppressWarnings("unchecked") RubyArray arr = decodeObjects(context, ASN1, ((ASN1Set) obj).getObjects());
return ASN1.getClass("Set").callMethod(context, "new", arr);
}
if (obj instanceof ASN1Enumerated) {
final RubyInteger value = RubyBignum.bignorm(runtime, ((ASN1Enumerated) obj).getValue());
return ASN1.getClass("Enumerated").callMethod(context, "new", value);
}
throw new IllegalArgumentException("unable to decode object: " + obj + " (" + (obj == null ? "" : obj.getClass().getName()) + ")");
}
use of org.bouncycastle.asn1.x509.Time in project jruby-openssl by jruby.
the class PKCS7 method dataFinal.
/**
* c: PKCS7_dataFinal
*/
public int dataFinal(BIO bio) throws PKCS7Exception {
Collection<SignerInfoWithPkey> siSk = null;
BIO btmp;
byte[] buf;
MessageDigest mdc = null;
MessageDigest ctx_tmp = null;
ASN1Set sk;
int i = this.data.getType();
switch(i) {
case ASN1Registry.NID_pkcs7_signedAndEnveloped:
siSk = getSignedAndEnveloped().getSignerInfo();
break;
case ASN1Registry.NID_pkcs7_signed:
siSk = getSign().getSignerInfo();
break;
case ASN1Registry.NID_pkcs7_digest:
break;
default:
break;
}
if (siSk != null) {
for (SignerInfoWithPkey si : siSk) {
if (si.getPkey() == null) {
continue;
}
int j = ASN1Registry.oid2nid(si.getDigestAlgorithm().getAlgorithm());
btmp = bio;
MessageDigest[] _mdc = new MessageDigest[] { mdc };
btmp = findDigest(_mdc, btmp, j);
mdc = _mdc[0];
if (btmp == null) {
return 0;
}
try {
ctx_tmp = (MessageDigest) mdc.clone();
} catch (CloneNotSupportedException e) {
throw new RuntimeException(e);
}
sk = si.getAuthenticatedAttributes();
Signature sign = null;
try {
if (sk != null && sk.size() > 0) {
/* Add signing time if not already present */
if (null == si.getSignedAttribute(ASN1Registry.NID_pkcs9_signingTime)) {
DERUTCTime signTime = new DERUTCTime(Calendar.getInstance(TimeZone.getTimeZone("UTC")).getTime());
si.addSignedAttribute(ASN1Registry.NID_pkcs9_signingTime, signTime);
}
byte[] md_data = ctx_tmp.digest();
ASN1OctetString digest = new DEROctetString(md_data);
si.addSignedAttribute(ASN1Registry.NID_pkcs9_messageDigest, digest);
sk = si.getAuthenticatedAttributes();
sign = SecurityHelper.getSignature(EVP.signatureAlgorithm(ctx_tmp, si.getPkey()));
sign.initSign(si.getPkey());
byte[] abuf = sk.getEncoded();
sign.update(abuf);
}
if (sign != null) {
byte[] out = sign.sign();
si.setEncryptedDigest(new DEROctetString(out));
}
} catch (Exception e) {
throw new PKCS7Exception(F_PKCS7_DATAFINAL, -1, e);
}
}
} else if (i == ASN1Registry.NID_pkcs7_digest) {
int nid = ASN1Registry.oid2nid(getDigest().getMd().getAlgorithm());
MessageDigest[] _mdc = new MessageDigest[] { mdc };
bio = findDigest(_mdc, bio, nid);
mdc = _mdc[0];
byte[] md_data = mdc.digest();
ASN1OctetString digest = new DEROctetString(md_data);
getDigest().setDigest(digest);
}
if (!isDetached()) {
btmp = bio.findType(BIO.TYPE_MEM);
if (null == btmp) {
throw new PKCS7Exception(F_PKCS7_DATAFINAL, R_UNABLE_TO_FIND_MEM_BIO);
}
buf = ((MemBIO) btmp).getMemCopy();
switch(i) {
case ASN1Registry.NID_pkcs7_signedAndEnveloped:
getSignedAndEnveloped().getEncData().setEncData(new DEROctetString(buf));
break;
case ASN1Registry.NID_pkcs7_enveloped:
getEnveloped().getEncData().setEncData(new DEROctetString(buf));
break;
case ASN1Registry.NID_pkcs7_signed:
if (getSign().getContents().isData() && getDetached() != 0) {
getSign().getContents().setData(null);
} else {
getSign().getContents().setData(new DEROctetString(buf));
}
break;
case ASN1Registry.NID_pkcs7_digest:
if (getDigest().getContents().isData() && getDetached() != 0) {
getDigest().getContents().setData(null);
} else {
getDigest().getContents().setData(new DEROctetString(buf));
}
break;
}
}
return 1;
}
Aggregations