Examples with Time org.bouncycastle.asn1.x509.Time used on opensource projects

Search in sources :

Example 31 with Time

use of org.bouncycastle.asn1.x509.Time in project signer by demoiselle.

the class TimeStampOperator method validate.

/**
 * Validate a time stamp
 *
 * @param content if it is assigned, the parameter hash must to be null
 * @param timeStamp timestamp to be validated
 * @param hash if it is assigned, the parameter content must to be null
 * @throws CertificateCoreException validate exception
 */
@SuppressWarnings("unchecked")
public void validate(byte[] content, byte[] timeStamp, byte[] hash) throws CertificateCoreException {
    try {
        TimeStampToken timeStampToken = new TimeStampToken(new CMSSignedData(timeStamp));
        CMSSignedData s = timeStampToken.toCMSSignedData();
        int verified = 0;
        Store<?> certStore = s.getCertificates();
        SignerInformationStore signers = s.getSignerInfos();
        Collection<SignerInformation> c = signers.getSigners();
        Iterator<SignerInformation> it = c.iterator();
        while (it.hasNext()) {
            SignerInformation signer = it.next();
            Collection<?> certCollection = certStore.getMatches(signer.getSID());
            Iterator<?> certIt = certCollection.iterator();
            X509CertificateHolder cert = (X509CertificateHolder) certIt.next();
            if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) {
                verified++;
            }
            cert.getExtension(new ASN1ObjectIdentifier("2.5.29.31")).getExtnValue();
        }
        logger.info(timeStampMessagesBundle.getString("info.signature.verified", verified));
        // Valida o hash  incluso no carimbo de tempo com hash do arquivo carimbado
        byte[] calculatedHash = null;
        if (content != null) {
            Digest digest = DigestFactory.getInstance().factoryDefault();
            digest.setAlgorithm(DigestAlgorithmEnum.SHA_256);
            calculatedHash = digest.digest(content);
        } else {
            calculatedHash = hash;
        }
        if (Arrays.equals(calculatedHash, timeStampToken.getTimeStampInfo().getMessageImprintDigest())) {
            logger.info(timeStampMessagesBundle.getString("info.timestamp.hash.ok"));
        } else {
            throw new CertificateCoreException(timeStampMessagesBundle.getString("info.timestamp.hash.nok"));
        }
    } catch (TSPException | IOException | CMSException | OperatorCreationException | CertificateException ex) {
        throw new CertificateCoreException(ex.getMessage());
    }
}
Also used : Digest(org.demoiselle.signer.cryptography.Digest) SignerInformation(org.bouncycastle.cms.SignerInformation) JcaSimpleSignerInfoVerifierBuilder(org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder) CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) CMSSignedData(org.bouncycastle.cms.CMSSignedData) CertificateCoreException(org.demoiselle.signer.core.exception.CertificateCoreException) SignerInformationStore(org.bouncycastle.cms.SignerInformationStore) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) TSPException(org.bouncycastle.tsp.TSPException) TimeStampToken(org.bouncycastle.tsp.TimeStampToken) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) CMSException(org.bouncycastle.cms.CMSException)

Example 32 with Time

use of org.bouncycastle.asn1.x509.Time in project oxAuth by GluuFederation.

the class CRLCertificateVerifier method validate.

@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
    X509Certificate issuer = issuers.get(0);
    ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.CRL, CertificateValidity.UNKNOWN);
    try {
        Principal subjectX500Principal = certificate.getSubjectX500Principal();
        String crlURL = getCrlUri(certificate);
        if (crlURL == null) {
            log.error("CRL's URL for '" + subjectX500Principal + "' is empty");
            return status;
        }
        log.debug("CRL's URL for '" + subjectX500Principal + "' is '" + crlURL + "'");
        X509CRL x509crl = getCrl(crlURL);
        if (!validateCRL(x509crl, certificate, issuer, validationDate)) {
            log.error("The CRL is not valid!");
            status.setValidity(CertificateValidity.INVALID);
            return status;
        }
        X509CRLEntry crlEntry = x509crl.getRevokedCertificate(certificate.getSerialNumber());
        if (crlEntry == null) {
            log.debug("CRL status is valid for '" + subjectX500Principal + "'");
            status.setValidity(CertificateValidity.VALID);
        } else if (crlEntry.getRevocationDate().after(validationDate)) {
            log.warn("CRL revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
            status.setRevocationObjectIssuingTime(x509crl.getThisUpdate());
            status.setValidity(CertificateValidity.VALID);
        } else {
            log.info("CRL for certificate '" + subjectX500Principal + "' is revoked since " + crlEntry.getRevocationDate());
            status.setRevocationObjectIssuingTime(x509crl.getThisUpdate());
            status.setRevocationDate(crlEntry.getRevocationDate());
            status.setValidity(CertificateValidity.REVOKED);
        }
    } catch (Exception ex) {
        log.error("CRL exception: ", ex);
    }
    return status;
}
Also used : ValidationStatus(org.gluu.oxauth.cert.validation.model.ValidationStatus) X509CRLEntry(java.security.cert.X509CRLEntry) X509CRL(java.security.cert.X509CRL) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) X509Certificate(java.security.cert.X509Certificate) Principal(java.security.Principal) NoSuchParserException(org.bouncycastle.x509.NoSuchParserException) StreamParsingException(org.bouncycastle.x509.util.StreamParsingException) MalformedURLException(java.net.MalformedURLException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) ExecutionException(java.util.concurrent.ExecutionException) CRLException(java.security.cert.CRLException) NoSuchProviderException(java.security.NoSuchProviderException)

Example 33 with Time

use of org.bouncycastle.asn1.x509.Time in project oxAuth by GluuFederation.

the class OCSPCertificateVerifier method validate.

@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
    X509Certificate issuer = issuers.get(0);
    ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.OCSP, CertificateValidity.UNKNOWN);
    try {
        Principal subjectX500Principal = certificate.getSubjectX500Principal();
        String ocspUrl = getOCSPUrl(certificate);
        if (ocspUrl == null) {
            log.error("OCSP URL for '" + subjectX500Principal + "' is empty");
            return status;
        }
        log.debug("OCSP URL for '" + subjectX500Principal + "' is '" + ocspUrl + "'");
        DigestCalculator digestCalculator = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
        CertificateID certificateId = new CertificateID(digestCalculator, new JcaX509CertificateHolder(certificate), certificate.getSerialNumber());
        // Generate OCSP request
        OCSPReq ocspReq = generateOCSPRequest(certificateId);
        // Get OCSP response from server
        OCSPResp ocspResp = requestOCSPResponse(ocspUrl, ocspReq);
        if (ocspResp.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
            log.error("OCSP response is invalid!");
            status.setValidity(CertificateValidity.INVALID);
            return status;
        }
        boolean foundResponse = false;
        BasicOCSPResp basicOCSPResp = (BasicOCSPResp) ocspResp.getResponseObject();
        SingleResp[] singleResps = basicOCSPResp.getResponses();
        for (SingleResp singleResp : singleResps) {
            CertificateID responseCertificateId = singleResp.getCertID();
            if (!certificateId.equals(responseCertificateId)) {
                continue;
            }
            foundResponse = true;
            log.debug("OCSP validationDate: " + validationDate);
            log.debug("OCSP thisUpdate: " + singleResp.getThisUpdate());
            log.debug("OCSP nextUpdate: " + singleResp.getNextUpdate());
            status.setRevocationObjectIssuingTime(basicOCSPResp.getProducedAt());
            Object certStatus = singleResp.getCertStatus();
            if (certStatus == CertificateStatus.GOOD) {
                log.debug("OCSP status is valid for '" + certificate.getSubjectX500Principal() + "'");
                status.setValidity(CertificateValidity.VALID);
            } else {
                if (singleResp.getCertStatus() instanceof RevokedStatus) {
                    log.warn("OCSP status is revoked for: " + subjectX500Principal);
                    if (validationDate.before(((RevokedStatus) singleResp.getCertStatus()).getRevocationTime())) {
                        log.warn("OCSP revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
                        status.setValidity(CertificateValidity.VALID);
                    } else {
                        Date revocationDate = ((RevokedStatus) singleResp.getCertStatus()).getRevocationTime();
                        log.info("OCSP for certificate '" + subjectX500Principal + "' is revoked since " + revocationDate);
                        status.setRevocationDate(revocationDate);
                        status.setRevocationObjectIssuingTime(singleResp.getThisUpdate());
                        status.setValidity(CertificateValidity.REVOKED);
                    }
                }
            }
        }
        if (!foundResponse) {
            log.error("There is no matching OCSP response entries");
        }
    } catch (Exception ex) {
        log.error("OCSP exception: ", ex);
    }
    return status;
}
Also used : CertificateID(org.bouncycastle.cert.ocsp.CertificateID) DigestCalculator(org.bouncycastle.operator.DigestCalculator) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) MalformedURLException(java.net.MalformedURLException) IOException(java.io.IOException) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) CertificateEncodingException(java.security.cert.CertificateEncodingException) OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) ValidationStatus(org.gluu.oxauth.cert.validation.model.ValidationStatus) RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus) OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject) JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder) SingleResp(org.bouncycastle.cert.ocsp.SingleResp) Principal(java.security.Principal)

Example 34 with Time

use of org.bouncycastle.asn1.x509.Time in project azure-iot-sdk-java by Azure.

the class X509CertificateGenerator method createX509CertificateFromKeyPair.

/**
 * Create a new self signed x509 certificate with the specified common name
 */
private static X509Certificate createX509CertificateFromKeyPair(KeyPair keyPair, String commonName) throws OperatorCreationException, CertificateException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
    StringBuilder issuerStringBuilder = new StringBuilder(ISSUER_STRING);
    if (commonName != null && !commonName.isEmpty()) {
        issuerStringBuilder.append(", CN=").append(commonName);
    }
    X500Name issuer = new X500Name(issuerStringBuilder.toString());
    BigInteger serial = BigInteger.ONE;
    // valid from 24 hours earlier as well, to avoid clock skew issues with start time
    Date notBefore = new Date(System.currentTimeMillis() - TimeUnit.HOURS.toMillis(24));
    // 2 hour lifetime
    Date notAfter = new Date(System.currentTimeMillis() + TimeUnit.HOURS.toMillis(2));
    X500Name subject = new X500Name(issuerStringBuilder.toString());
    PublicKey publicKey = keyPair.getPublic();
    JcaX509v3CertificateBuilder v3Bldr = new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, publicKey);
    X509CertificateHolder certHldr = v3Bldr.build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(keyPair.getPrivate()));
    X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certHldr);
    cert.checkValidity(new Date());
    cert.verify(keyPair.getPublic());
    return cert;
}
Also used : JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) X500Name(org.bouncycastle.asn1.x500.X500Name) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate)

Example 35 with Time

use of org.bouncycastle.asn1.x509.Time in project ddf by codice.

the class CertificateSigningRequestTest method testNewCertificateBuilderWithoutSan.

@Test
public void testNewCertificateBuilderWithoutSan() throws Exception {
    final DateTime start = DateTime.now().minusDays(1);
    final DateTime end = start.plusYears(100);
    final KeyPair kp = makeKeyPair();
    csr.setSerialNumber(1);
    csr.setNotBefore(start);
    csr.setNotAfter(end);
    csr.setCommonName("A");
    csr.setSubjectKeyPair(kp);
    final X509Certificate issuerCert = mock(X509Certificate.class);
    doReturn(new X500Principal("CN=Duke, OU=JavaSoft, O=Sun Microsystems, C=US")).when(issuerCert).getSubjectX500Principal();
    final JcaX509v3CertificateBuilder builder = csr.newCertificateBuilder(issuerCert);
    final X509CertificateHolder holder = builder.build(new DemoCertificateAuthority().getContentSigner());
    assertThat(holder.getSerialNumber(), equalTo(BigInteger.ONE));
    assertThat(holder.getNotBefore(), equalTo(new Time(start.toDate()).getDate()));
    assertThat(holder.getNotAfter(), equalTo(new Time(end.toDate()).getDate()));
    assertThat(holder.getSubject().toString(), equalTo("cn=A"));
    assertThat("Unable to validate public key", holder.getSubjectPublicKeyInfo(), equalTo(SubjectPublicKeyInfo.getInstance(kp.getPublic().getEncoded())));
    assertThat("There should be no subject alternative name extension", holder.getExtension(org.bouncycastle.asn1.x509.Extension.subjectAlternativeName), nullValue(org.bouncycastle.asn1.x509.Extension.class));
}
Also used : KeyPair(java.security.KeyPair) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) X500Principal(javax.security.auth.x500.X500Principal) Time(org.bouncycastle.asn1.x509.Time) DateTime(org.joda.time.DateTime) DateTime(org.joda.time.DateTime) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.Test)

Aggregations

Date (java.util.Date)26 IOException (java.io.IOException)20 X509Certificate (java.security.cert.X509Certificate)20 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)19 BigInteger (java.math.BigInteger)18 DEROctetString (org.bouncycastle.asn1.DEROctetString)16 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)14 DERIA5String (org.bouncycastle.asn1.DERIA5String)12 X500Name (org.bouncycastle.asn1.x500.X500Name)11 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)11 Calendar (java.util.Calendar)9 ASN1GeneralizedTime (org.bouncycastle.asn1.ASN1GeneralizedTime)8 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)8 Time (org.bouncycastle.asn1.x509.Time)8 ArrayList (java.util.ArrayList)7 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)7 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)7 ASN1TaggedObject (org.bouncycastle.asn1.ASN1TaggedObject)6 Extension (org.bouncycastle.asn1.x509.Extension)6 ASN1EncodableVector (com.android.org.bouncycastle.asn1.ASN1EncodableVector)5
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial