Example 6 with org.bouncycastle.asn1.x509
use of org.bouncycastle.asn1.x509 in project snowblossom by snowblossomcoin.
the class CertGen method generateSelfSignedCert.
/**
* @param key_pair Key pair to use to sign the cert inner signed message, the node key
* @param tls_wkp The temporary key to use just for this cert and TLS sessions
* @param spec Address for 'key_pair'
*/
public static X509Certificate generateSelfSignedCert(WalletKeyPair key_pair, WalletKeyPair tls_wkp, AddressSpec spec) throws Exception {
AddressSpecHash address_hash = AddressUtil.getHashForSpec(spec);
String address = AddressUtil.getAddressString(Globals.NODE_ADDRESS_STRING, address_hash);
byte[] encoded_pub = tls_wkp.getPublicKey().toByteArray();
SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(ASN1Sequence.getInstance(encoded_pub));
String dn = String.format("CN=%s, O=Snowblossom", address);
X500Name issuer = new X500Name(dn);
BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
Date notBefore = new Date(System.currentTimeMillis());
Date notAfter = new Date(System.currentTimeMillis() + 86400000L * 365L * 10L);
X500Name subject = issuer;
X509v3CertificateBuilder cert_builder = new X509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, subjectPublicKeyInfo);
// System.out.println(org.bouncycastle.asn1.x509.Extension.subjectAlternativeName);
ASN1ObjectIdentifier snow_claim_oid = new ASN1ObjectIdentifier("2.5.29.134");
// System.out.println(spec);
SignedMessagePayload payload = SignedMessagePayload.newBuilder().setTlsPublicKey(tls_wkp.getPublicKey()).build();
SignedMessage sm = MsgSigUtil.signMessage(spec, key_pair, payload);
byte[] sm_data = sm.toByteString().toByteArray();
cert_builder.addExtension(snow_claim_oid, true, sm_data);
String algorithm = "SHA256withRSA";
AsymmetricKeyParameter privateKeyAsymKeyParam = PrivateKeyFactory.createKey(tls_wkp.getPrivateKey().toByteArray());
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(algorithm);
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
// ContentSigner sigGen = new BcECContentSignerBuilder(sigAlgId, digAlgId).build(privateKeyAsymKeyParam);
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(privateKeyAsymKeyParam);
X509CertificateHolder certificateHolder = cert_builder.build(sigGen);
X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
return cert;
}
Also used :
SignedMessagePayload(snowblossom.proto.SignedMessagePayload)
SignedMessage(snowblossom.proto.SignedMessage)
ContentSigner(org.bouncycastle.operator.ContentSigner)
ByteString(com.google.protobuf.ByteString)
X500Name(org.bouncycastle.asn1.x500.X500Name)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
DefaultSignatureAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder)
BcRSAContentSignerBuilder(org.bouncycastle.operator.bc.BcRSAContentSignerBuilder)
AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
AddressSpecHash(snowblossom.lib.AddressSpecHash)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 7 with org.bouncycastle.asn1.x509
use of org.bouncycastle.asn1.x509 in project supply-chain-tools by secure-device-onboard.
the class OnDieSignatureValidator method checkRevocations.
private boolean checkRevocations(List<Certificate> certificateList) {
// Check revocations first.
try {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
for (Certificate cert : certificateList) {
X509Certificate x509cert = (X509Certificate) cert;
X509CertificateHolder certHolder = new X509CertificateHolder(x509cert.getEncoded());
CRLDistPoint cdp = CRLDistPoint.fromExtensions(certHolder.getExtensions());
if (cdp != null) {
DistributionPoint[] distPoints = cdp.getDistributionPoints();
for (DistributionPoint dp : distPoints) {
GeneralName[] generalNames = GeneralNames.getInstance(dp.getDistributionPoint().getName()).getNames();
for (GeneralName generalName : generalNames) {
byte[] crlBytes = onDieCache.getCertOrCrl(generalName.toString());
if (crlBytes == null) {
LoggerFactory.getLogger(getClass()).error("CRL ({}) not found in cache for cert: {}", generalName.getName().toString(), x509cert.getIssuerX500Principal().getName());
return false;
} else {
CRL crl = certificateFactory.generateCRL(new ByteArrayInputStream(crlBytes));
if (crl.isRevoked(cert)) {
return false;
}
}
}
}
}
}
} catch (IOException | CertificateException | CRLException ex) {
return false;
}
return true;
}
Also used :
CertificateException(java.security.cert.CertificateException)
IOException(java.io.IOException)
CertificateFactory(java.security.cert.CertificateFactory)
X509Certificate(java.security.cert.X509Certificate)
ByteArrayInputStream(java.io.ByteArrayInputStream)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
CRL(java.security.cert.CRL)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
CRLException(java.security.cert.CRLException)
X509Certificate(java.security.cert.X509Certificate)
Certificate(java.security.cert.Certificate)
Example 8 with org.bouncycastle.asn1.x509
use of org.bouncycastle.asn1.x509 in project ca3sCore by kuehne-trustable-de.
the class CaCmpConnector method readCertResponse.
/**
* @param responseBytes
* @param pkiMessageReq
* @param csr
* @param config
* @throws IOException
* @throws CRMFException
* @throws CMPException
* @throws GeneralSecurityException
*/
public de.trustable.ca3s.core.domain.Certificate readCertResponse(final byte[] responseBytes, final PKIMessage pkiMessageReq, final CSR csr, final CAConnectorConfig config) throws IOException, CRMFException, CMPException, GeneralSecurityException {
final ASN1Primitive derObject = cryptoUtil.getDERObject(responseBytes);
final PKIMessage pkiMessage = PKIMessage.getInstance(derObject);
if (pkiMessage == null) {
throw new GeneralSecurityException("No CMP message could be parsed from received Der object.");
}
printPKIMessageInfo(pkiMessage);
PKIHeader pkiHeaderReq = pkiMessageReq.getHeader();
PKIHeader pkiHeaderResp = pkiMessage.getHeader();
if (!pkiHeaderReq.getSenderNonce().equals(pkiHeaderResp.getRecipNonce())) {
ASN1OctetString asn1Oct = pkiHeaderResp.getRecipNonce();
if (asn1Oct == null) {
LOGGER.info("Recip nonce == null");
} else {
LOGGER.info("sender nonce " + java.util.Base64.getEncoder().encodeToString(pkiHeaderReq.getSenderNonce().getOctets()) + " != " + java.util.Base64.getEncoder().encodeToString(asn1Oct.getOctets()));
}
throw new GeneralSecurityException("Sender / Recip nonce mismatch");
}
if (!pkiHeaderReq.getTransactionID().equals(pkiHeaderResp.getTransactionID())) {
ASN1OctetString asn1Oct = pkiHeaderResp.getTransactionID();
if (asn1Oct == null) {
LOGGER.info("transaction id == null");
} else {
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("transaction id " + java.util.Base64.getEncoder().encodeToString(pkiHeaderReq.getTransactionID().getOctets()) + " != " + java.util.Base64.getEncoder().encodeToString(asn1Oct.getOctets()));
}
}
throw new GeneralSecurityException("Sender / Recip Transaction Id mismatch");
}
final PKIBody body = pkiMessage.getBody();
int tagno = body.getType();
if (tagno == PKIBody.TYPE_ERROR) {
handleCMPError(body);
} else if (tagno == PKIBody.TYPE_CERT_REP || tagno == PKIBody.TYPE_INIT_REP) {
// certificate successfully generated
CertRepMessage certRepMessage = CertRepMessage.getInstance(body.getContent());
try {
// CMPCertificate[] cmpCertArr = certRepMessage.getCaPubs();
CMPCertificate[] cmpCertArr = pkiMessage.getExtraCerts();
LOGGER.info("CMP Response body contains " + cmpCertArr.length + " extra certificates");
for (int i = 0; i < cmpCertArr.length; i++) {
CMPCertificate cmpCert = cmpCertArr[i];
LOGGER.info("Added CA '" + cmpCert.getX509v3PKCert().getSubject() + "' from CMP Response body");
de.trustable.ca3s.core.domain.Certificate certDao = certUtil.createCertificate(cmpCert.getEncoded(), null, null, true);
certificateRepository.save(certDao);
LOGGER.debug("Additional CA '" + certDao.getSubject() + "' from CMP Response body");
}
} catch (NullPointerException npe) {
// NOSONAR
// just ignore
}
CertResponse[] respArr = certRepMessage.getResponse();
if (respArr == null || (respArr.length == 0)) {
throw new GeneralSecurityException("No CMP response found.");
}
LOGGER.info("CMP Response body contains " + respArr.length + " elements");
for (int i = 0; i < respArr.length; i++) {
if (respArr[i] == null) {
throw new GeneralSecurityException("No CMP response returned.");
}
BigInteger status = BigInteger.ZERO;
String statusText = "";
PKIStatusInfo pkiStatusInfo = respArr[i].getStatus();
if (pkiStatusInfo != null) {
PKIFreeText freeText = pkiStatusInfo.getStatusString();
if (freeText != null) {
for (int j = 0; j < freeText.size(); j++) {
statusText = freeText.getStringAt(j) + "\n";
}
}
}
if ((respArr[i].getCertifiedKeyPair() == null) || (respArr[i].getCertifiedKeyPair().getCertOrEncCert() == null)) {
csrUtil.setStatus(csr, CsrStatus.REJECTED);
csrUtil.setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_FAILURE_INFO, statusText, true);
throw new GeneralSecurityException("CMP response contains no certificate, status :" + status + "\n" + statusText);
}
CMPCertificate cmpCert = respArr[i].getCertifiedKeyPair().getCertOrEncCert().getCertificate();
if (cmpCert != null) {
org.bouncycastle.asn1.x509.Certificate cmpCertificate = cmpCert.getX509v3PKCert();
if (cmpCertificate != null) {
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("#" + i + ": " + cmpCertificate);
}
final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
/*
* version returning just the end entity ...
*/
final Collection<? extends java.security.cert.Certificate> certificateChain = certificateFactory.generateCertificates(new ByteArrayInputStream(cmpCertificate.getEncoded()));
X509Certificate[] certArray = certificateChain.toArray(new X509Certificate[0]);
X509Certificate cert = certArray[0];
if (LOGGER.isDebugEnabled()) {
LOGGER.info("#" + i + ": " + cert);
}
de.trustable.ca3s.core.domain.Certificate certDao = certUtil.createCertificate(cert.getEncoded(), csr, null, false);
certDao.setRevocationCA(config);
certificateRepository.save(certDao);
return certDao;
}
}
}
} else {
throw new GeneralSecurityException("unexpected PKI body type :" + tagno);
}
return null;
}
Also used :
PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage)
PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
PKIBody(org.bouncycastle.asn1.cmp.PKIBody)
GeneralSecurityException(java.security.GeneralSecurityException)
PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo)
CertRepMessage(org.bouncycastle.asn1.cmp.CertRepMessage)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
CertificateFactory(java.security.cert.CertificateFactory)
X509Certificate(java.security.cert.X509Certificate)
PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText)
CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate)
ByteArrayInputStream(java.io.ByteArrayInputStream)
BigInteger(java.math.BigInteger)
Collection(java.util.Collection)
ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)
X509Certificate(java.security.cert.X509Certificate)
CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate)
Certificate(de.trustable.ca3s.core.domain.Certificate)
Example 9 with org.bouncycastle.asn1.x509
use of org.bouncycastle.asn1.x509 in project ca3sCore by kuehne-trustable-de.
the class CertificateUtil method getCertificatePolicies.
public List<String> getCertificatePolicies(X509Certificate x509Cert) {
ArrayList<String> certificatePolicyIds = new ArrayList<>();
byte[] extVal = x509Cert.getExtensionValue(Extension.certificatePolicies.getId());
if (extVal == null) {
return certificatePolicyIds;
}
try {
org.bouncycastle.asn1.x509.CertificatePolicies cf = org.bouncycastle.asn1.x509.CertificatePolicies.getInstance(X509ExtensionUtil.fromExtensionValue(extVal));
PolicyInformation[] information = cf.getPolicyInformation();
for (PolicyInformation p : information) {
ASN1ObjectIdentifier aIdentifier = p.getPolicyIdentifier();
certificatePolicyIds.add(aIdentifier.getId());
}
} catch (IOException ex) {
LOG.error("Failed to get OCSP URL for certificate '" + x509Cert.getSubjectX500Principal().getName() + "'", ex);
}
return certificatePolicyIds;
}
Also used :
org.bouncycastle.asn1.x509(org.bouncycastle.asn1.x509)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
IOException(java.io.IOException)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 10 with org.bouncycastle.asn1.x509
use of org.bouncycastle.asn1.x509 in project ca3sCore by kuehne-trustable-de.
the class CertificateUtil method insertNameAttributes.
/**
* @param cert
* @param attributeName
* @param x500NameSubject
*/
public void insertNameAttributes(Certificate cert, String attributeName, X500Name x500NameSubject) {
try {
List<Rdn> rdnList = new LdapName(x500NameSubject.toString()).getRdns();
for (Rdn rdn : rdnList) {
String rdnExpression = rdn.getType().toLowerCase() + "=" + rdn.getValue().toString().toLowerCase().trim();
setCertMultiValueAttribute(cert, attributeName, rdnExpression);
}
} catch (InvalidNameException e) {
LOG.info("problem parsing RDN for {}", x500NameSubject);
}
for (RDN rdn : x500NameSubject.getRDNs()) {
for (org.bouncycastle.asn1.x500.AttributeTypeAndValue atv : rdn.getTypesAndValues()) {
String value = atv.getValue().toString().toLowerCase().trim();
setCertMultiValueAttribute(cert, attributeName, value);
String oid = atv.getType().getId().toLowerCase();
setCertMultiValueAttribute(cert, attributeName, oid + "=" + value);
if (!oid.equals(atv.getType().toString().toLowerCase())) {
setCertMultiValueAttribute(cert, attributeName, atv.getType().toString().toLowerCase() + "=" + value);
}
}
}
}
Also used :
AttributeTypeAndValue(org.bouncycastle.asn1.x500.AttributeTypeAndValue)
InvalidNameException(javax.naming.InvalidNameException)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
Rdn(javax.naming.ldap.Rdn)
RDN(org.bouncycastle.asn1.x500.RDN)
LdapName(javax.naming.ldap.LdapName)
Aggregations
IOException (java.io.IOException)81
X509Certificate (java.security.cert.X509Certificate)61
X500Name (org.bouncycastle.asn1.x500.X500Name)43
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)39
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)36
BigInteger (java.math.BigInteger)34
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)33
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)31
DEROctetString (org.bouncycastle.asn1.DEROctetString)31
DERIA5String (org.bouncycastle.asn1.DERIA5String)28
Date (java.util.Date)27
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)26
ArrayList (java.util.ArrayList)25
CertificateEncodingException (java.security.cert.CertificateEncodingException)24
CertificateException (java.security.cert.CertificateException)24
GeneralName (org.bouncycastle.asn1.x509.GeneralName)24
ByteArrayInputStream (java.io.ByteArrayInputStream)23
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)23
PrivateKey (java.security.PrivateKey)21
GeneralSecurityException (java.security.GeneralSecurityException)20
