use of org.bouncycastle.asn1.x509 in project documentproduction by qld-gov-au.
the class CertificateVerifier method downloadExtraCertificates.
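/**
 * Collects the certificates referenced by the {@code id-ad-caIssuers} entries of the
 * "authority information access" (AIA) extension, looking each URI up through
 * {@code ISSUER_CERTS}.
 *
 * <p>Parsing is lenient: an absent extension, an unparsable extension value, or an access
 * description that does not have the expected ASN.1 shape is logged and skipped instead of
 * surfacing as an unchecked exception.
 *
 * <p>Security note: the URIs are read from the certificate under examination, so they are
 * untrusted input, and so is everything fetched from them. The returned certificates are
 * only candidates for path building; the caller still has to validate the resulting chain
 * against its own trust anchors before relying on any of them.
 *
 * @param ext an X509 object that can have extensions.
 *
 * @return a certificate set, never null.
 * @throws ExecutionException presumably raised by the {@code ISSUER_CERTS} lookup when a
 *         download fails; this is the only checked exception the method lets through.
 */
public static Set<X509Certificate> downloadExtraCertificates(X509Extension ext) throws ExecutionException {
    // https://tools.ietf.org/html/rfc2459#section-4.2.2.1
    // https://tools.ietf.org/html/rfc3280#section-4.2.2.1
    // https://tools.ietf.org/html/rfc4325
    // Context tag of the uniformResourceIdentifier choice of GeneralName (RFC 5280, 4.2.1.6).
    final int uriTagNo = 6;
    Set<X509Certificate> resultSet = new HashSet<X509Certificate>();
    byte[] authorityExtensionValue = ext.getExtensionValue(Extension.authorityInfoAccess.getId());
    if (authorityExtensionValue == null) {
        return resultSet;
    }
    ASN1Primitive asn1Prim;
    try {
        asn1Prim = JcaX509ExtensionUtils.parseExtensionValue(authorityExtensionValue);
    } catch (IOException ex) {
        LOG.warn(ex.getMessage(), ex);
        return resultSet;
    }
    if (!(asn1Prim instanceof ASN1Sequence)) {
        LOG.warn("ASN1Sequence expected, got "
                + (asn1Prim == null ? "null" : asn1Prim.getClass().getSimpleName()));
        return resultSet;
    }
    ASN1Sequence asn1Seq = (ASN1Sequence) asn1Prim;
    Enumeration<?> objects = asn1Seq.getObjects();
    while (objects.hasMoreElements()) {
        // AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
        Object element = objects.nextElement();
        if (!(element instanceof ASN1Sequence) || ((ASN1Sequence) element).size() < 2) {
            // A crafted certificate can put anything here; skip it rather than fail on a cast.
            LOG.warn("Malformed AccessDescription in authority information access extension, skipped");
            continue;
        }
        ASN1Sequence obj = (ASN1Sequence) element;
        ASN1Encodable oid = obj.getObjectAt(0);
        if (!X509ObjectIdentifiers.id_ad_caIssuers.equals(oid)) {
            continue;
        }
        ASN1Encodable accessLocation = obj.getObjectAt(1);
        if (!(accessLocation instanceof ASN1TaggedObject)) {
            LOG.warn("CA issuers access location is not a tagged GeneralName, skipped");
            continue;
        }
        ASN1TaggedObject location = (ASN1TaggedObject) accessLocation;
        if (location.getTagNo() != uriTagNo) {
            // Other GeneralName choices (directoryName, rfc822Name, ...) are not URLs.
            continue;
        }
        Object uriObject = location.getObject();
        if (!(uriObject instanceof ASN1OctetString)) {
            LOG.warn("CA issuers URI has an unexpected encoding, skipped");
            continue;
        }
        // The URI is an IA5String; decode with a fixed charset instead of the platform default.
        String urlString = new String(((ASN1OctetString) uriObject).getOctets(),
                java.nio.charset.StandardCharsets.US_ASCII);
        // NOTE(review): urlString is attacker-controlled. Whatever ISSUER_CERTS does with it
        // (scheme and host restrictions, timeouts, size limits) is not visible here - confirm
        // it cannot be pointed at internal services, and that the log line tolerates
        // control characters.
        LOG.info("CA issuers URL: " + urlString);
        Collection<? extends Certificate> altCerts = ISSUER_CERTS.get(urlString);
        for (Certificate altCert : altCerts) {
            if (altCert instanceof X509Certificate) {
                resultSet.add((X509Certificate) altCert);
            }
        }
        LOG.info("CA issuers URL: " + altCerts.size() + " certificate(s) downloaded");
    }
    LOG.info("CA issuers: Downloaded " + resultSet.size() + " certificate(s) total");
    return resultSet;
}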
use of org.bouncycastle.asn1.x509 in project uaa by cloudfoundry.
the class RsaKeyInfo method parseKeyPair.
/**
 * Parses PEM text into an RSA {@link KeyPair}.
 *
 * <p>Three PEM labels are accepted: {@code RSA PRIVATE KEY} (a nine-element ASN.1 sequence,
 * from which both halves of the pair are rebuilt), {@code PUBLIC KEY} (X.509 encoded) and
 * {@code RSA PUBLIC KEY}. For the two public-only labels the private half of the returned
 * pair is {@code null}, so callers that intend to sign must check for it.
 *
 * @param pemData the PEM text; surrounding whitespace is trimmed before matching
 * @return the parsed key pair, with a {@code null} private key for public-only input
 * @throws IllegalArgumentException if the text is not PEM, the label is unsupported, or the
 *         private key sequence does not have nine elements
 * @throws IllegalStateException if no RSA {@link KeyFactory} is available
 * @throws RuntimeException wrapping an {@link InvalidKeySpecException} from the key factory
 */
private KeyPair parseKeyPair(String pemData) {
    Matcher pemMatcher = PEM_DATA.matcher(pemData.trim());
    if (!pemMatcher.matches()) {
        throw new IllegalArgumentException("String is not PEM encoded data");
    }
    final String pemLabel = pemMatcher.group(1);
    final byte[] der = b64Decode(utf8Encode(pemMatcher.group(2)));
    try {
        KeyFactory rsaFactory = KeyFactory.getInstance("RSA");
        switch (pemLabel) {
            case "RSA PRIVATE KEY": {
                ASN1Sequence privateSequence = ASN1Sequence.getInstance(der);
                // Only the nine-field private key structure is accepted.
                if (privateSequence.size() != 9) {
                    throw new IllegalArgumentException("Invalid RSA Private Key ASN1 sequence.");
                }
                org.bouncycastle.asn1.pkcs.RSAPrivateKey parsed =
                        org.bouncycastle.asn1.pkcs.RSAPrivateKey.getInstance(privateSequence);
                RSAPublicKeySpec derivedPublicSpec =
                        new RSAPublicKeySpec(parsed.getModulus(), parsed.getPublicExponent());
                RSAPrivateCrtKeySpec crtSpec = new RSAPrivateCrtKeySpec(
                        parsed.getModulus(),
                        parsed.getPublicExponent(),
                        parsed.getPrivateExponent(),
                        parsed.getPrime1(),
                        parsed.getPrime2(),
                        parsed.getExponent1(),
                        parsed.getExponent2(),
                        parsed.getCoefficient());
                // The public half is derived from the private key's own modulus and exponent.
                PublicKey derivedPublic = rsaFactory.generatePublic(derivedPublicSpec);
                PrivateKey restoredPrivate = rsaFactory.generatePrivate(crtSpec);
                return new KeyPair(derivedPublic, restoredPrivate);
            }
            case "PUBLIC KEY": {
                KeySpec x509Spec = new X509EncodedKeySpec(der);
                return new KeyPair(rsaFactory.generatePublic(x509Spec), null);
            }
            case "RSA PUBLIC KEY": {
                ASN1Sequence publicSequence = ASN1Sequence.getInstance(der);
                org.bouncycastle.asn1.pkcs.RSAPublicKey parsed =
                        org.bouncycastle.asn1.pkcs.RSAPublicKey.getInstance(publicSequence);
                RSAPublicKeySpec publicSpec =
                        new RSAPublicKeySpec(parsed.getModulus(), parsed.getPublicExponent());
                return new KeyPair(rsaFactory.generatePublic(publicSpec), null);
            }
            default:
                throw new IllegalArgumentException(pemLabel + " is not a supported format");
        }
    } catch (InvalidKeySpecException e) {
        throw new RuntimeException(e);
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException(e);
    }
}
use of org.bouncycastle.asn1.x509 in project attestation by TokenScript.
the class HelperTest method makeUnsignedx509Att.
/**
 * Builds an unsigned x509 attestation for tests; its subject is
 * "CN=0x2042424242424564648".
 *
 * <p>Serial number, issuer, subject and the extension payload are fixed fixture values. The
 * result is asserted to be a valid X509 structure before it is returned.
 *
 * @param key the public key placed in the attestation's SubjectPublicKeyInfo
 * @return the populated, unsigned attestation
 * @throws IOException declared by the method; presumably raised when the key cannot be
 *         encoded as a SubjectPublicKeyInfo
 */
public static Attestation makeUnsignedx509Att(AsymmetricKeyParameter key) throws IOException {
    Attestation unsigned = new Attestation();
    // Encoded value 2 denotes v3, since counting starts from 0.
    unsigned.setVersion(2);
    unsigned.setSerialNumber(42);
    // ECDSA with SHA256, which is needed for a proper x509.
    unsigned.setSigningAlgorithm(SignedIdentifierAttestation.ECDSA_WITH_SHA256);
    unsigned.setIssuer("CN=ALX");

    // Validity window: from now until VALIDITY milliseconds later.
    Date notBefore = new Date();
    unsigned.setNotValidBefore(notBefore);
    Date notAfter = new Date(System.currentTimeMillis() + VALIDITY);
    unsigned.setNotValidAfter(notAfter);

    unsigned.setSubject("CN=0x2042424242424564648");
    unsigned.setSubjectPublicKeyInfo(SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(key));

    ASN1EncodableVector extensionFields = new ASN1EncodableVector();
    extensionFields.add(Attestation.OID_OCTETSTRING);
    extensionFields.add(ASN1Boolean.TRUE);
    extensionFields.add(new DEROctetString("hello world".getBytes()));
    // X509V3 compatibility requires the extension to be wrapped in two nested sequences.
    DERSequence singleExtension = new DERSequence(extensionFields);
    unsigned.setExtensions(new DERSequence(singleExtension));

    assertTrue(unsigned.isValidX509());
    return unsigned;
}
use of org.bouncycastle.asn1.x509 in project attestation by TokenScript.
the class Attestor method constructAttestations.
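/**
 * Constructs a list of X509 attestations, one for each of the relevant DatasourceName lists of
 * elements in the response json.
 *
 * <p>The request signature is checked first; nothing is issued unless it verifies against
 * {@code userPK}. Each attestation binds {@code userPK} to one subject name and its
 * extensions, and is valid from the time of issuance for {@code lifeTime} milliseconds.
 *
 * <p>NOTE(review): the serial number is the issuance time in milliseconds, kept distinct
 * within one call by a 1 ms sleep. That makes serials predictable and does not rule out
 * collisions between concurrent calls or between several server instances - confirm that
 * nothing (revocation, de-duplication) relies on issuer plus serial being unique.
 *
 * @param request Json request in a String - verification request that was sent to Trulioo Global Gateway†
 * @param verifyRecord Json object of the Record in verifyResponse, from Trulioo Global Gateway‡
 * @param signature DER encoded signature of exactly the json request string encoded as UTF-8;
 *        the code verifies it through {@code SignatureUtil.verifySha256}
 * @param userPK user's public key
 * @return List of x509 attestations
 * @throws IllegalArgumentException if the request signature does not verify (as produced by
 *         {@code ExceptionUtil.throwException})
 *
 * † An example can be found https://developer.trulioo.com/docs/identity-verification-step-6-verify
 * ‡ Observe the "Record" in https://developer.trulioo.com/docs/identity-verification-verify-response
 */
public List<X509CertificateHolder> constructAttestations(String request, JSONObject verifyRecord, byte[] signature, AsymmetricKeyParameter userPK) {
    // Authenticate the request before parsing any of its content.
    if (!SignatureUtil.verifySha256(request.getBytes(StandardCharsets.UTF_8), signature, userPK)) {
        throw ExceptionUtil.throwException(logger, new IllegalArgumentException(
                "Request signature verification failed. "
                + "Make sure that your message is unaltered, signature is created by hashing the message with SHA256 "
                + "and using a key of secp256k1 type."));
    }
    List<X509CertificateHolder> res = new ArrayList<>();
    Parser parser = new Parser(new JSONObject(request), verifyRecord);
    Map<String, X500Name> subjectNames = parser.getX500Names();
    Map<String, Extensions> subjectExtensions = parser.getExtensions();
    for (Map.Entry<String, X500Name> subjectEntry : subjectNames.entrySet()) {
        String currentAttName = subjectEntry.getKey();
        try {
            long time = System.currentTimeMillis();
            V3TBSCertificateGenerator certBuilder = new V3TBSCertificateGenerator();
            certBuilder.setSignature(serverSigningAlgo);
            certBuilder.setIssuer(serverInfo);
            certBuilder.setSerialNumber(new ASN1Integer(time));
            certBuilder.setStartDate(new Time(new Date(time)));
            certBuilder.setEndDate(new Time(new Date(time + lifeTime)));
            SubjectPublicKeyInfo spki = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(userPK);
            certBuilder.setSubjectPublicKeyInfo(spki);
            certBuilder.setSubject(subjectEntry.getValue());
            certBuilder.setExtensions(subjectExtensions.get(currentAttName));
            TBSCertificate tbsCert = certBuilder.generateTBSCertificate();
            res.add(new X509CertificateHolder(constructSignedAttestation(tbsCert)));
            // To ensure that we get a new serial number for every cert
            Thread.sleep(1);
        } catch (IOException e) {
            throw ExceptionUtil.makeRuntimeException(logger, "Could not parse server key", e);
        } catch (InterruptedException e) {
            // Restore the interrupt flag so code further up the stack can still observe it.
            Thread.currentThread().interrupt();
            throw ExceptionUtil.makeRuntimeException(logger, "Could not sleep", e);
        }
    }
    return res;
}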
use of org.bouncycastle.asn1.x509 in project azure-iot-sdk-java by Azure.
the class X509CertificateGenerator method createX509CertificateFromKeyPair.
/**
 * Creates a new self-signed x509 certificate with the specified common name.
 *
 * <p>Issuer and subject are the same distinguished name: {@code ISSUER_STRING}, followed by
 * {@code ", CN=<commonName>"} when a non-empty common name is given. The certificate becomes
 * valid 24 hours in the past (to tolerate clock skew) and expires 2 hours from now. Before it
 * is returned it is checked for current validity and verified against the pair's public key.
 *
 * <p>NOTE(review): the serial number is always 1, so every certificate produced here shares
 * issuer and serial; and {@code commonName} is concatenated into the DN string unescaped, so
 * a value containing DN separators would add or alter name components. Both look acceptable
 * only for short-lived certificates built from trusted names - confirm against the callers.
 *
 * @param keyPair the key pair whose public key is certified and whose private key signs
 * @param algorithm selects the signature algorithm via {@code CertificateAlgorithm.getSignature}
 * @param commonName optional common name; ignored when {@code null} or empty
 * @return the self-signed certificate
 */
private static X509Certificate createX509CertificateFromKeyPair(KeyPair keyPair, CertificateAlgorithm algorithm, String commonName) throws OperatorCreationException, CertificateException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
    StringBuilder dnBuilder = new StringBuilder(ISSUER_STRING);
    boolean hasCommonName = commonName != null && !commonName.isEmpty();
    if (hasCommonName) {
        dnBuilder.append(", CN=").append(commonName);
    }
    String distinguishedName = dnBuilder.toString();

    // Self-signed: issuer and subject carry the same name.
    X500Name issuer = new X500Name(distinguishedName);
    BigInteger serial = BigInteger.ONE;

    // Backdate the start by 24 hours to avoid clock skew issues with start time.
    long skewAllowanceMillis = TimeUnit.HOURS.toMillis(24);
    Date notBefore = new Date(System.currentTimeMillis() - skewAllowanceMillis);
    // 2 hour lifetime
    long lifetimeMillis = TimeUnit.HOURS.toMillis(2);
    Date notAfter = new Date(System.currentTimeMillis() + lifetimeMillis);

    X500Name subject = new X500Name(distinguishedName);
    PublicKey publicKey = keyPair.getPublic();

    JcaX509v3CertificateBuilder certificateBuilder =
            new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, publicKey);
    String signatureName = CertificateAlgorithm.getSignature(algorithm);
    X509CertificateHolder holder =
            certificateBuilder.build(new JcaContentSignerBuilder(signatureName).build(keyPair.getPrivate()));
    X509Certificate selfSigned = new JcaX509CertificateConverter().getCertificate(holder);

    // Sanity checks: the certificate must be valid now and carry a signature made by this pair.
    selfSigned.checkValidity(new Date());
    selfSigned.verify(keyPair.getPublic());
    return selfSigned;
}