use of org.bouncycastle.cert.AttributeCertificateIssuer in project OpenAttestation by OpenAttestation.
the class X509AttrBuilder method build.
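/**
 * Builds and signs the X.509 v2 attribute certificate described by this builder.
 *
 * Optional inputs receive defaults first: a one-day validity window when either bound is
 * unset, and a date-derived serial number. Required inputs (subject name, issuer name,
 * issuer private key, at least one attribute) are reported through {@code fault(...)}
 * rather than thrown, so the caller sees every missing piece at once.
 *
 * @return the DER encoding of the signed attribute certificate, or {@code null} when any
 *         fault was recorded (see {@code getFaults()} for the reasons)
 */
public byte[] build() {
    if (notBefore == null || notAfter == null) {
        // 1 day default validity window
        expires(1, TimeUnit.DAYS);
    }
    if (serialNumber == null) {
        // NOTE(review): a date-derived serial is predictable and can repeat when two
        // certificates are built within the same clock tick; confirm dateSerial() is
        // unique per issuer, or prefer a SecureRandom-based serial.
        dateSerial();
    }
    if (subjectName == null) {
        fault("Subject name is missing");
    }
    if (issuerName == null) {
        fault("Issuer name is missing");
    }
    if (issuerPrivateKey == null) {
        fault("Issuer private key is missing");
    }
    if (attributes.isEmpty()) {
        fault("No attributes selected");
    }
    // The BouncyCastle builder encodes an inverted window without complaint; reject it here.
    if (notBefore != null && notAfter != null && !notAfter.after(notBefore)) {
        fault("Validity period is empty or inverted (notAfter must be later than notBefore)");
    }
    try {
        if (!getFaults().isEmpty()) {
            return null;
        }
        // Keys held in a hardware token or a non-extractable keystore return null here
        // and cannot be handed to the BC lightweight API (createKey would NPE).
        byte[] encodedKey = issuerPrivateKey.getEncoded();
        if (encodedKey == null) {
            fault("Issuer private key is not extractable");
            return null;
        }
        AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
        AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
        // NOTE(review): this signer is RSA-only; a non-RSA key presumably fails inside
        // BcRSAContentSignerBuilder with an unchecked exception that the catch below does not cover.
        ContentSigner authority = new BcRSAContentSignerBuilder(sigAlgId, digAlgId)
                .build(PrivateKeyFactory.createKey(encodedKey));
        // The subject name is expected (per the original comment) to be a UUID such as
        // 33766a63-5c55-4461-8a84-5936577df450.
        AttributeCertificateHolder holder = new AttributeCertificateHolder(subjectName);
        AttributeCertificateIssuer issuer = new AttributeCertificateIssuer(issuerName);
        X509v2AttributeCertificateBuilder builder =
                new X509v2AttributeCertificateBuilder(holder, issuer, serialNumber, notBefore, notAfter);
        for (Attribute attribute : attributes) {
            builder.addAttribute(attribute.oid, attribute.value);
        }
        X509AttributeCertificateHolder cert = builder.build(authority);
        return cert.getEncoded();
    } catch (IOException | OperatorCreationException e) {
        fault(e, "cannot sign certificate");
        return null;
    } finally {
        done();
    }
}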
use of org.bouncycastle.cert.AttributeCertificateIssuer in project xipki by xipki.
the class BaseOcspStatusAction method execute0.
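/**
 * Runs the OCSP status query for the configured certificates or serial numbers.
 *
 * Targets come either from {@code certFiles} (each file is parsed and must chain to the
 * given issuer) or from {@code serialNumberList} (single serials or {@code from-to} ranges).
 * The responder URL is taken from {@code serverUrl}, or, when blank, from the AIA
 * extension of the certificates, which must all agree on one URL. When requested, the raw
 * request/response bytes are written to {@code reqout}/{@code respout} even if the
 * request fails, so a malformed exchange can be inspected offline.
 *
 * @return the result of {@code processResponse(...)}
 * @throws IllegalCmdParamException when the parameters are inconsistent or a certificate
 *         is not issued by the given issuer
 * @throws Exception on I/O, parsing or transport failures
 */
@Override
protected final Object execute0() throws Exception {
    if (StringUtil.isBlank(serialNumberList) && isEmpty(certFiles)) {
        throw new IllegalCmdParamException("Neither serialNumbers nor certFiles is set");
    }
    X509Certificate issuerCert = X509Util.parseCert(issuerCertFile);
    Map<BigInteger, byte[]> encodedCerts = null;
    List<BigInteger> sns;
    if (isNotEmpty(certFiles)) {
        sns = new LinkedList<>();
        encodedCerts = new HashMap<>(certFiles.size());
        String ocspUrl = null;
        // Needed only for attribute certificates, whose issuer is matched by name.
        X500Name issuerX500Name = isAttrCert
                ? X500Name.getInstance(issuerCert.getSubjectX500Principal().getEncoded())
                : null;
        for (String certFile : certFiles) {
            BigInteger sn;
            List<String> ocspUrls;
            // Read the file once: the bytes that are parsed are the same bytes later passed to
            // processResponse, so a concurrent rewrite of the file cannot make them disagree.
            byte[] encodedCert = IoUtil.read(certFile);
            if (isAttrCert) {
                X509AttributeCertificateHolder cert = new X509AttributeCertificateHolder(encodedCert);
                // No signature validation is done on the attribute certificate: only its issuer
                // name is compared with the given issuer. That is sufficient here because the
                // holder is used solely to obtain the serial number and OCSP URL to query.
                AttributeCertificateIssuer reqIssuer = cert.getIssuer();
                if (reqIssuer != null) {
                    X500Name[] reqIssuerNames = reqIssuer.getNames();
                    // Only the first issuer name is compared (as before); an issuer with no names
                    // used to trip an ArrayIndexOutOfBoundsException and is now rejected instead.
                    if (reqIssuerNames == null || reqIssuerNames.length == 0
                            || !issuerX500Name.equals(reqIssuerNames[0])) {
                        throw new IllegalCmdParamException("certificate " + certFile + " is not issued by the given issuer");
                    }
                }
                ocspUrls = extractOcspUrls(cert);
                sn = cert.getSerialNumber();
            } else {
                X509Certificate cert = X509Util.parseCert(certFile);
                // Public-key certificates are checked cryptographically against the issuer.
                if (!X509Util.issues(issuerCert, cert)) {
                    throw new IllegalCmdParamException("certificate " + certFile + " is not issued by the given issuer");
                }
                ocspUrls = extractOcspUrls(cert);
                sn = cert.getSerialNumber();
            }
            if (isBlank(serverUrl)) {
                // No explicit responder: fall back to the first AIA URL, which every
                // certificate in the batch must share.
                if (CollectionUtil.isEmpty(ocspUrls)) {
                    throw new IllegalCmdParamException("could not extract OCSP responder URL");
                }
                String url = ocspUrls.get(0);
                if (ocspUrl != null && !ocspUrl.equals(url)) {
                    throw new IllegalCmdParamException("given certificates have different" + " OCSP responder URL in certificate");
                }
                ocspUrl = url;
            }
            sns.add(sn);
            encodedCerts.put(sn, encodedCert);
        }
        if (isBlank(serverUrl)) {
            serverUrl = ocspUrl;
        }
    } else {
        sns = parseSerialNumberList();
    }
    if (isBlank(serverUrl)) {
        throw new IllegalCmdParamException("could not get URL for the OCSP responder");
    }
    X509Certificate respIssuer = null;
    if (respIssuerFile != null) {
        respIssuer = X509Util.parseCert(IoUtil.expandFilepath(respIssuerFile));
    }
    URL serverUrlObj = new URL(serverUrl);
    RequestOptions options = getRequestOptions();
    checkParameters(respIssuer, sns, encodedCerts);
    boolean saveReq = isNotBlank(reqout);
    boolean saveResp = isNotBlank(respout);
    RequestResponseDebug debug = (saveReq || saveResp)
            ? new RequestResponseDebug(saveReq, saveResp)
            : null;
    IssuerHash issuerHash = new IssuerHash(HashAlgo.getNonNullInstance(options.getHashAlgorithmId()), Certificate.getInstance(issuerCert.getEncoded()));
    OCSPResp response;
    try {
        response = requestor.ask(issuerCert, sns.toArray(new BigInteger[0]), serverUrlObj, options, debug);
    } finally {
        // Persist the raw exchange even when ask() throws, for offline inspection.
        if (debug != null && debug.size() > 0) {
            RequestResponsePair reqResp = debug.get(0);
            if (saveReq) {
                byte[] bytes = reqResp.getRequest();
                if (bytes != null) {
                    IoUtil.save(reqout, bytes);
                }
            }
            if (saveResp) {
                byte[] bytes = reqResp.getResponse();
                if (bytes != null) {
                    IoUtil.save(respout, bytes);
                }
            }
        }
    }
    return processResponse(response, respIssuer, issuerHash, sns, encodedCerts);
}

/**
 * Parses {@code serialNumberList}: a comma- or space-separated list of serial numbers or
 * {@code from-to} ranges, in the radix selected by {@code hex}. A range is expanded to every
 * serial number it contains but is capped at a spread of 10, so a typo cannot turn into
 * thousands of OCSP queries.
 *
 * @return the serial numbers to query, in list order
 * @throws IllegalCmdParamException when a range spans more than the allowed count
 */
private List<BigInteger> parseSerialNumberList() throws IllegalCmdParamException {
    List<BigInteger> sns = new LinkedList<>();
    StringTokenizer st = new StringTokenizer(serialNumberList, ", ");
    while (st.hasMoreTokens()) {
        StringTokenizer st2 = new StringTokenizer(st.nextToken(), "-");
        BigInteger from = toBigInt(st2.nextToken(), hex);
        BigInteger to = st2.hasMoreTokens() ? toBigInt(st2.nextToken(), hex) : null;
        if (to == null) {
            sns.add(from);
            continue;
        }
        BigIntegerRange range = new BigIntegerRange(from, to);
        if (range.getDiff().compareTo(BigInteger.valueOf(10)) > 0) {
            throw new IllegalCmdParamException("too many serial numbers");
        }
        for (BigInteger sn = range.getFrom(); range.isInRange(sn); sn = sn.add(BigInteger.ONE)) {
            sns.add(sn);
        }
    }
    return sns;
}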