Example 1 with AlgorithmNameFinder
use of org.bouncycastle.operator.AlgorithmNameFinder in project vcert-java by Venafi.
the class CertificateRequest method checkCertificate.
public boolean checkCertificate(Certificate certificate) throws VCertException {
PublicKeyAlgorithm publicKeyAlgorithm = KeyType.from(certificate.getPublicKey().getAlgorithm()).X509Type();
if (keyPair != null && keyPair.getPublic() != null && keyPair.getPrivate() != null) {
keyType = keyType == null ? KeyType.defaultKeyType() : keyType;
if (keyType.X509Type() != publicKeyAlgorithm) {
throw new VCertException(format("unmatched key type: %s, %s", keyType.X509Type(), publicKeyAlgorithm.name()));
}
switch(publicKeyAlgorithm) {
case RSA:
RSAPublicKey certPublicKey = (RSAPublicKey) certificate.getPublicKey();
RSAPublicKey reqPublicKey = (RSAPublicKey) keyPair.getPublic();
// TODO can be equals?
if (certPublicKey.getModulus().compareTo(reqPublicKey.getModulus()) != 0) {
throw new VCertException("unmatched key modules");
}
break;
case ECDSA:
ECPublicKey certEcPublicKey = (ECPublicKey) certificate.getPublicKey();
ECPublicKey reqEcPublicKey = (ECPublicKey) keyPair.getPublic();
// https://stackoverflow.com/questions/24121801/how-to-verify-if-the-private-key-matches-with-the-certificate
java.security.spec.ECParameterSpec certSpec = certEcPublicKey.getParams(), csrSpec = reqEcPublicKey.getParams();
java.security.spec.EllipticCurve certCurve = certSpec.getCurve(), csrCurve = csrSpec.getCurve();
java.security.spec.ECField certField = certCurve.getField(), csrField = csrCurve.getField();
if (//
certSpec != csrSpec && (//
certSpec.getCofactor() != csrSpec.getCofactor() || //
!certSpec.getOrder().equals(csrSpec.getOrder()) || //
!certSpec.getGenerator().equals(csrSpec.getGenerator()) || //
certCurve != csrCurve && (//
!certCurve.getA().equals(csrCurve.getA()) || //
!certCurve.getB().equals(csrCurve.getB()) || certField.getFieldSize() != csrField.getFieldSize()))) {
throw new VCertException("unmatched parameters for elliptic keys");
}
break;
default:
throw new VCertException(format("unknown key algorithm %s", publicKeyAlgorithm.name()));
}
} else if (Objects.nonNull(csr) && csr.length != 0) {
try {
PemReader pemReader = new PemReader(new StringReader(new String(csr)));
PKCS10CertificationRequest csr = new PKCS10CertificationRequest(pemReader.readPemObject().getContent());
pemReader.close();
AlgorithmNameFinder nameFinder = new DefaultAlgorithmNameFinder();
JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
PublicKeyAlgorithm csrPublicKeyAlgorithm = PublicKeyAlgorithm.valueOf(String.valueOf(nameFinder.getAlgorithmName(csr.getSubjectPublicKeyInfo().getAlgorithm())));
if (publicKeyAlgorithm != csrPublicKeyAlgorithm) {
throw new VCertException(format("unmatched key type: %s, %s", publicKeyAlgorithm, csrPublicKeyAlgorithm));
}
switch(csrPublicKeyAlgorithm) {
case RSA:
RSAPublicKey certPublicKey = (RSAPublicKey) certificate.getPublicKey();
RSAPublicKey reqPublicKey = (RSAPublicKey) converter.getPublicKey(csr.getSubjectPublicKeyInfo());
if (certPublicKey.getModulus().compareTo(reqPublicKey.getModulus()) != 0) {
throw new VCertException("unmatched key modules");
}
break;
case ECDSA:
ECPublicKey certEcPublicKey = (ECPublicKey) certificate.getPublicKey();
ECPublicKey reqEcPublicKey = (ECPublicKey) converter.getPublicKey(csr.getSubjectPublicKeyInfo());
// https://stackoverflow.com/questions/24121801/how-to-verify-if-the-private-key-matches-with-the-certificate
java.security.spec.ECParameterSpec certSpec = certEcPublicKey.getParams(), csrSpec = reqEcPublicKey.getParams();
java.security.spec.EllipticCurve certCurve = certSpec.getCurve(), csrCurve = csrSpec.getCurve();
java.security.spec.ECField certField = certCurve.getField(), csrField = csrCurve.getField();
if (//
certSpec != csrSpec && (//
certSpec.getCofactor() != csrSpec.getCofactor() || //
!certSpec.getOrder().equals(csrSpec.getOrder()) || //
!certSpec.getGenerator().equals(csrSpec.getGenerator()) || //
certCurve != csrCurve && (//
!certCurve.getA().equals(csrCurve.getA()) || //
!certCurve.getB().equals(csrCurve.getB()) || certField.getFieldSize() != csrField.getFieldSize()))) {
throw new VCertException("unmatched parameters for elliptic keys");
}
break;
}
} catch (IOException e) {
throw new VCertException(format("bad csr: %s", e.getMessage()), e);
}
}
return true;
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
DefaultAlgorithmNameFinder(org.bouncycastle.operator.DefaultAlgorithmNameFinder)
JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
IOException(java.io.IOException)
DefaultAlgorithmNameFinder(org.bouncycastle.operator.DefaultAlgorithmNameFinder)
AlgorithmNameFinder(org.bouncycastle.operator.AlgorithmNameFinder)
PemReader(org.bouncycastle.util.io.pem.PemReader)
RSAPublicKey(java.security.interfaces.RSAPublicKey)
ECPublicKey(java.security.interfaces.ECPublicKey)
VCertException(com.venafi.vcert.sdk.VCertException)
StringReader(java.io.StringReader)
Aggregations
VCertException (com.venafi.vcert.sdk.VCertException)1
IOException (java.io.IOException)1
StringReader (java.io.StringReader)1
ECPublicKey (java.security.interfaces.ECPublicKey)1
RSAPublicKey (java.security.interfaces.RSAPublicKey)1
DEROctetString (org.bouncycastle.asn1.DEROctetString)1
JcaPEMKeyConverter (org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter)1
AlgorithmNameFinder (org.bouncycastle.operator.AlgorithmNameFinder)1
DefaultAlgorithmNameFinder (org.bouncycastle.operator.DefaultAlgorithmNameFinder)1
PKCS10CertificationRequest (org.bouncycastle.pkcs.PKCS10CertificationRequest)1
PemReader (org.bouncycastle.util.io.pem.PemReader)1
