
Example 1 with AlgorithmNameFinder

use of org.bouncycastle.operator.AlgorithmNameFinder in project vcert-java by Venafi.

The method checkCertificate of the class CertificateRequest.

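/**
 * Checks that the public key in {@code certificate} is the key this request was made for.
 *
 * <p>The reference key is taken from {@code keyPair} when a complete pair is present, otherwise
 * from the PEM-encoded PKCS#10 request held in {@code csr}. Both the algorithm and the key
 * material itself must match.
 *
 * <p>Scope of the check: only key correspondence is verified. The CSR's self-signature, the
 * certificate's issuer chain and its validity period are not examined here. When neither a key
 * pair nor a CSR is available there is nothing to compare against and the method returns
 * {@code true} without having checked anything; callers that need a hard guarantee must make
 * sure one of the two is set.
 *
 * <p>Side effect: in the key-pair branch a {@code null} {@code keyType} is replaced by
 * {@code KeyType.defaultKeyType()}.
 *
 * @param certificate the issued certificate to validate against this request
 * @return {@code true} when no mismatch was detected
 * @throws VCertException if the key algorithm or key material differs, the algorithm is not
 *     supported, or the CSR cannot be parsed
 */
public boolean checkCertificate(Certificate certificate) throws VCertException {
    PublicKeyAlgorithm publicKeyAlgorithm = KeyType.from(certificate.getPublicKey().getAlgorithm()).X509Type();
    if (keyPair != null && keyPair.getPublic() != null && keyPair.getPrivate() != null) {
        keyType = keyType == null ? KeyType.defaultKeyType() : keyType;
        if (keyType.X509Type() != publicKeyAlgorithm) {
            throw new VCertException(format("unmatched key type: %s, %s", keyType.X509Type(), publicKeyAlgorithm.name()));
        }
        checkPublicKeysMatch(publicKeyAlgorithm, certificate.getPublicKey(), keyPair.getPublic());
    } else if (Objects.nonNull(csr) && csr.length != 0) {
        // try-with-resources: the reader is released even when parsing fails part-way.
        try (PemReader pemReader = new PemReader(new StringReader(new String(csr)))) {
            org.bouncycastle.util.io.pem.PemObject pemObject = pemReader.readPemObject();
            if (pemObject == null) {
                // No PEM block in the input; report it as a bad CSR instead of failing with an NPE.
                throw new VCertException("bad csr: no PEM object found");
            }
            PKCS10CertificationRequest certificationRequest = new PKCS10CertificationRequest(pemObject.getContent());
            AlgorithmNameFinder nameFinder = new DefaultAlgorithmNameFinder();
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
            String csrAlgorithmName = String.valueOf(nameFinder.getAlgorithmName(certificationRequest.getSubjectPublicKeyInfo().getAlgorithm()));
            PublicKeyAlgorithm csrPublicKeyAlgorithm;
            try {
                csrPublicKeyAlgorithm = PublicKeyAlgorithm.valueOf(csrAlgorithmName);
            } catch (IllegalArgumentException e) {
                // A name with no matching enum constant is reported like any other unsupported algorithm.
                throw new VCertException(format("unknown key algorithm %s", csrAlgorithmName), e);
            }
            if (publicKeyAlgorithm != csrPublicKeyAlgorithm) {
                throw new VCertException(format("unmatched key type: %s, %s", publicKeyAlgorithm, csrPublicKeyAlgorithm));
            }
            checkPublicKeysMatch(csrPublicKeyAlgorithm, certificate.getPublicKey(), converter.getPublicKey(certificationRequest.getSubjectPublicKeyInfo()));
        } catch (IOException e) {
            throw new VCertException(format("bad csr: %s", e.getMessage()), e);
        }
    }
    return true;
}

/**
 * Compares the certificate's public key with the requested one for the given algorithm.
 *
 * <p>Fails closed: an algorithm without a comparison rule is rejected rather than accepted.
 *
 * @param algorithm the (already matched) algorithm of both keys
 * @param certKey public key taken from the certificate
 * @param requestKey public key taken from the key pair or the CSR
 * @throws VCertException if the keys differ or the algorithm is not supported
 */
private static void checkPublicKeysMatch(PublicKeyAlgorithm algorithm, java.security.PublicKey certKey, java.security.PublicKey requestKey) throws VCertException {
    switch (algorithm) {
        case RSA:
            RSAPublicKey certRsaKey = (RSAPublicKey) certKey;
            RSAPublicKey reqRsaKey = (RSAPublicKey) requestKey;
            if (!certRsaKey.getModulus().equals(reqRsaKey.getModulus())) {
                throw new VCertException("unmatched key modules");
            }
            // An RSA public key is the pair (modulus, exponent); the modulus alone does not identify it.
            if (!certRsaKey.getPublicExponent().equals(reqRsaKey.getPublicExponent())) {
                throw new VCertException("unmatched key exponent");
            }
            break;
        case ECDSA:
            ECPublicKey certEcKey = (ECPublicKey) certKey;
            ECPublicKey reqEcKey = (ECPublicKey) requestKey;
            // https://stackoverflow.com/questions/24121801/how-to-verify-if-the-private-key-matches-with-the-certificate
            java.security.spec.ECParameterSpec certSpec = certEcKey.getParams(), csrSpec = reqEcKey.getParams();
            java.security.spec.EllipticCurve certCurve = certSpec.getCurve(), csrCurve = csrSpec.getCurve();
            java.security.spec.ECField certField = certCurve.getField(), csrField = csrCurve.getField();
            boolean curveDiffers = certCurve != csrCurve
                    && (!certCurve.getA().equals(csrCurve.getA())
                    || !certCurve.getB().equals(csrCurve.getB())
                    || certField.getFieldSize() != csrField.getFieldSize());
            boolean domainDiffers = certSpec != csrSpec
                    && (certSpec.getCofactor() != csrSpec.getCofactor()
                    || !certSpec.getOrder().equals(csrSpec.getOrder())
                    || !certSpec.getGenerator().equals(csrSpec.getGenerator())
                    || curveDiffers);
            if (domainDiffers) {
                throw new VCertException("unmatched parameters for elliptic keys");
            }
            // Equal domain parameters only prove both keys are on the same curve. The public
            // point W is the key itself, so a certificate for any other key on that curve
            // must be rejected here.
            if (!certEcKey.getW().equals(reqEcKey.getW())) {
                throw new VCertException("unmatched public point for elliptic keys");
            }
            break;
        default:
            throw new VCertException(format("unknown key algorithm %s", algorithm.name()));
    }
}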
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) DefaultAlgorithmNameFinder(org.bouncycastle.operator.DefaultAlgorithmNameFinder) JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter) DEROctetString(org.bouncycastle.asn1.DEROctetString) IOException(java.io.IOException) DefaultAlgorithmNameFinder(org.bouncycastle.operator.DefaultAlgorithmNameFinder) AlgorithmNameFinder(org.bouncycastle.operator.AlgorithmNameFinder) PemReader(org.bouncycastle.util.io.pem.PemReader) RSAPublicKey(java.security.interfaces.RSAPublicKey) ECPublicKey(java.security.interfaces.ECPublicKey) VCertException(com.venafi.vcert.sdk.VCertException) StringReader(java.io.StringReader)

Aggregations

VCertException (com.venafi.vcert.sdk.VCertException)1 IOException (java.io.IOException)1 StringReader (java.io.StringReader)1 ECPublicKey (java.security.interfaces.ECPublicKey)1 RSAPublicKey (java.security.interfaces.RSAPublicKey)1 DEROctetString (org.bouncycastle.asn1.DEROctetString)1 JcaPEMKeyConverter (org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter)1 AlgorithmNameFinder (org.bouncycastle.operator.AlgorithmNameFinder)1 DefaultAlgorithmNameFinder (org.bouncycastle.operator.DefaultAlgorithmNameFinder)1 PKCS10CertificationRequest (org.bouncycastle.pkcs.PKCS10CertificationRequest)1 PemReader (org.bouncycastle.util.io.pem.PemReader)1