Use of org.bouncycastle.operator.AlgorithmNameFinder in the project vcert-java by Venafi.
The class CertificateRequest, method checkCertificate.
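/**
 * Checks that the public key in {@code certificate} is the key this request was made
 * for: the local {@code keyPair} when one is present, otherwise the key embedded in the
 * PEM-encoded {@code csr}. When neither is available the certificate is accepted as is.
 *
 * <p>Keys are compared field by field (RSA: modulus and public exponent; EC: domain
 * parameters and public point) rather than through {@code PublicKey.equals}, whose
 * semantics are provider-specific.
 *
 * @param certificate the certificate issued for this request
 * @return {@code true} when the check passes; a failure always throws instead
 * @throws VCertException if the key algorithm or key material does not match, the
 *         algorithm is unsupported, or the stored CSR cannot be parsed
 */
public boolean checkCertificate(Certificate certificate) throws VCertException {
    PublicKeyAlgorithm publicKeyAlgorithm = KeyType.from(certificate.getPublicKey().getAlgorithm()).X509Type();
    if (keyPair != null && keyPair.getPublic() != null && keyPair.getPrivate() != null) {
        // Fill in the default key type so the algorithm comparison below has a value to work with.
        keyType = keyType == null ? KeyType.defaultKeyType() : keyType;
        if (keyType.X509Type() != publicKeyAlgorithm) {
            throw new VCertException(String.format("unmatched key type: %s, %s", keyType.X509Type(), publicKeyAlgorithm.name()));
        }
        matchPublicKeys(publicKeyAlgorithm, certificate.getPublicKey(), keyPair.getPublic());
    } else if (csr != null && csr.length != 0) {
        // PEM is ASCII, so decoding as UTF-8 is exact and independent of the platform charset.
        // try-with-resources closes the reader on every path, including parse failures.
        try (PemReader pemReader = new PemReader(new StringReader(new String(csr, java.nio.charset.StandardCharsets.UTF_8)))) {
            // readPemObject() returns null when no PEM header is found; guard against the NPE.
            org.bouncycastle.util.io.pem.PemObject pemObject = pemReader.readPemObject();
            if (pemObject == null) {
                throw new VCertException("bad csr: no PEM object found");
            }
            // Named 'request' so the parsed CSR does not shadow the csr field.
            PKCS10CertificationRequest request = new PKCS10CertificationRequest(pemObject.getContent());
            AlgorithmNameFinder nameFinder = new DefaultAlgorithmNameFinder();
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
            String algorithmName = String.valueOf(nameFinder.getAlgorithmName(request.getSubjectPublicKeyInfo().getAlgorithm()));
            PublicKeyAlgorithm csrPublicKeyAlgorithm;
            try {
                csrPublicKeyAlgorithm = PublicKeyAlgorithm.valueOf(algorithmName);
            } catch (IllegalArgumentException e) {
                // An algorithm name with no enum constant is a bad CSR, not a programming error.
                throw new VCertException(String.format("unknown key algorithm %s", algorithmName), e);
            }
            if (publicKeyAlgorithm != csrPublicKeyAlgorithm) {
                throw new VCertException(String.format("unmatched key type: %s, %s", publicKeyAlgorithm, csrPublicKeyAlgorithm));
            }
            matchPublicKeys(csrPublicKeyAlgorithm, certificate.getPublicKey(),
                    converter.getPublicKey(request.getSubjectPublicKeyInfo()));
        } catch (IOException e) {
            throw new VCertException(String.format("bad csr: %s", e.getMessage()), e);
        }
    }
    return true;
}

/**
 * Verifies that {@code certKey} and {@code requestKey} are the same public key for the
 * given algorithm. Only RSA and ECDSA are supported.
 *
 * @throws VCertException if the keys differ or the algorithm is not supported
 */
private static void matchPublicKeys(PublicKeyAlgorithm algorithm, java.security.PublicKey certKey,
        java.security.PublicKey requestKey) throws VCertException {
    switch (algorithm) {
        case RSA:
            matchRsaKeys((RSAPublicKey) certKey, (RSAPublicKey) requestKey);
            break;
        case ECDSA:
            matchEcKeys((ECPublicKey) certKey, (ECPublicKey) requestKey);
            break;
        default:
            throw new VCertException(String.format("unknown key algorithm %s", algorithm.name()));
    }
}

/**
 * Two RSA public keys match only if both the modulus and the public exponent agree.
 *
 * @throws VCertException if either component differs
 */
private static void matchRsaKeys(RSAPublicKey certKey, RSAPublicKey requestKey) throws VCertException {
    if (!certKey.getModulus().equals(requestKey.getModulus())) {
        throw new VCertException("unmatched key modules");
    }
    if (!certKey.getPublicExponent().equals(requestKey.getPublicExponent())) {
        throw new VCertException("unmatched key public exponent");
    }
}

/**
 * Two EC public keys match only if they share the same domain parameters and the same
 * public point.
 *
 * @throws VCertException if the curve parameters or the public point differ
 */
private static void matchEcKeys(ECPublicKey certKey, ECPublicKey requestKey) throws VCertException {
    java.security.spec.ECParameterSpec certSpec = certKey.getParams();
    java.security.spec.ECParameterSpec reqSpec = requestKey.getParams();
    // https://stackoverflow.com/questions/24121801/how-to-verify-if-the-private-key-matches-with-the-certificate
    if (certSpec != reqSpec && !sameCurve(certSpec, reqSpec)) {
        throw new VCertException("unmatched parameters for elliptic keys");
    }
    // Matching domain parameters say nothing about the key itself: every key on the same
    // curve would pass. The public point must agree too (ECPoint.equals compares affine x/y).
    if (!certKey.getW().equals(requestKey.getW())) {
        throw new VCertException("unmatched public point for elliptic keys");
    }
}

/**
 * Compares EC domain parameters field by field: cofactor, order, generator, and the
 * curve's a/b coefficients and field size.
 *
 * @return {@code true} if every compared component is equal
 */
private static boolean sameCurve(java.security.spec.ECParameterSpec first, java.security.spec.ECParameterSpec second) {
    if (first.getCofactor() != second.getCofactor()
            || !first.getOrder().equals(second.getOrder())
            || !first.getGenerator().equals(second.getGenerator())) {
        return false;
    }
    java.security.spec.EllipticCurve firstCurve = first.getCurve();
    java.security.spec.EllipticCurve secondCurve = second.getCurve();
    return firstCurve == secondCurve
            || (firstCurve.getA().equals(secondCurve.getA())
                && firstCurve.getB().equals(secondCurve.getB())
                && firstCurve.getField().getFieldSize() == secondCurve.getField().getFieldSize());
}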