Example 11 with ContentVerifierProvider
use of org.bouncycastle.operator.ContentVerifierProvider in project xipki by xipki.
the class OcspQa method checkOcsp.
// method checkOcsp
public ValidationResult checkOcsp(OCSPResp response, IssuerHash issuerHash, List<BigInteger> serialNumbers, Map<BigInteger, byte[]> encodedCerts, Map<BigInteger, OcspCertStatus> expectedOcspStatuses, Map<BigInteger, Date> expectedRevTimes, OcspResponseOption responseOption, boolean noSigVerify) {
notNull(response, "response");
notEmpty(serialNumbers, "serialNumbers");
notEmpty(expectedOcspStatuses, "expectedOcspStatuses");
notNull(responseOption, "responseOption");
List<ValidationIssue> resultIssues = new LinkedList<>();
int status = response.getStatus();
// Response status
ValidationIssue issue = new ValidationIssue("OCSP.STATUS", "response.status");
resultIssues.add(issue);
if (status != 0) {
issue.setFailureMessage("is '" + Unsuccessful.getStatusText(status) + "', but expected 'successful'");
return new ValidationResult(resultIssues);
}
ValidationIssue encodingIssue = new ValidationIssue("OCSP.ENCODING", "response encoding");
resultIssues.add(encodingIssue);
BasicOCSPResp basicResp;
try {
basicResp = (BasicOCSPResp) response.getResponseObject();
} catch (OCSPException ex) {
encodingIssue.setFailureMessage(ex.getMessage());
return new ValidationResult(resultIssues);
}
SingleResp[] singleResponses = basicResp.getResponses();
issue = new ValidationIssue("OCSP.RESPONSES.NUM", "number of single responses");
resultIssues.add(issue);
if (singleResponses == null || singleResponses.length == 0) {
issue.setFailureMessage("received no status from server");
return new ValidationResult(resultIssues);
}
final int n = singleResponses.length;
if (n != serialNumbers.size()) {
issue.setFailureMessage("is '" + n + "', but expected '" + serialNumbers.size() + "'");
return new ValidationResult(resultIssues);
}
boolean hasSignature = basicResp.getSignature() != null;
// check the signature if available
if (noSigVerify) {
issue = new ValidationIssue("OCSP.SIG", (hasSignature ? "signature presence (Ignore)" : "signature presence"));
} else {
issue = new ValidationIssue("OCSP.SIG", "signature presence");
}
resultIssues.add(issue);
if (!hasSignature) {
issue.setFailureMessage("response is not signed");
}
if (hasSignature && !noSigVerify) {
// signature algorithm
issue = new ValidationIssue("OCSP.SIG.ALG", "signature algorithm");
resultIssues.add(issue);
SignAlgo expectedSigalgo = responseOption.getSignatureAlg();
if (expectedSigalgo != null) {
try {
SignAlgo signAlgo = SignAlgo.getInstance(basicResp.getSignatureAlgorithmID());
if (signAlgo != expectedSigalgo) {
issue.setFailureMessage("is '" + signAlgo.getJceName() + "', but expected '" + expectedSigalgo.getJceName() + "'");
}
} catch (NoSuchAlgorithmException ex) {
issue.setFailureMessage("could not extract the signature algorithm");
}
}
// end if (expectedSigalgo != null)
// signer certificate
ValidationIssue sigSignerCertIssue = new ValidationIssue("OCSP.SIGNERCERT", "signer certificate");
resultIssues.add(sigSignerCertIssue);
// signature validation
ValidationIssue sigValIssue = new ValidationIssue("OCSP.SIG.VALIDATION", "signature validation");
resultIssues.add(sigValIssue);
X509CertificateHolder respSigner = null;
X509CertificateHolder[] responderCerts = basicResp.getCerts();
if (responderCerts == null || responderCerts.length < 1) {
sigSignerCertIssue.setFailureMessage("no responder certificate is contained in the response");
sigValIssue.setFailureMessage("could not find certificate to validate signature");
} else {
ResponderID respId = basicResp.getResponderId().toASN1Primitive();
X500Name respIdByName = respId.getName();
byte[] respIdByKey = respId.getKeyHash();
for (X509CertificateHolder cert : responderCerts) {
if (respIdByName != null) {
if (cert.getSubject().equals(respIdByName)) {
respSigner = cert;
}
} else {
byte[] spkiSha1 = HashAlgo.SHA1.hash(cert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes());
if (Arrays.equals(respIdByKey, spkiSha1)) {
respSigner = cert;
}
}
if (respSigner != null) {
break;
}
}
if (respSigner == null) {
sigSignerCertIssue.setFailureMessage("no responder certificate match the ResponderId");
sigValIssue.setFailureMessage("could not find certificate matching the" + " ResponderId to validate signature");
}
}
if (respSigner != null) {
issue = new ValidationIssue("OCSP.SIGNERCERT.TRUST", "signer certificate validation");
resultIssues.add(issue);
for (int i = 0; i < singleResponses.length; i++) {
SingleResp singleResp = singleResponses[i];
if (!respSigner.isValidOn(singleResp.getThisUpdate())) {
issue.setFailureMessage(String.format("responder certificate is not valid on the thisUpdate[%d]: %s", i, singleResp.getThisUpdate()));
}
}
// end for
X509Cert respIssuer = responseOption.getRespIssuer();
if (!issue.isFailed() && respIssuer != null) {
X509Cert jceRespSigner;
try {
jceRespSigner = new X509Cert(respSigner);
if (X509Util.issues(respIssuer, jceRespSigner)) {
jceRespSigner.verify(respIssuer.getPublicKey());
} else {
issue.setFailureMessage("responder signer is not trusted");
}
} catch (Exception ex) {
issue.setFailureMessage("responder signer is not trusted");
}
}
try {
PublicKey responderPubKey = KeyUtil.generatePublicKey(respSigner.getSubjectPublicKeyInfo());
ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(responderPubKey);
boolean sigValid = basicResp.isSignatureValid(cvp);
if (!sigValid) {
sigValIssue.setFailureMessage("signature is invalid");
}
} catch (Exception ex) {
sigValIssue.setFailureMessage("could not validate signature");
}
}
// end if
}
// end if (hasSignature)
// nonce
Extension nonceExtn = basicResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
resultIssues.add(checkOccurrence("OCSP.NONCE", nonceExtn, responseOption.getNonceOccurrence()));
boolean extendedRevoke = basicResp.getExtension(ObjectIdentifiers.Extn.id_pkix_ocsp_extendedRevoke) != null;
for (int i = 0; i < singleResponses.length; i++) {
SingleResp singleResp = singleResponses[i];
BigInteger serialNumber = singleResp.getCertID().getSerialNumber();
OcspCertStatus expectedStatus = expectedOcspStatuses.get(serialNumber);
Date expectedRevTime = null;
if (expectedRevTimes != null) {
expectedRevTime = expectedRevTimes.get(serialNumber);
}
byte[] encodedCert = null;
if (encodedCerts != null) {
encodedCert = encodedCerts.get(serialNumber);
}
List<ValidationIssue> issues = checkSingleCert(i, singleResp, issuerHash, expectedStatus, encodedCert, expectedRevTime, extendedRevoke, responseOption.getNextUpdateOccurrence(), responseOption.getCerthashOccurrence(), responseOption.getCerthashAlg());
resultIssues.addAll(issues);
}
return new ValidationResult(resultIssues);
}
Also used :
ResponderID(org.bouncycastle.asn1.ocsp.ResponderID)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
ValidationResult(org.xipki.qa.ValidationResult)
ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)
PublicKey(java.security.PublicKey)
ValidationIssue(org.xipki.qa.ValidationIssue)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
Extension(org.bouncycastle.asn1.x509.Extension)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
Example 12 with ContentVerifierProvider
use of org.bouncycastle.operator.ContentVerifierProvider in project jruby-openssl by jruby.
the class OCSPBasicResponse method verify.
@JRubyMethod(name = "verify", rest = true)
public IRubyObject verify(final ThreadContext context, IRubyObject[] args) {
Ruby runtime = context.runtime;
int flags = 0;
IRubyObject certificates = args[0];
IRubyObject store = args[1];
boolean ret = false;
if (Arity.checkArgumentCount(runtime, args, 2, 3) == 3) {
flags = RubyFixnum.fix2int(args[2]);
}
JcaContentVerifierProviderBuilder jcacvpb = newJcaContentVerifierProviderBuilder();
BasicOCSPResp basicOCSPResp = getBasicOCSPResp();
java.security.cert.Certificate signer = findSignerCert(context, asn1BCBasicOCSPResp, convertRubyCerts(certificates), flags);
if (signer == null)
return RubyBoolean.newBoolean(runtime, false);
if ((flags & RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_NOINTERN))) == 0 && (flags & RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_TRUSTOTHER))) != 0) {
flags |= RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_NOVERIFY));
}
if ((flags & RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_NOSIGS))) == 0) {
PublicKey sPKey = signer.getPublicKey();
if (sPKey == null)
return RubyBoolean.newBoolean(runtime, false);
try {
ContentVerifierProvider cvp = jcacvpb.build(sPKey);
ret = basicOCSPResp.isSignatureValid(cvp);
} catch (Exception e) {
throw newOCSPError(runtime, e);
}
}
if ((flags & RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_NOVERIFY))) == 0) {
List<X509Cert> untrustedCerts;
if ((flags & RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_NOCHAIN))) != 0) {
untrustedCerts = Collections.EMPTY_LIST;
} else if (basicOCSPResp.getCerts() != null && (certificates != null && !((RubyArray) certificates).isEmpty())) {
untrustedCerts = getCertsFromResp(context);
Iterator<java.security.cert.Certificate> certIt = ((RubyArray) certificates).iterator();
while (certIt.hasNext()) {
try {
untrustedCerts.add(X509Cert.wrap(context, certIt.next().getEncoded()));
} catch (CertificateEncodingException e) {
throw newOCSPError(runtime, e);
}
}
} else {
untrustedCerts = getCertsFromResp(context);
}
RubyArray rUntrustedCerts = RubyArray.newArray(runtime, untrustedCerts);
X509StoreContext ctx;
try {
ctx = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), rUntrustedCerts);
} catch (CertificateEncodingException e) {
throw newOCSPError(runtime, e);
}
ctx.set_purpose(context, _X509(runtime).getConstant("PURPOSE_OCSP_HELPER"));
ret = ctx.verify(context).isTrue();
IRubyObject chain = ctx.chain(context);
if ((flags & RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_NOCHECKS))) > 0) {
ret = true;
}
try {
if (checkIssuer(getBasicOCSPResp(), chain))
return RubyBoolean.newBoolean(runtime, true);
} catch (IOException e) {
throw newOCSPError(runtime, e);
}
if ((flags & RubyFixnum.fix2int((RubyFixnum) _OCSP(runtime).getConstant(OCSP_NOCHAIN))) != 0) {
return RubyBoolean.newBoolean(runtime, ret);
} else {
X509Cert rootCA = (X509Cert) ((RubyArray) chain).last();
PublicKey rootKey = rootCA.getAuxCert().getPublicKey();
try {
// check if self-signed and valid (trusts itself)
rootCA.getAuxCert().verify(rootKey);
ret = true;
} catch (Exception e) {
ret = false;
}
}
}
return RubyBoolean.newBoolean(runtime, ret);
}
Also used :
RubyArray(org.jruby.RubyArray)
PublicKey(java.security.PublicKey)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
IOException(java.io.IOException)
IRubyObject(org.jruby.runtime.builtin.IRubyObject)
RubyFixnum(org.jruby.RubyFixnum)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
CertificateParsingException(java.security.cert.CertificateParsingException)
IOException(java.io.IOException)
JcaContentVerifierProviderBuilder(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
Iterator(java.util.Iterator)
Ruby(org.jruby.Ruby)
ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)
JRubyMethod(org.jruby.anno.JRubyMethod)
Example 13 with ContentVerifierProvider
use of org.bouncycastle.operator.ContentVerifierProvider in project jruby-openssl by jruby.
the class OCSPRequest method verify.
@JRubyMethod(name = "verify", rest = true)
public IRubyObject verify(ThreadContext context, IRubyObject[] args) {
Ruby runtime = context.runtime;
int flags = 0;
boolean ret = false;
if (Arity.checkArgumentCount(runtime, args, 2, 3) == 3) {
flags = RubyFixnum.fix2int((RubyFixnum) args[2]);
}
IRubyObject certificates = args[0];
IRubyObject store = args[1];
OCSPReq bcOCSPReq = getBCOCSPReq();
if (bcOCSPReq == null) {
throw newOCSPError(runtime, new NullPointerException("Missing BC asn1bcReq. Missing certIDs or signature?"));
}
if (!bcOCSPReq.isSigned()) {
return RubyBoolean.newBoolean(runtime, ret);
}
GeneralName genName = bcOCSPReq.getRequestorName();
if (genName.getTagNo() != 4) {
return RubyBoolean.newBoolean(runtime, ret);
}
X500Name genX500Name = X500Name.getInstance(genName.getName());
X509StoreContext storeContext;
try {
java.security.cert.Certificate signer = findCertByName(genX500Name, certificates, flags);
if (signer == null)
return RubyBoolean.newBoolean(runtime, ret);
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOINTERN))) > 0 && ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_TRUSTOTHER))) > 0))
flags |= RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOVERIFY));
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOSIGS))) == 0) {
PublicKey signerPubKey = signer.getPublicKey();
ContentVerifierProvider cvp = newJcaContentVerifierProviderBuilder().build(signerPubKey);
ret = bcOCSPReq.isSignatureValid(cvp);
if (!ret) {
return RubyBoolean.newBoolean(runtime, ret);
}
}
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOVERIFY))) == 0) {
if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOCHAIN))) > 0) {
storeContext = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), context.nil);
} else {
RubyArray certs = RubyArray.newEmptyArray(runtime);
ASN1Sequence bcCerts = asn1bcReq.getOptionalSignature().getCerts();
if (bcCerts != null) {
Iterator<ASN1Encodable> it = bcCerts.iterator();
while (it.hasNext()) {
Certificate cert = Certificate.getInstance(it.next());
certs.add(X509Cert.wrap(runtime, new X509AuxCertificate(cert)));
}
}
storeContext = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), certs);
}
storeContext.set_purpose(context, _X509(runtime).getConstant("PURPOSE_OCSP_HELPER"));
storeContext.set_trust(context, _X509(runtime).getConstant("TRUST_OCSP_REQUEST"));
ret = storeContext.verify(context).isTrue();
if (!ret)
return RubyBoolean.newBoolean(runtime, false);
}
} catch (Exception e) {
debugStackTrace(e);
throw newOCSPError(runtime, e);
}
return RubyBoolean.newBoolean(getRuntime(), ret);
}
Also used :
RubyArray(org.jruby.RubyArray)
PublicKey(java.security.PublicKey)
X500Name(org.bouncycastle.asn1.x500.X500Name)
IRubyObject(org.jruby.runtime.builtin.IRubyObject)
RubyFixnum(org.jruby.RubyFixnum)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
X509AuxCertificate(org.jruby.ext.openssl.x509store.X509AuxCertificate)
Ruby(org.jruby.Ruby)
ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
X509AuxCertificate(org.jruby.ext.openssl.x509store.X509AuxCertificate)
JRubyMethod(org.jruby.anno.JRubyMethod)
Example 14 with ContentVerifierProvider
use of org.bouncycastle.operator.ContentVerifierProvider in project jruby-openssl by jruby.
the class SecurityHelper method verify.
static boolean verify(final X509CRL crl, final PublicKey publicKey, final boolean silent) throws NoSuchAlgorithmException, CRLException, InvalidKeyException, SignatureException {
if (crl instanceof X509CRLObject) {
final CertificateList crlList = (CertificateList) getCertificateList(crl);
final AlgorithmIdentifier tbsSignatureId = crlList.getTBSCertList().getSignature();
if (!crlList.getSignatureAlgorithm().equals(tbsSignatureId)) {
if (silent)
return false;
throw new CRLException("Signature algorithm on CertificateList does not match TBSCertList.");
}
final Signature signature = getSignature(crl.getSigAlgName(), securityProvider);
signature.initVerify(publicKey);
signature.update(crl.getTBSCertList());
if (!signature.verify(crl.getSignature())) {
if (silent)
return false;
throw new SignatureException("CRL does not verify with supplied public key.");
}
return true;
} else {
try {
final DigestAlgorithmIdentifierFinder digestAlgFinder = new DefaultDigestAlgorithmIdentifierFinder();
final ContentVerifierProvider verifierProvider;
if ("DSA".equalsIgnoreCase(publicKey.getAlgorithm())) {
BigInteger y = ((DSAPublicKey) publicKey).getY();
DSAParams params = ((DSAPublicKey) publicKey).getParams();
DSAParameters parameters = new DSAParameters(params.getP(), params.getQ(), params.getG());
AsymmetricKeyParameter dsaKey = new DSAPublicKeyParameters(y, parameters);
verifierProvider = new BcDSAContentVerifierProviderBuilder(digestAlgFinder).build(dsaKey);
} else {
BigInteger mod = ((RSAPublicKey) publicKey).getModulus();
BigInteger exp = ((RSAPublicKey) publicKey).getPublicExponent();
AsymmetricKeyParameter rsaKey = new RSAKeyParameters(false, mod, exp);
verifierProvider = new BcRSAContentVerifierProviderBuilder(digestAlgFinder).build(rsaKey);
}
return new X509CRLHolder(crl.getEncoded()).isSignatureValid(verifierProvider);
} catch (OperatorException e) {
throw new SignatureException(e);
} catch (CertException e) {
throw new SignatureException(e);
}// can happen if the input is DER but does not match expected structure
catch (ClassCastException e) {
throw new SignatureException(e);
} catch (IOException e) {
throw new SignatureException(e);
}
}
}
Also used :
DSAPublicKeyParameters(org.bouncycastle.crypto.params.DSAPublicKeyParameters)
X509CRLObject(org.bouncycastle.jce.provider.X509CRLObject)
BcRSAContentVerifierProviderBuilder(org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder)
CertificateList(org.bouncycastle.asn1.x509.CertificateList)
CertException(org.bouncycastle.cert.CertException)
SignatureException(java.security.SignatureException)
DSAParams(java.security.interfaces.DSAParams)
IOException(java.io.IOException)
DigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DigestAlgorithmIdentifierFinder)
DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder)
DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder)
RSAKeyParameters(org.bouncycastle.crypto.params.RSAKeyParameters)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
DSAPublicKey(java.security.interfaces.DSAPublicKey)
AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter)
RSAPublicKey(java.security.interfaces.RSAPublicKey)
Signature(java.security.Signature)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
BigInteger(java.math.BigInteger)
BcDSAContentVerifierProviderBuilder(org.bouncycastle.operator.bc.BcDSAContentVerifierProviderBuilder)
CRLException(java.security.cert.CRLException)
DSAParameters(org.bouncycastle.crypto.params.DSAParameters)
OperatorException(org.bouncycastle.operator.OperatorException)
ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)
Example 15 with ContentVerifierProvider
use of org.bouncycastle.operator.ContentVerifierProvider in project ozone by apache.
the class TestCertificateSignRequest method testGenerateCSR.
@Test
public void testGenerateCSR() throws NoSuchProviderException, NoSuchAlgorithmException, SCMSecurityException, OperatorCreationException, PKCSException {
String clusterID = UUID.randomUUID().toString();
String scmID = UUID.randomUUID().toString();
String subject = "DN001";
HDDSKeyGenerator keyGen = new HDDSKeyGenerator(securityConfig.getConfiguration());
KeyPair keyPair = keyGen.generateKey();
CertificateSignRequest.Builder builder = new CertificateSignRequest.Builder().setSubject(subject).setScmID(scmID).setClusterID(clusterID).setKey(keyPair).setConfiguration(conf);
PKCS10CertificationRequest csr = builder.build();
// Check the Subject Name is in the expected format.
String dnName = String.format(SecurityUtil.getDistinguishedNameFormat(), subject, scmID, clusterID);
Assert.assertEquals(csr.getSubject().toString(), dnName);
// Verify the public key info match
byte[] encoded = keyPair.getPublic().getEncoded();
SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(encoded));
SubjectPublicKeyInfo csrPublicKeyInfo = csr.getSubjectPublicKeyInfo();
Assert.assertEquals(csrPublicKeyInfo, subjectPublicKeyInfo);
// Verify CSR with attribute for extensions
Assert.assertEquals(1, csr.getAttributes().length);
Extensions extensions = SecurityUtil.getPkcs9Extensions(csr);
// Verify key usage extension
Extension keyUsageExt = extensions.getExtension(Extension.keyUsage);
Assert.assertEquals(true, keyUsageExt.isCritical());
// Verify San extension not set
Assert.assertEquals(null, extensions.getExtension(Extension.subjectAlternativeName));
// Verify signature in CSR
ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder().setProvider(securityConfig.getProvider()).build(csr.getSubjectPublicKeyInfo());
Assert.assertEquals(true, csr.isSignatureValid(verifierProvider));
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
Extension(org.bouncycastle.asn1.x509.Extension)
KeyPair(java.security.KeyPair)
JcaContentVerifierProviderBuilder(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder)
HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator)
Extensions(org.bouncycastle.asn1.x509.Extensions)
CertificateSignRequest(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)
Test(org.junit.Test)
Aggregations
ContentVerifierProvider (org.bouncycastle.operator.ContentVerifierProvider)30
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)11
PublicKey (java.security.PublicKey)10
X500Name (org.bouncycastle.asn1.x500.X500Name)10
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)10
OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)9
JcaContentVerifierProviderBuilder (org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder)9
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)7
X509Certificate (java.security.cert.X509Certificate)7
BigInteger (java.math.BigInteger)6
InvalidKeyException (java.security.InvalidKeyException)6
IOException (java.io.IOException)5
Extension (org.bouncycastle.asn1.x509.Extension)5
Date (java.util.Date)4
ProtectedPKIMessage (org.bouncycastle.cert.cmp.ProtectedPKIMessage)4
BasicOCSPResp (org.bouncycastle.cert.ocsp.BasicOCSPResp)4
OCSPReq (org.bouncycastle.cert.ocsp.OCSPReq)4
GeneralSecurityException (java.security.GeneralSecurityException)3
InvalidKeySpecException (java.security.spec.InvalidKeySpecException)3
ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)3
