Example 16 with ContentVerifierProvider

use of org.bouncycastle.operator.ContentVerifierProvider in project dgc-gateway by eu-digital-green-certificates.

the class SignerInformationService method certificateSignedByCa.

private boolean certificateSignedByCa(X509CertificateHolder certificate, TrustedPartyEntity caCertificateEntity) {
    X509Certificate caCertificate = trustedPartyService.getX509CertificateFromEntity(caCertificateEntity);
    // Build a verifier from the CA certificate's public key (JCA-backed).
    ContentVerifierProvider verifier;
    try {
        verifier = new JcaContentVerifierProviderBuilder().build(caCertificate);
    } catch (OperatorCreationException e) {
        DgcMdc.put("certHash", caCertificateEntity.getThumbprint());
        log.error("Failed to instantiate JcaContentVerifierProvider from cert");
        return false;
    }
    // isSignatureValid only checks the signature over the TBS structure; validity dates,
    // revocation and path constraints are not covered here. A malformed signature or
    // algorithm mismatch surfaces as CertException/RuntimeOperatorException and is treated
    // as "not signed by this CA" rather than propagated.
    try {
        return certificate.isSignatureValid(verifier);
    } catch (CertException | RuntimeOperatorException e) {
        return false;
    }
}
Also used : JcaContentVerifierProviderBuilder(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder) RuntimeOperatorException(org.bouncycastle.operator.RuntimeOperatorException) CertException(org.bouncycastle.cert.CertException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) X509Certificate(java.security.cert.X509Certificate) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 17 with ContentVerifierProvider

use of org.bouncycastle.operator.ContentVerifierProvider in project OpenAttestation by OpenAttestation.

the class X509AttributeCertificate method isValid.

/**
 * Checks that this attribute certificate's signature verifies against the given
 * issuer certificate and that the certificate is within its validity period
 * (notBefore/notAfter) on the given date.
 *
 * @param issuer the issuer certificate whose public key is used to verify the signature
 * @param date   the date to check against the certificate's validity period
 * @return true if the signature verifies and the certificate is valid on the given date
 */
public boolean isValid(X509Certificate issuer, Date date) {
    try {
        X509AttributeCertificateHolder holder = new X509AttributeCertificateHolder(encoded);
        // Lightweight (Bc) RSA-only verifier built from the issuer's public key; non-RSA issuers fail here.
        ContentVerifierProvider verifierProvider = new BcRSAContentVerifierProviderBuilder(new DefaultDigestAlgorithmIdentifierFinder()).build(new X509CertificateHolder(issuer.getEncoded()));
        if (!holder.isSignatureValid(verifierProvider)) {
            log.debug("Certificate signature cannot be validated with certificate: {}", issuer.getIssuerX500Principal().getName());
            return false;
        }
        // notBefore <= date <= notAfter
        return date.compareTo(notBefore) > -1 && date.compareTo(notAfter) < 1;
    } catch (Exception e) {
        // Any decoding or verifier setup failure is treated as "not valid".
        log.error("Cannot initialize certificate verifier", e);
        return false;
    }
}
Also used : BcRSAContentVerifierProviderBuilder(org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) X509AttributeCertificateHolder(org.bouncycastle.cert.X509AttributeCertificateHolder) DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder) IOException(java.io.IOException) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 18 with ContentVerifierProvider

use of org.bouncycastle.operator.ContentVerifierProvider in project robovm by robovm.

the class JcaContentVerifierProviderBuilder method build.

public ContentVerifierProvider build(final PublicKey publicKey) throws OperatorCreationException {
    return new ContentVerifierProvider() {

        public boolean hasAssociatedCertificate() {
            return false;
        }

        public X509CertificateHolder getAssociatedCertificate() {
            return null;
        }

        public ContentVerifier get(AlgorithmIdentifier algorithm) throws OperatorCreationException {
            SignatureOutputStream stream = createSignatureStream(algorithm, publicKey);
            Signature rawSig = createRawSig(algorithm, publicKey);
            if (rawSig != null) {
                return new RawSigVerifier(algorithm, stream, rawSig);
            } else {
                return new SigVerifier(algorithm, stream);
            }
        }
    };
}
Also used : Signature(java.security.Signature) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)

Example 19 with ContentVerifierProvider

use of org.bouncycastle.operator.ContentVerifierProvider in project robovm by robovm.

the class JcaContentVerifierProviderBuilder method build.

public ContentVerifierProvider build(final X509Certificate certificate) throws OperatorCreationException {
    final X509CertificateHolder certHolder;
    try {
        certHolder = new JcaX509CertificateHolder(certificate);
    } catch (CertificateEncodingException e) {
        throw new OperatorCreationException("cannot process certificate: " + e.getMessage(), e);
    }
    return new ContentVerifierProvider() {

        private SignatureOutputStream stream;

        public boolean hasAssociatedCertificate() {
            return true;
        }

        public X509CertificateHolder getAssociatedCertificate() {
            return certHolder;
        }

        public ContentVerifier get(AlgorithmIdentifier algorithm) throws OperatorCreationException {
            try {
                Signature sig = helper.createSignature(algorithm);
                sig.initVerify(certificate.getPublicKey());
                stream = new SignatureOutputStream(sig);
            } catch (GeneralSecurityException e) {
                throw new OperatorCreationException("exception on setup: " + e, e);
            }
            Signature rawSig = createRawSig(algorithm, certificate.getPublicKey());
            if (rawSig != null) {
                return new RawSigVerifier(algorithm, stream, rawSig);
            } else {
                return new SigVerifier(algorithm, stream);
            }
        }
    };
}
Also used : X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) Signature(java.security.Signature) GeneralSecurityException(java.security.GeneralSecurityException) CertificateEncodingException(java.security.cert.CertificateEncodingException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)

Example 20 with ContentVerifierProvider

use of org.bouncycastle.operator.ContentVerifierProvider in project Openfire by igniterealtime.

the class CertificateManager method createX509V3Certificate.

public static synchronized X509Certificate createX509V3Certificate(KeyPair kp, int days, X500NameBuilder issuerBuilder, X500NameBuilder subjectBuilder, String domain, String signAlgoritm, Set<String> sanDnsNames) throws GeneralSecurityException, IOException {
    PublicKey pubKey = kp.getPublic();
    PrivateKey privKey = kp.getPrivate();
    // 64-bit random serial number. Note: for SHA1PRNG, calling setSeed() before the first
    // nextBytes() replaces the self-seeding, so the serial is derived from the clock value alone.
    byte[] serno = new byte[8];
    SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
    random.setSeed((new Date().getTime()));
    random.nextBytes(serno);
    BigInteger serial = (new java.math.BigInteger(serno)).abs();
    X500Name issuerDN = issuerBuilder.build();
    X500Name subjectDN = subjectBuilder.build();
    // builder: validity runs from now for the requested number of days
    JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
        issuerDN,
        serial,
        new Date(),
        new Date(System.currentTimeMillis() + days * (1000L * 60 * 60 * 24)),
        subjectDN,
        pubKey);
    // add subjectAlternativeName extension that includes all relevant names;
    // it must be critical when the subject DN is empty (RFC 5280 section 4.2.1.6)
    final GeneralNames subjectAlternativeNames = getSubjectAlternativeNames(sanDnsNames);
    final boolean critical = subjectDN.getRDNs().length == 0;
    certBuilder.addExtension(Extension.subjectAlternativeName, critical, subjectAlternativeNames);
    // add keyIdentifier extensions (both derived from the same key, since the cert is self-signed)
    JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
    certBuilder.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(pubKey));
    certBuilder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(pubKey));
    try {
        // build the certificate
        ContentSigner signer = new JcaContentSignerBuilder(signAlgoritm).build(privKey);
        X509CertificateHolder cert = certBuilder.build(signer);
        // verify the validity period
        if (!cert.isValidOn(new Date())) {
            throw new GeneralSecurityException("Certificate validity not valid");
        }
        // verify the signature (self-signed, so the verifier is built from our own public key)
        ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder().build(pubKey);
        if (!cert.isSignatureValid(verifierProvider)) {
            throw new GeneralSecurityException("Certificate signature not valid");
        }
        return new JcaX509CertificateConverter().getCertificate(cert);
    } catch (OperatorCreationException | CertException e) {
        throw new GeneralSecurityException(e);
    }
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) CertException(org.bouncycastle.cert.CertException) X500Name(org.bouncycastle.asn1.x500.X500Name) JcaContentVerifierProviderBuilder(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)
