Examples with DefaultDigestAlgorithmIdentifierFinder org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder used on opensource projects

Search in sources :

Example 11 with DefaultDigestAlgorithmIdentifierFinder

use of org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder in project android by nextcloud.

the class CsrHelper method generateCSR.

/**
 * Create the certificate signing request (CSR) from private and public keys
 *
 * @param keyPair the KeyPair with private and public keys
 * @param userId userId of CSR owner
 * @return PKCS10CertificationRequest with the certificate signing request (CSR) data
 * @throws IOException thrown if key cannot be created
 * @throws OperatorCreationException thrown if contentSigner cannot be build
 */
private static PKCS10CertificationRequest generateCSR(KeyPair keyPair, String userId) throws IOException, OperatorCreationException {
    String principal = "CN=" + userId;
    AsymmetricKeyParameter privateKey = PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded());
    AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1WITHRSA");
    AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find("SHA-1");
    ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(privateKey);
    PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(new X500Name(principal), keyPair.getPublic());
    ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
    extensionsGenerator.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate());
    return csrBuilder.build(signer);
}
Also used : BcRSAContentSignerBuilder(org.bouncycastle.operator.bc.BcRSAContentSignerBuilder) JcaPKCS10CertificationRequestBuilder(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder) AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter) ContentSigner(org.bouncycastle.operator.ContentSigner) JcaPKCS10CertificationRequestBuilder(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder) PKCS10CertificationRequestBuilder(org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder) X500Name(org.bouncycastle.asn1.x500.X500Name) DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) DefaultSignatureAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder) ExtensionsGenerator(org.bouncycastle.asn1.x509.ExtensionsGenerator)

Example 12 with DefaultDigestAlgorithmIdentifierFinder

use of org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder in project OpenAttestation by OpenAttestation.

the class X509AttributeCertificate method isValid.

/**
     * This checks the certificate's notBefore and notAfter dates against the current time.
     * This does NOT check the signature. Do that separately with isTrusted().
     * 
     * @param date to check against the certificate's validity period
     * @return true if the certificate is valid on the given date
     */
public boolean isValid(X509Certificate issuer, Date date) {
    try {
        X509AttributeCertificateHolder holder = new X509AttributeCertificateHolder(encoded);
        ContentVerifierProvider verifierProvider = new BcRSAContentVerifierProviderBuilder(new DefaultDigestAlgorithmIdentifierFinder()).build(new X509CertificateHolder(issuer.getEncoded()));
        if (!holder.isSignatureValid(verifierProvider)) {
            log.debug("Certificate signature cannot be validated with certificate: {}", issuer.getIssuerX500Principal().getName());
            return false;
        }
        return date.compareTo(notBefore) > -1 && date.compareTo(notAfter) < 1;
    } catch (Exception e) {
        log.error("Cannot initialize certificate verifier", e);
        return false;
    }
}
Also used : BcRSAContentVerifierProviderBuilder(org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) X509AttributeCertificateHolder(org.bouncycastle.cert.X509AttributeCertificateHolder) DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder) IOException(java.io.IOException) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 13 with DefaultDigestAlgorithmIdentifierFinder

use of org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder in project OpenAttestation by OpenAttestation.

the class X509AttrBuilder method build.

public byte[] build() {
    if (notBefore == null || notAfter == null) {
        // 1 day default
        expires(1, TimeUnit.DAYS);
    }
    if (serialNumber == null) {
        dateSerial();
    }
    if (subjectName == null) {
        fault("Subject name is missing");
    }
    if (issuerName == null) {
        fault("Issuer name is missing");
    }
    if (issuerPrivateKey == null) {
        fault("Issuer private key is missing");
    }
    if (attributes.isEmpty()) {
        fault("No attributes selected");
    }
    try {
        if (getFaults().isEmpty()) {
            AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
            AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
            ContentSigner authority = null;
            if (issuerPrivateKey != null)
                // create a bouncy castle content signer convert using our existing private key
                authority = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(PrivateKeyFactory.createKey(issuerPrivateKey.getEncoded()));
            // second, prepare the attribute certificate
            // which is expected to be a UUID  like this: 33766a63-5c55-4461-8a84-5936577df450
            AttributeCertificateHolder holder = new AttributeCertificateHolder(subjectName);
            AttributeCertificateIssuer issuer = new AttributeCertificateIssuer(issuerName);
            X509v2AttributeCertificateBuilder builder = new X509v2AttributeCertificateBuilder(holder, issuer, serialNumber, notBefore, notAfter);
            for (Attribute attribute : attributes) {
                builder.addAttribute(attribute.oid, attribute.value);
            }
            // fourth, sign the attribute certificate
            if (authority != null) {
                X509AttributeCertificateHolder cert;
                cert = builder.build(authority);
                //X509AttributeCertificate.valueOf(cert.getEncoded());            
                return cert.getEncoded();
            }
        }
        return null;
    } catch (IOException | OperatorCreationException e) {
        fault(e, "cannot sign certificate");
        return null;
    } finally {
        done();
    }
}
Also used : X509v2AttributeCertificateBuilder(org.bouncycastle.cert.X509v2AttributeCertificateBuilder) AttributeCertificateIssuer(org.bouncycastle.cert.AttributeCertificateIssuer) X509AttributeCertificateHolder(org.bouncycastle.cert.X509AttributeCertificateHolder) AttributeCertificateHolder(org.bouncycastle.cert.AttributeCertificateHolder) ContentSigner(org.bouncycastle.operator.ContentSigner) X509AttributeCertificateHolder(org.bouncycastle.cert.X509AttributeCertificateHolder) IOException(java.io.IOException) DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) DefaultSignatureAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder) BcRSAContentSignerBuilder(org.bouncycastle.operator.bc.BcRSAContentSignerBuilder) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)

Example 14 with DefaultDigestAlgorithmIdentifierFinder

use of org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder in project poi by apache.

the class TSPTimeStampService method timeStamp.

@SuppressWarnings("unchecked")
public byte[] timeStamp(byte[] data, RevocationData revocationData) throws Exception {
    // digest the message
    MessageDigest messageDigest = CryptoFunctions.getMessageDigest(signatureConfig.getTspDigestAlgo());
    byte[] digest = messageDigest.digest(data);
    // generate the TSP request
    BigInteger nonce = new BigInteger(128, new SecureRandom());
    TimeStampRequestGenerator requestGenerator = new TimeStampRequestGenerator();
    requestGenerator.setCertReq(true);
    String requestPolicy = signatureConfig.getTspRequestPolicy();
    if (requestPolicy != null) {
        requestGenerator.setReqPolicy(new ASN1ObjectIdentifier(requestPolicy));
    }
    ASN1ObjectIdentifier digestAlgoOid = mapDigestAlgoToOID(signatureConfig.getTspDigestAlgo());
    TimeStampRequest request = requestGenerator.generate(digestAlgoOid, digest, nonce);
    byte[] encodedRequest = request.getEncoded();
    // create the HTTP POST request
    Proxy proxy = Proxy.NO_PROXY;
    if (signatureConfig.getProxyUrl() != null) {
        URL proxyUrl = new URL(signatureConfig.getProxyUrl());
        String host = proxyUrl.getHost();
        int port = proxyUrl.getPort();
        proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(InetAddress.getByName(host), (port == -1 ? 80 : port)));
    }
    HttpURLConnection huc = (HttpURLConnection) new URL(signatureConfig.getTspUrl()).openConnection(proxy);
    if (signatureConfig.getTspUser() != null) {
        String userPassword = signatureConfig.getTspUser() + ":" + signatureConfig.getTspPass();
        String encoding = DatatypeConverter.printBase64Binary(userPassword.getBytes(Charset.forName("iso-8859-1")));
        huc.setRequestProperty("Authorization", "Basic " + encoding);
    }
    huc.setRequestMethod("POST");
    huc.setConnectTimeout(20000);
    huc.setReadTimeout(20000);
    // also sets method to POST.
    huc.setDoOutput(true);
    huc.setRequestProperty("User-Agent", signatureConfig.getUserAgent());
    huc.setRequestProperty("Content-Type", signatureConfig.isTspOldProtocol() ? "application/timestamp-request" : // "; charset=ISO-8859-1");
    "application/timestamp-query");
    OutputStream hucOut = huc.getOutputStream();
    hucOut.write(encodedRequest);
    // invoke TSP service
    huc.connect();
    int statusCode = huc.getResponseCode();
    if (statusCode != 200) {
        LOG.log(POILogger.ERROR, "Error contacting TSP server ", signatureConfig.getTspUrl() + ", had status code " + statusCode + "/" + huc.getResponseMessage());
        throw new IOException("Error contacting TSP server " + signatureConfig.getTspUrl() + ", had status code " + statusCode + "/" + huc.getResponseMessage());
    }
    // HTTP input validation
    String contentType = huc.getHeaderField("Content-Type");
    if (null == contentType) {
        throw new RuntimeException("missing Content-Type header");
    }
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    IOUtils.copy(huc.getInputStream(), bos);
    LOG.log(POILogger.DEBUG, "response content: ", HexDump.dump(bos.toByteArray(), 0, 0));
    if (!contentType.startsWith(signatureConfig.isTspOldProtocol() ? "application/timestamp-response" : "application/timestamp-reply")) {
        throw new RuntimeException("invalid Content-Type: " + contentType + // dump the first few bytes
        ": " + HexDump.dump(bos.toByteArray(), 0, 0, 200));
    }
    if (bos.size() == 0) {
        throw new RuntimeException("Content-Length is zero");
    }
    // TSP response parsing and validation
    TimeStampResponse timeStampResponse = new TimeStampResponse(bos.toByteArray());
    timeStampResponse.validate(request);
    if (0 != timeStampResponse.getStatus()) {
        LOG.log(POILogger.DEBUG, "status: " + timeStampResponse.getStatus());
        LOG.log(POILogger.DEBUG, "status string: " + timeStampResponse.getStatusString());
        PKIFailureInfo failInfo = timeStampResponse.getFailInfo();
        if (null != failInfo) {
            LOG.log(POILogger.DEBUG, "fail info int value: " + failInfo.intValue());
            if (/*PKIFailureInfo.unacceptedPolicy*/
            (1 << 8) == failInfo.intValue()) {
                LOG.log(POILogger.DEBUG, "unaccepted policy");
            }
        }
        throw new RuntimeException("timestamp response status != 0: " + timeStampResponse.getStatus());
    }
    TimeStampToken timeStampToken = timeStampResponse.getTimeStampToken();
    SignerId signerId = timeStampToken.getSID();
    BigInteger signerCertSerialNumber = signerId.getSerialNumber();
    X500Name signerCertIssuer = signerId.getIssuer();
    LOG.log(POILogger.DEBUG, "signer cert serial number: " + signerCertSerialNumber);
    LOG.log(POILogger.DEBUG, "signer cert issuer: " + signerCertIssuer);
    // TSP signer certificates retrieval
    Collection<X509CertificateHolder> certificates = timeStampToken.getCertificates().getMatches(null);
    X509CertificateHolder signerCert = null;
    Map<X500Name, X509CertificateHolder> certificateMap = new HashMap<X500Name, X509CertificateHolder>();
    for (X509CertificateHolder certificate : certificates) {
        if (signerCertIssuer.equals(certificate.getIssuer()) && signerCertSerialNumber.equals(certificate.getSerialNumber())) {
            signerCert = certificate;
        }
        certificateMap.put(certificate.getSubject(), certificate);
    }
    // TSP signer cert path building
    if (signerCert == null) {
        throw new RuntimeException("TSP response token has no signer certificate");
    }
    List<X509Certificate> tspCertificateChain = new ArrayList<X509Certificate>();
    JcaX509CertificateConverter x509converter = new JcaX509CertificateConverter();
    x509converter.setProvider("BC");
    X509CertificateHolder certificate = signerCert;
    do {
        LOG.log(POILogger.DEBUG, "adding to certificate chain: " + certificate.getSubject());
        tspCertificateChain.add(x509converter.getCertificate(certificate));
        if (certificate.getSubject().equals(certificate.getIssuer())) {
            break;
        }
        certificate = certificateMap.get(certificate.getIssuer());
    } while (null != certificate);
    // verify TSP signer signature
    X509CertificateHolder holder = new X509CertificateHolder(tspCertificateChain.get(0).getEncoded());
    DefaultCMSSignatureAlgorithmNameGenerator nameGen = new DefaultCMSSignatureAlgorithmNameGenerator();
    DefaultSignatureAlgorithmIdentifierFinder sigAlgoFinder = new DefaultSignatureAlgorithmIdentifierFinder();
    DefaultDigestAlgorithmIdentifierFinder hashAlgoFinder = new DefaultDigestAlgorithmIdentifierFinder();
    BcDigestCalculatorProvider calculator = new BcDigestCalculatorProvider();
    BcRSASignerInfoVerifierBuilder verifierBuilder = new BcRSASignerInfoVerifierBuilder(nameGen, sigAlgoFinder, hashAlgoFinder, calculator);
    SignerInformationVerifier verifier = verifierBuilder.build(holder);
    timeStampToken.validate(verifier);
    // verify TSP signer certificate
    if (signatureConfig.getTspValidator() != null) {
        signatureConfig.getTspValidator().validate(tspCertificateChain, revocationData);
    }
    LOG.log(POILogger.DEBUG, "time-stamp token time: " + timeStampToken.getTimeStampInfo().getGenTime());
    return timeStampToken.getEncoded();
}
Also used : DefaultCMSSignatureAlgorithmNameGenerator(org.bouncycastle.cms.DefaultCMSSignatureAlgorithmNameGenerator) HashMap(java.util.HashMap) InetSocketAddress(java.net.InetSocketAddress) ByteArrayOutputStream(java.io.ByteArrayOutputStream) OutputStream(java.io.OutputStream) ArrayList(java.util.ArrayList) X500Name(org.bouncycastle.asn1.x500.X500Name) DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder) URL(java.net.URL) TimeStampResponse(org.bouncycastle.tsp.TimeStampResponse) Proxy(java.net.Proxy) HttpURLConnection(java.net.HttpURLConnection) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) MessageDigest(java.security.MessageDigest) SignerInformationVerifier(org.bouncycastle.cms.SignerInformationVerifier) BcDigestCalculatorProvider(org.bouncycastle.operator.bc.BcDigestCalculatorProvider) SecureRandom(java.security.SecureRandom) IOException(java.io.IOException) ByteArrayOutputStream(java.io.ByteArrayOutputStream) TimeStampRequest(org.bouncycastle.tsp.TimeStampRequest) X509Certificate(java.security.cert.X509Certificate) DefaultSignatureAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder) PKIFailureInfo(org.bouncycastle.asn1.cmp.PKIFailureInfo) SignerId(org.bouncycastle.cms.SignerId) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) TimeStampRequestGenerator(org.bouncycastle.tsp.TimeStampRequestGenerator) BcRSASignerInfoVerifierBuilder(org.bouncycastle.cms.bc.BcRSASignerInfoVerifierBuilder) TimeStampToken(org.bouncycastle.tsp.TimeStampToken) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 15 with DefaultDigestAlgorithmIdentifierFinder

use of org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder in project service-proxy by membrane.

the class GeneratingSSLContext method sign.

public static X509Certificate sign(String subjectName, X509Certificate caPublic, PrivateKey caPrivate, PublicKey keyPublic) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, IOException, OperatorCreationException, CertificateException {
    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
    AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(caPrivate.getEncoded());
    SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(keyPublic.getEncoded());
    org.bouncycastle.asn1.x500.X500Name caName = new JcaX509CertificateHolder(caPublic).getSubject();
    X509v3CertificateBuilder myCertificateGenerator = new X509v3CertificateBuilder(caName, new BigInteger("1"), new Date(System.currentTimeMillis() - 30 * 24 * 24 * 60 * 60 * 1000), new Date(System.currentTimeMillis() + 30 * 365 * 24 * 60 * 60 * 1000), new org.bouncycastle.asn1.x500.X500Name(subjectName), keyInfo);
    ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(foo);
    X509CertificateHolder holder = myCertificateGenerator.build(sigGen);
    org.bouncycastle.asn1.x509.Certificate eeX509CertificateStructure = holder.toASN1Structure();
    CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
    // Read Certificate
    InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded());
    X509Certificate theCert = (X509Certificate) cf.generateCertificate(is1);
    is1.close();
    return theCert;
// return null;
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ContentSigner(org.bouncycastle.operator.ContentSigner) DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) CertificateFactory(java.security.cert.CertificateFactory) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) DefaultSignatureAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder) BcRSAContentSignerBuilder(org.bouncycastle.operator.bc.BcRSAContentSignerBuilder) AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter) ByteArrayInputStream(java.io.ByteArrayInputStream) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) BigInteger(java.math.BigInteger)

Aggregations

DefaultDigestAlgorithmIdentifierFinder (org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder)22 AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)19 DefaultSignatureAlgorithmIdentifierFinder (org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder)19 BcRSAContentSignerBuilder (org.bouncycastle.operator.bc.BcRSAContentSignerBuilder)18 ContentSigner (org.bouncycastle.operator.ContentSigner)17 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)14 AsymmetricKeyParameter (org.bouncycastle.crypto.params.AsymmetricKeyParameter)12 BigInteger (java.math.BigInteger)11 X500Name (org.bouncycastle.asn1.x500.X500Name)11 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)11 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)10 Date (java.util.Date)9 IOException (java.io.IOException)8 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)8 X509Certificate (java.security.cert.X509Certificate)7 SecureRandom (java.security.SecureRandom)4 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)4 EOFException (java.io.EOFException)3 GeneralSecurityException (java.security.GeneralSecurityException)3 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial