use of org.bouncycastle.operator.bc.BcDigestCalculatorProvider in project xipki by xipki.
the class PkiMessage method encode.
public ContentInfo encode(ContentSigner signer, X509Certificate signerCert, X509Certificate[] cmsCertSet, X509Certificate recipientCert, ASN1ObjectIdentifier encAlgId) throws MessageEncodingException {
ScepUtil.requireNonNull("signer", signer);
ScepUtil.requireNonNull("signerCert", signerCert);
if (messageData != null) {
ScepUtil.requireNonNull("recipientCert", recipientCert);
ScepUtil.requireNonNull("encAlgId", encAlgId);
}
CMSTypedData content;
if (messageData == null) {
content = new CMSAbsentContent();
} else {
CMSEnvelopedData envelopedData = encrypt(recipientCert, encAlgId);
byte[] encoded;
try {
encoded = envelopedData.getEncoded();
} catch (IOException ex) {
throw new MessageEncodingException(ex);
}
content = new CMSProcessableByteArray(CMSObjectIdentifiers.envelopedData, encoded);
}
try {
CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
// signerInfo
JcaSignerInfoGeneratorBuilder signerInfoBuilder = new JcaSignerInfoGeneratorBuilder(new BcDigestCalculatorProvider());
signerInfoBuilder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(getSignedAttributes()));
AttributeTable attrTable = getUnsignedAttributes();
if (attrTable != null) {
signerInfoBuilder.setUnsignedAttributeGenerator(new SimpleAttributeTableGenerator(attrTable));
}
// certificateSet
ScepUtil.addCmsCertSet(generator, cmsCertSet);
SignerInfoGenerator signerInfo;
try {
signerInfo = signerInfoBuilder.build(signer, signerCert);
} catch (Exception ex) {
throw new MessageEncodingException(ex);
}
generator.addSignerInfoGenerator(signerInfo);
CMSSignedData signedData = generator.generate(content, true);
return signedData.toASN1Structure();
} catch (CMSException ex) {
throw new MessageEncodingException(ex);
} catch (Exception ex) {
throw new MessageEncodingException(ex);
}
}
use of org.bouncycastle.operator.bc.BcDigestCalculatorProvider in project xipki by xipki.
the class NextCaMessage method encode.
public ContentInfo encode(PrivateKey signingKey, X509Certificate signerCert, X509Certificate[] cmsCertSet) throws MessageEncodingException {
ScepUtil.requireNonNull("signingKey", signingKey);
ScepUtil.requireNonNull("signerCert", signerCert);
try {
byte[] degenratedSignedDataBytes;
try {
CMSSignedDataGenerator degenerateSignedData = new CMSSignedDataGenerator();
degenerateSignedData.addCertificate(new X509CertificateHolder(caCert.getEncoded()));
if (raCerts != null && !raCerts.isEmpty()) {
for (X509Certificate m : raCerts) {
degenerateSignedData.addCertificate(new X509CertificateHolder(m.getEncoded()));
}
}
degenratedSignedDataBytes = degenerateSignedData.generate(new CMSAbsentContent()).getEncoded();
} catch (CertificateEncodingException ex) {
throw new MessageEncodingException(ex.getMessage(), ex);
}
CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
// I don't known which hash algorithm is supported by the client, use SHA-1
String signatureAlgo = getSignatureAlgorithm(signingKey, ScepHashAlgo.SHA1);
ContentSigner signer = new JcaContentSignerBuilder(signatureAlgo).build(signingKey);
// signerInfo
JcaSignerInfoGeneratorBuilder signerInfoBuilder = new JcaSignerInfoGeneratorBuilder(new BcDigestCalculatorProvider());
signerInfoBuilder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator());
SignerInfoGenerator signerInfo = signerInfoBuilder.build(signer, signerCert);
generator.addSignerInfoGenerator(signerInfo);
CMSTypedData cmsContent = new CMSProcessableByteArray(CMSObjectIdentifiers.signedData, degenratedSignedDataBytes);
// certificateSet
ScepUtil.addCmsCertSet(generator, cmsCertSet);
return generator.generate(cmsContent, true).toASN1Structure();
} catch (CMSException | CertificateEncodingException | IOException | OperatorCreationException ex) {
throw new MessageEncodingException(ex);
}
}
use of org.bouncycastle.operator.bc.BcDigestCalculatorProvider in project helios by spotify.
the class X509CertificateFactory method generate.
private CertificateAndPrivateKey generate(final AgentProxy agentProxy, final Identity identity, final String username) {
final UUID uuid = new UUID();
final Calendar calendar = Calendar.getInstance();
final X500Name issuerdn = new X500Name("C=US,O=Spotify,CN=helios-client");
final X500Name subjectdn = new X500NameBuilder().addRDN(BCStyle.UID, username).build();
calendar.add(Calendar.MILLISECOND, -validBeforeMilliseconds);
final Date notBefore = calendar.getTime();
calendar.add(Calendar.MILLISECOND, validBeforeMilliseconds + validAfterMilliseconds);
final Date notAfter = calendar.getTime();
// Reuse the UUID time as a SN
final BigInteger serialNumber = BigInteger.valueOf(uuid.getTime()).abs();
try {
final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
keyPairGenerator.initialize(KEY_SIZE, new SecureRandom());
final KeyPair keyPair = keyPairGenerator.generateKeyPair();
final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(keyPair.getPublic().getEncoded()));
final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerdn, serialNumber, notBefore, notAfter, subjectdn, subjectPublicKeyInfo);
final DigestCalculator digestCalculator = new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
final X509ExtensionUtils utils = new X509ExtensionUtils(digestCalculator);
final SubjectKeyIdentifier keyId = utils.createSubjectKeyIdentifier(subjectPublicKeyInfo);
final String keyIdHex = KEY_ID_ENCODING.encode(keyId.getKeyIdentifier());
log.info("generating an X509 certificate for {} with key ID={} and identity={}", username, keyIdHex, identity.getComment());
builder.addExtension(Extension.subjectKeyIdentifier, false, keyId);
builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(subjectPublicKeyInfo));
builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign));
builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
final X509CertificateHolder holder = builder.build(new SshAgentContentSigner(agentProxy, identity));
final X509Certificate certificate = CERTIFICATE_CONVERTER.getCertificate(holder);
log.debug("generated certificate:\n{}", asPemString(certificate));
return new CertificateAndPrivateKey(certificate, keyPair.getPrivate());
} catch (Exception e) {
throw Throwables.propagate(e);
}
}
use of org.bouncycastle.operator.bc.BcDigestCalculatorProvider in project poi by apache.
the class TSPTimeStampService method timeStamp.
@SuppressWarnings("unchecked")
public byte[] timeStamp(byte[] data, RevocationData revocationData) throws Exception {
// digest the message
MessageDigest messageDigest = CryptoFunctions.getMessageDigest(signatureConfig.getTspDigestAlgo());
byte[] digest = messageDigest.digest(data);
// generate the TSP request
BigInteger nonce = new BigInteger(128, new SecureRandom());
TimeStampRequestGenerator requestGenerator = new TimeStampRequestGenerator();
requestGenerator.setCertReq(true);
String requestPolicy = signatureConfig.getTspRequestPolicy();
if (requestPolicy != null) {
requestGenerator.setReqPolicy(new ASN1ObjectIdentifier(requestPolicy));
}
ASN1ObjectIdentifier digestAlgoOid = mapDigestAlgoToOID(signatureConfig.getTspDigestAlgo());
TimeStampRequest request = requestGenerator.generate(digestAlgoOid, digest, nonce);
byte[] encodedRequest = request.getEncoded();
// create the HTTP POST request
Proxy proxy = Proxy.NO_PROXY;
if (signatureConfig.getProxyUrl() != null) {
URL proxyUrl = new URL(signatureConfig.getProxyUrl());
String host = proxyUrl.getHost();
int port = proxyUrl.getPort();
proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(InetAddress.getByName(host), (port == -1 ? 80 : port)));
}
HttpURLConnection huc = (HttpURLConnection) new URL(signatureConfig.getTspUrl()).openConnection(proxy);
if (signatureConfig.getTspUser() != null) {
String userPassword = signatureConfig.getTspUser() + ":" + signatureConfig.getTspPass();
String encoding = DatatypeConverter.printBase64Binary(userPassword.getBytes(Charset.forName("iso-8859-1")));
huc.setRequestProperty("Authorization", "Basic " + encoding);
}
huc.setRequestMethod("POST");
huc.setConnectTimeout(20000);
huc.setReadTimeout(20000);
// also sets method to POST.
huc.setDoOutput(true);
huc.setRequestProperty("User-Agent", signatureConfig.getUserAgent());
huc.setRequestProperty("Content-Type", signatureConfig.isTspOldProtocol() ? "application/timestamp-request" : // "; charset=ISO-8859-1");
"application/timestamp-query");
OutputStream hucOut = huc.getOutputStream();
hucOut.write(encodedRequest);
// invoke TSP service
huc.connect();
int statusCode = huc.getResponseCode();
if (statusCode != 200) {
LOG.log(POILogger.ERROR, "Error contacting TSP server ", signatureConfig.getTspUrl() + ", had status code " + statusCode + "/" + huc.getResponseMessage());
throw new IOException("Error contacting TSP server " + signatureConfig.getTspUrl() + ", had status code " + statusCode + "/" + huc.getResponseMessage());
}
// HTTP input validation
String contentType = huc.getHeaderField("Content-Type");
if (null == contentType) {
throw new RuntimeException("missing Content-Type header");
}
ByteArrayOutputStream bos = new ByteArrayOutputStream();
IOUtils.copy(huc.getInputStream(), bos);
LOG.log(POILogger.DEBUG, "response content: ", HexDump.dump(bos.toByteArray(), 0, 0));
if (!contentType.startsWith(signatureConfig.isTspOldProtocol() ? "application/timestamp-response" : "application/timestamp-reply")) {
throw new RuntimeException("invalid Content-Type: " + contentType + // dump the first few bytes
": " + HexDump.dump(bos.toByteArray(), 0, 0, 200));
}
if (bos.size() == 0) {
throw new RuntimeException("Content-Length is zero");
}
// TSP response parsing and validation
TimeStampResponse timeStampResponse = new TimeStampResponse(bos.toByteArray());
timeStampResponse.validate(request);
if (0 != timeStampResponse.getStatus()) {
LOG.log(POILogger.DEBUG, "status: " + timeStampResponse.getStatus());
LOG.log(POILogger.DEBUG, "status string: " + timeStampResponse.getStatusString());
PKIFailureInfo failInfo = timeStampResponse.getFailInfo();
if (null != failInfo) {
LOG.log(POILogger.DEBUG, "fail info int value: " + failInfo.intValue());
if (/*PKIFailureInfo.unacceptedPolicy*/
(1 << 8) == failInfo.intValue()) {
LOG.log(POILogger.DEBUG, "unaccepted policy");
}
}
throw new RuntimeException("timestamp response status != 0: " + timeStampResponse.getStatus());
}
TimeStampToken timeStampToken = timeStampResponse.getTimeStampToken();
SignerId signerId = timeStampToken.getSID();
BigInteger signerCertSerialNumber = signerId.getSerialNumber();
X500Name signerCertIssuer = signerId.getIssuer();
LOG.log(POILogger.DEBUG, "signer cert serial number: " + signerCertSerialNumber);
LOG.log(POILogger.DEBUG, "signer cert issuer: " + signerCertIssuer);
// TSP signer certificates retrieval
Collection<X509CertificateHolder> certificates = timeStampToken.getCertificates().getMatches(null);
X509CertificateHolder signerCert = null;
Map<X500Name, X509CertificateHolder> certificateMap = new HashMap<X500Name, X509CertificateHolder>();
for (X509CertificateHolder certificate : certificates) {
if (signerCertIssuer.equals(certificate.getIssuer()) && signerCertSerialNumber.equals(certificate.getSerialNumber())) {
signerCert = certificate;
}
certificateMap.put(certificate.getSubject(), certificate);
}
// TSP signer cert path building
if (signerCert == null) {
throw new RuntimeException("TSP response token has no signer certificate");
}
List<X509Certificate> tspCertificateChain = new ArrayList<X509Certificate>();
JcaX509CertificateConverter x509converter = new JcaX509CertificateConverter();
x509converter.setProvider("BC");
X509CertificateHolder certificate = signerCert;
do {
LOG.log(POILogger.DEBUG, "adding to certificate chain: " + certificate.getSubject());
tspCertificateChain.add(x509converter.getCertificate(certificate));
if (certificate.getSubject().equals(certificate.getIssuer())) {
break;
}
certificate = certificateMap.get(certificate.getIssuer());
} while (null != certificate);
// verify TSP signer signature
X509CertificateHolder holder = new X509CertificateHolder(tspCertificateChain.get(0).getEncoded());
DefaultCMSSignatureAlgorithmNameGenerator nameGen = new DefaultCMSSignatureAlgorithmNameGenerator();
DefaultSignatureAlgorithmIdentifierFinder sigAlgoFinder = new DefaultSignatureAlgorithmIdentifierFinder();
DefaultDigestAlgorithmIdentifierFinder hashAlgoFinder = new DefaultDigestAlgorithmIdentifierFinder();
BcDigestCalculatorProvider calculator = new BcDigestCalculatorProvider();
BcRSASignerInfoVerifierBuilder verifierBuilder = new BcRSASignerInfoVerifierBuilder(nameGen, sigAlgoFinder, hashAlgoFinder, calculator);
SignerInformationVerifier verifier = verifierBuilder.build(holder);
timeStampToken.validate(verifier);
// verify TSP signer certificate
if (signatureConfig.getTspValidator() != null) {
signatureConfig.getTspValidator().validate(tspCertificateChain, revocationData);
}
LOG.log(POILogger.DEBUG, "time-stamp token time: " + timeStampToken.getTimeStampInfo().getGenTime());
return timeStampToken.getEncoded();
}
use of org.bouncycastle.operator.bc.BcDigestCalculatorProvider in project jruby-openssl by jruby.
the class OCSPCertificateId method initializeImpl.
private IRubyObject initializeImpl(final ThreadContext context, BigInteger serial, IRubyObject issuerCert, IRubyObject digest) {
Ruby runtime = context.getRuntime();
Digest rubyDigest = (Digest) digest;
ASN1ObjectIdentifier oid = ASN1.sym2Oid(runtime, rubyDigest.getName().toLowerCase());
AlgorithmIdentifier bcAlgId = new AlgorithmIdentifier(oid);
BcDigestCalculatorProvider calculatorProvider = new BcDigestCalculatorProvider();
DigestCalculator calc;
try {
calc = calculatorProvider.get(bcAlgId);
} catch (OperatorCreationException e) {
throw newOCSPError(runtime, e);
}
X509Cert rubyCert = (X509Cert) issuerCert;
try {
this.bcCertId = new CertificateID(calc, new X509CertificateHolder(rubyCert.getAuxCert().getEncoded()), serial).toASN1Primitive();
} catch (Exception e) {
throw newOCSPError(runtime, e);
}
return this;
}
Aggregations