use of org.openecard.bouncycastle.asn1.ASN1Integer in project xipki by xipki.
the class Foo method createRequest.
/**
 * Builds a DER-encoded OCSPRequest fixture whose optional parts are selected by {@code control}.
 *
 * <p>The request always carries two single requests with fixed filler hashes and serial numbers
 * (the second one with a per-request extension). Depending on {@code control} it additionally
 * carries an explicit version ([0]), a requestorName ([1]), request extensions ([2]: nonce and/or
 * preferred signature algorithms) and an optionalSignature.
 *
 * <p>The signature, when present, is filler data produced by {@code newBytes(256, (byte) 0xFF)},
 * not a signature computed over the request, so the output is only suitable for exercising a
 * parser and must not be expected to verify.
 *
 * @param control switches for the optional parts of the request
 * @return the encoded OCSPRequest
 * @throws Exception if any ASN.1 object cannot be encoded
 */
private static byte[] createRequest(Control control) throws Exception {
  // Optional requestorName; added under tag [1] further down.
  GeneralName requestorName = null;
  if (control.withRequestName) {
    requestorName = new GeneralName(new X500Name("CN=requestor1"));
  }

  // First single request: SHA-1 AlgorithmIdentifier with explicit NULL parameters, no extensions.
  AlgorithmIdentifier sha1WithNullParams =
      new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1, DERNull.INSTANCE);
  CertID firstCertId = new CertID(
      sha1WithNullParams,
      new DEROctetString(newBytes(20, (byte) 0x11)),
      new DEROctetString(newBytes(20, (byte) 0x12)),
      new ASN1Integer(BigInteger.valueOf(0x1234)));
  Request firstRequest = new Request(firstCertId, null);

  // Second single request: SHA-1 AlgorithmIdentifier with the parameters omitted, plus one
  // non-critical per-request extension with a filler value.
  AlgorithmIdentifier sha1NoParams = new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1);
  CertID secondCertId = new CertID(
      sha1NoParams,
      new DEROctetString(newBytes(20, (byte) 0x21)),
      new DEROctetString(newBytes(20, (byte) 0x22)),
      new ASN1Integer(BigInteger.valueOf(0x1235)));
  Extension perRequestExtension =
      new Extension(ObjectIdentifiers.id_ad_timeStamping, false, newBytes(30, (byte) 0x33));
  Request secondRequest = new Request(secondCertId, new Extensions(perRequestExtension));

  // CHECKSTYLE:SKIP
  ASN1Sequence requestList = new DERSequence(new ASN1Encodable[] { firstRequest, secondRequest });

  // Request-level extensions: nonce first, then preferred signature algorithms.
  final boolean addNonce = control.withNonce;
  final boolean addPrefSigAlgs = control.withPrefSigAlgs;
  Extensions requestExtensions = null;
  if (addNonce || addPrefSigAlgs) {
    Extension[] collected = new Extension[(addNonce ? 1 : 0) + (addPrefSigAlgs ? 1 : 0)];
    int next = 0;
    if (addNonce) {
      collected[next++] = new Extension(
          OCSPObjectIdentifiers.id_pkix_ocsp_nonce, control.extensionCritical,
          newBytes(20, (byte) 0x44));
    }
    if (addPrefSigAlgs) {
      AlgorithmIdentifier sha256Rsa =
          new AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption, DERNull.INSTANCE);
      AlgorithmIdentifier sha1Rsa =
          new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption, DERNull.INSTANCE);
      ASN1Sequence preferred = new DERSequence(new ASN1Encodable[] { sha256Rsa, sha1Rsa });
      collected[next++] = new Extension(
          OCSPObjectIdentifiers.id_pkix_ocsp_pref_sig_algs, control.extensionCritical,
          preferred.getEncoded());
    }
    requestExtensions = new Extensions(collected);
  }

  // Assemble TBSRequest by hand so that the optional, explicitly tagged fields can be toggled.
  ASN1EncodableVector tbsFields = new ASN1EncodableVector();
  if (control.version != 0) {
    tbsFields.add(
        new DERTaggedObject(true, 0, new ASN1Integer(BigInteger.valueOf(control.version))));
  }
  if (requestorName != null) {
    tbsFields.add(new DERTaggedObject(true, 1, requestorName));
  }
  tbsFields.add(requestList);
  if (requestExtensions != null) {
    tbsFields.add(new DERTaggedObject(true, 2, requestExtensions));
  }
  TBSRequest tbsRequest = TBSRequest.getInstance(new DERSequence(tbsFields));

  // Filler signature bits only; nothing is actually signed here.
  Signature sig = control.withSignature
      ? new Signature(
          new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption),
          new DERBitString(newBytes(256, (byte) 0xFF)))
      : null;

  return new OCSPRequest(tbsRequest, sig).getEncoded();
}
use of org.openecard.bouncycastle.asn1.ASN1Integer in project xipki by xipki.
the class SM2Signer method generateSignatureForHash.
/**
 * Produces an SM2 signature over an already computed digest.
 *
 * <p>{@code eHash} is interpreted as an unsigned big-endian integer {@code e}. The loops follow
 * the step labels A3-A7 of the SM2 draft cited in the body: a per-signature value {@code k} is
 * drawn, {@code r = (e + x1) mod n} is derived from the x-coordinate of {@code k*G}, and
 * {@code s = ((1 + d)^-1 * (k - r*d)) mod n}. Candidates with {@code r == 0},
 * {@code r + k == n} or {@code s == 0} are discarded and a new {@code k} is drawn.
 *
 * <p>NOTE(review): the cast of {@code ecKey} assumes the signer was initialised with a private
 * key; confirm against the initialisation code, which is not visible here.
 *
 * @param eHash digest bytes to sign, read as a non-negative integer
 * @return DER encoding of a SEQUENCE holding the two INTEGERs r and s
 * @throws CryptoException if the signature cannot be DER-encoded
 */
// CHECKSTYLE:SKIP
public byte[] generateSignatureForHash(byte[] eHash) throws CryptoException {
  // n is read from the domain parameters (presumably the order of the base point G).
  BigInteger n = ecParams.getN();
  // Signum 1 forces a non-negative value regardless of the top bit of eHash.
  BigInteger e = new BigInteger(1, eHash);
  // Private scalar d. NOTE(review): java.math.BigInteger arithmetic is not documented as
  // constant-time, so the operations on d and k below may vary in timing with their values.
  BigInteger d = ((ECPrivateKeyParameters) ecKey).getD();
  BigInteger r;
  BigInteger s;
  ECMultiplier basePointMultiplier = new FixedPointCombMultiplier();
  // 5.2.1 Draft RFC: SM2 Public Key Algorithms
  do {
    // generate s
    BigInteger k;
    do {
      // generate r
      // A3: draw the per-signature secret k.
      // NOTE(review): a repeated or predictable k lets anyone holding the signatures solve
      // for d, so the quality of kCalculator (configured outside this method) is the
      // security-critical dependency here; confirm how it is seeded.
      k = kCalculator.nextK();
      // A4: p = k*G, normalised so the affine x-coordinate can be read.
      ECPoint p = basePointMultiplier.multiply(ecParams.getG(), k).normalize();
      // A5: r = (e + x1) mod n
      r = e.add(p.getAffineXCoord().toBigInteger()).mod(n);
      // Retry when r == 0 or r + k == n.
    } while (r.equals(ECConstants.ZERO) || r.add(k).equals(n));
    // A6: s = ((1 + d)^-1 * (k - r*d)) mod n
    // CHECKSTYLE:SKIP
    BigInteger dPlus1ModN = d.add(ECConstants.ONE).modInverse(n);
    s = k.subtract(r.multiply(d)).mod(n);
    s = dPlus1ModN.multiply(s).mod(n);
    // Retry with a fresh k when s == 0.
  } while (s.equals(ECConstants.ZERO));
  // A7: encode (r, s) as a DER SEQUENCE of two INTEGERs.
  try {
    ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(new ASN1Integer(r));
    v.add(new ASN1Integer(s));
    return new DERSequence(v).getEncoded(ASN1Encoding.DER);
  } catch (IOException ex) {
    throw new CryptoException("unable to encode signature: " + ex.getMessage(), ex);
  }
}
use of org.openecard.bouncycastle.asn1.ASN1Integer in project xipki by xipki.
the class AbstractOcspRequestor method buildRequest.
// method ask
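/**
 * Builds an OCSP request for the given serial numbers of certificates issued by {@code caCert}.
 *
 * <p>The CertID of every entry uses the hash algorithm selected in {@code requestOptions}: the
 * issuer name hash is computed over the encoded subject of {@code caCert}, the issuer key hash
 * over the public key bits of its SubjectPublicKeyInfo. A nonce extension is added when
 * {@code nonce} is non-null and a preferred-signature-algorithms extension when the options list
 * any; both are non-critical.
 *
 * <p>When the options ask for a signed request, the signer is created on first use under
 * {@code signerLock} from {@code signerType}, {@code signerConf} and the optional
 * {@code signerCertFile}; a signer instance is then borrowed for the signing operation and always
 * returned afterwards.
 *
 * <p>NOTE(review): {@code signerConf} is passed to the signer factory and may hold sensitive
 * configuration; confirm that exception messages coming back from {@code createSigner} do not
 * echo it, since they are copied into the message thrown here.
 *
 * @param caCert certificate of the issuing CA
 * @param serialNumbers serial numbers to ask about, one CertID each
 * @param nonce nonce bytes, or {@code null} to send no nonce extension
 * @param requestOptions hash algorithm, preferred signature algorithms and signing switch
 * @return the assembled (and, if requested, signed) OCSP request
 * @throws OcspRequestorException if the hash algorithm is unknown, the signer is not configured
 *     or cannot be created or borrowed, or the request cannot be encoded
 */
private OCSPRequest buildRequest(X509Certificate caCert, BigInteger[] serialNumbers, byte[] nonce, RequestOptions requestOptions) throws OcspRequestorException {
  HashAlgo hashAlgo = HashAlgo.getInstance(requestOptions.getHashAlgorithmId());
  if (hashAlgo == null) {
    throw new OcspRequestorException("unknown HashAlgo " + requestOptions.getHashAlgorithmId().getId());
  }

  List<AlgorithmIdentifier> prefSigAlgs = requestOptions.getPreferredSignatureAlgorithms();
  XiOCSPReqBuilder reqBuilder = new XiOCSPReqBuilder();
  List<Extension> extensions = new LinkedList<>();

  if (nonce != null) {
    // NOTE(review): the nonce bytes become the extnValue contents directly, whereas the
    // prefSigAlgs value below is DER-encoded first. RFC 6960 defines Nonce ::= OCTET STRING, so
    // confirm against the target responders whether an inner OCTET STRING wrapper is expected.
    extensions.add(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce)));
  }

  if (prefSigAlgs != null && !prefSigAlgs.isEmpty()) {
    // Each entry is a SEQUENCE wrapping one AlgorithmIdentifier.
    ASN1EncodableVector vec = new ASN1EncodableVector();
    for (AlgorithmIdentifier algId : prefSigAlgs) {
      vec.add(new DERSequence(algId));
    }
    ASN1Sequence extnValue = new DERSequence(vec);
    Extension extn;
    try {
      extn = new Extension(ObjectIdentifiers.id_pkix_ocsp_prefSigAlgs, false, new DEROctetString(extnValue));
    } catch (IOException ex) {
      throw new OcspRequestorException(ex.getMessage(), ex);
    }
    extensions.add(extn);
  }

  if (CollectionUtil.isNonEmpty(extensions)) {
    reqBuilder.setRequestExtensions(new Extensions(extensions.toArray(new Extension[0])));
  }

  try {
    DEROctetString issuerNameHash = new DEROctetString(hashAlgo.hash(caCert.getSubjectX500Principal().getEncoded()));
    TBSCertificate tbsCert;
    try {
      tbsCert = TBSCertificate.getInstance(caCert.getTBSCertificate());
    } catch (CertificateEncodingException ex) {
      throw new OcspRequestorException(ex);
    }
    DEROctetString issuerKeyHash = new DEROctetString(hashAlgo.hash(tbsCert.getSubjectPublicKeyInfo().getPublicKeyData().getOctets()));

    for (BigInteger serialNumber : serialNumbers) {
      CertID certId = new CertID(hashAlgo.getAlgorithmIdentifier(), issuerNameHash, issuerKeyHash, new ASN1Integer(serialNumber));
      reqBuilder.addRequest(certId);
    }

    if (!requestOptions.isSignRequest()) {
      return reqBuilder.build();
    }

    // Lazily create the shared signer; the lock keeps concurrent callers from creating it twice.
    synchronized (signerLock) {
      if (signer == null) {
        if (StringUtil.isBlank(signerType)) {
          throw new OcspRequestorException("signerType is not configured");
        }
        if (StringUtil.isBlank(signerConf)) {
          throw new OcspRequestorException("signerConf is not configured");
        }
        X509Certificate cert = null;
        if (StringUtil.isNotBlank(signerCertFile)) {
          try {
            cert = X509Util.parseCert(signerCertFile);
          } catch (CertificateException ex) {
            // Keep the cause so the parse failure stays diagnosable from the stack trace.
            throw new OcspRequestorException("could not parse certificate " + signerCertFile + ": " + ex.getMessage(), ex);
          }
        }
        try {
          signer = getSecurityFactory().createSigner(signerType, new SignerConf(signerConf), cert);
        } catch (Exception ex) {
          throw new OcspRequestorException("could not create signer: " + ex.getMessage(), ex);
        }
      }
    }

    reqBuilder.setRequestorName(signer.getBcCertificate().getSubject());
    X509CertificateHolder[] certChain0 = signer.getBcCertificateChain();
    Certificate[] certChain = new Certificate[certChain0.length];
    for (int i = 0; i < certChain.length; i++) {
      certChain[i] = certChain0[i].toASN1Structure();
    }

    ConcurrentBagEntrySigner signer0;
    try {
      signer0 = signer.borrowSigner();
    } catch (NoIdleSignerException ex) {
      throw new OcspRequestorException("NoIdleSignerException: " + ex.getMessage(), ex);
    }
    try {
      return reqBuilder.build(signer0.value(), certChain);
    } finally {
      // Always hand the borrowed signer back, even when building the request fails.
      signer.requiteSigner(signer0);
    }
  } catch (OCSPException | IOException ex) {
    throw new OcspRequestorException(ex.getMessage(), ex);
  }
}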
use of org.openecard.bouncycastle.asn1.ASN1Integer in project xipki by xipki.
the class Asn1ImportSecretKeyParams method toASN1Primitive.
/**
 * Encodes the import parameters as a DER SEQUENCE holding, in this order, the slot identifier,
 * the label as UTF8String, the key type as INTEGER and the key value as OCTET STRING.
 *
 * <p>NOTE(review): {@code keyValue} is placed into the structure unchanged, so the encoded form
 * presumably contains the secret key in the clear; callers should treat the encoding as
 * sensitive and confirm that the channel it is sent over is protected.
 *
 * @return the SEQUENCE described above
 */
@Override
public ASN1Primitive toASN1Primitive() {
  Asn1P11SlotIdentifier slotField = new Asn1P11SlotIdentifier(slotId);
  DERUTF8String labelField = new DERUTF8String(label);
  ASN1Integer keyTypeField = new ASN1Integer(keyType);
  DEROctetString keyValueField = new DEROctetString(keyValue);

  // The order of the add() calls fixes the field order of the SEQUENCE.
  ASN1EncodableVector fields = new ASN1EncodableVector();
  fields.add(slotField);
  fields.add(labelField);
  fields.add(keyTypeField);
  fields.add(keyValueField);
  return new DERSequence(fields);
}
use of org.openecard.bouncycastle.asn1.ASN1Integer in project xipki by xipki.
the class X509CaCmpResponderImpl method unRevokeRemoveCertificates.
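/**
 * Processes a CMP revocation request as a revoke, unrevoke or remove operation and returns the
 * revocation response body.
 *
 * <p>The work is done in two passes. The first pass validates every {@code RevDetails} entry
 * (issuer equals this CA's subject, serial number present, no other template fields, only the
 * authorityKeyIdentifier as critical extension, AKI matching this CA) and rejects the whole
 * request on the first violation, before any certificate is touched. The second pass performs
 * the operation entry by entry; a failure of one entry yields a rejection status for that entry
 * and does not stop the remaining ones.
 *
 * <p>NOTE(review): this method does not check that the requestor actually holds
 * {@code permission}; every value other than {@code UNREVOKE_CERT} and {@code REMOVE_CERT} is
 * treated as a revocation. Presumably the caller has authorised the request - confirm.
 *
 * @param request the complete CMP message, stored with the certificates when the CA saves
 *     requests
 * @param rr the revocation request content
 * @param permission selects unrevoke, remove or (any other value) revoke
 * @param cmpControl CMP settings; decides whether the issuer's AKI is mandatory
 * @param msgId message identifier handed to the CA operations
 * @return an error body if validation fails, otherwise a revocation response with one status
 *     per entry
 */
private PKIBody unRevokeRemoveCertificates(PKIMessage request, RevReqContent rr, int permission, CmpControl cmpControl, String msgId) {
  RevDetails[] revContent = rr.toRevDetailsArray();
  RevRepContentBuilder repContentBuilder = new RevRepContentBuilder();

  // Pass 1: validate all entries before changing any state.
  for (RevDetails revDetails : revContent) {
    CertTemplate certDetails = revDetails.getCertDetails();
    X500Name issuer = certDetails.getIssuer();
    ASN1Integer serialNumber = certDetails.getSerialNumber();
    try {
      X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name();
      if (issuer == null) {
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer is not present");
      }
      if (!issuer.equals(caSubject)) {
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA");
      }
      if (serialNumber == null) {
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "serialNumber is not present");
      }
      if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null || certDetails.getSubject() != null || certDetails.getPublicKey() != null || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null) {
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "only version, issuer and serialNumber in RevDetails.certDetails are " + "allowed, but more is specified");
      }

      Extensions exts = certDetails.getExtensions();
      if (exts == null) {
        if (cmpControl.isRrAkiRequired()) {
          return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
        }
        continue;
      }

      // Any critical extension other than the AKI cannot be honoured, so the request is refused.
      ASN1ObjectIdentifier[] oids = exts.getCriticalExtensionOIDs();
      if (oids != null) {
        for (ASN1ObjectIdentifier oid : oids) {
          if (!Extension.authorityKeyIdentifier.equals(oid)) {
            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "unknown critical extension " + oid.getId());
          }
        }
      }

      Extension ext = exts.getExtension(Extension.authorityKeyIdentifier);
      if (ext == null) {
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
      }
      AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(ext.getParsedValue());
      if (aki.getKeyIdentifier() == null) {
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
      }

      // The key identifier must match; issuer serial and issuer names are checked only when the
      // request supplies them.
      byte[] caSki = getCa().getCaInfo().getCert().getSubjectKeyIdentifier();
      boolean issuerMatched = Arrays.equals(caSki, aki.getKeyIdentifier());
      if (issuerMatched && aki.getAuthorityCertSerialNumber() != null) {
        BigInteger caSerial = getCa().getCaInfo().getSerialNumber();
        issuerMatched = caSerial.equals(aki.getAuthorityCertSerialNumber());
      }
      if (issuerMatched && aki.getAuthorityCertIssuer() != null) {
        GeneralName[] names = aki.getAuthorityCertIssuer().getNames();
        for (GeneralName name : names) {
          if (name.getTagNo() != GeneralName.directoryName || !caSubject.equals(name.getName())) {
            issuerMatched = false;
            break;
          }
        }
      }
      if (!issuerMatched) {
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA");
      }
    } catch (IllegalArgumentException ex) {
      // Raised by the ASN.1 getInstance()/parse calls above on malformed content.
      return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "the request is invalid");
    }
  }

  byte[] encodedRequest = null;
  if (getCa().getCaInfo().isSaveRequest()) {
    try {
      encodedRequest = request.getEncoded();
    } catch (IOException ex) {
      LOG.warn("could not encode request", ex);
    }
  }

  // Pass 2: perform the operation for each entry and record a per-entry status.
  Long reqDbId = null;
  for (RevDetails revDetails : revContent) {
    CertTemplate certDetails = revDetails.getCertDetails();
    ASN1Integer serialNumber = certDetails.getSerialNumber();
    // serialNumber is not null due to the check in the previous for-block.
    X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name();
    BigInteger snBigInt = serialNumber.getPositiveValue();
    CertId certId = new CertId(new GeneralName(caSubject), serialNumber);
    PKIStatusInfo status;
    try {
      Object returnedObj = null;
      Long certDbId = null;
      X509Ca ca = getCa();
      if (PermissionConstants.UNREVOKE_CERT == permission) {
        // unrevoke
        returnedObj = ca.unrevokeCertificate(snBigInt, msgId);
        if (returnedObj != null) {
          certDbId = ((X509CertWithDbId) returnedObj).getCertId();
        }
      } else if (PermissionConstants.REMOVE_CERT == permission) {
        // remove
        returnedObj = ca.removeCertificate(snBigInt, msgId);
      } else {
        // revoke
        Date invalidityDate = null;
        CrlReason reason = null;
        Extensions crlDetails = revDetails.getCrlEntryDetails();
        if (crlDetails != null) {
          // crlEntryDetails is requestor-supplied and was not validated in pass 1. A value of
          // the wrong ASN.1 type makes getInstance() throw IllegalArgumentException; map it to
          // the same per-entry rejection as an unparsable date instead of letting it escape
          // after earlier entries have already been processed.
          ASN1ObjectIdentifier extId = Extension.reasonCode;
          try {
            ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId);
            if (extValue != null) {
              int reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue();
              reason = CrlReason.forReasonCode(reasonCode);
            }
            extId = Extension.invalidityDate;
            extValue = crlDetails.getExtensionParsedValue(extId);
            if (extValue != null) {
              invalidityDate = ASN1GeneralizedTime.getInstance(extValue).getDate();
            }
          } catch (ParseException | IllegalArgumentException ex) {
            throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid extension " + extId.getId());
          }
        }
        if (reason == null) {
          reason = CrlReason.UNSPECIFIED;
        }
        returnedObj = ca.revokeCertificate(snBigInt, reason, invalidityDate, msgId);
        if (returnedObj != null) {
          certDbId = ((X509CertWithRevocationInfo) returnedObj).getCert().getCertId();
        }
      }
      if (returnedObj == null) {
        throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
      }
      if (certDbId != null && ca.getCaInfo().isSaveRequest()) {
        // The request is stored once, on the first entry that needs it.
        // NOTE(review): encodedRequest is still null here if encoding failed above; confirm
        // that addRequest tolerates a null argument.
        if (reqDbId == null) {
          reqDbId = ca.addRequest(encodedRequest);
        }
        ca.addRequestCert(reqDbId, certDbId);
      }
      status = new PKIStatusInfo(PKIStatus.granted);
    } catch (OperationException ex) {
      ErrorCode code = ex.getErrorCode();
      LOG.warn("{}, OperationException: code={}, message={}", PermissionConstants.getTextForCode(permission), code.name(), ex.getErrorMessage());
      // Database and system failures are reported to the requestor by code name only; the
      // detailed message stays in the server log.
      String errorMessage;
      switch (code) {
        case DATABASE_FAILURE:
        case SYSTEM_FAILURE:
          errorMessage = code.name();
          break;
        default:
          errorMessage = code.name() + ": " + ex.getErrorMessage();
          break;
      }
      int failureInfo = getPKiFailureInfo(ex);
      status = generateRejectionStatus(failureInfo, errorMessage);
    }
    repContentBuilder.add(status, certId);
  }
  return new PKIBody(PKIBody.TYPE_REVOCATION_REP, repContentBuilder.build());
}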