Search in sources :

Example 51 with ASN1Sequence

use of org.openecard.bouncycastle.asn1.ASN1Sequence in project xipki by xipki.

the class BaseX509Certprofile method createPostalAddressRdn.

private static RDN createPostalAddressRdn(ASN1ObjectIdentifier type, ASN1Encodable rdnValue, RdnControl control, int index) throws BadCertTemplateException {
    ParamUtil.requireNonNull("type", type);
    if (!(rdnValue instanceof ASN1Sequence)) {
        throw new BadCertTemplateException("rdnValue of RDN postalAddress has incorrect syntax");
    }
    ASN1Sequence seq = (ASN1Sequence) rdnValue;
    final int size = seq.size();
    if (size < 1 || size > 6) {
        throw new BadCertTemplateException("Sequence size of RDN postalAddress is not within [1, 6]: " + size);
    }
    ASN1EncodableVector vec = new ASN1EncodableVector();
    for (int i = 0; i < size; i++) {
        ASN1Encodable line = seq.getObjectAt(i);
        String text;
        if (line instanceof ASN1String && !(line instanceof DERUniversalString)) {
            text = ((ASN1String) line).getString();
        } else {
            throw new BadCertTemplateException(String.format("postalAddress[%d] has incorrect syntax", i));
        }
        ASN1Encodable asn1Line = createRdnValue(text, type, control, index);
        vec.add(asn1Line);
    }
    return new RDN(type, new DERSequence(vec));
}
Also used : ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) DERSequence(org.bouncycastle.asn1.DERSequence) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) DERUniversalString(org.bouncycastle.asn1.DERUniversalString) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) ASN1String(org.bouncycastle.asn1.ASN1String) DERUniversalString(org.bouncycastle.asn1.DERUniversalString) ASN1String(org.bouncycastle.asn1.ASN1String) RDN(org.bouncycastle.asn1.x500.RDN)

Example 52 with ASN1Sequence

use of org.openecard.bouncycastle.asn1.ASN1Sequence in project xipki by xipki.

the class BaseX509Certprofile method checkPublicKey.

@Override
public SubjectPublicKeyInfo checkPublicKey(SubjectPublicKeyInfo publicKey) throws BadCertTemplateException {
    ParamUtil.requireNonNull("publicKey", publicKey);
    Map<ASN1ObjectIdentifier, KeyParametersOption> keyAlgorithms = getKeyAlgorithms();
    if (CollectionUtil.isEmpty(keyAlgorithms)) {
        return publicKey;
    }
    ASN1ObjectIdentifier keyType = publicKey.getAlgorithm().getAlgorithm();
    if (!keyAlgorithms.containsKey(keyType)) {
        throw new BadCertTemplateException("key type " + keyType.getId() + " is not permitted");
    }
    KeyParametersOption keyParamsOption = keyAlgorithms.get(keyType);
    if (keyParamsOption instanceof AllowAllParametersOption) {
        return publicKey;
    } else if (keyParamsOption instanceof ECParamatersOption) {
        ECParamatersOption ecOption = (ECParamatersOption) keyParamsOption;
        // parameters
        ASN1Encodable algParam = publicKey.getAlgorithm().getParameters();
        ASN1ObjectIdentifier curveOid;
        if (algParam instanceof ASN1ObjectIdentifier) {
            curveOid = (ASN1ObjectIdentifier) algParam;
            if (!ecOption.allowsCurve(curveOid)) {
                throw new BadCertTemplateException(String.format("EC curve %s (OID: %s) is not allowed", AlgorithmUtil.getCurveName(curveOid), curveOid.getId()));
            }
        } else {
            throw new BadCertTemplateException("only namedCurve EC public key is supported");
        }
        // point encoding
        if (ecOption.pointEncodings() != null) {
            byte[] keyData = publicKey.getPublicKeyData().getBytes();
            if (keyData.length < 1) {
                throw new BadCertTemplateException("invalid publicKeyData");
            }
            byte pointEncoding = keyData[0];
            if (!ecOption.pointEncodings().contains(pointEncoding)) {
                throw new BadCertTemplateException(String.format("not accepted EC point encoding '%s'", pointEncoding));
            }
        }
        byte[] keyData = publicKey.getPublicKeyData().getBytes();
        try {
            checkEcSubjectPublicKeyInfo(curveOid, keyData);
        } catch (BadCertTemplateException ex) {
            throw ex;
        } catch (Exception ex) {
            LogUtil.warn(LOG, ex, "checkEcSubjectPublicKeyInfo");
            throw new BadCertTemplateException(String.format("invalid public key: %s", ex.getMessage()));
        }
        return publicKey;
    } else if (keyParamsOption instanceof RSAParametersOption) {
        RSAParametersOption rsaOption = (RSAParametersOption) keyParamsOption;
        ASN1Integer modulus;
        try {
            ASN1Sequence seq = ASN1Sequence.getInstance(publicKey.getPublicKeyData().getBytes());
            modulus = ASN1Integer.getInstance(seq.getObjectAt(0));
        } catch (IllegalArgumentException ex) {
            throw new BadCertTemplateException("invalid publicKeyData");
        }
        int modulusLength = modulus.getPositiveValue().bitLength();
        if ((rsaOption.allowsModulusLength(modulusLength))) {
            return publicKey;
        }
    } else if (keyParamsOption instanceof DSAParametersOption) {
        DSAParametersOption dsaOption = (DSAParametersOption) keyParamsOption;
        ASN1Encodable params = publicKey.getAlgorithm().getParameters();
        if (params == null) {
            throw new BadCertTemplateException("null Dss-Parms is not permitted");
        }
        int plength;
        int qlength;
        try {
            ASN1Sequence seq = ASN1Sequence.getInstance(params);
            ASN1Integer rsaP = ASN1Integer.getInstance(seq.getObjectAt(0));
            ASN1Integer rsaQ = ASN1Integer.getInstance(seq.getObjectAt(1));
            plength = rsaP.getPositiveValue().bitLength();
            qlength = rsaQ.getPositiveValue().bitLength();
        } catch (IllegalArgumentException | ArrayIndexOutOfBoundsException ex) {
            throw new BadCertTemplateException("illegal Dss-Parms");
        }
        boolean match = dsaOption.allowsPlength(plength);
        if (match) {
            match = dsaOption.allowsQlength(qlength);
        }
        if (match) {
            return publicKey;
        }
    } else {
        throw new RuntimeException(String.format("should not reach here, unknown KeyParametersOption %s", keyParamsOption));
    }
    throw new BadCertTemplateException("the given publicKey is not permitted");
}
Also used : ECParamatersOption(org.xipki.ca.api.profile.KeyParametersOption.ECParamatersOption) DSAParametersOption(org.xipki.ca.api.profile.KeyParametersOption.DSAParametersOption) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) CertprofileException(org.xipki.ca.api.profile.CertprofileException) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) KeyParametersOption(org.xipki.ca.api.profile.KeyParametersOption) RSAParametersOption(org.xipki.ca.api.profile.KeyParametersOption.RSAParametersOption) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) AllowAllParametersOption(org.xipki.ca.api.profile.KeyParametersOption.AllowAllParametersOption) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 53 with ASN1Sequence

use of org.openecard.bouncycastle.asn1.ASN1Sequence in project xipki by xipki.

the class SignerUtil method dsaSigX962ToPlain.

// CHECKSTYLE:SKIP
public static byte[] dsaSigX962ToPlain(byte[] x962Signature, int keyBitLen) throws XiSecurityException {
    ParamUtil.requireNonNull("x962Signature", x962Signature);
    ASN1Sequence seq = ASN1Sequence.getInstance(x962Signature);
    if (seq.size() != 2) {
        throw new IllegalArgumentException("invalid X962Signature");
    }
    BigInteger sigR = ASN1Integer.getInstance(seq.getObjectAt(0)).getPositiveValue();
    BigInteger sigS = ASN1Integer.getInstance(seq.getObjectAt(1)).getPositiveValue();
    return dsaSigToPlain(sigR, sigS, keyBitLen);
}
Also used : ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) BigInteger(java.math.BigInteger)

Example 54 with ASN1Sequence

use of org.openecard.bouncycastle.asn1.ASN1Sequence in project xipki by xipki.

the class ImportCrl method importEntries.

private void importEntries(Connection conn, int caId) throws DataAccessException, ImportCrlException {
    AtomicLong maxId = new AtomicLong(datasource.getMax(conn, "CERT", "ID"));
    // import the revoked information
    Set<? extends X509CRLEntry> revokedCertList = crl.getRevokedCertificates();
    if (revokedCertList != null) {
        for (X509CRLEntry c : revokedCertList) {
            X500Principal issuer = c.getCertificateIssuer();
            BigInteger serial = c.getSerialNumber();
            if (issuer != null) {
                if (!x500PrincipalCaSubject.equals(issuer)) {
                    throw new ImportCrlException("invalid CRLEntry for certificate number " + serial);
                }
            }
            Date rt = c.getRevocationDate();
            Date rit = null;
            byte[] extnValue = c.getExtensionValue(Extension.invalidityDate.getId());
            if (extnValue != null) {
                extnValue = extractCoreValue(extnValue);
                ASN1GeneralizedTime genTime = DERGeneralizedTime.getInstance(extnValue);
                try {
                    rit = genTime.getDate();
                } catch (ParseException ex) {
                    throw new ImportCrlException(ex.getMessage(), ex);
                }
                if (rt.equals(rit)) {
                    rit = null;
                }
            }
            CrlReason reason = CrlReason.fromReason(c.getRevocationReason());
            String sql = null;
            try {
                if (reason == CrlReason.REMOVE_FROM_CRL) {
                    if (!isDeltaCrl) {
                        LOG.warn("ignore CRL entry with reason removeFromCRL in non-Delta CRL");
                    }
                    // delete the entry
                    sql = SQL_DELETE_CERT;
                    psDeleteCert.setInt(1, caId);
                    psDeleteCert.setString(2, serial.toString(16));
                    psDeleteCert.executeUpdate();
                    continue;
                }
                Long id = getId(caId, serial);
                PreparedStatement ps;
                int offset = 1;
                if (id == null) {
                    sql = SQL_INSERT_CERT_REV;
                    id = maxId.incrementAndGet();
                    ps = psInsertCertRev;
                    ps.setLong(offset++, id);
                    ps.setInt(offset++, caId);
                    ps.setString(offset++, serial.toString(16));
                } else {
                    sql = SQL_UPDATE_CERT_REV;
                    ps = psUpdateCertRev;
                }
                ps.setInt(offset++, 1);
                ps.setInt(offset++, reason.getCode());
                ps.setLong(offset++, rt.getTime() / 1000);
                if (rit != null) {
                    ps.setLong(offset++, rit.getTime() / 1000);
                } else {
                    ps.setNull(offset++, Types.BIGINT);
                }
                ps.setLong(offset++, System.currentTimeMillis() / 1000);
                if (ps == psUpdateCertRev) {
                    ps.setLong(offset++, id);
                }
                ps.executeUpdate();
            } catch (SQLException ex) {
                throw datasource.translate(sql, ex);
            }
        }
    }
    // import the certificates
    // extract the certificate
    byte[] extnValue = crl.getExtensionValue(ObjectIdentifiers.id_xipki_ext_crlCertset.getId());
    if (extnValue != null) {
        extnValue = extractCoreValue(extnValue);
        ASN1Set asn1Set = DERSet.getInstance(extnValue);
        final int n = asn1Set.size();
        for (int i = 0; i < n; i++) {
            ASN1Encodable asn1 = asn1Set.getObjectAt(i);
            ASN1Sequence seq = ASN1Sequence.getInstance(asn1);
            BigInteger serialNumber = ASN1Integer.getInstance(seq.getObjectAt(0)).getValue();
            Certificate cert = null;
            String profileName = null;
            final int size = seq.size();
            for (int j = 1; j < size; j++) {
                ASN1TaggedObject taggedObj = DERTaggedObject.getInstance(seq.getObjectAt(j));
                int tagNo = taggedObj.getTagNo();
                switch(tagNo) {
                    case 0:
                        cert = Certificate.getInstance(taggedObj.getObject());
                        break;
                    case 1:
                        profileName = DERUTF8String.getInstance(taggedObj.getObject()).getString();
                        break;
                    default:
                        break;
                }
            }
            if (cert == null) {
                continue;
            }
            if (!caSubject.equals(cert.getIssuer())) {
                LOG.warn("issuer not match (serial={}) in CRL Extension Xipki-CertSet, ignore it", LogUtil.formatCsn(serialNumber));
                continue;
            }
            if (!serialNumber.equals(cert.getSerialNumber().getValue())) {
                LOG.warn("serialNumber not match (serial={}) in CRL Extension Xipki-CertSet, ignore it", LogUtil.formatCsn(serialNumber));
                continue;
            }
            String certLogId = "(issuer='" + cert.getIssuer() + "', serialNumber=" + cert.getSerialNumber() + ")";
            addCertificate(maxId, caId, cert, profileName, certLogId);
        }
    } else {
        // cert dirs
        File certsDir = new File(certsDirName);
        if (!certsDir.exists()) {
            LOG.warn("the folder {} does not exist, ignore it", certsDirName);
            return;
        }
        if (!certsDir.isDirectory()) {
            LOG.warn("the path {} does not point to a folder, ignore it", certsDirName);
            return;
        }
        if (!certsDir.canRead()) {
            LOG.warn("the folder {} must not be read, ignore it", certsDirName);
            return;
        }
        File[] certFiles = certsDir.listFiles(new FilenameFilter() {

            @Override
            public boolean accept(File dir, String name) {
                return name.endsWith(".der") || name.endsWith(".crt");
            }
        });
        if (certFiles == null || certFiles.length == 0) {
            return;
        }
        for (File certFile : certFiles) {
            Certificate cert;
            try {
                byte[] encoded = IoUtil.read(certFile);
                cert = Certificate.getInstance(encoded);
            } catch (IllegalArgumentException | IOException ex) {
                LOG.warn("could not parse certificate {}, ignore it", certFile.getPath());
                continue;
            }
            String certLogId = "(file " + certFile.getName() + ")";
            addCertificate(maxId, caId, cert, null, certLogId);
        }
    }
}
Also used : SQLException(java.sql.SQLException) ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject) ASN1GeneralizedTime(org.bouncycastle.asn1.ASN1GeneralizedTime) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) FilenameFilter(java.io.FilenameFilter) X509CRLEntry(java.security.cert.X509CRLEntry) CrlReason(org.xipki.security.CrlReason) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) PreparedStatement(java.sql.PreparedStatement) IOException(java.io.IOException) Date(java.util.Date) AtomicLong(java.util.concurrent.atomic.AtomicLong) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ASN1Set(org.bouncycastle.asn1.ASN1Set) AtomicLong(java.util.concurrent.atomic.AtomicLong) X500Principal(javax.security.auth.x500.X500Principal) BigInteger(java.math.BigInteger) ParseException(java.text.ParseException) File(java.io.File) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate) TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)

Example 55 with ASN1Sequence

use of org.openecard.bouncycastle.asn1.ASN1Sequence in project xipki by xipki.

the class OcspBenchRequestor method init.

public void init(OcspBenchmark responseHandler, String responderUrl, Certificate issuerCert, RequestOptions requestOptions, int queueSize) throws Exception {
    ParamUtil.requireNonNull("issuerCert", issuerCert);
    ParamUtil.requireNonNull("responseHandler", responseHandler);
    this.requestOptions = ParamUtil.requireNonNull("requestOptions", requestOptions);
    HashAlgo hashAlgo = HashAlgo.getInstance(requestOptions.getHashAlgorithmId());
    if (hashAlgo == null) {
        throw new OcspRequestorException("unknown HashAlgo " + requestOptions.getHashAlgorithmId().getId());
    }
    this.issuerhashAlg = hashAlgo.getAlgorithmIdentifier();
    this.issuerNameHash = new DEROctetString(hashAlgo.hash(issuerCert.getSubject().getEncoded()));
    this.issuerKeyHash = new DEROctetString(hashAlgo.hash(issuerCert.getSubjectPublicKeyInfo().getPublicKeyData().getOctets()));
    List<AlgorithmIdentifier> prefSigAlgs = requestOptions.getPreferredSignatureAlgorithms();
    if (prefSigAlgs == null || prefSigAlgs.size() == 0) {
        this.extensions = null;
    } else {
        ASN1EncodableVector vec = new ASN1EncodableVector();
        for (AlgorithmIdentifier algId : prefSigAlgs) {
            ASN1Sequence prefSigAlgObj = new DERSequence(algId);
            vec.add(prefSigAlgObj);
        }
        ASN1Sequence extnValue = new DERSequence(vec);
        Extension extn;
        try {
            extn = new Extension(ObjectIdentifiers.id_pkix_ocsp_prefSigAlgs, false, new DEROctetString(extnValue));
        } catch (IOException ex) {
            throw new OcspRequestorException(ex.getMessage(), ex);
        }
        this.extensions = new Extension[] { extn };
    }
    URI uri = new URI(responderUrl);
    this.responderRawPathPost = uri.getRawPath();
    if (this.responderRawPathPost.endsWith("/")) {
        this.responderRawPathGet = this.responderRawPathPost;
    } else {
        this.responderRawPathGet = this.responderRawPathPost + "/";
    }
    this.httpClient = new HttpClient(responderUrl, responseHandler, queueSize);
    this.httpClient.start();
}
Also used : OcspRequestorException(org.xipki.ocsp.client.api.OcspRequestorException) Extension(org.bouncycastle.asn1.x509.Extension) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) DERSequence(org.bouncycastle.asn1.DERSequence) HashAlgo(org.xipki.security.HashAlgo) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) IOException(java.io.IOException) URI(java.net.URI) DEROctetString(org.bouncycastle.asn1.DEROctetString) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)

Aggregations

ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)198 IOException (java.io.IOException)68 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)56 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)49 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)39 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)37 ArrayList (java.util.ArrayList)36 ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)34 DEROctetString (org.bouncycastle.asn1.DEROctetString)34 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)32 X509Certificate (java.security.cert.X509Certificate)31 ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)30 DERSequence (org.bouncycastle.asn1.DERSequence)30 Enumeration (java.util.Enumeration)29 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)29 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)28 DERIA5String (org.bouncycastle.asn1.DERIA5String)28 List (java.util.List)27 BigInteger (java.math.BigInteger)26 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)26