Search in sources :

Example 81 with SubjectPublicKeyInfo

use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.

the class X509Util method toRfc3279Style.

public static SubjectPublicKeyInfo toRfc3279Style(SubjectPublicKeyInfo publicKeyInfo) throws InvalidKeySpecException {
    ParamUtil.requireNonNull("publicKeyInfo", publicKeyInfo);
    ASN1ObjectIdentifier algOid = publicKeyInfo.getAlgorithm().getAlgorithm();
    ASN1Encodable keyParameters = publicKeyInfo.getAlgorithm().getParameters();
    if (PKCSObjectIdentifiers.rsaEncryption.equals(algOid)) {
        if (DERNull.INSTANCE.equals(keyParameters)) {
            return publicKeyInfo;
        } else {
            AlgorithmIdentifier keyAlgId = new AlgorithmIdentifier(algOid, DERNull.INSTANCE);
            return new SubjectPublicKeyInfo(keyAlgId, publicKeyInfo.getPublicKeyData().getBytes());
        }
    } else if (X9ObjectIdentifiers.id_dsa.equals(algOid)) {
        if (keyParameters == null) {
            return publicKeyInfo;
        } else if (DERNull.INSTANCE.equals(keyParameters)) {
            AlgorithmIdentifier keyAlgId = new AlgorithmIdentifier(algOid);
            return new SubjectPublicKeyInfo(keyAlgId, publicKeyInfo.getPublicKeyData().getBytes());
        } else {
            try {
                DSAParameter.getInstance(keyParameters);
            } catch (IllegalArgumentException ex) {
                throw new InvalidKeySpecException("keyParameters is not null and Dss-Parms");
            }
            return publicKeyInfo;
        }
    } else if (X9ObjectIdentifiers.id_ecPublicKey.equals(algOid)) {
        if (keyParameters == null) {
            throw new InvalidKeySpecException("keyParameters is not an OBJECT IDENTIFIER");
        }
        try {
            ASN1ObjectIdentifier.getInstance(keyParameters);
        } catch (IllegalArgumentException ex) {
            throw new InvalidKeySpecException("keyParameters is not an OBJECT IDENTIFIER");
        }
        return publicKeyInfo;
    } else {
        return publicKeyInfo;
    }
}
Also used : ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)

Example 82 with SubjectPublicKeyInfo

use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.

the class PublicKeyChecker method checkPublicKey.

public List<ValidationIssue> checkPublicKey(SubjectPublicKeyInfo publicKey, SubjectPublicKeyInfo requestedPublicKey) {
    ParamUtil.requireNonNull("publicKey", publicKey);
    ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
    List<ValidationIssue> resultIssues = new LinkedList<>();
    if (keyAlgorithms != null) {
        ValidationIssue issue = new ValidationIssue("X509.PUBKEY.SYN", "whether the public key in certificate is permitted");
        resultIssues.add(issue);
        try {
            checkPublicKey(publicKey);
        } catch (BadCertTemplateException ex) {
            issue.setFailureMessage(ex.getMessage());
        }
    }
    ValidationIssue issue = new ValidationIssue("X509.PUBKEY.REQ", "whether public key matches the request one");
    resultIssues.add(issue);
    SubjectPublicKeyInfo c14nRequestedPublicKey;
    try {
        c14nRequestedPublicKey = X509Util.toRfc3279Style(requestedPublicKey);
        if (!c14nRequestedPublicKey.equals(publicKey)) {
            issue.setFailureMessage("public key in the certificate does not equal the requested one");
        }
    } catch (InvalidKeySpecException ex) {
        issue.setFailureMessage("public key in request is invalid");
    }
    return resultIssues;
}
Also used : BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) ValidationIssue(org.xipki.common.qa.ValidationIssue) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) LinkedList(java.util.LinkedList)

Example 83 with SubjectPublicKeyInfo

use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.

the class X509CertprofileQa method checkCert.

// constructor
public ValidationResult checkCert(byte[] certBytes, X509IssuerInfo issuerInfo, X500Name requestedSubject, SubjectPublicKeyInfo requestedPublicKey, Extensions requestedExtensions) {
    ParamUtil.requireNonNull("certBytes", certBytes);
    ParamUtil.requireNonNull("issuerInfo", issuerInfo);
    ParamUtil.requireNonNull("requestedSubject", requestedSubject);
    ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
    List<ValidationIssue> resultIssues = new LinkedList<ValidationIssue>();
    Certificate bcCert;
    TBSCertificate tbsCert;
    X509Certificate cert;
    ValidationIssue issue;
    // certificate size
    issue = new ValidationIssue("X509.SIZE", "certificate size");
    resultIssues.add(issue);
    Integer maxSize = certProfile.getMaxSize();
    if (maxSize != 0) {
        int size = certBytes.length;
        if (size > maxSize) {
            issue.setFailureMessage(String.format("certificate exceeds the maximal allowed size: %d > %d", size, maxSize));
        }
    }
    // certificate encoding
    issue = new ValidationIssue("X509.ENCODING", "certificate encoding");
    resultIssues.add(issue);
    try {
        bcCert = Certificate.getInstance(certBytes);
        tbsCert = bcCert.getTBSCertificate();
        cert = X509Util.parseCert(certBytes);
    } catch (CertificateException ex) {
        issue.setFailureMessage("certificate is not corrected encoded");
        return new ValidationResult(resultIssues);
    }
    // syntax version
    issue = new ValidationIssue("X509.VERSION", "certificate version");
    resultIssues.add(issue);
    int versionNumber = tbsCert.getVersionNumber();
    X509CertVersion expVersion = certProfile.getVersion();
    if (versionNumber != expVersion.getVersionNumber()) {
        issue.setFailureMessage("is '" + versionNumber + "' but expected '" + expVersion.getVersionNumber() + "'");
    }
    // serialNumber
    issue = new ValidationIssue("X509.serialNumber", "certificate serial number");
    resultIssues.add(issue);
    BigInteger serialNumber = tbsCert.getSerialNumber().getValue();
    if (serialNumber.signum() != 1) {
        issue.setFailureMessage("not positive");
    } else {
        if (serialNumber.bitLength() >= 160) {
            issue.setFailureMessage("serial number has more than 20 octets");
        }
    }
    // signatureAlgorithm
    List<String> signatureAlgorithms = certProfile.getSignatureAlgorithms();
    if (CollectionUtil.isNonEmpty(signatureAlgorithms)) {
        issue = new ValidationIssue("X509.SIGALG", "signature algorithm");
        resultIssues.add(issue);
        AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm();
        AlgorithmIdentifier tbsSigAlgId = tbsCert.getSignature();
        if (!tbsSigAlgId.equals(sigAlgId)) {
            issue.setFailureMessage("Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm");
        }
        try {
            String sigAlgo = AlgorithmUtil.getSignatureAlgoName(sigAlgId);
            if (!issue.isFailed()) {
                if (!signatureAlgorithms.contains(sigAlgo)) {
                    issue.setFailureMessage("signatureAlgorithm '" + sigAlgo + "' is not allowed");
                }
            }
            // check parameters
            if (!issue.isFailed()) {
                AlgorithmIdentifier expSigAlgId = AlgorithmUtil.getSigAlgId(sigAlgo);
                if (!expSigAlgId.equals(sigAlgId)) {
                    issue.setFailureMessage("invalid parameters");
                }
            }
        } catch (NoSuchAlgorithmException ex) {
            issue.setFailureMessage("unsupported signature algorithm " + sigAlgId.getAlgorithm().getId());
        }
    }
    // notBefore encoding
    issue = new ValidationIssue("X509.NOTBEFORE.ENCODING", "notBefore encoding");
    checkTime(tbsCert.getStartDate(), issue);
    // notAfter encoding
    issue = new ValidationIssue("X509.NOTAFTER.ENCODING", "notAfter encoding");
    checkTime(tbsCert.getStartDate(), issue);
    // notBefore
    if (certProfile.isNotBeforeMidnight()) {
        issue = new ValidationIssue("X509.NOTBEFORE", "notBefore midnight");
        resultIssues.add(issue);
        Calendar cal = Calendar.getInstance(UTC);
        cal.setTime(cert.getNotBefore());
        int hourOfDay = cal.get(Calendar.HOUR_OF_DAY);
        int minute = cal.get(Calendar.MINUTE);
        int second = cal.get(Calendar.SECOND);
        if (hourOfDay != 0 || minute != 0 || second != 0) {
            issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time (UTC)");
        }
    }
    // validity
    issue = new ValidationIssue("X509.VALIDITY", "cert validity");
    resultIssues.add(issue);
    if (cert.getNotAfter().before(cert.getNotBefore())) {
        issue.setFailureMessage("notAfter must not be before notBefore");
    } else if (cert.getNotBefore().before(issuerInfo.getCaNotBefore())) {
        issue.setFailureMessage("notBefore must not be before CA's notBefore");
    } else {
        CertValidity validity = certProfile.getValidity();
        Date expectedNotAfter = validity.add(cert.getNotBefore());
        if (expectedNotAfter.getTime() > MAX_CERT_TIME_MS) {
            expectedNotAfter = new Date(MAX_CERT_TIME_MS);
        }
        if (issuerInfo.isCutoffNotAfter() && expectedNotAfter.after(issuerInfo.getCaNotAfter())) {
            expectedNotAfter = issuerInfo.getCaNotAfter();
        }
        if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) {
            issue.setFailureMessage("cert validity is not within " + validity.toString());
        }
    }
    // subjectPublicKeyInfo
    resultIssues.addAll(publicKeyChecker.checkPublicKey(bcCert.getSubjectPublicKeyInfo(), requestedPublicKey));
    // Signature
    issue = new ValidationIssue("X509.SIG", "whether certificate is signed by CA");
    resultIssues.add(issue);
    try {
        cert.verify(issuerInfo.getCert().getPublicKey(), "BC");
    } catch (Exception ex) {
        issue.setFailureMessage("invalid signature");
    }
    // issuer
    issue = new ValidationIssue("X509.ISSUER", "certificate issuer");
    resultIssues.add(issue);
    if (!cert.getIssuerX500Principal().equals(issuerInfo.getCert().getSubjectX500Principal())) {
        issue.setFailureMessage("issue in certificate does not equal the subject of CA certificate");
    }
    // subject
    resultIssues.addAll(subjectChecker.checkSubject(bcCert.getSubject(), requestedSubject));
    // issuerUniqueID
    issue = new ValidationIssue("X509.IssuerUniqueID", "issuerUniqueID");
    resultIssues.add(issue);
    if (tbsCert.getIssuerUniqueId() != null) {
        issue.setFailureMessage("is present but not permitted");
    }
    // subjectUniqueID
    issue = new ValidationIssue("X509.SubjectUniqueID", "subjectUniqueID");
    resultIssues.add(issue);
    if (tbsCert.getSubjectUniqueId() != null) {
        issue.setFailureMessage("is present but not permitted");
    }
    // extensions
    issue = new ValidationIssue("X509.GrantedSubject", "grantedSubject");
    resultIssues.add(issue);
    resultIssues.addAll(extensionsChecker.checkExtensions(bcCert, issuerInfo, requestedExtensions, requestedSubject));
    return new ValidationResult(resultIssues);
}
Also used : CertValidity(org.xipki.ca.api.profile.CertValidity) Calendar(java.util.Calendar) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ValidationResult(org.xipki.common.qa.ValidationResult) ValidationIssue(org.xipki.common.qa.ValidationIssue) LinkedList(java.util.LinkedList) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) CertprofileException(org.xipki.ca.api.profile.CertprofileException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) BigInteger(java.math.BigInteger) X509CertVersion(org.xipki.ca.api.profile.x509.X509CertVersion) BigInteger(java.math.BigInteger) TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate) TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)

Example 84 with SubjectPublicKeyInfo

use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.

the class ScepServer method issueSubCaCert.

private static Certificate issueSubCaCert(PrivateKey rcaKey, X500Name issuer, SubjectPublicKeyInfo pubKeyInfo, X500Name subject, BigInteger serialNumber, Date startTime) throws CertIOException, OperatorCreationException {
    Date notAfter = new Date(startTime.getTime() + CaEmulator.DAY_IN_MS * 3650);
    X509v3CertificateBuilder certGenerator = new X509v3CertificateBuilder(issuer, serialNumber, startTime, notAfter, subject, pubKeyInfo);
    X509KeyUsage ku = new X509KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign);
    certGenerator.addExtension(Extension.keyUsage, true, ku);
    BasicConstraints bc = new BasicConstraints(0);
    certGenerator.addExtension(Extension.basicConstraints, true, bc);
    String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(rcaKey, ScepHashAlgo.SHA256);
    ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(rcaKey);
    return certGenerator.build(contentSigner).toASN1Structure();
}
Also used : X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) Date(java.util.Date) X509KeyUsage(org.bouncycastle.jce.X509KeyUsage)

Example 85 with SubjectPublicKeyInfo

use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.

the class ScepServer method getServlet.

public ScepServlet getServlet() throws Exception {
    if (servlet != null) {
        return servlet;
    }
    KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA");
    X500Name rcaSubject;
    kpGen.initialize(2048);
    KeyPair keypair = kpGen.generateKeyPair();
    // CHECKSTYLE:SKIP
    PrivateKey rcaKey = keypair.getPrivate();
    rcaSubject = new X500Name("CN=RCA1, OU=emulator, O=xipki.org, C=DE");
    kpGen.initialize(2048);
    keypair = kpGen.generateKeyPair();
    SubjectPublicKeyInfo pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
    X500Name subject = new X500Name("CN=CA1, OU=emulator, O=xipki.org, C=DE");
    this.caCert = issueSubCaCert(rcaKey, rcaSubject, pkInfo, subject, BigInteger.valueOf(2), new Date(System.currentTimeMillis() - 10 * CaEmulator.MIN_IN_MS));
    CaEmulator ca = new CaEmulator(keypair.getPrivate(), this.caCert, generateCrl);
    RaEmulator ra = null;
    if (withRa) {
        kpGen.initialize(2048);
        keypair = kpGen.generateKeyPair();
        pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
        subject = new X500Name("CN=RA1, OU=emulator, O=xipki.org, C=DE");
        this.raCert = ca.generateCert(pkInfo, subject);
        ra = new RaEmulator(keypair.getPrivate(), this.raCert);
    }
    NextCaAndRa nextCaAndRa = null;
    if (withNextCa) {
        kpGen.initialize(2048);
        keypair = kpGen.generateKeyPair();
        pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
        subject = new X500Name("CN=CA2, OU=emulator, O=xipki.org, C=DE");
        Date startTime = new Date(System.currentTimeMillis() + 365 * CaEmulator.DAY_IN_MS);
        this.nextCaCert = issueSubCaCert(rcaKey, rcaSubject, pkInfo, subject, BigInteger.valueOf(2), startTime);
        CaEmulator tmpCa = new CaEmulator(keypair.getPrivate(), this.nextCaCert, generateCrl);
        if (withRa) {
            kpGen.initialize(2048);
            keypair = kpGen.generateKeyPair();
            pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
            subject = new X500Name("CN=RA2, OU=emulator, O=xipki.org, C=DE");
            Date raStartTime = new Date(startTime.getTime() + 10 * CaEmulator.DAY_IN_MS);
            this.nextRaCert = tmpCa.generateCert(pkInfo, subject, raStartTime);
        }
        // end if(withRA)
        nextCaAndRa = new NextCaAndRa(this.nextCaCert, this.nextRaCert);
    }
    // end if(withNextCA)
    ScepResponder scepResponder = new ScepResponder(caCaps, ca, ra, nextCaAndRa, control);
    if (maxSigningTimeBiasInMs != null) {
        scepResponder.setMaxSigningTimeBias(maxSigningTimeBiasInMs);
    }
    this.servlet = new ScepServlet(scepResponder);
    return this.servlet;
}
Also used : KeyPair(java.security.KeyPair) PrivateKey(java.security.PrivateKey) KeyPairGenerator(java.security.KeyPairGenerator) X500Name(org.bouncycastle.asn1.x500.X500Name) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) Date(java.util.Date)

Aggregations

SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)77 X500Name (org.bouncycastle.asn1.x500.X500Name)37 AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)37 Date (java.util.Date)34 IOException (java.io.IOException)31 ContentSigner (org.bouncycastle.operator.ContentSigner)24 BigInteger (java.math.BigInteger)22 KeyPair (java.security.KeyPair)21 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)21 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)19 KeyPairGenerator (java.security.KeyPairGenerator)17 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)17 X509Certificate (java.security.cert.X509Certificate)17 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)16 InvalidKeyException (java.security.InvalidKeyException)15 InvalidKeySpecException (java.security.spec.InvalidKeySpecException)15 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)15 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)13 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)13 PublicKey (java.security.PublicKey)12