Example 81 with SubjectPublicKeyInfo
use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.
the class X509Util method toRfc3279Style.
public static SubjectPublicKeyInfo toRfc3279Style(SubjectPublicKeyInfo publicKeyInfo) throws InvalidKeySpecException {
ParamUtil.requireNonNull("publicKeyInfo", publicKeyInfo);
ASN1ObjectIdentifier algOid = publicKeyInfo.getAlgorithm().getAlgorithm();
ASN1Encodable keyParameters = publicKeyInfo.getAlgorithm().getParameters();
if (PKCSObjectIdentifiers.rsaEncryption.equals(algOid)) {
if (DERNull.INSTANCE.equals(keyParameters)) {
return publicKeyInfo;
} else {
AlgorithmIdentifier keyAlgId = new AlgorithmIdentifier(algOid, DERNull.INSTANCE);
return new SubjectPublicKeyInfo(keyAlgId, publicKeyInfo.getPublicKeyData().getBytes());
}
} else if (X9ObjectIdentifiers.id_dsa.equals(algOid)) {
if (keyParameters == null) {
return publicKeyInfo;
} else if (DERNull.INSTANCE.equals(keyParameters)) {
AlgorithmIdentifier keyAlgId = new AlgorithmIdentifier(algOid);
return new SubjectPublicKeyInfo(keyAlgId, publicKeyInfo.getPublicKeyData().getBytes());
} else {
try {
DSAParameter.getInstance(keyParameters);
} catch (IllegalArgumentException ex) {
throw new InvalidKeySpecException("keyParameters is not null and Dss-Parms");
}
return publicKeyInfo;
}
} else if (X9ObjectIdentifiers.id_ecPublicKey.equals(algOid)) {
if (keyParameters == null) {
throw new InvalidKeySpecException("keyParameters is not an OBJECT IDENTIFIER");
}
try {
ASN1ObjectIdentifier.getInstance(keyParameters);
} catch (IllegalArgumentException ex) {
throw new InvalidKeySpecException("keyParameters is not an OBJECT IDENTIFIER");
}
return publicKeyInfo;
} else {
return publicKeyInfo;
}
}
Also used :
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
Example 82 with SubjectPublicKeyInfo
use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.
the class PublicKeyChecker method checkPublicKey.
public List<ValidationIssue> checkPublicKey(SubjectPublicKeyInfo publicKey, SubjectPublicKeyInfo requestedPublicKey) {
ParamUtil.requireNonNull("publicKey", publicKey);
ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
List<ValidationIssue> resultIssues = new LinkedList<>();
if (keyAlgorithms != null) {
ValidationIssue issue = new ValidationIssue("X509.PUBKEY.SYN", "whether the public key in certificate is permitted");
resultIssues.add(issue);
try {
checkPublicKey(publicKey);
} catch (BadCertTemplateException ex) {
issue.setFailureMessage(ex.getMessage());
}
}
ValidationIssue issue = new ValidationIssue("X509.PUBKEY.REQ", "whether public key matches the request one");
resultIssues.add(issue);
SubjectPublicKeyInfo c14nRequestedPublicKey;
try {
c14nRequestedPublicKey = X509Util.toRfc3279Style(requestedPublicKey);
if (!c14nRequestedPublicKey.equals(publicKey)) {
issue.setFailureMessage("public key in the certificate does not equal the requested one");
}
} catch (InvalidKeySpecException ex) {
issue.setFailureMessage("public key in request is invalid");
}
return resultIssues;
}
Also used :
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
ValidationIssue(org.xipki.common.qa.ValidationIssue)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
LinkedList(java.util.LinkedList)
Example 83 with SubjectPublicKeyInfo
use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.
the class X509CertprofileQa method checkCert.
// constructor
public ValidationResult checkCert(byte[] certBytes, X509IssuerInfo issuerInfo, X500Name requestedSubject, SubjectPublicKeyInfo requestedPublicKey, Extensions requestedExtensions) {
ParamUtil.requireNonNull("certBytes", certBytes);
ParamUtil.requireNonNull("issuerInfo", issuerInfo);
ParamUtil.requireNonNull("requestedSubject", requestedSubject);
ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
List<ValidationIssue> resultIssues = new LinkedList<ValidationIssue>();
Certificate bcCert;
TBSCertificate tbsCert;
X509Certificate cert;
ValidationIssue issue;
// certificate size
issue = new ValidationIssue("X509.SIZE", "certificate size");
resultIssues.add(issue);
Integer maxSize = certProfile.getMaxSize();
if (maxSize != 0) {
int size = certBytes.length;
if (size > maxSize) {
issue.setFailureMessage(String.format("certificate exceeds the maximal allowed size: %d > %d", size, maxSize));
}
}
// certificate encoding
issue = new ValidationIssue("X509.ENCODING", "certificate encoding");
resultIssues.add(issue);
try {
bcCert = Certificate.getInstance(certBytes);
tbsCert = bcCert.getTBSCertificate();
cert = X509Util.parseCert(certBytes);
} catch (CertificateException ex) {
issue.setFailureMessage("certificate is not corrected encoded");
return new ValidationResult(resultIssues);
}
// syntax version
issue = new ValidationIssue("X509.VERSION", "certificate version");
resultIssues.add(issue);
int versionNumber = tbsCert.getVersionNumber();
X509CertVersion expVersion = certProfile.getVersion();
if (versionNumber != expVersion.getVersionNumber()) {
issue.setFailureMessage("is '" + versionNumber + "' but expected '" + expVersion.getVersionNumber() + "'");
}
// serialNumber
issue = new ValidationIssue("X509.serialNumber", "certificate serial number");
resultIssues.add(issue);
BigInteger serialNumber = tbsCert.getSerialNumber().getValue();
if (serialNumber.signum() != 1) {
issue.setFailureMessage("not positive");
} else {
if (serialNumber.bitLength() >= 160) {
issue.setFailureMessage("serial number has more than 20 octets");
}
}
// signatureAlgorithm
List<String> signatureAlgorithms = certProfile.getSignatureAlgorithms();
if (CollectionUtil.isNonEmpty(signatureAlgorithms)) {
issue = new ValidationIssue("X509.SIGALG", "signature algorithm");
resultIssues.add(issue);
AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm();
AlgorithmIdentifier tbsSigAlgId = tbsCert.getSignature();
if (!tbsSigAlgId.equals(sigAlgId)) {
issue.setFailureMessage("Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm");
}
try {
String sigAlgo = AlgorithmUtil.getSignatureAlgoName(sigAlgId);
if (!issue.isFailed()) {
if (!signatureAlgorithms.contains(sigAlgo)) {
issue.setFailureMessage("signatureAlgorithm '" + sigAlgo + "' is not allowed");
}
}
// check parameters
if (!issue.isFailed()) {
AlgorithmIdentifier expSigAlgId = AlgorithmUtil.getSigAlgId(sigAlgo);
if (!expSigAlgId.equals(sigAlgId)) {
issue.setFailureMessage("invalid parameters");
}
}
} catch (NoSuchAlgorithmException ex) {
issue.setFailureMessage("unsupported signature algorithm " + sigAlgId.getAlgorithm().getId());
}
}
// notBefore encoding
issue = new ValidationIssue("X509.NOTBEFORE.ENCODING", "notBefore encoding");
checkTime(tbsCert.getStartDate(), issue);
// notAfter encoding
issue = new ValidationIssue("X509.NOTAFTER.ENCODING", "notAfter encoding");
checkTime(tbsCert.getStartDate(), issue);
// notBefore
if (certProfile.isNotBeforeMidnight()) {
issue = new ValidationIssue("X509.NOTBEFORE", "notBefore midnight");
resultIssues.add(issue);
Calendar cal = Calendar.getInstance(UTC);
cal.setTime(cert.getNotBefore());
int hourOfDay = cal.get(Calendar.HOUR_OF_DAY);
int minute = cal.get(Calendar.MINUTE);
int second = cal.get(Calendar.SECOND);
if (hourOfDay != 0 || minute != 0 || second != 0) {
issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time (UTC)");
}
}
// validity
issue = new ValidationIssue("X509.VALIDITY", "cert validity");
resultIssues.add(issue);
if (cert.getNotAfter().before(cert.getNotBefore())) {
issue.setFailureMessage("notAfter must not be before notBefore");
} else if (cert.getNotBefore().before(issuerInfo.getCaNotBefore())) {
issue.setFailureMessage("notBefore must not be before CA's notBefore");
} else {
CertValidity validity = certProfile.getValidity();
Date expectedNotAfter = validity.add(cert.getNotBefore());
if (expectedNotAfter.getTime() > MAX_CERT_TIME_MS) {
expectedNotAfter = new Date(MAX_CERT_TIME_MS);
}
if (issuerInfo.isCutoffNotAfter() && expectedNotAfter.after(issuerInfo.getCaNotAfter())) {
expectedNotAfter = issuerInfo.getCaNotAfter();
}
if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) {
issue.setFailureMessage("cert validity is not within " + validity.toString());
}
}
// subjectPublicKeyInfo
resultIssues.addAll(publicKeyChecker.checkPublicKey(bcCert.getSubjectPublicKeyInfo(), requestedPublicKey));
// Signature
issue = new ValidationIssue("X509.SIG", "whether certificate is signed by CA");
resultIssues.add(issue);
try {
cert.verify(issuerInfo.getCert().getPublicKey(), "BC");
} catch (Exception ex) {
issue.setFailureMessage("invalid signature");
}
// issuer
issue = new ValidationIssue("X509.ISSUER", "certificate issuer");
resultIssues.add(issue);
if (!cert.getIssuerX500Principal().equals(issuerInfo.getCert().getSubjectX500Principal())) {
issue.setFailureMessage("issue in certificate does not equal the subject of CA certificate");
}
// subject
resultIssues.addAll(subjectChecker.checkSubject(bcCert.getSubject(), requestedSubject));
// issuerUniqueID
issue = new ValidationIssue("X509.IssuerUniqueID", "issuerUniqueID");
resultIssues.add(issue);
if (tbsCert.getIssuerUniqueId() != null) {
issue.setFailureMessage("is present but not permitted");
}
// subjectUniqueID
issue = new ValidationIssue("X509.SubjectUniqueID", "subjectUniqueID");
resultIssues.add(issue);
if (tbsCert.getSubjectUniqueId() != null) {
issue.setFailureMessage("is present but not permitted");
}
// extensions
issue = new ValidationIssue("X509.GrantedSubject", "grantedSubject");
resultIssues.add(issue);
resultIssues.addAll(extensionsChecker.checkExtensions(bcCert, issuerInfo, requestedExtensions, requestedSubject));
return new ValidationResult(resultIssues);
}
Also used :
CertValidity(org.xipki.ca.api.profile.CertValidity)
Calendar(java.util.Calendar)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
ValidationResult(org.xipki.common.qa.ValidationResult)
ValidationIssue(org.xipki.common.qa.ValidationIssue)
LinkedList(java.util.LinkedList)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
CertprofileException(org.xipki.ca.api.profile.CertprofileException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
BigInteger(java.math.BigInteger)
X509CertVersion(org.xipki.ca.api.profile.x509.X509CertVersion)
BigInteger(java.math.BigInteger)
TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)
Example 84 with SubjectPublicKeyInfo
use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.
the class ScepServer method issueSubCaCert.
private static Certificate issueSubCaCert(PrivateKey rcaKey, X500Name issuer, SubjectPublicKeyInfo pubKeyInfo, X500Name subject, BigInteger serialNumber, Date startTime) throws CertIOException, OperatorCreationException {
Date notAfter = new Date(startTime.getTime() + CaEmulator.DAY_IN_MS * 3650);
X509v3CertificateBuilder certGenerator = new X509v3CertificateBuilder(issuer, serialNumber, startTime, notAfter, subject, pubKeyInfo);
X509KeyUsage ku = new X509KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign);
certGenerator.addExtension(Extension.keyUsage, true, ku);
BasicConstraints bc = new BasicConstraints(0);
certGenerator.addExtension(Extension.basicConstraints, true, bc);
String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(rcaKey, ScepHashAlgo.SHA256);
ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(rcaKey);
return certGenerator.build(contentSigner).toASN1Structure();
}
Also used :
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Date(java.util.Date)
X509KeyUsage(org.bouncycastle.jce.X509KeyUsage)
Example 85 with SubjectPublicKeyInfo
use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.
the class ScepServer method getServlet.
public ScepServlet getServlet() throws Exception {
if (servlet != null) {
return servlet;
}
KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA");
X500Name rcaSubject;
kpGen.initialize(2048);
KeyPair keypair = kpGen.generateKeyPair();
// CHECKSTYLE:SKIP
PrivateKey rcaKey = keypair.getPrivate();
rcaSubject = new X500Name("CN=RCA1, OU=emulator, O=xipki.org, C=DE");
kpGen.initialize(2048);
keypair = kpGen.generateKeyPair();
SubjectPublicKeyInfo pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
X500Name subject = new X500Name("CN=CA1, OU=emulator, O=xipki.org, C=DE");
this.caCert = issueSubCaCert(rcaKey, rcaSubject, pkInfo, subject, BigInteger.valueOf(2), new Date(System.currentTimeMillis() - 10 * CaEmulator.MIN_IN_MS));
CaEmulator ca = new CaEmulator(keypair.getPrivate(), this.caCert, generateCrl);
RaEmulator ra = null;
if (withRa) {
kpGen.initialize(2048);
keypair = kpGen.generateKeyPair();
pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
subject = new X500Name("CN=RA1, OU=emulator, O=xipki.org, C=DE");
this.raCert = ca.generateCert(pkInfo, subject);
ra = new RaEmulator(keypair.getPrivate(), this.raCert);
}
NextCaAndRa nextCaAndRa = null;
if (withNextCa) {
kpGen.initialize(2048);
keypair = kpGen.generateKeyPair();
pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
subject = new X500Name("CN=CA2, OU=emulator, O=xipki.org, C=DE");
Date startTime = new Date(System.currentTimeMillis() + 365 * CaEmulator.DAY_IN_MS);
this.nextCaCert = issueSubCaCert(rcaKey, rcaSubject, pkInfo, subject, BigInteger.valueOf(2), startTime);
CaEmulator tmpCa = new CaEmulator(keypair.getPrivate(), this.nextCaCert, generateCrl);
if (withRa) {
kpGen.initialize(2048);
keypair = kpGen.generateKeyPair();
pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
subject = new X500Name("CN=RA2, OU=emulator, O=xipki.org, C=DE");
Date raStartTime = new Date(startTime.getTime() + 10 * CaEmulator.DAY_IN_MS);
this.nextRaCert = tmpCa.generateCert(pkInfo, subject, raStartTime);
}
// end if(withRA)
nextCaAndRa = new NextCaAndRa(this.nextCaCert, this.nextRaCert);
}
// end if(withNextCA)
ScepResponder scepResponder = new ScepResponder(caCaps, ca, ra, nextCaAndRa, control);
if (maxSigningTimeBiasInMs != null) {
scepResponder.setMaxSigningTimeBias(maxSigningTimeBiasInMs);
}
this.servlet = new ScepServlet(scepResponder);
return this.servlet;
}
Also used :
KeyPair(java.security.KeyPair)
PrivateKey(java.security.PrivateKey)
KeyPairGenerator(java.security.KeyPairGenerator)
X500Name(org.bouncycastle.asn1.x500.X500Name)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
Date(java.util.Date)
Aggregations
SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)77
X500Name (org.bouncycastle.asn1.x500.X500Name)37
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)37
Date (java.util.Date)34
IOException (java.io.IOException)31
ContentSigner (org.bouncycastle.operator.ContentSigner)24
BigInteger (java.math.BigInteger)22
KeyPair (java.security.KeyPair)21
X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)21
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)19
KeyPairGenerator (java.security.KeyPairGenerator)17
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)17
X509Certificate (java.security.cert.X509Certificate)17
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)16
InvalidKeyException (java.security.InvalidKeyException)15
InvalidKeySpecException (java.security.spec.InvalidKeySpecException)15
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)15
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)13
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)13
PublicKey (java.security.PublicKey)12
