Search in sources :

Example 86 with SubjectPublicKeyInfo

use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.

the class AbstractCaTest method test.

@Test
public void test() throws Exception {
    CaIdentifier caId = new CaIdentifier("http://localhost:" + port + "/scep/pkiclient.exe", null);
    CaCertValidator caCertValidator = new PreprovisionedCaCertValidator(ScepUtil.toX509Cert(scepServer.getCaCert()));
    ScepClient client = new ScepClient(caId, caCertValidator);
    client.setUseInsecureAlgorithms(useInsecureAlgorithms());
    client.refresh();
    CaCaps expCaCaps = getExpectedCaCaps();
    // CACaps
    CaCaps caCaps = client.getCaCaps();
    Assert.assertEquals("CACaps", expCaCaps, caCaps);
    // CA certificate
    Certificate expCaCert = scepServer.getCaCert();
    X509Certificate caCert = client.getAuthorityCertStore().getCaCert();
    if (!equals(expCaCert, caCert)) {
        Assert.fail("Configured and received CA certificate not the same");
    }
    boolean withRa = isWithRa();
    // RA
    if (withRa) {
        Certificate expRaCert = scepServer.getRaCert();
        X509Certificate raSigCert = client.getAuthorityCertStore().getSignatureCert();
        X509Certificate raEncCert = client.getAuthorityCertStore().getEncryptionCert();
        Assert.assertEquals("RA certificate", raSigCert, raEncCert);
        if (!equals(expRaCert, raSigCert)) {
            Assert.fail("Configured and received RA certificate not the same");
        }
    }
    // getNextCA
    if (isWithNextCa()) {
        AuthorityCertStore nextCa = client.scepNextCaCert();
        Certificate expNextCaCert = scepServer.getNextCaCert();
        X509Certificate nextCaCert = nextCa.getCaCert();
        if (!equals(expNextCaCert, nextCaCert)) {
            Assert.fail("Configured and received next CA certificate not the same");
        }
        if (withRa) {
            Certificate expNextRaCert = scepServer.getNextRaCert();
            X509Certificate nextRaSigCert = nextCa.getSignatureCert();
            X509Certificate nextRaEncCert = nextCa.getEncryptionCert();
            Assert.assertEquals("Next RA certificate", nextRaSigCert, nextRaEncCert);
            if (!equals(expNextRaCert, nextRaSigCert)) {
                Assert.fail("Configured and received next RA certificate not the same");
            }
        }
    }
    // enroll
    CertificationRequest csr;
    X509Certificate selfSignedCert;
    X509Certificate enroledCert;
    X500Name issuerName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    PrivateKey privKey;
    {
        KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA");
        kpGen.initialize(2048);
        KeyPair keypair = kpGen.generateKeyPair();
        privKey = keypair.getPrivate();
        SubjectPublicKeyInfo subjectPublicKeyInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
        X500Name subject = new X500Name("CN=EE1, OU=emulator, O=xipki.org, C=DE");
        // first try without secret
        PKCS10CertificationRequest p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, null, null);
        csr = p10Req.toASN1Structure();
        selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
        EnrolmentResponse enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
        PkiStatus status = enrolResp.getPkcsRep().getPkiStatus();
        Assert.assertEquals("PkiStatus without secret", PkiStatus.FAILURE, status);
        // then try invalid secret
        p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, "invalid-" + secret, null);
        csr = p10Req.toASN1Structure();
        selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
        enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
        status = enrolResp.getPkcsRep().getPkiStatus();
        Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
        // try with valid secret
        p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
        csr = p10Req.toASN1Structure();
        selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
        enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
        List<X509Certificate> certs = enrolResp.getCertificates();
        Assert.assertTrue("number of received certificates", certs.size() > 0);
        X509Certificate cert = certs.get(0);
        Assert.assertNotNull("enroled certificate", cert);
        enroledCert = cert;
        // try :: self-signed certificate's subject different from the one of CSR
        p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
        csr = p10Req.toASN1Structure();
        selfSignedCert = ScepUtil.generateSelfsignedCert(new X500Name("CN=dummy"), csr.getCertificationRequestInfo().getSubjectPublicKeyInfo(), privKey);
        enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
        status = enrolResp.getPkcsRep().getPkiStatus();
        Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
    }
    // certPoll
    EnrolmentResponse enrolResp = client.scepCertPoll(privKey, selfSignedCert, csr, issuerName);
    List<X509Certificate> certs = enrolResp.getCertificates();
    Assert.assertTrue("number of received certificates", certs.size() > 0);
    X509Certificate cert = certs.get(0);
    Assert.assertNotNull("enrolled certificate", cert);
    // getCert
    certs = client.scepGetCert(privKey, selfSignedCert, issuerName, enroledCert.getSerialNumber());
    Assert.assertTrue("number of received certificates", certs.size() > 0);
    cert = certs.get(0);
    Assert.assertNotNull("received certificate", cert);
    // getCRL
    X509CRL crl = client.scepGetCrl(privKey, enroledCert, issuerName, enroledCert.getSerialNumber());
    Assert.assertNotNull("received CRL", crl);
    // getNextCA
    AuthorityCertStore nextCa = client.scepNextCaCert();
    Assert.assertNotNull("nextCa", nextCa);
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) PkiStatus(org.xipki.scep.transaction.PkiStatus) KeyPair(java.security.KeyPair) PrivateKey(java.security.PrivateKey) X509CRL(java.security.cert.X509CRL) CaIdentifier(org.xipki.scep.client.CaIdentifier) ScepClient(org.xipki.scep.client.ScepClient) X500Name(org.bouncycastle.asn1.x500.X500Name) KeyPairGenerator(java.security.KeyPairGenerator) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) X509Certificate(java.security.cert.X509Certificate) CaCertValidator(org.xipki.scep.client.CaCertValidator) PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator) CaCaps(org.xipki.scep.message.CaCaps) PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator) EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse) AuthorityCertStore(org.xipki.scep.message.AuthorityCertStore) List(java.util.List) PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate) Test(org.junit.Test)

Example 87 with SubjectPublicKeyInfo

use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.

the class CaEmulator method verifyPopo.

private boolean verifyPopo(CertificationRequest csr) {
    ScepUtil.requireNonNull("csr", csr);
    try {
        PKCS10CertificationRequest p10Req = new PKCS10CertificationRequest(csr);
        SubjectPublicKeyInfo pkInfo = p10Req.getSubjectPublicKeyInfo();
        PublicKey pk = generatePublicKey(pkInfo);
        ContentVerifierProvider cvp = getContentVerifierProvider(pk);
        return p10Req.isSignatureValid(cvp);
    } catch (InvalidKeyException | PKCSException | NoSuchAlgorithmException | InvalidKeySpecException ex) {
        LOG.error("could not validate POPO of CSR", ex);
        return false;
    }
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) RSAPublicKey(java.security.interfaces.RSAPublicKey) ECPublicKey(java.security.interfaces.ECPublicKey) PublicKey(java.security.PublicKey) DSAPublicKey(java.security.interfaces.DSAPublicKey) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) InvalidKeyException(java.security.InvalidKeyException) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) PKCSException(org.bouncycastle.pkcs.PKCSException) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 88 with SubjectPublicKeyInfo

use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.

the class SecurityFactoryImpl method verifyPopo.

@Override
public boolean verifyPopo(PKCS10CertificationRequest csr, AlgorithmValidator algoValidator) {
    if (algoValidator != null) {
        AlgorithmIdentifier algId = csr.getSignatureAlgorithm();
        if (!algoValidator.isAlgorithmPermitted(algId)) {
            String algoName;
            try {
                algoName = AlgorithmUtil.getSignatureAlgoName(algId);
            } catch (NoSuchAlgorithmException ex) {
                algoName = algId.getAlgorithm().getId();
            }
            LOG.error("POPO signature algorithm {} not permitted", algoName);
            return false;
        }
    }
    try {
        SubjectPublicKeyInfo pkInfo = csr.getSubjectPublicKeyInfo();
        PublicKey pk = KeyUtil.generatePublicKey(pkInfo);
        ContentVerifierProvider cvp = getContentVerifierProvider(pk);
        return csr.isSignatureValid(cvp);
    } catch (InvalidKeyException | PKCSException | NoSuchAlgorithmException | InvalidKeySpecException ex) {
        LogUtil.error(LOG, ex, "could not validate POPO of CSR");
        return false;
    }
}
Also used : PublicKey(java.security.PublicKey) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) InvalidKeyException(java.security.InvalidKeyException) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) PKCSException(org.bouncycastle.pkcs.PKCSException) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 89 with SubjectPublicKeyInfo

use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project service-proxy by membrane.

the class GeneratingSSLContext method sign.

public static X509Certificate sign(String subjectName, X509Certificate caPublic, PrivateKey caPrivate, PublicKey keyPublic) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, IOException, OperatorCreationException, CertificateException {
    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
    AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(caPrivate.getEncoded());
    SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(keyPublic.getEncoded());
    org.bouncycastle.asn1.x500.X500Name caName = new JcaX509CertificateHolder(caPublic).getSubject();
    X509v3CertificateBuilder myCertificateGenerator = new X509v3CertificateBuilder(caName, new BigInteger("1"), new Date(System.currentTimeMillis() - 30 * 24 * 24 * 60 * 60 * 1000), new Date(System.currentTimeMillis() + 30 * 365 * 24 * 60 * 60 * 1000), new org.bouncycastle.asn1.x500.X500Name(subjectName), keyInfo);
    ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(foo);
    X509CertificateHolder holder = myCertificateGenerator.build(sigGen);
    org.bouncycastle.asn1.x509.Certificate eeX509CertificateStructure = holder.toASN1Structure();
    CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
    // Read Certificate
    InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded());
    X509Certificate theCert = (X509Certificate) cf.generateCertificate(is1);
    is1.close();
    return theCert;
// return null;
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) ContentSigner(org.bouncycastle.operator.ContentSigner) DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) CertificateFactory(java.security.cert.CertificateFactory) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) DefaultSignatureAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder) BcRSAContentSignerBuilder(org.bouncycastle.operator.bc.BcRSAContentSignerBuilder) AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter) ByteArrayInputStream(java.io.ByteArrayInputStream) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) BigInteger(java.math.BigInteger)

Example 90 with SubjectPublicKeyInfo

use of org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo in project keystore-explorer by kaikramer.

the class OpenSslPubUtil method load.

/**
 * Load an unencrypted OpenSSL public key from the stream. The encoding of
 * the public key may be PEM or DER.
 *
 * @param is
 *            Stream to load the unencrypted public key from
 * @return The public key
 * @throws CryptoException
 *             Problem encountered while loading the public key
 * @throws IOException
 *             An I/O error occurred
 */
public static PublicKey load(InputStream is) throws CryptoException, IOException {
    byte[] streamContents = ReadUtil.readFully(is);
    // Check if stream is PEM encoded
    PemInfo pemInfo = PemUtil.decode(new ByteArrayInputStream(streamContents));
    if (pemInfo != null) {
        // It is - get DER from PEM
        streamContents = pemInfo.getContent();
    }
    try {
        // DER-encoded subjectPublicKeyInfo structure - the OpenSSL format
        SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(streamContents);
        return new JcaPEMKeyConverter().getPublicKey(publicKeyInfo);
    } catch (Exception ex) {
        throw new CryptoException(res.getString("NoLoadOpenSslPublicKey.exception.message"), ex);
    }
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) PemInfo(org.kse.utilities.pem.PemInfo) JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter) CryptoException(org.kse.crypto.CryptoException) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) IOException(java.io.IOException) CryptoException(org.kse.crypto.CryptoException)

Aggregations

SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)77 X500Name (org.bouncycastle.asn1.x500.X500Name)37 AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)37 Date (java.util.Date)34 IOException (java.io.IOException)31 ContentSigner (org.bouncycastle.operator.ContentSigner)24 BigInteger (java.math.BigInteger)22 KeyPair (java.security.KeyPair)21 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)21 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)19 KeyPairGenerator (java.security.KeyPairGenerator)17 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)17 X509Certificate (java.security.cert.X509Certificate)17 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)16 InvalidKeyException (java.security.InvalidKeyException)15 InvalidKeySpecException (java.security.spec.InvalidKeySpecException)15 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)15 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)13 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)13 PublicKey (java.security.PublicKey)12