Example 1 with Certificate
use of org.openecard.bouncycastle.tls.Certificate in project open-ecard by ecsec.
the class KeyTools method convertCertificates.
/**
* Converts the given certificate chain to a JCA CertPath.
*
* @param chain BouncyCastle list of certificates.
* @return CertPath instance with the exact same certificate chain.
* @throws CertificateException Thrown in case the JCA has problems supporting X509 or one of the certificates.
* @throws IOException Thrown in case there is en encoding error.
*/
public static CertPath convertCertificates(TlsCertificate... chain) throws CertificateException, IOException {
final int numCerts = chain.length;
ArrayList<java.security.cert.Certificate> result = new ArrayList<>(numCerts);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
for (TlsCertificate next : chain) {
byte[] nextData = next.getEncoded();
ByteArrayInputStream nextDataStream = new ByteArrayInputStream(nextData);
java.security.cert.Certificate nextConverted = cf.generateCertificate(nextDataStream);
result.add(nextConverted);
}
return cf.generateCertPath(result);
}
Also used :
ByteArrayInputStream(java.io.ByteArrayInputStream)
ArrayList(java.util.ArrayList)
CertificateFactory(java.security.cert.CertificateFactory)
Certificate(org.openecard.bouncycastle.tls.Certificate)
TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)
TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)
Example 2 with Certificate
use of org.openecard.bouncycastle.tls.Certificate in project open-ecard by ecsec.
the class SmartCardCredentialFactory method getClientCredentials.
@Override
public List<TlsCredentialedSigner> getClientCredentials(CertificateRequest cr) {
ArrayList<TlsCredentialedSigner> credentials = new ArrayList<>();
TlsCryptoParameters tlsCrypto = new TlsCryptoParameters(context);
LOG.debug("Selecting a suitable DID for the following requested algorithms:");
ArrayList<SignatureAndHashAlgorithm> crSigAlgs = getCrSigAlgs(cr);
removeUnsupportedAlgs(crSigAlgs);
for (SignatureAndHashAlgorithm reqAlg : crSigAlgs) {
String reqAlgStr = String.format("%s-%s", SignatureAlgorithm.getText(reqAlg.getSignature()), HashAlgorithm.getText(reqAlg.getHash()));
LOG.debug(" {}", reqAlgStr);
}
try {
DidInfos didInfos = tokenCache.getInfo(null, handle);
List<DidInfo> infos = didInfos.getCryptoDidInfos();
printCerts(infos);
// remove unsuitable DIDs
LOG.info("Sorting out DIDs not able to handle the TLS request.");
infos = removeSecretCertDids(infos);
infos = removeNonAuthDids(infos);
infos = removeUnsupportedAlgs(infos);
infos = removeUnsupportedCerts(cr, infos);
// infos = nonRawFirst(infos);
LOG.info("Creating signer instances for the TLS Client Certificate signature.");
// TLS < 1.2
if (crSigAlgs.isEmpty()) {
LOG.info("Looking for a raw RSA DID.");
for (DidInfo info : infos) {
try {
LOG.debug("Checking DID= {}.", info.getDidName());
TlsCredentialedSigner cred;
List<X509Certificate> chain = info.getRelatedCertificateChain();
Certificate clientCert = convertCert(context.getCrypto(), chain);
if (isRawRSA(info)) {
LOG.debug("Adding raw RSA signer.");
TlsSigner signer = new SmartCardSignerCredential(info);
cred = new DefaultTlsCredentialedSigner(tlsCrypto, signer, clientCert, null);
credentials.add(cred);
}
} catch (SecurityConditionUnsatisfiable | NoSuchDid | CertificateException | IOException ex) {
LOG.error("Failed to read certificates from card. Skipping DID " + info.getDidName() + ".", ex);
} catch (UnsupportedAlgorithmException ex) {
LOG.error("Unsupported algorithm used in CIF. Skipping DID " + info.getDidName() + ".", ex);
} catch (WSHelper.WSException ex) {
LOG.error("Unknown error accessing DID " + info.getDidName() + ".", ex);
}
}
} else {
// TLS >= 1.2
LOG.info("Looking for most specific DIDs.");
// looping over the servers alg list preserves its ordering
for (SignatureAndHashAlgorithm reqAlg : crSigAlgs) {
for (DidInfo info : infos) {
LOG.debug("Checking DID={}.", info.getDidName());
try {
AlgorithmInfoType algInfo = info.getGenericCryptoMarker().getAlgorithmInfo();
SignatureAlgorithms alg = SignatureAlgorithms.fromAlgId(algInfo.getAlgorithmIdentifier().getAlgorithm());
TlsCredentialedSigner cred;
List<X509Certificate> chain = info.getRelatedCertificateChain();
Certificate clientCert = convertCert(context.getCrypto(), chain);
// find one DID for this problem, then continue with the next algorithm
if (matchesAlg(reqAlg, alg) && (alg.getHashAlg() != null || isSafeForNoneDid(reqAlg))) {
LOG.debug("Adding {} signer.", alg.getJcaAlg());
TlsSigner signer = new SmartCardSignerCredential(info);
cred = new DefaultTlsCredentialedSigner(tlsCrypto, signer, clientCert, reqAlg);
credentials.add(cred);
// break;
return credentials;
}
} catch (SecurityConditionUnsatisfiable | NoSuchDid | CertificateException | IOException ex) {
LOG.error("Failed to read certificates from card. Skipping DID " + info.getDidName() + ".", ex);
} catch (UnsupportedAlgorithmException ex) {
LOG.error("Unsupported algorithm used in CIF. Skipping DID " + info.getDidName() + ".", ex);
} catch (WSHelper.WSException ex) {
LOG.error("Unknown error accessing DID " + info.getDidName() + ".", ex);
}
}
}
}
} catch (NoSuchDid | WSHelper.WSException ex) {
LOG.error("Failed to access DIDs of smartcard. Proceeding without client authentication.", ex);
}
return credentials;
}
Also used :
ArrayList(java.util.ArrayList)
SecurityConditionUnsatisfiable(org.openecard.common.SecurityConditionUnsatisfiable)
CertificateException(java.security.cert.CertificateException)
SignatureAndHashAlgorithm(org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm)
DidInfo(org.openecard.crypto.common.sal.did.DidInfo)
AlgorithmInfoType(iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType)
DefaultTlsCredentialedSigner(org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner)
TlsCryptoParameters(org.openecard.bouncycastle.tls.crypto.TlsCryptoParameters)
TlsSigner(org.openecard.bouncycastle.tls.crypto.TlsSigner)
WSHelper(org.openecard.common.WSHelper)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException)
SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms)
DefaultTlsCredentialedSigner(org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner)
TlsCredentialedSigner(org.openecard.bouncycastle.tls.TlsCredentialedSigner)
NoSuchDid(org.openecard.crypto.common.sal.did.NoSuchDid)
DidInfos(org.openecard.crypto.common.sal.did.DidInfos)
X509Certificate(java.security.cert.X509Certificate)
TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)
Certificate(org.openecard.bouncycastle.tls.Certificate)
Aggregations
ArrayList (java.util.ArrayList)2
Certificate (org.openecard.bouncycastle.tls.Certificate)2
TlsCertificate (org.openecard.bouncycastle.tls.crypto.TlsCertificate)2
AlgorithmInfoType (iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType)1
ByteArrayInputStream (java.io.ByteArrayInputStream)1
IOException (java.io.IOException)1
CertificateException (java.security.cert.CertificateException)1
CertificateFactory (java.security.cert.CertificateFactory)1
X509Certificate (java.security.cert.X509Certificate)1
DefaultTlsCredentialedSigner (org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner)1
SignatureAndHashAlgorithm (org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm)1
TlsCredentialedSigner (org.openecard.bouncycastle.tls.TlsCredentialedSigner)1
TlsCryptoParameters (org.openecard.bouncycastle.tls.crypto.TlsCryptoParameters)1
TlsSigner (org.openecard.bouncycastle.tls.crypto.TlsSigner)1
SecurityConditionUnsatisfiable (org.openecard.common.SecurityConditionUnsatisfiable)1
WSHelper (org.openecard.common.WSHelper)1
SignatureAlgorithms (org.openecard.crypto.common.SignatureAlgorithms)1
UnsupportedAlgorithmException (org.openecard.crypto.common.UnsupportedAlgorithmException)1
DidInfo (org.openecard.crypto.common.sal.did.DidInfo)1
DidInfos (org.openecard.crypto.common.sal.did.DidInfos)1
