Use of org.openmuc.jasn1.compiler.pkix1explicit88.Certificate in project open-ecard by ecsec.
The class KeyLengthVerifier, method isValid.
/**
 * Checks that every public key in the server's certificate chain satisfies the
 * minimum length enforced by {@code KeyTools.assertKeyLength}.
 * <p>
 * The server (first) certificate is always measured, even when it is self
 * signed. Any later self-signed certificate is taken to be the chain's trust
 * anchor and its key is not measured; the length of a trust anchor's key is
 * therefore a matter for the trust store, not for this check.
 *
 * @param chain    the certificate chain presented by the TLS server
 * @param hostname the host name the chain was received for; not used by this check
 * @throws CertificateVerificationException if a certificate cannot be decoded or
 *         one of the measured keys is shorter than the required minimum
 */
@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
    try {
        int position = 0;
        for (TlsCertificate element : chain.getCertificate().getCertificateList()) {
            Certificate parsed = Certificate.getInstance(element.getEncoded());
            boolean issuedByItself = parsed.getIssuer().equals(parsed.getSubject());
            // A self-signed certificate that is not the server certificate is the
            // chain's root; only that one is exempt from the key length check.
            boolean trustAnchor = issuedByItself && position > 0;
            if (!trustAnchor) {
                AsymmetricKeyParameter publicKey = PublicKeyFactory.createKey(parsed.getSubjectPublicKeyInfo());
                KeyTools.assertKeyLength(publicKey);
            }
            position++;
        }
    } catch (IOException ex) {
        String msg = "Failed to extract public key from certificate.";
        throw new CertificateVerificationException(msg, ex);
    } catch (KeyLengthException ex) {
        String msg = "The key in the certificate does not satisfy the length requirements.";
        throw new CertificateVerificationException(msg, ex);
    }
}
Use of org.openmuc.jasn1.compiler.pkix1explicit88.Certificate in project open-ecard by ecsec.
The class ExpirationVerifier, method isValid.
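/**
 * Rejects the chain if any certificate in it is outside its validity period.
 * <p>
 * Every certificate of the chain is compared against a single time stamp taken
 * when the check starts: a certificate whose {@code notAfter} lies in the past
 * has expired, and one whose {@code notBefore} lies in the future is not yet
 * valid. Both cases are reported as a verification failure, since neither kind
 * of certificate may be relied upon.
 *
 * @param chain    the certificate chain presented by the TLS server
 * @param hostOrIP the host name or IP address the chain was received for; not
 *                 used by this check
 * @throws CertificateVerificationException if a certificate cannot be decoded,
 *         has expired, or is not yet valid
 */
@Override
public void isValid(TlsServerCertificate chain, String hostOrIP) throws CertificateVerificationException {
    try {
        // one time stamp for the whole chain so every certificate is judged consistently
        Date now = new Date();
        for (TlsCertificate next : chain.getCertificate().getCertificateList()) {
            Certificate c = Certificate.getInstance(next.getEncoded());
            Date notBefore = c.getStartDate().getDate();
            Date notAfter = c.getEndDate().getDate();
            if (now.after(notAfter)) {
                String msg = String.format("The certificate '%s' expired at %s.", c.getSubject(), notAfter);
                throw new CertificateVerificationException(msg);
            }
            // a certificate presented before its validity period starts is equally unusable
            if (now.before(notBefore)) {
                String msg = String.format("The certificate '%s' is not valid before %s.", c.getSubject(), notBefore);
                throw new CertificateVerificationException(msg);
            }
        }
    } catch (IOException ex) {
        throw new CertificateVerificationException("Invalid certificate received from server.", ex);
    }
}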
Use of org.openmuc.jasn1.compiler.pkix1explicit88.Certificate in project jruby-openssl by jruby.
The class OCSPRequest, method verify.
/**
 * Verifies the signature on this OCSP request and, unless disabled by flags,
 * the certificate chain of the signer.
 * <p>
 * Ruby signature: {@code verify(certificates, store, flags = 0)}. The signer
 * certificate is located by the requestor name carried in the request, the
 * request signature is checked against that certificate's public key, and the
 * signer certificate is then validated against {@code store} with the
 * OCSP-helper purpose and OCSP-request trust settings. The recognised flag
 * constants are OCSP_NOINTERN, OCSP_TRUSTOTHER, OCSP_NOVERIFY, OCSP_NOSIGS and
 * OCSP_NOCHAIN, read from the OCSP module of the running interpreter.
 * <p>
 * Returns Ruby {@code true} only when every enabled step succeeded; an
 * unsigned request, a requestor name that is not a directory name, an unknown
 * signer, an invalid signature or a failed chain verification all yield
 * Ruby {@code false}. Decoding or verification errors are raised as an
 * OCSPError.
 *
 * @param args two or three Ruby arguments: an array of candidate signer
 *             certificates, an X509 store, and optional integer flags
 * @return Ruby {@code true} or {@code false}
 */
@JRubyMethod(name = "verify", rest = true)
public IRubyObject verify(IRubyObject[] args) {
    Ruby runtime = getRuntime();
    ThreadContext context = runtime.getCurrentContext();
    int flags = 0;
    boolean ret = false;
    // Optional third argument carries the verification flags.
    // NOTE(review): the cast assumes a Fixnum; a non-integer flags argument would
    // raise a ClassCastException here, outside the try block below — confirm intended.
    if (Arity.checkArgumentCount(runtime, args, 2, 3) == 3) {
        flags = RubyFixnum.fix2int((RubyFixnum) args[2]);
    }
    IRubyObject certificates = args[0];
    IRubyObject store = args[1];
    OCSPReq bcOCSPReq = getBCOCSPReq();
    if (bcOCSPReq == null) {
        throw newOCSPError(runtime, new NullPointerException("Missing BC asn1bcReq. Missing certIDs or signature?"));
    }
    // An unsigned request has nothing to verify; it is reported as not verified.
    if (!bcOCSPReq.isSigned()) {
        return RubyBoolean.newBoolean(runtime, ret);
    }
    // Only a directoryName requestor (GeneralName tag 4) can be matched against a
    // certificate subject; any other name form cannot identify the signer.
    GeneralName genName = bcOCSPReq.getRequestorName();
    if (genName.getTagNo() != 4) {
        return RubyBoolean.newBoolean(runtime, ret);
    }
    X500Name genX500Name = X500Name.getInstance(genName.getName());
    X509StoreContext storeContext = null;
    JcaContentVerifierProviderBuilder jcacvpb = new JcaContentVerifierProviderBuilder();
    jcacvpb.setProvider("BC");
    try {
        // Locate the signer certificate; findCertByName is not shown here and is
        // presumably driven by OCSP_NOINTERN (whether certificates embedded in the
        // request may be used) — verify against its definition.
        java.security.cert.Certificate signer = findCertByName(genX500Name, certificates, flags);
        if (signer == null)
            return RubyBoolean.newBoolean(runtime, ret);
        // With both NOINTERN and TRUSTOTHER the explicitly supplied signer is
        // trusted as-is, so chain verification is switched off (matches OpenSSL).
        if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOINTERN))) > 0 && ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_TRUSTOTHER))) > 0))
            flags |= RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOVERIFY));
        // Signature check over the request, skipped when OCSP_NOSIGS is set.
        if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOSIGS))) == 0) {
            PublicKey signerPubKey = signer.getPublicKey();
            ContentVerifierProvider cvp = jcacvpb.build(signerPubKey);
            ret = bcOCSPReq.isSignatureValid(cvp);
            if (!ret) {
                return RubyBoolean.newBoolean(runtime, ret);
            }
        }
        // Chain verification of the signer, skipped when OCSP_NOVERIFY is set.
        // NOTE(review): ret is only ever set inside this block and the signature
        // block above, so with both NOSIGS and NOVERIFY set the method returns
        // false — confirm that is the intended result for "verify nothing".
        if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOVERIFY))) == 0) {
            if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOCHAIN))) > 0) {
                // NOCHAIN: verify the signer certificate alone, without any
                // intermediate certificates from the request.
                storeContext = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), context.nil);
            } else {
                // Otherwise hand the certificates embedded in the request's
                // signature to the store context as untrusted intermediates.
                // NOTE(review): this reads the asn1bcReq field directly while the
                // rest of the method uses the bcOCSPReq local from getBCOCSPReq();
                // presumably the same object — confirm.
                RubyArray certs = RubyArray.newEmptyArray(runtime);
                ASN1Sequence bcCerts = asn1bcReq.getOptionalSignature().getCerts();
                if (bcCerts != null) {
                    Iterator<ASN1Encodable> it = bcCerts.iterator();
                    while (it.hasNext()) {
                        Certificate cert = Certificate.getInstance(it.next());
                        certs.add(X509Cert.wrap(runtime, new X509AuxCertificate(cert)));
                    }
                }
                storeContext = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), certs);
            }
            storeContext.set_purpose(context, _X509(runtime).getConstant("PURPOSE_OCSP_HELPER"));
            storeContext.set_trust(context, _X509(runtime).getConstant("TRUST_OCSP_REQUEST"));
            ret = storeContext.verify(context).isTrue();
            if (!ret)
                return RubyBoolean.newBoolean(runtime, false);
        }
    } catch (Exception e) {
        // Any decoding, provider or store failure is reported to Ruby as an OCSPError;
        // the stack trace is only emitted in debug mode.
        debugStackTrace(e);
        throw newOCSPError(runtime, e);
    }
    return RubyBoolean.newBoolean(getRuntime(), ret);
}
Use of org.openmuc.jasn1.compiler.pkix1explicit88.Certificate in project robovm by robovm.
The class X509CertPathImpl, method getCertPathFromContentInfo.
/**
 * Builds a PKCS#7-encoded certificate path from the certificates carried in a
 * PKCS#7 {@code contentInfo} structure.
 * <p>
 * No validation of the embedded certificates takes place here; the path simply
 * mirrors the certificates field of the SignedData, in the order it lists them.
 *
 * @param contentInfo the PKCS#7 ContentInfo whose SignedData supplies the certificates
 * @return a path holding one {@link X509CertImpl} per embedded certificate, empty
 *         when the SignedData carries no certificates
 * @throws CertificateException if the ContentInfo does not contain SignedData
 */
private static X509CertPathImpl getCertPathFromContentInfo(ContentInfo contentInfo) throws CertificateException {
    final SignedData signedData = contentInfo.getSignedData();
    if (signedData == null) {
        throw new CertificateException("Incorrect PKCS7 encoded form: missing signed data");
    }
    final List<Certificate> embedded = signedData.getCertificates();
    final List<X509Certificate> path = new ArrayList<X509Certificate>();
    // the certificates field of SignedData is optional; absent means an empty path
    if (embedded != null) {
        for (Certificate encoded : embedded) {
            path.add(new X509CertImpl(encoded));
        }
    }
    return new X509CertPathImpl(path, Encoding.PKCS7);
}
Use of org.openmuc.jasn1.compiler.pkix1explicit88.Certificate in project platformlayer by platformlayer.
The class SimpleCertificateAuthority, method selfSign.
/**
 * Issues a self-signed certificate for the subject and public key found in a
 * certification request, signing it with the private half of {@code keyPair}.
 * <p>
 * The requested subject name is used as both subject and issuer. Nothing in
 * this method checks that the CSR's own signature is valid or that the CSR's
 * public key corresponds to {@code keyPair}; whether {@code parseCsr} does so
 * is not visible here.
 *
 * @param csr     the certification request to take subject and public key from
 * @param keyPair the key pair whose private key signs the certificate
 * @return the resulting certificate in JCA form
 * @throws OpsException if the CSR cannot be read
 */
public static X509Certificate selfSign(String csr, KeyPair keyPair) throws OpsException {
    try {
        PKCS10CertificationRequest request = parseCsr(csr);
        X500Name requestedSubject = request.getSubject();
        // self-signed: the requested subject acts as its own issuer
        Certificate issued = signCertificate(
                requestedSubject,
                keyPair.getPrivate(),
                requestedSubject,
                request.getSubjectPublicKeyInfo());
        return toX509(issued);
    } catch (IOException e) {
        throw new OpsException("Error reading CSR", e);
    }
}