Search in sources :

Example 6 with CertificateList

use of org.openmuc.jasn1.compiler.pkix1explicit88.CertificateList in project jasn1 by openmuc.

the class LoadCRLRequest method decode.

public int decode(InputStream is, boolean withTag) throws IOException {
    int codeLength = 0;
    int subCodeLength = 0;
    BerTag berTag = new BerTag();
    if (withTag) {
        codeLength += tag.decodeAndCheck(is);
    }
    BerLength length = new BerLength();
    codeLength += length.decode(is);
    int totalLength = length.val;
    if (totalLength == -1) {
        subCodeLength += berTag.decode(is);
        if (berTag.tagNumber == 0 && berTag.tagClass == 0 && berTag.primitive == 0) {
            int nextByte = is.read();
            if (nextByte != 0) {
                if (nextByte == -1) {
                    throw new EOFException("Unexpected end of input stream.");
                }
                throw new IOException("Decoded sequence has wrong end of contents octets");
            }
            codeLength += subCodeLength + 1;
            return codeLength;
        }
        if (berTag.equals(BerTag.CONTEXT_CLASS, BerTag.CONSTRUCTED, 0)) {
            crl = new CertificateList();
            subCodeLength += crl.decode(is, false);
            subCodeLength += berTag.decode(is);
        }
        int nextByte = is.read();
        if (berTag.tagNumber != 0 || berTag.tagClass != 0 || berTag.primitive != 0 || nextByte != 0) {
            if (nextByte == -1) {
                throw new EOFException("Unexpected end of input stream.");
            }
            throw new IOException("Decoded sequence has wrong end of contents octets");
        }
        codeLength += subCodeLength + 1;
        return codeLength;
    }
    codeLength += totalLength;
    subCodeLength += berTag.decode(is);
    if (berTag.equals(BerTag.CONTEXT_CLASS, BerTag.CONSTRUCTED, 0)) {
        crl = new CertificateList();
        subCodeLength += crl.decode(is, false);
        if (subCodeLength == totalLength) {
            return codeLength;
        }
    }
    throw new IOException("Unexpected end of sequence, length tag: " + totalLength + ", actual sequence length: " + subCodeLength);
}
Also used : EOFException(java.io.EOFException) CertificateList(org.openmuc.jasn1.compiler.pkix1explicit88.CertificateList) IOException(java.io.IOException)

Example 7 with CertificateList

use of org.openmuc.jasn1.compiler.pkix1explicit88.CertificateList in project xipki by xipki.

the class ScepImpl method getCrl.

// method buildSignedData
private SignedData getCrl(X509Ca ca, BigInteger serialNumber) throws FailInfoException, OperationException {
    if (!control.isSupportGetCrl()) {
        throw FailInfoException.BAD_REQUEST;
    }
    CertificateList crl = ca.getBcCurrentCrl();
    if (crl == null) {
        throw FailInfoException.BAD_REQUEST;
    }
    CMSSignedDataGenerator cmsSignedDataGen = new CMSSignedDataGenerator();
    cmsSignedDataGen.addCRL(new X509CRLHolder(crl));
    CMSSignedData signedData;
    try {
        signedData = cmsSignedDataGen.generate(new CMSAbsentContent());
    } catch (CMSException ex) {
        LogUtil.error(LOG, ex, "could not generate CMSSignedData");
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
    }
    return SignedData.getInstance(signedData.toASN1Structure().getContent());
}
Also used : CMSSignedDataGenerator(org.bouncycastle.cms.CMSSignedDataGenerator) CMSAbsentContent(org.bouncycastle.cms.CMSAbsentContent) CertificateList(org.bouncycastle.asn1.x509.CertificateList) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) CMSSignedData(org.bouncycastle.cms.CMSSignedData) OperationException(org.xipki.ca.api.OperationException) CMSException(org.bouncycastle.cms.CMSException)

Example 8 with CertificateList

use of org.openmuc.jasn1.compiler.pkix1explicit88.CertificateList in project jruby-openssl by jruby.

the class SecurityHelper method verify.

static boolean verify(final X509CRL crl, final PublicKey publicKey, final boolean silent) throws NoSuchAlgorithmException, CRLException, InvalidKeyException, SignatureException {
    if (crl instanceof X509CRLObject) {
        final CertificateList crlList = (CertificateList) getCertificateList(crl);
        final AlgorithmIdentifier tbsSignatureId = crlList.getTBSCertList().getSignature();
        if (!crlList.getSignatureAlgorithm().equals(tbsSignatureId)) {
            if (silent)
                return false;
            throw new CRLException("Signature algorithm on CertificateList does not match TBSCertList.");
        }
        final Signature signature = getSignature(crl.getSigAlgName(), securityProvider);
        signature.initVerify(publicKey);
        signature.update(crl.getTBSCertList());
        if (!signature.verify(crl.getSignature())) {
            if (silent)
                return false;
            throw new SignatureException("CRL does not verify with supplied public key.");
        }
        return true;
    } else {
        try {
            final DigestAlgorithmIdentifierFinder digestAlgFinder = new DefaultDigestAlgorithmIdentifierFinder();
            final ContentVerifierProvider verifierProvider;
            if ("DSA".equalsIgnoreCase(publicKey.getAlgorithm())) {
                BigInteger y = ((DSAPublicKey) publicKey).getY();
                DSAParams params = ((DSAPublicKey) publicKey).getParams();
                DSAParameters parameters = new DSAParameters(params.getP(), params.getQ(), params.getG());
                AsymmetricKeyParameter dsaKey = new DSAPublicKeyParameters(y, parameters);
                verifierProvider = new BcDSAContentVerifierProviderBuilder(digestAlgFinder).build(dsaKey);
            } else {
                BigInteger mod = ((RSAPublicKey) publicKey).getModulus();
                BigInteger exp = ((RSAPublicKey) publicKey).getPublicExponent();
                AsymmetricKeyParameter rsaKey = new RSAKeyParameters(false, mod, exp);
                verifierProvider = new BcRSAContentVerifierProviderBuilder(digestAlgFinder).build(rsaKey);
            }
            return new X509CRLHolder(crl.getEncoded()).isSignatureValid(verifierProvider);
        } catch (OperatorException e) {
            throw new SignatureException(e);
        } catch (CertException e) {
            throw new SignatureException(e);
        }// can happen if the input is DER but does not match expected strucure
         catch (ClassCastException e) {
            throw new SignatureException(e);
        } catch (IOException e) {
            throw new SignatureException(e);
        }
    }
}
Also used : DSAPublicKeyParameters(org.bouncycastle.crypto.params.DSAPublicKeyParameters) X509CRLObject(org.bouncycastle.jce.provider.X509CRLObject) BcRSAContentVerifierProviderBuilder(org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder) CertificateList(org.bouncycastle.asn1.x509.CertificateList) CertException(org.bouncycastle.cert.CertException) SignatureException(java.security.SignatureException) DSAParams(java.security.interfaces.DSAParams) IOException(java.io.IOException) DigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DigestAlgorithmIdentifierFinder) DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder) DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder) RSAKeyParameters(org.bouncycastle.crypto.params.RSAKeyParameters) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) DSAPublicKey(java.security.interfaces.DSAPublicKey) AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter) RSAPublicKey(java.security.interfaces.RSAPublicKey) Signature(java.security.Signature) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) BigInteger(java.math.BigInteger) BcDSAContentVerifierProviderBuilder(org.bouncycastle.operator.bc.BcDSAContentVerifierProviderBuilder) CRLException(java.security.cert.CRLException) DSAParameters(org.bouncycastle.crypto.params.DSAParameters) OperatorException(org.bouncycastle.operator.OperatorException) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 9 with CertificateList

use of org.openmuc.jasn1.compiler.pkix1explicit88.CertificateList in project XobotOS by xamarin.

the class CertPathValidatorUtilities method getCertStatus.

protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, CertStatus certStatus) throws AnnotatedException {
    // use BC X509CRLObject so that indirect CRLs are supported
    X509CRLObject bcCRL = null;
    try {
        bcCRL = new X509CRLObject(new CertificateList((ASN1Sequence) ASN1Sequence.fromByteArray(crl.getEncoded())));
    } catch (Exception exception) {
        throw new AnnotatedException("Bouncy Castle X509CRLObject could not be created.", exception);
    }
    // use BC X509CRLEntryObject, so that getCertificateIssuer() is
    // supported.
    X509CRLEntryObject crl_entry = (X509CRLEntryObject) bcCRL.getRevokedCertificate(getSerialNumber(cert));
    if (crl_entry != null && (getEncodedIssuerPrincipal(cert).equals(crl_entry.getCertificateIssuer()) || getEncodedIssuerPrincipal(cert).equals(getIssuerPrincipal(crl)))) {
        DEREnumerated reasonCode = null;
        if (crl_entry.hasExtensions()) {
            try {
                reasonCode = DEREnumerated.getInstance(CertPathValidatorUtilities.getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId()));
            } catch (Exception e) {
                new AnnotatedException("Reason code CRL entry extension could not be decoded.", e);
            }
        }
        // unspecified
        if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime()) || reasonCode == null || reasonCode.getValue().intValue() == 0 || reasonCode.getValue().intValue() == 1 || reasonCode.getValue().intValue() == 2 || reasonCode.getValue().intValue() == 8) {
            // (i) or (j) (1)
            if (reasonCode != null) {
                certStatus.setCertStatus(reasonCode.getValue().intValue());
            } else // (i) or (j) (2)
            {
                certStatus.setCertStatus(CRLReason.unspecified);
            }
            certStatus.setRevocationDate(crl_entry.getRevocationDate());
        }
    }
}
Also used : DEREnumerated(org.bouncycastle.asn1.DEREnumerated) CertificateList(org.bouncycastle.asn1.x509.CertificateList) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ParseException(java.text.ParseException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertStoreException(java.security.cert.CertStoreException) CertificateParsingException(java.security.cert.CertificateParsingException) StoreException(org.bouncycastle.util.StoreException) IOException(java.io.IOException)

Example 10 with CertificateList

use of org.openmuc.jasn1.compiler.pkix1explicit88.CertificateList in project XobotOS by xamarin.

the class X509CertFactoryImpl method engineGenerateCRLs.

/**
     * @see java.security.cert.CertificateFactorySpi#engineGenerateCRLs(InputStream)
     * method documentation for more info
     */
public Collection<? extends CRL> engineGenerateCRLs(InputStream inStream) throws CRLException {
    if (inStream == null) {
        throw new CRLException("inStream == null");
    }
    ArrayList<CRL> result = new ArrayList<CRL>();
    try {
        if (!inStream.markSupported()) {
            inStream = new RestoringInputStream(inStream);
        }
        // if it is PEM encoded form this array will contain the encoding
        // so ((it is PEM) <-> (encoding != null))
        byte[] encoding = null;
        // The following by SEQUENCE ASN.1 tag, used for
        // recognizing the data format
        // (is it PKCS7 ContentInfo structure, X.509 CRL, or
        // unsupported encoding)
        int second_asn1_tag = -1;
        inStream.mark(1);
        int ch;
        while ((ch = inStream.read()) != -1) {
            // check if it is PEM encoded form
            if (ch == '-') {
                // beginning of PEM encoding ('-' char)
                // decode PEM chunk and store its content (ASN.1 encoding)
                encoding = decodePEM(inStream, FREE_BOUND_SUFFIX);
            } else if (ch == 0x30) {
                // beginning of ASN.1 sequence (0x30)
                encoding = null;
                inStream.reset();
                // prepare for data format determination
                inStream.mark(CRL_CACHE_SEED_LENGTH);
            } else {
                // unsupported data
                if (result.size() == 0) {
                    throw new CRLException("Unsupported encoding");
                } else {
                    // it can be trailing user data,
                    // so keep it in the stream
                    inStream.reset();
                    return result;
                }
            }
            // Check the data format
            BerInputStream in = (encoding == null) ? new BerInputStream(inStream) : new BerInputStream(encoding);
            // read the next ASN.1 tag
            second_asn1_tag = in.next();
            if (encoding == null) {
                // keep whole structure in the stream
                inStream.reset();
            }
            // check if it is a TBSCertList structure
            if (second_asn1_tag != ASN1Constants.TAG_C_SEQUENCE) {
                if (result.size() == 0) {
                    // whether it is PKCS7 structure
                    break;
                } else {
                    // so return what we already read
                    return result;
                }
            } else {
                if (encoding == null) {
                    result.add(getCRL(inStream));
                } else {
                    result.add(getCRL(encoding));
                }
            }
            inStream.mark(1);
        }
        if (result.size() != 0) {
            // the stream was read out
            return result;
        } else if (ch == -1) {
            throw new CRLException("There is no data in the stream");
        }
        // else: check if it is PKCS7
        if (second_asn1_tag == ASN1Constants.TAG_OID) {
            // it is PKCS7 ContentInfo structure, so decode it
            ContentInfo info = (ContentInfo) ((encoding != null) ? ContentInfo.ASN1.decode(encoding) : ContentInfo.ASN1.decode(inStream));
            // retrieve SignedData
            SignedData data = info.getSignedData();
            if (data == null) {
                throw new CRLException("Invalid PKCS7 data provided");
            }
            List<CertificateList> crls = data.getCRLs();
            if (crls != null) {
                for (CertificateList crl : crls) {
                    result.add(new X509CRLImpl(crl));
                }
            }
            return result;
        }
        // else: Unknown data format
        throw new CRLException("Unsupported encoding");
    } catch (IOException e) {
        throw new CRLException(e);
    }
}
Also used : SignedData(org.apache.harmony.security.pkcs7.SignedData) ArrayList(java.util.ArrayList) CertificateList(org.apache.harmony.security.x509.CertificateList) IOException(java.io.IOException) ContentInfo(org.apache.harmony.security.pkcs7.ContentInfo) X509CRL(java.security.cert.X509CRL) CRL(java.security.cert.CRL) BerInputStream(org.apache.harmony.security.asn1.BerInputStream) CRLException(java.security.cert.CRLException)

Aggregations

CertificateList (org.bouncycastle.asn1.x509.CertificateList)10 IOException (java.io.IOException)6 CRLException (java.security.cert.CRLException)6 X509CRL (java.security.cert.X509CRL)5 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)5 CertificateException (java.security.cert.CertificateException)3 ArrayList (java.util.ArrayList)3 DERSequence (org.bouncycastle.asn1.DERSequence)3 OperationException (org.xipki.ca.api.OperationException)3 BigInteger (java.math.BigInteger)2 CRL (java.security.cert.CRL)2 X509Certificate (java.security.cert.X509Certificate)2 Date (java.util.Date)2 BerInputStream (org.apache.harmony.security.asn1.BerInputStream)2 ContentInfo (org.apache.harmony.security.pkcs7.ContentInfo)2 SignedData (org.apache.harmony.security.pkcs7.SignedData)2 CertificateList (org.apache.harmony.security.x509.CertificateList)2 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)2 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)2 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)2