Example 91 with X500Name
use of org.spongycastle.asn1.x500.X500Name in project xipki by xipki.
the class ScepResponder method servicePkiOperation0.
private PkiMessage servicePkiOperation0(DecodedPkiMessage req, AuditEvent event) throws MessageDecodingException, CaException {
TransactionId tid = req.getTransactionId();
PkiMessage rep = new PkiMessage(tid, MessageType.CertRep, Nonce.randomNonce());
rep.setPkiStatus(PkiStatus.SUCCESS);
rep.setRecipientNonce(req.getSenderNonce());
if (req.getFailureMessage() != null) {
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
}
Boolean bo = req.isSignatureValid();
if (bo != null && !bo.booleanValue()) {
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badMessageCheck);
}
bo = req.isDecryptionSuccessful();
if (bo != null && !bo.booleanValue()) {
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
}
Date signingTime = req.getSigningTime();
if (maxSigningTimeBiasInMs > 0) {
boolean isTimeBad = false;
if (signingTime == null) {
isTimeBad = true;
} else {
long now = System.currentTimeMillis();
long diff = now - signingTime.getTime();
if (diff < 0) {
diff = -1 * diff;
}
isTimeBad = diff > maxSigningTimeBiasInMs;
}
if (isTimeBad) {
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badTime);
}
}
// check the digest algorithm
String oid = req.getDigestAlgorithm().getId();
ScepHashAlgo hashAlgo = ScepHashAlgo.forNameOrOid(oid);
if (hashAlgo == null) {
LOG.warn("tid={}: unknown digest algorithm {}", tid, oid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
}
// end if
boolean supported = false;
if (hashAlgo == ScepHashAlgo.SHA1) {
if (caCaps.containsCapability(CaCapability.SHA1)) {
supported = true;
}
} else if (hashAlgo == ScepHashAlgo.SHA256) {
if (caCaps.containsCapability(CaCapability.SHA256)) {
supported = true;
}
} else if (hashAlgo == ScepHashAlgo.SHA512) {
if (caCaps.containsCapability(CaCapability.SHA512)) {
supported = true;
}
} else if (hashAlgo == ScepHashAlgo.MD5) {
if (control.isUseInsecureAlg()) {
supported = true;
}
}
if (!supported) {
LOG.warn("tid={}: unsupported digest algorithm {}", tid, oid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
}
// end if
// check the content encryption algorithm
ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm();
if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) {
if (!caCaps.containsCapability(CaCapability.DES3)) {
LOG.warn("tid={}: encryption with DES3 algorithm is not permitted", tid, encOid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
}
} else if (AES_ENC_ALGS.contains(encOid)) {
if (!caCaps.containsCapability(CaCapability.AES)) {
LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
}
} else if (CMSAlgorithm.DES_CBC.equals(encOid)) {
if (!control.isUseInsecureAlg()) {
LOG.warn("tid={}: encryption with DES algorithm {} is not permitted", tid, encOid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
}
} else {
LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
}
if (rep.getPkiStatus() == PkiStatus.FAILURE) {
return rep;
}
MessageType messageType = req.getMessageType();
switch(messageType) {
case PKCSReq:
boolean selfSigned = req.getSignatureCert().getIssuerX500Principal().equals(req.getSignatureCert().getIssuerX500Principal());
CertificationRequest csr = CertificationRequest.getInstance(req.getMessageData());
if (selfSigned) {
X500Name name = X500Name.getInstance(req.getSignatureCert().getSubjectX500Principal().getEncoded());
if (!name.equals(csr.getCertificationRequestInfo().getSubject())) {
LOG.warn("tid={}: self-signed cert.subject != CSR.subject", tid);
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
}
}
String challengePwd = getChallengePassword(csr.getCertificationRequestInfo());
if (challengePwd == null || !control.getSecret().equals(challengePwd)) {
LOG.warn("challengePassword is not trusted");
return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
}
Certificate cert;
try {
cert = caEmulator.generateCert(csr);
} catch (Exception ex) {
throw new CaException("system failure: " + ex.getMessage(), ex);
}
if (cert != null && control.isPendingCert()) {
rep.setPkiStatus(PkiStatus.PENDING);
} else if (cert != null) {
ContentInfo messageData = createSignedData(cert);
rep.setMessageData(messageData);
} else {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
}
break;
case CertPoll:
IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData());
cert = caEmulator.pollCert(is.getIssuer(), is.getSubject());
if (cert != null) {
rep.setMessageData(createSignedData(cert));
} else {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
}
break;
case GetCert:
IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
cert = caEmulator.getCert(isn.getName(), isn.getSerialNumber().getValue());
if (cert != null) {
rep.setMessageData(createSignedData(cert));
} else {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
}
break;
case RenewalReq:
if (!caCaps.containsCapability(CaCapability.Renewal)) {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
} else {
csr = CertificationRequest.getInstance(req.getMessageData());
try {
cert = caEmulator.generateCert(csr);
} catch (Exception ex) {
throw new CaException("system failure: " + ex.getMessage(), ex);
}
if (cert != null) {
rep.setMessageData(createSignedData(cert));
} else {
rep.setPkiStatus(PkiStatus.FAILURE);
rep.setFailInfo(FailInfo.badCertId);
}
}
break;
case UpdateReq:
if (!caCaps.containsCapability(CaCapability.Update)) {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
} else {
csr = CertificationRequest.getInstance(req.getMessageData());
try {
cert = caEmulator.generateCert(csr);
} catch (Exception ex) {
throw new CaException("system failure: " + ex.getMessage(), ex);
}
if (cert != null) {
rep.setMessageData(createSignedData(cert));
} else {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
}
}
break;
case GetCRL:
isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
CertificateList crl;
try {
crl = caEmulator.getCrl(isn.getName(), isn.getSerialNumber().getValue());
} catch (Exception ex) {
throw new CaException("system failure: " + ex.getMessage(), ex);
}
if (crl != null) {
rep.setMessageData(createSignedData(crl));
} else {
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
}
break;
default:
buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
}
return rep;
}
Also used :
IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber)
ScepHashAlgo(org.xipki.scep.crypto.ScepHashAlgo)
CertificateList(org.bouncycastle.asn1.x509.CertificateList)
ASN1String(org.bouncycastle.asn1.ASN1String)
X500Name(org.bouncycastle.asn1.x500.X500Name)
Date(java.util.Date)
CMSException(org.bouncycastle.cms.CMSException)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
CertificateException(java.security.cert.CertificateException)
IssuerAndSubject(org.xipki.scep.message.IssuerAndSubject)
TransactionId(org.xipki.scep.transaction.TransactionId)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
PkiMessage(org.xipki.scep.message.PkiMessage)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
MessageType(org.xipki.scep.transaction.MessageType)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Example 92 with X500Name
use of org.spongycastle.asn1.x500.X500Name in project xipki by xipki.
the class HttpsHostnameVerifier method verify.
/**
* Verify that the host name is an acceptable match with
* the server's authentication scheme.
*
* @param hostname the host name
* @param session SSLSession used on the connection to host
* @return true if the host name is acceptable
*/
@Override
public boolean verify(String hostname, SSLSession session) {
ParamUtil.requireNonNull("hostname", hostname);
if (trustAll) {
return true;
}
LOG.info("hostname: {}", hostname);
String commonName = null;
try {
Principal peerPrincipal = session.getPeerPrincipal();
if (peerPrincipal == null) {
return false;
}
commonName = X509Util.getCommonName(new X500Name(peerPrincipal.getName()));
LOG.info("commonName: {}", commonName);
} catch (Exception ex) {
LogUtil.error(LOG, ex);
return false;
}
Set<String> hostnames = hostnameMap.get(commonName);
return (hostnames == null) ? false : hostnames.contains(hostname);
}Example 93 with X500Name
use of org.spongycastle.asn1.x500.X500Name in project xipki by xipki.
the class P12ComplexCsrGenCmd method getSubject.
@Override
protected X500Name getSubject(String subject) {
X500Name name = new X500Name(subject);
List<RDN> list = new LinkedList<>();
RDN[] rs = name.getRDNs();
for (RDN m : rs) {
list.add(m);
}
ASN1ObjectIdentifier id;
// dateOfBirth
if (complexSubject.booleanValue()) {
id = ObjectIdentifiers.DN_DATE_OF_BIRTH;
RDN[] rdns = name.getRDNs(id);
if (rdns == null || rdns.length == 0) {
ASN1Encodable atvValue = new DERGeneralizedTime("19950102120000Z");
RDN rdn = new RDN(id, atvValue);
list.add(rdn);
}
}
// postalAddress
if (complexSubject.booleanValue()) {
id = ObjectIdentifiers.DN_POSTAL_ADDRESS;
RDN[] rdns = name.getRDNs(id);
if (rdns == null || rdns.length == 0) {
ASN1EncodableVector vec = new ASN1EncodableVector();
vec.add(new DERUTF8String("my street 1"));
vec.add(new DERUTF8String("12345 Germany"));
ASN1Sequence atvValue = new DERSequence(vec);
RDN rdn = new RDN(id, atvValue);
list.add(rdn);
}
}
// DN_UNIQUE_IDENTIFIER
id = ObjectIdentifiers.DN_UNIQUE_IDENTIFIER;
RDN[] rdns = name.getRDNs(id);
if (rdns == null || rdns.length == 0) {
DERUTF8String atvValue = new DERUTF8String("abc-def-ghi");
RDN rdn = new RDN(id, atvValue);
list.add(rdn);
}
return new X500Name(list.toArray(new RDN[0]));
}
Also used :
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
DERSequence(org.bouncycastle.asn1.DERSequence)
DERGeneralizedTime(org.bouncycastle.asn1.DERGeneralizedTime)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
X500Name(org.bouncycastle.asn1.x500.X500Name)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
RDN(org.bouncycastle.asn1.x500.RDN)
LinkedList(java.util.LinkedList)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 94 with X500Name
use of org.spongycastle.asn1.x500.X500Name in project airavata by apache.
the class X509SecurityContext method generateShortLivedCredential.
public KeyAndCertCredential generateShortLivedCredential(String userDN, String caCertPath, String caKeyPath, String caPwd) throws Exception {
// 15 minutes
final long CredentialGoodFromOffset = 1000L * 60L * 15L;
// ago
final long startTime = System.currentTimeMillis() - CredentialGoodFromOffset;
final long endTime = startTime + 30 * 3600 * 1000;
String keyLengthProp = "1024";
int keyLength = Integer.parseInt(keyLengthProp);
String signatureAlgorithm = "SHA1withRSA";
KeyAndCertCredential caCred = getCACredential(caCertPath, caKeyPath, caPwd);
KeyPairGenerator kpg = KeyPairGenerator.getInstance(caCred.getKey().getAlgorithm());
kpg.initialize(keyLength);
KeyPair pair = kpg.generateKeyPair();
X500Principal subjectDN = new X500Principal(userDN);
Random rand = new Random();
SubjectPublicKeyInfo publicKeyInfo;
try {
publicKeyInfo = SubjectPublicKeyInfo.getInstance(new ASN1InputStream(pair.getPublic().getEncoded()).readObject());
} catch (IOException e) {
throw new InvalidKeyException("Can not parse the public key" + "being included in the short lived certificate", e);
}
X500Name issuerX500Name = CertificateHelpers.toX500Name(caCred.getCertificate().getSubjectX500Principal());
X500Name subjectX500Name = CertificateHelpers.toX500Name(subjectDN);
X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(issuerX500Name, new BigInteger(20, rand), new Date(startTime), new Date(endTime), subjectX500Name, publicKeyInfo);
AlgorithmIdentifier sigAlgId = X509v3CertificateBuilder.extractAlgorithmId(caCred.getCertificate());
X509Certificate certificate = certBuilder.build(caCred.getKey(), sigAlgId, signatureAlgorithm, null, null);
certificate.checkValidity(new Date());
certificate.verify(caCred.getCertificate().getPublicKey());
KeyAndCertCredential result = new KeyAndCertCredential(pair.getPrivate(), new X509Certificate[] { certificate, caCred.getCertificate() });
return result;
}
Also used :
KeyPair(java.security.KeyPair)
ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream)
KeyPairGenerator(java.security.KeyPairGenerator)
IOException(java.io.IOException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
InvalidKeyException(java.security.InvalidKeyException)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
Random(java.util.Random)
X509v3CertificateBuilder(eu.emi.security.authn.x509.helpers.proxy.X509v3CertificateBuilder)
KeyAndCertCredential(eu.emi.security.authn.x509.impl.KeyAndCertCredential)
X500Principal(javax.security.auth.x500.X500Principal)
BigInteger(java.math.BigInteger)
Example 95 with X500Name
use of org.spongycastle.asn1.x500.X500Name in project airavata by apache.
the class MyProxyLogon method generateCertificationRequest.
private PKCS10CertificationRequest generateCertificationRequest(String dn, KeyPair kp) throws Exception {
X500Name subject = new X500Name(dn);
PublicKey pubKey = kp.getPublic();
PrivateKey privKey = kp.getPrivate();
AsymmetricKeyParameter pubkeyParam = PublicKeyFactory.createKey(pubKey.getEncoded());
SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(pubkeyParam);
PKCS10CertificationRequestBuilder builder = new PKCS10CertificationRequestBuilder(subject, publicKeyInfo);
AlgorithmIdentifier signatureAi = new AlgorithmIdentifier(OIWObjectIdentifiers.sha1WithRSA);
BcRSAContentSignerBuilder signerBuilder = new BcRSAContentSignerBuilder(signatureAi, AlgorithmIdentifier.getInstance(OIWObjectIdentifiers.idSHA1));
AsymmetricKeyParameter pkParam = PrivateKeyFactory.createKey(privKey.getEncoded());
ContentSigner signer = signerBuilder.build(pkParam);
return builder.build(signer);
}
Also used :
BcRSAContentSignerBuilder(org.bouncycastle.operator.bc.BcRSAContentSignerBuilder)
PrivateKey(java.security.PrivateKey)
AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter)
PublicKey(java.security.PublicKey)
ContentSigner(org.bouncycastle.operator.ContentSigner)
PKCS10CertificationRequestBuilder(org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder)
X500Name(org.bouncycastle.asn1.x500.X500Name)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
Aggregations
X500Name (org.bouncycastle.asn1.x500.X500Name)193
X509Certificate (java.security.cert.X509Certificate)88
Date (java.util.Date)72
BigInteger (java.math.BigInteger)63
X500Name (sun.security.x509.X500Name)53
IOException (java.io.IOException)49
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)47
ContentSigner (org.bouncycastle.operator.ContentSigner)45
X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)44
RDN (org.bouncycastle.asn1.x500.RDN)43
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)42
KeyPair (java.security.KeyPair)41
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)41
SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)36
PrivateKey (java.security.PrivateKey)33
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)33
KeyPairGenerator (java.security.KeyPairGenerator)31
GeneralName (org.bouncycastle.asn1.x509.GeneralName)31
SecureRandom (java.security.SecureRandom)28
DERUTF8String (org.bouncycastle.asn1.DERUTF8String)28
