Example 81 with SubjectPublicKeyInfo
use of org.spongycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.
the class X509Util method toRfc3279Style.
public static SubjectPublicKeyInfo toRfc3279Style(SubjectPublicKeyInfo publicKeyInfo) throws InvalidKeySpecException {
ParamUtil.requireNonNull("publicKeyInfo", publicKeyInfo);
ASN1ObjectIdentifier algOid = publicKeyInfo.getAlgorithm().getAlgorithm();
ASN1Encodable keyParameters = publicKeyInfo.getAlgorithm().getParameters();
if (PKCSObjectIdentifiers.rsaEncryption.equals(algOid)) {
if (DERNull.INSTANCE.equals(keyParameters)) {
return publicKeyInfo;
} else {
AlgorithmIdentifier keyAlgId = new AlgorithmIdentifier(algOid, DERNull.INSTANCE);
return new SubjectPublicKeyInfo(keyAlgId, publicKeyInfo.getPublicKeyData().getBytes());
}
} else if (X9ObjectIdentifiers.id_dsa.equals(algOid)) {
if (keyParameters == null) {
return publicKeyInfo;
} else if (DERNull.INSTANCE.equals(keyParameters)) {
AlgorithmIdentifier keyAlgId = new AlgorithmIdentifier(algOid);
return new SubjectPublicKeyInfo(keyAlgId, publicKeyInfo.getPublicKeyData().getBytes());
} else {
try {
DSAParameter.getInstance(keyParameters);
} catch (IllegalArgumentException ex) {
throw new InvalidKeySpecException("keyParameters is not null and Dss-Parms");
}
return publicKeyInfo;
}
} else if (X9ObjectIdentifiers.id_ecPublicKey.equals(algOid)) {
if (keyParameters == null) {
throw new InvalidKeySpecException("keyParameters is not an OBJECT IDENTIFIER");
}
try {
ASN1ObjectIdentifier.getInstance(keyParameters);
} catch (IllegalArgumentException ex) {
throw new InvalidKeySpecException("keyParameters is not an OBJECT IDENTIFIER");
}
return publicKeyInfo;
} else {
return publicKeyInfo;
}
}
Also used :
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
Example 82 with SubjectPublicKeyInfo
use of org.spongycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.
the class PublicKeyChecker method checkPublicKey.
public List<ValidationIssue> checkPublicKey(SubjectPublicKeyInfo publicKey, SubjectPublicKeyInfo requestedPublicKey) {
ParamUtil.requireNonNull("publicKey", publicKey);
ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
List<ValidationIssue> resultIssues = new LinkedList<>();
if (keyAlgorithms != null) {
ValidationIssue issue = new ValidationIssue("X509.PUBKEY.SYN", "whether the public key in certificate is permitted");
resultIssues.add(issue);
try {
checkPublicKey(publicKey);
} catch (BadCertTemplateException ex) {
issue.setFailureMessage(ex.getMessage());
}
}
ValidationIssue issue = new ValidationIssue("X509.PUBKEY.REQ", "whether public key matches the request one");
resultIssues.add(issue);
SubjectPublicKeyInfo c14nRequestedPublicKey;
try {
c14nRequestedPublicKey = X509Util.toRfc3279Style(requestedPublicKey);
if (!c14nRequestedPublicKey.equals(publicKey)) {
issue.setFailureMessage("public key in the certificate does not equal the requested one");
}
} catch (InvalidKeySpecException ex) {
issue.setFailureMessage("public key in request is invalid");
}
return resultIssues;
}
Also used :
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
ValidationIssue(org.xipki.common.qa.ValidationIssue)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
LinkedList(java.util.LinkedList)
Example 83 with SubjectPublicKeyInfo
use of org.spongycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.
the class X509CertprofileQa method checkCert.
// constructor
public ValidationResult checkCert(byte[] certBytes, X509IssuerInfo issuerInfo, X500Name requestedSubject, SubjectPublicKeyInfo requestedPublicKey, Extensions requestedExtensions) {
ParamUtil.requireNonNull("certBytes", certBytes);
ParamUtil.requireNonNull("issuerInfo", issuerInfo);
ParamUtil.requireNonNull("requestedSubject", requestedSubject);
ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
List<ValidationIssue> resultIssues = new LinkedList<ValidationIssue>();
Certificate bcCert;
TBSCertificate tbsCert;
X509Certificate cert;
ValidationIssue issue;
// certificate size
issue = new ValidationIssue("X509.SIZE", "certificate size");
resultIssues.add(issue);
Integer maxSize = certProfile.getMaxSize();
if (maxSize != 0) {
int size = certBytes.length;
if (size > maxSize) {
issue.setFailureMessage(String.format("certificate exceeds the maximal allowed size: %d > %d", size, maxSize));
}
}
// certificate encoding
issue = new ValidationIssue("X509.ENCODING", "certificate encoding");
resultIssues.add(issue);
try {
bcCert = Certificate.getInstance(certBytes);
tbsCert = bcCert.getTBSCertificate();
cert = X509Util.parseCert(certBytes);
} catch (CertificateException ex) {
issue.setFailureMessage("certificate is not corrected encoded");
return new ValidationResult(resultIssues);
}
// syntax version
issue = new ValidationIssue("X509.VERSION", "certificate version");
resultIssues.add(issue);
int versionNumber = tbsCert.getVersionNumber();
X509CertVersion expVersion = certProfile.getVersion();
if (versionNumber != expVersion.getVersionNumber()) {
issue.setFailureMessage("is '" + versionNumber + "' but expected '" + expVersion.getVersionNumber() + "'");
}
// serialNumber
issue = new ValidationIssue("X509.serialNumber", "certificate serial number");
resultIssues.add(issue);
BigInteger serialNumber = tbsCert.getSerialNumber().getValue();
if (serialNumber.signum() != 1) {
issue.setFailureMessage("not positive");
} else {
if (serialNumber.bitLength() >= 160) {
issue.setFailureMessage("serial number has more than 20 octets");
}
}
// signatureAlgorithm
List<String> signatureAlgorithms = certProfile.getSignatureAlgorithms();
if (CollectionUtil.isNonEmpty(signatureAlgorithms)) {
issue = new ValidationIssue("X509.SIGALG", "signature algorithm");
resultIssues.add(issue);
AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm();
AlgorithmIdentifier tbsSigAlgId = tbsCert.getSignature();
if (!tbsSigAlgId.equals(sigAlgId)) {
issue.setFailureMessage("Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm");
}
try {
String sigAlgo = AlgorithmUtil.getSignatureAlgoName(sigAlgId);
if (!issue.isFailed()) {
if (!signatureAlgorithms.contains(sigAlgo)) {
issue.setFailureMessage("signatureAlgorithm '" + sigAlgo + "' is not allowed");
}
}
// check parameters
if (!issue.isFailed()) {
AlgorithmIdentifier expSigAlgId = AlgorithmUtil.getSigAlgId(sigAlgo);
if (!expSigAlgId.equals(sigAlgId)) {
issue.setFailureMessage("invalid parameters");
}
}
} catch (NoSuchAlgorithmException ex) {
issue.setFailureMessage("unsupported signature algorithm " + sigAlgId.getAlgorithm().getId());
}
}
// notBefore encoding
issue = new ValidationIssue("X509.NOTBEFORE.ENCODING", "notBefore encoding");
checkTime(tbsCert.getStartDate(), issue);
// notAfter encoding
issue = new ValidationIssue("X509.NOTAFTER.ENCODING", "notAfter encoding");
checkTime(tbsCert.getStartDate(), issue);
// notBefore
if (certProfile.isNotBeforeMidnight()) {
issue = new ValidationIssue("X509.NOTBEFORE", "notBefore midnight");
resultIssues.add(issue);
Calendar cal = Calendar.getInstance(UTC);
cal.setTime(cert.getNotBefore());
int hourOfDay = cal.get(Calendar.HOUR_OF_DAY);
int minute = cal.get(Calendar.MINUTE);
int second = cal.get(Calendar.SECOND);
if (hourOfDay != 0 || minute != 0 || second != 0) {
issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time (UTC)");
}
}
// validity
issue = new ValidationIssue("X509.VALIDITY", "cert validity");
resultIssues.add(issue);
if (cert.getNotAfter().before(cert.getNotBefore())) {
issue.setFailureMessage("notAfter must not be before notBefore");
} else if (cert.getNotBefore().before(issuerInfo.getCaNotBefore())) {
issue.setFailureMessage("notBefore must not be before CA's notBefore");
} else {
CertValidity validity = certProfile.getValidity();
Date expectedNotAfter = validity.add(cert.getNotBefore());
if (expectedNotAfter.getTime() > MAX_CERT_TIME_MS) {
expectedNotAfter = new Date(MAX_CERT_TIME_MS);
}
if (issuerInfo.isCutoffNotAfter() && expectedNotAfter.after(issuerInfo.getCaNotAfter())) {
expectedNotAfter = issuerInfo.getCaNotAfter();
}
if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) {
issue.setFailureMessage("cert validity is not within " + validity.toString());
}
}
// subjectPublicKeyInfo
resultIssues.addAll(publicKeyChecker.checkPublicKey(bcCert.getSubjectPublicKeyInfo(), requestedPublicKey));
// Signature
issue = new ValidationIssue("X509.SIG", "whether certificate is signed by CA");
resultIssues.add(issue);
try {
cert.verify(issuerInfo.getCert().getPublicKey(), "BC");
} catch (Exception ex) {
issue.setFailureMessage("invalid signature");
}
// issuer
issue = new ValidationIssue("X509.ISSUER", "certificate issuer");
resultIssues.add(issue);
if (!cert.getIssuerX500Principal().equals(issuerInfo.getCert().getSubjectX500Principal())) {
issue.setFailureMessage("issue in certificate does not equal the subject of CA certificate");
}
// subject
resultIssues.addAll(subjectChecker.checkSubject(bcCert.getSubject(), requestedSubject));
// issuerUniqueID
issue = new ValidationIssue("X509.IssuerUniqueID", "issuerUniqueID");
resultIssues.add(issue);
if (tbsCert.getIssuerUniqueId() != null) {
issue.setFailureMessage("is present but not permitted");
}
// subjectUniqueID
issue = new ValidationIssue("X509.SubjectUniqueID", "subjectUniqueID");
resultIssues.add(issue);
if (tbsCert.getSubjectUniqueId() != null) {
issue.setFailureMessage("is present but not permitted");
}
// extensions
issue = new ValidationIssue("X509.GrantedSubject", "grantedSubject");
resultIssues.add(issue);
resultIssues.addAll(extensionsChecker.checkExtensions(bcCert, issuerInfo, requestedExtensions, requestedSubject));
return new ValidationResult(resultIssues);
}
Also used :
CertValidity(org.xipki.ca.api.profile.CertValidity)
Calendar(java.util.Calendar)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
ValidationResult(org.xipki.common.qa.ValidationResult)
ValidationIssue(org.xipki.common.qa.ValidationIssue)
LinkedList(java.util.LinkedList)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
CertprofileException(org.xipki.ca.api.profile.CertprofileException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
BigInteger(java.math.BigInteger)
X509CertVersion(org.xipki.ca.api.profile.x509.X509CertVersion)
BigInteger(java.math.BigInteger)
TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)
Example 84 with SubjectPublicKeyInfo
use of org.spongycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.
the class ScepServer method issueSubCaCert.
private static Certificate issueSubCaCert(PrivateKey rcaKey, X500Name issuer, SubjectPublicKeyInfo pubKeyInfo, X500Name subject, BigInteger serialNumber, Date startTime) throws CertIOException, OperatorCreationException {
Date notAfter = new Date(startTime.getTime() + CaEmulator.DAY_IN_MS * 3650);
X509v3CertificateBuilder certGenerator = new X509v3CertificateBuilder(issuer, serialNumber, startTime, notAfter, subject, pubKeyInfo);
X509KeyUsage ku = new X509KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign);
certGenerator.addExtension(Extension.keyUsage, true, ku);
BasicConstraints bc = new BasicConstraints(0);
certGenerator.addExtension(Extension.basicConstraints, true, bc);
String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(rcaKey, ScepHashAlgo.SHA256);
ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(rcaKey);
return certGenerator.build(contentSigner).toASN1Structure();
}
Also used :
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Date(java.util.Date)
X509KeyUsage(org.bouncycastle.jce.X509KeyUsage)
Example 85 with SubjectPublicKeyInfo
use of org.spongycastle.asn1.x509.SubjectPublicKeyInfo in project xipki by xipki.
the class ScepServer method getServlet.
public ScepServlet getServlet() throws Exception {
if (servlet != null) {
return servlet;
}
KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA");
X500Name rcaSubject;
kpGen.initialize(2048);
KeyPair keypair = kpGen.generateKeyPair();
// CHECKSTYLE:SKIP
PrivateKey rcaKey = keypair.getPrivate();
rcaSubject = new X500Name("CN=RCA1, OU=emulator, O=xipki.org, C=DE");
kpGen.initialize(2048);
keypair = kpGen.generateKeyPair();
SubjectPublicKeyInfo pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
X500Name subject = new X500Name("CN=CA1, OU=emulator, O=xipki.org, C=DE");
this.caCert = issueSubCaCert(rcaKey, rcaSubject, pkInfo, subject, BigInteger.valueOf(2), new Date(System.currentTimeMillis() - 10 * CaEmulator.MIN_IN_MS));
CaEmulator ca = new CaEmulator(keypair.getPrivate(), this.caCert, generateCrl);
RaEmulator ra = null;
if (withRa) {
kpGen.initialize(2048);
keypair = kpGen.generateKeyPair();
pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
subject = new X500Name("CN=RA1, OU=emulator, O=xipki.org, C=DE");
this.raCert = ca.generateCert(pkInfo, subject);
ra = new RaEmulator(keypair.getPrivate(), this.raCert);
}
NextCaAndRa nextCaAndRa = null;
if (withNextCa) {
kpGen.initialize(2048);
keypair = kpGen.generateKeyPair();
pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
subject = new X500Name("CN=CA2, OU=emulator, O=xipki.org, C=DE");
Date startTime = new Date(System.currentTimeMillis() + 365 * CaEmulator.DAY_IN_MS);
this.nextCaCert = issueSubCaCert(rcaKey, rcaSubject, pkInfo, subject, BigInteger.valueOf(2), startTime);
CaEmulator tmpCa = new CaEmulator(keypair.getPrivate(), this.nextCaCert, generateCrl);
if (withRa) {
kpGen.initialize(2048);
keypair = kpGen.generateKeyPair();
pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
subject = new X500Name("CN=RA2, OU=emulator, O=xipki.org, C=DE");
Date raStartTime = new Date(startTime.getTime() + 10 * CaEmulator.DAY_IN_MS);
this.nextRaCert = tmpCa.generateCert(pkInfo, subject, raStartTime);
}
// end if(withRA)
nextCaAndRa = new NextCaAndRa(this.nextCaCert, this.nextRaCert);
}
// end if(withNextCA)
ScepResponder scepResponder = new ScepResponder(caCaps, ca, ra, nextCaAndRa, control);
if (maxSigningTimeBiasInMs != null) {
scepResponder.setMaxSigningTimeBias(maxSigningTimeBiasInMs);
}
this.servlet = new ScepServlet(scepResponder);
return this.servlet;
}
Also used :
KeyPair(java.security.KeyPair)
PrivateKey(java.security.PrivateKey)
KeyPairGenerator(java.security.KeyPairGenerator)
X500Name(org.bouncycastle.asn1.x500.X500Name)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
Date(java.util.Date)
Aggregations
SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)77
X500Name (org.bouncycastle.asn1.x500.X500Name)37
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)37
Date (java.util.Date)34
IOException (java.io.IOException)31
ContentSigner (org.bouncycastle.operator.ContentSigner)24
BigInteger (java.math.BigInteger)22
KeyPair (java.security.KeyPair)21
X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)21
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)19
KeyPairGenerator (java.security.KeyPairGenerator)17
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)17
X509Certificate (java.security.cert.X509Certificate)17
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)16
InvalidKeyException (java.security.InvalidKeyException)15
InvalidKeySpecException (java.security.spec.InvalidKeySpecException)15
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)15
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)13
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)13
PublicKey (java.security.PublicKey)12
