use of org.webpki.asn1.CompositeContextSpecific in project openkeystore by cyberphone.
the class CA method createCert.
public X509Certificate createCert(CertSpec certSpec, DistinguishedName issuerName, BigInteger serialNumber, Date startDate, Date endDate, AsymKeySignerInterface signer, PublicKey issuerPublicKey, PublicKey subjectPublicKey) throws IOException, GeneralSecurityException {
Extensions extensions = new Extensions();
BaseASN1Object version = new CompositeContextSpecific(0, new ASN1Integer(2));
DistinguishedName subjectName = certSpec.getSubjectDistinguishedName();
BaseASN1Object validity = new ASN1Sequence(new BaseASN1Object[] { getASN1Time(startDate), getASN1Time(endDate) });
AsymSignatureAlgorithms certSignAlg = signer.getAlgorithm();
BaseASN1Object signatureAlgorithm = new ASN1Sequence(certSignAlg.getKeyType() == KeyTypes.RSA ? new BaseASN1Object[] { new ASN1ObjectID(certSignAlg.getOid()), // Relic from the RSA hey-days...
new ASN1Null() } : new BaseASN1Object[] { new ASN1ObjectID(certSignAlg.getOid()) });
BaseASN1Object subjectPublicKeyInfo = DerDecoder.decode(subjectPublicKey.getEncoded());
// ////////////////////////////////////////////////////
if (certSpec.endEntity) {
extensions.add(CertificateExtensions.BASIC_CONSTRAINTS, false, new ASN1Sequence(new BaseASN1Object[] {}));
}
// ////////////////////////////////////////////////////
if (certSpec.caCert) {
extensions.add(CertificateExtensions.BASIC_CONSTRAINTS, true, new ASN1Sequence(new ASN1Boolean(true)));
}
// ////////////////////////////////////////////////////
if (!certSpec.keyUsageSet.isEmpty()) {
int i = 0;
for (KeyUsageBits kubit : certSpec.keyUsageSet) {
i |= 1 << kubit.ordinal();
}
byte[] keyUsage = new byte[i > 255 ? 2 : 1];
keyUsage[0] = reverseBits(i);
if (i > 255) {
keyUsage[1] = reverseBits(i >> 8);
}
extensions.add(CertificateExtensions.KEY_USAGE, true, new ASN1BitString(keyUsage));
}
// ////////////////////////////////////////////////////
if (!certSpec.extendedKeyUsageSet.isEmpty()) {
int i = 0;
BaseASN1Object[] ekus = new BaseASN1Object[certSpec.extendedKeyUsageSet.size()];
for (ExtendedKeyUsages eku : certSpec.extendedKeyUsageSet.toArray(new ExtendedKeyUsages[0])) {
ekus[i++] = new ASN1ObjectID(eku.getOID());
}
extensions.add(CertificateExtensions.EXTENDED_KEY_USAGE, false, new ASN1Sequence(ekus));
}
// ////////////////////////////////////////////////////
if (certSpec.skiExtension) {
extensions.add(CertificateExtensions.SUBJECT_KEY_IDENTIFIER, createKeyID(subjectPublicKey));
}
// ////////////////////////////////////////////////////
if (certSpec.akiExtension) {
extensions.add(CertificateExtensions.AUTHORITY_KEY_IDENTIFIER, new ASN1Sequence(new SimpleContextSpecific(0, createKeyID(issuerPublicKey))));
}
// ////////////////////////////////////////////////////
if (!certSpec.subjectAltName.isEmpty()) {
int i = 0;
BaseASN1Object[] san = new BaseASN1Object[certSpec.subjectAltName.size()];
for (CertSpec.NameValue nameValue : certSpec.subjectAltName) {
int type = nameValue.name;
// We currently only handle simple IA5String types.
if (type == SubjectAltNameTypes.RFC822_NAME || type == SubjectAltNameTypes.DNS_NAME || type == SubjectAltNameTypes.UNIFORM_RESOURCE_IDENTIFIER) {
if (!(nameValue.value instanceof ASN1IA5String)) {
throw new IOException("Wrong argument type to SubjectAltNames of type " + type);
}
} else // Or IP addresses.
if (type == SubjectAltNameTypes.IP_ADDRESS) {
if (!(nameValue.value instanceof ASN1OctetString)) {
throw new IOException("Wrong argument type to SubjectAltNames of type IP address");
}
} else {
throw new IOException("SubjectAltNames of type " + type + " are not handled.");
}
san[i++] = new SimpleContextSpecific(type, nameValue.value);
}
extensions.add(CertificateExtensions.SUBJECT_ALT_NAME, new ASN1Sequence(san));
}
// ////////////////////////////////////////////////////
if (!certSpec.certPolicyOids.isEmpty()) {
int i = 0;
BaseASN1Object[] policies = new BaseASN1Object[certSpec.certPolicyOids.size()];
for (String oid : certSpec.certPolicyOids) {
policies[i++] = new ASN1Sequence(new ASN1ObjectID(oid));
}
extensions.add(CertificateExtensions.CERTIFICATE_POLICIES, new ASN1Sequence(policies));
}
// ////////////////////////////////////////////////////
if (!certSpec.aiaLocators.isEmpty()) {
int i = 0;
BaseASN1Object[] locators = new BaseASN1Object[certSpec.aiaLocators.size()];
for (String[] loc_info : certSpec.aiaLocators) {
locators[i++] = new ASN1Sequence(new BaseASN1Object[] { new ASN1ObjectID(loc_info[0]), new SimpleContextSpecific(6, new ASN1IA5String(loc_info[1])) });
}
extensions.add(CertificateExtensions.AUTHORITY_INFO_ACCESS, new ASN1Sequence(locators));
}
// ////////////////////////////////////////////////////
if (!certSpec.crlDistPoints.isEmpty()) {
int i = 0;
BaseASN1Object[] cdps = new BaseASN1Object[certSpec.crlDistPoints.size()];
for (String uri : certSpec.crlDistPoints) {
cdps[i++] = new ASN1Sequence(new CompositeContextSpecific(0, new CompositeContextSpecific(0, new SimpleContextSpecific(6, new ASN1IA5String(uri)))));
}
extensions.add(CertificateExtensions.CRL_DISTRIBUTION_POINTS, new ASN1Sequence(cdps));
}
// ////////////////////////////////////////////////////
// Certificate Creation!
// ////////////////////////////////////////////////////
BaseASN1Object[] inner = new BaseASN1Object[extensions.isEmpty() ? 7 : 8];
inner[0] = version;
inner[1] = new ASN1Integer(serialNumber);
inner[2] = signatureAlgorithm;
inner[3] = issuerName.toASN1();
inner[4] = validity;
inner[5] = subjectName.toASN1();
inner[6] = subjectPublicKeyInfo;
if (!extensions.isEmpty()) {
inner[7] = new CompositeContextSpecific(3, extensions.getExtensionData());
}
BaseASN1Object tbsCertificate = new ASN1Sequence(inner);
BaseASN1Object signature = new ASN1BitString(signer.signData(tbsCertificate.encode()));
byte[] certificate = new ASN1Sequence(new BaseASN1Object[] { tbsCertificate, signatureAlgorithm, signature }).encode();
return CertificateUtil.getCertificateFromBlob(certificate);
}
use of org.webpki.asn1.CompositeContextSpecific in project openkeystore by cyberphone.
the class CertificateUtil method getSortedPathFromPKCS7Bag.
public static X509Certificate[] getSortedPathFromPKCS7Bag(byte[] bag) throws IOException, GeneralSecurityException {
ArrayList<byte[]> certs = new ArrayList<>();
ASN1Sequence outer = ParseUtil.sequence(DerDecoder.decode(bag));
for (int i = 0; i < outer.size(); i++) {
if (ParseUtil.isCompositeContext(outer.get(i), 0)) {
ASN1Sequence inner = ParseUtil.sequence(ParseUtil.singleContext(outer.get(i), 0));
for (int j = 0; j < inner.size(); j++) {
if (ParseUtil.isCompositeContext(inner.get(j), 0)) {
CompositeContextSpecific cert_entries = ParseUtil.compositeContext(inner.get(j));
for (int k = 0; k < cert_entries.size(); k++) {
certs.add(cert_entries.get(k).encode());
}
return getSortedPathFromBlobs(certs);
}
}
}
}
throw new IOException("PKCS7 bag error");
}
use of org.webpki.asn1.CompositeContextSpecific in project openkeystore by cyberphone.
the class PKCS7Signer method sign.
private byte[] sign(byte[] message, boolean detached) throws IOException, GeneralSecurityException {
ArrayList<BaseASN1Object> cert_path = new ArrayList<>();
for (X509Certificate c : certificatePath) {
cert_path.add(ASN1Util.x509Certificate(c));
}
BaseASN1Object signer_cert = cert_path.get(0);
int i = ParseUtil.isContext(signer_cert.get(new int[] { 0, 0 }), 0) ? 1 : 0;
BaseASN1Object sign_info = signer_cert.get(new int[] { 0, i + 2 });
BaseASN1Object cert_ref = signer_cert.get(new int[] { 0, i });
String digest_oid = signer_implem.getAlgorithm().getDigestAlgorithm().getOid();
String encryption_oid = AsymEncryptionAlgorithms.RSA_ES_PKCS_1_5.getOid();
byte[] signed_data = signer_implem.signData(message);
BaseASN1Object r = ASN1Util.oidValue(PKCS7_SIGNED_DATA, new CompositeContextSpecific(0, new ASN1Sequence(new BaseASN1Object[] { new ASN1Integer(1), ASN1Util.oidValueSet(digest_oid, new ASN1Null()), detached ? new ASN1Sequence((BaseASN1Object) new ASN1ObjectID(PKCS7_DATA)) : (BaseASN1Object) ASN1Util.oidValue(PKCS7_DATA, new CompositeContextSpecific(0, new ASN1OctetString(message))), new CompositeContextSpecific(0, cert_path), new ASN1Set(new ASN1Sequence(new BaseASN1Object[] { new ASN1Integer(1), new ASN1Sequence(new BaseASN1Object[] { sign_info, cert_ref }), ASN1Util.oidNull(digest_oid), ASN1Util.oidNull(encryption_oid), new ASN1OctetString(signed_data) })) })));
return r.encode();
}
use of org.webpki.asn1.CompositeContextSpecific in project openkeystore by cyberphone.
the class KeyStore2PEMConverter method writePrivateKey.
public void writePrivateKey(PrivateKey privateKey, PublicKey publicKey) throws Exception {
byte[] encoded;
KeyAlgorithms keyAlgorithm = KeyAlgorithms.getKeyAlgorithm(privateKey);
if (privateKey instanceof RSAKey) {
encoded = privateKey.getEncoded();
} else if (privateKey instanceof ECKey) {
JSONObjectReader jwk = JSONParser.parse(new KeyStore2JWKConverter().writePrivateKey(privateKey, publicKey));
encoded = new ASN1Sequence(new BaseASN1Object[] { new ASN1Integer(0), new ASN1Sequence(new BaseASN1Object[] { new ASN1ObjectID(EC_PUBLIC_KEY_OID), new ASN1ObjectID(keyAlgorithm.getECDomainOID()) }), new ASN1OctetString(new ASN1Sequence(new BaseASN1Object[] { new ASN1Integer(1), new ASN1OctetString(jwk.getBinary("d")), new CompositeContextSpecific(1, new ASN1BitString(ArrayUtil.add(new byte[] { 4 }, ArrayUtil.add(jwk.getBinary("x"), jwk.getBinary("y"))))) }).encode()) }).encode();
} else {
encoded = new ASN1Sequence(new BaseASN1Object[] { new ASN1Integer(1), new ASN1Sequence(new ASN1ObjectID(keyAlgorithm.getECDomainOID())), new ASN1OctetString(new ASN1OctetString(OkpSupport.private2RawOkpKey(privateKey, keyAlgorithm)).encode()), new SimpleContextSpecific(1, // BITSTRING unused bits
ArrayUtil.add(// BITSTRING unused bits
new byte[] { 0 }, OkpSupport.public2RawOkpKey(publicKey, keyAlgorithm))) }).encode();
}
writeObject("PRIVATE KEY", encoded);
}
Aggregations