use of org.xipki.ca.api.profile.KeyParametersOption in project xipki by xipki.
the class XmlX509CertprofileUtil method convertKeyParametersOption.
private static KeyParametersOption convertKeyParametersOption(AlgorithmType type) throws CertprofileException {
ParamUtil.requireNonNull("type", type);
if (type.getParameters() == null || type.getParameters().getAny() == null) {
return KeyParametersOption.ALLOW_ALL;
}
Object paramsObj = type.getParameters().getAny();
if (paramsObj instanceof ECParameters) {
ECParameters params = (ECParameters) paramsObj;
KeyParametersOption.ECParamatersOption option = new KeyParametersOption.ECParamatersOption();
if (params.getCurves() != null) {
Curves curves = params.getCurves();
Set<ASN1ObjectIdentifier> curveOids = toOidSet(curves.getCurve());
option.setCurveOids(curveOids);
}
if (params.getPointEncodings() != null) {
List<Byte> bytes = params.getPointEncodings().getPointEncoding();
Set<Byte> pointEncodings = new HashSet<>(bytes);
option.setPointEncodings(pointEncodings);
}
return option;
} else if (paramsObj instanceof RSAParameters) {
RSAParameters params = (RSAParameters) paramsObj;
KeyParametersOption.RSAParametersOption option = new KeyParametersOption.RSAParametersOption();
Set<Range> modulusLengths = buildParametersMap(params.getModulusLength());
option.setModulusLengths(modulusLengths);
return option;
} else if (paramsObj instanceof RSAPSSParameters) {
RSAPSSParameters params = (RSAPSSParameters) paramsObj;
KeyParametersOption.RSAPSSParametersOption option = new KeyParametersOption.RSAPSSParametersOption();
Set<Range> modulusLengths = buildParametersMap(params.getModulusLength());
option.setModulusLengths(modulusLengths);
return option;
} else if (paramsObj instanceof DSAParameters) {
DSAParameters params = (DSAParameters) paramsObj;
KeyParametersOption.DSAParametersOption option = new KeyParametersOption.DSAParametersOption();
Set<Range> plengths = buildParametersMap(params.getPLength());
option.setPlengths(plengths);
Set<Range> qlengths = buildParametersMap(params.getQLength());
option.setQlengths(qlengths);
return option;
} else if (paramsObj instanceof DHParameters) {
DHParameters params = (DHParameters) paramsObj;
KeyParametersOption.DHParametersOption option = new KeyParametersOption.DHParametersOption();
Set<Range> plengths = buildParametersMap(params.getPLength());
option.setPlengths(plengths);
Set<Range> qlengths = buildParametersMap(params.getQLength());
option.setQlengths(qlengths);
return option;
} else if (paramsObj instanceof GostParameters) {
GostParameters params = (GostParameters) paramsObj;
KeyParametersOption.GostParametersOption option = new KeyParametersOption.GostParametersOption();
Set<ASN1ObjectIdentifier> set = toOidSet(params.getPublicKeyParamSet());
option.setPublicKeyParamSets(set);
set = toOidSet(params.getDigestParamSet());
option.setDigestParamSets(set);
set = toOidSet(params.getEncryptionParamSet());
option.setEncryptionParamSets(set);
return option;
} else {
throw new CertprofileException("unknown public key parameters type " + paramsObj.getClass().getName());
}
}
use of org.xipki.ca.api.profile.KeyParametersOption in project xipki by xipki.
the class XmlX509CertprofileUtil method buildKeyAlgorithms.
public static Map<ASN1ObjectIdentifier, KeyParametersOption> buildKeyAlgorithms(KeyAlgorithms keyAlgos) throws CertprofileException {
ParamUtil.requireNonNull("keyAlgos", keyAlgos);
Map<ASN1ObjectIdentifier, KeyParametersOption> keyAlgorithms = new HashMap<>();
for (AlgorithmType type : keyAlgos.getAlgorithm()) {
List<OidWithDescType> algIds = type.getAlgorithm();
List<ASN1ObjectIdentifier> oids = new ArrayList<>(algIds.size());
for (OidWithDescType algId : algIds) {
ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier(algId.getValue());
if (keyAlgorithms.containsKey(oid)) {
throw new CertprofileException("duplicate definition of keyAlgorithm " + oid.getId());
}
oids.add(oid);
}
KeyParametersOption keyParamsOption = convertKeyParametersOption(type);
for (ASN1ObjectIdentifier oid : oids) {
keyAlgorithms.put(oid, keyParamsOption);
}
}
return CollectionUtil.unmodifiableMap(keyAlgorithms);
}
use of org.xipki.ca.api.profile.KeyParametersOption in project xipki by xipki.
the class BaseX509Certprofile method checkPublicKey.
@Override
public SubjectPublicKeyInfo checkPublicKey(SubjectPublicKeyInfo publicKey) throws BadCertTemplateException {
ParamUtil.requireNonNull("publicKey", publicKey);
Map<ASN1ObjectIdentifier, KeyParametersOption> keyAlgorithms = getKeyAlgorithms();
if (CollectionUtil.isEmpty(keyAlgorithms)) {
return publicKey;
}
ASN1ObjectIdentifier keyType = publicKey.getAlgorithm().getAlgorithm();
if (!keyAlgorithms.containsKey(keyType)) {
throw new BadCertTemplateException("key type " + keyType.getId() + " is not permitted");
}
KeyParametersOption keyParamsOption = keyAlgorithms.get(keyType);
if (keyParamsOption instanceof AllowAllParametersOption) {
return publicKey;
} else if (keyParamsOption instanceof ECParamatersOption) {
ECParamatersOption ecOption = (ECParamatersOption) keyParamsOption;
// parameters
ASN1Encodable algParam = publicKey.getAlgorithm().getParameters();
ASN1ObjectIdentifier curveOid;
if (algParam instanceof ASN1ObjectIdentifier) {
curveOid = (ASN1ObjectIdentifier) algParam;
if (!ecOption.allowsCurve(curveOid)) {
throw new BadCertTemplateException(String.format("EC curve %s (OID: %s) is not allowed", AlgorithmUtil.getCurveName(curveOid), curveOid.getId()));
}
} else {
throw new BadCertTemplateException("only namedCurve EC public key is supported");
}
// point encoding
if (ecOption.pointEncodings() != null) {
byte[] keyData = publicKey.getPublicKeyData().getBytes();
if (keyData.length < 1) {
throw new BadCertTemplateException("invalid publicKeyData");
}
byte pointEncoding = keyData[0];
if (!ecOption.pointEncodings().contains(pointEncoding)) {
throw new BadCertTemplateException(String.format("not accepted EC point encoding '%s'", pointEncoding));
}
}
byte[] keyData = publicKey.getPublicKeyData().getBytes();
try {
checkEcSubjectPublicKeyInfo(curveOid, keyData);
} catch (BadCertTemplateException ex) {
throw ex;
} catch (Exception ex) {
LogUtil.warn(LOG, ex, "checkEcSubjectPublicKeyInfo");
throw new BadCertTemplateException(String.format("invalid public key: %s", ex.getMessage()));
}
return publicKey;
} else if (keyParamsOption instanceof RSAParametersOption) {
RSAParametersOption rsaOption = (RSAParametersOption) keyParamsOption;
ASN1Integer modulus;
try {
ASN1Sequence seq = ASN1Sequence.getInstance(publicKey.getPublicKeyData().getBytes());
modulus = ASN1Integer.getInstance(seq.getObjectAt(0));
} catch (IllegalArgumentException ex) {
throw new BadCertTemplateException("invalid publicKeyData");
}
int modulusLength = modulus.getPositiveValue().bitLength();
if ((rsaOption.allowsModulusLength(modulusLength))) {
return publicKey;
}
} else if (keyParamsOption instanceof DSAParametersOption) {
DSAParametersOption dsaOption = (DSAParametersOption) keyParamsOption;
ASN1Encodable params = publicKey.getAlgorithm().getParameters();
if (params == null) {
throw new BadCertTemplateException("null Dss-Parms is not permitted");
}
int plength;
int qlength;
try {
ASN1Sequence seq = ASN1Sequence.getInstance(params);
ASN1Integer rsaP = ASN1Integer.getInstance(seq.getObjectAt(0));
ASN1Integer rsaQ = ASN1Integer.getInstance(seq.getObjectAt(1));
plength = rsaP.getPositiveValue().bitLength();
qlength = rsaQ.getPositiveValue().bitLength();
} catch (IllegalArgumentException | ArrayIndexOutOfBoundsException ex) {
throw new BadCertTemplateException("illegal Dss-Parms");
}
boolean match = dsaOption.allowsPlength(plength);
if (match) {
match = dsaOption.allowsQlength(qlength);
}
if (match) {
return publicKey;
}
} else {
throw new RuntimeException(String.format("should not reach here, unknown KeyParametersOption %s", keyParamsOption));
}
throw new BadCertTemplateException("the given publicKey is not permitted");
}
Aggregations