Search in sources :

Example 1 with ECParamatersOption

use of org.xipki.ca.api.profile.KeyParametersOption.ECParamatersOption in project xipki by xipki.

the class BaseX509Certprofile method checkPublicKey.

@Override
public SubjectPublicKeyInfo checkPublicKey(SubjectPublicKeyInfo publicKey) throws BadCertTemplateException {
    ParamUtil.requireNonNull("publicKey", publicKey);
    Map<ASN1ObjectIdentifier, KeyParametersOption> keyAlgorithms = getKeyAlgorithms();
    if (CollectionUtil.isEmpty(keyAlgorithms)) {
        return publicKey;
    }
    ASN1ObjectIdentifier keyType = publicKey.getAlgorithm().getAlgorithm();
    if (!keyAlgorithms.containsKey(keyType)) {
        throw new BadCertTemplateException("key type " + keyType.getId() + " is not permitted");
    }
    KeyParametersOption keyParamsOption = keyAlgorithms.get(keyType);
    if (keyParamsOption instanceof AllowAllParametersOption) {
        return publicKey;
    } else if (keyParamsOption instanceof ECParamatersOption) {
        ECParamatersOption ecOption = (ECParamatersOption) keyParamsOption;
        // parameters
        ASN1Encodable algParam = publicKey.getAlgorithm().getParameters();
        ASN1ObjectIdentifier curveOid;
        if (algParam instanceof ASN1ObjectIdentifier) {
            curveOid = (ASN1ObjectIdentifier) algParam;
            if (!ecOption.allowsCurve(curveOid)) {
                throw new BadCertTemplateException(String.format("EC curve %s (OID: %s) is not allowed", AlgorithmUtil.getCurveName(curveOid), curveOid.getId()));
            }
        } else {
            throw new BadCertTemplateException("only namedCurve EC public key is supported");
        }
        // point encoding
        if (ecOption.pointEncodings() != null) {
            byte[] keyData = publicKey.getPublicKeyData().getBytes();
            if (keyData.length < 1) {
                throw new BadCertTemplateException("invalid publicKeyData");
            }
            byte pointEncoding = keyData[0];
            if (!ecOption.pointEncodings().contains(pointEncoding)) {
                throw new BadCertTemplateException(String.format("not accepted EC point encoding '%s'", pointEncoding));
            }
        }
        byte[] keyData = publicKey.getPublicKeyData().getBytes();
        try {
            checkEcSubjectPublicKeyInfo(curveOid, keyData);
        } catch (BadCertTemplateException ex) {
            throw ex;
        } catch (Exception ex) {
            LogUtil.warn(LOG, ex, "checkEcSubjectPublicKeyInfo");
            throw new BadCertTemplateException(String.format("invalid public key: %s", ex.getMessage()));
        }
        return publicKey;
    } else if (keyParamsOption instanceof RSAParametersOption) {
        RSAParametersOption rsaOption = (RSAParametersOption) keyParamsOption;
        ASN1Integer modulus;
        try {
            ASN1Sequence seq = ASN1Sequence.getInstance(publicKey.getPublicKeyData().getBytes());
            modulus = ASN1Integer.getInstance(seq.getObjectAt(0));
        } catch (IllegalArgumentException ex) {
            throw new BadCertTemplateException("invalid publicKeyData");
        }
        int modulusLength = modulus.getPositiveValue().bitLength();
        if ((rsaOption.allowsModulusLength(modulusLength))) {
            return publicKey;
        }
    } else if (keyParamsOption instanceof DSAParametersOption) {
        DSAParametersOption dsaOption = (DSAParametersOption) keyParamsOption;
        ASN1Encodable params = publicKey.getAlgorithm().getParameters();
        if (params == null) {
            throw new BadCertTemplateException("null Dss-Parms is not permitted");
        }
        int plength;
        int qlength;
        try {
            ASN1Sequence seq = ASN1Sequence.getInstance(params);
            ASN1Integer rsaP = ASN1Integer.getInstance(seq.getObjectAt(0));
            ASN1Integer rsaQ = ASN1Integer.getInstance(seq.getObjectAt(1));
            plength = rsaP.getPositiveValue().bitLength();
            qlength = rsaQ.getPositiveValue().bitLength();
        } catch (IllegalArgumentException | ArrayIndexOutOfBoundsException ex) {
            throw new BadCertTemplateException("illegal Dss-Parms");
        }
        boolean match = dsaOption.allowsPlength(plength);
        if (match) {
            match = dsaOption.allowsQlength(qlength);
        }
        if (match) {
            return publicKey;
        }
    } else {
        throw new RuntimeException(String.format("should not reach here, unknown KeyParametersOption %s", keyParamsOption));
    }
    throw new BadCertTemplateException("the given publicKey is not permitted");
}
Also used : ECParamatersOption(org.xipki.ca.api.profile.KeyParametersOption.ECParamatersOption) DSAParametersOption(org.xipki.ca.api.profile.KeyParametersOption.DSAParametersOption) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) CertprofileException(org.xipki.ca.api.profile.CertprofileException) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) KeyParametersOption(org.xipki.ca.api.profile.KeyParametersOption) RSAParametersOption(org.xipki.ca.api.profile.KeyParametersOption.RSAParametersOption) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) AllowAllParametersOption(org.xipki.ca.api.profile.KeyParametersOption.AllowAllParametersOption) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Aggregations

ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)1 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)1 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)1 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)1 BadCertTemplateException (org.xipki.ca.api.BadCertTemplateException)1 CertprofileException (org.xipki.ca.api.profile.CertprofileException)1 KeyParametersOption (org.xipki.ca.api.profile.KeyParametersOption)1 AllowAllParametersOption (org.xipki.ca.api.profile.KeyParametersOption.AllowAllParametersOption)1 DSAParametersOption (org.xipki.ca.api.profile.KeyParametersOption.DSAParametersOption)1 ECParamatersOption (org.xipki.ca.api.profile.KeyParametersOption.ECParamatersOption)1 RSAParametersOption (org.xipki.ca.api.profile.KeyParametersOption.RSAParametersOption)1