Search in sources :

Example 1 with DhpocControl

use of org.xipki.ca.server.DhpocControl in project xipki by xipki.

the class BaseCmpResponder method verifyPopo.

protected boolean verifyPopo(CertificateRequestMessage certRequest, SubjectPublicKeyInfo spki, boolean allowRaPopo) {
    int popType = certRequest.getProofOfPossessionType();
    if (popType == CertificateRequestMessage.popRaVerified && allowRaPopo) {
        return true;
    }
    if (popType != CertificateRequestMessage.popSigningKey) {
        LOG.error("unsupported POP type: " + popType);
        return false;
    }
    // check the POP signature algorithm
    ProofOfPossession pop = certRequest.toASN1Structure().getPopo();
    POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject());
    SignAlgo popoAlg;
    try {
        popoAlg = SignAlgo.getInstance(popoSign.getAlgorithmIdentifier());
    } catch (NoSuchAlgorithmException ex) {
        LogUtil.error(LOG, ex, "Cannot parse POPO signature algorithm");
        return false;
    }
    AlgorithmValidator algoValidator = getCmpControl().getPopoAlgoValidator();
    if (!algoValidator.isAlgorithmPermitted(popoAlg)) {
        LOG.error("POPO signature algorithm {} not permitted", popoAlg.getJceName());
        return false;
    }
    try {
        PublicKey publicKey = securityFactory.generatePublicKey(spki);
        DhpocControl dhpocControl = getCa().getCaInfo().getDhpocControl();
        DHSigStaticKeyCertPair kaKeyAndCert = null;
        if (SignAlgo.DHPOP_X25519 == popoAlg || SignAlgo.DHPOP_X448 == popoAlg) {
            if (dhpocControl != null) {
                DhSigStatic dhSigStatic = DhSigStatic.getInstance(popoSign.getSignature().getBytes());
                IssuerAndSerialNumber isn = dhSigStatic.getIssuerAndSerial();
                ASN1ObjectIdentifier keyAlgOid = spki.getAlgorithm().getAlgorithm();
                kaKeyAndCert = dhpocControl.getKeyCertPair(isn.getName(), isn.getSerialNumber().getValue(), EdECConstants.getName(keyAlgOid));
            }
            if (kaKeyAndCert == null) {
                return false;
            }
        }
        ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(publicKey, kaKeyAndCert);
        return certRequest.isValidSigningKeyPOP(cvp);
    } catch (InvalidKeyException | IllegalStateException | CRMFException ex) {
        LogUtil.error(LOG, ex);
    }
    return false;
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) RSAPublicKey(java.security.interfaces.RSAPublicKey) ECPublicKey(java.security.interfaces.ECPublicKey) ProofOfPossession(org.bouncycastle.asn1.crmf.ProofOfPossession) DhSigStatic(org.bouncycastle.asn1.crmf.DhSigStatic) CRMFException(org.bouncycastle.cert.crmf.CRMFException) DhpocControl(org.xipki.ca.server.DhpocControl) POPOSigningKey(org.bouncycastle.asn1.crmf.POPOSigningKey) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Aggregations

ECPublicKey (java.security.interfaces.ECPublicKey)1 RSAPublicKey (java.security.interfaces.RSAPublicKey)1 IssuerAndSerialNumber (org.bouncycastle.asn1.cms.IssuerAndSerialNumber)1 DhSigStatic (org.bouncycastle.asn1.crmf.DhSigStatic)1 POPOSigningKey (org.bouncycastle.asn1.crmf.POPOSigningKey)1 ProofOfPossession (org.bouncycastle.asn1.crmf.ProofOfPossession)1 CRMFException (org.bouncycastle.cert.crmf.CRMFException)1 ContentVerifierProvider (org.bouncycastle.operator.ContentVerifierProvider)1 DhpocControl (org.xipki.ca.server.DhpocControl)1