Example 1 with KeyAndCert
use of org.xipki.litecaclient.KeyAndCert in project xipki by xipki.
the class PbmMacCmpCaClientExample method main.
public static void main(String[] args) {
if (!new File(KEYCERT_DIR).exists()) {
System.err.println("Please call \"mvn generate-resources\" first.");
return;
}
Security.addProvider(new BouncyCastleProvider());
try {
X509Certificate responderCert = SdkUtil.parseCert(new File(expandPath(RESPONDER_CERT_FILE)));
X500Name requestorSubject = new X500Name("CN=PBMMAC");
X500Name responderSubject = X500Name.getInstance(responderCert.getSubjectX500Principal().getEncoded());
PbmMacCmpCaClient client = new PbmMacCmpCaClient(CMP_URL, null, requestorSubject, responderSubject, HASH_ALGO);
// SHA1("requestor-mac1".getBytes("UTF-8"))
client.setKid(Hex.decode("466827c7757a70af71ca0338c01361aab2019dcf"));
client.setPassword("123456".toCharArray());
client.setRequestInterationCount(10240);
client.setRequestMac(new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA256, DERNull.INSTANCE));
client.setRequestOwf(new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256, DERNull.INSTANCE));
Set<ASN1ObjectIdentifier> owfOids = new HashSet<>();
owfOids.add(NISTObjectIdentifiers.id_sha256);
client.setTrustedOwfOids(owfOids);
Set<ASN1ObjectIdentifier> macOids = new HashSet<>();
macOids.add(PKCSObjectIdentifiers.id_hmacWithSHA256);
client.setTrustedMacOids(macOids);
client.init();
X509Certificate caCert = client.getCaCert();
X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
// retrieve CA certificate
printCert("===== CA Certificate =====", client.getCaCert());
// Enroll certificate via CRMF - (CA generate keypair)
KeyAndCert[] keyAndCerts = client.enrollCertsViaCrmfCaGenKeypair(new String[] { CERT_PROFILE, CERT_PROFILE }, new String[] { getSubject(), getSubject() });
for (KeyAndCert kc : keyAndCerts) {
printKeyAndCert("===== Enroll via CRMF (CMP, CA generate keypair) =====", kc);
}
// Enroll certificate via CSR - RSA
X509Certificate cert = client.enrollCertViaCsr(CERT_PROFILE, genCsr(generateRsaKeypair(), getSubject()));
printCert("===== Enroll RSA via CSR (CMP) =====", cert);
// Enroll certificate via CSR - EC
cert = client.enrollCertViaCsr(CERT_PROFILE, genCsr(generateEcKeypair(), getSubject()));
printCert("===== Enroll EC via CSR (CMP) =====", cert);
// Enroll certificate via CSR - DSA
cert = client.enrollCertViaCsr(CERT_PROFILE, genCsr(generateDsaKeypair(), getSubject()));
printCert("===== Enroll DSA via CSR (CMP) =====", cert);
// Enroll certificate via CRMF - RSA
MyKeypair kp = generateRsaKeypair();
cert = client.enrollCertViaCrmf(CERT_PROFILE, kp.getPrivate(), kp.getPublic(), getSubject());
printCert("===== Enroll RSA via CRMF (CMP) =====", cert);
// Update certificate via CRMF - RSA
cert = client.updateCertViaCrmf(kp.getPrivate(), issuer, cert.getSerialNumber());
printCert("===== Update RSA via CRMF (CMP) =====", cert);
// Update certificate via CRMF - RSA (CA generate key pair)
KeyAndCert keyAndCert = client.updateCertViaCrmfCaGenKeypair(issuer, cert.getSerialNumber());
printKeyAndCert("===== Update via CRMF (CMP, CA generate keypair) =====", keyAndCert);
// Enroll certificate via CRMF - EC
kp = generateEcKeypair();
MyKeypair kp2 = generateEcKeypair();
X509Certificate[] certs = client.enrollCertsViaCrmf(new String[] { CERT_PROFILE, CERT_PROFILE }, new PrivateKey[] { kp.getPrivate(), kp2.getPrivate() }, new SubjectPublicKeyInfo[] { kp.getPublic(), kp2.getPublic() }, new String[] { getSubject(), getSubject() });
for (X509Certificate c : certs) {
printCert("===== Enroll EC via CRMF (CMP) =====", c);
}
// Update certificate via CRMF - EC
certs = client.updateCertsViaCrmf(new PrivateKey[] { kp.getPrivate(), kp2.getPrivate() }, issuer, new BigInteger[] { certs[0].getSerialNumber(), certs[1].getSerialNumber() });
for (X509Certificate c : certs) {
printCert("===== Update EC via CRMF (CMP) =====", c);
}
// Enroll certificate via CRMF - DSA
kp = generateDsaKeypair();
cert = client.enrollCertViaCrmf(CERT_PROFILE, kp.getPrivate(), kp.getPublic(), getSubject());
printCert("===== Enroll DSA via CRMF (CMP) =====", cert);
// Update certificate via CRMF - DSA
cert = client.updateCertViaCrmf(kp.getPrivate(), issuer, cert.getSerialNumber());
printCert("===== Update DSA via CRMF (CMP) =====", cert);
BigInteger serialNumber = cert.getSerialNumber();
// Suspend certificate
boolean flag = client.revokeCert(serialNumber, CRLReason.lookup(CRLReason.certificateHold));
if (flag) {
System.out.println("(CMP) suspended certificate");
} else {
System.err.println("(CMP) suspending certificate failed");
}
// Unsuspend certificate
flag = client.revokeCert(serialNumber, CRLReason.lookup(CRLReason.removeFromCRL));
if (flag) {
System.out.println("(CMP) unsuspended certificate");
} else {
System.err.println("(CMP) unsuspending certificate failed");
}
// Revoke certificate
flag = client.revokeCert(serialNumber, CRLReason.lookup(CRLReason.keyCompromise));
if (flag) {
System.out.println("(CMP) revoked certificate");
} else {
System.err.println("(CMP) revoking certificate failed");
}
client.close();
} catch (Exception ex) {
ex.printStackTrace();
System.exit(-1);
}
}
Also used :
PbmMacCmpCaClient(org.xipki.litecaclient.PbmMacCmpCaClient)
KeyAndCert(org.xipki.litecaclient.KeyAndCert)
PrivateKey(java.security.PrivateKey)
X500Name(org.bouncycastle.asn1.x500.X500Name)
X509Certificate(java.security.cert.X509Certificate)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
BigInteger(java.math.BigInteger)
File(java.io.File)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
HashSet(java.util.HashSet)
Example 2 with KeyAndCert
use of org.xipki.litecaclient.KeyAndCert in project xipki by xipki.
the class SignatureCmpCaClientExample method main.
public static void main(String[] args) {
if (!new File(KEYCERT_DIR).exists()) {
System.err.println("Please call \"mvn generate-resources\" first.");
return;
}
Security.addProvider(new BouncyCastleProvider());
try {
KeyStore ks = KeyStore.getInstance("PKCS12");
char[] password = REQUESTOR_KEYSTORE_PASSWORD.toCharArray();
InputStream ksStream = Files.newInputStream(Paths.get(expandPath(REQUESTOR_KEYSTORE_FILE)));
ks.load(ksStream, password);
ksStream.close();
Enumeration<String> aliases = ks.aliases();
String alias = null;
while (aliases.hasMoreElements()) {
String tmp = aliases.nextElement();
if (ks.isKeyEntry(tmp)) {
alias = tmp;
break;
}
}
PrivateKey requestorKey = (PrivateKey) ks.getKey(alias, password);
X509Certificate requestorCert = (X509Certificate) ks.getCertificate(alias);
X509Certificate responderCert = SdkUtil.parseCert(new File(expandPath(RESPONDER_CERT_FILE)));
CmpCaClient client = new SignatureCmpCaClient(CMP_URL, null, requestorKey, requestorCert, responderCert, HASH_ALGO);
client.init();
X509Certificate caCert = client.getCaCert();
X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
// retrieve CA certificate
printCert("===== CA Certificate =====", client.getCaCert());
// Enroll certificate via CRMF - (CA generate keypair)
KeyAndCert[] keyAndCerts = client.enrollCertsViaCrmfCaGenKeypair(new String[] { CERT_PROFILE, CERT_PROFILE }, new String[] { getSubject(), getSubject() });
for (int i = 0; i < keyAndCerts.length; i++) {
printKeyAndCert("===== Enroll via CRMF (CMP, CA generate keypair) =====", keyAndCerts[i]);
}
// Enroll certificate via CSR - RSA
MyKeypair kp = generateRsaKeypair();
CertificationRequest csr = genCsr(kp, getSubject());
X509Certificate cert = client.enrollCertViaCsr(CERT_PROFILE, csr);
printCert("===== Enroll RSA via CSR (CMP) =====", cert);
// Enroll certificate via CSR - EC
kp = generateEcKeypair();
csr = genCsr(kp, getSubject());
cert = client.enrollCertViaCsr(CERT_PROFILE, csr);
printCert("===== Enroll Enroll EC via CSR (CMP) =====", cert);
// Enroll certificate via CSR - DSA
kp = generateDsaKeypair();
csr = genCsr(kp, getSubject());
cert = client.enrollCertViaCsr(CERT_PROFILE, csr);
printCert("===== Enroll DSA via CSR (CMP) =====", cert);
// Enroll certificate via CRMF - RSA
kp = generateRsaKeypair();
cert = client.enrollCertViaCrmf(CERT_PROFILE, kp.getPrivate(), kp.getPublic(), getSubject());
printCert("===== Enroll Enroll RSA via CRMF (CMP) =====", cert);
// Update certificate via CRMF - RSA
cert = client.updateCertViaCrmf(kp.getPrivate(), issuer, cert.getSerialNumber());
printCert("===== Update RSA via CRMF (CMP) =====", cert);
// Update certificate via CRMF - RSA (CA generate key pair)
KeyAndCert keyAndCert = client.updateCertViaCrmfCaGenKeypair(issuer, cert.getSerialNumber());
printKeyAndCert("===== Update via CRMF (CMP, CA generate keypair) =====", keyAndCert);
// Enroll certificate via CRMF - EC
kp = generateEcKeypair();
MyKeypair kp2 = generateEcKeypair();
X509Certificate[] certs = client.enrollCertsViaCrmf(new String[] { CERT_PROFILE, CERT_PROFILE }, new PrivateKey[] { kp.getPrivate(), kp2.getPrivate() }, new SubjectPublicKeyInfo[] { kp.getPublic(), kp2.getPublic() }, new String[] { getSubject(), getSubject() });
for (int i = 0; i < certs.length; i++) {
printCert("===== Enroll EC via CRMF (CMP) =====", certs[i]);
}
// Update certificate via CRMF - EC
certs = client.updateCertsViaCrmf(new PrivateKey[] { kp.getPrivate(), kp2.getPrivate() }, issuer, new BigInteger[] { certs[0].getSerialNumber(), certs[1].getSerialNumber() });
for (int i = 0; i < certs.length; i++) {
printCert("===== Update EC via CRMF (CMP) =====", certs[i]);
}
// Enroll certificate via CRMF - DSA
kp = generateDsaKeypair();
cert = client.enrollCertViaCrmf(CERT_PROFILE, kp.getPrivate(), kp.getPublic(), getSubject());
printCert("===== Enroll DSA via CRMF (CMP) =====", cert);
// Update certificate via CRMF - DSA
cert = client.updateCertViaCrmf(kp.getPrivate(), issuer, cert.getSerialNumber());
printCert("===== Update DSA via CRMF (CMP) =====", cert);
BigInteger serialNumber = cert.getSerialNumber();
// Suspend certificate
boolean flag = client.revokeCert(serialNumber, CRLReason.lookup(CRLReason.certificateHold));
if (flag) {
System.out.println("(CMP) suspended certificate");
} else {
System.err.println("(CMP) suspending certificate failed");
}
// Unsuspend certificate
flag = client.revokeCert(serialNumber, CRLReason.lookup(CRLReason.removeFromCRL));
if (flag) {
System.out.println("(CMP) unsuspended certificate");
} else {
System.err.println("(CMP) unsuspending certificate failed");
}
// Revoke certificate
flag = client.revokeCert(serialNumber, CRLReason.lookup(CRLReason.keyCompromise));
if (flag) {
System.out.println("(CMP) revoked certificate");
} else {
System.err.println("(CMP) revoking certificate failed");
}
client.close();
} catch (Exception ex) {
ex.printStackTrace();
System.exit(-1);
}
}
Also used :
KeyAndCert(org.xipki.litecaclient.KeyAndCert)
PrivateKey(java.security.PrivateKey)
InputStream(java.io.InputStream)
X500Name(org.bouncycastle.asn1.x500.X500Name)
SignatureCmpCaClient(org.xipki.litecaclient.SignatureCmpCaClient)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
BigInteger(java.math.BigInteger)
SignatureCmpCaClient(org.xipki.litecaclient.SignatureCmpCaClient)
CmpCaClient(org.xipki.litecaclient.CmpCaClient)
File(java.io.File)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
Aggregations
File (java.io.File)2
BigInteger (java.math.BigInteger)2
PrivateKey (java.security.PrivateKey)2
X509Certificate (java.security.cert.X509Certificate)2
X500Name (org.bouncycastle.asn1.x500.X500Name)2
BouncyCastleProvider (org.bouncycastle.jce.provider.BouncyCastleProvider)2
KeyAndCert (org.xipki.litecaclient.KeyAndCert)2
InputStream (java.io.InputStream)1
KeyStore (java.security.KeyStore)1
HashSet (java.util.HashSet)1
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)1
CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)1
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)1
CmpCaClient (org.xipki.litecaclient.CmpCaClient)1
PbmMacCmpCaClient (org.xipki.litecaclient.PbmMacCmpCaClient)1
SignatureCmpCaClient (org.xipki.litecaclient.SignatureCmpCaClient)1
