
Example 1 with KeyAndCert

Use of org.xipki.litecaclient.KeyAndCert in the xipki project (by xipki).

From class PbmMacCmpCaClientExample, method main: CMP enrollment, update and revocation with requests protected by a password-based MAC (shared secret).

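public static void main(String[] args) {
    // The example keys/certificates are produced by the Maven build; stop with a hint
    // rather than failing later with a confusing FileNotFoundException.
    if (!new File(KEYCERT_DIR).exists()) {
        System.err.println("Please call \"mvn generate-resources\" first.");
        return;
    }
    Security.addProvider(new BouncyCastleProvider());
    try {
        // The responder certificate identifies the CA-side entity whose CMP responses we accept.
        X509Certificate responderCert = SdkUtil.parseCert(new File(expandPath(RESPONDER_CERT_FILE)));
        X500Name requestorSubject = new X500Name("CN=PBMMAC");
        X500Name responderSubject = X500Name.getInstance(responderCert.getSubjectX500Principal().getEncoded());
        PbmMacCmpCaClient client = new PbmMacCmpCaClient(CMP_URL, null, requestorSubject, responderSubject, HASH_ALGO);
        // Key identifier that tells the CA which shared secret to look up. Per the author's
        // note it is SHA1("requestor-mac1".getBytes("UTF-8")); it is only an identifier, not a
        // secret, so the use of SHA-1 here is not a weakness.
        client.setKid(Hex.decode("466827c7757a70af71ca0338c01361aab2019dcf"));
        // SECURITY: demo-only shared secret. Password-based MAC protection is exactly as strong
        // as this value, and the CA must be configured with the same one. A real deployment
        // needs a high-entropy secret supplied from configuration, never hard-coded in source.
        client.setPassword("123456".toCharArray());
        // Iteration count for the password-based key derivation (presumably the PBMParameter
        // iterationCount of the CMP protection; confirm against PbmMacCmpCaClient).
        client.setRequestInterationCount(10240);
        // MAC and one-way function used to protect our own requests (HMAC-SHA256 / SHA-256) ...
        client.setRequestMac(new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA256, DERNull.INSTANCE));
        client.setRequestOwf(new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256, DERNull.INSTANCE));
        // ... and the only algorithms we are willing to trust in the CA's responses. Keeping
        // these sets to a single strong choice leaves no room for a weaker MAC/hash to be
        // negotiated (presumably the client rejects anything else; verify in PbmMacCmpCaClient).
        Set<ASN1ObjectIdentifier> trustedOwfs = new HashSet<>();
        trustedOwfs.add(NISTObjectIdentifiers.id_sha256);
        client.setTrustedOwfOids(trustedOwfs);
        Set<ASN1ObjectIdentifier> trustedMacs = new HashSet<>();
        trustedMacs.add(PKCSObjectIdentifiers.id_hmacWithSHA256);
        client.setTrustedMacOids(trustedMacs);
        try {
            client.init();
            X509Certificate caCert = client.getCaCert();
            X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
            // retrieve CA certificate
            printCert("===== CA Certificate =====", caCert);
            // Enroll certificates via CRMF where the CA generates the key pairs. The returned
            // private keys travelled over the CMP channel, so they are only as confidential as
            // the channel's protection.
            KeyAndCert[] keyAndCerts = client.enrollCertsViaCrmfCaGenKeypair(new String[] { CERT_PROFILE, CERT_PROFILE }, new String[] { getSubject(), getSubject() });
            for (KeyAndCert kc : keyAndCerts) {
                printKeyAndCert("===== Enroll via CRMF (CMP, CA generate keypair) =====", kc);
            }
            // Enroll via PKCS#10 CSR with locally generated RSA, EC and DSA keys.
            X509Certificate cert = client.enrollCertViaCsr(CERT_PROFILE, genCsr(generateRsaKeypair(), getSubject()));
            printCert("===== Enroll RSA via CSR (CMP) =====", cert);
            cert = client.enrollCertViaCsr(CERT_PROFILE, genCsr(generateEcKeypair(), getSubject()));
            printCert("===== Enroll EC via CSR (CMP) =====", cert);
            cert = client.enrollCertViaCsr(CERT_PROFILE, genCsr(generateDsaKeypair(), getSubject()));
            printCert("===== Enroll DSA via CSR (CMP) =====", cert);
            // Enroll via CRMF - RSA, then update (re-key) that certificate with the same key.
            MyKeypair rsaKp = generateRsaKeypair();
            cert = client.enrollCertViaCrmf(CERT_PROFILE, rsaKp.getPrivate(), rsaKp.getPublic(), getSubject());
            printCert("===== Enroll RSA via CRMF (CMP) =====", cert);
            cert = client.updateCertViaCrmf(rsaKp.getPrivate(), issuer, cert.getSerialNumber());
            printCert("===== Update RSA via CRMF (CMP) =====", cert);
            // Update via CRMF - RSA, this time letting the CA generate the new key pair.
            KeyAndCert keyAndCert = client.updateCertViaCrmfCaGenKeypair(issuer, cert.getSerialNumber());
            printKeyAndCert("===== Update via CRMF (CMP, CA generate keypair) =====", keyAndCert);
            // Enroll two EC certificates in one CRMF request, then update both in one request.
            MyKeypair ecKp1 = generateEcKeypair();
            MyKeypair ecKp2 = generateEcKeypair();
            X509Certificate[] certs = client.enrollCertsViaCrmf(new String[] { CERT_PROFILE, CERT_PROFILE }, new PrivateKey[] { ecKp1.getPrivate(), ecKp2.getPrivate() }, new SubjectPublicKeyInfo[] { ecKp1.getPublic(), ecKp2.getPublic() }, new String[] { getSubject(), getSubject() });
            for (X509Certificate c : certs) {
                printCert("===== Enroll EC via CRMF (CMP) =====", c);
            }
            certs = client.updateCertsViaCrmf(new PrivateKey[] { ecKp1.getPrivate(), ecKp2.getPrivate() }, issuer, new BigInteger[] { certs[0].getSerialNumber(), certs[1].getSerialNumber() });
            for (X509Certificate c : certs) {
                printCert("===== Update EC via CRMF (CMP) =====", c);
            }
            // Enroll via CRMF - DSA, then update it.
            MyKeypair dsaKp = generateDsaKeypair();
            cert = client.enrollCertViaCrmf(CERT_PROFILE, dsaKp.getPrivate(), dsaKp.getPublic(), getSubject());
            printCert("===== Enroll DSA via CRMF (CMP) =====", cert);
            cert = client.updateCertViaCrmf(dsaKp.getPrivate(), issuer, cert.getSerialNumber());
            printCert("===== Update DSA via CRMF (CMP) =====", cert);
            // Revocation life cycle on the last certificate: hold, release the hold, then
            // revoke permanently. A false return is reported but does not abort the example.
            BigInteger serialNumber = cert.getSerialNumber();
            boolean flag = client.revokeCert(serialNumber, CRLReason.lookup(CRLReason.certificateHold));
            if (flag) {
                System.out.println("(CMP) suspended certificate");
            } else {
                System.err.println("(CMP) suspending certificate failed");
            }
            flag = client.revokeCert(serialNumber, CRLReason.lookup(CRLReason.removeFromCRL));
            if (flag) {
                System.out.println("(CMP) unsuspended certificate");
            } else {
                System.err.println("(CMP) unsuspending certificate failed");
            }
            flag = client.revokeCert(serialNumber, CRLReason.lookup(CRLReason.keyCompromise));
            if (flag) {
                System.out.println("(CMP) revoked certificate");
            } else {
                System.err.println("(CMP) revoking certificate failed");
            }
        } finally {
            // Release the client on every path, not only when all steps succeeded.
            // (If a step above threw and close() throws too, the close() exception wins.)
            client.close();
        }
    } catch (Exception ex) {
        ex.printStackTrace();
        System.exit(-1);
    }
}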

Example 2 with KeyAndCert

Use of org.xipki.litecaclient.KeyAndCert in the xipki project (by xipki).

From class SignatureCmpCaClientExample, method main: the same CMP enrollment, update and revocation flow, but with requests protected by a requestor signature key loaded from a PKCS#12 keystore.

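public static void main(String[] args) {
    // The example keys/certificates are produced by the Maven build; stop with a hint
    // rather than failing later with a confusing FileNotFoundException.
    if (!new File(KEYCERT_DIR).exists()) {
        System.err.println("Please call \"mvn generate-resources\" first.");
        return;
    }
    Security.addProvider(new BouncyCastleProvider());
    try {
        // The requestor's signing key and certificate come from a PKCS#12 keystore; CMP
        // requests are protected by a signature with this key instead of a shared secret.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        char[] password = REQUESTOR_KEYSTORE_PASSWORD.toCharArray();
        // try-with-resources: the stream is closed even when KeyStore.load() fails.
        try (InputStream ksStream = Files.newInputStream(Paths.get(expandPath(REQUESTOR_KEYSTORE_FILE)))) {
            ks.load(ksStream, password);
        }
        // Use the first key entry found in the keystore.
        String alias = null;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String candidate = aliases.nextElement();
            if (ks.isKeyEntry(candidate)) {
                alias = candidate;
                break;
            }
        }
        if (alias == null) {
            // Fail with a clear message instead of an obscure exception from getKey(null, ...).
            throw new IllegalStateException("no key entry found in keystore " + REQUESTOR_KEYSTORE_FILE);
        }
        PrivateKey requestorKey = (PrivateKey) ks.getKey(alias, password);
        // The password copy is no longer needed; wipe it. (The REQUESTOR_KEYSTORE_PASSWORD
        // String itself cannot be wiped, so this is hygiene for the char[] copy only.)
        java.util.Arrays.fill(password, '\0');
        X509Certificate requestorCert = (X509Certificate) ks.getCertificate(alias);
        // The responder certificate identifies the CA-side entity whose CMP responses we accept.
        X509Certificate responderCert = SdkUtil.parseCert(new File(expandPath(RESPONDER_CERT_FILE)));
        CmpCaClient client = new SignatureCmpCaClient(CMP_URL, null, requestorKey, requestorCert, responderCert, HASH_ALGO);
        try {
            client.init();
            X509Certificate caCert = client.getCaCert();
            X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
            // retrieve CA certificate
            printCert("===== CA Certificate =====", caCert);
            // Enroll certificates via CRMF where the CA generates the key pairs. The returned
            // private keys travelled over the CMP channel, so they are only as confidential as
            // the channel's protection.
            KeyAndCert[] keyAndCerts = client.enrollCertsViaCrmfCaGenKeypair(new String[] { CERT_PROFILE, CERT_PROFILE }, new String[] { getSubject(), getSubject() });
            for (KeyAndCert kc : keyAndCerts) {
                printKeyAndCert("===== Enroll via CRMF (CMP, CA generate keypair) =====", kc);
            }
            // Enroll via PKCS#10 CSR with locally generated RSA, EC and DSA keys.
            MyKeypair kp = generateRsaKeypair();
            CertificationRequest csr = genCsr(kp, getSubject());
            X509Certificate cert = client.enrollCertViaCsr(CERT_PROFILE, csr);
            printCert("===== Enroll RSA via CSR (CMP) =====", cert);
            kp = generateEcKeypair();
            csr = genCsr(kp, getSubject());
            cert = client.enrollCertViaCsr(CERT_PROFILE, csr);
            printCert("===== Enroll EC via CSR (CMP) =====", cert);
            kp = generateDsaKeypair();
            csr = genCsr(kp, getSubject());
            cert = client.enrollCertViaCsr(CERT_PROFILE, csr);
            printCert("===== Enroll DSA via CSR (CMP) =====", cert);
            // Enroll via CRMF - RSA, then update that certificate with the same key.
            kp = generateRsaKeypair();
            cert = client.enrollCertViaCrmf(CERT_PROFILE, kp.getPrivate(), kp.getPublic(), getSubject());
            printCert("===== Enroll RSA via CRMF (CMP) =====", cert);
            cert = client.updateCertViaCrmf(kp.getPrivate(), issuer, cert.getSerialNumber());
            printCert("===== Update RSA via CRMF (CMP) =====", cert);
            // Update via CRMF - RSA, this time letting the CA generate the new key pair.
            KeyAndCert keyAndCert = client.updateCertViaCrmfCaGenKeypair(issuer, cert.getSerialNumber());
            printKeyAndCert("===== Update via CRMF (CMP, CA generate keypair) =====", keyAndCert);
            // Enroll two EC certificates in one CRMF request, then update both in one request.
            kp = generateEcKeypair();
            MyKeypair kp2 = generateEcKeypair();
            X509Certificate[] certs = client.enrollCertsViaCrmf(new String[] { CERT_PROFILE, CERT_PROFILE }, new PrivateKey[] { kp.getPrivate(), kp2.getPrivate() }, new SubjectPublicKeyInfo[] { kp.getPublic(), kp2.getPublic() }, new String[] { getSubject(), getSubject() });
            for (X509Certificate c : certs) {
                printCert("===== Enroll EC via CRMF (CMP) =====", c);
            }
            certs = client.updateCertsViaCrmf(new PrivateKey[] { kp.getPrivate(), kp2.getPrivate() }, issuer, new BigInteger[] { certs[0].getSerialNumber(), certs[1].getSerialNumber() });
            for (X509Certificate c : certs) {
                printCert("===== Update EC via CRMF (CMP) =====", c);
            }
            // Enroll via CRMF - DSA, then update it.
            kp = generateDsaKeypair();
            cert = client.enrollCertViaCrmf(CERT_PROFILE, kp.getPrivate(), kp.getPublic(), getSubject());
            printCert("===== Enroll DSA via CRMF (CMP) =====", cert);
            cert = client.updateCertViaCrmf(kp.getPrivate(), issuer, cert.getSerialNumber());
            printCert("===== Update DSA via CRMF (CMP) =====", cert);
            // Revocation life cycle on the last certificate: hold, release the hold, then
            // revoke permanently. A false return is reported but does not abort the example.
            BigInteger serialNumber = cert.getSerialNumber();
            boolean flag = client.revokeCert(serialNumber, CRLReason.lookup(CRLReason.certificateHold));
            if (flag) {
                System.out.println("(CMP) suspended certificate");
            } else {
                System.err.println("(CMP) suspending certificate failed");
            }
            flag = client.revokeCert(serialNumber, CRLReason.lookup(CRLReason.removeFromCRL));
            if (flag) {
                System.out.println("(CMP) unsuspended certificate");
            } else {
                System.err.println("(CMP) unsuspending certificate failed");
            }
            flag = client.revokeCert(serialNumber, CRLReason.lookup(CRLReason.keyCompromise));
            if (flag) {
                System.out.println("(CMP) revoked certificate");
            } else {
                System.err.println("(CMP) revoking certificate failed");
            }
        } finally {
            // Release the client on every path, not only when all steps succeeded.
            // (If a step above threw and close() throws too, the close() exception wins.)
            client.close();
        }
    } catch (Exception ex) {
        ex.printStackTrace();
        System.exit(-1);
    }
}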
