use of org.xipki.litecaclient.SignatureCmpCaClient in project xipki by xipki.

the class SignatureCmpCaClientExample method main.

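/**
 * Runs the CMP example end to end: loads the requestor key and certificate from
 * the PKCS#12 keystore, builds a {@link SignatureCmpCaClient}, then enrolls,
 * updates, suspends, unsuspends and revokes certificates, printing each result.
 * Exits with status -1 if any step throws.
 *
 * @param args ignored
 */
public static void main(String[] args) {
    if (!new File(KEYCERT_DIR).exists()) {
        System.err.println("Please call \"mvn generate-resources\" first.");
        return;
    }
    Security.addProvider(new BouncyCastleProvider());
    try {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        char[] password = REQUESTOR_KEYSTORE_PASSWORD.toCharArray();
        // try-with-resources so the stream is closed even when load() throws
        try (InputStream ksStream = Files.newInputStream(Paths.get(expandPath(REQUESTOR_KEYSTORE_FILE)))) {
            ks.load(ksStream, password);
        }
        String alias = findFirstKeyAlias(ks);
        if (alias == null) {
            // a keystore without a key entry must fail with a clear message, not a NullPointerException later on
            throw new IllegalStateException("no key entry found in keystore " + REQUESTOR_KEYSTORE_FILE);
        }
        PrivateKey requestorKey = (PrivateKey) ks.getKey(alias, password);
        X509Certificate requestorCert = (X509Certificate) ks.getCertificate(alias);
        // the password is no longer needed: wipe it instead of leaving it on the heap
        for (int i = 0; i < password.length; i++) {
            password[i] = 0;
        }
        X509Certificate responderCert = SdkUtil.parseCert(new File(expandPath(RESPONDER_CERT_FILE)));
        CmpCaClient client = new SignatureCmpCaClient(CMP_URL, null, requestorKey, requestorCert, responderCert, HASH_ALGO);
        try {
            client.init();
            runExamples(client);
        } finally {
            // release the client even when one of the CMP operations failed
            client.close();
        }
    } catch (Exception ex) {
        ex.printStackTrace();
        System.exit(-1);
    }
}

/**
 * Returns the alias of the first key entry in {@code ks}, or {@code null} if the
 * keystore holds no key entry.
 *
 * @param ks a loaded keystore
 * @throws java.security.KeyStoreException if the keystore has not been loaded
 */
private static String findFirstKeyAlias(KeyStore ks) throws java.security.KeyStoreException {
    Enumeration<String> aliases = ks.aliases();
    while (aliases.hasMoreElements()) {
        String candidate = aliases.nextElement();
        if (ks.isKeyEntry(candidate)) {
            return candidate;
        }
    }
    return null;
}

/**
 * Exercises the enrollment, update and revocation operations of an initialized
 * client against the CA and prints every certificate it obtains.
 *
 * @param client an initialized CMP client; closing it is the caller's job
 * @throws Exception whatever the client operations throw
 */
private static void runExamples(CmpCaClient client) throws Exception {
    X509Certificate caCert = client.getCaCert();
    X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    printCert("===== CA Certificate =====", caCert);
    // Enroll certificates via CRMF, key pairs generated by the CA
    KeyAndCert[] keyAndCerts = client.enrollCertsViaCrmfCaGenKeypair(new String[] { CERT_PROFILE, CERT_PROFILE }, new String[] { getSubject(), getSubject() });
    for (KeyAndCert keyAndCert : keyAndCerts) {
        printKeyAndCert("===== Enroll via CRMF (CMP, CA generate keypair) =====", keyAndCert);
    }
    // Enroll certificates via CSR: RSA, EC, DSA
    X509Certificate cert = enrollViaCsr(client, generateRsaKeypair());
    printCert("===== Enroll RSA via CSR (CMP) =====", cert);
    cert = enrollViaCsr(client, generateEcKeypair());
    printCert("===== Enroll Enroll EC via CSR (CMP) =====", cert);
    cert = enrollViaCsr(client, generateDsaKeypair());
    printCert("===== Enroll DSA via CSR (CMP) =====", cert);
    // Enroll and update via CRMF - RSA
    MyKeypair kp = generateRsaKeypair();
    cert = client.enrollCertViaCrmf(CERT_PROFILE, kp.getPrivate(), kp.getPublic(), getSubject());
    printCert("===== Enroll Enroll RSA via CRMF (CMP) =====", cert);
    cert = client.updateCertViaCrmf(kp.getPrivate(), issuer, cert.getSerialNumber());
    printCert("===== Update RSA via CRMF (CMP) =====", cert);
    // Update via CRMF with a CA-generated key pair
    KeyAndCert updated = client.updateCertViaCrmfCaGenKeypair(issuer, cert.getSerialNumber());
    printKeyAndCert("===== Update via CRMF (CMP, CA generate keypair) =====", updated);
    // Enroll and update two certificates at once via CRMF - EC
    kp = generateEcKeypair();
    MyKeypair kp2 = generateEcKeypair();
    PrivateKey[] ecKeys = new PrivateKey[] { kp.getPrivate(), kp2.getPrivate() };
    X509Certificate[] certs = client.enrollCertsViaCrmf(new String[] { CERT_PROFILE, CERT_PROFILE }, ecKeys, new SubjectPublicKeyInfo[] { kp.getPublic(), kp2.getPublic() }, new String[] { getSubject(), getSubject() });
    for (X509Certificate c : certs) {
        printCert("===== Enroll EC via CRMF (CMP) =====", c);
    }
    certs = client.updateCertsViaCrmf(ecKeys, issuer, new BigInteger[] { certs[0].getSerialNumber(), certs[1].getSerialNumber() });
    for (X509Certificate c : certs) {
        printCert("===== Update EC via CRMF (CMP) =====", c);
    }
    // Enroll and update via CRMF - DSA
    kp = generateDsaKeypair();
    cert = client.enrollCertViaCrmf(CERT_PROFILE, kp.getPrivate(), kp.getPublic(), getSubject());
    printCert("===== Enroll DSA via CRMF (CMP) =====", cert);
    cert = client.updateCertViaCrmf(kp.getPrivate(), issuer, cert.getSerialNumber());
    printCert("===== Update DSA via CRMF (CMP) =====", cert);
    // Suspend, unsuspend and finally revoke the last certificate
    BigInteger serialNumber = cert.getSerialNumber();
    revokeAndReport(client, serialNumber, CRLReason.certificateHold, "(CMP) suspended certificate", "(CMP) suspending certificate failed");
    revokeAndReport(client, serialNumber, CRLReason.removeFromCRL, "(CMP) unsuspended certificate", "(CMP) unsuspending certificate failed");
    revokeAndReport(client, serialNumber, CRLReason.keyCompromise, "(CMP) revoked certificate", "(CMP) revoking certificate failed");
}

/**
 * Builds a CSR for {@code kp} with the example subject and enrolls it under
 * {@code CERT_PROFILE}.
 */
private static X509Certificate enrollViaCsr(CmpCaClient client, MyKeypair kp) throws Exception {
    CertificationRequest csr = genCsr(kp, getSubject());
    return client.enrollCertViaCsr(CERT_PROFILE, csr);
}

/**
 * Sends a revocation request with the given {@link CRLReason} code and reports
 * the outcome on stdout (success) or stderr (failure).
 */
private static void revokeAndReport(CmpCaClient client, BigInteger serialNumber, int reasonCode, String successMessage, String failureMessage) throws Exception {
    boolean ok = client.revokeCert(serialNumber, CRLReason.lookup(reasonCode));
    if (ok) {
        System.out.println(successMessage);
    } else {
        System.err.println(failureMessage);
    }
}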