
Example 1 with SignAlgo

use of org.xipki.security.SignAlgo in project xipki by xipki.

the class CmpControl method buildAlgorithmValidator.

/**
 * Builds an algorithm validator from a list of configured signature algorithm names.
 *
 * <p>Each name is resolved through {@code SignAlgo.getInstance(String)}. A name that cannot be
 * resolved is logged at WARN level and skipped, so the resulting allow-list may be narrower
 * than the configured one. If not a single name resolves, the method fails rather than
 * constructing a validator from an empty set.
 *
 * @param algoNames configured signature algorithm names
 * @return a validator over the algorithms that could be resolved
 * @throws NoSuchAlgorithmException if none of the given names is supported
 */
private CollectionAlgorithmValidator buildAlgorithmValidator(Collection<String> algoNames) throws NoSuchAlgorithmException {
    Set<SignAlgo> supported = new HashSet<>();
    for (String name : algoNames) {
        try {
            supported.add(SignAlgo.getInstance(name));
        } catch (NoSuchAlgorithmException ex) {
            // A single unknown name is not fatal; it is only reported and left out.
            LOG.warn("algorithm is not supported {}, ignore it", name);
        }
    }
    if (!supported.isEmpty()) {
        return new CollectionAlgorithmValidator(supported);
    }
    // Nothing usable was configured: refuse instead of validating against an empty set.
    throw new NoSuchAlgorithmException("none of the signature algorithms " + algoNames + " are supported");
}
Also used : SignAlgo(org.xipki.security.SignAlgo) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CollectionAlgorithmValidator(org.xipki.security.CollectionAlgorithmValidator)

Example 2 with SignAlgo

use of org.xipki.security.SignAlgo in project xipki by xipki.

the class CmpControl method initPbm.

// constructor
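/**
 * Initializes the password-based MAC (PBM) settings and mirrors them into {@code pairs}.
 *
 * <p>Defaults applied when a value is absent: {@code DFLT_PBM_ITERATIONCOUNT} for the iteration
 * count, {@code "SHA256"} for the one-way function list and {@code "HMACSHA256"} for the MAC
 * list. Every configured name is resolved and stored in {@code requestPbmOwfs} /
 * {@code requestPbmMacs}; the first entry of each list is additionally stored as
 * {@code responsePbmOwf} / {@code responsePbmMac}. The canonical JCE names are written to
 * {@code pairs}.
 *
 * @param pairs configuration pairs that receive the canonicalized values
 * @param pbmOwfs names of the one-way (hash) functions, may be {@code null} or empty
 * @param pbmMacs names of the MAC algorithms, may be {@code null} or empty
 * @param pbmIterationCount iteration count, may be {@code null}
 * @throws InvalidConfException if the iteration count is not positive or a name cannot be resolved
 */
private void initPbm(ConfPairs pairs, List<String> pbmOwfs, List<String> pbmMacs, Integer pbmIterationCount) throws InvalidConfException {
    if (pbmIterationCount == null) {
        pbmIterationCount = DFLT_PBM_ITERATIONCOUNT;
    }
    // Only non-positive values are rejected; no minimum work factor is enforced here, so a
    // very small count passes this check.
    if (pbmIterationCount <= 0) {
        throw new InvalidConfException("invalid pbmIterationCount " + pbmIterationCount);
    }
    if (CollectionUtil.isEmpty(pbmOwfs)) {
        pbmOwfs = Collections.singletonList("SHA256");
    }
    if (CollectionUtil.isEmpty(pbmMacs)) {
        pbmMacs = Collections.singletonList("HMACSHA256");
    }
    this.responsePbmIterationCount = pbmIterationCount;
    pairs.putPair(KEY_PROTECTION_PBM_IC, Integer.toString(pbmIterationCount));

    // PasswordBasedMac.owf
    this.requestPbmOwfs = new ArrayList<>(pbmOwfs.size());
    List<String> canonicalizedAlgos = new ArrayList<>(pbmOwfs.size());
    for (int i = 0; i < pbmOwfs.size(); i++) {
        String algo = pbmOwfs.get(i);
        HashAlgo ha;
        try {
            ha = HashAlgo.getInstance(algo);
        } catch (Exception ex) {
            // Message previously read "pbmPwf"; the setting being validated is the OWF.
            throw new InvalidConfException("invalid pbmOwf " + algo, ex);
        }
        canonicalizedAlgos.add(ha.getJceName());
        requestPbmOwfs.add(ha);
        if (i == 0) {
            // The first configured entry is stored as the response-side algorithm.
            responsePbmOwf = ha;
        }
    }
    pairs.putPair(KEY_PROTECTION_PBM_OWF, algosAsString(canonicalizedAlgos));

    // PasswordBasedMac.mac
    canonicalizedAlgos.clear();
    this.requestPbmMacs = new ArrayList<>(pbmMacs.size());
    for (int i = 0; i < pbmMacs.size(); i++) {
        String algo = pbmMacs.get(i);
        SignAlgo signAlgo;
        try {
            // NOTE(review): any name SignAlgo can resolve is accepted at this point; nothing
            // visible here restricts the entry to a MAC algorithm - confirm that this is
            // checked elsewhere.
            signAlgo = SignAlgo.getInstance(algo);
        } catch (NoSuchAlgorithmException ex) {
            throw new InvalidConfException("invalid pbmMac " + algo, ex);
        }
        canonicalizedAlgos.add(signAlgo.getJceName());
        requestPbmMacs.add(signAlgo);
        if (i == 0) {
            responsePbmMac = signAlgo;
        }
    }
    pairs.putPair(KEY_PROTECTION_PBM_MAC, algosAsString(canonicalizedAlgos));
}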
Also used : SignAlgo(org.xipki.security.SignAlgo) HashAlgo(org.xipki.security.HashAlgo) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)

Example 3 with SignAlgo

use of org.xipki.security.SignAlgo in project xipki by xipki.

the class OcspBenchRequestor method init.

/**
 * Prepares this benchmark requestor: derives the issuer hashes, builds the optional
 * preferred-signature-algorithms extension, parses the responder URL and starts the HTTP client.
 *
 * @param responseHandler handler passed to the HTTP client, must not be {@code null}
 * @param responderUrl URL of the OCSP responder
 * @param issuerCert issuer certificate whose subject and public key are hashed, must not be {@code null}
 * @param requestOptions request options supplying the hash algorithm and preferred signature
 *     algorithms, must not be {@code null}
 * @param queueSize queue size passed to the HTTP client
 * @throws OcspRequestorException if the extension cannot be encoded or the URL has no port and
 *     a scheme other than http/https
 * @throws IOException declared by the encoding calls used for the issuer hashes
 * @throws URISyntaxException if {@code responderUrl} is not a valid URI
 */
public void init(ResponseHandler responseHandler, String responderUrl, X509Cert issuerCert, RequestOptions requestOptions, int queueSize) throws OcspRequestorException, IOException, URISyntaxException {
    notNull(issuerCert, "issuerCert");
    notNull(responseHandler, "responseHandler");
    this.requestOptions = notNull(requestOptions, "requestOptions");

    // Both issuer hashes use the hash algorithm selected in the request options.
    this.issuerhashAlg = requestOptions.getHashAlgorithm();
    this.issuerNameHash = new DEROctetString(issuerhashAlg.hash(issuerCert.getSubject().getEncoded()));
    this.issuerKeyHash = new DEROctetString(issuerhashAlg.hash(issuerCert.getSubjectPublicKeyInfo().getPublicKeyData().getOctets()));

    List<SignAlgo> prefSigAlgs = requestOptions.getPreferredSignatureAlgorithms();
    if (prefSigAlgs != null && !prefSigAlgs.isEmpty()) {
        // One SEQUENCE per preferred algorithm, wrapped in an outer SEQUENCE.
        ASN1EncodableVector preferred = new ASN1EncodableVector();
        for (SignAlgo sigAlg : prefSigAlgs) {
            preferred.add(new DERSequence(sigAlg.getAlgorithmIdentifier()));
        }
        ASN1Sequence extnValue = new DERSequence(preferred);
        Extension prefSigAlgsExtn;
        try {
            // The extension is added as non-critical.
            prefSigAlgsExtn = new Extension(ObjectIdentifiers.Extn.id_pkix_ocsp_prefSigAlgs, false, new DEROctetString(extnValue));
        } catch (IOException ex) {
            throw new OcspRequestorException(ex.getMessage(), ex);
        }
        this.extensions = new Extension[] { prefSigAlgsExtn };
    } else {
        this.extensions = null;
    }

    URI uri = new URI(responderUrl);
    this.responderRawPathPost = uri.getRawPath();
    // The GET path always ends with a slash; the POST path is used as given.
    this.responderRawPathGet = this.responderRawPathPost.endsWith("/")
            ? this.responderRawPathPost
            : this.responderRawPathPost + "/";

    int port = uri.getPort();
    if (port == -1) {
        // No explicit port: fall back to the scheme's well-known port.
        final String scheme = uri.getScheme();
        final boolean plainHttp = "http".equalsIgnoreCase(scheme);
        if (!plainHttp && !"https".equalsIgnoreCase(scheme)) {
            throw new OcspRequestorException("unknown scheme " + scheme);
        }
        port = plainHttp ? 80 : 443;
    }

    // NOTE(review): the scheme only influences the default port here, and the third
    // constructor argument is null. If that argument is the TLS context, an https URL would
    // be contacted on 443 without TLS being configured from this method - confirm against
    // BenchmarkHttpClient.
    this.httpClient = new BenchmarkHttpClient(uri.getHost(), port, null, responseHandler, queueSize);
    this.httpClient.start();
}
Also used : OcspRequestorException(org.xipki.ocsp.client.OcspRequestorException) IOException(java.io.IOException) URI(java.net.URI) SignAlgo(org.xipki.security.SignAlgo) Extension(org.bouncycastle.asn1.x509.Extension) BenchmarkHttpClient(org.xipki.qa.BenchmarkHttpClient)

Example 4 with SignAlgo

use of org.xipki.security.SignAlgo in project xipki by xipki.

the class Client method encryptThenSign.

// method scepNextCaCert
/**
 * Encodes {@code request} using the client's identity key and certificate together with the
 * encryption certificate from {@code authorityCertStore}.
 *
 * <p>The hash algorithm and the content-encryption algorithm are both chosen from what
 * {@code caCaps} reports: AES-128-CBC when AES is supported, otherwise 3DES-CBC. If neither is
 * supported the request is refused.
 *
 * @param request message to encode
 * @param identityKey private key used for signing
 * @param identityCert certificate matching {@code identityKey}; also sent as the only
 *     certificate in the chain argument
 * @return the encoded message
 * @throws ScepClientException if no acceptable cipher is available or encoding fails
 */
private ContentInfo encryptThenSign(PkiMessage request, PrivateKey identityKey, X509Cert identityCert) throws ScepClientException {
    HashAlgo digest = caCaps.mostSecureHashAlgo();

    // AES is preferred; 3DES (64-bit block cipher, legacy) is the only fallback.
    // NOTE(review): the choice depends entirely on caCaps. If those capabilities come from an
    // unauthenticated response, the client can be steered onto the 3DES branch - confirm how
    // caCaps is obtained, and consider whether the fallback is still needed.
    final boolean aesAvailable = caCaps.supportsAES();
    if (!aesAvailable && !caCaps.supportsDES3()) {
        throw new ScepClientException("DES will not be supported by this client");
    }
    final ASN1ObjectIdentifier encAlgId = aesAvailable ? CMSAlgorithm.AES128_CBC : CMSAlgorithm.DES_EDE3_CBC;

    try {
        SignAlgo signatureAlgorithm = SignAlgo.getInstance(identityKey, digest, null);
        X509Cert[] signerChain = new X509Cert[] { identityCert };
        return request.encode(identityKey, signatureAlgorithm, identityCert, signerChain, authorityCertStore.getEncryptionCert(), encAlgId);
    } catch (MessageEncodingException | NoSuchAlgorithmException ex) {
        throw new ScepClientException(ex);
    }
}
Also used : SignAlgo(org.xipki.security.SignAlgo) HashAlgo(org.xipki.security.HashAlgo) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 5 with SignAlgo

use of org.xipki.security.SignAlgo in project xipki by xipki.

the class XijsonCertprofile method initialize0.

// method initialize
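/**
 * Populates this certificate profile from its parsed configuration.
 *
 * <p>In order, this sets: the certificate version (default {@code v3}), the permitted signature
 * algorithms, general limits (raOnly, maxSize, validity, notAfterMode, certLevel, certDomain),
 * the key pair generation control, the notBefore option, the key algorithms, the subject RDN
 * controls and finally the extensions.
 *
 * <p>Signature algorithm names that cannot be resolved are logged and dropped, so the
 * effective list may be shorter than the configured one; an entirely unsupported list is an
 * error.
 *
 * <p>The notBefore setting accepts {@code midnight[:GMT+n|GMT-n]} with n from 0 to 12,
 * {@code current}, or a signed offset such as {@code +5m} with the suffixes d, h, m or s.
 *
 * @param conf parsed profile configuration
 * @throws CertprofileException if a mandatory value is missing or a value is invalid
 */
private void initialize0(X509ProfileType conf) throws CertprofileException {
    this.version = conf.getVersion();
    if (this.version == null) {
        this.version = X509CertVersion.v3;
    }
    if (conf.getSignatureAlgorithms() != null) {
        List<String> algoNames = conf.getSignatureAlgorithms();
        List<SignAlgo> list = new ArrayList<>(algoNames.size());
        for (String algoName : algoNames) {
            try {
                list.add(SignAlgo.getInstance(algoName));
            } catch (NoSuchAlgorithmException ex) {
                // Unknown names are skipped; only a list with no usable entry is fatal.
                LOG.warn("unsupported signature algorithm: {}, ignore it", algoName);
            }
        }
        if (list.isEmpty()) {
            throw new CertprofileException("none of the signature algorithms is supported: " + conf.getSignatureAlgorithms());
        }
        this.signatureAlgorithms = Collections.unmodifiableList(list);
    }
    this.raOnly = conf.getRaOnly() != null && conf.getRaOnly();
    this.maxSize = conf.getMaxSize();
    this.validity = Validity.getInstance(conf.getValidity());
    this.notAfterMode = conf.getNotAfterMode();
    this.certLevel = conf.getCertLevel();
    if (this.certLevel == null) {
        throw new CertprofileException("invalid CertLevel");
    }
    this.certDomain = conf.getCertDomain() == null ? CertDomain.RFC5280 : conf.getCertDomain();
    // KeypairGenControl
    KeypairGenerationType kg = conf.getKeypairGeneration();
    this.serialNumberMode = conf.getSerialNumberMode();
    if (kg == null || kg.isForbidden()) {
        // An absent keypair generation section is treated the same as "forbidden".
        this.keypairGenControl = KeypairGenControl.ForbiddenKeypairGenControl.INSTANCE;
    } else if (kg.isInheritCA()) {
        this.keypairGenControl = KeypairGenControl.InheritCAKeypairGenControl.INSTANCE;
    } else {
        KeyType keyType = kg.getKeyType();
        ASN1ObjectIdentifier keyAlgOid = new ASN1ObjectIdentifier(kg.getAlgorithm().getOid());
        Map<String, String> params = kg.getParameters();
        // NOTE(review): a missing or non-numeric size parameter surfaces below as an unchecked
        // NumberFormatException, and the parsed sizes are passed on without a range check in
        // this method - confirm they are validated by the KeypairGenControl classes.
        if (keyType == KeyType.RSA) {
            int keySize = Integer.parseInt(params.get(KeypairGenerationType.PARAM_keysize));
            this.keypairGenControl = new KeypairGenControl.RSAKeypairGenControl(keySize, keyAlgOid);
        } else if (keyType == KeyType.EC) {
            ASN1ObjectIdentifier curveOid = new ASN1ObjectIdentifier(params.get(KeypairGenerationType.PARAM_curve));
            this.keypairGenControl = new KeypairGenControl.ECKeypairGenControl(curveOid, keyAlgOid);
        } else if (keyType == KeyType.DSA) {
            int plen = Integer.parseInt(params.get(KeypairGenerationType.PARAM_plength));
            String tmp = params.get(KeypairGenerationType.PARAM_qlength);
            // qlength is optional; 0 is passed when it is not configured.
            int qlen = tmp == null ? 0 : Integer.parseInt(tmp);
            this.keypairGenControl = new KeypairGenControl.DSAKeypairGenControl(plen, qlen, keyAlgOid);
        } else if (keyType == KeyType.ED25519 || keyType == KeyType.ED448 || keyType == KeyType.X25519 || keyType == KeyType.X448) {
            this.keypairGenControl = new KeypairGenControl.EDDSAKeypairGenControl(keyAlgOid);
        } else {
            throw new CertprofileException("unknown KeypairGeneration type " + keyType);
        }
    }
    // Locale.ROOT keeps the case mapping independent of the JVM's default locale; with a
    // Turkish default locale, for example, "MIDNIGHT" would not lower-case to "midnight".
    // Fully qualified so that no additional import is required.
    String str = conf.getNotBeforeTime().toLowerCase(java.util.Locale.ROOT).trim();
    Long offsetSeconds = null;
    TimeZone midnightTimeZone = null;
    if (str.startsWith("midnight")) {
        int seperatorIdx = str.indexOf(':');
        String timezoneId = (seperatorIdx == -1) ? "GMT+0" : str.substring(seperatorIdx + 1).toUpperCase(java.util.Locale.ROOT);
        // Explicit allow-list: TimeZone.getTimeZone silently falls back to GMT for ids it does
        // not understand, so the id is checked before it is used.
        final List<String> validIds = Arrays.asList("GMT+0", "GMT+1", "GMT+2", "GMT+3", "GMT+4", "GMT+5", "GMT+6", "GMT+7", "GMT+8", "GMT+9", "GMT+10", "GMT+11", "GMT+12", "GMT-0", "GMT-1", "GMT-2", "GMT-3", "GMT-4", "GMT-5", "GMT-6", "GMT-7", "GMT-8", "GMT-9", "GMT-10", "GMT-11", "GMT-12");
        if (!validIds.contains(timezoneId)) {
            throw new CertprofileException("invalid time zone id " + timezoneId);
        }
        midnightTimeZone = TimeZone.getTimeZone(timezoneId);
    } else if ("current".equalsIgnoreCase(str)) {
        offsetSeconds = 0L;
    } else if (str.length() > 2) {
        char sign = str.charAt(0);
        char suffix = str.charAt(str.length() - 1);
        if (sign == '+' || sign == '-') {
            long digit;
            try {
                digit = Long.parseLong(str.substring(1, str.length() - 1));
            } catch (NumberFormatException ex) {
                // Report a malformed number as a configuration error instead of letting the
                // unchecked exception escape. Only the single-String constructor of
                // CertprofileException is used in this method, so the cause is not attached.
                throw new CertprofileException("invalid notBefore '" + str + "'");
            }
            // NOTE(review): Long.parseLong accepts its own leading sign, so an input such as
            // "+-5d" still parses (as -5 days) - confirm whether that should be rejected.
            long unitSeconds;
            switch (suffix) {
                case 'd':
                    unitSeconds = 24L * 60 * 60;
                    break;
                case 'h':
                    unitSeconds = 60L * 60;
                    break;
                case 'm':
                    unitSeconds = 60L;
                    break;
                case 's':
                    unitSeconds = 1L;
                    break;
                default:
                    throw new CertprofileException("invalid notBefore " + str);
            }
            try {
                // Exact arithmetic: a huge configured value is rejected rather than silently
                // wrapping around to an unrelated offset.
                long seconds = Math.multiplyExact(digit, unitSeconds);
                offsetSeconds = (sign == '+') ? seconds : Math.negateExact(seconds);
            } catch (ArithmeticException ex) {
                throw new CertprofileException("invalid notBefore '" + str + "'");
            }
        } else {
            throw new CertprofileException("invalid notBefore '" + str + "'");
        }
    } else {
        throw new CertprofileException("invalid notBefore '" + str + "'");
    }
    if (offsetSeconds != null) {
        this.notBeforeOption = NotBeforeOption.getOffsetOption(offsetSeconds);
    } else {
        this.notBeforeOption = NotBeforeOption.getMidNightOption(midnightTimeZone);
    }
    this.serialNumberInReqPermitted = conf.isSerialNumberInReq();
    // KeyAlgorithms
    this.keyAlgorithms = conf.toXiKeyAlgorithms();
    // Subject
    Subject subject = conf.getSubject();
    List<RdnControl> subjectDnControls = new LinkedList<>();
    for (RdnType rdn : subject.getRdns()) {
        ASN1ObjectIdentifier type = new ASN1ObjectIdentifier(rdn.getType().getOid());
        // A length range is only built when at least one bound is configured.
        Range range = (rdn.getMinLen() != null || rdn.getMaxLen() != null) ? new Range(rdn.getMinLen(), rdn.getMaxLen()) : null;
        ValueType value = rdn.getValue();
        // With a configured value the RDN is built from that value and its overridable flag;
        // otherwise it is built from the occurrence bounds.
        RdnControl rdnControl = (value == null) ? new RdnControl(type, rdn.getMinOccurs(), rdn.getMaxOccurs()) : new RdnControl(type, value.getText(), value.isOverridable());
        subjectDnControls.add(rdnControl);
        rdnControl.setStringType(rdn.getStringType());
        rdnControl.setStringLengthRange(range);
        if (rdn.getRegex() != null) {
            rdnControl.setPattern(TextVadidator.compile(rdn.getRegex()));
        }
        rdnControl.setPrefix(rdn.getPrefix());
        rdnControl.setSuffix(rdn.getSuffix());
        rdnControl.setGroup(rdn.getGroup());
        if (rdn.getNotInSubject() != null) {
            rdnControl.setNotInSubject(rdn.getNotInSubject());
        }
        fixRdnControl(rdnControl);
    }
    this.subjectControl = new SubjectControl(subjectDnControls, subject.isKeepRdnOrder());
    // Extensions
    this.extensions = new XijsonExtensions(conf, subjectControl);
}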
Also used : KeyType(org.xipki.ca.certprofile.xijson.conf.KeypairGenerationType.KeyType) DirectoryString(org.bouncycastle.asn1.x500.DirectoryString) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ValueType(org.xipki.ca.certprofile.xijson.conf.Subject.ValueType) RdnType(org.xipki.ca.certprofile.xijson.conf.Subject.RdnType) SignAlgo(org.xipki.security.SignAlgo)

Aggregations

SignAlgo (org.xipki.security.SignAlgo)11 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)10 HashAlgo (org.xipki.security.HashAlgo)6 X509Cert (org.xipki.security.X509Cert)5 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)3 IOException (java.io.IOException)2 CertificateException (java.security.cert.CertificateException)2 Date (java.util.Date)2 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)2 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)2 JcaSimpleSignerInfoVerifierBuilder (org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder)2 BigInteger (java.math.BigInteger)1 URI (java.net.URI)1 PrivateKey (java.security.PrivateKey)1 LinkedList (java.util.LinkedList)1 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)1 ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)1 CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)1 DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)1 Extension (org.bouncycastle.asn1.x509.Extension)1