Example 21 with XiSecurityException
use of org.xipki.security.exception.XiSecurityException in project xipki by xipki.
the class CsrGenAction method generateRequest.
private PKCS10CertificationRequest generateRequest(ConcurrentContentSigner signer, SubjectPublicKeyInfo subjectPublicKeyInfo, X500Name subjectDn, Map<ASN1ObjectIdentifier, ASN1Encodable> attributes) throws XiSecurityException {
ParamUtil.requireNonNull("signer", signer);
ParamUtil.requireNonNull("subjectPublicKeyInfo", subjectPublicKeyInfo);
ParamUtil.requireNonNull("subjectDn", subjectDn);
PKCS10CertificationRequestBuilder csrBuilder = new PKCS10CertificationRequestBuilder(subjectDn, subjectPublicKeyInfo);
if (CollectionUtil.isNonEmpty(attributes)) {
for (ASN1ObjectIdentifier attrType : attributes.keySet()) {
csrBuilder.addAttribute(attrType, attributes.get(attrType));
}
}
ConcurrentBagEntrySigner signer0;
try {
signer0 = signer.borrowSigner();
} catch (NoIdleSignerException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
try {
return csrBuilder.build(signer0.value());
} finally {
signer.requiteSigner(signer0);
}
}
Also used :
XiSecurityException(org.xipki.security.exception.XiSecurityException)
NoIdleSignerException(org.xipki.security.exception.NoIdleSignerException)
PKCS10CertificationRequestBuilder(org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder)
ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 22 with XiSecurityException
use of org.xipki.security.exception.XiSecurityException in project xipki by xipki.
the class SoftTokenMacContentSignerBuilder method createSigner.
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism, SecureRandom random) throws XiSecurityException {
ParamUtil.requireNonNull("signatureAlgId", signatureAlgId);
ParamUtil.requireMin("parallelism", parallelism, 1);
List<XiContentSigner> signers = new ArrayList<>(parallelism);
boolean gmac = false;
ASN1ObjectIdentifier oid = signatureAlgId.getAlgorithm();
if (oid.equals(NISTObjectIdentifiers.id_aes128_GCM) || oid.equals(NISTObjectIdentifiers.id_aes192_GCM) || oid.equals(NISTObjectIdentifiers.id_aes256_GCM)) {
gmac = true;
}
for (int i = 0; i < parallelism; i++) {
XiContentSigner signer;
if (gmac) {
signer = new AESGmacContentSigner(oid, key);
} else {
signer = new HmacContentSigner(signatureAlgId, key);
}
signers.add(signer);
}
final boolean mac = true;
DfltConcurrentContentSigner concurrentSigner;
try {
concurrentSigner = new DfltConcurrentContentSigner(mac, signers, key);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
concurrentSigner.setSha1DigestOfMacKey(HashAlgo.SHA1.hash(key.getEncoded()));
return concurrentSigner;
}
Also used :
XiSecurityException(org.xipki.security.exception.XiSecurityException)
DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner)
ArrayList(java.util.ArrayList)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
XiContentSigner(org.xipki.security.XiContentSigner)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 23 with XiSecurityException
use of org.xipki.security.exception.XiSecurityException in project xipki by xipki.
the class SoftTokenContentSignerBuilder method createSigner.
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism, SecureRandom random) throws XiSecurityException, NoSuchPaddingException {
ParamUtil.requireNonNull("signatureAlgId", signatureAlgId);
ParamUtil.requireMin("parallelism", parallelism, 1);
List<XiContentSigner> signers = new ArrayList<>(parallelism);
final String provName = "SunJCE";
if (Security.getProvider(provName) != null) {
String algoName;
try {
algoName = AlgorithmUtil.getSignatureAlgoName(signatureAlgId);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage());
}
try {
for (int i = 0; i < parallelism; i++) {
Signature signature = Signature.getInstance(algoName, provName);
signature.initSign(key);
if (i == 0) {
signature.update(new byte[] { 1, 2, 3, 4 });
signature.sign();
}
XiContentSigner signer = new SignatureSigner(signatureAlgId, signature, key);
signers.add(signer);
}
} catch (Exception ex) {
signers.clear();
}
}
if (CollectionUtil.isEmpty(signers)) {
BcContentSignerBuilder signerBuilder;
AsymmetricKeyParameter keyparam;
try {
if (key instanceof RSAPrivateKey) {
keyparam = SignerUtil.generateRSAPrivateKeyParameter((RSAPrivateKey) key);
signerBuilder = new RSAContentSignerBuilder(signatureAlgId);
} else if (key instanceof DSAPrivateKey) {
keyparam = DSAUtil.generatePrivateKeyParameter(key);
signerBuilder = new DSAContentSignerBuilder(signatureAlgId, AlgorithmUtil.isDSAPlainSigAlg(signatureAlgId));
} else if (key instanceof ECPrivateKey) {
keyparam = ECUtil.generatePrivateKeyParameter(key);
EllipticCurve curve = ((ECPrivateKey) key).getParams().getCurve();
if (GMUtil.isSm2primev2Curve(curve)) {
signerBuilder = new SM2ContentSignerBuilder();
} else {
signerBuilder = new ECDSAContentSignerBuilder(signatureAlgId, AlgorithmUtil.isDSAPlainSigAlg(signatureAlgId));
}
} else {
throw new XiSecurityException("unsupported key " + key.getClass().getName());
}
} catch (InvalidKeyException ex) {
throw new XiSecurityException("invalid key", ex);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException("no such algorithm", ex);
}
for (int i = 0; i < parallelism; i++) {
if (random != null) {
signerBuilder.setSecureRandom(random);
}
ContentSigner signer;
try {
signer = signerBuilder.build(keyparam);
} catch (OperatorCreationException ex) {
throw new XiSecurityException("operator creation error", ex);
}
signers.add(new XiWrappedContentSigner(signer, true));
}
}
final boolean mac = false;
ConcurrentContentSigner concurrentSigner;
try {
concurrentSigner = new DfltConcurrentContentSigner(mac, signers, key);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
if (certificateChain != null) {
concurrentSigner.setCertificateChain(certificateChain);
} else {
concurrentSigner.setPublicKey(publicKey);
}
return concurrentSigner;
}
Also used :
ArrayList(java.util.ArrayList)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
XiWrappedContentSigner(org.xipki.security.XiWrappedContentSigner)
DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
XiContentSigner(org.xipki.security.XiContentSigner)
BcContentSignerBuilder(org.bouncycastle.operator.bc.BcContentSignerBuilder)
ECPrivateKey(java.security.interfaces.ECPrivateKey)
DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner)
ContentSigner(org.bouncycastle.operator.ContentSigner)
XiContentSigner(org.xipki.security.XiContentSigner)
XiWrappedContentSigner(org.xipki.security.XiWrappedContentSigner)
ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner)
InvalidKeyException(java.security.InvalidKeyException)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
KeyStoreException(java.security.KeyStoreException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
NoSuchPaddingException(javax.crypto.NoSuchPaddingException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
NoSuchProviderException(java.security.NoSuchProviderException)
SignatureSigner(org.xipki.security.SignatureSigner)
DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner)
ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner)
AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter)
EllipticCurve(java.security.spec.EllipticCurve)
Signature(java.security.Signature)
DSAPrivateKey(java.security.interfaces.DSAPrivateKey)
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)
Example 24 with XiSecurityException
use of org.xipki.security.exception.XiSecurityException in project xipki by xipki.
the class CaConf method init.
private void init(CAConfType jaxb, String baseDir, ZipFile zipFile, SecurityFactory securityFactory) throws IOException, InvalidConfException, CaMgmtException {
// Properties
if (baseDir != null) {
properties.put("baseDir", baseDir);
}
if (jaxb.getProperties() != null) {
for (NameValueType m : jaxb.getProperties().getProperty()) {
String name = m.getName();
if (properties.containsKey(name)) {
throw new InvalidConfException("Property " + name + " already defined");
}
properties.put(name, m.getValue());
}
}
// CMP controls
if (jaxb.getCmpcontrols() != null) {
for (CmpcontrolType m : jaxb.getCmpcontrols().getCmpcontrol()) {
CmpControlEntry en = new CmpControlEntry(m.getName(), getValue(m.getConf(), zipFile));
addCmpControl(en);
}
}
// Responders
if (jaxb.getResponders() != null) {
for (ResponderType m : jaxb.getResponders().getResponder()) {
ResponderEntry en = new ResponderEntry(m.getName(), expandConf(m.getType()), getValue(m.getConf(), zipFile), getBase64Binary(m.getCert(), zipFile));
addResponder(en);
}
}
// Environments
if (jaxb.getEnvironments() != null) {
for (NameValueType m : jaxb.getEnvironments().getEnvironment()) {
addEnvironment(m.getName(), expandConf(m.getValue()));
}
}
// CRL signers
if (jaxb.getCrlsigners() != null) {
for (CrlsignerType m : jaxb.getCrlsigners().getCrlsigner()) {
X509CrlSignerEntry en = new X509CrlSignerEntry(m.getName(), expandConf(m.getSignerType()), getValue(m.getSignerConf(), zipFile), getBase64Binary(m.getSignerCert(), zipFile), expandConf(m.getCrlControl()));
addCrlSigner(en);
}
}
// Requestors
if (jaxb.getRequestors() != null) {
for (RequestorType m : jaxb.getRequestors().getRequestor()) {
RequestorEntry en = new RequestorEntry(new NameId(null, m.getName()), getBase64Binary(m.getCert(), zipFile));
addRequestor(en);
}
}
// Users
if (jaxb.getUsers() != null) {
for (UserType m : jaxb.getUsers().getUser()) {
boolean active = (m.isActive() != null) ? m.isActive() : true;
String password = m.getPassword();
if (password != null) {
AddUserEntry en = new AddUserEntry(new NameId(null, m.getName()), active, password);
addUser(en);
} else {
UserEntry en = new UserEntry(new NameId(null, m.getName()), active, m.getHashedPassword());
addUser(en);
}
}
}
// Publishers
if (jaxb.getPublishers() != null) {
for (PublisherType m : jaxb.getPublishers().getPublisher()) {
PublisherEntry en = new PublisherEntry(new NameId(null, m.getName()), expandConf(m.getType()), getValue(m.getConf(), zipFile));
addPublisher(en);
}
}
// CertProfiles
if (jaxb.getProfiles() != null) {
for (ProfileType m : jaxb.getProfiles().getProfile()) {
CertprofileEntry en = new CertprofileEntry(new NameId(null, m.getName()), expandConf(m.getType()), getValue(m.getConf(), zipFile));
addProfile(en);
}
}
// CAs
if (jaxb.getCas() != null) {
for (CaType m : jaxb.getCas().getCa()) {
String name = m.getName();
GenSelfIssued genSelfIssued = null;
X509CaEntry caEntry = null;
if (m.getCaInfo() != null) {
X509CaInfoType ci = m.getCaInfo().getX509Ca();
if (ci.getGenSelfIssued() != null) {
String certFilename = null;
if (ci.getCert() != null) {
if (ci.getCert().getFile() != null) {
certFilename = expandConf(ci.getCert().getFile());
} else {
throw new InvalidConfException("cert.file of CA " + name + " must not be null");
}
}
byte[] csr = getBinary(ci.getGenSelfIssued().getCsr(), zipFile);
BigInteger serialNumber = null;
String str = ci.getGenSelfIssued().getSerialNumber();
if (str != null) {
if (str.startsWith("0x") || str.startsWith("0X")) {
serialNumber = new BigInteger(str.substring(2), 16);
} else {
serialNumber = new BigInteger(str);
}
}
genSelfIssued = new GenSelfIssued(ci.getGenSelfIssued().getProfile(), csr, serialNumber, certFilename);
}
X509CaUris caUris = new X509CaUris(getStrings(ci.getCacertUris()), getStrings(ci.getOcspUris()), getStrings(ci.getCrlUris()), getStrings(ci.getDeltacrlUris()));
int exprirationPeriod = (ci.getExpirationPeriod() == null) ? 365 : ci.getExpirationPeriod().intValue();
int numCrls = (ci.getNumCrls() == null) ? 30 : ci.getNumCrls().intValue();
caEntry = new X509CaEntry(new NameId(null, name), ci.getSnSize(), ci.getNextCrlNo(), expandConf(ci.getSignerType()), getValue(ci.getSignerConf(), zipFile), caUris, numCrls, exprirationPeriod);
caEntry.setCmpControlName(ci.getCmpcontrolName());
caEntry.setCrlSignerName(ci.getCrlsignerName());
caEntry.setDuplicateKeyPermitted(ci.isDuplicateKey());
caEntry.setDuplicateSubjectPermitted(ci.isDuplicateSubject());
if (ci.getExtraControl() != null) {
String value = getValue(ci.getExtraControl(), zipFile);
if (value != null) {
caEntry.setExtraControl(new ConfPairs(value).unmodifiable());
}
}
int keepExpiredCertDays = (ci.getKeepExpiredCertDays() == null) ? -1 : ci.getKeepExpiredCertDays().intValue();
caEntry.setKeepExpiredCertInDays(keepExpiredCertDays);
caEntry.setMaxValidity(CertValidity.getInstance(ci.getMaxValidity()));
caEntry.setPermission(ci.getPermission());
caEntry.setResponderName(ci.getResponderName());
caEntry.setSaveRequest(ci.isSaveReq());
caEntry.setStatus(CaStatus.forName(ci.getStatus()));
if (ci.getValidityMode() != null) {
caEntry.setValidityMode(ValidityMode.forName(ci.getValidityMode()));
}
if (ci.getGenSelfIssued() == null) {
X509Certificate caCert;
if (ci.getCert() != null) {
byte[] bytes = getBinary(ci.getCert(), zipFile);
try {
caCert = X509Util.parseCert(bytes);
} catch (CertificateException ex) {
throw new InvalidConfException("invalid certificate of CA " + name, ex);
}
} else {
// extract from the signer configuration
ConcurrentContentSigner signer;
try {
List<String[]> signerConfs = CaEntry.splitCaSignerConfs(getValue(ci.getSignerConf(), zipFile));
SignerConf signerConf = new SignerConf(signerConfs.get(0)[1]);
signer = securityFactory.createSigner(expandConf(ci.getSignerType()), signerConf, (X509Certificate) null);
} catch (ObjectCreationException | XiSecurityException ex) {
throw new InvalidConfException("could not create CA signer for CA " + name, ex);
}
caCert = signer.getCertificate();
}
caEntry.setCert(caCert);
}
}
List<CaHasRequestorEntry> caHasRequestors = null;
if (m.getRequestors() != null) {
caHasRequestors = new LinkedList<>();
for (CaHasRequestorType req : m.getRequestors().getRequestor()) {
CaHasRequestorEntry en = new CaHasRequestorEntry(new NameId(null, req.getRequestorName()));
en.setRa(req.isRa());
List<String> strs = getStrings(req.getProfiles());
if (strs != null) {
en.setProfiles(new HashSet<>(strs));
}
en.setPermission(req.getPermission());
caHasRequestors.add(en);
}
}
List<CaHasUserEntry> caHasUsers = null;
if (m.getUsers() != null) {
caHasUsers = new LinkedList<>();
for (CaHasUserType req : m.getUsers().getUser()) {
CaHasUserEntry en = new CaHasUserEntry(new NameId(null, req.getUserName()));
en.setPermission(req.getPermission());
List<String> strs = getStrings(req.getProfiles());
if (strs != null) {
en.setProfiles(new HashSet<>(strs));
}
caHasUsers.add(en);
}
}
List<String> aliases = getStrings(m.getAliases());
List<String> profileNames = getStrings(m.getProfiles());
List<String> publisherNames = getStrings(m.getPublishers());
SingleCaConf singleCa = new SingleCaConf(name, genSelfIssued, caEntry, aliases, profileNames, caHasRequestors, caHasUsers, publisherNames);
addSingleCa(singleCa);
}
}
// SCEPs
if (jaxb.getSceps() != null) {
for (ScepType m : jaxb.getSceps().getScep()) {
String name = m.getName();
NameId caIdent = new NameId(null, m.getCaName());
List<String> certProfiles = getStrings(m.getProfiles());
ScepEntry dbEntry = new ScepEntry(name, caIdent, true, m.getResponderName(), new HashSet<>(certProfiles), m.getControl());
sceps.put(name, dbEntry);
}
}
}
Also used :
CmpcontrolType(org.xipki.ca.server.mgmt.api.conf.jaxb.CmpcontrolType)
CaHasUserEntry(org.xipki.ca.server.mgmt.api.CaHasUserEntry)
NameValueType(org.xipki.ca.server.mgmt.api.conf.jaxb.NameValueType)
NameId(org.xipki.ca.api.NameId)
PublisherType(org.xipki.ca.server.mgmt.api.conf.jaxb.PublisherType)
RequestorType(org.xipki.ca.server.mgmt.api.conf.jaxb.RequestorType)
CaHasRequestorType(org.xipki.ca.server.mgmt.api.conf.jaxb.CaHasRequestorType)
CertificateException(java.security.cert.CertificateException)
CaHasRequestorType(org.xipki.ca.server.mgmt.api.conf.jaxb.CaHasRequestorType)
CaType(org.xipki.ca.server.mgmt.api.conf.jaxb.CaType)
PublisherEntry(org.xipki.ca.server.mgmt.api.PublisherEntry)
CmpControlEntry(org.xipki.ca.server.mgmt.api.CmpControlEntry)
ResponderEntry(org.xipki.ca.server.mgmt.api.ResponderEntry)
SignerConf(org.xipki.security.SignerConf)
ResponderType(org.xipki.ca.server.mgmt.api.conf.jaxb.ResponderType)
X509Certificate(java.security.cert.X509Certificate)
ScepEntry(org.xipki.ca.server.mgmt.api.x509.ScepEntry)
AddUserEntry(org.xipki.ca.server.mgmt.api.AddUserEntry)
BigInteger(java.math.BigInteger)
UserType(org.xipki.ca.server.mgmt.api.conf.jaxb.UserType)
CaHasUserType(org.xipki.ca.server.mgmt.api.conf.jaxb.CaHasUserType)
CrlsignerType(org.xipki.ca.server.mgmt.api.conf.jaxb.CrlsignerType)
X509CaEntry(org.xipki.ca.server.mgmt.api.x509.X509CaEntry)
ScepType(org.xipki.ca.server.mgmt.api.conf.jaxb.ScepType)
RequestorEntry(org.xipki.ca.server.mgmt.api.RequestorEntry)
CaHasRequestorEntry(org.xipki.ca.server.mgmt.api.CaHasRequestorEntry)
InvalidConfException(org.xipki.common.InvalidConfException)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
X509CrlSignerEntry(org.xipki.ca.server.mgmt.api.x509.X509CrlSignerEntry)
ProfileType(org.xipki.ca.server.mgmt.api.conf.jaxb.ProfileType)
ConfPairs(org.xipki.common.ConfPairs)
CertprofileEntry(org.xipki.ca.server.mgmt.api.CertprofileEntry)
X509CaUris(org.xipki.ca.server.mgmt.api.x509.X509CaUris)
ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner)
ObjectCreationException(org.xipki.common.ObjectCreationException)
CaHasUserType(org.xipki.ca.server.mgmt.api.conf.jaxb.CaHasUserType)
X509CaInfoType(org.xipki.ca.server.mgmt.api.conf.jaxb.X509CaInfoType)
CaHasUserEntry(org.xipki.ca.server.mgmt.api.CaHasUserEntry)
AddUserEntry(org.xipki.ca.server.mgmt.api.AddUserEntry)
UserEntry(org.xipki.ca.server.mgmt.api.UserEntry)
CaHasRequestorEntry(org.xipki.ca.server.mgmt.api.CaHasRequestorEntry)
Example 25 with XiSecurityException
use of org.xipki.security.exception.XiSecurityException in project xipki by xipki.
the class CaEntry method splitCaSignerConfs.
public static List<String[]> splitCaSignerConfs(String conf) throws XiSecurityException {
ConfPairs pairs = new ConfPairs(conf);
String str = pairs.value("algo");
if (str == null) {
throw new XiSecurityException("no algo is defined in CA signerConf");
}
List<String> list = StringUtil.split(str, ":");
if (CollectionUtil.isEmpty(list)) {
throw new XiSecurityException("empty algo is defined in CA signerConf");
}
List<String[]> signerConfs = new ArrayList<>(list.size());
for (String n : list) {
String c14nAlgo;
try {
c14nAlgo = AlgorithmUtil.canonicalizeSignatureAlgo(n);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
pairs.putPair("algo", c14nAlgo);
signerConfs.add(new String[] { c14nAlgo, pairs.getEncoded() });
}
return signerConfs;
}
Also used :
XiSecurityException(org.xipki.security.exception.XiSecurityException)
ArrayList(java.util.ArrayList)
ConfPairs(org.xipki.common.ConfPairs)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
Aggregations
XiSecurityException (org.xipki.security.exception.XiSecurityException)36
P11TokenException (org.xipki.security.exception.P11TokenException)16
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)8
X509Certificate (java.security.cert.X509Certificate)6
ObjectCreationException (org.xipki.common.ObjectCreationException)6
SignerConf (org.xipki.security.SignerConf)6
IOException (java.io.IOException)5
CertificateException (java.security.cert.CertificateException)5
ConcurrentContentSigner (org.xipki.security.ConcurrentContentSigner)5
ByteArrayOutputStream (java.io.ByteArrayOutputStream)4
PublicKey (java.security.PublicKey)4
ArrayList (java.util.ArrayList)4
OperationException (org.xipki.ca.api.OperationException)4
ConfPairs (org.xipki.common.ConfPairs)4
InvalidConfException (org.xipki.common.InvalidConfException)4
P11ObjectIdentifier (org.xipki.security.pkcs11.P11ObjectIdentifier)4
SignatureException (java.security.SignatureException)3
DfltConcurrentContentSigner (org.xipki.security.DfltConcurrentContentSigner)3
XiContentSigner (org.xipki.security.XiContentSigner)3
Session (iaik.pkcs.pkcs11.Session)2
