use of org.xwiki.crypto.pkix.params.CertifiedPublicKey in project xwiki-platform by xwiki.
Class RSACryptoScriptService, method cmsSign.
/**
 * Produce a CMS (Cryptographic Message Syntax, RFC 3852 -- since superseded by RFC 5652) signature over
 * {@code data} with the given certified key pair.
 * <p>
 * Besides the new signer, the output may carry the signed content itself and a set of certificates: the
 * certificates already attached to {@code existingSignature} (copied over as-is, they are not re-validated
 * here), the chain of each existing signer that {@code certificateProvider} can resolve, and the chain of
 * the signing key.
 *
 * @param data the bytes to sign
 * @param keyPair the certified key pair used for signing
 * @param certificateProvider optional provider used to look up certificate chains to embed; when {@code null},
 *            no chain is looked up and only the certificates already carried by {@code existingSignature}
 *            (if any) are embedded
 * @param existingSignature when not {@code null}, a signature over the same data whose signers are kept
 *            alongside the new one
 * @param embedContent when {@code true}, the signed content is included in the resulting structure
 * @return the ASN.1 encoded CMS signed data
 * @throws GeneralSecurityException on error
 */
public byte[] cmsSign(byte[] data, CertifiedKeyPair keyPair, CertificateProvider certificateProvider,
    CMSSignedDataVerified existingSignature, boolean embedContent) throws GeneralSecurityException
{
    CMSSignedDataGeneratorParameters parameters = new CMSSignedDataGeneratorParameters()
        .addSigner(CertifyingSigner.getInstance(true, keyPair, signerFactory));

    boolean hasExisting = existingSignature != null;

    // Keep every signer that is already present so the previous signatures survive the re-signing.
    if (hasExisting) {
        for (CMSSignerInfo previous : existingSignature.getSignatures()) {
            parameters.addSignature(previous);
        }
    }

    Set<CertifiedPublicKey> embedded = new HashSet<CertifiedPublicKey>();

    // Certificates already carried by the existing signature are re-embedded without any verification.
    if (hasExisting && existingSignature.getCertificates() != null) {
        embedded.addAll(existingSignature.getCertificates());
    }

    if (certificateProvider != null) {
        if (hasExisting) {
            for (CMSSignerInfo previous : existingSignature.getSignatures()) {
                // Locate the existing signer's certificate by subject key identifier when the signer carries
                // one, otherwise by issuer and serial number.
                CertifiedPublicKey signerCertificate = (previous.getSubjectKeyIdentifier() != null)
                    ? certificateProvider.getCertificate(previous.getSubjectKeyIdentifier())
                    : certificateProvider.getCertificate(previous.getIssuer(), previous.getSerialNumber());
                // NOTE(review): the provider may return null for a signer it does not know; whether
                // addCertificateChain tolerates that is not visible from here -- confirm.
                addCertificateChain(signerCertificate, certificateProvider, embedded);
            }
        }
        addCertificateChain(keyPair.getCertificate(), certificateProvider, embedded);
    }

    if (!embedded.isEmpty()) {
        parameters.addCertificates(embedded);
    }

    return cmsSignedDataGenerator.generate(data, parameters, embedContent);
}
use of org.xwiki.crypto.pkix.params.CertifiedPublicKey in project xwiki-platform by xwiki.
Class RSACryptoScriptService, method checkX509CertificateChainValidity.
/**
 * Check that a certificate chain is made only of X.509 certificates, starts with a root CA, and that every
 * certificate in it is within its validity period on the given date.
 * <p>
 * NOTE(review): this is a structural and temporal check only. Nothing here verifies that each certificate
 * is actually signed by the one before it, that the intermediate entries are CA certificates, that subject
 * and issuer names link up, or that any certificate has been revoked. Callers that need a trust decision
 * must perform those checks separately; a {@code true} result from this method alone does not establish
 * that the chain is trustworthy.
 *
 * @param chain the ordered chain of certificates, root CA first
 * @param date the date on which validity is checked, or {@code null} for the current time
 * @return {@code true} when the chain is non-empty, contains only X.509 certificates, is headed by a root CA
 *         and every certificate is valid on that date; {@code false} otherwise
 */
public boolean checkX509CertificateChainValidity(Collection<CertifiedPublicKey> chain, Date date)
{
    if (chain == null || chain.isEmpty()) {
        return false;
    }

    Date at = (date == null) ? new Date() : date;
    boolean isFirst = true;

    for (CertifiedPublicKey entry : chain) {
        if (!(entry instanceof X509CertifiedPublicKey)) {
            return false;
        }
        X509CertifiedPublicKey x509 = (X509CertifiedPublicKey) entry;

        // Only the head of the chain has to be a root CA; later entries are not checked for CA status.
        if (isFirst && !x509.isRootCA()) {
            return false;
        }
        isFirst = false;

        if (!x509.isValidOn(at)) {
            return false;
        }
    }

    return true;
}
use of org.xwiki.crypto.pkix.params.CertifiedPublicKey in project xwiki-platform by xwiki.
Class X509CertificateWikiStoreTest, method testRetrievingCertificateUsingIssueAndSerialFromDocument.
/**
 * A document-scoped store resolves a certificate by issuer and serial number, binding the issuer, the
 * serial (as a string) and the store document name to the underlying query.
 */
@Test
public void testRetrievingCertificateUsingIssueAndSerialFromDocument() throws Exception
{
    CertifiedPublicKey expected = mockSingleCertQuery();
    DistinguishedName issuer = new DistinguishedName(ISSUER);

    CertifiedPublicKey actual = store.getCertificateProvider(DOC_STORE_REF).getCertificate(issuer, SERIAL);

    assertThat(actual, equalTo(expected));
    // The store reference is bound three times; presumably once per query the provider issues -- the
    // provider implementation is not visible here.
    verify(query, times(3)).bindValue(BIND_STORE, FULLNAME);
    verify(query).bindValue(BIND_SERIAL, SERIAL.toString());
    verify(query).bindValue(BIND_ISSUER, ISSUER);
}
use of org.xwiki.crypto.pkix.params.CertifiedPublicKey in project xwiki-platform by xwiki.
Class X509CertificateWikiStoreTest, method mockMultiCertsQuery.
/**
 * Stub the query, the X509 certificate factory and the Base64 encoder so that a store lookup yields two
 * certificates: the shared {@code CERTIFICATE} fixture and a second one built locally.
 *
 * @return the two mocked certificates, in the order the stubbed query returns them
 * @throws Exception when a mocked component cannot be looked up
 */
private CertifiedPublicKey[] mockMultiCertsQuery() throws Exception
{
    CertificateFactory x509Factory = this.mocker.getInstance(CertificateFactory.class, "X509");
    BinaryStringEncoder base64 = this.mocker.getInstance(BinaryStringEncoder.class, "Base64");

    byte[] secondRaw = "certificate2".getBytes();
    String secondEncoded = "encoded_certificate2";

    CertifiedPublicKey first = getMockedCertificate(true);
    CertifiedPublicKey second = getMockedCertificate(false);

    // Decoding each raw certificate yields the corresponding mock.
    when(x509Factory.decode(CERTIFICATE)).thenReturn(first);
    when(x509Factory.decode(secondRaw)).thenReturn(second);
    // The second certificate round-trips through the Base64 encoder (64-column wrapping).
    when(base64.encode(secondRaw, 64)).thenReturn(secondEncoded);
    when(base64.decode(secondEncoded)).thenReturn(secondRaw);
    // The store query returns both encoded certificates.
    when(this.query.<String>execute()).thenReturn(Arrays.asList(ENCODED_CERTIFICATE, secondEncoded));

    return new CertifiedPublicKey[] { first, second };
}
use of org.xwiki.crypto.pkix.params.CertifiedPublicKey in project xwiki-platform by xwiki.
Class X509CertificateWikiStoreTest, method testRetrievingCertificateUsingIssueAndSerialFromSpace.
/**
 * A space-scoped store resolves a certificate by issuer and serial number, binding the issuer, the serial
 * (as a string) and the space name to the underlying query.
 */
@Test
public void testRetrievingCertificateUsingIssueAndSerialFromSpace() throws Exception
{
    CertifiedPublicKey expected = mockSingleCertQuery();
    DistinguishedName issuer = new DistinguishedName(ISSUER);

    CertifiedPublicKey actual = store.getCertificateProvider(SPACE_STORE_REF).getCertificate(issuer, SERIAL);

    assertThat(actual, equalTo(expected));
    // The space name is bound three times; presumably once per query the provider issues -- the provider
    // implementation is not visible here.
    verify(query, times(3)).bindValue(BIND_STORE, SPACE);
    verify(query).bindValue(BIND_SERIAL, SERIAL.toString());
    verify(query).bindValue(BIND_ISSUER, ISSUER);
}