List of usage examples for org.bouncycastle.asn1 ASN1Integer ASN1Integer
public ASN1Integer(byte[] bytes)
From source file:org.xipki.pki.ca.server.impl.cmp.X509CaCmpResponder.java
License:Open Source License
private CertRepMessage processCertReqMessages(final PKIMessage request, final CmpRequestorInfo requestor, final String user, final ASN1OctetString tid, final PKIHeader reqHeader, final CertReqMessages kur, final boolean keyUpdate, final CmpControl cmpControl, final String msgId, final AuditEvent event) { CmpRequestorInfo tmpRequestor = (CmpRequestorInfo) requestor; CertReqMsg[] certReqMsgs = kur.toCertReqMsgArray(); final int n = certReqMsgs.length; Map<Integer, CertTemplateData> certTemplateDatas = new HashMap<>(n * 10 / 6); Map<Integer, CertResponse> certResponses = new HashMap<>(n * 10 / 6); Map<Integer, ASN1Integer> certReqIds = new HashMap<>(n * 10 / 6); // pre-process requests for (int i = 0; i < n; i++) { if (cmpControl.isGroupEnroll() && certTemplateDatas.size() != i) { // last certReqMsg cannot be used to enroll certificate break; }//from www. java 2 s . com CertReqMsg reqMsg = certReqMsgs[i]; CertificateRequestMessage req = new CertificateRequestMessage(reqMsg); ASN1Integer certReqId = reqMsg.getCertReq().getCertReqId(); certReqIds.put(i, certReqId); if (!req.hasProofOfPossession()) { certResponses.put(i, buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "no POP", null)); continue; } if (!verifyPopo(req, tmpRequestor.isRa())) { LOG.warn("could not validate POP for request {}", certReqId.getValue()); certResponses.put(i, buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "invalid POP", null)); continue; } CmpUtf8Pairs keyvalues = CmpUtil.extract(reqMsg.getRegInfo()); String certprofileName = (keyvalues == null) ? null : keyvalues.getValue(CmpUtf8Pairs.KEY_CERT_PROFILE); if (certprofileName == null) { String msg = "no certificate profile"; certResponses.put(i, buildErrorCertResponse(certReqId, PKIFailureInfo.badCertTemplate, msg)); continue; } if (!isCertProfilePermitted(tmpRequestor, certprofileName)) { String msg = "certprofile " + certprofileName + " is not allowed"; certResponses.put(i, buildErrorCertResponse(certReqId, PKIFailureInfo.notAuthorized, msg)); continue; } CertTemplate certTemp = req.getCertTemplate(); OptionalValidity validity = certTemp.getValidity(); Date notBefore = null; Date notAfter = null; if (validity != null) { Time time = validity.getNotBefore(); if (time != null) { notBefore = time.getDate(); } time = validity.getNotAfter(); if (time != null) { notAfter = time.getDate(); } } CertTemplateData certTempData = new CertTemplateData(certTemp.getSubject(), certTemp.getPublicKey(), notBefore, notAfter, certTemp.getExtensions(), certprofileName); certTemplateDatas.put(i, certTempData); } // end for if (certResponses.size() == n) { // all error CertResponse[] certResps = new CertResponse[n]; for (int i = 0; i < n; i++) { certResps[i] = certResponses.get(i); } return new CertRepMessage(null, certResps); } if (cmpControl.isGroupEnroll() && certTemplateDatas.size() != n) { // at least one certRequest cannot be used to enroll certificate int lastFailureIndex = certTemplateDatas.size(); BigInteger failCertReqId = certReqIds.get(lastFailureIndex).getPositiveValue(); CertResponse failCertResp = certResponses.get(lastFailureIndex); PKIStatus failStatus = PKIStatus.getInstance(new ASN1Integer(failCertResp.getStatus().getStatus())); PKIFailureInfo failureInfo = new PKIFailureInfo(failCertResp.getStatus().getFailInfo()); CertResponse[] certResps = new CertResponse[n]; for (int i = 0; i < n; i++) { if (i == lastFailureIndex) { certResps[i] = failCertResp; continue; } ASN1Integer certReqId = certReqIds.get(i); String msg = "error in certReq " + failCertReqId; PKIStatusInfo tmpStatus = generateRejectionStatus(failStatus, failureInfo.intValue(), msg); certResps[i] = new CertResponse(certReqId, tmpStatus); } return new CertRepMessage(null, certResps); } final int k = certTemplateDatas.size(); List<CertTemplateData> certTemplateList = new ArrayList<>(k); List<ASN1Integer> certReqIdList = new ArrayList<>(k); Map<Integer, Integer> reqIndexToCertIndexMap = new HashMap<>(k * 10 / 6); for (int i = 0; i < n; i++) { if (!certTemplateDatas.containsKey(i)) { continue; } certTemplateList.add(certTemplateDatas.get(i)); certReqIdList.add(certReqIds.get(i)); reqIndexToCertIndexMap.put(i, certTemplateList.size() - 1); } List<CertResponse> generateCertResponses = generateCertificates(certTemplateList, certReqIdList, tmpRequestor, user, tid, keyUpdate, request, cmpControl, msgId, event); boolean anyCertEnrolled = false; CertResponse[] certResps = new CertResponse[n]; for (int i = 0; i < n; i++) { if (certResponses.containsKey(i)) { certResps[i] = certResponses.get(i); } else { int respIndex = reqIndexToCertIndexMap.get(i); certResps[i] = generateCertResponses.get(respIndex); if (!anyCertEnrolled && certResps[i].getCertifiedKeyPair() != null) { anyCertEnrolled = true; } } } CMPCertificate[] caPubs = null; if (anyCertEnrolled && cmpControl.isSendCaCert()) { caPubs = new CMPCertificate[] { getCa().getCaInfo().getCertInCmpFormat() }; } return new CertRepMessage(caPubs, certResps); }
From source file:org.xipki.pki.ca.server.impl.cmp.X509CaCmpResponder.java
License:Open Source License
/** * handle the PKI body with the choice {@code p10cr}<br/> * Since it is not possible to add attribute to the PKCS#10 request (CSR), the certificate * profile must be specified in the attribute regInfo-utf8Pairs (1.3.6.1.5.5.7.5.2.1) within * PKIHeader.generalInfo//w w w .jav a 2 s. c o m * */ private PKIBody processP10cr(final PKIMessage request, final CmpRequestorInfo requestor, final String user, final ASN1OctetString tid, final PKIHeader reqHeader, final CertificationRequest p10cr, final CmpControl cmpControl, final String msgId, final AuditEvent event) { // verify the POP first CertResponse certResp; ASN1Integer certReqId = new ASN1Integer(-1); boolean certGenerated = false; X509Ca ca = getCa(); if (!securityFactory.verifyPopo(p10cr, getCmpControl().getPopoAlgoValidator())) { LOG.warn("could not validate POP for the pkcs#10 requst"); certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "invalid POP"); } else { CertificationRequestInfo certTemp = p10cr.getCertificationRequestInfo(); Extensions extensions = CaUtil.getExtensions(certTemp); X500Name subject = certTemp.getSubject(); SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo(); CmpUtf8Pairs keyvalues = CmpUtil.extract(reqHeader.getGeneralInfo()); String certprofileName = null; Date notBefore = null; Date notAfter = null; if (keyvalues != null) { certprofileName = keyvalues.getValue(CmpUtf8Pairs.KEY_CERT_PROFILE); String str = keyvalues.getValue(CmpUtf8Pairs.KEY_NOT_BEFORE); if (str != null) { notBefore = DateUtil.parseUtcTimeyyyyMMddhhmmss(str); } str = keyvalues.getValue(CmpUtf8Pairs.KEY_NOT_AFTER); if (str != null) { notAfter = DateUtil.parseUtcTimeyyyyMMddhhmmss(str); } } if (certprofileName == null) { certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badCertTemplate, "badCertTemplate", null); } else { if (!isCertProfilePermitted(requestor, certprofileName)) { String msg = "certprofile " + certprofileName + " is not allowed"; certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.notAuthorized, msg); } else { CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, certprofileName); certResp = generateCertificates(Arrays.asList(certTemplateData), Arrays.asList(certReqId), requestor, user, tid, false, request, cmpControl, msgId, event).get(0); certGenerated = true; } } } CMPCertificate[] caPubs = null; if (certGenerated && cmpControl.isSendCaCert()) { caPubs = new CMPCertificate[] { ca.getCaInfo().getCertInCmpFormat() }; } CertRepMessage repMessage = new CertRepMessage(caPubs, new CertResponse[] { certResp }); return new PKIBody(PKIBody.TYPE_CERT_REP, repMessage); }
From source file:org.xipki.pki.ca.server.impl.X509Ca.java
License:Open Source License
private X509CRL doGenerateCrl(final boolean deltaCrl, final Date thisUpdate, final Date nextUpdate, final AuditEvent event, final String msgId) throws OperationException { X509CrlSignerEntryWrapper crlSigner = getCrlSigner(); if (crlSigner == null) { throw new OperationException(ErrorCode.NOT_PERMITTED, "CRL generation is not allowed"); }/*from w ww . j av a 2 s. c o m*/ String caName = caInfo.getName(); LOG.info(" START generateCrl: ca={}, deltaCRL={}, nextUpdate={}", caName, deltaCrl, nextUpdate); event.addEventData(CaAuditConstants.NAME_crlType, deltaCrl ? "DELTA_CRL" : "FULL_CRL"); if (nextUpdate == null) { event.addEventData(CaAuditConstants.NAME_nextUpdate, "null"); } else { event.addEventData(CaAuditConstants.NAME_nextUpdate, DateUtil.toUtcTimeyyyyMMddhhmmss(nextUpdate)); if (nextUpdate.getTime() - thisUpdate.getTime() < 10 * 60 * MS_PER_SECOND) { // less than 10 minutes throw new OperationException(ErrorCode.CRL_FAILURE, "nextUpdate and thisUpdate are too close"); } } CrlControl crlControl = crlSigner.getCrlControl(); boolean successful = false; try { ConcurrentContentSigner tmpCrlSigner = crlSigner.getSigner(); CrlControl control = crlSigner.getCrlControl(); boolean directCrl; X500Name crlIssuer; if (tmpCrlSigner == null) { directCrl = true; crlIssuer = caInfo.getPublicCaInfo().getX500Subject(); } else { directCrl = false; crlIssuer = X500Name .getInstance(tmpCrlSigner.getCertificate().getSubjectX500Principal().getEncoded()); } X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(crlIssuer, thisUpdate); if (nextUpdate != null) { crlBuilder.setNextUpdate(nextUpdate); } final int numEntries = 100; X509Cert caCert = caInfo.getCertificate(); List<CertRevInfoWithSerial> revInfos; boolean isFirstCrlEntry = true; Date notExpireAt; if (control.isIncludeExpiredCerts()) { notExpireAt = new Date(0); } else { // 10 minutes buffer notExpireAt = new Date(thisUpdate.getTime() - 600L * MS_PER_SECOND); } long startId = 1; do { if (deltaCrl) { revInfos = certstore.getCertsForDeltaCrl(caCert, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts()); } else { revInfos = certstore.getRevokedCerts(caCert, notExpireAt, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts()); } long maxId = 1; for (CertRevInfoWithSerial revInfo : revInfos) { if (revInfo.getId() > maxId) { maxId = revInfo.getId(); } CrlReason reason = revInfo.getReason(); if (crlControl.isExcludeReason() && reason != CrlReason.REMOVE_FROM_CRL) { reason = CrlReason.UNSPECIFIED; } Date revocationTime = revInfo.getRevocationTime(); Date invalidityTime = revInfo.getInvalidityTime(); switch (crlControl.getInvalidityDateMode()) { case FORBIDDEN: invalidityTime = null; break; case OPTIONAL: break; case REQUIRED: if (invalidityTime == null) { invalidityTime = revocationTime; } break; default: throw new RuntimeException("unknown TripleState: " + crlControl.getInvalidityDateMode()); } BigInteger serial = revInfo.getSerial(); LOG.debug("added cert ca={} serial={} to CRL", caName, serial); if (directCrl || !isFirstCrlEntry) { if (invalidityTime != null) { crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode(), invalidityTime); } else { crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode()); } continue; } List<Extension> extensions = new ArrayList<>(3); if (reason != CrlReason.UNSPECIFIED) { Extension ext = createReasonExtension(reason.getCode()); extensions.add(ext); } if (invalidityTime != null) { Extension ext = createInvalidityDateExtension(invalidityTime); extensions.add(ext); } Extension ext = createCertificateIssuerExtension(caInfo.getPublicCaInfo().getX500Subject()); extensions.add(ext); crlBuilder.addCRLEntry(serial, revocationTime, new Extensions(extensions.toArray(new Extension[0]))); isFirstCrlEntry = false; } // end for startId = maxId + 1; } while (revInfos.size() >= numEntries); // end do BigInteger crlNumber = caInfo.nextCrlNumber(); event.addEventData(CaAuditConstants.NAME_crlNumber, crlNumber); boolean onlyUserCerts = crlControl.isOnlyContainsUserCerts(); boolean onlyCaCerts = crlControl.isOnlyContainsCaCerts(); if (onlyUserCerts && onlyCaCerts) { throw new RuntimeException("should not reach here, onlyUserCerts and onlyCACerts are both true"); } try { // AuthorityKeyIdentifier byte[] akiValues = directCrl ? caInfo.getPublicCaInfo().getSubjectKeyIdentifer() : crlSigner.getSubjectKeyIdentifier(); AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(akiValues); crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, aki); // add extension CRL Number crlBuilder.addExtension(Extension.cRLNumber, false, new ASN1Integer(crlNumber)); // IssuingDistributionPoint if (onlyUserCerts || onlyCaCerts || !directCrl) { IssuingDistributionPoint idp = new IssuingDistributionPoint((DistributionPointName) null, // distributionPoint, onlyUserCerts, // onlyContainsUserCerts, onlyCaCerts, // onlyContainsCACerts, (ReasonFlags) null, // onlySomeReasons, !directCrl, // indirectCRL, false); // onlyContainsAttributeCerts crlBuilder.addExtension(Extension.issuingDistributionPoint, true, idp); } // freshestCRL List<String> deltaCrlUris = getCaInfo().getPublicCaInfo().getDeltaCrlUris(); if (control.getDeltaCrlIntervals() > 0 && CollectionUtil.isNonEmpty(deltaCrlUris)) { CRLDistPoint cdp = CaUtil.createCrlDistributionPoints(deltaCrlUris, caInfo.getPublicCaInfo().getX500Subject(), crlIssuer); crlBuilder.addExtension(Extension.freshestCRL, false, cdp); } } catch (CertIOException ex) { LogUtil.error(LOG, ex, "crlBuilder.addExtension"); throw new OperationException(ErrorCode.INVALID_EXTENSION, ex); } addXipkiCertset(crlBuilder, deltaCrl, control, caCert, notExpireAt, onlyCaCerts, onlyUserCerts); ConcurrentContentSigner concurrentSigner = (tmpCrlSigner == null) ? caInfo.getSigner(null) : tmpCrlSigner; X509CRLHolder crlHolder; try { crlHolder = concurrentSigner.build(crlBuilder); } catch (NoIdleSignerException ex) { throw new OperationException(ErrorCode.SYSTEM_FAILURE, "NoIdleSignerException: " + ex.getMessage()); } try { X509CRL crl = X509Util.toX509Crl(crlHolder.toASN1Structure()); caInfo.getCaEntry().setNextCrlNumber(crlNumber.longValue() + 1); caInfo.commitNextCrlNo(); publishCrl(crl); successful = true; LOG.info("SUCCESSFUL generateCrl: ca={}, crlNumber={}, thisUpdate={}", caName, crlNumber, crl.getThisUpdate()); if (!deltaCrl) { // clean up the CRL cleanupCrlsWithoutException(msgId); } return crl; } catch (CRLException | CertificateException ex) { throw new OperationException(ErrorCode.CRL_FAILURE, ex); } } finally { if (!successful) { LOG.info(" FAILED generateCrl: ca={}", caName); } } }
From source file:org.xipki.pki.ca.server.impl.X509Ca.java
License:Open Source License
/** * Add XiPKI extension CrlCertSet.//from ww w . ja v a2 s. c o m * * <pre> * Xipki-CrlCertSet ::= SET OF Xipki-CrlCert * * Xipki-CrlCert ::= SEQUENCE { * serial INTEGER * cert [0] EXPLICIT Certificate OPTIONAL * profileName [1] EXPLICIT UTF8String OPTIONAL * } * </pre> */ private void addXipkiCertset(final X509v2CRLBuilder crlBuilder, final boolean deltaCrl, final CrlControl control, final X509Cert caCert, final Date notExpireAt, final boolean onlyCaCerts, final boolean onlyUserCerts) throws OperationException { if (deltaCrl || !control.isXipkiCertsetIncluded()) { return; } ASN1EncodableVector vector = new ASN1EncodableVector(); final int numEntries = 100; long startId = 1; List<SerialWithId> serials; do { serials = certstore.getCertSerials(caCert, notExpireAt, startId, numEntries, false, onlyCaCerts, onlyUserCerts); long maxId = 1; for (SerialWithId sid : serials) { if (sid.getId() > maxId) { maxId = sid.getId(); } ASN1EncodableVector vec = new ASN1EncodableVector(); vec.add(new ASN1Integer(sid.getSerial())); String profileName = null; if (control.isXipkiCertsetCertIncluded()) { X509CertificateInfo certInfo; try { certInfo = certstore.getCertificateInfoForId(caCert, sid.getId()); } catch (CertificateException ex) { throw new OperationException(ErrorCode.SYSTEM_FAILURE, "CertificateException: " + ex.getMessage()); } Certificate cert = Certificate.getInstance(certInfo.getCert().getEncodedCert()); vec.add(new DERTaggedObject(true, 0, cert)); if (control.isXipkiCertsetProfilenameIncluded()) { profileName = certInfo.getProfileName(); } } else if (control.isXipkiCertsetProfilenameIncluded()) { profileName = certstore.getCertProfileForId(caCert, sid.getId()); } if (StringUtil.isNotBlank(profileName)) { vec.add(new DERTaggedObject(true, 1, new DERUTF8String(profileName))); } vector.add(new DERSequence(vec)); } // end for startId = maxId + 1; } while (serials.size() >= numEntries); // end do try { crlBuilder.addExtension(ObjectIdentifiers.id_xipki_ext_crlCertset, false, new DERSet(vector)); } catch (CertIOException ex) { throw new OperationException(ErrorCode.INVALID_EXTENSION, "CertIOException: " + ex.getMessage()); } }
From source file:org.xipki.pki.ocsp.client.api.RequestOptions.java
License:Open Source License
public static RSASSAPSSparams createPSSRSAParams(final ASN1ObjectIdentifier digestAlgOid) { int saltSize; if (X509ObjectIdentifiers.id_SHA1.equals(digestAlgOid)) { saltSize = 20;//from ww w .ja va2 s .c om } else if (NISTObjectIdentifiers.id_sha224.equals(digestAlgOid)) { saltSize = 28; } else if (NISTObjectIdentifiers.id_sha256.equals(digestAlgOid)) { saltSize = 32; } else if (NISTObjectIdentifiers.id_sha384.equals(digestAlgOid)) { saltSize = 48; } else if (NISTObjectIdentifiers.id_sha512.equals(digestAlgOid)) { saltSize = 64; } else { throw new RuntimeException("unknown digest algorithm " + digestAlgOid); } AlgorithmIdentifier digAlgId = new AlgorithmIdentifier(digestAlgOid, DERNull.INSTANCE); return new RSASSAPSSparams(digAlgId, new AlgorithmIdentifier(PKCSObjectIdentifiers.id_mgf1, digAlgId), new ASN1Integer(saltSize), RSASSAPSSparams.DEFAULT_TRAILER_FIELD); }
From source file:org.xipki.pki.scep.serveremulator.CaEmulator.java
License:Open Source License
public synchronized CertificateList getCrl(final X500Name issuer, final BigInteger serialNumber) throws Exception { if (crl != null) { return crl; }//from w w w . jav a 2s . co m Date thisUpdate = new Date(); X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(caSubject, thisUpdate); Date nextUpdate = new Date(thisUpdate.getTime() + 30 * DAY_IN_MS); crlBuilder.setNextUpdate(nextUpdate); Date caStartTime = caCert.getTBSCertificate().getStartDate().getDate(); Date revocationTime = new Date(caStartTime.getTime() + 1); if (revocationTime.after(thisUpdate)) { revocationTime = caStartTime; } crlBuilder.addCRLEntry(BigInteger.valueOf(2), revocationTime, CRLReason.keyCompromise); crlBuilder.addExtension(Extension.cRLNumber, false, new ASN1Integer(crlNumber.getAndAdd(1))); String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(caKey, ScepHashAlgoType.SHA256); ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(caKey); X509CRLHolder crl = crlBuilder.build(contentSigner); return crl.toASN1Structure(); }
From source file:org.xipki.remotep11.server.impl.CmpResponder.java
License:Open Source License
PKIMessage processPKIMessage(final LocalP11CryptServicePool localP11CryptServicePool, final String moduleName, final PKIMessage pkiMessage) { GeneralPKIMessage message = new GeneralPKIMessage(pkiMessage); PKIHeader reqHeader = message.getHeader(); ASN1OctetString tid = reqHeader.getTransactionID(); if (tid == null) { byte[] randomBytes = randomTransactionId(); tid = new DEROctetString(randomBytes); }//from ww w . ja va 2s.c om String tidStr = Hex.toHexString(tid.getOctets()); PKIHeaderBuilder respHeaderBuilder = new PKIHeaderBuilder(reqHeader.getPvno().getValue().intValue(), sender, reqHeader.getSender()); respHeaderBuilder.setTransactionID(tid); PKIBody reqBody = message.getBody(); final int type = reqBody.getType(); PKIHeader respHeader = respHeaderBuilder.build(); if (type != PKIBody.TYPE_GEN_MSG) { ErrorMsgContent emc = new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText("unsupported type " + type), new PKIFailureInfo(PKIFailureInfo.badRequest))); PKIBody respBody = new PKIBody(PKIBody.TYPE_ERROR, emc); return new PKIMessage(respHeader, respBody); } GenMsgContent genMsgBody = (GenMsgContent) reqBody.getContent(); InfoTypeAndValue[] itvs = genMsgBody.toInfoTypeAndValueArray(); InfoTypeAndValue itv = null; if (itvs != null && itvs.length > 0) { for (InfoTypeAndValue m : itvs) { ASN1ObjectIdentifier itvType = m.getInfoType(); if (ObjectIdentifiers.id_xipki_cmp.equals(itvType)) { itv = m; break; } } } if (itv == null) { final String statusMessage = String.format("PKIBody type %s is only supported with the sub-knownTypes", ObjectIdentifiers.id_xipki_cmp.getId()); return createRejectionPKIMessage(respHeader, PKIFailureInfo.badRequest, statusMessage); } try { ASN1Encodable asn1 = itv.getInfoValue(); ASN1Integer asn1Code = null; ASN1Encodable reqValue = null; try { ASN1Sequence seq = ASN1Sequence.getInstance(asn1); asn1Code = ASN1Integer.getInstance(seq.getObjectAt(0)); if (seq.size() > 1) { reqValue = seq.getObjectAt(1); } } catch (IllegalArgumentException e) { final String statusMessage = "invalid value of the InfoTypeAndValue for " + ObjectIdentifiers.id_xipki_cmp.getId(); return createRejectionPKIMessage(respHeader, PKIFailureInfo.badRequest, statusMessage); } int action = asn1Code.getPositiveValue().intValue(); ASN1Encodable respItvInfoValue; P11CryptService p11CryptService = localP11CryptServicePool.getP11CryptService(moduleName); switch (action) { case XipkiCmpConstants.ACTION_RP11_VERSION: { respItvInfoValue = new ASN1Integer(localP11CryptServicePool.getVersion()); break; } case XipkiCmpConstants.ACTION_RP11_PSO_DSA_PLAIN: case XipkiCmpConstants.ACTION_RP11_PSO_DSA_X962: case XipkiCmpConstants.ACTION_RP11_PSO_ECDSA_PLAIN: case XipkiCmpConstants.ACTION_RP11_PSO_ECDSA_X962: case XipkiCmpConstants.ACTION_RP11_PSO_RSA_PKCS: case XipkiCmpConstants.ACTION_RP11_PSO_RSA_X509: { byte[] psoMessage = null; P11SlotIdentifier slot = null; P11KeyIdentifier keyId = null; { try { PSOTemplate psoTemplate = PSOTemplate.getInstance(reqValue); psoMessage = psoTemplate.getMessage(); SlotAndKeyIdentifer slotAndKeyIdentifier = psoTemplate.getSlotAndKeyIdentifer(); slot = slotAndKeyIdentifier.getSlotIdentifier().getSlotId(); KeyIdentifier keyIdentifier = slotAndKeyIdentifier.getKeyIdentifier(); keyId = keyIdentifier.getKeyId(); } catch (IllegalArgumentException e) { final String statusMessage = "invalid PSOTemplate"; return createRejectionPKIMessage(respHeader, PKIFailureInfo.badRequest, statusMessage); } } byte[] signature; if (XipkiCmpConstants.ACTION_RP11_PSO_ECDSA_PLAIN == action) { signature = p11CryptService.CKM_ECDSA_Plain(psoMessage, slot, keyId); } else if (XipkiCmpConstants.ACTION_RP11_PSO_ECDSA_X962 == action) { signature = p11CryptService.CKM_ECDSA_X962(psoMessage, slot, keyId); } else if (XipkiCmpConstants.ACTION_RP11_PSO_DSA_PLAIN == action) { signature = p11CryptService.CKM_DSA_Plain(psoMessage, slot, keyId); } else if (XipkiCmpConstants.ACTION_RP11_PSO_DSA_X962 == action) { signature = p11CryptService.CKM_DSA_X962(psoMessage, slot, keyId); } else if (XipkiCmpConstants.ACTION_RP11_PSO_RSA_X509 == action) { signature = p11CryptService.CKM_RSA_X509(psoMessage, slot, keyId); } else if (XipkiCmpConstants.ACTION_RP11_PSO_RSA_PKCS == action) { signature = p11CryptService.CKM_RSA_PKCS(psoMessage, slot, keyId); } else { throw new RuntimeException("should not reach here"); } respItvInfoValue = new DEROctetString(signature); break; } case XipkiCmpConstants.ACTION_RP11_GET_CERTIFICATE: case XipkiCmpConstants.ACTION_RP11_GET_PUBLICKEY: { P11SlotIdentifier slot = null; P11KeyIdentifier keyId = null; try { SlotAndKeyIdentifer slotAndKeyIdentifier = SlotAndKeyIdentifer.getInstance(reqValue); slot = slotAndKeyIdentifier.getSlotIdentifier().getSlotId(); KeyIdentifier keyIdentifier = slotAndKeyIdentifier.getKeyIdentifier(); keyId = keyIdentifier.getKeyId(); } catch (IllegalArgumentException e) { final String statusMessage = "invalid SlotAndKeyIdentifier"; return createRejectionPKIMessage(respHeader, PKIFailureInfo.badRequest, statusMessage); } byte[] encodeCertOrKey; if (XipkiCmpConstants.ACTION_RP11_GET_CERTIFICATE == action) { encodeCertOrKey = p11CryptService.getCertificate(slot, keyId).getEncoded(); } else if (XipkiCmpConstants.ACTION_RP11_GET_PUBLICKEY == action) { encodeCertOrKey = p11CryptService.getPublicKey(slot, keyId).getEncoded(); } else { throw new RuntimeException("should not reach here"); } respItvInfoValue = new DEROctetString(encodeCertOrKey); break; } case XipkiCmpConstants.ACTION_RP11_LIST_SLOTS: { P11SlotIdentifier[] slotIds = p11CryptService.getSlotIdentifiers(); ASN1EncodableVector vector = new ASN1EncodableVector(); for (P11SlotIdentifier slotId : slotIds) { vector.add(new SlotIdentifier(slotId)); } respItvInfoValue = new DERSequence(vector); break; } case XipkiCmpConstants.ACTION_RP11_LIST_KEYLABELS: { SlotIdentifier slotId = SlotIdentifier.getInstance(reqValue); String[] keyLabels = p11CryptService.getKeyLabels(slotId.getSlotId()); ASN1EncodableVector vector = new ASN1EncodableVector(); for (String keyLabel : keyLabels) { vector.add(new DERUTF8String(keyLabel)); } respItvInfoValue = new DERSequence(vector); break; } default: { final String statusMessage = "unsupported XiPKI action code '" + action + "'"; return createRejectionPKIMessage(respHeader, PKIFailureInfo.badRequest, statusMessage); } } // end switch(code) ASN1EncodableVector v = new ASN1EncodableVector(); v.add(new ASN1Integer(action)); if (respItvInfoValue != null) { v.add(respItvInfoValue); } InfoTypeAndValue respItv = new InfoTypeAndValue(ObjectIdentifiers.id_xipki_cmp, new DERSequence(v)); GenRepContent genRepContent = new GenRepContent(respItv); PKIBody respBody = new PKIBody(PKIBody.TYPE_GEN_REP, genRepContent); return new PKIMessage(respHeader, respBody); } catch (Throwable t) { LOG.error("error while processing CMP message {}, message: {}", tidStr, t.getMessage()); LOG.debug("error while processing CMP message " + tidStr, t); return createRejectionPKIMessage(respHeader, PKIFailureInfo.systemFailure, t.getMessage()); } }
From source file:org.xipki.security.api.p11.remote.SlotIdentifier.java
License:Open Source License
@Override public ASN1Primitive toASN1Primitive() { ASN1EncodableVector vector = new ASN1EncodableVector(); if (slotId.getSlotIndex() != null) { vector.add(new ASN1Integer(slotId.getSlotIndex())); }/*from ww w. j a va 2s . c om*/ if (slotId.getSlotId() != null) { DERTaggedObject taggedObj = new DERTaggedObject(true, 1, new ASN1Integer(slotId.getSlotId())); vector.add(taggedObj); } return new DERSequence(vector); }
From source file:org.xipki.security.KeyUtil.java
License:Open Source License
/** * Create a SubjectPublicKeyInfo public key. * * @param publicKey the SubjectPublicKeyInfo encoding * @return the appropriate key parameter * @throws java.io.IOException on an error encoding the key */// w w w . j a v a 2 s.c o m public static SubjectPublicKeyInfo creatDSASubjectPublicKeyInfo(final DSAPublicKey publicKey) throws IOException { ASN1EncodableVector v = new ASN1EncodableVector(); v.add(new ASN1Integer(publicKey.getParams().getP())); v.add(new ASN1Integer(publicKey.getParams().getQ())); v.add(new ASN1Integer(publicKey.getParams().getG())); ASN1Sequence dssParams = new DERSequence(v); return new SubjectPublicKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_dsa, dssParams), new ASN1Integer(publicKey.getY())); }
From source file:org.xipki.security.p11.iaik.IaikP11Slot.java
License:Open Source License
private PrivateKeyAndPKInfo generateDSAKeyPair(final Session session, final int pLength, final int qLength, final byte[] id, final String label) throws Exception { DSAParametersGenerator paramGen = new DSAParametersGenerator(new SHA512Digest()); DSAParameterGenerationParameters genParams = new DSAParameterGenerationParameters(pLength, qLength, 80, new SecureRandom()); paramGen.init(genParams);/* w w w. jav a 2 s. co m*/ DSAParameters dsaParams = paramGen.generateParameters(); DSAPrivateKey privateKey = new DSAPrivateKey(); DSAPublicKey publicKey = new DSAPublicKey(); setKeyAttributes(id, label, PKCS11Constants.CKK_DSA, privateKey, publicKey); publicKey.getPrime().setByteArrayValue(dsaParams.getP().toByteArray()); publicKey.getSubprime().setByteArrayValue(dsaParams.getQ().toByteArray()); publicKey.getBase().setByteArrayValue(dsaParams.getG().toByteArray()); KeyPair kp = session.generateKeyPair(Mechanism.get(PKCS11Constants.CKM_DSA_KEY_PAIR_GEN), publicKey, privateKey); publicKey = (DSAPublicKey) kp.getPublicKey(); BigInteger value = new BigInteger(1, publicKey.getValue().getByteArrayValue()); ASN1EncodableVector v = new ASN1EncodableVector(); v.add(new ASN1Integer(dsaParams.getP())); v.add(new ASN1Integer(dsaParams.getQ())); v.add(new ASN1Integer(dsaParams.getG())); ASN1Sequence dssParams = new DERSequence(v); SubjectPublicKeyInfo pkInfo = new SubjectPublicKeyInfo( new AlgorithmIdentifier(X9ObjectIdentifiers.id_dsa, dssParams), new ASN1Integer(value)); return new PrivateKeyAndPKInfo((DSAPrivateKey) kp.getPrivateKey(), pkInfo); }