List of usage examples for org.bouncycastle.asn1 ASN1Primitive equals
public final boolean equals(ASN1Primitive other)
From source file:org.tdmx.client.crypto.certificate.CredentialUtils.java
License:Open Source License
/**
 * Checks whether a user certificate (UC) is acceptable under the given zone
 * administrator (ZAC) and domain administrator (DAC) certificates.
 *
 * The check passes only when all three carry the expected TDMX certificate
 * type, all three carry a structurally identical TDMX zone-info extension
 * (ASN.1 equality of the extension value), and the chain {UC, DAC} PKIX-validates
 * against a trust store holding ZAC as its only anchor.
 *
 * @param zac the zone administrator certificate, used as the sole trust anchor
 * @param dac the domain administrator certificate, placed after uc in the chain
 * @param uc  the user certificate under test
 * @return true if every check passes, false otherwise
 * @throws CryptoCertificateException propagated from the trust-store / PKIX helpers
 */
public static boolean isValidUserCertificate(PKIXCertificate zac, PKIXCertificate dac, PKIXCertificate uc)
        throws CryptoCertificateException {
    // Every participant must be a well-formed TDMX certificate of its expected kind.
    boolean typesOk = zac.isTdmxZoneAdminCertificate()
            && dac.isTdmxDomainAdminCertificate()
            && uc.isTdmxUserCertificate();
    if (!typesOk) {
        return false;
    }

    // The zone-info extension must be identical in ZAC, DAC and UC. ASN.1
    // equality is transitive, so two comparisons cover all three.
    ASN1Primitive zoneInfoZac = zac.getTdmxZoneInfo().toASN1Primitive();
    ASN1Primitive zoneInfoDac = dac.getTdmxZoneInfo().toASN1Primitive();
    ASN1Primitive zoneInfoUc = uc.getTdmxZoneInfo().toASN1Primitive();
    boolean zoneInfoOk = zoneInfoZac.equals(zoneInfoDac) && zoneInfoDac.equals(zoneInfoUc);
    if (!zoneInfoOk) {
        return false;
    }

    // PKIX-validate the chain UC -> DAC with ZAC as the only trust anchor.
    KeyStore anchors = KeyStoreUtils.createTrustStore(new PKIXCertificate[] { zac }, "jks");
    PKIXCertificate[] chain = { uc, dac };
    return CertificateIOUtils.pkixValidate(CertificateIOUtils.cast(chain), anchors);
}
From source file:org.tdmx.client.crypto.certificate.CredentialUtils.java
License:Open Source License
/**
 * Checks whether a domain administrator certificate (DAC) is acceptable under
 * the given zone administrator certificate (ZAC).
 *
 * Both must carry the expected TDMX certificate type and a structurally
 * identical TDMX zone-info extension (ASN.1 equality of the extension value),
 * and the single-element chain {DAC} must PKIX-validate against a trust store
 * whose only anchor is ZAC.
 *
 * @param zac the zone administrator certificate, used as the sole trust anchor
 * @param dac the domain administrator certificate under test
 * @return true if every check passes, false otherwise
 * @throws CryptoCertificateException propagated from the trust-store / PKIX helpers
 */
public static boolean isValidDomainAdministratorCertificate(PKIXCertificate zac, PKIXCertificate dac)
        throws CryptoCertificateException {
    // Both participants must be well-formed TDMX certificates of the expected kind.
    boolean typesOk = zac.isTdmxZoneAdminCertificate() && dac.isTdmxDomainAdminCertificate();
    if (!typesOk) {
        return false;
    }

    // The zone-info extension must be identical in ZAC and DAC.
    ASN1Primitive zoneInfoZac = zac.getTdmxZoneInfo().toASN1Primitive();
    ASN1Primitive zoneInfoDac = dac.getTdmxZoneInfo().toASN1Primitive();
    if (!zoneInfoZac.equals(zoneInfoDac)) {
        return false;
    }

    // PKIX-validate DAC with ZAC as the only trust anchor.
    KeyStore anchors = KeyStoreUtils.createTrustStore(new PKIXCertificate[] { zac }, "jks");
    PKIXCertificate[] chain = { dac };
    return CertificateIOUtils.pkixValidate(CertificateIOUtils.cast(chain), anchors);
}
From source file:support.revocation.OCSP.java
License:Apache License
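/**
 * Parses and verifies an OCSP response and extracts the revocation status it
 * carries.
 *
 * The response must be signed either directly by {@code issuerCertificate}
 * or by a delegated responder whose certificate is carried in the response
 * and PKIX-validates to {@code issuerCertificate} as trust anchor. A delegated
 * responder certificate must additionally carry the id-kp-OCSPSigning
 * extended key usage (RFC 6960 section 4.2.2.2); without this check any
 * end-entity certificate issued by the CA could sign "good" answers for every
 * other certificate of that CA.
 *
 * Fixes against the previous version: the certificate loop re-read
 * {@code certs.getObjectAt(0)} on every iteration instead of element
 * {@code i}, and no OCSPSigning EKU check was performed on the responder
 * certificate.
 *
 * Not checked here (callers must handle): the top-level responseStatus, the
 * CertID of the single response against the certificate being queried,
 * thisUpdate/nextUpdate freshness and any nonce.
 *
 * @param response          the decoded OCSPResponse structure
 * @param issuerCertificate certificate of the CA that issued the certificate
 *                          being checked; it is the trust anchor for any
 *                          responder certificate and the fallback signer
 * @return a {@code Response} whose first component is true only for CertStatus
 *         "revoked" (tag 1) and whose second component is nextUpdate or null
 * @throws IOException              on ASN.1 decoding / structure errors
 *                                  (ClassCastException, IllegalArgumentException
 *                                  and ParseException are wrapped here)
 * @throws GeneralSecurityException on signature, path-validation, key-usage
 *                                  or structural ("exactly one SingleResponse")
 *                                  failures
 */
private static Response processOCSPResponse(OCSPResponse response, X509Certificate issuerCertificate)
        throws IOException, GeneralSecurityException {
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    try {
        // NOTE(review): a response without responseBytes (e.g. tryLater,
        // unauthorized, malformed) is reported as "not revoked" with no
        // nextUpdate. Callers must treat that as "no information", not "good";
        // the top-level responseStatus is not inspected here.
        if (response.getResponseBytes() == null) {
            return new Response(false, null);
        }

        BasicOCSPResponse basicResponse = BasicOCSPResponse
                .getInstance(parseASN1(response.getResponseBytes().getResponse()));

        Signature signature = createVerifier(basicResponse);

        // Determine which key must have signed the response: the CA itself, or
        // a delegated responder whose certificate is carried in the response.
        X509Certificate signer = issuerCertificate;
        ASN1Sequence certs = basicResponse.getCerts();
        if (certs != null && !certs.equals(org.bouncycastle.asn1.DERNull.INSTANCE)) {
            signer = validateResponderCertificate(factory, certs, issuerCertificate);
        }

        // Verify the signature over the tbsResponseData with the chosen key.
        signature.initVerify(signer.getPublicKey());
        signature.update(basicResponse.getTbsResponseData().getEncoded());
        if (!signature.verify(basicResponse.getSignature().getBytes())) {
            throw new SignatureException("OCSP signature verification failed");
        }

        // Exactly one SingleResponse is expected for a single-certificate query.
        ASN1Sequence responses = basicResponse.getTbsResponseData().getResponses();
        if (responses.size() != 1) {
            throw new GeneralSecurityException("OCSP response mismatch");
        }
        SingleResponse singleResponse = SingleResponse.getInstance(responses.getObjectAt(0));

        // CertStatus CHOICE tags: good [0] NULL, revoked [1] RevokedInfo,
        // unknown [2] UnknownInfo. Only "revoked" maps to true; "unknown" is
        // reported like "good" -- callers wanting fail-closed semantics must
        // handle that themselves.
        // NOTE(review): the CertID of this single response is not matched
        // against the certificate being checked, and thisUpdate/nextUpdate
        // freshness is not enforced here.
        boolean revoked = singleResponse.getCertStatus().getTagNo() == 1;
        return new Response(revoked,
                singleResponse.getNextUpdate() != null ? singleResponse.getNextUpdate().getDate() : null);
    } catch (ClassCastException | IllegalArgumentException | ParseException e) {
        throw new IOException(e);
    }
}

/**
 * Builds a {@link Signature} verifier for the response's signature algorithm
 * and applies the algorithm parameters carried in the response, if any.
 *
 * The algorithm is looked up by its OID string; the installed providers are
 * expected to resolve it. Parameters that are absent or ASN.1 NULL are ignored.
 *
 * @param basicResponse the BasicOCSPResponse whose signatureAlgorithm is used
 * @return an uninitialised Signature object with parameters applied
 * @throws IOException              if the parameters cannot be encoded
 * @throws GeneralSecurityException if the algorithm or its parameters are not
 *                                  supported by the installed providers
 */
private static Signature createVerifier(BasicOCSPResponse basicResponse)
        throws IOException, GeneralSecurityException {
    String algorithm = basicResponse.getSignatureAlgorithm().getAlgorithm().getId();
    Signature signature = Signature.getInstance(algorithm);

    ASN1Encodable encodableParams = basicResponse.getSignatureAlgorithm().getParameters();
    if (encodableParams == null || encodableParams.equals(org.bouncycastle.asn1.DERNull.INSTANCE)) {
        return signature;
    }
    ASN1Primitive primitiveParams = encodableParams.toASN1Primitive();
    if (primitiveParams == null || primitiveParams.equals(org.bouncycastle.asn1.DERNull.INSTANCE)) {
        return signature;
    }
    AlgorithmParameters params = AlgorithmParameters.getInstance(algorithm);
    params.init(primitiveParams.getEncoded());
    signature.setParameter(params.getParameterSpec(AlgorithmParameterSpec.class));
    return signature;
}

/**
 * Validates the certificates carried in the OCSP response and returns the one
 * that must have signed the response.
 *
 * The certificates are parsed in order, checked for validity period, built
 * into a CertPath and PKIX-validated with {@code issuerCertificate} as the only
 * trust anchor (revocation checking disabled to avoid recursion). The first
 * certificate of the path is the responder; unless it is the issuer itself it
 * must carry the id-kp-OCSPSigning extended key usage.
 *
 * @param factory           X.509 certificate factory
 * @param certs             the non-empty certs sequence of the BasicOCSPResponse
 * @param issuerCertificate trust anchor for the responder certificate
 * @return the certificate whose key must verify the response signature
 * @throws IOException              if a certificate cannot be re-encoded
 * @throws GeneralSecurityException on parsing, validity, path-validation or
 *                                  key-usage failure
 */
private static X509Certificate validateResponderCertificate(CertificateFactory factory, ASN1Sequence certs,
        X509Certificate issuerCertificate) throws IOException, GeneralSecurityException {
    List<X509Certificate> certList = new ArrayList<>();
    for (int i = 0; i < certs.size(); i++) {
        // Previously getObjectAt(0) was read on every iteration.
        X509Certificate cert = (X509Certificate) factory.generateCertificate(
                new ByteArrayInputStream(certs.getObjectAt(i).toASN1Primitive().getEncoded()));
        cert.checkValidity();
        certList.add(cert);
    }

    CertPath path = factory.generateCertPath(certList);
    PKIXParameters params = new PKIXParameters(
            Collections.singleton(new TrustAnchor(issuerCertificate, null)));
    params.setRevocationEnabled(false);
    CertPathValidator validator = CertPathValidator.getInstance("PKIX");
    PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params);
    // Defensive: the anchor was built from a certificate, so this should not trigger.
    if (result.getTrustAnchor().getTrustedCert() == null) {
        throw new CertPathValidatorException("Validation failed for certificate supplied by OCSP response",
                null, path, -1, PKIXReason.NO_TRUST_ANCHOR);
    }

    X509Certificate responder = certList.get(0);
    // A CA may sign its own OCSP responses; any other signer must be a
    // designated responder carrying id-kp-OCSPSigning (RFC 6960 4.2.2.2).
    if (!responder.equals(issuerCertificate)) {
        final String idKpOcspSigning = "1.3.6.1.5.5.7.3.9";
        List<String> eku = responder.getExtendedKeyUsage();
        if (eku == null || !eku.contains(idKpOcspSigning)) {
            throw new CertPathValidatorException(
                    "OCSP responder certificate lacks id-kp-OCSPSigning extended key usage",
                    null, path, 0, PKIXReason.INVALID_KEY_USAGE);
        }
    }
    return responder;
}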