Example usage for org.bouncycastle.asn1.crmf POPOSigningKey getAlgorithmIdentifier

Introduction

In this page you can find the example usage for org.bouncycastle.asn1.crmf POPOSigningKey getAlgorithmIdentifier.

Prototype

public AlgorithmIdentifier getAlgorithmIdentifier() 

Source Link

Usage

From source file:org.ejbca.core.protocol.cmp.CrmfRequestMessage.java

License:Open Source License

@Override
public boolean verify() throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException {
    boolean ret = false;
    final ProofOfPossession pop = getReq().getPopo();
    if (log.isDebugEnabled()) {
        log.debug("allowRaVerifyPopo: " + allowRaVerifyPopo);
        log.debug("pop.getRaVerified(): " + (pop.getType() == ProofOfPossession.TYPE_RA_VERIFIED));
    }//from   w ww. j ava2  s  .c  o  m
    if (allowRaVerifyPopo && (pop.getType() == ProofOfPossession.TYPE_RA_VERIFIED)) {
        ret = true;
    } else if (pop.getType() == ProofOfPossession.TYPE_SIGNING_KEY) {
        try {
            final POPOSigningKey sk = (POPOSigningKey) pop.getObject();
            final POPOSigningKeyInput pski = sk.getPoposkInput();
            ASN1Encodable protObject = pski;
            // Use of POPOSigningKeyInput or not, as described in RFC4211, section 4.1.
            if (pski == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Using CertRequest as POPO input because POPOSigningKeyInput is missing.");
                }
                protObject = getReq().getCertReq();
            } else {
                // Assume POPOSigningKeyInput with the public key and name, MUST be the same as in the request according to RFC4211
                if (log.isDebugEnabled()) {
                    log.debug("Using POPOSigningKeyInput as POPO input.");
                }
                final CertRequest req = getReq().getCertReq();
                // If subject is present in cert template it must be the same as in POPOSigningKeyInput
                final X500Name subject = req.getCertTemplate().getSubject();
                if (subject != null && !subject.toString().equals(pski.getSender().getName().toString())) {
                    log.info("Subject '" + subject.toString() + "', is not equal to '"
                            + pski.getSender().toString() + "'.");
                    protObject = null; // pski is not a valid protection object
                }
                // If public key is present in cert template it must be the same as in POPOSigningKeyInput
                final SubjectPublicKeyInfo pk = req.getCertTemplate().getPublicKey();
                if (pk != null && !Arrays.areEqual(pk.getEncoded(), pski.getPublicKey().getEncoded())) {
                    log.info(
                            "Subject key in cert template, is not equal to subject key in POPOSigningKeyInput.");
                    protObject = null; // pski is not a valid protection object
                }
            }
            // If a protectObject is present we extract the bytes and verify it
            if (protObject != null) {
                final ByteArrayOutputStream bao = new ByteArrayOutputStream();
                new DEROutputStream(bao).writeObject(protObject);
                final byte[] protBytes = bao.toByteArray();
                final AlgorithmIdentifier algId = sk.getAlgorithmIdentifier();
                if (log.isDebugEnabled()) {
                    log.debug(
                            "POP protection bytes length: " + (protBytes != null ? protBytes.length : "null"));
                    log.debug("POP algorithm identifier is: " + algId.getAlgorithm().getId());
                }
                final Signature sig = Signature.getInstance(algId.getAlgorithm().getId(), "BC");
                sig.initVerify(getRequestPublicKey());
                sig.update(protBytes);
                final DERBitString bs = sk.getSignature();
                ret = sig.verify(bs.getBytes());
                if (log.isDebugEnabled()) {
                    log.debug("POP verify returns: " + ret);
                }
            }
        } catch (IOException e) {
            log.error("Error encoding CertReqMsg: ", e);
        } catch (SignatureException e) {
            log.error("SignatureException verifying POP: ", e);
        }
    }
    return ret;
}

---

From source file:org.xipki.pki.ca.server.impl.cmp.X509CaCmpResponder.java

License:Open Source License

private boolean verifyPopo(final CertificateRequestMessage certRequest, final boolean allowRaPopo) {
    int popType = certRequest.getProofOfPossessionType();
    if (popType == CertificateRequestMessage.popRaVerified && allowRaPopo) {
        return true;
    }//  w  ww. j  a  v a2  s.c om

    if (popType != CertificateRequestMessage.popSigningKey) {
        LOG.error("unsupported POP type: " + popType);
        return false;
    }

    // check the POP signature algorithm
    ProofOfPossession pop = certRequest.toASN1Structure().getPopo();
    POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject());
    AlgorithmIdentifier popoAlgId = popoSign.getAlgorithmIdentifier();
    AlgorithmValidator algoValidator = getCmpControl().getPopoAlgoValidator();
    if (!algoValidator.isAlgorithmPermitted(popoAlgId)) {
        String algoName;
        try {
            algoName = AlgorithmUtil.getSignatureAlgoName(popoAlgId);
        } catch (NoSuchAlgorithmException ex) {
            algoName = popoAlgId.getAlgorithm().getId();
        }
        LOG.error("POPO signature algorithm {} not permitted", algoName);
        return false;
    }

    try {
        PublicKey publicKey = securityFactory.generatePublicKey(certRequest.getCertTemplate().getPublicKey());
        ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(publicKey);
        return certRequest.isValidSigningKeyPOP(cvp);
    } catch (InvalidKeyException | IllegalStateException | CRMFException ex) {
        LogUtil.error(LOG, ex);
    }
    return false;
}

---