List of usage examples for org.bouncycastle.asn1.crmf POPOSigningKey getAlgorithmIdentifier
public AlgorithmIdentifier getAlgorithmIdentifier()
From source file:org.ejbca.core.protocol.cmp.CrmfRequestMessage.java
License:Open Source License
@Override public boolean verify() throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException { boolean ret = false; final ProofOfPossession pop = getReq().getPopo(); if (log.isDebugEnabled()) { log.debug("allowRaVerifyPopo: " + allowRaVerifyPopo); log.debug("pop.getRaVerified(): " + (pop.getType() == ProofOfPossession.TYPE_RA_VERIFIED)); }//from w ww. j ava2 s .c o m if (allowRaVerifyPopo && (pop.getType() == ProofOfPossession.TYPE_RA_VERIFIED)) { ret = true; } else if (pop.getType() == ProofOfPossession.TYPE_SIGNING_KEY) { try { final POPOSigningKey sk = (POPOSigningKey) pop.getObject(); final POPOSigningKeyInput pski = sk.getPoposkInput(); ASN1Encodable protObject = pski; // Use of POPOSigningKeyInput or not, as described in RFC4211, section 4.1. if (pski == null) { if (log.isDebugEnabled()) { log.debug("Using CertRequest as POPO input because POPOSigningKeyInput is missing."); } protObject = getReq().getCertReq(); } else { // Assume POPOSigningKeyInput with the public key and name, MUST be the same as in the request according to RFC4211 if (log.isDebugEnabled()) { log.debug("Using POPOSigningKeyInput as POPO input."); } final CertRequest req = getReq().getCertReq(); // If subject is present in cert template it must be the same as in POPOSigningKeyInput final X500Name subject = req.getCertTemplate().getSubject(); if (subject != null && !subject.toString().equals(pski.getSender().getName().toString())) { log.info("Subject '" + subject.toString() + "', is not equal to '" + pski.getSender().toString() + "'."); protObject = null; // pski is not a valid protection object } // If public key is present in cert template it must be the same as in POPOSigningKeyInput final SubjectPublicKeyInfo pk = req.getCertTemplate().getPublicKey(); if (pk != null && !Arrays.areEqual(pk.getEncoded(), pski.getPublicKey().getEncoded())) { log.info( "Subject key in cert template, is not equal to subject key in POPOSigningKeyInput."); protObject = null; // pski is not a valid protection object } } // If a protectObject is present we extract the bytes and verify it if (protObject != null) { final ByteArrayOutputStream bao = new ByteArrayOutputStream(); new DEROutputStream(bao).writeObject(protObject); final byte[] protBytes = bao.toByteArray(); final AlgorithmIdentifier algId = sk.getAlgorithmIdentifier(); if (log.isDebugEnabled()) { log.debug( "POP protection bytes length: " + (protBytes != null ? protBytes.length : "null")); log.debug("POP algorithm identifier is: " + algId.getAlgorithm().getId()); } final Signature sig = Signature.getInstance(algId.getAlgorithm().getId(), "BC"); sig.initVerify(getRequestPublicKey()); sig.update(protBytes); final DERBitString bs = sk.getSignature(); ret = sig.verify(bs.getBytes()); if (log.isDebugEnabled()) { log.debug("POP verify returns: " + ret); } } } catch (IOException e) { log.error("Error encoding CertReqMsg: ", e); } catch (SignatureException e) { log.error("SignatureException verifying POP: ", e); } } return ret; }
From source file:org.xipki.pki.ca.server.impl.cmp.X509CaCmpResponder.java
License:Open Source License
private boolean verifyPopo(final CertificateRequestMessage certRequest, final boolean allowRaPopo) { int popType = certRequest.getProofOfPossessionType(); if (popType == CertificateRequestMessage.popRaVerified && allowRaPopo) { return true; }// w ww. j a v a2 s.c om if (popType != CertificateRequestMessage.popSigningKey) { LOG.error("unsupported POP type: " + popType); return false; } // check the POP signature algorithm ProofOfPossession pop = certRequest.toASN1Structure().getPopo(); POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject()); AlgorithmIdentifier popoAlgId = popoSign.getAlgorithmIdentifier(); AlgorithmValidator algoValidator = getCmpControl().getPopoAlgoValidator(); if (!algoValidator.isAlgorithmPermitted(popoAlgId)) { String algoName; try { algoName = AlgorithmUtil.getSignatureAlgoName(popoAlgId); } catch (NoSuchAlgorithmException ex) { algoName = popoAlgId.getAlgorithm().getId(); } LOG.error("POPO signature algorithm {} not permitted", algoName); return false; } try { PublicKey publicKey = securityFactory.generatePublicKey(certRequest.getCertTemplate().getPublicKey()); ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(publicKey); return certRequest.isValidSigningKeyPOP(cvp); } catch (InvalidKeyException | IllegalStateException | CRMFException ex) { LogUtil.error(LOG, ex); } return false; }