List of usage examples for org.bouncycastle.asn1.crmf POPOSigningKey getInstance
public static POPOSigningKey getInstance(Object o)
From source file:org.ejbca.core.protocol.cmp.CmpMessageHelper.java
License:Open Source License
/** * Parses a CRMF request created with novosec library classes and return a bouncycastle CertReqMsg object * //from ww w . j a v a2 s . c o m * @param messages * @return */ public static CertReqMsg getNovosecCertReqMsg(CertReqMessages messages) { // The encoding of the ProofOfPosession in bouncycastle and novosec is different. // Novosec generator explicitly tags the PopoSigningKey while it should be implicitly tagged. // Through novosec, the ProofOfPosession comes through as: // Sequence // DERSequence // DERSequence // ObjectIdentifier(1.2.840.113549.1.1.5) // DERBitString[64,0] // // But it should be: // DERSequence // DERSequence // ObjectIdentifier(1.2.840.113549.1.1.5) // DERBitString[64,0] // // The bouncycastle parser expects an implicit tag, so to it, it looks like the sequence is containing a single element. //-------------------------------------- // A comment from bouncycastle that might not effect anything here but maybe effect something else in the future: // What's happened is the novosec generator has explicitly tagged the PopoSigningKey structure, it should be // implicitly tagged (this isn't true if it's a POPOPrivKey, but that's because it's a CHOICE item so the tag // has to be preserved, but that is a different story). // Reconstructing the CertRequest ASN1Encodable o2 = ((DERSequence) messages.toASN1Primitive()).getObjectAt(0); ASN1Encodable o3 = ((DERSequence) o2).getObjectAt(0); CertRequest cr = CertRequest.getInstance(o3); // Reconstructing the proof-of-posession ASN1TaggedObject o4 = (ASN1TaggedObject) ((DERSequence) o2).getObjectAt(1); ProofOfPossession pp; int tagnr = o4.getTagNo(); ASN1Encodable o5; switch (tagnr) { case 0: o5 = DERNull.INSTANCE; pp = new ProofOfPossession(); break; case 1: o5 = POPOSigningKey.getInstance(o4.getObject()); pp = new ProofOfPossession((POPOSigningKey) o5); break; case 2: case 3: o5 = POPOPrivKey.getInstance(o4, false); pp = new ProofOfPossession(tagnr, (POPOPrivKey) o5); break; default: throw new IllegalArgumentException("unknown tag: " + tagnr); } // Reconstructing the regToken ASN1Sequence o6 = (ASN1Sequence) ((ASN1Sequence) o2.toASN1Primitive()).getObjectAt(2); final AttributeTypeAndValue av = AttributeTypeAndValue.getInstance(((ASN1Sequence) o6).getObjectAt(0)); final AttributeTypeAndValue[] avs = { av }; // finally, recreating the CertReqMsg object return new CertReqMsg(cr, pp, avs); }
From source file:org.xipki.pki.ca.server.impl.cmp.X509CaCmpResponder.java
License:Open Source License
private boolean verifyPopo(final CertificateRequestMessage certRequest, final boolean allowRaPopo) { int popType = certRequest.getProofOfPossessionType(); if (popType == CertificateRequestMessage.popRaVerified && allowRaPopo) { return true; }/* www .ja v a2s . c o m*/ if (popType != CertificateRequestMessage.popSigningKey) { LOG.error("unsupported POP type: " + popType); return false; } // check the POP signature algorithm ProofOfPossession pop = certRequest.toASN1Structure().getPopo(); POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject()); AlgorithmIdentifier popoAlgId = popoSign.getAlgorithmIdentifier(); AlgorithmValidator algoValidator = getCmpControl().getPopoAlgoValidator(); if (!algoValidator.isAlgorithmPermitted(popoAlgId)) { String algoName; try { algoName = AlgorithmUtil.getSignatureAlgoName(popoAlgId); } catch (NoSuchAlgorithmException ex) { algoName = popoAlgId.getAlgorithm().getId(); } LOG.error("POPO signature algorithm {} not permitted", algoName); return false; } try { PublicKey publicKey = securityFactory.generatePublicKey(certRequest.getCertTemplate().getPublicKey()); ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(publicKey); return certRequest.isValidSigningKeyPOP(cvp); } catch (InvalidKeyException | IllegalStateException | CRMFException ex) { LogUtil.error(LOG, ex); } return false; }