List of usage examples for org.bouncycastle.asn1.x509 Certificate getSignatureAlgorithm
public AlgorithmIdentifier getSignatureAlgorithm()
From source file:net.wstech2.me.httpsclient.CertificateValidatorUtils.java
License:Apache License
/** * /* www . ja v a2s . c o m*/ * Prints common certificate informations like signature, signature * algorithm, subject and issuer details, etc. * * @param cert * The X509CertificateStructure containing the information that * will be printed. * */ public static void printCertificateDetails(org.bouncycastle.asn1.x509.Certificate cert) { HttpsConnectionUtils.logDebug( "BEGIN CERTIFICATE DUMP FOR:[[" + CertificateValidatorUtils.extractCommonName(cert, true) + "]]"); HttpsConnectionUtils.logDebug("Certificate Signature:[[" + cert.getSignature().toString() + "]]"); HttpsConnectionUtils.logDebug( "Certificate Signature Algorithm OID:[[" + cert.getSignatureAlgorithm().getAlgorithm() + "]]"); HttpsConnectionUtils.logDebug("Certificate Subject Info:[[" + cert.getSubject().toString() + "]]"); HttpsConnectionUtils .logDebug("Certificate Subject common name (CN):[[" + extractCommonName(cert, false) + "]]"); HttpsConnectionUtils .logDebug("Certificate Subject short common name (CN):[[" + extractCommonName(cert, true) + "]]"); HttpsConnectionUtils.logDebug("Certificate Issuer Info:[[" + cert.getIssuer() + "]]"); HttpsConnectionUtils.logDebug("Certificate Start Date:[[" + cert.getStartDate().getTime() + "]]"); HttpsConnectionUtils.logDebug("Certificate End Date:[[" + cert.getEndDate().getTime() + "]]"); HttpsConnectionUtils.logDebug("Certificate ASN.1 Dump:[[" + ASN1Dump.dumpAsString(cert, true) + "]]"); HttpsConnectionUtils.logDebug( "END CERTIFICATE DUMP FOR:[[" + CertificateValidatorUtils.extractCommonName(cert, true) + "]]"); }
From source file:net.wstech2.me.httpsclient.CertificateValidatorUtils.java
License:Apache License
/** * /*from w w w. ja v a 2s. c o m*/ * Obtains the digest instance corresponding to the Signature Algorithm OID * stored within the X509CertificateStructure @cert parameter. * * @param cert * The X509CertificateStructure to be analyzed. * * @return A Digest (SHA1Digest, MD5Digest, etc.) instance. Null if no * digest corresponding to the OID could be found. */ public static ExtendedDigest getDigestInstance(org.bouncycastle.asn1.x509.Certificate cert) { String digestId = cert.getSignatureAlgorithm().getAlgorithm().toString(); if (digestId.equalsIgnoreCase(SHA1_OID)) { return new SHA1Digest(); } return null; }
From source file:net.wstech2.me.httpsclient.CertificateValidatorUtils.java
License:Apache License
/** * Validates the certificate signature (hash). * //ww w .ja va 2s. com * @param cert * The certificate to be validated. * @param issuerCert * the issuer (normally a C.A.) certificate corresponding to the * key used to sign the certificate indicated at the previous * parameter. * * @param errors * a list to be filled - if needed - with errors detected during * the validation process. See * {@link CertificateValidationException#setErrors(List)}. * * @return True if the certificate signature is valid. False otherwise. * @throws IOException * @throws InvalidCipherTextException * @throws CertException * @throws OperatorCreationException * */ public static boolean verifySignature(org.bouncycastle.asn1.x509.Certificate cert, org.bouncycastle.asn1.x509.Certificate issuerCert, List errors) throws OperatorCreationException, CertException, IOException { boolean retval = false; if (!CertificateValidatorUtils.isAlgIdEqual(cert.getTBSCertificate().getSignature(), cert.getSignatureAlgorithm())) { throw new CertException("signature invalid - algorithm identifier mismatch"); } ContentVerifierProvider verifierProvider = new BcRSAContentVerifierProviderBuilder( new DefaultDigestAlgorithmIdentifierFinder()).build( PublicKeyFactory.createKey(issuerCert.getTBSCertificate().getSubjectPublicKeyInfo())); ContentVerifier verifier; try { verifier = verifierProvider.get((cert.getTBSCertificate().getSignature())); OutputStream sOut = verifier.getOutputStream(); DEROutputStream dOut = new DEROutputStream(sOut); dOut.writeObject(cert.getTBSCertificate()); sOut.close(); } catch (Exception e) { throw new CertException("unable to process signature: " + e.getMessage(), e); } retval = verifier.verify(cert.getSignature().getBytes()); if (retval == false) { String error = "Invalid certificate signature for [[" + extractCommonName(cert, true) + "]] validated against the Signer Certificate [[" + extractCommonName(issuerCert, true) + "]]."; HttpsConnectionUtils.logError(error); errors.add(error); } return retval; }
From source file:org.jitsi.impl.neomedia.transform.dtls.DtlsControlImpl.java
License:LGPL
/** * Determines the hash function i.e. the digest algorithm of the signature * algorithm of a specific certificate./*from w w w .j a v a 2 s.c o m*/ * * @param certificate the certificate the hash function of which is to be * determined * @return the hash function of the specified <tt>certificate</tt> */ private static String findHashFunction(org.bouncycastle.asn1.x509.Certificate certificate) { try { AlgorithmIdentifier sigAlgId = certificate.getSignatureAlgorithm(); AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); return BcDefaultDigestProvider.INSTANCE.get(digAlgId).getAlgorithmName().toLowerCase(); } catch (Throwable t) { if (t instanceof ThreadDeath) { throw (ThreadDeath) t; } else { logger.warn("Failed to find the hash function of the signature" + " algorithm of a certificate!", t); if (t instanceof RuntimeException) throw (RuntimeException) t; else throw new RuntimeException(t); } } }
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
@Override public ValidationResult checkCert(final byte[] certBytes, final X509IssuerInfo issuerInfo, final X500Name requestedSubject, final SubjectPublicKeyInfo requestedPublicKey, final Extensions requestedExtensions) { ParamChecker.assertNotNull("certBytes", certBytes); ParamChecker.assertNotNull("issuerInfo", issuerInfo); ParamChecker.assertNotNull("requestedSubject", requestedSubject); ParamChecker.assertNotNull("requestedPublicKey", requestedPublicKey); List<ValidationIssue> resultIssues = new LinkedList<ValidationIssue>(); Certificate bcCert; X509Certificate cert;//from www .java 2 s. co m // certificate encoding { ValidationIssue issue = new ValidationIssue("X509.ENCODING", "certificate encoding"); resultIssues.add(issue); try { bcCert = Certificate.getInstance(certBytes); cert = X509Util.parseCert(certBytes); } catch (CertificateException | IOException e) { issue.setFailureMessage("certificate is not corrected encoded"); return new ValidationResult(resultIssues); } } // syntax version { ValidationIssue issue = new ValidationIssue("X509.VERSION", "certificate version"); resultIssues.add(issue); int versionNumber = cert.getVersion(); if (versionNumber != version.getVersion()) { issue.setFailureMessage("is '" + versionNumber + "' but expected '" + version.getVersion() + "'"); } } // signatureAlgorithm if (CollectionUtil.isNotEmpty(signatureAlgorithms)) { ValidationIssue issue = new ValidationIssue("X509.SIGALG", "signature algorithm"); resultIssues.add(issue); AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm(); AlgorithmIdentifier tbsSigAlgId = bcCert.getTBSCertificate().getSignature(); if (tbsSigAlgId.equals(sigAlgId) == false) { issue.setFailureMessage("Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm"); } else { try { String sigAlgo = AlgorithmUtil.getSignatureAlgoName(sigAlgId); if (signatureAlgorithms.contains(sigAlgo) == false) { issue.setFailureMessage("signatureAlgorithm '" + sigAlgo + "' is not allowed"); } } catch (NoSuchAlgorithmException e) { issue.setFailureMessage("unsupported signature algorithm " + sigAlgId.getAlgorithm().getId()); } } } // notBefore if (notBeforeMidnight) { ValidationIssue issue = new ValidationIssue("X509.NOTBEFORE", "not before midnight"); resultIssues.add(issue); Calendar c = Calendar.getInstance(UTC); c.setTime(cert.getNotBefore()); int hourOfDay = c.get(Calendar.HOUR_OF_DAY); int minute = c.get(Calendar.MINUTE); int second = c.get(Calendar.SECOND); if (hourOfDay != 0 || minute != 0 || second != 0) { issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time (UTC)"); } } // validity { ValidationIssue issue = new ValidationIssue("X509.VALIDITY", "cert validity"); resultIssues.add(issue); Date expectedNotAfter = validity.add(cert.getNotBefore()); if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) { issue.setFailureMessage("cert validity is not within " + validity.toString()); } } // public key { SubjectPublicKeyInfo publicKey = bcCert.getSubjectPublicKeyInfo(); if (keyAlgorithms != null) { ValidationIssue issue = new ValidationIssue("X509.PUBKEY.SYN", "whether public key is permitted"); resultIssues.add(issue); try { checkPublicKey(publicKey); } catch (BadCertTemplateException e) { issue.setFailureMessage(e.getMessage()); } } ValidationIssue issue = new ValidationIssue("X509.PUBKEY.REQ", "whether public key matches the request one"); resultIssues.add(issue); SubjectPublicKeyInfo c14nRequestedPublicKey; try { c14nRequestedPublicKey = X509Util.toRfc3279Style(requestedPublicKey); if (c14nRequestedPublicKey.equals(publicKey) == false) { issue.setFailureMessage("public key in the certificate does not equal the requested one"); } } catch (InvalidKeySpecException e) { issue.setFailureMessage("public key in request is invalid"); } } // Signature { ValidationIssue issue = new ValidationIssue("X509.SIG", "whether certificate is signed by CA"); resultIssues.add(issue); try { cert.verify(issuerInfo.getCert().getPublicKey(), "BC"); } catch (Exception e) { issue.setFailureMessage("invalid signature"); } } // issuer { ValidationIssue issue = new ValidationIssue("X509.ISSUER", "certificate issuer"); resultIssues.add(issue); if (cert.getIssuerX500Principal().equals(issuerInfo.getCert().getSubjectX500Principal()) == false) { issue.setFailureMessage("issue in certificate does not equal the subject of CA certificate"); } } // subject X500Name subject = bcCert.getTBSCertificate().getSubject(); resultIssues.addAll(checkSubject(subject, requestedSubject)); // extensions resultIssues.addAll(checkExtensions(bcCert, cert, issuerInfo, requestedExtensions)); return new ValidationResult(resultIssues); }
From source file:org.xipki.pki.ca.qa.X509CertprofileQa.java
License:Open Source License
public ValidationResult checkCert(final byte[] certBytes, final X509IssuerInfo issuerInfo, final X500Name requestedSubject, final SubjectPublicKeyInfo requestedPublicKey, final Extensions requestedExtensions) { ParamUtil.requireNonNull("certBytes", certBytes); ParamUtil.requireNonNull("issuerInfo", issuerInfo); ParamUtil.requireNonNull("requestedSubject", requestedSubject); ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey); List<ValidationIssue> resultIssues = new LinkedList<ValidationIssue>(); Certificate bcCert; TBSCertificate tbsCert;/*from www . ja v a 2 s.c om*/ X509Certificate cert; ValidationIssue issue; // certificate size issue = new ValidationIssue("X509.SIZE", "certificate size"); resultIssues.add(issue); Integer maxSize = certProfile.getMaxSize(); if (maxSize != 0) { int size = certBytes.length; if (size > maxSize) { issue.setFailureMessage( String.format("certificate exceeds the maximal allowed size: %d > %d", size, maxSize)); } } // certificate encoding issue = new ValidationIssue("X509.ENCODING", "certificate encoding"); resultIssues.add(issue); try { bcCert = Certificate.getInstance(certBytes); tbsCert = bcCert.getTBSCertificate(); cert = X509Util.parseCert(certBytes); } catch (CertificateException ex) { issue.setFailureMessage("certificate is not corrected encoded"); return new ValidationResult(resultIssues); } // syntax version issue = new ValidationIssue("X509.VERSION", "certificate version"); resultIssues.add(issue); int versionNumber = tbsCert.getVersionNumber(); X509CertVersion expVersion = certProfile.getVersion(); if (versionNumber != expVersion.getVersionNumber()) { issue.setFailureMessage( "is '" + versionNumber + "' but expected '" + expVersion.getVersionNumber() + "'"); } // serialNumber issue = new ValidationIssue("X509.serialNumber", "certificate serial number"); resultIssues.add(issue); BigInteger serialNumber = tbsCert.getSerialNumber().getValue(); if (serialNumber.signum() != 1) { issue.setFailureMessage("not positive"); } else { if (serialNumber.bitLength() >= 160) { issue.setFailureMessage("serial number has more than 20 octets"); } } // signatureAlgorithm List<String> signatureAlgorithms = certProfile.getSignatureAlgorithms(); if (CollectionUtil.isNonEmpty(signatureAlgorithms)) { issue = new ValidationIssue("X509.SIGALG", "signature algorithm"); resultIssues.add(issue); AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm(); AlgorithmIdentifier tbsSigAlgId = tbsCert.getSignature(); if (!tbsSigAlgId.equals(sigAlgId)) { issue.setFailureMessage("Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm"); } try { String sigAlgo = AlgorithmUtil.getSignatureAlgoName(sigAlgId); if (!issue.isFailed()) { if (!signatureAlgorithms.contains(sigAlgo)) { issue.setFailureMessage("signatureAlgorithm '" + sigAlgo + "' is not allowed"); } } // check parameters if (!issue.isFailed()) { AlgorithmIdentifier expSigAlgId = AlgorithmUtil.getSigAlgId(sigAlgo); if (!expSigAlgId.equals(sigAlgId)) { issue.setFailureMessage("invalid parameters"); } } } catch (NoSuchAlgorithmException ex) { issue.setFailureMessage("unsupported signature algorithm " + sigAlgId.getAlgorithm().getId()); } } // notBefore encoding issue = new ValidationIssue("X509.NOTBEFORE.ENCODING", "notBefore encoding"); checkTime(tbsCert.getStartDate(), issue); // notAfter encoding issue = new ValidationIssue("X509.NOTAFTER.ENCODING", "notAfter encoding"); checkTime(tbsCert.getStartDate(), issue); // notBefore if (certProfile.isNotBeforeMidnight()) { issue = new ValidationIssue("X509.NOTBEFORE", "notBefore midnight"); resultIssues.add(issue); Calendar cal = Calendar.getInstance(UTC); cal.setTime(cert.getNotBefore()); int hourOfDay = cal.get(Calendar.HOUR_OF_DAY); int minute = cal.get(Calendar.MINUTE); int second = cal.get(Calendar.SECOND); if (hourOfDay != 0 || minute != 0 || second != 0) { issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time (UTC)"); } } // validity issue = new ValidationIssue("X509.VALIDITY", "cert validity"); resultIssues.add(issue); if (cert.getNotAfter().before(cert.getNotBefore())) { issue.setFailureMessage("notAfter must not be before notBefore"); } else if (cert.getNotBefore().before(issuerInfo.getCaNotBefore())) { issue.setFailureMessage("notBefore must not be before CA's notBefore"); } else { CertValidity validity = certProfile.getValidity(); Date expectedNotAfter = validity.add(cert.getNotBefore()); if (expectedNotAfter.getTime() > MAX_CERT_TIME_MS) { expectedNotAfter = new Date(MAX_CERT_TIME_MS); } if (issuerInfo.isCutoffNotAfter() && expectedNotAfter.after(issuerInfo.getCaNotAfter())) { expectedNotAfter = issuerInfo.getCaNotAfter(); } if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) { issue.setFailureMessage("cert validity is not within " + validity.toString()); } } // subjectPublicKeyInfo resultIssues.addAll(publicKeyChecker.checkPublicKey(bcCert.getSubjectPublicKeyInfo(), requestedPublicKey)); // Signature issue = new ValidationIssue("X509.SIG", "whether certificate is signed by CA"); resultIssues.add(issue); try { cert.verify(issuerInfo.getCert().getPublicKey(), "BC"); } catch (Exception ex) { issue.setFailureMessage("invalid signature"); } // issuer issue = new ValidationIssue("X509.ISSUER", "certificate issuer"); resultIssues.add(issue); if (!cert.getIssuerX500Principal().equals(issuerInfo.getCert().getSubjectX500Principal())) { issue.setFailureMessage("issue in certificate does not equal the subject of CA certificate"); } // subject resultIssues.addAll(subjectChecker.checkSubject(bcCert.getSubject(), requestedSubject)); // issuerUniqueID issue = new ValidationIssue("X509.IssuerUniqueID", "issuerUniqueID"); resultIssues.add(issue); if (tbsCert.getIssuerUniqueId() != null) { issue.setFailureMessage("is present but not permitted"); } // subjectUniqueID issue = new ValidationIssue("X509.SubjectUniqueID", "subjectUniqueID"); resultIssues.add(issue); if (tbsCert.getSubjectUniqueId() != null) { issue.setFailureMessage("is present but not permitted"); } // extensions issue = new ValidationIssue("X509.GrantedSubject", "grantedSubject"); resultIssues.add(issue); resultIssues.addAll( extensionsChecker.checkExtensions(bcCert, issuerInfo, requestedExtensions, requestedSubject)); return new ValidationResult(resultIssues); }