List of usage examples for org.bouncycastle.asn1.x509 Extension Extension
public Extension(ASN1ObjectIdentifier extnId, boolean critical, ASN1OctetString value)
From source file:org.xipki.pki.ca.server.impl.X509Ca.java
License:Open Source License
private static Extension createReasonExtension(final int reasonCode) { CRLReason crlReason = CRLReason.lookup(reasonCode); try {/*from w w w. j a v a2s . c om*/ return new Extension(Extension.reasonCode, false, crlReason.getEncoded()); } catch (IOException ex) { throw new IllegalArgumentException("error encoding reason: " + ex.getMessage(), ex); } }
From source file:org.xipki.pki.ca.server.impl.X509Ca.java
License:Open Source License
private static Extension createInvalidityDateExtension(final Date invalidityDate) { try {/* w ww.j a v a2 s.co m*/ ASN1GeneralizedTime asnTime = new ASN1GeneralizedTime(invalidityDate); return new Extension(Extension.invalidityDate, false, asnTime.getEncoded()); } catch (IOException ex) { throw new IllegalArgumentException("error encoding reason: " + ex.getMessage(), ex); } }
From source file:org.xipki.pki.ca.server.impl.X509Ca.java
License:Open Source License
private static Extension createCertificateIssuerExtension(final X500Name certificateIssuer) { try {//from w w w . ja v a 2 s . c o m GeneralNames generalNames = new GeneralNames(new GeneralName(certificateIssuer)); return new Extension(Extension.certificateIssuer, true, generalNames.getEncoded()); } catch (IOException ex) { throw new IllegalArgumentException("error encoding reason: " + ex.getMessage(), ex); } }
From source file:org.xipki.pki.ocsp.client.impl.AbstractOcspRequestor.java
License:Open Source License
private OCSPReq buildRequest(final X509Certificate caCert, final BigInteger[] serialNumbers, final byte[] nonce, final RequestOptions requestOptions) throws OcspRequestorException { HashAlgoType hashAlgo = HashAlgoType.getHashAlgoType(requestOptions.getHashAlgorithmId()); if (hashAlgo == null) { throw new OcspRequestorException("unknown HashAlgo " + requestOptions.getHashAlgorithmId().getId()); }/*from w w w .j av a2 s .c om*/ List<AlgorithmIdentifier> prefSigAlgs = requestOptions.getPreferredSignatureAlgorithms(); DigestCalculator digestCalculator; switch (hashAlgo) { case SHA1: digestCalculator = new SHA1DigestCalculator(); break; case SHA224: digestCalculator = new SHA224DigestCalculator(); break; case SHA256: digestCalculator = new SHA256DigestCalculator(); break; case SHA384: digestCalculator = new SHA384DigestCalculator(); break; case SHA512: digestCalculator = new SHA512DigestCalculator(); break; case SHA3_224: digestCalculator = new SHA3_224DigestCalculator(); break; case SHA3_256: digestCalculator = new SHA3_256DigestCalculator(); break; case SHA3_384: digestCalculator = new SHA3_384DigestCalculator(); break; case SHA3_512: digestCalculator = new SHA3_512DigestCalculator(); break; default: throw new RuntimeException("unknown HashAlgoType: " + hashAlgo); } OCSPReqBuilder reqBuilder = new OCSPReqBuilder(); List<Extension> extensions = new LinkedList<>(); if (nonce != null) { Extension extn = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce)); extensions.add(extn); } if (prefSigAlgs != null && prefSigAlgs.size() > 0) { ASN1EncodableVector vec = new ASN1EncodableVector(); for (AlgorithmIdentifier algId : prefSigAlgs) { ASN1Sequence prefSigAlgObj = new DERSequence(algId); vec.add(prefSigAlgObj); } ASN1Sequence extnValue = new DERSequence(vec); Extension extn; try { extn = new Extension(ObjectIdentifiers.id_pkix_ocsp_prefSigAlgs, false, new DEROctetString(extnValue)); } catch (IOException ex) { throw new OcspRequestorException(ex.getMessage(), ex); } extensions.add(extn); } if (CollectionUtil.isNonEmpty(extensions)) { reqBuilder.setRequestExtensions(new Extensions(extensions.toArray(new Extension[0]))); } try { for (BigInteger serialNumber : serialNumbers) { CertificateID certId = new CertificateID(digestCalculator, new X509CertificateHolder(caCert.getEncoded()), serialNumber); reqBuilder.addRequest(certId); } if (requestOptions.isSignRequest()) { synchronized (signerLock) { if (signer == null) { if (StringUtil.isBlank(signerType)) { throw new OcspRequestorException("signerType is not configured"); } if (StringUtil.isBlank(signerConf)) { throw new OcspRequestorException("signerConf is not configured"); } X509Certificate cert = null; if (StringUtil.isNotBlank(signerCertFile)) { try { cert = X509Util.parseCert(signerCertFile); } catch (CertificateException ex) { throw new OcspRequestorException( "could not parse certificate " + signerCertFile + ": " + ex.getMessage()); } } try { signer = getSecurityFactory().createSigner(signerType, new SignerConf(signerConf), cert); } catch (Exception ex) { throw new OcspRequestorException("could not create signer: " + ex.getMessage()); } } // end if } // end synchronized reqBuilder.setRequestorName(signer.getCertificateAsBcObject().getSubject()); try { return signer.build(reqBuilder, signer.getCertificateChainAsBcObjects()); } catch (NoIdleSignerException ex) { throw new OcspRequestorException("NoIdleSignerException: " + ex.getMessage()); } } else { return reqBuilder.build(); } // end if } catch (OCSPException | CertificateEncodingException | IOException ex) { throw new OcspRequestorException(ex.getMessage(), ex); } }
From source file:org.xipki.pki.ocsp.server.impl.OcspServer.java
License:Open Source License
public OcspRespWithCacheInfo answer(final Responder responder, final OCSPReq request, final boolean viaGet, final AuditEvent event) { ParamUtil.requireNonNull("responder", responder); ParamUtil.requireNonNull("request", request); RequestOption reqOpt = responder.getRequestOption(); ResponderSigner signer = responder.getSigner(); ResponseOption repOpt = responder.getResponseOption(); String msgId = null;/*from ww w.jav a 2s. c om*/ if (event != null) { msgId = RandomUtil.nextHexLong(); event.addEventData(OcspAuditConstants.NAME_mid, msgId); } int version = request.getVersionNumber(); if (!reqOpt.isVersionAllowed(version)) { String message = "invalid request version " + version; LOG.warn(message); fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message); return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest); } try { OcspRespWithCacheInfo resp = checkSignature(request, reqOpt, event); if (resp != null) { return resp; } OcspRespControl repControl = new OcspRespControl(); repControl.couldCacheInfo = viaGet; List<Extension> responseExtensions = new ArrayList<>(2); Req[] requestList = request.getRequestList(); // CHECKSTYLE:SKIP int requestsSize = requestList.length; Set<ASN1ObjectIdentifier> criticalExtensionOids = new HashSet<>(); Set<?> tmp = request.getCriticalExtensionOIDs(); if (tmp != null) { for (Object oid : tmp) { criticalExtensionOids.add((ASN1ObjectIdentifier) oid); } } RespID respId = signer.getResponder(repOpt.isResponderIdByName()); BasicOCSPRespBuilder basicOcspBuilder = new BasicOCSPRespBuilder(respId); ASN1ObjectIdentifier extensionType = OCSPObjectIdentifiers.id_pkix_ocsp_nonce; criticalExtensionOids.remove(extensionType); Extension nonceExtn = request.getExtension(extensionType); if (nonceExtn != null) { byte[] nonce = nonceExtn.getExtnValue().getOctets(); int len = nonce.length; int min = reqOpt.getNonceMinLen(); int max = reqOpt.getNonceMaxLen(); if (len < min || len > max) { LOG.warn("length of nonce {} not within [{},{}]", len, min, max); StringBuilder sb = new StringBuilder(50); sb.append("length of nonce ").append(len); sb.append(" not within [").append(min).append(", ").append(max).append("]"); fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, sb.toString()); return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest); } repControl.couldCacheInfo = false; responseExtensions.add(nonceExtn); } else if (reqOpt.isNonceRequired()) { String message = "nonce required, but is not present in the request"; LOG.warn(message); fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message); return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest); } for (int i = 0; i < requestsSize; i++) { AuditEvent singleEvent = null; if (event != null) { singleEvent = new AuditEvent(new Date()); singleEvent.setApplicationName(OcspAuditConstants.APPNAME); singleEvent.setName(OcspAuditConstants.NAME_PERF); singleEvent.addEventData(OcspAuditConstants.NAME_mid, msgId); } OcspRespWithCacheInfo ocspResp = null; try { ocspResp = processCertReq(requestList[i], basicOcspBuilder, responder, reqOpt, repOpt, repControl, singleEvent); } finally { if (singleEvent != null) { singleEvent.finish(); auditServiceRegister.getAuditService().doLogEvent(singleEvent); } } if (ocspResp != null) { return ocspResp; } } if (repControl.includeExtendedRevokeExtension) { responseExtensions.add(new Extension(ObjectIdentifiers.id_pkix_ocsp_extendedRevoke, true, Arrays.copyOf(DERNullBytes, DERNullBytes.length))); } if (CollectionUtil.isNonEmpty(responseExtensions)) { basicOcspBuilder .setResponseExtensions(new Extensions(responseExtensions.toArray(new Extension[0]))); } ConcurrentContentSigner concurrentSigner = null; if (responder.getResponderOption().getMode() != OcspMode.RFC2560) { extensionType = ObjectIdentifiers.id_pkix_ocsp_prefSigAlgs; criticalExtensionOids.remove(extensionType); Extension ext = request.getExtension(extensionType); if (ext != null) { ASN1Sequence preferredSigAlgs = ASN1Sequence.getInstance(ext.getParsedValue()); concurrentSigner = signer.getSignerForPreferredSigAlgs(preferredSigAlgs); } } if (CollectionUtil.isNonEmpty(criticalExtensionOids)) { return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest); } if (concurrentSigner == null) { concurrentSigner = signer.getFirstSigner(); } X509CertificateHolder[] certsInResp; EmbedCertsMode certsMode = repOpt.getEmbedCertsMode(); if (certsMode == null || certsMode == EmbedCertsMode.SIGNER) { certsInResp = new X509CertificateHolder[] { signer.getBcCertificate() }; } else if (certsMode == EmbedCertsMode.SIGNER_AND_CA) { certsInResp = signer.getBcCertificateChain(); } else { // NONE certsInResp = null; } BasicOCSPResp basicOcspResp; try { basicOcspResp = concurrentSigner.build(basicOcspBuilder, certsInResp, new Date()); } catch (NoIdleSignerException ex) { return createUnsuccessfulOcspResp(OcspResponseStatus.tryLater); } catch (OCSPException ex) { LogUtil.error(LOG, ex, "answer() basicOcspBuilder.build"); fillAuditEvent(event, AuditLevel.ERROR, AuditStatus.FAILED, "BasicOCSPRespBuilder.build() with OCSPException"); return createUnsuccessfulOcspResp(OcspResponseStatus.internalError); } OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder(); try { OCSPResp ocspResp = ocspRespBuilder.build(OcspResponseStatus.successful.getStatus(), basicOcspResp); if (repControl.couldCacheInfo) { ResponseCacheInfo cacheInfo = new ResponseCacheInfo(repControl.cacheThisUpdate); if (repControl.cacheNextUpdate != Long.MAX_VALUE) { cacheInfo.setNextUpdate(repControl.cacheNextUpdate); } return new OcspRespWithCacheInfo(ocspResp, cacheInfo); } else { return new OcspRespWithCacheInfo(ocspResp, null); } } catch (OCSPException ex) { LogUtil.error(LOG, ex, "answer() ocspRespBuilder.build"); fillAuditEvent(event, AuditLevel.ERROR, AuditStatus.FAILED, "OCSPRespBuilder.build() with OCSPException"); return createUnsuccessfulOcspResp(OcspResponseStatus.internalError); } } catch (Throwable th) { LogUtil.error(LOG, th); fillAuditEvent(event, AuditLevel.ERROR, AuditStatus.FAILED, "internal error"); return createUnsuccessfulOcspResp(OcspResponseStatus.internalError); } }
From source file:org.xipki.pki.ocsp.server.impl.OcspServer.java
License:Open Source License
private OcspRespWithCacheInfo processCertReq(Req req, BasicOCSPRespBuilder builder, Responder responder, RequestOption reqOpt, ResponseOption repOpt, OcspRespControl repControl, AuditEvent event) throws IOException { CertificateID certId = req.getCertID(); String certIdHashAlgo = certId.getHashAlgOID().getId(); HashAlgoType reqHashAlgo = HashAlgoType.getHashAlgoType(certIdHashAlgo); if (reqHashAlgo == null) { LOG.warn("unknown CertID.hashAlgorithm {}", certIdHashAlgo); if (event != null) { fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, "unknown CertID.hashAlgorithm " + certIdHashAlgo); }//from w ww . jav a 2 s.c om return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest); } else if (!reqOpt.allows(reqHashAlgo)) { LOG.warn("CertID.hashAlgorithm {} not allowed", certIdHashAlgo); if (event != null) { fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, "not allowed CertID.hashAlgorithm " + certIdHashAlgo); } return createUnsuccessfulOcspResp(OcspResponseStatus.malformedRequest); } if (event != null) { event.addEventData(OcspAuditConstants.NAME_serial, certId.getSerialNumber()); } CertStatusInfo certStatusInfo = null; OcspStore answeredStore = null; boolean exceptionOccurs = false; Date now = new Date(); for (OcspStore store : responder.getStores()) { try { certStatusInfo = store.getCertStatus(now, reqHashAlgo, certId.getIssuerNameHash(), certId.getIssuerKeyHash(), certId.getSerialNumber(), repOpt.isIncludeCerthash(), repOpt.getCertHashAlgo(), responder.getCertprofileOption()); if (certStatusInfo != null && certStatusInfo.getCertStatus() != CertStatus.ISSUER_UNKNOWN) { answeredStore = store; break; } } catch (OcspStoreException ex) { exceptionOccurs = true; LogUtil.error(LOG, ex, "getCertStatus() of CertStatusStore " + store.getName()); } // end try } // end for if (certStatusInfo == null) { if (exceptionOccurs) { fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, "no CertStatusStore can answer the request"); return createUnsuccessfulOcspResp(OcspResponseStatus.tryLater); } else { certStatusInfo = CertStatusInfo.getIssuerUnknownCertStatusInfo(new Date(), null); } } else if (answeredStore != null && responder.getResponderOption().isInheritCaRevocation()) { CertRevocationInfo caRevInfo = answeredStore.getCaRevocationInfo(reqHashAlgo, certId.getIssuerNameHash(), certId.getIssuerKeyHash()); if (caRevInfo != null) { CertStatus certStatus = certStatusInfo.getCertStatus(); boolean replaced = false; if (certStatus == CertStatus.GOOD || certStatus == CertStatus.UNKNOWN) { replaced = true; } else if (certStatus == CertStatus.REVOKED) { if (certStatusInfo.getRevocationInfo().getRevocationTime() .after(caRevInfo.getRevocationTime())) { replaced = true; } } if (replaced) { CertRevocationInfo newRevInfo; if (caRevInfo.getReason() == CrlReason.CA_COMPROMISE) { newRevInfo = caRevInfo; } else { newRevInfo = new CertRevocationInfo(CrlReason.CA_COMPROMISE, caRevInfo.getRevocationTime(), caRevInfo.getInvalidityTime()); } certStatusInfo = CertStatusInfo.getRevokedCertStatusInfo(newRevInfo, certStatusInfo.getCertHashAlgo(), certStatusInfo.getCertHash(), certStatusInfo.getThisUpdate(), certStatusInfo.getNextUpdate(), certStatusInfo.getCertprofile()); } // end if(replaced) } // end if } // end if if (event != null) { String certprofile = certStatusInfo.getCertprofile(); String auditCertType; if (certprofile != null) { auditCertType = responder.getAuditOption().getCertprofileMapping().get(certprofile); if (auditCertType == null) { auditCertType = certprofile; } } else { auditCertType = "UNKNOWN"; } event.addEventData(OcspAuditConstants.NAME_type, auditCertType); } // certStatusInfo must not be null in any case, since at least one store // is configured Date thisUpdate = certStatusInfo.getThisUpdate(); if (thisUpdate == null) { thisUpdate = new Date(); } Date nextUpdate = certStatusInfo.getNextUpdate(); List<Extension> extensions = new LinkedList<>(); boolean unknownAsRevoked = false; CertificateStatus bcCertStatus; switch (certStatusInfo.getCertStatus()) { case GOOD: bcCertStatus = null; break; case ISSUER_UNKNOWN: repControl.couldCacheInfo = false; bcCertStatus = new UnknownStatus(); break; case UNKNOWN: case IGNORE: repControl.couldCacheInfo = false; if (responder.getResponderOption().getMode() == OcspMode.RFC2560) { bcCertStatus = new UnknownStatus(); } else { // (ocspMode == OCSPMode.RFC6960) unknownAsRevoked = true; repControl.includeExtendedRevokeExtension = true; bcCertStatus = new RevokedStatus(new Date(0L), CrlReason.CERTIFICATE_HOLD.getCode()); } break; case REVOKED: CertRevocationInfo revInfo = certStatusInfo.getRevocationInfo(); ASN1GeneralizedTime revTime = new ASN1GeneralizedTime(revInfo.getRevocationTime()); org.bouncycastle.asn1.x509.CRLReason tmpReason = null; if (repOpt.isIncludeRevReason()) { tmpReason = org.bouncycastle.asn1.x509.CRLReason.lookup(revInfo.getReason().getCode()); } RevokedInfo tmpRevInfo = new RevokedInfo(revTime, tmpReason); bcCertStatus = new RevokedStatus(tmpRevInfo); Date invalidityDate = revInfo.getInvalidityTime(); if (repOpt.isIncludeInvalidityDate() && invalidityDate != null && !invalidityDate.equals(revInfo.getRevocationTime())) { Extension extension = new Extension(Extension.invalidityDate, false, new ASN1GeneralizedTime(invalidityDate).getEncoded()); extensions.add(extension); } break; default: throw new RuntimeException("unknown CertificateStatus:" + certStatusInfo.getCertStatus()); } // end switch byte[] certHash = certStatusInfo.getCertHash(); if (certHash != null) { ASN1ObjectIdentifier hashAlgOid = certStatusInfo.getCertHashAlgo().getOid(); AlgorithmIdentifier hashAlgId = new AlgorithmIdentifier(hashAlgOid, DERNull.INSTANCE); CertHash bcCertHash = new CertHash(hashAlgId, certHash); byte[] encodedCertHash; try { encodedCertHash = bcCertHash.getEncoded(); } catch (IOException ex) { LogUtil.error(LOG, ex, "answer() bcCertHash.getEncoded"); if (event != null) { fillAuditEvent(event, AuditLevel.ERROR, AuditStatus.FAILED, "CertHash.getEncoded() with IOException"); } return createUnsuccessfulOcspResp(OcspResponseStatus.internalError); } Extension extension = new Extension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash, false, encodedCertHash); extensions.add(extension); } // end if(certHash != null) if (certStatusInfo.getArchiveCutOff() != null) { Extension extension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_archive_cutoff, false, new ASN1GeneralizedTime(certStatusInfo.getArchiveCutOff()).getEncoded()); extensions.add(extension); } String certStatusText; if (bcCertStatus instanceof UnknownStatus) { certStatusText = "unknown"; } else if (bcCertStatus instanceof RevokedStatus) { certStatusText = unknownAsRevoked ? "unknown_as_revoked" : "revoked"; } else if (bcCertStatus == null) { certStatusText = "good"; } else { certStatusText = "should-not-happen"; } if (event != null) { event.setLevel(AuditLevel.INFO); event.setStatus(AuditStatus.SUCCESSFUL); event.addEventData(OcspAuditConstants.NAME_status, certStatusText); } if (LOG.isDebugEnabled()) { StringBuilder sb = new StringBuilder(250); sb.append("certHashAlgo: ").append(certId.getHashAlgOID().getId()).append(", "); sb.append("issuerNameHash: ").append(Hex.toHexString(certId.getIssuerNameHash()).toUpperCase()) .append(", "); sb.append("issuerKeyHash: ").append(Hex.toHexString(certId.getIssuerKeyHash()).toUpperCase()) .append(", "); sb.append("serialNumber: ").append(LogUtil.formatCsn(certId.getSerialNumber())).append(", "); sb.append("certStatus: ").append(certStatusText).append(", "); sb.append("thisUpdate: ").append(thisUpdate).append(", "); sb.append("nextUpdate: ").append(nextUpdate); if (certHash != null) { sb.append(", certHash: ").append(Hex.toHexString(certHash).toUpperCase()); } LOG.debug(sb.toString()); } Extensions extns = null; if (CollectionUtil.isNonEmpty(extensions)) { extns = new Extensions(extensions.toArray(new Extension[0])); } builder.addResponse(certId, bcCertStatus, thisUpdate, nextUpdate, extns); repControl.cacheThisUpdate = Math.max(repControl.cacheThisUpdate, thisUpdate.getTime()); if (nextUpdate != null) { repControl.cacheNextUpdate = Math.min(repControl.cacheNextUpdate, nextUpdate.getTime()); } return null; }
From source file:org.xipki.security.P10RequestGenerator.java
License:Open Source License
public static Extension createExtensionSubjectAltName(final List<String> taggedValues, final boolean critical) throws BadInputException { GeneralNames names = createGeneralNames(taggedValues); if (names == null) { return null; }// ww w. ja va 2 s .c om try { return new Extension(Extension.subjectAlternativeName, critical, names.getEncoded()); } catch (IOException e) { throw new RuntimeException(e.getMessage(), e); } }
From source file:org.xipki.security.P10RequestGenerator.java
License:Open Source License
public static Extension createExtensionSubjectInfoAccess(final List<String> accessMethodAndLocations, final boolean critical) throws BadInputException { if (CollectionUtil.isEmpty(accessMethodAndLocations)) { return null; }//from www . j a v a2s .c o m ASN1EncodableVector vector = new ASN1EncodableVector(); for (String accessMethodAndLocation : accessMethodAndLocations) { vector.add(createAccessDescription(accessMethodAndLocation)); } ASN1Sequence seq = new DERSequence(vector); try { return new Extension(Extension.subjectInfoAccess, critical, seq.getEncoded()); } catch (IOException e) { throw new RuntimeException(e.getMessage(), e); } }
From source file:org.xipki.security.p11.iaik.IaikP11Slot.java
License:Open Source License
private X509CertificateHolder generateCertificate(final Session session, final byte[] id, final String label, final String subject, final AlgorithmIdentifier signatureAlgId, final PrivateKeyAndPKInfo privateKeyAndPkInfo, Integer keyUsage, List<ASN1ObjectIdentifier> extendedKeyUsage) throws Exception { BigInteger serialNumber = BigInteger.ONE; Date startDate = new Date(); Date endDate = new Date(startDate.getTime() + 20 * YEAR); X500Name x500Name_subject = new X500Name(subject); x500Name_subject = X509Util.sortX509Name(x500Name_subject); V3TBSCertificateGenerator tbsGen = new V3TBSCertificateGenerator(); tbsGen.setSerialNumber(new ASN1Integer(serialNumber)); tbsGen.setSignature(signatureAlgId); tbsGen.setIssuer(x500Name_subject); tbsGen.setStartDate(new Time(startDate)); tbsGen.setEndDate(new Time(endDate)); tbsGen.setSubject(x500Name_subject); tbsGen.setSubjectPublicKeyInfo(privateKeyAndPkInfo.getPublicKeyInfo()); List<Extension> extensions = new ArrayList<>(2); if (keyUsage == null) { keyUsage = KeyUsage.keyCertSign | KeyUsage.cRLSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment; }//from w w w.ja v a2 s . c om extensions.add(new Extension(Extension.keyUsage, true, new DEROctetString(new KeyUsage(keyUsage)))); if (CollectionUtil.isNotEmpty(extendedKeyUsage)) { KeyPurposeId[] kps = new KeyPurposeId[extendedKeyUsage.size()]; int i = 0; for (ASN1ObjectIdentifier oid : extendedKeyUsage) { kps[i++] = KeyPurposeId.getInstance(oid); } extensions.add(new Extension(Extension.extendedKeyUsage, false, new DEROctetString(new ExtendedKeyUsage(kps)))); } Extensions paramX509Extensions = new Extensions(extensions.toArray(new Extension[0])); tbsGen.setExtensions(paramX509Extensions); TBSCertificate tbsCertificate = tbsGen.generateTBSCertificate(); byte[] encodedTbsCertificate = tbsCertificate.getEncoded(); byte[] signature = null; Digest digest = null; Mechanism sigMechanism = null; ASN1ObjectIdentifier sigAlgID = signatureAlgId.getAlgorithm(); if (sigAlgID.equals(PKCSObjectIdentifiers.sha256WithRSAEncryption)) { sigMechanism = Mechanism.get(PKCS11Constants.CKM_SHA256_RSA_PKCS); session.signInit(sigMechanism, privateKeyAndPkInfo.getPrivateKey()); signature = session.sign(encodedTbsCertificate); } else if (sigAlgID.equals(NISTObjectIdentifiers.dsa_with_sha256)) { digest = new SHA256Digest(); byte[] digestValue = new byte[digest.getDigestSize()]; digest.update(encodedTbsCertificate, 0, encodedTbsCertificate.length); digest.doFinal(digestValue, 0); session.signInit(Mechanism.get(PKCS11Constants.CKM_DSA), privateKeyAndPkInfo.getPrivateKey()); byte[] rawSignature = session.sign(digestValue); signature = convertToX962Signature(rawSignature); } else { if (sigAlgID.equals(X9ObjectIdentifiers.ecdsa_with_SHA1)) { digest = new SHA1Digest(); } else if (sigAlgID.equals(X9ObjectIdentifiers.ecdsa_with_SHA256)) { digest = new SHA256Digest(); } else if (sigAlgID.equals(X9ObjectIdentifiers.ecdsa_with_SHA384)) { digest = new SHA384Digest(); } else if (sigAlgID.equals(X9ObjectIdentifiers.ecdsa_with_SHA512)) { digest = new SHA512Digest(); } else { System.err.println("unknown algorithm ID: " + sigAlgID.getId()); return null; } byte[] digestValue = new byte[digest.getDigestSize()]; digest.update(encodedTbsCertificate, 0, encodedTbsCertificate.length); digest.doFinal(digestValue, 0); session.signInit(Mechanism.get(PKCS11Constants.CKM_ECDSA), privateKeyAndPkInfo.getPrivateKey()); byte[] rawSignature = session.sign(digestValue); signature = convertToX962Signature(rawSignature); } // build DER certificate ASN1EncodableVector v = new ASN1EncodableVector(); v.add(tbsCertificate); v.add(signatureAlgId); v.add(new DERBitString(signature)); DERSequence cert = new DERSequence(v); // build and store PKCS#11 certificate object X509PublicKeyCertificate certTemp = new X509PublicKeyCertificate(); certTemp.getToken().setBooleanValue(true); certTemp.getId().setByteArrayValue(id); certTemp.getLabel().setCharArrayValue(label.toCharArray()); certTemp.getSubject().setByteArrayValue(x500Name_subject.getEncoded()); certTemp.getIssuer().setByteArrayValue(x500Name_subject.getEncoded()); certTemp.getSerialNumber().setByteArrayValue(serialNumber.toByteArray()); certTemp.getValue().setByteArrayValue(cert.getEncoded()); session.createObject(certTemp); return new X509CertificateHolder(Certificate.getInstance(cert)); }
From source file:org.xipki.security.shell.CertRequestGenCommand.java
License:Open Source License
@Override protected Object _doExecute() throws Exception { P10RequestGenerator p10Gen = new P10RequestGenerator(); hashAlgo = hashAlgo.trim().toUpperCase(); if (hashAlgo.indexOf('-') != -1) { hashAlgo = hashAlgo.replaceAll("-", ""); }/*from w w w. j a va 2 s.c o m*/ if (needExtensionTypes == null) { needExtensionTypes = new LinkedList<>(); } // SubjectAltNames List<Extension> extensions = new LinkedList<>(); if (isNotEmpty(subjectAltNames)) { extensions.add(P10RequestGenerator.createExtensionSubjectAltName(subjectAltNames, false)); needExtensionTypes.add(Extension.subjectAlternativeName.getId()); } // SubjectInfoAccess if (isNotEmpty(subjectInfoAccesses)) { extensions.add(P10RequestGenerator.createExtensionSubjectInfoAccess(subjectInfoAccesses, false)); needExtensionTypes.add(Extension.subjectInfoAccess.getId()); } // Keyusage if (isNotEmpty(keyusages)) { Set<KeyUsage> usages = new HashSet<>(); for (String usage : keyusages) { usages.add(KeyUsage.getKeyUsage(usage)); } org.bouncycastle.asn1.x509.KeyUsage extValue = X509Util.createKeyUsage(usages); ASN1ObjectIdentifier extType = Extension.keyUsage; extensions.add(new Extension(extType, false, extValue.getEncoded())); needExtensionTypes.add(extType.getId()); } // ExtendedKeyusage if (isNotEmpty(extkeyusages)) { Set<ASN1ObjectIdentifier> oids = new HashSet<>(SecurityUtil.textToASN1ObjectIdentifers(extkeyusages)); ExtendedKeyUsage extValue = X509Util.createExtendedUsage(oids); ASN1ObjectIdentifier extType = Extension.extendedKeyUsage; extensions.add(new Extension(extType, false, extValue.getEncoded())); needExtensionTypes.add(extType.getId()); } if (isNotEmpty(needExtensionTypes) || isNotEmpty(wantExtensionTypes)) { ExtensionExistence ee = new ExtensionExistence( SecurityUtil.textToASN1ObjectIdentifers(needExtensionTypes), SecurityUtil.textToASN1ObjectIdentifers(wantExtensionTypes)); extensions.add(new Extension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions, false, ee.toASN1Primitive().getEncoded())); } ConcurrentContentSigner identifiedSigner = getSigner(hashAlgo, new SignatureAlgoControl(rsaMgf1, dsaPlain)); Certificate cert = Certificate.getInstance(identifiedSigner.getCertificate().getEncoded()); X500Name subjectDN; if (subject != null) { subjectDN = new X500Name(subject); } else { subjectDN = cert.getSubject(); } SubjectPublicKeyInfo subjectPublicKeyInfo = cert.getSubjectPublicKeyInfo(); ContentSigner signer = identifiedSigner.borrowContentSigner(); PKCS10CertificationRequest p10Req; try { p10Req = p10Gen.generateRequest(signer, subjectPublicKeyInfo, subjectDN, extensions); } finally { identifiedSigner.returnContentSigner(signer); } File file = new File(outputFilename); saveVerbose("saved PKCS#10 request to file", file, p10Req.getEncoded()); return null; }