Example usage for org.bouncycastle.asn1.x509 GeneralName GeneralName

List of usage examples for org.bouncycastle.asn1.x509 GeneralName GeneralName

Introduction

This page lists usage examples of the org.bouncycastle.asn1.x509 GeneralName constructor.

Prototype

public GeneralName(X500Name dirName) 


Usage

From source file:ClientOCSPDriver.java

License:Open Source License

/**
 * Generates a signed OCSP client request with the parameters specified in the constructor.
 * This method can only be called once; a second call throws {@link OCSPException}.
 * <p>
 * {@code signingalgorithm} and {@code provider} are handed straight to
 * {@code OCSPReqGenerator.generate}; no default is applied inside this method, so the
 * "MD5WITHRSA" default quoted below has to come from the caller. NOTE(review): MD5-based
 * signature algorithms are broken; a SHA-2 based algorithm should be used for new requests.
 * The request is only signed when both a user certificate and a user key are configured;
 * otherwise an unsigned request is produced.
 *
 * @param signingalgorithm The algorithm that should be used to sign the OCSP client request, default is "MD5WITHRSA".
 * @param provider The provider used to compute the hashes and sign the request, default is "BC" (Bouncy Castle).
 * @param user Optional e-mail address used as the RFC 822 requestor name; when non-null it is used
 *        instead of the subject DN of the user certificate.
 * @return The raw DER encoded client OCSP request. This data has to be transported over a specific
 *         protocol (such as HTTP) to the OCSP server in order to get an OCSP server response.
 * @throws OCSPException if the request was already generated or, presumably, when the BC generator
 *         cannot build the request.
 * @throws NoSuchProviderException if {@code provider} is not installed.
 * @throws IOException if the request cannot be DER encoded.
 */
public byte[] getRequest(String signingalgorithm, String provider, String user)
        throws OCSPException, NoSuchProviderException, IOException {
    if (calledgenerate)
        throw new OCSPException("Request was already generated!");
    // map: CertificateID -> certificate; presumably used to match the responder's answers later
    map.clear();
    OCSPReqGenerator gen = new OCSPReqGenerator();
    // One single-certificate request per certificate; HASH_SHA1 selects SHA-1 for the
    // issuerNameHash/issuerKeyHash fields of the CertID.
    for (int i = 0; i < certificates.length; ++i) {
        CertificateID certid = new CertificateID(CertificateID.HASH_SHA1, mastercert,
                certificates[i].getSerialNumber());
        // Debug output goes to stdout; the hashes are not secret, but a logger would be preferable.
        System.out.println("issuerNameHash: " + toHexadecimal(certid.getIssuerNameHash()));
        System.out.println("issuerKeyHash: " + toHexadecimal(certid.getIssuerKeyHash()));
        System.out.println("serialNumber: " + certid.getSerialNumber());
        map.put(certid, certificates[i]);
        gen.addRequest(certid);
    }

    ASN1Sequence seq = null;
    // Requestor name = subject DN of the user certificate, only when no explicit user was given.
    if (usercert != null && userkey != null && user == null) {
        X509Name subjectName = new X509Name(true, usercert.getSubjectX500Principal().getName());
        // raw Vectors: X509Name#getOIDs/getValues return them in this BC version
        Vector oids = subjectName.getOIDs();
        Vector values = subjectName.getValues();

        //Create a ASNSequence object for the subject DN
        seq = getASNSequence(oids, values);
        gen.setRequestorName(new GeneralName(new X509Name(seq)));
    }
    // An explicit user overrides the DN-based requestor name with an rfc822Name.
    if (user != null) {
        gen.setRequestorName(new GeneralName(GeneralName.rfc822Name, user));
    }

    // Nonce extension 1.3.6.1.5.5.7.48.1.2 (disabled).
    // NOTE(review): with the nonce left out, the resulting request carries nothing that binds
    // a responder's answer to this particular request, so a cached or replayed response cannot
    // be distinguished from a fresh one. Re-enable it on the current BC API if freshness matters.
    /*
            byte[] Nonce = new byte[16];
            random.nextBytes(Nonce);                  
           ASN1EncodableVector  v = new ASN1EncodableVector();       
            ASN1EncodableVector  sVec = new ASN1EncodableVector();        
           DERObjectIdentifier  oid = new DERObjectIdentifier("1.3.6.1.5.5.7.48.1.2");
            v.add(oid);        
            v.add(new DEROctetString(Nonce));
            sVec.add(new DERSequence(v));        
            seq = new DERSequence(sVec);      
           gen.setRequestExtensions(new X509Extensions(seq));
    */
    //End

    byte[] ocspdata = null;
    // Signed request only when both certificate and private key are available.
    if (usercert != null && userkey != null) {
        ocspdata = gen.generate(signingalgorithm, userkey, new X509Certificate[] { usercert }, provider)
                .getEncoded();
    } else {
        ocspdata = gen.generate().getEncoded();
    }
    calledgenerate = true;
    return ocspdata;
}

From source file:br.gov.frameworkdemoiselle.certificate.signer.pkcs7.bc.attribute.BCSigningCertificate.java

License:Open Source License

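/**
 * Encodes the ESS {@code SigningCertificate} attribute value (RFC 2634 section 5.4) for the
 * certificate held by the wrapped attribute: a SHA-1 hash of the certificate's DER encoding
 * plus an {@code IssuerSerial} naming the certificate's issuer and serial number.
 *
 * @return an ASN.1 SET holding one SigningCertificate SEQUENCE
 * @throws IllegalStateException if the certificate cannot be DER encoded
 */
@Override
public ASN1Set getValue() {
    SigningCertificate attribute = (SigningCertificate) super.getAttribute();
    X509Certificate cert = attribute.getValue();
    Digest digest = DigestFactory.getInstance().factoryDefault();
    // ESSCertID (v1) is defined over a SHA-1 certificate hash.
    digest.setAlgorithm(DigestAlgorithmEnum.SHA_1);
    byte[] certHash;
    try {
        certHash = digest.digest(cert.getEncoded());
    } catch (CertificateEncodingException ex) {
        // The original only printed the stack trace and went on with certHash == null, which
        // would end up inside an unverifiable ESSCertID. Fail instead and keep the cause.
        throw new IllegalStateException("Unable to DER encode the signer certificate", ex);
    }
    // IssuerSerial identifies the certificate by its *issuer* name plus serial number
    // (RFC 2634 section 5.4.1 / RFC 5035); the original used the subject DN here, which yields
    // an ESSCertID that does not match the certificate it is meant to bind.
    // NOTE(review): rebuilding the name from its RFC 2253 string may re-encode attribute string
    // types; deriving it from getIssuerX500Principal().getEncoded() would keep the exact DER —
    // confirm which form the verifier compares.
    X509Name issuerName = new X509Name(cert.getIssuerX500Principal().getName());
    GeneralName name = new GeneralName(issuerName);
    GeneralNames issuer = new GeneralNames(name);
    DERInteger serialNumber = new DERInteger(cert.getSerialNumber());
    IssuerSerial issuerSerial = new IssuerSerial(issuer, serialNumber);
    ESSCertID essCertId = new ESSCertID(certHash, issuerSerial);
    // SigningCertificate ::= SEQUENCE { certs SEQUENCE OF ESSCertID, policies ... OPTIONAL }
    // NOTE(review): the second element encodes `policies` as SEQUENCE { NULL }, which is not a
    // valid PolicyInformation; since policies is OPTIONAL, omitting it would be the conformant
    // form — confirm with the consumer before changing the wire format.
    return new DERSet(new DERSequence(
            new ASN1Encodable[] { new DERSequence(essCertId), new DERSequence(new DERNull()) }));
}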

From source file:br.gov.frameworkdemoiselle.certificate.signer.pkcs7.bc.attribute.BCSigningCertificateV2.java

License:Open Source License

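/**
 * Encodes the ESS {@code SigningCertificateV2} attribute value (RFC 5035) for the
 * certificate held by the wrapped attribute: a hash of the certificate's DER encoding, the
 * hash algorithm identifier taken from the attribute, and an {@code IssuerSerial} naming the
 * certificate's issuer and serial number.
 *
 * @return an ASN.1 SET holding one SigningCertificateV2 SEQUENCE
 * @throws IllegalStateException if the certificate cannot be DER encoded
 */
@Override
public ASN1Set getValue() {
    SigningCertificateV2 attribute = (SigningCertificateV2) super.getAttribute();
    X509Certificate cert = attribute.getValue();
    Digest digest = DigestFactory.getInstance().factoryDefault();
    // NOTE(review): the hash is always computed with SHA-256, while the AlgorithmIdentifier
    // below comes from attribute.getAlgorithmHash(); if that ever names another algorithm the
    // hashAlgorithm field and certHash disagree. Derive both from the same source — confirm
    // the enum mapping before changing.
    digest.setAlgorithm(DigestAlgorithmEnum.SHA_256);
    byte[] certHash;
    try {
        certHash = digest.digest(cert.getEncoded());
    } catch (CertificateEncodingException ex) {
        // The original only printed the stack trace and went on with certHash == null, which
        // would end up inside an unverifiable ESSCertIDv2. Fail instead and keep the cause.
        throw new IllegalStateException("Unable to DER encode the signer certificate", ex);
    }
    // IssuerSerial identifies the certificate by its *issuer* name plus serial number
    // (RFC 5035 section 4); the original used the subject DN here, which yields an
    // ESSCertIDv2 that does not match the certificate it is meant to bind.
    // NOTE(review): rebuilding the name from its RFC 2253 string may re-encode attribute string
    // types; deriving it from getIssuerX500Principal().getEncoded() would keep the exact DER —
    // confirm which form the verifier compares.
    X509Name issuerName = new X509Name(cert.getIssuerX500Principal().getName());
    GeneralName name = new GeneralName(issuerName);
    GeneralNames issuer = new GeneralNames(name);
    DERInteger serial = new DERInteger(cert.getSerialNumber());
    IssuerSerial issuerSerial = new IssuerSerial(issuer, serial);
    String algorithmHashOID = SignerAlgorithmEnum.getSignerAlgorithmEnum(attribute.getAlgorithmHash())
            .getOIDAlgorithmHash();
    AlgorithmIdentifier algorithmId = new AlgorithmIdentifier(algorithmHashOID);
    ESSCertIDv2 essCertIDv2 = new ESSCertIDv2(algorithmId, certHash, issuerSerial);
    // SigningCertificateV2 ::= SEQUENCE { certs SEQUENCE OF ESSCertIDv2, policies ... OPTIONAL }
    // NOTE(review): the second element encodes `policies` as SEQUENCE { NULL }, which is not a
    // valid PolicyInformation; since policies is OPTIONAL, omitting it would be the conformant
    // form — confirm with the consumer before changing the wire format.
    return new DERSet(new DERSequence(
            new ASN1Encodable[] { new DERSequence(essCertIDv2), new DERSequence(new DERNull()) }));
}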

From source file:com.example.androidtest.SslUtil.java

License:Open Source License

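/**
 * Creates an AuthorityKeyIdentifier from a public key, name, and serial
 * number.
 * <p>
 * {@link AuthorityKeyIdentifierStructure} is <i>almost</i> perfect for this,
 * but sadly it does not have a constructor suitable for us:
 * {@link AuthorityKeyIdentifierStructure#AuthorityKeyIdentifierStructure(PublicKey)}
 * does not set the serial number or name (which is important to us), while
 * {@link AuthorityKeyIdentifierStructure#AuthorityKeyIdentifierStructure(X509Certificate)}
 * sets those fields but needs a completed certificate to do so.
 * <p>
 * This method addresses the gap in available {@link AuthorityKeyIdentifier}
 * constructors provided by BouncyCastle; its implementation is derived from
 * {@link AuthorityKeyIdentifierStructure#AuthorityKeyIdentifierStructure(X509Certificate)}.
 * <p>
 * NOTE(review): per RFC 5280 section 4.2.1.1 the name and serial number placed in this
 * extension are those of the <em>issuing</em> CA's certificate, and the key identifier is
 * derived from the issuer's public key — callers must pass the CA's values, not the subject's.
 *
 * @param publicKey  the public key
 * @param name  the name
 * @param serialNumber  the serial number
 * @return  a new {@link AuthorityKeyIdentifier}
 * @throws RuntimeException if the key's encoding cannot be parsed as a SubjectPublicKeyInfo;
 *         the parse error is attached as the cause
 */
private static AuthorityKeyIdentifier createAuthorityKeyIdentifier(PublicKey publicKey, X509Name name,
        BigInteger serialNumber) {
    GeneralName genName = new GeneralName(name);
    SubjectPublicKeyInfo info;
    try {
        // publicKey.getEncoded() is expected to be the X.509 SubjectPublicKeyInfo DER; it is
        // re-parsed into BC's structure. NOTE(review): getEncoded() may return null for keys
        // that do not support encoding, which would surface as a NullPointerException here.
        info = new SubjectPublicKeyInfo(
                (ASN1Sequence) new ASN1InputStream(publicKey.getEncoded()).readObject());
    } catch (IOException e) {
        // keep the cause: the original dropped it, hiding why the key failed to parse
        throw new RuntimeException("Error encoding public key", e);
    }
    return new AuthorityKeyIdentifier(info, new GeneralNames(genName), serialNumber);
}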

From source file:com.otterca.common.crypto.X509CertificateBuilderImpl.java

License:Apache License

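/**
 * Sets the Name Constraints extension (RFC 3280 section 4.2.1.11) from the configured
 * permitted and excluded subtrees. Nothing is added when both lists are empty.
 * <p>
 * The extension is added as critical: RFC 3280/5280 require conforming CAs to mark
 * nameConstraints critical, and a non-critical instance may be ignored by a relying party,
 * which would silently disable the constraints. (The original added it as non-critical.)
 */
protected void setNameConstraints() {
    // FIXME: add constraints inherited from parent?
    if (permittedNames.isEmpty() && excludedNames.isEmpty()) {
        return;
    }

    // NameConstraints in this BC version takes Vectors of its own GeneralSubtree type; each
    // builder-side subtree becomes a directoryName subtree with the same min/max bounds.
    Vector<org.bouncycastle.asn1.x509.GeneralSubtree> permitted = new Vector<org.bouncycastle.asn1.x509.GeneralSubtree>();
    for (GeneralSubtree subtree : permittedNames) {
        GeneralName base = new GeneralName(new X500Name(subtree.getName().getName()));
        permitted.add(new org.bouncycastle.asn1.x509.GeneralSubtree(base, subtree.getMin(), subtree.getMax()));
    }

    Vector<org.bouncycastle.asn1.x509.GeneralSubtree> excluded = new Vector<org.bouncycastle.asn1.x509.GeneralSubtree>();
    for (GeneralSubtree subtree : excludedNames) {
        GeneralName base = new GeneralName(new X500Name(subtree.getName().getName()));
        excluded.add(new org.bouncycastle.asn1.x509.GeneralSubtree(base, subtree.getMin(), subtree.getMax()));
    }

    generator.addExtension(X509Extensions.NameConstraints, true, new NameConstraints(permitted, excluded));
}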

From source file:ee.sk.digidoc.factory.BouncyCastleNotaryFactory.java

License:Open Source License

/**
 * Creates a new OCSP request for {@code signersCert}, optionally carrying a nonce extension
 * and optionally signed with the factory's own certificate and key ({@code m_signCert},
 * {@code m_signKey}).
 *
 * @param nonce 128 byte RSA+SHA1 signatures digest; use null if you want to verify only the
 *        certificate and this is not related to any signature (no nonce extension is added then)
 * @param signersCert signature owner's cert
 * @param caCert CA cert for this signer
 * @param bSigned flag: signed request or not
 * @return the generated request; null if creation failed and
 *         {@code DigiDocException.handleException} returned instead of throwing (its behaviour
 *         is not visible here)
 * @throws DigiDocException when request creation fails and handleException rethrows it
 */
private OCSPReq createOCSPRequest(byte[] nonce, X509Certificate signersCert, X509Certificate caCert,
        boolean bSigned) throws DigiDocException {
    OCSPReq req = null;
    OCSPReqGenerator ocspRequest = new OCSPReqGenerator();
    try {
        //Create certificate id, for OCSP request
        CertificateID certId = creatCertReq(signersCert, caCert);
        if (m_logger.isDebugEnabled())
            m_logger.debug("Request for: " + certId.getHashAlgOID() + " serial: " + certId.getSerialNumber()
                    + " issuer: " + Base64Util.encode(certId.getIssuerKeyHash()) + " subject: "
                    + Base64Util.encode(certId.getIssuerNameHash()));
        ocspRequest.addRequest(certId);

        // Nonce extension (non-critical): lets the caller bind the responder's answer to this
        // request, so a cached or replayed response can be detected.
        if (nonce != null) {
            ASN1OctetString ocset = new BERConstructedOctetString(nonce);
            X509Extension ext = new X509Extension(false, ocset);
            //nonce Identifier
            DERObjectIdentifier nonceIdf = new DERObjectIdentifier(nonceOid);
            // raw Hashtable: appears to be what X509Extensions(Hashtable) expects in this BC version
            Hashtable tbl = new Hashtable(1);
            tbl.put(nonceIdf, ext);
            // create extendions, with one extendion(NONCE)
            X509Extensions extensions = new X509Extensions(tbl);
            ocspRequest.setRequestExtensions(extensions);
        }
        //X509Name n = new X509Name()
        // Requestor name: the factory's signing cert for signed requests, the signer's cert otherwise.
        GeneralName name = null;
        if (bSigned) {
            if (m_logger.isDebugEnabled())
                m_logger.debug("SignCert: " + ((m_signCert != null) ? m_signCert.toString() : "NULL"));
            // NOTE(review): a null m_signCert is only logged as "NULL" and then dereferenced here;
            // the resulting exception would presumably land in the catch-all below.
            name = new GeneralName(PrincipalUtil.getSubjectX509Principal(m_signCert));
        } else {
            name = new GeneralName(PrincipalUtil.getSubjectX509Principal(signersCert));
            // VS: Mihhails patch for accepting Hansa's cert
            /*
            Hashtable myLookUp=new Hashtable(X509Name.DefaultLookUp);
             DERObjectIdentifier SERIALNUMBER = new DERObjectIdentifier("2.5.4.5");
             myLookUp.put(SERIALNUMBER, "SERIALNUMBER");
             name = new GeneralName(new X509Name(X509Name.DefaultReverse, 
                myLookUp,signersCert.getSubjectDN().toString()));
                */
        }

        ocspRequest.setRequestorName(name);

        if (bSigned) {
            // lets generate signed request
            // NOTE(review): SHA1WITHRSA is hard-coded; SHA-1 signatures are deprecated for new use —
            // consider a SHA-2 based algorithm if the responder accepts it.
            X509Certificate[] chain = { m_signCert };
            req = ocspRequest.generate("SHA1WITHRSA", m_signKey, chain, "BC");
            // Self-check of the freshly made signature. NOTE(review): a failure is only logged and
            // the request is still returned; treat it as an error if an unverifiable signed
            // request must never leave this method.
            if (!req.verify(m_signCert.getPublicKey(), "BC")) {
                m_logger.error("Verify failed");
            }
        } else { // unsigned request
            req = ocspRequest.generate();
        }

    // catch-all: every failure (including runtime exceptions) is mapped to ERR_OCSP_REQ_CREATE
    } catch (Exception ex) {
        DigiDocException.handleException(ex, DigiDocException.ERR_OCSP_REQ_CREATE);
    }
    return req;
}

From source file:es.gob.afirma.envelopers.cades.CAdESUtils.java

License:Open Source License

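/** Builds the signed-attributes vector for a signer: the base attributes produced by
 * {@code initContexExpecific}, the signer's serial number, a SigningCertificate (when the
 * digest is SHA-1) or SigningCertificateV2 (any other digest) attribute and, when a policy
 * identifier is configured, the id-aa-ets-sigPolicyId attribute.
 * @param cert Signer certificate
 * @param digestAlgorithmName Name of the digest algorithm; selects between the ESSCertID
 *        (SHA-1) and ESSCertIDv2 (other digests) signing-certificate forms
 * @param datos Signed data
 * @param policy Signature policy; may be {@code null}, in which case no policy information is emitted
 * @param messageDigest Precomputed digest, passed through to {@code initContexExpecific}
 * @return The attributes needed to build the signature over the signer's data
 * @throws java.security.NoSuchAlgorithmException if {@code digestAlgorithmName} is not available
 * @throws java.io.IOException if the certificate's TBS structure cannot be parsed
 * @throws CertificateEncodingException if the certificate cannot be encoded */
static ASN1EncodableVector generateSignerInfo(final X509Certificate cert, final String digestAlgorithmName,
        final byte[] datos, final AdESPolicy policy, final byte[] messageDigest)
        throws NoSuchAlgorithmException, IOException, CertificateEncodingException {

    // Digest algorithm identifier
    final AlgorithmIdentifier digestAlgorithmOID = SigUtils
            .makeAlgId(AOAlgorithmID.getOID(digestAlgorithmName));

    // authenticatedAttributes
    final ASN1EncodableVector contexExpecific = initContexExpecific(digestAlgorithmName, datos,
            PKCSObjectIdentifiers.data.getId(), messageDigest);

    // Serial number (comment this out for the RFC 3852 variant)
    contexExpecific.add(new Attribute(RFC4519Style.serialNumber,
            new DERSet(new DERPrintableString(cert.getSerialNumber().toString()))));

    // Both signing-certificate forms need the issuer/serial of the signer certificate
    // (IssuerSerial ::= SEQUENCE { issuer GeneralNames, serialNumber CertificateSerialNumber })
    // and a digest of its DER encoding; compute them once.
    final TBSCertificateStructure tbs = TBSCertificateStructure
            .getInstance(ASN1Primitive.fromByteArray(cert.getTBSCertificate()));
    final IssuerSerial issuerSerial = new IssuerSerial(new GeneralNames(new GeneralName(tbs.getIssuer())),
            tbs.getSerialNumber());
    final byte[] certHash = MessageDigest.getInstance(digestAlgorithmName).digest(cert.getEncoded());

    // A policy is only applied when one is configured. The original dereferenced `policy`
    // unconditionally, which threw NullPointerException for policy-less signatures.
    final boolean hasPolicy = policy != null && policy.getPolicyIdentifier() != null;

    if (!"SHA1".equals(AOSignConstants.getDigestAlgorithmName(digestAlgorithmName))) { //$NON-NLS-1$

        // SigningCertificateV2 (RFC 5035):
        //   ESSCertIDv2 ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier DEFAULT {algorithm id-sha256},
        //                              certHash Hash, issuerSerial IssuerSerial OPTIONAL }
        //   SigningCertificateV2 ::= SEQUENCE { certs SEQUENCE OF ESSCertIDv2,
        //                                       policies SEQUENCE OF PolicyInformation OPTIONAL }
        final ESSCertIDv2[] essCertIDv2 = { new ESSCertIDv2(digestAlgorithmOID, certHash, issuerSerial) };
        final SigningCertificateV2 scv2 = hasPolicy
                ? new SigningCertificateV2(essCertIDv2, getPolicyInformation(policy))
                : new SigningCertificateV2(essCertIDv2);
        contexExpecific.add(new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2, new DERSet(scv2)));

    } else {

        // SigningCertificate (RFC 2634):
        //   ESSCertID ::= SEQUENCE { certHash Hash, issuerSerial IssuerSerial OPTIONAL }
        //   Hash ::= OCTET STRING -- SHA-1 hash of the entire certificate
        final ESSCertID essCertID = new ESSCertID(certHash, issuerSerial);

        final SigningCertificate scv;
        if (hasPolicy) {
            // Assembled by hand: this BouncyCastle version has no (ESSCertID, PolicyInformation) constructor.
            final ASN1EncodableVector v = new ASN1EncodableVector();
            v.add(new DERSequence(essCertID));
            v.add(new DERSequence(getPolicyInformation(policy)));
            scv = SigningCertificate.getInstance(new DERSequence(v));
        } else {
            scv = new SigningCertificate(essCertID);
        }

        // id-aa-signingCertificate OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549)
        //                                                  pkcs(1) pkcs9(9) smime(16) id-aa(2) 12 }
        contexExpecific.add(new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificate, new DERSet(scv)));
    }

    if (hasPolicy) {
        contexExpecific.add(buildSigPolicyIdAttribute(policy, digestAlgorithmOID));
    }

    return contexExpecific;
}

/** Builds the id-aa-ets-sigPolicyId attribute (ETSI SignaturePolicyId) for a configured policy.
 * @param policy Signature policy; {@code getPolicyIdentifier()} must be non-null
 * @param digestAlgorithmOID Hash algorithm used when the policy does not name one of its own
 * @return The signature-policy attribute */
private static Attribute buildSigPolicyIdAttribute(final AdESPolicy policy,
        final AlgorithmIdentifier digestAlgorithmOID) {

    // SigPolicyId ::= OBJECT IDENTIFIER; an optional "urn:oid:" prefix is stripped.
    // Locale.ROOT keeps the lower-casing locale-independent (a Turkish default locale would
    // turn "OID" into "oıd" and the prefix would never match).
    final ASN1ObjectIdentifier doiSigPolicyId = new ASN1ObjectIdentifier(
            policy.getPolicyIdentifier().toLowerCase(java.util.Locale.ROOT).replace("urn:oid:", "")); //$NON-NLS-1$ //$NON-NLS-2$

    // OtherHashAlgAndValue ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, hashValue OCTET STRING }
    // Hash algorithm: the policy's own if it names one, otherwise the signature digest algorithm.
    final AlgorithmIdentifier hashid;
    if (policy.getPolicyIdentifierHashAlgorithm() != null) {
        hashid = SigUtils.makeAlgId(AOAlgorithmID
                .getOID(AOSignConstants.getDigestAlgorithmName(policy.getPolicyIdentifierHashAlgorithm())));
    } else {
        hashid = digestAlgorithmOID;
    }
    // Hash of the policy document, supplied Base64-encoded.
    // NOTE(review): a missing hash is encoded as a single zero byte, which no verifier can check
    // against the policy document — confirm this placeholder is what downstream validators expect.
    final byte[] hashed;
    if (policy.getPolicyIdentifierHash() != null) {
        hashed = Base64.decode(policy.getPolicyIdentifierHash());
    } else {
        hashed = new byte[] { 0 };
    }
    final DigestInfo otherHashAlgAndValue = new DigestInfo(hashid, hashed);

    // SigPolicyQualifierInfo ::= SEQUENCE { SigPolicyQualifierId, SigQualifier ANY DEFINED BY policyQualifierId }
    SigPolicyQualifierInfo spqInfo = null;
    if (policy.getPolicyQualifier() != null) {
        spqInfo = new SigPolicyQualifierInfo(policy.getPolicyQualifier().toString());
    }

    // SignaturePolicyId ::= SEQUENCE { sigPolicyId SigPolicyId, sigPolicyHash SigPolicyHash,
    //                                  sigPolicyQualifiers SEQUENCE SIZE (1..MAX) OF SigPolicyQualifierInfo OPTIONAL }
    final ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(doiSigPolicyId);
    v.add(otherHashAlgAndValue.toASN1Primitive());
    if (spqInfo != null) {
        v.add(spqInfo.toASN1Primitive());
    }
    final DERSequence ds = new DERSequence(v);

    return new Attribute(PKCSObjectIdentifiers.id_aa_ets_sigPolicyId, new DERSet(ds.toASN1Primitive()));
}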

From source file:es.gob.afirma.signers.cades.CAdESUtils.java

License:Open Source License

/** Builds the <i>SigningCertificateV2</i> attribute defined in RFC 5035:
 *
 * <pre>
 * id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= { iso(1)
 *      member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
 *      smime(16) id-aa(2) 47
 * }
 *
 * SigningCertificateV2 ::=  SEQUENCE {
 *      certs        SEQUENCE OF ESSCertIDv2,
 *      policies     SEQUENCE OF PolicyInformation OPTIONAL
 * }
 * </pre>
 *
 * @param cert Signer certificate
 * @param digestAlgorithmName Digest algorithm used both for certHash and for the ESSCertIDv2 hashAlgorithm field
 * @param policy Signature policy; when {@code null} or without an identifier no policies are included
 * @return The id-aa-signingCertificateV2 attribute
 * @throws CertificateEncodingException if the certificate cannot be DER encoded
 * @throws NoSuchAlgorithmException if the digest algorithm is not supported
 * @throws IOException on data handling errors */
private static Attribute getSigningCertificateV2(final X509Certificate cert, final String digestAlgorithmName,
        final AdESPolicy policy) throws CertificateEncodingException, NoSuchAlgorithmException, IOException {

    final AlgorithmIdentifier hashAlgId = SigUtils.makeAlgId(AOAlgorithmID.getOID(digestAlgorithmName));

    // IssuerSerial ::= SEQUENCE { issuer GeneralNames, serialNumber CertificateSerialNumber }
    // The issuer name is taken from the certificate's DER-encoded issuer, so it round-trips exactly.
    final X500Name issuerName = X500Name.getInstance(cert.getIssuerX500Principal().getEncoded());
    final IssuerSerial issuerSerial = new IssuerSerial(new GeneralNames(new GeneralName(issuerName)),
            cert.getSerialNumber());

    // ESSCertIDv2 ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier DEFAULT {algorithm id-sha256},
    //                            certHash Hash, issuerSerial IssuerSerial OPTIONAL }
    final MessageDigest md = MessageDigest.getInstance(digestAlgorithmName);
    final ESSCertIDv2[] certIds = { new ESSCertIDv2(hashAlgId, md.digest(cert.getEncoded()), issuerSerial) };

    // PolicyInformation ::= SEQUENCE { policyIdentifier CertPolicyId,
    //                                  policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
    final boolean withPolicy = policy != null && policy.getPolicyIdentifier() != null;
    final SigningCertificateV2 signingCert = withPolicy
            ? new SigningCertificateV2(certIds, getPolicyInformation(policy))
            : new SigningCertificateV2(certIds);

    return new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2, new DERSet(signingCert));
}

From source file:es.gob.afirma.signers.cades.CAdESUtils.java

License:Open Source License

/** Builds the <i>SigningCertificate</i> (v1) attribute defined in RFC 2634 / RFC 5035:
 *
 * <pre>
 * id-aa-signingCertificate OBJECT IDENTIFIER ::= { iso(1)
 *      member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
 *      smime(16) id-aa(2) 12
 * }
 *
 * SigningCertificate ::=  SEQUENCE {
 *      certs        SEQUENCE OF ESSCertID,
 *      policies     SEQUENCE OF PolicyInformation OPTIONAL
 * }
 * </pre>
 *
 * ESSCertID carries no hash algorithm identifier: the specification defines certHash as the
 * SHA-1 hash of the certificate, so callers are expected to pass SHA-1 as
 * {@code digestAlgorithmName} here (the method itself does not check this).
 *
 * @param cert Signer certificate
 * @param digestAlgorithmName Digest algorithm used to compute certHash
 * @param policy Signature policy; when {@code null} or without an identifier no policies are included
 * @return The id-aa-signingCertificate attribute
 * @throws CertificateEncodingException if the certificate cannot be DER encoded
 * @throws NoSuchAlgorithmException if the digest algorithm is not supported */
private static Attribute getSigningCertificateV1(final X509Certificate cert, final String digestAlgorithmName,
        final AdESPolicy policy) throws CertificateEncodingException, NoSuchAlgorithmException {

    // IssuerSerial ::= SEQUENCE { issuer GeneralNames, serialNumber CertificateSerialNumber }
    // The issuer name is taken from the certificate's DER-encoded issuer, so it round-trips exactly.
    final X500Name issuerName = X500Name.getInstance(cert.getIssuerX500Principal().getEncoded());
    final IssuerSerial issuerSerial = new IssuerSerial(new GeneralNames(new GeneralName(issuerName)),
            cert.getSerialNumber());

    // ESSCertID ::= SEQUENCE { certHash Hash, issuerSerial IssuerSerial OPTIONAL }
    final MessageDigest md = MessageDigest.getInstance(digestAlgorithmName);
    final ESSCertID certId = new ESSCertID(md.digest(cert.getEncoded()), issuerSerial);

    // SigningCertificate ::= SEQUENCE { certs SEQUENCE OF ESSCertID,
    //                                   policies SEQUENCE OF PolicyInformation OPTIONAL }
    final SigningCertificate signingCert;
    if (policy == null || policy.getPolicyIdentifier() == null) {
        signingCert = new SigningCertificate(certId);
    } else {
        // Assembled by hand: this BouncyCastle version has no (ESSCertID, PolicyInformation) constructor.
        final ASN1EncodableVector seq = new ASN1EncodableVector();
        seq.add(new DERSequence(certId));
        seq.add(new DERSequence(getPolicyInformation(policy)));
        signingCert = SigningCertificate.getInstance(new DERSequence(seq));
    }

    return new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificate, new DERSet(signingCert));
}

From source file:es.uji.security.crypto.openxades.digidoc.factory.BouncyCastleNotaryFactory.java

License:Open Source License

/**
 * Creates a new OCSP request for {@code signersCert}, optionally carrying a nonce extension
 * and optionally signed with the factory's own certificate and key ({@code m_signCert},
 * {@code m_signKey}).
 *
 * @param nonce
 *            128 byte RSA+SHA1 signatures digest; use null if you want to verify only the
 *            certificate and this is not related to any signature (no nonce extension is added then)
 * @param signersCert
 *            signature owner's cert
 * @param caCert
 *            CA cert for this signer
 * @param bSigned
 *            flag: signed request or not
 * @return the generated request; null if creation failed and
 *         {@code DigiDocException.handleException} returned instead of throwing (its behaviour
 *         is not visible here)
 * @throws DigiDocException when request creation fails and handleException rethrows it
 */
private OCSPReq createOCSPRequest(byte[] nonce, X509Certificate signersCert, X509Certificate caCert,
        boolean bSigned) throws DigiDocException {
    OCSPReq req = null;
    OCSPReqGenerator ocspRequest = new OCSPReqGenerator();
    try {
        // Create certificate id, for OCSP request
        CertificateID certId = creatCertReq(signersCert, caCert);
        if (m_logger.isDebugEnabled())
            m_logger.debug("Request for: " + certId.getHashAlgOID() + " serial: " + certId.getSerialNumber()
                    + " issuer: " + Base64.encodeBytes(certId.getIssuerKeyHash()) + " subject: "
                    + Base64.encodeBytes(certId.getIssuerNameHash()));
        ocspRequest.addRequest(certId);

        // Nonce extension (non-critical): lets the caller bind the responder's answer to this
        // request, so a cached or replayed response can be detected.
        if (nonce != null) {
            ASN1OctetString ocset = new BERConstructedOctetString(nonce);
            X509Extension ext = new X509Extension(false, ocset);
            // nonce Identifier
            DERObjectIdentifier nonceIdf = new DERObjectIdentifier(nonceOid);
            // raw Hashtable: appears to be what X509Extensions(Hashtable) expects in this BC version
            Hashtable tbl = new Hashtable(1);
            tbl.put(nonceIdf, ext);
            // create extendions, with one extendion(NONCE)
            X509Extensions extensions = new X509Extensions(tbl);
            ocspRequest.setRequestExtensions(extensions);
        }
        // X509Name n = new X509Name()
        // Requestor name: the factory's signing cert for signed requests, the signer's cert otherwise.
        GeneralName name = null;
        if (bSigned) {
            if (m_logger.isDebugEnabled())
                m_logger.debug("SignCert: " + ((m_signCert != null) ? m_signCert.toString() : "NULL"));
            // NOTE(review): a null m_signCert is only logged as "NULL" and then dereferenced here;
            // the resulting exception would presumably land in the catch-all below.
            name = new GeneralName(PrincipalUtil.getSubjectX509Principal(m_signCert));
        } else {
            name = new GeneralName(PrincipalUtil.getSubjectX509Principal(signersCert));
            // VS: Mihhails patch for accepting Hansa's cert
            /*
             * Hashtable myLookUp=new Hashtable(X509Name.DefaultLookUp); DERObjectIdentifier
             * SERIALNUMBER = new DERObjectIdentifier("2.5.4.5"); myLookUp.put(SERIALNUMBER,
             * "SERIALNUMBER"); name = new GeneralName(new X509Name(X509Name.DefaultReverse,
             * myLookUp,signersCert.getSubjectDN().toString()));
             */
        }

        ocspRequest.setRequestorName(name);

        if (bSigned) {
            // lets generate signed request
            // NOTE(review): SHA1WITHRSA is hard-coded; SHA-1 signatures are deprecated for new use —
            // consider a SHA-2 based algorithm if the responder accepts it.
            X509Certificate[] chain = { m_signCert };
            req = ocspRequest.generate("SHA1WITHRSA", m_signKey, chain, "BC");
            // Self-check of the freshly made signature. NOTE(review): a failure is only logged and
            // the request is still returned; treat it as an error if an unverifiable signed
            // request must never leave this method.
            if (!req.verify(m_signCert.getPublicKey(), "BC")) {
                m_logger.error("Verify failed");
            }
        } else { // unsigned request
            req = ocspRequest.generate();
        }

    // catch-all: every failure (including runtime exceptions) is mapped to ERR_OCSP_REQ_CREATE
    } catch (Exception e) {
        DigiDocException.handleException(e, DigiDocException.ERR_OCSP_REQ_CREATE);
    }
    return req;
}