List of usage examples for org.bouncycastle.asn1.x9 X9ObjectIdentifiers ecdsa_with_SHA256
ASN1ObjectIdentifier ecdsa_with_SHA256
To view the source code for org.bouncycastle.asn1.x9 X9ObjectIdentifiers ecdsa_with_SHA256.
Click Source Link
From source file:org.cesecore.certificates.util.AlgorithmTools.java
License:Open Source License
/** * Get the digest algorithm corresponding to the signature algorithm. This is used for the creation of * PKCS7 file. SHA1 shall always be used, but it is not working with GOST which needs GOST3411 digest. * /*from w ww . ja va 2 s.c om*/ */ public static String getDigestFromSigAlg(String sigAlg) { if (sigAlg.toUpperCase().contains("GOST") || sigAlg.toUpperCase().contains("DSTU")) { return CMSSignedGenerator.DIGEST_GOST3411; } else { if (sigAlg.equals(X9ObjectIdentifiers.ecdsa_with_SHA1.getId()) || sigAlg.equals(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId())) { return CMSSignedGenerator.DIGEST_SHA1; } else if (sigAlg.equals(X9ObjectIdentifiers.ecdsa_with_SHA224.getId()) || sigAlg.equals(PKCSObjectIdentifiers.sha224WithRSAEncryption.getId())) { return CMSSignedGenerator.DIGEST_SHA224; } else if (sigAlg.equals(X9ObjectIdentifiers.ecdsa_with_SHA256.getId()) || sigAlg.equals(PKCSObjectIdentifiers.sha256WithRSAEncryption.getId())) { return CMSSignedGenerator.DIGEST_SHA256; } else if (sigAlg.equals(X9ObjectIdentifiers.ecdsa_with_SHA384.getId()) || sigAlg.equals(PKCSObjectIdentifiers.sha384WithRSAEncryption.getId())) { return CMSSignedGenerator.DIGEST_SHA384; } else if (sigAlg.equals(X9ObjectIdentifiers.ecdsa_with_SHA512.getId()) || sigAlg.equals(PKCSObjectIdentifiers.sha512WithRSAEncryption.getId())) { return CMSSignedGenerator.DIGEST_SHA512; } else if (sigAlg.equals(PKCSObjectIdentifiers.md5WithRSAEncryption.getId())) { return CMSSignedGenerator.DIGEST_MD5; } else if (sigAlg.equals(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001.getId())) { return CMSSignedGenerator.DIGEST_GOST3411; } } return CMSSignedGenerator.DIGEST_SHA1; }
From source file:org.cesecore.certificates.util.AlgorithmTools.java
License:Open Source License
/** Calculates which signature algorithm to use given a key type and a digest algorithm * /*w w w .jav a2 s. co m*/ * @param digestAlg objectId of a digest algorithm, CMSSignedGenerator.DIGEST_SHA256 etc * @param keyAlg RSA, EC, DSA * @return ASN1ObjectIdentifier with the id of PKCSObjectIdentifiers.sha1WithRSAEncryption, X9ObjectIdentifiers.ecdsa_with_SHA1, X9ObjectIdentifiers.id_dsa_with_sha1, etc */ public static ASN1ObjectIdentifier getSignAlgOidFromDigestAndKey(final String digestAlg, final String keyAlg) { if (log.isTraceEnabled()) { log.trace(">getSignAlg(" + digestAlg + "," + keyAlg + ")"); } // Default to SHA1WithRSA if everything else fails ASN1ObjectIdentifier oid = PKCSObjectIdentifiers.sha1WithRSAEncryption; if (keyAlg.equals(AlgorithmConstants.KEYALGORITHM_EC) || keyAlg.equals(AlgorithmConstants.KEYALGORITHM_ECDSA)) { oid = X9ObjectIdentifiers.ecdsa_with_SHA1; } else if (keyAlg.equals(AlgorithmConstants.KEYALGORITHM_DSA)) { oid = X9ObjectIdentifiers.id_dsa_with_sha1; } else if (keyAlg.equals(AlgorithmConstants.KEYALGORITHM_ECGOST3410)) { oid = CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001; } else if (keyAlg.equals(AlgorithmConstants.KEYALGORITHM_DSTU4145)) { oid = new ASN1ObjectIdentifier(CesecoreConfiguration.getOidDstu4145()); } if (digestAlg != null) { if (digestAlg.equals(CMSSignedGenerator.DIGEST_SHA256) && keyAlg.equals(AlgorithmConstants.KEYALGORITHM_RSA)) { oid = PKCSObjectIdentifiers.sha256WithRSAEncryption; } else if (digestAlg.equals(CMSSignedGenerator.DIGEST_SHA512) && keyAlg.equals(AlgorithmConstants.KEYALGORITHM_RSA)) { oid = PKCSObjectIdentifiers.sha512WithRSAEncryption; } else if (digestAlg.equals(CMSSignedGenerator.DIGEST_MD5) && keyAlg.equals(AlgorithmConstants.KEYALGORITHM_RSA)) { oid = PKCSObjectIdentifiers.md5WithRSAEncryption; } else if (digestAlg.equals(CMSSignedGenerator.DIGEST_SHA256) && (keyAlg.equals(AlgorithmConstants.KEYALGORITHM_ECDSA) || keyAlg.equals(AlgorithmConstants.KEYALGORITHM_EC))) { oid = X9ObjectIdentifiers.ecdsa_with_SHA256; } else if (digestAlg.equals(CMSSignedGenerator.DIGEST_SHA224) && (keyAlg.equals(AlgorithmConstants.KEYALGORITHM_ECDSA) || keyAlg.equals(AlgorithmConstants.KEYALGORITHM_EC))) { oid = X9ObjectIdentifiers.ecdsa_with_SHA224; } else if (digestAlg.equals(CMSSignedGenerator.DIGEST_SHA384) && (keyAlg.equals(AlgorithmConstants.KEYALGORITHM_ECDSA) || keyAlg.equals(AlgorithmConstants.KEYALGORITHM_EC))) { oid = X9ObjectIdentifiers.ecdsa_with_SHA384; } else if (digestAlg.equals(CMSSignedGenerator.DIGEST_SHA512) && (keyAlg.equals(AlgorithmConstants.KEYALGORITHM_ECDSA) || keyAlg.equals(AlgorithmConstants.KEYALGORITHM_EC))) { oid = X9ObjectIdentifiers.ecdsa_with_SHA512; } else if (digestAlg.equals(CMSSignedGenerator.DIGEST_SHA256) && keyAlg.equals(AlgorithmConstants.KEYALGORITHM_DSA)) { oid = NISTObjectIdentifiers.dsa_with_sha256; } else if (digestAlg.equals(CMSSignedGenerator.DIGEST_SHA512) && keyAlg.equals(AlgorithmConstants.KEYALGORITHM_DSA)) { oid = NISTObjectIdentifiers.dsa_with_sha512; } } if (log.isDebugEnabled()) { log.debug("getSignAlgOidFromDigestAndKey: " + oid.getId()); } return oid; }
From source file:org.cesecore.certificates.util.AlgorithmTools.java
License:Open Source License
/** * Returns the name of the algorithm corresponding to the specified OID * @param sigAlgOid/* w w w. j ava 2s .c om*/ * @return The name of the algorithm corresponding sigAlgOid or null if the algorithm is not recognized. */ public static String getAlgorithmNameFromOID(ASN1ObjectIdentifier sigAlgOid) { if (sigAlgOid.equals(PKCSObjectIdentifiers.md5WithRSAEncryption)) { return AlgorithmConstants.SIGALG_MD5_WITH_RSA; } if (sigAlgOid.equals(PKCSObjectIdentifiers.sha1WithRSAEncryption)) { return AlgorithmConstants.SIGALG_SHA1_WITH_RSA; } if (sigAlgOid.equals(PKCSObjectIdentifiers.sha256WithRSAEncryption)) { return AlgorithmConstants.SIGALG_SHA256_WITH_RSA; } if (sigAlgOid.equals(PKCSObjectIdentifiers.sha384WithRSAEncryption)) { return AlgorithmConstants.SIGALG_SHA384_WITH_RSA; } if (sigAlgOid.equals(PKCSObjectIdentifiers.sha512WithRSAEncryption)) { return AlgorithmConstants.SIGALG_SHA512_WITH_RSA; } if (sigAlgOid.equals(X9ObjectIdentifiers.ecdsa_with_SHA1)) { return AlgorithmConstants.SIGALG_SHA1_WITH_ECDSA; } if (sigAlgOid.equals(X9ObjectIdentifiers.ecdsa_with_SHA224)) { return AlgorithmConstants.SIGALG_SHA224_WITH_ECDSA; } if (sigAlgOid.equals(X9ObjectIdentifiers.ecdsa_with_SHA256)) { return AlgorithmConstants.SIGALG_SHA256_WITH_ECDSA; } if (sigAlgOid.equals(X9ObjectIdentifiers.ecdsa_with_SHA384)) { return AlgorithmConstants.SIGALG_SHA384_WITH_ECDSA; } if (sigAlgOid.equals(X9ObjectIdentifiers.ecdsa_with_SHA512)) { return AlgorithmConstants.SIGALG_SHA512_WITH_ECDSA; } // GOST3410 if (isGost3410Enabled() && sigAlgOid.getId().equalsIgnoreCase(CesecoreConfiguration.getOidGost3410())) { return AlgorithmConstants.SIGALG_GOST3411_WITH_ECGOST3410; } // DSTU4145 if (isDstu4145Enabled() && sigAlgOid.getId().startsWith(CesecoreConfiguration.getOidDstu4145() + ".")) { return AlgorithmConstants.SIGALG_GOST3411_WITH_DSTU4145; } return null; }
From source file:org.ejbca.core.protocol.cmp.AuthenticationModulesTest.java
License:Open Source License
/** * Tests the possibility to use different signature algorithms in CMP requests and responses if protection algorithm * is specified./* ww w . j a v a 2 s . c o m*/ * * A CMP request is sent to a CA that uses ECDSA with SHA256 as signature and encryption algorithms: * * 1. Send a CRMF request signed using ECDSA with SHA256 algorithm and expects a response signed by the same algorithm * 2. Send a CMP Confirm message without protection. The response is expected to be signed using ECDSA (because that's the CA's key algorithm) * and SHA1 (because that's the default digest algorithm) * 3. Sends a CMP Revocation request signed using ECDSA with SHA256 and expects a response signed by the same algorithm. * * @throws Exception */ @Test public void test22EECAuthWithSHA256AndECDSA() throws Exception { log.trace(">test22EECAuthWithSHA256AndECDSA()"); //-------------- Set the necessary configurations this.cmpConfiguration.setRAEEProfile(ALIAS, "ECDSAEEP"); this.cmpConfiguration.setRACertProfile(ALIAS, "ECDSACP"); this.cmpConfiguration.setCMPDefaultCA(ALIAS, "CmpECDSATestCA"); this.cmpConfiguration.setRACAName(ALIAS, "CmpECDSATestCA"); this.cmpConfiguration.setRAMode(ALIAS, true); this.cmpConfiguration.setRANameGenScheme(ALIAS, "DN"); this.cmpConfiguration.setRANameGenParams(ALIAS, "CN"); this.cmpConfiguration.setAuthenticationModule(ALIAS, CmpConfiguration.AUTHMODULE_ENDENTITY_CERTIFICATE); this.cmpConfiguration.setAuthenticationParameters(ALIAS, "CmpECDSATestCA"); this.globalConfigurationSession.saveConfiguration(ADMIN, this.cmpConfiguration); removeTestCA("CmpECDSATestCA"); try { final CryptoTokenManagementSessionRemote cryptoTokenManagementSession = EjbRemoteHelper.INSTANCE .getRemoteSession(CryptoTokenManagementSessionRemote.class); final int cryptoTokenId = cryptoTokenManagementSession.getIdFromName("CmpECDSATestCA").intValue(); CryptoTokenTestUtils.removeCryptoToken(ADMIN, cryptoTokenId); } catch (Exception e) {/* do nothing */ } //---------------------- Create the test CA // Create catoken String ecdsaCADN = "CN=CmpECDSATestCA"; String keyspec = "prime256v1"; int cryptoTokenId = CryptoTokenTestUtils.createCryptoTokenForCA(null, "foo123".toCharArray(), true, false, ecdsaCADN, keyspec); final CAToken catoken = CaTestUtils.createCaToken(cryptoTokenId, AlgorithmConstants.SIGALG_SHA256_WITH_ECDSA, AlgorithmConstants.SIGALG_SHA256_WITH_ECDSA); final List<ExtendedCAServiceInfo> extendedCaServices = new ArrayList<ExtendedCAServiceInfo>(2); extendedCaServices.add(new KeyRecoveryCAServiceInfo(ExtendedCAServiceInfo.STATUS_ACTIVE)); String caname = CertTools.getPartFromDN(ecdsaCADN, "CN"); X509CAInfo ecdsaCaInfo = new X509CAInfo(ecdsaCADN, caname, CAConstants.CA_ACTIVE, CertificateProfileConstants.CERTPROFILE_FIXED_ROOTCA, 3650, CAInfo.SELFSIGNED, null, catoken); ecdsaCaInfo.setExtendedCAServiceInfos(extendedCaServices); X509CA ecdsaCA = new X509CA(ecdsaCaInfo); ecdsaCA.setCAToken(catoken); // A CA certificate Collection<Certificate> cachain = new ArrayList<Certificate>(); final PublicKey publicKey = this.cryptoTokenManagementProxySession .getPublicKey(cryptoTokenId, catoken.getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CERTSIGN)) .getPublicKey(); //final String keyalg = AlgorithmTools.getKeyAlgorithm(publicKey); String sigalg = AlgorithmConstants.SIGALG_SHA256_WITH_ECDSA; final PrivateKey privateKey = this.cryptoTokenManagementProxySession.getPrivateKey(cryptoTokenId, catoken.getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CERTSIGN)); int keyusage = X509KeyUsage.digitalSignature + X509KeyUsage.keyCertSign + X509KeyUsage.cRLSign; X509Certificate ecdsaCaCert = CertTools.genSelfCertForPurpose(ecdsaCADN, 10L, "1.1.1.1", privateKey, publicKey, sigalg, true, keyusage, true); assertNotNull(ecdsaCaCert); cachain.add(ecdsaCaCert); ecdsaCA.setCertificateChain(cachain); this.caSession.addCA(ADMIN, ecdsaCA); //-------------- Create the EndEntityProfile and the CertificateProfile List<Integer> availableCAs = new ArrayList<Integer>(); availableCAs.add(Integer.valueOf(ecdsaCA.getCAId())); CertificateProfile cp = new CertificateProfile(CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER); cp.setSignatureAlgorithm(AlgorithmConstants.SIGALG_SHA256_WITH_ECDSA); cp.setAvailableCAs(availableCAs); cp.setAllowDNOverride(true); try { this.certProfileSession.addCertificateProfile(ADMIN, "ECDSACP", cp); } catch (CertificateProfileExistsException e) {// do nothing } int cpId = this.certProfileSession.getCertificateProfileId("ECDSACP"); // Configure an EndEntity profile (CmpRA) with allow CN, O, C in DN // and rfc822Name (uncheck 'Use entity e-mail field' and check // 'Modifyable'), MS UPN in altNames in the end entity profile. EndEntityProfile eep = new EndEntityProfile(true); eep.setValue(EndEntityProfile.DEFAULTCERTPROFILE, 0, "" + cpId); eep.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, "" + cpId); eep.setValue(EndEntityProfile.DEFAULTCA, 0, "" + ecdsaCA.getCAId()); eep.setValue(EndEntityProfile.AVAILCAS, 0, "" + ecdsaCA.getCAId()); eep.setModifyable(DnComponents.RFC822NAME, 0, true); eep.setUse(DnComponents.RFC822NAME, 0, false); // Don't use field // from "email" data try { this.endEntityProfileSession.addEndEntityProfile(ADMIN, "ECDSAEEP", eep); } catch (EndEntityProfileExistsException e) {// do nothing } int eepId = this.endEntityProfileSession.getEndEntityProfileId("ECDSAEEP"); //---------------- Send a CMP initialization request AuthenticationToken admToken = null; final String testAdminDN = "CN=cmptestadmin,C=SE"; final String testAdminName = "cmptestadmin"; X509Certificate admCert = null; String fp = null, fp2 = null; try { KeyPair keys = KeyTools.genKeys(keyspec, AlgorithmConstants.KEYALGORITHM_ECDSA); final X500Name userDN = new X500Name("CN=cmpecdsauser"); final byte[] _nonce = CmpMessageHelper.createSenderNonce(); final byte[] _transid = CmpMessageHelper.createSenderNonce(); final AlgorithmIdentifier pAlg = new AlgorithmIdentifier(X9ObjectIdentifiers.ecdsa_with_SHA256); PKIMessage req = genCertReq(ecdsaCaInfo.getSubjectDN(), userDN, keys, ecdsaCaCert, _nonce, _transid, false, null, null, null, null, pAlg, null); createUser(testAdminName, testAdminDN, "foo123", true, ecdsaCaInfo.getCAId(), eepId, cpId); KeyPair admkeys = KeyTools.genKeys(keyspec, AlgorithmConstants.KEYALGORITHM_ECDSA); admToken = createAdminToken(admkeys, testAdminName, testAdminDN, ecdsaCA.getCAId(), eepId, cpId); admCert = getCertFromCredentials(admToken); fp = CertTools.getFingerprintAsString(admCert); CMPCertificate[] extraCert = getCMPCert(admCert); req = CmpMessageHelper.buildCertBasedPKIProtection(req, extraCert, admkeys.getPrivate(), AlgorithmTools.getDigestFromSigAlg(pAlg.getAlgorithm().getId()), "BC");//CMSSignedGenerator.DIGEST_SHA256 assertNotNull(req); CertReqMessages ir = (CertReqMessages) req.getBody().getContent(); int reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue(); ByteArrayOutputStream bao = new ByteArrayOutputStream(); DEROutputStream out = new DEROutputStream(bao); out.writeObject(req); byte[] ba = bao.toByteArray(); // Send request and receive response byte[] resp = sendCmpHttp(ba, 200, ALIAS); checkCmpResponseGeneral(resp, ecdsaCaInfo.getSubjectDN(), userDN, ecdsaCaCert, _nonce, _transid, true, null, X9ObjectIdentifiers.ecdsa_with_SHA256.getId()); X509Certificate cert = checkCmpCertRepMessage(userDN, ecdsaCaCert, resp, reqId); fp2 = CertTools.getFingerprintAsString(cert); // ------------------- Send a CMP confirm message String hash = "foo123"; PKIMessage confirm = genCertConfirm(userDN, ecdsaCaCert, _nonce, _transid, hash, reqId); assertNotNull(confirm); bao = new ByteArrayOutputStream(); out = new DEROutputStream(bao); out.writeObject(confirm); ba = bao.toByteArray(); // Send request and receive response resp = sendCmpHttp(ba, 200, ALIAS); //Since pAlg was not set in the ConfirmationRequest, the default DigestAlgorithm (SHA1) will be used checkCmpResponseGeneral(resp, ecdsaCaInfo.getSubjectDN(), userDN, ecdsaCaCert, _nonce, _transid, true, null, X9ObjectIdentifiers.ecdsa_with_SHA1.getId()); checkCmpPKIConfirmMessage(userDN, ecdsaCaCert, resp); //------------------------- Send a CMP revocation request PKIMessage rev = genRevReq(ecdsaCaInfo.getSubjectDN(), userDN, cert.getSerialNumber(), ecdsaCaCert, _nonce, _transid, true, pAlg, null); assertNotNull(rev); rev = CmpMessageHelper.buildCertBasedPKIProtection(rev, extraCert, admkeys.getPrivate(), AlgorithmTools.getDigestFromSigAlg(pAlg.getAlgorithm().getId()), "BC"); assertNotNull(rev); ByteArrayOutputStream baorev = new ByteArrayOutputStream(); DEROutputStream outrev = new DEROutputStream(baorev); outrev.writeObject(rev); byte[] barev = baorev.toByteArray(); // Send request and receive response resp = sendCmpHttp(barev, 200, ALIAS); checkCmpResponseGeneral(resp, ecdsaCaInfo.getSubjectDN(), userDN, ecdsaCaCert, _nonce, _transid, true, null, X9ObjectIdentifiers.ecdsa_with_SHA256.getId()); int revStatus = checkRevokeStatus(ecdsaCaInfo.getSubjectDN(), CertTools.getSerialNumber(cert)); assertNotEquals("Revocation request failed to revoke the certificate", RevokedCertInfo.NOT_REVOKED, revStatus); } finally { try { removeAuthenticationToken(admToken, admCert, testAdminName); } catch (Exception e) { //NOPMD: Ignore } try { this.endEntityManagementSession.revokeAndDeleteUser(ADMIN, "cmpecdsauser", ReasonFlags.unused); } catch (Exception e) { //NOPMD: Ignore } this.internalCertStoreSession.removeCertificate(fp); this.internalCertStoreSession.removeCertificate(fp2); this.endEntityProfileSession.removeEndEntityProfile(ADMIN, "ECDSAEEP"); this.certProfileSession.removeCertificateProfile(ADMIN, "ECDSACP"); removeTestCA("CmpECDSATestCA"); } log.trace("<test22EECAuthWithSHA256AndECDSA()"); }
From source file:org.ejbca.core.protocol.cmp.CrmfKeyUpdateTest.java
License:Open Source License
/** * Tests the possibility to use different signature algorithms in CMP requests and responses. * //from ww w . j av a 2 s .c o m * A KeyUpdate request, signed using ECDSA with SHA256, is sent to a CA that uses RSA with SHA256 as signature algorithm. * The expected response is signed by RSA with SHA256. * * @throws Exception */ @Test public void test15KeyUpdateMixAlgorithms() throws Exception { if (log.isTraceEnabled()) { log.trace(">test15KeyUpdateMixAlgorithms"); } this.cmpConfiguration.setKurAllowAutomaticUpdate(this.cmpAlias, true); this.cmpConfiguration.setKurAllowSameKey(this.cmpAlias, true); this.globalConfigurationSession.saveConfiguration(ADMIN, this.cmpConfiguration); //--------------- create the user and issue his first certificate ----------------- createUser(this.username, this.userDN.toString(), "foo123"); KeyPair keys = KeyTools.genKeys("prime192v1", AlgorithmConstants.KEYALGORITHM_ECDSA); final Certificate certificate; try { certificate = this.signSession.createCertificate(ADMIN, this.username, "foo123", new PublicKeyWrapper(keys.getPublic())); } catch (ObjectNotFoundException e) { throw new CertificateCreationException("Error encountered when creating certificate", e); } catch (CADoesntExistsException e) { throw new CertificateCreationException("Error encountered when creating certificate", e); } catch (EjbcaException e) { throw new CertificateCreationException("Error encountered when creating certificate", e); } catch (AuthorizationDeniedException e) { throw new CertificateCreationException("Error encountered when creating certificate", e); } catch (CesecoreException e) { throw new CertificateCreationException("Error encountered when creating certificate", e); } assertNotNull("Failed to create a test certificate", certificate); AlgorithmIdentifier pAlg = new AlgorithmIdentifier(X9ObjectIdentifiers.ecdsa_with_SHA256); PKIMessage req = genRenewalReq(this.userDN, this.cacert, this.nonce, this.transid, keys, false, null, null, pAlg, new DEROctetString(this.nonce)); assertNotNull("Failed to generate a CMP renewal request", req); CertReqMessages kur = (CertReqMessages) req.getBody().getContent(); int reqId = kur.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue(); CMPCertificate[] extraCert = getCMPCert(certificate); req = CmpMessageHelper.buildCertBasedPKIProtection(req, extraCert, keys.getPrivate(), CMSSignedGenerator.DIGEST_SHA256, "BC"); assertNotNull(req); ByteArrayOutputStream bao = new ByteArrayOutputStream(); DEROutputStream out = new DEROutputStream(bao); out.writeObject(req); byte[] ba = bao.toByteArray(); // Send request and receive response byte[] resp = sendCmpHttp(ba, 200, this.cmpAlias); checkCmpResponseGeneral(resp, this.issuerDN, this.userDN, this.cacert, this.nonce, this.transid, true, null, PKCSObjectIdentifiers.sha256WithRSAEncryption.getId()); X509Certificate cert = checkKurCertRepMessage(this.userDN, this.cacert, resp, reqId); assertNotNull("Failed to renew the certificate", cert); assertTrue("The new certificate's keys are incorrect.", cert.getPublicKey().equals(keys.getPublic())); if (log.isTraceEnabled()) { log.trace("<test15KeyUpdateMixAlgorithms"); } }
From source file:org.ejbca.core.protocol.ocsp.ProtocolOcspHttpTest.java
License:Open Source License
/** * This test tests that the OCSP response contains is signed by the preferred signature algorithm specified in the request. * //from w w w .j a v a 2 s .c o m * @throws Exception */ @Test @Deprecated // This test verifies legacy behavior from EJBCA 6.1.0 and should be removed when we no longer need to support it public void testSigAlgExtensionLegacy() throws Exception { loadUserCert(this.caid); // Try sending a request where the preferred signature algorithm in the extension is expected to be used to sign the response. // set ocsp configuration Map<String, String> map = new HashMap<String, String>(); map.put("ocsp.signaturealgorithm", AlgorithmConstants.SIGALG_SHA256_WITH_RSA + ";" + AlgorithmConstants.SIGALG_SHA1_WITH_RSA); this.helper.alterConfig(map); ASN1EncodableVector algVec = new ASN1EncodableVector(); algVec.add(X9ObjectIdentifiers.ecdsa_with_SHA256); algVec.add(PKCSObjectIdentifiers.sha1WithRSAEncryption); ASN1Sequence algSeq = new DERSequence(algVec); ExtensionsGenerator extgen = new ExtensionsGenerator(); // RFC 6960: id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 } extgen.addExtension(new ASN1ObjectIdentifier(OCSPObjectIdentifiers.id_pkix_ocsp + ".8"), false, algSeq); Extensions exts = extgen.generate(); assertNotNull(exts); OCSPReqBuilder gen = new OCSPReqBuilder(); gen.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), cacert, ocspTestCert.getSerialNumber()), exts); gen.setRequestExtensions(exts); OCSPReq req = gen.build(); assertTrue(req.hasExtensions()); BasicOCSPResp response = helper.sendOCSPGet(req.getEncoded(), null, OCSPRespBuilder.SUCCESSFUL, 200); assertNotNull("Could not retrieve response, test could not continue.", response); assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption, response.getSignatureAlgOID()); // Try sending a request where the preferred signature algorithm is not compatible with the signing key, but // the configured algorithm is. Expected a response signed using the first configured algorithm algVec = new ASN1EncodableVector(); algVec.add(X9ObjectIdentifiers.ecdsa_with_SHA256); algSeq = new DERSequence(algVec); extgen = new ExtensionsGenerator(); extgen.addExtension(new ASN1ObjectIdentifier(OCSPObjectIdentifiers.id_pkix_ocsp + ".8"), false, algSeq); exts = extgen.generate(); assertNotNull(exts); gen = new OCSPReqBuilder(); gen.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), cacert, ocspTestCert.getSerialNumber()), exts); gen.setRequestExtensions(exts); req = gen.build(); assertTrue(req.hasExtensions()); response = helper.sendOCSPGet(req.getEncoded(), null, OCSPRespBuilder.SUCCESSFUL, 200); assertNotNull("Could not retrieve response, test could not continue.", response); assertEquals(PKCSObjectIdentifiers.sha256WithRSAEncryption, response.getSignatureAlgOID()); }
From source file:org.ejbca.core.protocol.ocsp.ProtocolOcspHttpTest.java
License:Open Source License
/** This test tests that the OCSP response contains is signed by the preferred signature algorithm specified in the request. */ /* Example of the ASN.1 dump (with friendly names from the RFC added ) of what the extensions should look like. * //from w w w . ja va 2 s. c o m * Note that we have left out the optional * PreferredSignatureAlgorithm.pubKeyAlgIdentifier * and * AlgorithmIdentifier.parameters * * ... * 75 48: requestExtensions [2] { * 77 46: Extensions ::= SEQUENCE { * 79 44: Extension ::= SEQUENCE { * 81 9: extnID OBJECT IDENTIFIER '1 3 6 1 5 5 7 48 1 8' * 92 31: extnValue OCTET STRING, encapsulates { * 94 29: PreferredSignatureAlgorithms ::= SEQUENCE { * 96 12: PreferredSignatureAlgorithm ::= SEQUENCE { * 98 10: sigIdentifier AlgorithmIdentifier ::= SEQUENCE { * 100 8: algorithm OBJECT IDENTIFIER * : ecdsaWithSHA256 (1 2 840 10045 4 3 2) * : } * : } * 110 13: PreferredSignatureAlgorithm ::= SEQUENCE { * 112 11: sigIdentifier AlgorithmIdentifier ::= SEQUENCE { * 114 9: algorithm OBJECT IDENTIFIER * : sha1WithRSAEncryption (1 2 840 113549 1 1 5) * : } * : ... */ @Test public void testSigAlgExtension() throws Exception { log.trace(">testSigAlgExtensionNew"); loadUserCert(caid); // Try sending a request where the preferred signature algorithm in the extension is expected to be used to sign the response. // set ocsp configuration final Map<String, String> map = new HashMap<String, String>(); map.put("ocsp.signaturealgorithm", AlgorithmConstants.SIGALG_SHA256_WITH_RSA + ";" + AlgorithmConstants.SIGALG_SHA1_WITH_RSA); helper.alterConfig(map); final ASN1Sequence preferredSignatureAlgorithms = getPreferredSignatureAlgorithms( X9ObjectIdentifiers.ecdsa_with_SHA256, PKCSObjectIdentifiers.sha1WithRSAEncryption); final ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator(); // RFC 6960: id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 } extensionsGenerator.addExtension(new ASN1ObjectIdentifier(OCSPObjectIdentifiers.id_pkix_ocsp + ".8"), false, preferredSignatureAlgorithms); final Extensions extensions = extensionsGenerator.generate(); assertNotNull(extensions); final OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder(); ocspReqBuilder.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), cacert, ocspTestCert.getSerialNumber())); ocspReqBuilder.setRequestExtensions(extensions); final OCSPReq ocspRequest = ocspReqBuilder.build(); assertTrue(ocspRequest.hasExtensions()); log.debug("base64 encoded request: " + new String(Base64.encode(ocspRequest.getEncoded(), false))); final BasicOCSPResp response1 = helper.sendOCSPGet(ocspRequest.getEncoded(), null, OCSPRespBuilder.SUCCESSFUL, 200); assertNotNull("Could not retrieve response, test could not continue.", response1); assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption, response1.getSignatureAlgOID()); }
From source file:org.ejbca.core.protocol.ocsp.ProtocolOcspHttpTest.java
License:Open Source License
/** Test with a preferred signature algorithm specified in the request that is incompatible with the singing key. */ @Test//w w w . j a va2 s. co m public void testSigAlgExtensionMismatch() throws Exception { log.trace(">testSigAlgExtensionNewMismatch"); loadUserCert(caid); final Map<String, String> map = new HashMap<String, String>(); map.put("ocsp.signaturealgorithm", AlgorithmConstants.SIGALG_SHA256_WITH_RSA + ";" + AlgorithmConstants.SIGALG_SHA1_WITH_RSA); helper.alterConfig(map); // Try sending a request where the preferred signature algorithm is not compatible with the signing key, but // the configured algorithm is. Expected a response signed using the first configured algorithm final ASN1Sequence preferredSignatureAlgorithms = getPreferredSignatureAlgorithms( X9ObjectIdentifiers.ecdsa_with_SHA256); final ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator(); extensionsGenerator.addExtension(new ASN1ObjectIdentifier(OCSPObjectIdentifiers.id_pkix_ocsp + ".8"), false, preferredSignatureAlgorithms); final Extensions extensions = extensionsGenerator.generate(); assertNotNull(extensions); final OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder(); ocspReqBuilder.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), cacert, ocspTestCert.getSerialNumber())); ocspReqBuilder.setRequestExtensions(extensions); final OCSPReq ocspRequest = ocspReqBuilder.build(); assertTrue(ocspRequest.hasExtensions()); log.debug("base64 encoded request: " + new String(Base64.encode(ocspRequest.getEncoded(), false))); final BasicOCSPResp response2 = helper.sendOCSPGet(ocspRequest.getEncoded(), null, OCSPRespBuilder.SUCCESSFUL, 200); assertNotNull("Could not retrieve response, test could not continue.", response2); assertEquals(PKCSObjectIdentifiers.sha256WithRSAEncryption, response2.getSignatureAlgOID()); }
From source file:org.xipki.common.util.AlgorithmUtil.java
License:Open Source License
static public String getSignatureAlgoName(final AlgorithmIdentifier sigAlgId) throws NoSuchAlgorithmException { ASN1ObjectIdentifier algOid = sigAlgId.getAlgorithm(); if (X9ObjectIdentifiers.ecdsa_with_SHA1.equals(algOid)) { return "SHA1withECDSA"; } else if (X9ObjectIdentifiers.ecdsa_with_SHA224.equals(algOid)) { return "SHA224withECDSA"; } else if (X9ObjectIdentifiers.ecdsa_with_SHA256.equals(algOid)) { return "SHA256withECDSA"; } else if (X9ObjectIdentifiers.ecdsa_with_SHA384.equals(algOid)) { return "SHA384withECDSA"; } else if (X9ObjectIdentifiers.ecdsa_with_SHA512.equals(algOid)) { return "SHA512WITHECDSA"; } else if (BSIObjectIdentifiers.ecdsa_plain_SHA1.equals(algOid)) { return "SHA1WITHPLAIN-ECDSA"; } else if (BSIObjectIdentifiers.ecdsa_plain_SHA224.equals(algOid)) { return "SHA224WITHPLAIN-ECDSA"; } else if (BSIObjectIdentifiers.ecdsa_plain_SHA256.equals(algOid)) { return "SHA256WITHPLAIN-ECDSA"; } else if (BSIObjectIdentifiers.ecdsa_plain_SHA384.equals(algOid)) { return "SHA384WITHPLAIN-ECDSA"; } else if (BSIObjectIdentifiers.ecdsa_plain_SHA512.equals(algOid)) { return "SHA512WITHPLAIN-ECDSA"; } else if (X9ObjectIdentifiers.id_dsa_with_sha1.equals(algOid)) { return "SHA1withDSA"; } else if (X9ObjectIdentifiers.id_dsa_with_sha1.equals(algOid)) { return "SHA1withDSA"; } else if (NISTObjectIdentifiers.dsa_with_sha224.equals(algOid)) { return "SHA224withDSA"; } else if (NISTObjectIdentifiers.dsa_with_sha256.equals(algOid)) { return "SHA256withDSA"; } else if (NISTObjectIdentifiers.dsa_with_sha384.equals(algOid)) { return "SHA384withDSA"; } else if (NISTObjectIdentifiers.dsa_with_sha512.equals(algOid)) { return "SHA512withDSA"; } else if (PKCSObjectIdentifiers.sha1WithRSAEncryption.equals(algOid)) { return "SHA1withRSA"; } else if (PKCSObjectIdentifiers.sha224WithRSAEncryption.equals(algOid)) { return "SHA224withRSA"; } else if (PKCSObjectIdentifiers.sha256WithRSAEncryption.equals(algOid)) { return "SHA256withRSA"; } else if (PKCSObjectIdentifiers.sha384WithRSAEncryption.equals(algOid)) { return "SHA384withRSA"; } else if (PKCSObjectIdentifiers.sha512WithRSAEncryption.equals(algOid)) { return "SHA512withRSA"; } else if (PKCSObjectIdentifiers.id_RSASSA_PSS.equals(algOid)) { RSASSAPSSparams param = RSASSAPSSparams.getInstance(sigAlgId.getParameters()); ASN1ObjectIdentifier digestAlgOid = param.getHashAlgorithm().getAlgorithm(); if (X509ObjectIdentifiers.id_SHA1.equals(digestAlgOid)) { return "SHA1withRSAandMGF1"; } else if (NISTObjectIdentifiers.id_sha256.equals(digestAlgOid)) { return "SHA256withRSAandMGF1"; } else if (NISTObjectIdentifiers.id_sha384.equals(digestAlgOid)) { return "SHA384withRSAandMGF1"; } else if (NISTObjectIdentifiers.id_sha512.equals(digestAlgOid)) { return "SHA512withRSAandMGF1"; } else {/*from w w w. ja v a 2 s .c om*/ throw new NoSuchAlgorithmException("unsupported digest algorithm " + digestAlgOid.getId()); } } else { throw new NoSuchAlgorithmException("unsupported signature algorithm " + algOid.getId()); } }
From source file:org.xipki.common.util.AlgorithmUtil.java
License:Open Source License
static public AlgorithmIdentifier getSignatureAlgoId(final String signatureAlgoName) throws NoSuchAlgorithmException { String algoS = signatureAlgoName.replaceAll("-", ""); AlgorithmIdentifier signatureAlgId;//from ww w.j a v a2s. c om if ("SHA1withRSAandMGF1".equalsIgnoreCase(algoS) || "SHA224withRSAandMGF1".equalsIgnoreCase(algoS) || "SHA256withRSAandMGF1".equalsIgnoreCase(algoS) || "SHA384withRSAandMGF1".equalsIgnoreCase(algoS) || "SHA512withRSAandMGF1".equalsIgnoreCase(algoS)) { ASN1ObjectIdentifier hashAlgo; if ("SHA1withRSAandMGF1".equalsIgnoreCase(algoS)) { hashAlgo = X509ObjectIdentifiers.id_SHA1; } else if ("SHA224withRSAandMGF1".equalsIgnoreCase(algoS)) { hashAlgo = NISTObjectIdentifiers.id_sha224; } else if ("SHA256withRSAandMGF1".equalsIgnoreCase(algoS)) { hashAlgo = NISTObjectIdentifiers.id_sha256; } else if ("SHA384withRSAandMGF1".equalsIgnoreCase(algoS)) { hashAlgo = NISTObjectIdentifiers.id_sha384; } else if ("SHA512withRSAandMGF1".equalsIgnoreCase(algoS)) { hashAlgo = NISTObjectIdentifiers.id_sha512; } else { throw new NoSuchAlgorithmException("should not reach here, unknown algorithm " + algoS); } signatureAlgId = AlgorithmUtil.buildRSAPSSAlgorithmIdentifier(hashAlgo); } else { boolean withNullParam = false; ASN1ObjectIdentifier algOid; if ("SHA1withRSA".equalsIgnoreCase(algoS) || "RSAwithSHA1".equalsIgnoreCase(algoS) || PKCSObjectIdentifiers.sha1WithRSAEncryption.getId().equals(algoS)) { algOid = PKCSObjectIdentifiers.sha1WithRSAEncryption; withNullParam = true; } else if ("SHA224withRSA".equalsIgnoreCase(algoS) || "RSAwithSHA224".equalsIgnoreCase(algoS) || PKCSObjectIdentifiers.sha224WithRSAEncryption.getId().equals(algoS)) { algOid = PKCSObjectIdentifiers.sha224WithRSAEncryption; withNullParam = true; } else if ("SHA256withRSA".equalsIgnoreCase(algoS) || "RSAwithSHA256".equalsIgnoreCase(algoS) || PKCSObjectIdentifiers.sha256WithRSAEncryption.getId().equals(algoS)) { algOid = PKCSObjectIdentifiers.sha256WithRSAEncryption; withNullParam = true; } else if ("SHA384withRSA".equalsIgnoreCase(algoS) || "RSAwithSHA384".equalsIgnoreCase(algoS) || PKCSObjectIdentifiers.sha384WithRSAEncryption.getId().equals(algoS)) { algOid = PKCSObjectIdentifiers.sha384WithRSAEncryption; withNullParam = true; } else if ("SHA512withRSA".equalsIgnoreCase(algoS) || "RSAwithSHA512".equalsIgnoreCase(algoS) || PKCSObjectIdentifiers.sha512WithRSAEncryption.getId().equals(algoS)) { algOid = PKCSObjectIdentifiers.sha512WithRSAEncryption; withNullParam = true; } else if ("SHA1withECDSA".equalsIgnoreCase(algoS) || "ECDSAwithSHA1".equalsIgnoreCase(algoS) || X9ObjectIdentifiers.ecdsa_with_SHA1.getId().equals(algoS)) { algOid = X9ObjectIdentifiers.ecdsa_with_SHA1; } else if ("SHA224withECDSA".equalsIgnoreCase(algoS) || "ECDSAwithSHA224".equalsIgnoreCase(algoS) || X9ObjectIdentifiers.ecdsa_with_SHA224.getId().equals(algoS)) { algOid = X9ObjectIdentifiers.ecdsa_with_SHA224; } else if ("SHA256withECDSA".equalsIgnoreCase(algoS) || "ECDSAwithSHA256".equalsIgnoreCase(algoS) || X9ObjectIdentifiers.ecdsa_with_SHA256.getId().equals(algoS)) { algOid = X9ObjectIdentifiers.ecdsa_with_SHA256; } else if ("SHA384withECDSA".equalsIgnoreCase(algoS) || "ECDSAwithSHA384".equalsIgnoreCase(algoS) || X9ObjectIdentifiers.ecdsa_with_SHA384.getId().equals(algoS)) { algOid = X9ObjectIdentifiers.ecdsa_with_SHA384; } else if ("SHA512withECDSA".equalsIgnoreCase(algoS) || "ECDSAwithSHA512".equalsIgnoreCase(algoS) || X9ObjectIdentifiers.ecdsa_with_SHA512.getId().equals(algoS)) { algOid = X9ObjectIdentifiers.ecdsa_with_SHA512; } else if ("SHA1withPlainECDSA".equalsIgnoreCase(algoS) || "PlainECDSAwithSHA1".equalsIgnoreCase(algoS) || BSIObjectIdentifiers.ecdsa_plain_SHA1.getId().equals(algoS)) { algOid = BSIObjectIdentifiers.ecdsa_plain_SHA1; } else if ("SHA224withPlainECDSA".equalsIgnoreCase(algoS) || "PlainECDSAwithSHA224".equalsIgnoreCase(algoS) || BSIObjectIdentifiers.ecdsa_plain_SHA224.getId().equals(algoS)) { algOid = BSIObjectIdentifiers.ecdsa_plain_SHA224; } else if ("SHA256withPlainECDSA".equalsIgnoreCase(algoS) || "PlainECDSAwithSHA256".equalsIgnoreCase(algoS) || BSIObjectIdentifiers.ecdsa_plain_SHA256.getId().equals(algoS)) { algOid = BSIObjectIdentifiers.ecdsa_plain_SHA256; } else if ("SHA384withPlainECDSA".equalsIgnoreCase(algoS) || "PlainECDSAwithSHA384".equalsIgnoreCase(algoS) || BSIObjectIdentifiers.ecdsa_plain_SHA384.getId().equals(algoS)) { algOid = BSIObjectIdentifiers.ecdsa_plain_SHA384; } else if ("SHA512withPlainECDSA".equalsIgnoreCase(algoS) || "PlainECDSAwithSHA512".equalsIgnoreCase(algoS) || BSIObjectIdentifiers.ecdsa_plain_SHA512.getId().equals(algoS)) { algOid = BSIObjectIdentifiers.ecdsa_plain_SHA512; } else if ("SHA1withDSA".equalsIgnoreCase(algoS) || "DSAwithSHA1".equalsIgnoreCase(algoS) || X9ObjectIdentifiers.id_dsa_with_sha1.getId().equals(algoS)) { algOid = X9ObjectIdentifiers.id_dsa_with_sha1; } else if ("SHA224withDSA".equalsIgnoreCase(algoS) || "DSAwithSHA224".equalsIgnoreCase(algoS) || NISTObjectIdentifiers.dsa_with_sha224.getId().equals(algoS)) { algOid = NISTObjectIdentifiers.dsa_with_sha224; } else if ("SHA256withDSA".equalsIgnoreCase(algoS) || "DSAwithSHA256".equalsIgnoreCase(algoS) || NISTObjectIdentifiers.dsa_with_sha256.getId().equals(algoS)) { algOid = NISTObjectIdentifiers.dsa_with_sha256; } else if ("SHA384withDSA".equalsIgnoreCase(algoS) || "DSAwithSHA384".equalsIgnoreCase(algoS) || NISTObjectIdentifiers.dsa_with_sha384.getId().equals(algoS)) { algOid = NISTObjectIdentifiers.dsa_with_sha384; } else if ("SHA512withDSA".equalsIgnoreCase(algoS) || "DSAwithSHA512".equalsIgnoreCase(algoS) || NISTObjectIdentifiers.dsa_with_sha512.getId().equals(algoS)) { algOid = NISTObjectIdentifiers.dsa_with_sha512; } else { throw new NoSuchAlgorithmException("unsupported signature algorithm " + algoS); } signatureAlgId = withNullParam ? new AlgorithmIdentifier(algOid, DERNull.INSTANCE) : new AlgorithmIdentifier(algOid); } return signatureAlgId; }