List of usage examples for org.bouncycastle.cert X509CertificateHolder isSignatureValid
public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws CertException
From source file:CAModulePackage.CertificateHelper.java
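/**
 * Checks that {@code cert} is currently within its validity period and that its
 * signature verifies under the public key of {@code issuingCert}.
 *
 * Fails closed: any failure to build the verifier or to verify the signature yields
 * {@code false}. Note what is NOT checked here: that issuingCert's subject matches
 * cert's issuer, revocation, path length or name constraints. Callers that need a
 * real chain validation must do that separately.
 *
 * @param cert        X.509 certificate to be validated
 * @param issuingCert X.509 certificate expected to have signed {@code cert}
 * @return true if cert is valid now and its signature verifies under issuingCert,
 *         false otherwise (including when either argument is null)
 */
public static boolean validateCert(X509CertificateHolder cert, X509CertificateHolder issuingCert) {
    if (cert == null || issuingCert == null) {
        return false;
    }
    // Cheapest check first: a pure date comparison, no crypto involved.
    if (!cert.isValidOn(new Date())) {
        return false;
    }
    ContentVerifierProvider verifier;
    try {
        verifier = new JcaContentVerifierProviderBuilder().build(issuingCert);
    } catch (OperatorCreationException e) {
        // No verifier for this key/algorithm: we cannot vouch for the certificate.
        e.printStackTrace();
        return false;
    } catch (CertificateException e) {
        // issuingCert could not be converted to a JCA certificate: treat as invalid.
        e.printStackTrace();
        return false;
    }
    try {
        return cert.isSignatureValid(verifier);
    } catch (CertException e) {
        // A signature that cannot even be checked (malformed, algorithm mismatch)
        // must be rejected, not accepted by falling through to "true".
        e.printStackTrace();
        return false;
    }
}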
From source file:eu.betaas.service.securitymanager.service.impl.AuthorizationService.java
License:Apache License
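/**
 * Verifies the credential submitted by an application and, if it verifies, records the
 * application's certificate in the catalog under {@code appId}.
 *
 * The certificate is accepted only if it is within its validity period and its ECDSA
 * signature verifies under the public key of the Apps Store CA loaded from
 * {@code certPath + APPS_CERT_NAME_INTER}. Issuer-name matching and revocation are not
 * checked here.
 *
 * @param appId      identifier under which a verified certificate is catalogued
 * @param credential the submitted credential; a PKCS#12 blob decoded by {@code certServ}
 * @return true if the application's certificate verified, false otherwise
 * @throws Exception propagated from the certificate service, key decoding or signature check
 */
public boolean checkAuthApplication(String appId, byte[] credential) throws Exception {
    // The credential is a .p12 file; the certificate service decodes it for us.
    BcCredential appsCred = certServ.readAppsCertificate(credential);
    log.debug("Read the submitted credential by application");

    // The application's certificate is expected to be the only one in the credential.
    X509CertificateHolder[] submittedChain = appsCred.getCertificateChain();
    if (submittedChain == null || submittedChain.length == 0) {
        log.error("Submitted credential contains no certificate");
        return false;
    }
    X509CertificateHolder appsCert = submittedChain[0];

    // Load the (intermediate) CA credential that signs application certificates.
    appsCaCredential = certServ.loadAppStoreCertificate(certPath + APPS_CERT_NAME_INTER);
    log.debug("Load the CA's credential from taas certificate service");
    SubjectPublicKeyInfo info = appsCaCredential.getCertificateChain()[0].getSubjectPublicKeyInfo();
    AsymmetricKeyParameter verKey = PublicKeyFactory.createKey(info);

    // A correct signature alone is not enough: an expired or not-yet-valid certificate
    // must be rejected too.
    boolean isValid = appsCert.isValidOn(new java.util.Date())
            && appsCert.isSignatureValid(
                    new BcECDSAContentVerifierProviderBuilder(new DefaultDigestAlgorithmIdentifierFinder())
                            .build(verKey));
    log.info("Is credential valid? " + isValid);

    // Only a verified certificate may enter the catalog; cataloguing an unverified one
    // would let it be looked up later as if it had been trusted.
    if (isValid) {
        appCertCatalog.addAppCert(appId, appsCert);
    }
    return isValid;
}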
From source file:eu.betaas.service.securitymanager.service.impl.AuthorizationService.java
License:Apache License
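/**
 * Validates a capability's issuer certificate against the trust anchor that belongs to
 * the issuer type.
 *
 * GATEWAY_TYPE: the certificate must be signed by the GW* intermediate, i.e. the second
 * certificate of this gateway's own chain ({@code myCredential}). APPLICATION_TYPE: it
 * must be signed by the BETaaS Apps Store CA ({@code appsCaCredential}). USER_TYPE has
 * no anchor yet and is rejected; an unknown or null type is rejected as well.
 *
 * Only the validity period and the signature are checked: no issuer-name matching and
 * no revocation check.
 *
 * @param cert the issuer certificate to validate
 * @param it   the issuer type, one of the IssuerType constants
 * @return true if the certificate is currently valid and signed by the expected anchor
 * @throws IOException       if the anchor's public key cannot be decoded
 * @throws OperatorException if the signature verifier cannot be built
 * @throws CertException     if the signature cannot be verified
 */
private boolean validateIssuerCert(X509CertificateHolder cert, String it)
        throws IOException, OperatorException, CertException {
    SubjectPublicKeyInfo anchor = null;
    // Constant-first equals() so that a null issuer type is rejected instead of
    // throwing NullPointerException.
    if (IssuerType.GATEWAY_TYPE.equals(it)) {
        anchor = myCredential.getCertificateChain()[1].getSubjectPublicKeyInfo();
    } else if (IssuerType.APPLICATION_TYPE.equals(it)) {
        anchor = appsCaCredential.getCertificateChain()[0].getSubjectPublicKeyInfo();
    } else if (IssuerType.USER_TYPE.equals(it)) {
        // TODO: no trust anchor is defined for user-issued capabilities yet; fail closed.
    }
    if (anchor != null && isCurrentlyValidAndSignedBy(cert, anchor)) {
        log.info("The issuer certificate is valid!!");
        return true;
    }
    log.error("The issuer certificate is NOT valid!!");
    return false;
}

/**
 * True if {@code cert} is within its validity period now and its ECDSA signature
 * verifies under the public key carried in {@code anchor}.
 *
 * @throws IOException       if the anchor key cannot be decoded
 * @throws OperatorException if the verifier cannot be built
 * @throws CertException     if the signature cannot be verified
 */
private boolean isCurrentlyValidAndSignedBy(X509CertificateHolder cert, SubjectPublicKeyInfo anchor)
        throws IOException, OperatorException, CertException {
    if (!cert.isValidOn(new java.util.Date())) {
        return false;
    }
    AsymmetricKeyParameter verKey = PublicKeyFactory.createKey(anchor);
    return cert.isSignatureValid(
            new BcECDSAContentVerifierProviderBuilder(new DefaultDigestAlgorithmIdentifierFinder()).build(verKey));
}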
From source file:eu.betaas.taas.securitymanager.authentication.service.impl.GWEcmqvExtService.java
License:Apache License
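/**
 * Verifies that {@code cert} was signed by the GW* intermediate certificate and is
 * currently within its validity period.
 *
 * Side effects: loads this gateway's own credential and stores its leaf certificate in
 * {@code myCert} and its long-term private key in {@code statPriv}; presumably the
 * later key-agreement steps rely on these fields being set by this call.
 *
 * Only the validity period and the signature are checked: no issuer-name matching and
 * no revocation check.
 *
 * @param cert the peer's certificate to verify
 * @return true if cert is valid now and its ECDSA signature verifies under the GW*
 *         intermediate public key
 * @throws Exception from credential loading, key conversion or signature verification
 */
private boolean validateCert(X509CertificateHolder cert) throws Exception {
    // Our own credential: chain[0] is this gateway's certificate, chain[1] the GW*
    // intermediate that issued it.
    BcCredential myCredential = gwCertificateService.loadMyCertificate(PKCS12Utils.GW_CERT);
    X509CertificateHolder[] chain = myCredential.getCertificateChain();
    myCert = chain[0];
    statPriv = (ECPrivateKeyParameters) myCredential.getPrivateKey();

    AsymmetricKeyParameter verKey = ECKeyPairGen.generateECPublicKey(chain[1].getSubjectPublicKeyInfo());

    // A valid signature on an expired or not-yet-valid certificate must still be rejected.
    if (!cert.isValidOn(new java.util.Date())) {
        return false;
    }
    return cert.isSignatureValid(
            new BcECDSAContentVerifierProviderBuilder(new DefaultDigestAlgorithmIdentifierFinder()).build(verKey));
}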
From source file:eu.betaas.taas.securitymanager.authentication.service.impl.GWEcmqvIntService.java
License:Apache License
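/**
 * Checks the peer certificate against the GW* intermediate: it must be inside its
 * validity period and carry an ECDSA signature that verifies under the intermediate's
 * public key.
 *
 * As a side effect this loads the gateway's own credential and caches {@code myCert}
 * (our certificate) and {@code statPriv} (our long-term private key); later steps of
 * the protocol presumably read those fields.
 *
 * Issuer-name matching and revocation are not checked here.
 *
 * @param cert certificate presented by the peer
 * @return true if the certificate is currently valid and correctly signed
 * @throws Exception from credential loading, key conversion or signature verification
 */
private boolean validateCert(X509CertificateHolder cert) throws Exception {
    BcCredential myCredential = gwCertificateService.loadMyCertificate(PKCS12Utils.GW_CERT);
    X509CertificateHolder[] ownChain = myCredential.getCertificateChain();

    // ownChain[0] is our own certificate, ownChain[1] the GW* intermediate that issued it.
    myCert = ownChain[0];
    statPriv = (ECPrivateKeyParameters) myCredential.getPrivateKey();
    AsymmetricKeyParameter intermediateKey =
            ECKeyPairGen.generateECPublicKey(ownChain[1].getSubjectPublicKeyInfo());

    // Reject expired / not-yet-valid certificates regardless of the signature.
    if (!cert.isValidOn(new java.util.Date())) {
        return false;
    }
    return cert.isSignatureValid(
            new BcECDSAContentVerifierProviderBuilder(new DefaultDigestAlgorithmIdentifierFinder())
                    .build(intermediateKey));
}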
From source file:net.maritimecloud.pki.ocsp.OCSPClient.java
License:Open Source License
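/**
 * Asks the OCSP responder at {@code url} for the status of {@code certificate}.
 *
 * A response is accepted only when: the HTTP exchange returns 200; the OCSP status is
 * SUCCESSFUL and the payload is a BasicOCSPResp; the nonce extension is present and
 * matches {@code sentNonce}; the response is signed by {@code issuer} directly, or by a
 * delegated responder certificate bundled in the response that is currently valid,
 * carries the id-kp-OCSPSigning extended key usage and is itself signed by
 * {@code issuer}; and the response contains a SingleResp for the certificate's serial.
 *
 * Not checked here: that the responder ID matches the bundled certificate,
 * thisUpdate/nextUpdate freshness, and the issuer hashes of the CertID (only the serial
 * number is compared).
 *
 * @return GOOD, REVOKED (with {@code revokedStatus} set) or UNKNOWN
 * @throws OCSPValidationException if no OCSP URL is configured or any check above fails
 */
public CertStatus getCertificateStatus() throws OCSPValidationException {
    try {
        if (null == url) {
            throw new OCSPValidationException("Certificate not validated by OCSP");
        }
        byte[] encodedOcspRequest = generateOCSPRequest(issuer, certificate.getSerialNumber()).getEncoded();

        // NOTE(review): no connect/read timeout is configured, so an unresponsive
        // responder blocks the caller indefinitely.
        HttpURLConnection httpConnection = (HttpURLConnection) url.openConnection();
        httpConnection.setRequestProperty("Content-Type", "application/ocsp-request");
        httpConnection.setRequestProperty("Accept", "application/ocsp-response");
        httpConnection.setDoOutput(true);
        try (DataOutputStream dataOut = new DataOutputStream(
                new BufferedOutputStream(httpConnection.getOutputStream()))) {
            dataOut.write(encodedOcspRequest);
            dataOut.flush();
        }
        // Check the status code before reading the body: getInputStream() throws on
        // error codes, which would hide the real code behind a generic IOException.
        if (httpConnection.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new OCSPValidationException(
                    "Received HTTP code != 200 [" + httpConnection.getResponseCode() + "]");
        }
        OCSPResp ocspResponse;
        try (InputStream in = httpConnection.getInputStream()) {
            ocspResponse = new OCSPResp(in);
        }

        // getResponseObject() yields null for any status other than SUCCESSFUL; check it
        // explicitly instead of failing with a NullPointerException on the cast below.
        if (ocspResponse.getStatus() != OCSPResp.SUCCESSFUL) {
            throw new OCSPValidationException(
                    "OCSP response status is not successful [" + ocspResponse.getStatus() + "]");
        }
        Object responseObject = ocspResponse.getResponseObject();
        if (!(responseObject instanceof BasicOCSPResp)) {
            throw new OCSPValidationException("Unsupported OCSP response type");
        }
        BasicOCSPResp basicResponse = (BasicOCSPResp) responseObject;

        // Replay protection: a response without the nonce extension is rejected
        // (it used to fail with a NullPointerException).
        if (basicResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce) == null) {
            throw new OCSPValidationException("Nonce extension missing from ocsp response");
        }
        // NOTE(review): this compares the DER encoding of the extension's OID, not the
        // nonce value (getExtnValue()). If generateOCSPRequest (not shown) stores the same
        // OID encoding in sentNonce the check is vacuous; if it stores the real nonce the
        // check always fails. Both sides must be changed together to compare the octets.
        byte[] receivedNonce = basicResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce).getExtnId()
                .getEncoded();
        if (!Arrays.equals(receivedNonce, sentNonce)) {
            throw new OCSPValidationException("Nonce in ocsp response does not match nonce of ocsp request");
        }

        // Signed by the CA itself: nothing further to verify about the signer. Otherwise
        // it must be a delegated responder (RFC 6960 4.2.2.2) presenting a certificate
        // that the CA issued for that purpose.
        if (!basicResponse
                .isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(issuer))) {
            X509CertificateHolder[] responderCerts = basicResponse.getCerts();
            if (responderCerts == null || responderCerts.length == 0) {
                throw new OCSPValidationException("Could not validate OCSP response!");
            }
            X509CertificateHolder certHolder = responderCerts[0];
            if (!certHolder.isValidOn(Date.from(Instant.now()))) {
                throw new OCSPValidationException("Certificate is not valid today!");
            }
            // Certificate must have a Key Purpose ID for authorized responders
            // (fromExtensions returns null when there is no EKU extension at all).
            ExtendedKeyUsage eku = ExtendedKeyUsage.fromExtensions(certHolder.getExtensions());
            if (eku == null || !eku.hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning)) {
                throw new OCSPValidationException(
                        "Certificate does not contain required extension (id_kp_OCSPSigning)");
            }
            // Certificate must be issued by the same CA of the certificate that we are verifying
            if (!certHolder.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().setProvider("BC").build(issuer))) {
                throw new OCSPValidationException("Certificate is not signed by the same issuer");
            }
            // Validate signature in OCSP response
            if (!basicResponse.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().setProvider("BC").build(certHolder))) {
                throw new OCSPValidationException("Could not validate OCSP response!");
            }
        }

        // Find the SingleResp for our serial number instead of blindly taking index 0
        // (which also threw ArrayIndexOutOfBoundsException on an empty response).
        SingleResp matched = null;
        for (SingleResp single : basicResponse.getResponses()) {
            if (certificate.getSerialNumber().equals(single.getCertID().getSerialNumber())) {
                matched = single;
                break;
            }
        }
        if (matched == null) {
            throw new OCSPValidationException(
                    "Serial number of certificate in response ocsp does not match certificate serial number");
        }
        // NOTE(review): thisUpdate/nextUpdate are not checked, so an old but correctly
        // signed response is still accepted.
        CertificateStatus status = matched.getCertStatus();
        if (status == CertificateStatus.GOOD) {
            return CertStatus.GOOD;
        }
        if (status instanceof RevokedStatus) {
            revokedStatus = (RevokedStatus) status;
            return CertStatus.REVOKED;
        }
        return CertStatus.UNKNOWN;
    } catch (CertificateEncodingException | OperatorCreationException | OCSPException | IOException ex) {
        throw new OCSPValidationException("Unable to perform validation through OCSP ("
                + certificate.getSubjectX500Principal().getName() + ")", ex);
    } catch (CertException | CertificateException ex) {
        throw new OCSPValidationException("Unable to perform validation through OCSP ("
                + certificate.getSubjectX500Principal().getName() + ")", ex);
    }
}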
From source file:org.poreid.verify.ocsp.OCSPClient.java
License:Open Source License
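/**
 * Asks the OCSP responder at {@code url} for the status of {@code certificate}.
 *
 * A response is accepted only when: the HTTP exchange returns 200; the OCSP status is
 * SUCCESSFUL and the payload is a BasicOCSPResp; the nonce extension is present and
 * matches {@code sentNonce}; the response is signed by {@code issuer} directly, or by a
 * delegated responder certificate bundled in the response that is currently valid,
 * carries the id-kp-OCSPSigning extended key usage and is itself signed by
 * {@code issuer}; any bundled responder certificate carries id-pkix-ocsp-nocheck (SCEE
 * certificate policy); and the response contains a SingleResp for the certificate's
 * serial number.
 *
 * Not checked here: that the responder ID matches the bundled certificate,
 * thisUpdate/nextUpdate freshness, and the issuer hashes of the CertID (only the serial
 * number is compared).
 *
 * @return GOOD, REVOKED (with {@code revokedStatus} set) or UNKNOWN
 * @throws OCSPValidationException if no OCSP URL is configured or any check above fails
 */
public CertStatus getCertificateStatus() throws OCSPValidationException {
    try {
        if (null == url) {
            throw new OCSPValidationException("Certificado no tem validao por OCSP");
        }
        byte[] encodedOcspRequest = generateOCSPRequest(issuer, certificate.getSerialNumber()).getEncoded();

        // NOTE(review): no connect/read timeout is configured, so an unresponsive
        // responder blocks the caller indefinitely.
        HttpURLConnection httpConnection = (HttpURLConnection) url.openConnection();
        httpConnection.setRequestProperty("Content-Type", "application/ocsp-request");
        httpConnection.setRequestProperty("Accept", "application/ocsp-response");
        httpConnection.setDoOutput(true);
        try (DataOutputStream dataOut = new DataOutputStream(
                new BufferedOutputStream(httpConnection.getOutputStream()))) {
            dataOut.write(encodedOcspRequest);
            dataOut.flush();
        }
        // Check the status code before reading the body: getInputStream() throws on
        // error codes, which would hide the real code behind a generic IOException.
        if (httpConnection.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new OCSPValidationException(
                    "Cdigo HTTP recebido != 200 [" + httpConnection.getResponseCode() + "]");
        }
        OCSPResp ocspResponse;
        try (InputStream in = httpConnection.getInputStream()) {
            ocspResponse = new OCSPResp(in);
        }

        // getResponseObject() yields null for any status other than SUCCESSFUL; check it
        // explicitly instead of failing with a NullPointerException on the cast below.
        if (ocspResponse.getStatus() != OCSPResp.SUCCESSFUL) {
            throw new OCSPValidationException(
                    "Estado da resposta OCSP diferente de SUCCESSFUL [" + ocspResponse.getStatus() + "]");
        }
        Object responseObject = ocspResponse.getResponseObject();
        if (!(responseObject instanceof BasicOCSPResp)) {
            throw new OCSPValidationException("Tipo de resposta OCSP nao suportado");
        }
        BasicOCSPResp basicResponse = (BasicOCSPResp) responseObject;

        // Replay protection: a response without the nonce extension is rejected
        // (it used to fail with a NullPointerException).
        if (basicResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce) == null) {
            throw new OCSPValidationException("Resposta ocsp sem extensao nonce");
        }
        // NOTE(review): this compares the DER encoding of the extension's OID, not the
        // nonce value (getExtnValue()). If generateOCSPRequest (not shown) stores the same
        // OID encoding in sentNonce the check is vacuous; if it stores the real nonce the
        // check always fails. Both sides must be changed together to compare the octets.
        byte[] receivedNonce = basicResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce).getExtnId()
                .getEncoded();
        if (!Arrays.equals(receivedNonce, sentNonce)) {
            throw new OCSPValidationException("Nonce na resposta ocsp no coincide com nonce do pedido ocsp");
        }

        // The responder may bundle its certificate; null when it does not (indexing [0]
        // on an empty array used to throw ArrayIndexOutOfBoundsException).
        X509CertificateHolder[] responderCerts = basicResponse.getCerts();
        X509CertificateHolder certHolder =
                (responderCerts != null && responderCerts.length > 0) ? responderCerts[0] : null;

        // Signed by the CA itself: nothing further to verify about the signer. Otherwise
        // it must be a delegated responder (RFC 6960 4.2.2.2) presenting a certificate
        // that the CA issued for that purpose.
        if (!basicResponse
                .isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(issuer))) {
            if (certHolder == null) {
                throw new OCSPValidationException("No foi possivel validar resposta ocsp");
            }
            if (!certHolder.isValidOn(Date.from(Instant.now()))) {
                throw new OCSPValidationException("Certificado no vlido na data atual");
            }
            // The responder certificate must carry the Key Purpose ID for authorized
            // responders (fromExtensions returns null when there is no EKU extension).
            ExtendedKeyUsage eku = ExtendedKeyUsage.fromExtensions(certHolder.getExtensions());
            if (eku == null || !eku.hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning)) {
                throw new OCSPValidationException(
                        "Certificado no contm extenso necessria (id_kp_OCSPSigning)");
            }
            // It must be issued by the same CA as the certificate we are checking.
            if (!certHolder.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().setProvider("BC").build(issuer))) {
                throw new OCSPValidationException("Certificado no assinado pelo mesmo issuer");
            }
            // Validate the signature on the OCSP response with the responder certificate.
            if (!basicResponse.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().setProvider("BC").build(certHolder))) {
                throw new OCSPValidationException("No foi possivel validar resposta ocsp");
            }
        }

        // SCEE certificate policy: a responder certificate must carry id-pkix-ocsp-nocheck.
        // getExtension() returns null when the extension is absent; calling getExtnId() on
        // that null used to throw NullPointerException instead of the policy error.
        if (certHolder != null
                && null == certHolder.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck)) {
            throw new OCSPValidationException(
                    "Extenso id_pkix_ocsp_nocheck no encontrada no certificado (Politica de Certificados do SCEE)");
        }

        // Find the SingleResp for our serial number instead of blindly taking index 0.
        SingleResp matched = null;
        for (SingleResp single : basicResponse.getResponses()) {
            if (certificate.getSerialNumber().equals(single.getCertID().getSerialNumber())) {
                matched = single;
                break;
            }
        }
        if (matched == null) {
            throw new OCSPValidationException(
                    "Nmero de srie do certificado na resposta ocsp no coincide com nmero de srie do certificado");
        }
        // NOTE(review): thisUpdate/nextUpdate are not checked, so an old but correctly
        // signed response is still accepted.
        CertificateStatus status = matched.getCertStatus();
        if (status == CertificateStatus.GOOD) {
            return CertStatus.GOOD;
        }
        if (status instanceof RevokedStatus) {
            revokedStatus = (RevokedStatus) status;
            return CertStatus.REVOKED;
        }
        return CertStatus.UNKNOWN;
    } catch (CertificateEncodingException | OperatorCreationException | OCSPException | IOException ex) {
        throw new OCSPValidationException("No foi possivel efetuar a validao atravs de OCSP ("
                + certificate.getSubjectX500Principal().getName() + ")", ex);
    } catch (CertException | CertificateException ex) {
        throw new OCSPValidationException("No foi possivel efetuar a validao atravs de OCSP ("
                + certificate.getSubjectX500Principal().getName() + ")", ex);
    }
}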