List of usage examples for org.bouncycastle.jce ECKeyUtil publicToExplicitParameters
public static PublicKey publicToExplicitParameters(PublicKey key, Provider provider) throws IllegalArgumentException, NoSuchAlgorithmException
From source file:org.cesecore.keys.token.BaseCryptoToken.java
License:Open Source License
/** @see #getPublicKey(String) * @param warn if we should log a warning if the key does not exist *//* w w w. jav a2 s. c o m*/ private PublicKey getPublicKey(final String alias, boolean warn) throws CryptoTokenOfflineException { // Auto activate is done in the call to getKeyStore below (from readPublicKey) try { PublicKey publicK = readPublicKey(alias, warn); if (publicK == null) { final String msg = intres.getLocalizedMessage("token.errornosuchkey", alias); throw new CryptoTokenOfflineException(msg); } final String str = getProperties().getProperty(CryptoToken.EXPLICIT_ECC_PUBLICKEY_PARAMETERS); final boolean explicitEccParameters = Boolean.parseBoolean(str); if (explicitEccParameters && publicK.getAlgorithm().equals("EC")) { if (log.isDebugEnabled()) { log.debug("Using explicit parameter encoding for ECC key."); } publicK = ECKeyUtil.publicToExplicitParameters(publicK, "BC"); } return publicK; } catch (KeyStoreException e) { throw new CryptoTokenOfflineException(e); } catch (NoSuchProviderException e) { throw new CryptoTokenOfflineException(e); } catch (IllegalArgumentException e) { throw new CryptoTokenOfflineException(e); } catch (NoSuchAlgorithmException e) { throw new CryptoTokenOfflineException(e); } }
From source file:org.cesecore.keys.util.KeyStoreTools.java
License:Open Source License
/** Generates a certificate request (CSR) in PKCS#10 format and writes to file * @param alias for the key to be used/* w w w . j av a 2 s. com*/ * @param dn the DN to be used. If null the 'CN=alias' will be used * @param explicitEccParameters false should be default and will use NamedCurve encoding of ECC public keys (IETF recommendation), use true to include all parameters explicitly (ICAO ePassport requirement). * @throws Exception */ public void generateCertReq(String alias, String sDN, boolean explicitEccParameters) throws Exception { PublicKey publicKey = getCertificate(alias).getPublicKey(); final PrivateKey privateKey = getPrivateKey(alias); if (log.isDebugEnabled()) { log.debug("alias: " + alias + " SHA1 of public key: " + CertTools.getFingerprintAsString(publicKey.getEncoded())); } String sigAlg = (String) AlgorithmTools.getSignatureAlgorithms(publicKey).iterator().next(); if (sigAlg == null) { sigAlg = "SHA1WithRSA"; } if (sigAlg.contains("ECDSA") && explicitEccParameters) { log.info("Using explicit parameter encoding for ECC key."); publicKey = ECKeyUtil.publicToExplicitParameters(publicKey, "BC"); } else { log.info("Using named curve parameter encoding for ECC key."); } X500Name sDNName = sDN != null ? new X500Name(sDN) : new X500Name("CN=" + alias); final PKCS10CertificationRequest certReq = CertTools.genPKCS10CertificationRequest(sigAlg, sDNName, publicKey, new DERSet(), privateKey, this.keyStore.getProvider().getName()); ContentVerifierProvider verifier = CertTools.genContentVerifierProvider(publicKey); if (!certReq.isSignatureValid(verifier)) { String msg = intres.getLocalizedMessage("token.errorcertreqverify", alias); throw new Exception(msg); } String filename = alias + ".pem"; final Writer writer = new FileWriter(filename); writer.write(CertTools.BEGIN_CERTIFICATE_REQUEST + "\n"); writer.write(new String(Base64.encode(certReq.getEncoded()))); writer.write("\n" + CertTools.END_CERTIFICATE_REQUEST + "\n"); writer.close(); log.info("Wrote csr to file: " + filename); }
From source file:org.ejbca.util.keystore.KeyStoreContainerBase.java
License:Open Source License
@Override public void generateCertReq(String alias, String sDN, boolean explicitEccParameters) throws Exception { PublicKey publicKey = getCertificate(alias).getPublicKey(); final PrivateKey privateKey = getPrivateKey(alias); if (log.isDebugEnabled()) { log.debug("alias: " + alias + " SHA1 of public key: " + CertTools.getFingerprintAsString(publicKey.getEncoded())); }/* w w w .j a v a2s. c om*/ String sigAlg = (String) AlgorithmTools.getSignatureAlgorithms(publicKey).iterator().next(); if (sigAlg == null) { sigAlg = "SHA1WithRSA"; } if (sigAlg.contains("ECDSA") && explicitEccParameters) { log.info("Using explicit parameter encoding for ECC key."); publicKey = ECKeyUtil.publicToExplicitParameters(publicKey, "BC"); } else { log.info("Using named curve parameter encoding for ECC key."); } X500Name sDNName = sDN != null ? new X500Name(sDN) : new X500Name("CN=" + alias); final PKCS10CertificationRequest certReq = CertTools.genPKCS10CertificationRequest(sigAlg, sDNName, publicKey, new DERSet(), privateKey, this.keyStore.getProvider().getName()); ContentVerifierProvider verifier = CertTools.genContentVerifierProvider(publicKey); if (!certReq.isSignatureValid(verifier)) { String msg = intres.getLocalizedMessage("token.errorcertreqverify", alias); throw new Exception(msg); } String filename = alias + ".pem"; final Writer writer = new FileWriter(filename); writer.write(CertTools.BEGIN_CERTIFICATE_REQUEST + "\n"); writer.write(new String(Base64.encode(certReq.getEncoded()))); writer.write("\n" + CertTools.END_CERTIFICATE_REQUEST + "\n"); writer.close(); log.info("Wrote csr to file: " + filename); }
From source file:org.signserver.module.mrtdsodsigner.MRTDSODSignerUnitTest.java
License:Open Source License
/** * Creates and verifies a simple SODFile * @throws Exception/*from www . j ava 2 s .co m*/ */ public void test01SODFile() throws Exception { Map<Integer, byte[]> dataGroupHashes = new HashMap<Integer, byte[]>(); dataGroupHashes.put(Integer.valueOf(1), "12345".getBytes()); dataGroupHashes.put(Integer.valueOf(4), "abcdef".getBytes()); // RSA KeyPair keys = KeyTools.genKeys("1024", "RSA"); X509Certificate cert = CertTools.genSelfCert("CN=mrtdsodtest", 33, null, keys.getPrivate(), keys.getPublic(), "SHA256WithRSA", false); SODFile sod = new SODFile("SHA256", "SHA256withRSA", dataGroupHashes, keys.getPrivate(), cert); assertNotNull(sod); boolean verify = sod.checkDocSignature(cert); assertTrue(verify); byte[] encoded = sod.getEncoded(); SODFile sod2 = new SODFile(new ByteArrayInputStream(encoded)); verify = sod2.checkDocSignature(cert); assertTrue(verify); // ECC KeyPair keysec = KeyTools.genKeys("secp256r1", "ECDSA"); PublicKey publicKey = ECKeyUtil.publicToExplicitParameters(keysec.getPublic(), "BC"); X509Certificate certec = CertTools.genSelfCert("CN=mrtdsodtest", 33, null, keysec.getPrivate(), publicKey, "SHA256WithECDSA", false); SODFile sodec = new SODFile("SHA256", "SHA256withECDSA", dataGroupHashes, keysec.getPrivate(), cert); assertNotNull(sodec); boolean verifyec = sodec.checkDocSignature(certec); assertTrue(verifyec); byte[] encodedec = sodec.getEncoded(); SODFile sod2ec = new SODFile(new ByteArrayInputStream(encodedec)); verifyec = sod2ec.checkDocSignature(certec); assertTrue(verifyec); }
From source file:org.signserver.module.xmlsigner.AnySignerTest.java
License:Open Source License
@Test public void test03GenerateRequestNamedCurve() throws Exception { final boolean explicitEcc = false; // Generate CSR final PKCS10CertReqInfo certReqInfo = new PKCS10CertReqInfo("SHA1WithECDSA", "CN=test02GenerateKey", null); Base64SignerCertReqData data = (Base64SignerCertReqData) workerSession.getCertificateRequest(WORKERID, certReqInfo, explicitEcc, false); byte[] reqBytes = data.getBase64CertReq(); final PKCS10CertificationRequest req = new PKCS10CertificationRequest(Base64.decode(reqBytes)); final PublicKey actualPubKey = req.getPublicKey(); final PublicKey afterConvert = ECKeyUtil.publicToExplicitParameters(actualPubKey, "BC"); // The following assertion assumes that publicToExplicitParameters // returns a new/different PublicKey instance if it was not already // converted and if it already was explicit the same instance was // returned/*from w ww . j a va 2s . com*/ // Not the same object assertNotSame("Not converted to explicit", actualPubKey.hashCode(), afterConvert.hashCode()); }
From source file:org.signserver.module.xmlsigner.AnySignerTest.java
License:Open Source License
@Test public void test04GenerateRequestExplicitParams() throws Exception { final boolean explicitEcc = true; // Generate CSR final PKCS10CertReqInfo certReqInfo = new PKCS10CertReqInfo("SHA1WithECDSA", "CN=test02GenerateKey", null); Base64SignerCertReqData data = (Base64SignerCertReqData) workerSession.getCertificateRequest(WORKERID, certReqInfo, explicitEcc, false); byte[] reqBytes = data.getBase64CertReq(); final PKCS10CertificationRequest req = new PKCS10CertificationRequest(Base64.decode(reqBytes)); final PublicKey actualPubKey = req.getPublicKey(); final PublicKey afterConvert = ECKeyUtil.publicToExplicitParameters(actualPubKey, "BC"); // The following assertion assumes that publicToExplicitParameters // returns a new/different PublicKey instance if it was not already // converted and if it already was explicit the same instance was // returned// www . ja va2s. c o m // The same object assertTrue("Not converted to explicit", actualPubKey.hashCode() == afterConvert.hashCode()); }
From source file:org.signserver.server.cryptotokens.CryptoTokenBase.java
License:Open Source License
@Override public ICertReqData genCertificateRequest(ISignerCertReqInfo info, final boolean explicitEccParameters, final boolean defaultKey) throws CryptoTokenOfflineException { Base64SignerCertReqData retval = null; if (info instanceof PKCS10CertReqInfo) { PKCS10CertReqInfo reqInfo = (PKCS10CertReqInfo) info; PKCS10CertificationRequest pkcs10; final int purpose = defaultKey ? PURPOSE_SIGN : PURPOSE_NEXTKEY; if (log.isDebugEnabled()) { log.debug("Purpose: " + purpose); log.debug("signatureAlgorithm: " + reqInfo.getSignatureAlgorithm()); log.debug("subjectDN: " + reqInfo.getSubjectDN()); log.debug("explicitEccParameters: " + explicitEccParameters); }/*from w w w.jav a 2 s .com*/ try { PublicKey publicKey = getPublicKey(purpose); // Handle ECDSA key with explicit parameters if (explicitEccParameters && publicKey.getAlgorithm().contains("EC")) { publicKey = ECKeyUtil.publicToExplicitParameters(publicKey, "BC"); } // Generate request final JcaPKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder( new X500Name(CertTools.stringToBCDNString(reqInfo.getSubjectDN())), publicKey); final ContentSigner contentSigner = new JcaContentSignerBuilder(reqInfo.getSignatureAlgorithm()) .setProvider(getProvider(ICryptoToken.PROVIDERUSAGE_SIGN)).build(getPrivateKey(purpose)); pkcs10 = builder.build(contentSigner); retval = new Base64SignerCertReqData(Base64.encode(pkcs10.getEncoded())); } catch (IOException e) { log.error("Certificate request error: " + e.getMessage(), e); } catch (OperatorCreationException e) { log.error("Certificate request error: signer could not be initialized", e); } catch (NoSuchAlgorithmException e) { log.error("Certificate request error: " + e.getMessage(), e); } catch (NoSuchProviderException e) { log.error("Certificate request error: " + e.getMessage(), e); } } return retval; }
From source file:org.signserver.server.cryptotokens.CryptoTokenHelper.java
License:Open Source License
/** * Generate a certificate signing request (PKCS#10). * @param info A PKCS10CertReqInfo//ww w . j a v a2s .c om * @param privateKey Private key for signing the request * @param signatureProvider Name of provider to sign with * @param publicKey Public key to include in the request * @param explicitEccParameters True if the EC domain parameters should be included (ie. not a named curve) * @return the certificate request data */ public static ICertReqData genCertificateRequest(ISignerCertReqInfo info, final PrivateKey privateKey, final String signatureProvider, PublicKey publicKey, final boolean explicitEccParameters) throws IllegalArgumentException { LOG.debug(">genCertificateRequest"); final Base64SignerCertReqData retval; if (info instanceof PKCS10CertReqInfo) { PKCS10CertReqInfo reqInfo = (PKCS10CertReqInfo) info; PKCS10CertificationRequest pkcs10; if (LOG.isDebugEnabled()) { LOG.debug("signatureAlgorithm: " + reqInfo.getSignatureAlgorithm()); LOG.debug("subjectDN: " + reqInfo.getSubjectDN()); LOG.debug("explicitEccParameters: " + explicitEccParameters); } try { // Handle ECDSA key with explicit parameters if (explicitEccParameters && publicKey.getAlgorithm().contains("EC")) { publicKey = ECKeyUtil.publicToExplicitParameters(publicKey, "BC"); } if (LOG.isDebugEnabled()) { LOG.debug("Public key SHA1: " + createKeyHash(publicKey)); LOG.debug("Public key SHA256: " + KeyUsageCounterHash.create(publicKey)); } // Generate request final JcaPKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder( new X500Name(CertTools.stringToBCDNString(reqInfo.getSubjectDN())), publicKey); final ContentSigner contentSigner = new JcaContentSignerBuilder(reqInfo.getSignatureAlgorithm()) .setProvider(signatureProvider).build(privateKey); pkcs10 = builder.build(contentSigner); retval = new Base64SignerCertReqData(Base64.encode(pkcs10.getEncoded())); } catch (IOException e) { throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e); } catch (OperatorCreationException e) { throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e); } catch (NoSuchAlgorithmException e) { throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e); } catch (NoSuchProviderException e) { throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e); } LOG.debug("<genCertificateRequest"); return retval; } else { throw new IllegalArgumentException( "Unsupported certificate request info type: " + info.getClass().getName()); } }
From source file:org.signserver.server.cryptotokens.OldPKCS11CryptoToken.java
License:Open Source License
@Override public ICertReqData genCertificateRequest(ISignerCertReqInfo info, final boolean explicitEccParameters, boolean defaultKey) throws CryptoTokenOfflineException { LOG.debug(">genCertificateRequest PKCS11CryptoToken"); Base64SignerCertReqData retval = null; if (info instanceof PKCS10CertReqInfo) { PKCS10CertReqInfo reqInfo = (PKCS10CertReqInfo) info; PKCS10CertificationRequest pkcs10; final String alias; if (defaultKey) { alias = properties.getProperty("defaultKey"); } else {/*from w w w .ja v a 2 s .c om*/ alias = properties.getProperty("nextCertSignKey"); } if (LOG.isDebugEnabled()) { LOG.debug("defaultKey: " + defaultKey); LOG.debug("alias: " + alias); LOG.debug("signatureAlgorithm: " + reqInfo.getSignatureAlgorithm()); LOG.debug("subjectDN: " + reqInfo.getSubjectDN()); LOG.debug("explicitEccParameters: " + explicitEccParameters); } try { final KeyStore keyStore = getKeyStore(authenticationCode); final PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, authenticationCode); final Certificate cert = keyStore.getCertificate(alias); if (cert == null) { throw new CryptoTokenOfflineException( "Certificate request error: No key with the configured alias"); } PublicKey publicKey = cert.getPublicKey(); // Handle ECDSA key with explicit parameters if (explicitEccParameters && publicKey.getAlgorithm().contains("EC")) { publicKey = ECKeyUtil.publicToExplicitParameters(publicKey, "BC"); } if (LOG.isDebugEnabled()) { LOG.debug("Public key SHA1: " + CryptoTokenHelper.createKeyHash(cert.getPublicKey())); LOG.debug("Public key SHA256: " + KeyUsageCounterHash.create(cert.getPublicKey())); } // Generate request final JcaPKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder( new X500Name(CertTools.stringToBCDNString(reqInfo.getSubjectDN())), publicKey); final ContentSigner contentSigner = new JcaContentSignerBuilder(reqInfo.getSignatureAlgorithm()) .setProvider(getProvider(ICryptoToken.PROVIDERUSAGE_SIGN)).build(privateKey); pkcs10 = builder.build(contentSigner); retval = new Base64SignerCertReqData(Base64.encode(pkcs10.getEncoded())); } catch (IOException e) { LOG.error("Certificate request error: " + e.getMessage(), e); } catch (OperatorCreationException e) { LOG.error("Certificate request error: signer could not be initialized", e); } catch (UnrecoverableKeyException e) { LOG.error("Certificate request error: " + e.getMessage(), e); } catch (KeyStoreException e) { LOG.error("Certificate request error: " + e.getMessage(), e); } catch (NoSuchAlgorithmException e) { LOG.error("Certificate request error: " + e.getMessage(), e); } catch (NoSuchProviderException e) { LOG.error("Certificate request error: " + e.getMessage(), e); } } LOG.debug("<genCertificateRequest PKCS11CryptoToken"); return retval; }
From source file:org.signserver.server.cryptotokens.SoftCryptoToken.java
License:Open Source License
/** * Special method that generates a new key pair that is written to the worker configuration * before the request is generated. The new keys aren't activated until reload is issued. * /*from w ww . j av a 2 s . c o m*/ */ @Override public ICertReqData genCertificateRequest(ISignerCertReqInfo info, final boolean explicitEccParameters, final boolean defaultKey) throws CryptoTokenOfflineException { Base64SignerCertReqData retval = null; try { KeyPair newKeys = KeyTools.genKeys(keySpec, keyAlg); ByteArrayOutputStream baos = new ByteArrayOutputStream(); DataOutputStream dos = new DataOutputStream(baos); byte[] pubKeyData = newKeys.getPublic().getEncoded(); byte[] prvKeyData = newKeys.getPrivate().getEncoded(); dos.writeInt(pubKeyData.length); dos.write(pubKeyData); dos.writeInt(prvKeyData.length); dos.write(prvKeyData); getWorkerSession().setWorkerProperty(workerId, PROPERTY_KEYDATA, new String(Base64.encode(baos.toByteArray()))); if (info instanceof PKCS10CertReqInfo) { PKCS10CertReqInfo reqInfo = (PKCS10CertReqInfo) info; PKCS10CertificationRequest pkcs10; PublicKey publicKey = newKeys.getPublic(); // Handle ECDSA key with explicit parameters if (explicitEccParameters && publicKey.getAlgorithm().contains("EC")) { publicKey = ECKeyUtil.publicToExplicitParameters(publicKey, "BC"); } // Generate request // Generate request final JcaPKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder( new X500Name(CertTools.stringToBCDNString(reqInfo.getSubjectDN())), publicKey); final ContentSigner contentSigner = new JcaContentSignerBuilder(reqInfo.getSignatureAlgorithm()) .setProvider(getProvider(ICryptoToken.PROVIDERUSAGE_SIGN)).build(newKeys.getPrivate()); pkcs10 = builder.build(contentSigner); retval = new Base64SignerCertReqData(Base64.encode(pkcs10.getEncoded())); } } catch (IOException e) { LOG.error("Certificate request error: " + e.getMessage(), e); } catch (OperatorCreationException e) { LOG.error("Certificate request error: signer could not be initialized", e); } catch (NoSuchAlgorithmException e1) { LOG.error("Error generating new certificate request : " + e1.getMessage(), e1); } catch (NoSuchProviderException e1) { LOG.error("Error generating new certificate request : " + e1.getMessage(), e1); } catch (InvalidAlgorithmParameterException e1) { LOG.error("Error generating new certificate request : " + e1.getMessage(), e1); } catch (NamingException e1) { LOG.error("Error generating new certificate request : " + e1.getMessage(), e1); } return retval; }