List of usage examples for org.bouncycastle.operator.bc BcDSAContentSignerBuilder BcDSAContentSignerBuilder
public BcDSAContentSignerBuilder(AlgorithmIdentifier sigAlgId, AlgorithmIdentifier digAlgId)
From source file:dorkbox.util.crypto.CryptoX509.java
License:Apache License
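/**
 * Creates a new PKCS#7 (CMS SignedData) signature block for the given data, typically the bytes of a
 * .SF file. The signed content itself is not embedded in the block: the encapsulated ContentInfo is
 * built with a null content, so the result is a detached signature.
 *
 * The block carries one SignerInfo (digest algorithm, signature algorithm and signature value) and the
 * signer certificate. No signed attributes are added, so the signature is computed directly over
 * {@code signatureSourceData}.
 *
 * @param signatureSourceData bytes to sign (usually the signature file bytes)
 * @param x509CertificateHolder certificate identifying the signer; also embedded in the output
 * @param privateKey signing key; must be an EC, DSA or RSA (CRT) private key parameter
 * @return the encoded CMS SignedData structure
 * @throws RuntimeException if the key type is unsupported or any step of signing/encoding fails;
 *         the underlying failure is attached as the cause
 */
public static byte[] createSignature(byte[] signatureSourceData, X509CertificateHolder x509CertificateHolder,
        AsymmetricKeyParameter privateKey) {
    try {
        CMSTypedData content = new CMSProcessableByteArray(signatureSourceData);
        ASN1ObjectIdentifier contentTypeOID = new ASN1ObjectIdentifier(content.getContentType().getId());

        ASN1EncodableVector digestAlgs = new ASN1EncodableVector();
        ASN1EncodableVector signerInfos = new ASN1EncodableVector();

        // NOTE(review): getSignatureAlgorithm() is the algorithm the ISSUER used to sign this certificate.
        // It matches the signer's own key only when the certificate is self-signed or was issued with the
        // same key type. The digest strength is inherited from the certificate as well (a SHA-1 signed
        // certificate yields a SHA-1 content signature). Confirm callers only pass such certificates.
        AlgorithmIdentifier sigAlgId = x509CertificateHolder.getSignatureAlgorithm();
        AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);

        // Use the bouncy-castle lightweight API to hash and sign the signature source data.
        BcContentSignerBuilder contentSignerBuilder;
        AlgorithmIdentifier digEncryptionAlgorithm;

        if (privateKey instanceof ECPrivateKeyParameters) {
            contentSignerBuilder = new BcECDSAContentSignerBuilder(sigAlgId, digAlgId);
            // NOTE(review): the EC branch labels the SignerInfo with the DSA OID (1.2.840.10040.4.1),
            // the same value as the DSA branch. A verifier that picks the algorithm from this field
            // would see DSA for an ECDSA signature. Confirm this is what consumers expect.
            digEncryptionAlgorithm = new AlgorithmIdentifier(DSAUtil.dsaOids[0], null);
        } else if (privateKey instanceof DSAPrivateKeyParameters) {
            contentSignerBuilder = new BcDSAContentSignerBuilder(sigAlgId, digAlgId);
            digEncryptionAlgorithm = new AlgorithmIdentifier(DSAUtil.dsaOids[0], null); // 1.2.840.10040.4.1 (DSA)
        } else if (privateKey instanceof RSAPrivateCrtKeyParameters) {
            contentSignerBuilder = new BcRSAContentSignerBuilder(sigAlgId, digAlgId);
            digEncryptionAlgorithm = new AlgorithmIdentifier(RSAUtil.rsaOids[0], null); // 1.2.840.113549.1.1.1 (RSA)
        } else {
            throw new RuntimeException("Invalid signature type. Only ECDSA, DSA, RSA supported.");
        }

        ContentSigner hashSigner = contentSignerBuilder.build(privateKey);
        OutputStream outputStream = hashSigner.getOutputStream();
        outputStream.write(signatureSourceData, 0, signatureSourceData.length);
        outputStream.flush();
        byte[] sigBytes = hashSigner.getSignature();

        // The signer is identified by issuer DN + serial number of the supplied certificate.
        SignerIdentifier sigId = new SignerIdentifier(
                new IssuerAndSerialNumber(x509CertificateHolder.toASN1Structure()));

        // Both attribute sets are null: no authenticated and no unauthenticated attributes.
        SignerInfo inf = new SignerInfo(sigId, digAlgId, null, digEncryptionAlgorithm,
                new DEROctetString(sigBytes), (ASN1Set) null);

        digestAlgs.add(inf.getDigestAlgorithm());
        signerInfos.add(inf);

        ASN1EncodableVector certs = new ASN1EncodableVector();
        certs.add(x509CertificateHolder.toASN1Structure());

        // Null content: the signed bytes are kept outside the signature block.
        ContentInfo encInfo = new ContentInfo(contentTypeOID, null);
        SignedData sd = new SignedData(new DERSet(digestAlgs), encInfo, new BERSet(certs), null,
                new DERSet(signerInfos));

        ContentInfo contentInfo = new ContentInfo(CMSObjectIdentifiers.signedData, sd);
        CMSSignedData cmsSignedData2 = new CMSSignedData(content, contentInfo);

        return cmsSignedData2.getEncoded();
    } catch (Throwable t) {
        logger.error("Error signing data.", t);
        // Keep the original failure as the cause so callers do not lose the stack trace.
        throw new RuntimeException("Error trying to sign data. " + t.getMessage(), t);
    }
}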
From source file:org.kontalk.certgen.X509Bridge.java
License:Open Source License
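/**
 * Creates a self-signed certificate from a public and private key. The
 * (critical) basic-constraints extension marks the certificate as a CA. The
 * (critical) key-usage extension is set up with: digital signature,
 * non-repudiation, key-encipherment, key-agreement and certificate-signing.
 * The (non-critical) Netscape extension is set up with: SSL client and
 * S/MIME. A URI subjectAltName may also be set up. The certificate is
 * verified against {@code pubKey} before it is returned.
 *
 * @param pubKey
 *            public key (algorithm must be "DSA" or "RSA")
 * @param privKey
 *            private key
 * @param subject
 *            subject (and issuer) DN for this certificate, RFC 2253 format
 *            preferred.
 * @param startDate
 *            date from which the certificate will be valid
 *            (defaults to current date and time if null)
 * @param endDate
 *            date until which the certificate will be valid
 *            (defaults to start date and time if null)
 * @param subjectAltName
 *            URI to be placed in subjectAltName (skipped if null)
 * @param publicKeyData
 *            bytes wrapped in the SubjectPGPPublicKeyInfo extension
 * @return self-signed certificate
 * @throws RuntimeException
 *             if the public key algorithm is neither DSA nor RSA
 */
private static X509Certificate createCertificate(PublicKey pubKey, PrivateKey privKey, X500Name subject,
        Date startDate, Date endDate, String subjectAltName, byte[] publicKeyData)
        throws InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException,
        CertificateException, NoSuchProviderException, IOException, OperatorCreationException {

    /*
     * Sets the signature algorithm.
     *
     * NOTE(review): both branches sign with SHA-1. SHA-1 is no longer
     * collision resistant and SHA-1 signed certificates are rejected by
     * many current validators. Moving to a SHA-256 based algorithm changes
     * the issued certificate, so confirm peer compatibility first.
     * ECDSA keys are not supported here.
     */
    BcContentSignerBuilder signerBuilder;
    String pubKeyAlgorithm = pubKey.getAlgorithm();
    if ("DSA".equals(pubKeyAlgorithm)) {
        AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1WithDSA");
        AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
        signerBuilder = new BcDSAContentSignerBuilder(sigAlgId, digAlgId);
    } else if ("RSA".equals(pubKeyAlgorithm)) {
        AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder()
                .find("SHA1WithRSAEncryption");
        AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
        signerBuilder = new BcRSAContentSignerBuilder(sigAlgId, digAlgId);
    } else {
        throw new RuntimeException("Algorithm not recognised: " + pubKeyAlgorithm);
    }

    AsymmetricKeyParameter keyp = PrivateKeyFactory.createKey(privKey.getEncoded());
    ContentSigner signer = signerBuilder.build(keyp);

    /*
     * Sets up the validity dates. With both arguments null the certificate
     * is valid for a single instant (notBefore == notAfter), as documented.
     */
    Date notBefore = (startDate != null) ? startDate : new Date();
    Date notAfter = (endDate != null) ? endDate : notBefore;

    /*
     * Decodes the public key to embed in this certificate. The stream is
     * closed explicitly instead of being left to the garbage collector.
     */
    SubjectPublicKeyInfo subjectPublicKeyInfo;
    try (ASN1InputStream keyIn = new ASN1InputStream(pubKey.getEncoded())) {
        subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(keyIn.readObject());
    }

    /*
     * Since it's a self-signed certificate, issuer and subject are the
     * same. The serial number is always 1, so certificates from this
     * method are not distinguishable by issuer + serial.
     */
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(subject, BigInteger.ONE, notBefore,
            notAfter, subject, subjectPublicKeyInfo);

    /*
     * Adds the Basic Constraint (CA: true) extension.
     */
    certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));

    /*
     * Adds the Key Usage extension.
     */
    certBuilder.addExtension(Extension.keyUsage, true,
            new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment
                    | KeyUsage.keyAgreement | KeyUsage.keyCertSign));

    /*
     * Adds the Netscape certificate type extension.
     */
    certBuilder.addExtension(MiscObjectIdentifiers.netscapeCertType, false,
            new NetscapeCertType(NetscapeCertType.sslClient | NetscapeCertType.smime));

    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();

    /*
     * Adds the subject key identifier extension.
     */
    SubjectKeyIdentifier subjectKeyIdentifier = extUtils.createSubjectKeyIdentifier(pubKey);
    certBuilder.addExtension(Extension.subjectKeyIdentifier, false, subjectKeyIdentifier);

    /*
     * Adds the authority key identifier extension (same key: self-signed).
     */
    AuthorityKeyIdentifier authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(pubKey);
    certBuilder.addExtension(Extension.authorityKeyIdentifier, false, authorityKeyIdentifier);

    /*
     * Adds the subject alternative-name extension. The value is documented
     * as a URI, so it is encoded as uniformResourceIdentifier; the
     * String-based GeneralName constructor does not accept the otherName
     * tag, which needs a structured (type-id, value) pair.
     */
    if (subjectAltName != null) {
        GeneralNames subjectAltNames = new GeneralNames(
                new GeneralName(GeneralName.uniformResourceIdentifier, subjectAltName));
        certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
    }

    /*
     * Adds the PGP public key block extension.
     */
    SubjectPGPPublicKeyInfo publicKeyExtension = new SubjectPGPPublicKeyInfo(publicKeyData);
    certBuilder.addExtension(SubjectPGPPublicKeyInfo.OID, false, publicKeyExtension);

    /*
     * Creates and sign this certificate with the private key
     * corresponding to the public key of the certificate
     * (hence the name "self-signed certificate").
     */
    X509CertificateHolder holder = certBuilder.build(signer);

    /*
     * Checks that this certificate has indeed been correctly signed;
     * verify() throws if privKey does not match pubKey.
     */
    X509Certificate cert = new JcaX509CertificateConverter().getCertificate(holder);
    cert.verify(pubKey);

    return cert;
}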
From source file:org.xipki.commons.security.pkcs12.P12KeypairGenerator.java
License:Open Source License
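/**
 * Builds a {@link ContentSigner} for the given private key, choosing the signature and digest
 * algorithm from the key type (and, for EC keys, from the bit length of the curve order).
 *
 * @param key RSA, DSA or EC private key
 * @return a signer bound to {@code key}
 * @throws IllegalArgumentException if the key is of any other type
 * @throws Exception if the signer cannot be built
 */
private static ContentSigner getContentSigner(final PrivateKey key) throws Exception {
    BcContentSignerBuilder builder;

    if (key instanceof RSAPrivateKey) {
        // NOTE(review): RSA keys always sign with SHA-1, regardless of key size. SHA-1 is no longer
        // collision resistant; confirm whether consumers of these signatures still require it.
        ASN1ObjectIdentifier hashOid = X509ObjectIdentifiers.id_SHA1;
        ASN1ObjectIdentifier sigOid = PKCSObjectIdentifiers.sha1WithRSAEncryption;

        builder = new BcRSAContentSignerBuilder(buildAlgId(sigOid), buildAlgId(hashOid));
    } else if (key instanceof DSAPrivateKey) {
        // NOTE(review): DSA keys always sign with SHA-1 as well (see the RSA branch).
        ASN1ObjectIdentifier hashOid = X509ObjectIdentifiers.id_SHA1;
        AlgorithmIdentifier sigId = new AlgorithmIdentifier(X9ObjectIdentifiers.id_dsa_with_sha1);

        builder = new BcDSAContentSignerBuilder(sigId, buildAlgId(hashOid));
    } else if (key instanceof ECPrivateKey) {
        HashAlgoType hashAlgo;
        ASN1ObjectIdentifier sigOid;

        // Pick a digest whose strength tracks the curve size. The 224/256 rungs were swapped before,
        // which gave 225..256-bit curves SHA-224 and 161..224-bit curves SHA-256.
        int keysize = ((ECPrivateKey) key).getParams().getOrder().bitLength();
        if (keysize > 384) {
            hashAlgo = HashAlgoType.SHA512;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA512;
        } else if (keysize > 256) {
            hashAlgo = HashAlgoType.SHA384;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA384;
        } else if (keysize > 224) {
            hashAlgo = HashAlgoType.SHA256;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA256;
        } else if (keysize > 160) {
            hashAlgo = HashAlgoType.SHA224;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA224;
        } else {
            hashAlgo = HashAlgoType.SHA1;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA1;
        }

        builder = new BcECContentSignerBuilder(new AlgorithmIdentifier(sigOid),
                buildAlgId(hashAlgo.getOid()));
    } else {
        throw new IllegalArgumentException("unknown type of key " + key.getClass().getName());
    }

    return builder.build(KeyUtil.generatePrivateKeyParameter(key));
}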
From source file:org.xipki.security.P12KeypairGenerator.java
License:Open Source License
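/**
 * Builds a {@link ContentSigner} for the given private key, choosing the signature and digest
 * algorithm from the key type (and, for EC keys, from the bit length of the curve order).
 *
 * @param key RSA, DSA or EC private key
 * @return a signer bound to {@code key}
 * @throws IllegalArgumentException if the key is of any other type
 * @throws Exception if the signer cannot be built
 */
private ContentSigner getContentSigner(final PrivateKey key) throws Exception {
    BcContentSignerBuilder builder;

    if (key instanceof RSAPrivateKey) {
        // NOTE(review): RSA keys always sign with SHA-1, regardless of key size. SHA-1 is no longer
        // collision resistant; confirm whether consumers of these signatures still require it.
        ASN1ObjectIdentifier hashOid = X509ObjectIdentifiers.id_SHA1;
        ASN1ObjectIdentifier sigOid = PKCSObjectIdentifiers.sha1WithRSAEncryption;

        builder = new BcRSAContentSignerBuilder(buildAlgId(sigOid), buildAlgId(hashOid));
    } else if (key instanceof DSAPrivateKey) {
        // NOTE(review): DSA keys always sign with SHA-1 as well (see the RSA branch).
        ASN1ObjectIdentifier hashOid = X509ObjectIdentifiers.id_SHA1;
        AlgorithmIdentifier sigId = new AlgorithmIdentifier(X9ObjectIdentifiers.id_dsa_with_sha1);

        builder = new BcDSAContentSignerBuilder(sigId, buildAlgId(hashOid));
    } else if (key instanceof ECPrivateKey) {
        ASN1ObjectIdentifier hashOid;
        ASN1ObjectIdentifier sigOid;

        // Pick a digest whose strength tracks the curve size. The 224/256 rungs were swapped before,
        // which gave 225..256-bit curves SHA-224 and 161..224-bit curves SHA-256.
        int keySize = ((ECPrivateKey) key).getParams().getOrder().bitLength();
        if (keySize > 384) {
            hashOid = NISTObjectIdentifiers.id_sha512;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA512;
        } else if (keySize > 256) {
            hashOid = NISTObjectIdentifiers.id_sha384;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA384;
        } else if (keySize > 224) {
            hashOid = NISTObjectIdentifiers.id_sha256;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA256;
        } else if (keySize > 160) {
            hashOid = NISTObjectIdentifiers.id_sha224;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA224;
        } else {
            hashOid = X509ObjectIdentifiers.id_SHA1;
            sigOid = X9ObjectIdentifiers.ecdsa_with_SHA1;
        }

        builder = new ECDSAContentSignerBuilder(new AlgorithmIdentifier(sigOid), buildAlgId(hashOid));
    } else {
        throw new IllegalArgumentException("unknown type of key " + key.getClass().getName());
    }

    return builder.build(KeyUtil.generatePrivateKeyParameter(key));
}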