List of usage examples for org.bouncycastle.operator.jcajce JcaContentVerifierProviderBuilder JcaContentVerifierProviderBuilder
public JcaContentVerifierProviderBuilder()
From source file:AAModulePackage.ACHelper.java
/** * Validate the AC's cryptographic signature, checking against trusted * issuing entity's ACs.// w ww .j a v a 2s . com * @param ac - X.509 Attribute Certificate to have its signature checked. * @param trustedIssuers - Set of certificates owned by trust AC Issuing * Entities. * @return True if the signature is valid, False if it is not. */ public static boolean validateACSignature(X509AttributeCertificateHolder ac, HashSet<X509CertificateHolder> trustedIssuers) { JcaContentVerifierProviderBuilder b = new JcaContentVerifierProviderBuilder(); b.setProvider("BC"); for (X509CertificateHolder issuerCert : trustedIssuers) { try { if (ac.isSignatureValid(b.build(issuerCert))) { System.out.println("Signature for AC has been validated"); return true; } } catch (CertException ex) { Logger.getLogger(ACHelper.class.getName()).log(Level.SEVERE, null, ex); } catch (OperatorCreationException ex) { Logger.getLogger(ACHelper.class.getName()).log(Level.SEVERE, null, ex); } catch (CertificateException ex) { Logger.getLogger(ACHelper.class.getName()).log(Level.SEVERE, null, ex); } } return false; }
From source file:be.fedict.trust.ocsp.OcspTrustLinker.java
License:Open Source License
@Override public TrustLinkerResult hasTrustLink(X509Certificate childCertificate, X509Certificate certificate, Date validationDate, RevocationData revocationData, AlgorithmPolicy algorithmPolicy) throws TrustLinkerResultException, Exception { URI ocspUri = getOcspUri(childCertificate); if (null == ocspUri) { return TrustLinkerResult.UNDECIDED; }/*from ww w. j a va 2 s . c om*/ LOG.debug("OCSP URI: " + ocspUri); OCSPResp ocspResp = this.ocspRepository.findOcspResponse(ocspUri, childCertificate, certificate, validationDate); if (null == ocspResp) { LOG.debug("OCSP response not found"); return TrustLinkerResult.UNDECIDED; } int ocspRespStatus = ocspResp.getStatus(); if (OCSPResponseStatus.SUCCESSFUL != ocspRespStatus) { LOG.debug("OCSP response status: " + ocspRespStatus); return TrustLinkerResult.UNDECIDED; } Object responseObject = ocspResp.getResponseObject(); BasicOCSPResp basicOCSPResp = (BasicOCSPResp) responseObject; X509CertificateHolder[] responseCertificates = basicOCSPResp.getCerts(); for (X509CertificateHolder responseCertificate : responseCertificates) { LOG.debug("OCSP response cert: " + responseCertificate.getSubject()); LOG.debug("OCSP response cert issuer: " + responseCertificate.getIssuer()); } algorithmPolicy.checkSignatureAlgorithm(basicOCSPResp.getSignatureAlgOID().getId(), validationDate); if (0 == responseCertificates.length) { /* * This means that the OCSP response has been signed by the issuing * CA itself. */ ContentVerifierProvider contentVerifierProvider = new JcaContentVerifierProviderBuilder() .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(certificate.getPublicKey()); boolean verificationResult = basicOCSPResp.isSignatureValid(contentVerifierProvider); if (false == verificationResult) { LOG.debug("OCSP response signature invalid"); return TrustLinkerResult.UNDECIDED; } } else { /* * We're dealing with a dedicated authorized OCSP Responder * certificate, or of course with a CA that issues the OCSP * Responses itself. */ X509CertificateHolder ocspResponderCertificate = responseCertificates[0]; ContentVerifierProvider contentVerifierProvider = new JcaContentVerifierProviderBuilder() .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(ocspResponderCertificate); boolean verificationResult = basicOCSPResp.isSignatureValid(contentVerifierProvider); if (false == verificationResult) { LOG.debug("OCSP Responser response signature invalid"); return TrustLinkerResult.UNDECIDED; } if (false == Arrays.equals(certificate.getEncoded(), ocspResponderCertificate.getEncoded())) { // check certificate signature algorithm algorithmPolicy.checkSignatureAlgorithm( ocspResponderCertificate.getSignatureAlgorithm().getAlgorithm().getId(), validationDate); X509Certificate issuingCaCertificate; if (responseCertificates.length < 2) { // so the OCSP certificate chain only contains a single // entry LOG.debug("OCSP responder complete certificate chain missing"); /* * Here we assume that the OCSP Responder is directly signed * by the CA. */ issuingCaCertificate = certificate; } else { CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); issuingCaCertificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(responseCertificates[1].getEncoded())); /* * Is next check really required? */ if (false == certificate.equals(issuingCaCertificate)) { LOG.debug("OCSP responder certificate not issued by CA"); return TrustLinkerResult.UNDECIDED; } } // check certificate signature algorithmPolicy.checkSignatureAlgorithm(issuingCaCertificate.getSigAlgOID(), validationDate); PublicKeyTrustLinker publicKeyTrustLinker = new PublicKeyTrustLinker(); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); X509Certificate x509OcspResponderCertificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(ocspResponderCertificate.getEncoded())); LOG.debug("OCSP Responder public key fingerprint: " + DigestUtils.sha1Hex(x509OcspResponderCertificate.getPublicKey().getEncoded())); publicKeyTrustLinker.hasTrustLink(x509OcspResponderCertificate, issuingCaCertificate, validationDate, revocationData, algorithmPolicy); if (null == x509OcspResponderCertificate .getExtensionValue(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId())) { LOG.debug("OCSP Responder certificate should have id-pkix-ocsp-nocheck"); /* * TODO: perform CRL validation on the OCSP Responder * certificate. On the other hand, do we really want to * check the checker? */ return TrustLinkerResult.UNDECIDED; } List<String> extendedKeyUsage = x509OcspResponderCertificate.getExtendedKeyUsage(); if (null == extendedKeyUsage) { LOG.debug("OCSP Responder certificate has no extended key usage extension"); return TrustLinkerResult.UNDECIDED; } if (false == extendedKeyUsage.contains(KeyPurposeId.id_kp_OCSPSigning.getId())) { LOG.debug("OCSP Responder certificate should have a OCSPSigning extended key usage"); return TrustLinkerResult.UNDECIDED; } } else { LOG.debug("OCSP Responder certificate equals the CA certificate"); // and the CA certificate is already trusted at this point } } DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder() .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(); CertificateID certificateId = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), new JcaX509CertificateHolder(certificate), childCertificate.getSerialNumber()); SingleResp[] singleResps = basicOCSPResp.getResponses(); for (SingleResp singleResp : singleResps) { CertificateID responseCertificateId = singleResp.getCertID(); if (false == certificateId.equals(responseCertificateId)) { continue; } DateTime thisUpdate = new DateTime(singleResp.getThisUpdate()); DateTime nextUpdate; if (null != singleResp.getNextUpdate()) { nextUpdate = new DateTime(singleResp.getNextUpdate()); } else { LOG.debug("no OCSP nextUpdate"); nextUpdate = thisUpdate; } LOG.debug("OCSP thisUpdate: " + thisUpdate); LOG.debug("(OCSP) nextUpdate: " + nextUpdate); DateTime beginValidity = thisUpdate.minus(this.freshnessInterval); DateTime endValidity = nextUpdate.plus(this.freshnessInterval); DateTime validationDateTime = new DateTime(validationDate); if (validationDateTime.isBefore(beginValidity)) { LOG.warn("OCSP response not yet valid"); continue; } if (validationDateTime.isAfter(endValidity)) { LOG.warn("OCSP response expired"); continue; } if (null == singleResp.getCertStatus()) { LOG.debug("OCSP OK for: " + childCertificate.getSubjectX500Principal()); addRevocationData(revocationData, ocspResp, ocspUri); return TrustLinkerResult.TRUSTED; } else { LOG.debug("OCSP certificate status: " + singleResp.getCertStatus().getClass().getName()); if (singleResp.getCertStatus() instanceof RevokedStatus) { LOG.debug("OCSP status revoked"); } addRevocationData(revocationData, ocspResp, ocspUri); throw new TrustLinkerResultException(TrustLinkerResultReason.INVALID_REVOCATION_STATUS, "certificate revoked by OCSP"); } } LOG.debug("no matching OCSP response entry"); return TrustLinkerResult.UNDECIDED; }
From source file:beta01.CertSigningRequest.java
private void genaretKeyPairDsa() throws Exception { String signatureAlg = "SHA1withDSA"; KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA", "BC"); kpg.initialize(2048);//from ww w . ja v a 2s .c o m KeyPair kp = kpg.genKeyPair(); X500NameBuilder x500NameBuilder = new X500NameBuilder(BCStyle.INSTANCE); x500NameBuilder.addRDN(BCStyle.C, "ID"); x500NameBuilder.addRDN(BCStyle.CN, "Pizaini"); //x500NameBuilder.addRDN(BCStyle.O, "Institut Pertanian Bogor"); X500Name subject = x500NameBuilder.build(); PKCS10CertificationRequestBuilder requestBuilder = new JcaPKCS10CertificationRequestBuilder(subject, kp.getPublic()); try { PKCS10CertificationRequest request = requestBuilder .build(new JcaContentSignerBuilder(signatureAlg).setProvider("BC").build(kp.getPrivate())); //verify signature if (request.isSignatureValid( new JcaContentVerifierProviderBuilder().setProvider("BC").build(kp.getPublic()))) { System.out.println(signatureAlg + ": PKCS#10 request verified."); //CSR Output ByteArrayOutputStream baos = new ByteArrayOutputStream(); //PemWriter pemWrtb = new PemWriter(new OutputStreamWriter(baos)); JcaPEMWriter jcaPem = new JcaPEMWriter(new OutputStreamWriter(baos)); jcaPem.writeObject(request); jcaPem.close(); try { File file = new File("D:\\CSR_" + kpg.getAlgorithm() + ".p10"); FileOutputStream fos = new FileOutputStream(file); baos.close(); fos.write(baos.toByteArray()); fos.flush(); fos.close(); } catch (IOException ex) { } //store Private Key p8 try { File file = new File("D:\\PrivateKey_" + kpg.getAlgorithm() + ".p8"); FileOutputStream fos = new FileOutputStream(file); fos.write(kp.getPrivate().getEncoded()); fos.flush(); fos.close(); System.out.println("Privated key stored as " + kp.getPrivate().getFormat()); } catch (IOException ex) { } //p12 /*KeyStore pkcs12 = KeyStore.getInstance("PKCS12", "BC"); pkcs12.load(null, null); //pkcs12.setCertificateEntry("r2oot", holderRoot); pkcs12.setKeyEntry("PIZAINI_ECDSA", kp.getPrivate(), null, null); char[] password = "pass".toCharArray(); ByteArrayOutputStream bOut = new ByteArrayOutputStream(); pkcs12.store(bOut, password); ASN1InputStream asnInput = new ASN1InputStream(bOut.toByteArray()); bOut.reset(); DEROutputStream derOut = new DEROutputStream(bOut); derOut.writeObject(asnInput.readObject()); byte[] derFormat = bOut.toByteArray(); try{ File file = new File("D:\\Pizaini_ECDSA_Private.p12"); FileOutputStream fos = new FileOutputStream(file); bOut.close(); fos.write(derFormat); fos.flush(); fos.close(); }catch(IOException ex){ }*/ } else { System.out.println(signatureAlg + ": Failed verify check."); } } catch (OperatorCreationException | PKCSException ex) { } }
From source file:CAModulePackage.CertificateHelper.java
/** * * @param cert - X.509 Certificate to be validated. * @param issuingCert - X.509 Certificate that signed the other Certificate. * @return - True if the Certificate is valid, False otherwise. *//*from w w w . j a v a 2s . c o m*/ public static boolean validateCert(X509CertificateHolder cert, X509CertificateHolder issuingCert) { JcaContentVerifierProviderBuilder builder = new JcaContentVerifierProviderBuilder(); ContentVerifierProvider verifier = null; try { verifier = builder.build(issuingCert); } catch (OperatorCreationException e) { e.printStackTrace(); } catch (CertificateException e) { e.printStackTrace(); } if (!cert.isValidOn(new Date())) { return false; } try { if (!cert.isSignatureValid(verifier)) { return false; } } catch (CertException e) { e.printStackTrace(); } return true; }
From source file:com.itextpdf.signatures.SignUtils.java
License:Open Source License
static boolean isSignatureValid(BasicOCSPResp validator, Certificate certStoreX509, String provider) throws OperatorCreationException, OCSPException { if (provider == null) provider = "BC"; return validator.isSignatureValid( new JcaContentVerifierProviderBuilder().setProvider(provider).build(certStoreX509.getPublicKey())); }
From source file:com.itextpdf.text.pdf.security.CertificateVerification.java
License:Open Source License
/** * Verifies an OCSP response against a KeyStore. * @param ocsp the OCSP response/*from w w w . j ava2 s . c o m*/ * @param keystore the <CODE>KeyStore</CODE> * @param provider the provider or <CODE>null</CODE> to use the BouncyCastle provider * @return <CODE>true</CODE> is a certificate was found */ public static boolean verifyOcspCertificates(BasicOCSPResp ocsp, KeyStore keystore, String provider) { if (provider == null) provider = "BC"; try { for (Enumeration<String> aliases = keystore.aliases(); aliases.hasMoreElements();) { try { String alias = aliases.nextElement(); if (!keystore.isCertificateEntry(alias)) continue; X509Certificate certStoreX509 = (X509Certificate) keystore.getCertificate(alias); if (ocsp.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(provider) .build(certStoreX509.getPublicKey()))) return true; } catch (Exception ex) { } } } catch (Exception e) { } return false; }
From source file:com.itextpdf.text.pdf.security.OCSPVerifier.java
License:Open Source License
/** * Checks if an OCSP response is genuine * @param ocspResp the OCSP response// www .j a v a 2s . co m * @param responderCert the responder certificate * @return true if the OCSP response verifies against the responder certificate */ public boolean isSignatureValid(BasicOCSPResp ocspResp, Certificate responderCert) { try { ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder().setProvider("BC") .build(responderCert.getPublicKey()); return ocspResp.isSignatureValid(verifierProvider); } catch (OperatorCreationException e) { return false; } catch (OCSPException e) { return false; } }
From source file:de.carne.certmgr.store.provider.bouncycastle.BouncyCastlePKCS10Object.java
License:Open Source License
@Override public void verify(PublicKey publicKey) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, SignatureException { JcaContentVerifierProviderBuilder verifierBuilder = new JcaContentVerifierProviderBuilder(); boolean isSignatureValid = false; try {//from www. jav a 2 s .c om isSignatureValid = this.pkcs10Object.isSignatureValid(verifierBuilder.build(publicKey)); } catch (OperatorCreationException e) { throw new NoSuchAlgorithmException(e.getLocalizedMessage(), e); } catch (PKCSException e) { throw new SignatureException(e.getLocalizedMessage(), e); } if (!isSignatureValid) { throw new SignatureException("Verification failed for: " + this.pkcs10Object); } }
From source file:ec.rubrica.pdf.FirmaPDF.java
License:Open Source License
/** * TODO: Mas de dos firmas?/*from ww w . j ava 2 s .co m*/ * * @param pdf * @throws IOException * @throws SignatureException */ public static boolean verificar(byte[] pdf) throws IOException, SignatureException { PdfReader reader = new PdfReader(pdf); AcroFields af = reader.getAcroFields(); ArrayList<String> names = af.getSignatureNames(); for (int k = 0; k < names.size(); ++k) { String name = (String) names.get(k); System.out.println("Signature name: " + name); System.out.println("Signature covers whole document: " + af.signatureCoversWholeDocument(name)); System.out.println("Document revision: " + af.getRevision(name) + " of " + af.getTotalRevisions()); PdfPKCS7 pk = af.verifySignature(name); Calendar cal = pk.getSignDate(); Certificate[] pkc = pk.getCertificates(); TimeStampToken ts = pk.getTimeStampToken(); if (ts != null) { cal = pk.getTimeStampDate(); } if (!pk.isTsp() && ts != null) { boolean impr; try { impr = pk.verifyTimestampImprint(); System.out.println("Timestamp imprint verifies: " + impr); System.out.println("Timestamp date: " + cal); } catch (NoSuchAlgorithmException e) { throw new SignatureException(e); } } System.out.println("Subject: " + CertificateInfo.getSubjectFields(pk.getSigningCertificate())); System.out.println("Document modified: " + !pk.verify()); KeyStore kall = KeyStoreUtil.loadCacertsKeyStore(); Object fails[] = CertificateVerification.verifyCertificates(pkc, kall, null, cal); if (fails == null) { System.out.println("Certificates verified against the KeyStore"); } else { System.out.println("Certificate failed: " + fails[0]); return false; } BasicOCSPResp ocsp = pk.getOcsp(); if (ocsp != null) { try { X509Certificate cert = new SecurityDataSubCaCert(); boolean verifies = ocsp.isSignatureValid(new JcaContentVerifierProviderBuilder() .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(cert.getPublicKey())); System.out.println("OCSP signature verifies: " + verifies); System.out.println("OCSP revocation refers to this certificate: " + pk.isRevocationValid()); return verifies; } catch (OperatorCreationException e) { throw new SignatureException(e); } catch (OCSPException e) { throw new SignatureException(e); } } else { return true; } } return false; }
From source file:es.gob.afirma.cert.signvalidation.ValidateBinarySignature.java
License:Open Source License
/** Verifica la valides de una firma. Si la firma es válida, no hace nada. Si no es * válida, lanza una excepción. * @param sign Firma que se desea validar. * @param data Datos para la comprobación. * @throws CMSException Cuando la firma no tenga una estructura válida. * @throws CertStoreException Cuando se encuentra un error en los certificados de * firma o estos no pueden recuperarse.//from w w w.ja v a2s. c om * @throws CertificateExpiredException Cuando el certificado estáa caducado. * @throws CertificateNotYetValidException Cuando el certificado aun no es válido. * @throws NoSuchAlgorithmException Cuando no se reconoce o soporta alguno de los * algoritmos utilizados en la firma. * @throws NoMatchDataException Cuando los datos introducidos no coinciden con los firmados. * @throws CRLException Cuando ocurre un error con las CRL de la firma. * @throws NoSuchProviderException Cuando no se encuentran los proveedores de seguridad necesarios para validar la firma * @throws IOException Cuando no se puede crear un certificado desde la firma para validarlo * @throws OperatorCreationException Cuando no se puede crear el validado de contenido de firma*/ private static void verifySignatures(final byte[] sign, final byte[] data) throws CMSException, CertStoreException, NoSuchAlgorithmException, NoMatchDataException, CRLException, NoSuchProviderException, CertificateException, IOException, OperatorCreationException { final CMSSignedData s; if (data == null) { s = new CMSSignedData(sign); } else { s = new CMSSignedData(new CMSProcessableByteArray(data), sign); } final Store<X509CertificateHolder> store = s.getCertificates(); final CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); //$NON-NLS-1$ for (final Object si : s.getSignerInfos().getSigners()) { final SignerInformation signer = (SignerInformation) si; final Iterator<X509CertificateHolder> certIt = store .getMatches(new CertHolderBySignerIdSelector(signer.getSID())).iterator(); final X509Certificate cert = (X509Certificate) certFactory .generateCertificate(new ByteArrayInputStream(certIt.next().getEncoded())); if (!signer .verify(new SignerInformationVerifier(new DefaultCMSSignatureAlgorithmNameGenerator(), new DefaultSignatureAlgorithmIdentifierFinder(), new JcaContentVerifierProviderBuilder() .setProvider(new BouncyCastleProvider()).build(cert), new BcDigestCalculatorProvider()))) { throw new CMSException("Firma no valida"); //$NON-NLS-1$ } } }