List of usage examples for org.bouncycastle.operator.jcajce JcaDigestCalculatorProviderBuilder JcaDigestCalculatorProviderBuilder
public JcaDigestCalculatorProviderBuilder()
From source file:org.signserver.validationservice.server.OCSPPathChecker.java
License:Open Source License
/**
 * Generates a basic OCSP request that asks for the status of exactly one certificate.
 *
 * The certificate is identified towards the responder by its issuer and serial
 * number, hashed with SHA-1 (the CertificateID hash most responders expect).
 *
 * No nonce extension is attached by this method, so a replayed or cached response
 * cannot be told apart from a fresh one at this layer; the caller has to judge
 * freshness from the response's own thisUpdate/nextUpdate values.
 *
 * @param issuerCert certificate of the issuer of the certificate to be queried for status
 * @param cert certificate to be queried for status
 * @return basic ocsp request for single certificate
 * @throws OCSPException if the certificate identifier cannot be built
 * @throws CertificateEncodingException if one of the certificates cannot be encoded
 * @throws OperatorCreationException if the SHA-1 digest calculator cannot be created
 */
protected OCSPReq generateOCSPRequest(X509Certificate issuerCert, X509Certificate cert)
        throws OCSPException, CertificateEncodingException, OperatorCreationException {
    final OCSPReqBuilder requestBuilder = new OCSPReqBuilder();

    // Identify the queried certificate by (issuer, serial) using the default JCA digest provider
    final JcaCertificateID certificateId = new JcaCertificateID(
            new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1),
            issuerCert,
            cert.getSerialNumber());
    requestBuilder.addRequest(certificateId);

    return requestBuilder.build();
}
From source file:org.signserver.validationservice.server.ValidationUtils.java
License:Open Source License
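/**
 * Sends a request to the OCSP responder and returns the results.
 *
 * Note: Based on code from the EJBCA ValidationTool.
 *
 * The responder identity check at the end only compares the ResponderID against the
 * first certificate embedded in the response. This method does not verify the
 * response signature and does not chain that certificate to a trusted issuer, so a
 * caller must perform those checks before acting on the returned status.
 *
 * @param url of the OCSP responder
 * @param request to send
 * @return An OCSPResponse object filled with information about the response
 * @throws IOException in case of networking related errors, or when the response
 *         carries no usable signer certificate
 * @throws OCSPException in case of error parsing the response
 */
public static OCSPResponse queryOCSPResponder(URL url, OCSPReq request) throws IOException, OCSPException {
    final OCSPResponse result = new OCSPResponse();

    final URLConnection urlCon = url.openConnection();
    if (!(urlCon instanceof HttpURLConnection)) {
        throw new IOException("Unsupported protocol in URL: " + url);
    }
    final HttpURLConnection con = (HttpURLConnection) urlCon;
    // NOTE(review): no connect/read timeout is configured, so a stalled responder blocks
    // the caller indefinitely; consider con.setConnectTimeout/setReadTimeout.

    // POST the DER-encoded OCSP request
    con.setDoOutput(true);
    con.setRequestMethod("POST");
    con.setRequestProperty("Content-Type", "application/ocsp-request");
    OutputStream os = null;
    try {
        os = con.getOutputStream();
        os.write(request.getEncoded());
    } finally {
        if (os != null) {
            os.close();
        }
    }

    result.setHttpReturnCode(con.getResponseCode());
    if (result.getHttpReturnCode() != 200) {
        if (result.getHttpReturnCode() == 401) {
            result.setError(OCSPResponse.Error.httpUnauthorized);
        } else {
            result.setError(OCSPResponse.Error.unknown);
        }
        return result;
    }

    // Read the whole response body; the bytes are parsed only after the stream is drained.
    OCSPResp response = null;
    InputStream in = null;
    try {
        in = con.getInputStream();
        if (in != null) {
            final ByteArrayOutputStream bout = new ByteArrayOutputStream();
            final byte[] buffer = new byte[4096];
            int read;
            while ((read = in.read(buffer)) != -1) {
                bout.write(buffer, 0, read);
            }
            response = new OCSPResp(bout.toByteArray());
        }
    } finally {
        if (in != null) {
            try {
                in.close();
            } catch (IOException ignored) { // NOPMD
                // best effort: the response bytes have already been captured
            }
        }
    }
    if (response == null) {
        result.setError(OCSPResponse.Error.noResponse);
        return result;
    }
    result.setResp(response);

    if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
        result.setError(OCSPResponse.Error.fromBCOCSPResponseStatus(response.getStatus()));
        return result;
    }

    final BasicOCSPResp brep = (BasicOCSPResp) response.getResponseObject();
    result.setResponseObject(brep);
    if (brep == null) {
        result.setError(OCSPResponse.Error.noResponse);
        return result;
    }

    final RespID id = brep.getResponderId();
    final DERTaggedObject to = (DERTaggedObject) id.toASN1Object().toASN1Object();
    final RespID respId;

    // The first embedded certificate is taken as the signer; without it the ResponderID
    // cannot be compared to anything, which previously surfaced as an unchecked
    // ArrayIndexOutOfBoundsException/NullPointerException.
    final X509CertificateHolder[] chain = brep.getCerts();
    if (chain == null || chain.length == 0) {
        throw new IOException("OCSP response contains no signer certificate");
    }
    final JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
    final X509Certificate signerCertificate;
    try {
        signerCertificate = converter.getCertificate(chain[0]);
    } catch (CertificateException ex) {
        // keep the original exception as cause for diagnostics
        throw new IOException("Could not convert certificate: " + ex.getMessage(), ex);
    }
    result.setSignerCertificate(signerCertificate);

    if (to.getTagNo() == 1) {
        // ResponderID is byName ([1]): compare against the signer's subject
        respId = new JcaRespID(signerCertificate.getSubjectX500Principal());
    } else {
        // ResponderID is byKey ([2]): compare against the SHA-1 hash of the signer's public key
        final PublicKey signerPub = signerCertificate.getPublicKey();
        try {
            respId = new JcaRespID(signerPub,
                    new JcaDigestCalculatorProviderBuilder().build().get(RespID.HASH_SHA1));
        } catch (OperatorCreationException ex) {
            throw new IOException("Could not create respId: " + ex.getMessage(), ex);
        }
    }

    if (!id.equals(respId)) {
        // Response responderId does not match signer certificate responderId!
        result.setError(OCSPResponse.Error.invalidSignerId);
    }

    result.setIssuerDN(signerCertificate.getIssuerX500Principal());

    if (result.getError() == null) {
        result.setError(OCSPResponse.Error.responseSuccess);
    }

    return result;
}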
From source file:org.structr.function.CreateJarFileFunction.java
License:Open Source License
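/**
 * Writes a detached CMS/PKCS#7 signature block over {@code data} into the jar stream.
 *
 * The signer info is produced with direct signatures (no signed attributes) and the
 * signed content is not encapsulated. The {@code DEROutputStream} only wraps
 * {@code jos}, which stays open because the caller still owns the jar stream; the
 * temporary {@code ASN1InputStream} used for DER re-encoding is closed here.
 *
 * @param jos        jar output stream positioned at the signature-block entry
 * @param algorithm  digest algorithm name; combined with the key algorithm into the
 *                   JCA signature algorithm {@code <algorithm>with<keyAlgorithm>}
 * @param data       content to sign
 * @param publicKey  signer certificate that is embedded in the block
 * @param privateKey key used to create the signature
 * @throws IOException                  on write or ASN.1 re-encoding failures
 * @throws CertificateEncodingException if the certificate cannot be encoded
 * @throws OperatorCreationException    if the content signer or digest provider cannot be created
 * @throws CMSException                 if SignedData generation fails
 */
private void writeSignatureBlock(final JarOutputStream jos, final String algorithm, final CMSTypedData data,
        final X509Certificate publicKey, final PrivateKey privateKey)
        throws IOException, CertificateEncodingException, OperatorCreationException, CMSException {

    final List<X509Certificate> certList = new ArrayList<>();
    certList.add(publicKey);
    final JcaCertStore certs = new JcaCertStore(certList);

    final ContentSigner signer = new JcaContentSignerBuilder(algorithm + "with" + privateKey.getAlgorithm())
            .build(privateKey);
    final SignerInfoGenerator infoGenerator = new JcaSignerInfoGeneratorBuilder(
            new JcaDigestCalculatorProviderBuilder().build())
            .setDirectSignature(true)
            .build(signer, publicKey);

    final CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
    gen.addSignerInfoGenerator(infoGenerator);
    gen.addCertificates(certs);

    // false: detached signature, the content itself is not embedded in the block
    final CMSSignedData sigData = gen.generate(data, false);

    // Re-encode through ASN1InputStream/DEROutputStream so the block is written as DER.
    // Only the input side is closed; closing the DEROutputStream would close the jar.
    try (ASN1InputStream asn1 = new ASN1InputStream(sigData.getEncoded())) {
        final DEROutputStream dos = new DEROutputStream(jos);
        dos.writeObject(asn1.readObject());
    }
}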
From source file:org.structr.jar.CreateJarFileFunction.java
License:Open Source License
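/**
 * Writes a detached CMS/PKCS#7 signature block over {@code data} into the jar stream.
 *
 * Direct signatures are used (no signed attributes) and the content is not
 * encapsulated. {@code jos} is wrapped, not owned, so it is left open for the
 * caller; the {@code ASN1InputStream} that is only needed for DER re-encoding is
 * closed before returning.
 *
 * @param jos        jar output stream positioned at the signature-block entry
 * @param algorithm  digest algorithm name, turned into the JCA signature algorithm
 *                   {@code <algorithm>with<keyAlgorithm>}
 * @param data       content to sign
 * @param publicKey  signer certificate embedded in the block
 * @param privateKey key used to create the signature
 * @throws IOException                  on write or ASN.1 re-encoding failures
 * @throws CertificateEncodingException if the certificate cannot be encoded
 * @throws OperatorCreationException    if the content signer or digest provider cannot be created
 * @throws CMSException                 if SignedData generation fails
 */
private void writeSignatureBlock(final JarOutputStream jos, final String algorithm, final CMSTypedData data,
        final X509Certificate publicKey, final PrivateKey privateKey)
        throws IOException, CertificateEncodingException, OperatorCreationException, CMSException {

    final List<X509Certificate> certList = new ArrayList<>();
    certList.add(publicKey);
    final JcaCertStore certs = new JcaCertStore(certList);

    final String signatureAlgorithm = algorithm + "with" + privateKey.getAlgorithm();
    final ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(privateKey);
    final SignerInfoGenerator infoGenerator = new JcaSignerInfoGeneratorBuilder(
            new JcaDigestCalculatorProviderBuilder().build())
            .setDirectSignature(true)
            .build(signer, publicKey);

    final CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
    gen.addSignerInfoGenerator(infoGenerator);
    gen.addCertificates(certs);

    // false: detached, the signed content is not embedded in the block
    final CMSSignedData sigData = gen.generate(data, false);

    // DER re-encode into the jar; the output wrapper is deliberately not closed
    // because that would close the underlying jar stream.
    try (ASN1InputStream asn1 = new ASN1InputStream(sigData.getEncoded())) {
        final ASN1Primitive obj = asn1.readObject();
        final DEROutputStream dos = new DEROutputStream(jos);
        dos.writeObject(obj);
    }
}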
From source file:org.structr.jar.SignedJarBuilder.java
License:Open Source License
/** * Write the certificate file with a digital signature. */// w ww . ja v a 2 s . co m private void writeSignatureBlock(final JarOutputStream jos, final CMSTypedData data, final X509Certificate publicKey, final PrivateKey privateKey) throws IOException, CertificateEncodingException, OperatorCreationException, CMSException { final List<X509Certificate> certList = new ArrayList<>(); certList.add(publicKey); final JcaCertStore certs = new JcaCertStore(certList); final CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); final ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA1with" + privateKey.getAlgorithm()) .build(privateKey); gen.addSignerInfoGenerator( new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build()) .setDirectSignature(true).build(sha1Signer, publicKey)); gen.addCertificates(certs); final CMSSignedData sigData = gen.generate(data, false); final ASN1InputStream asn1 = new ASN1InputStream(sigData.getEncoded()); final DEROutputStream dos = new DEROutputStream(jos); dos.writeObject(asn1.readObject()); }
From source file:org.usrz.libs.crypto.utils.PKCS7.java
License:Apache License
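/**
 * Prepare a detached <code>PKCS7</code> signature.
 *
 * The SignedData embeds the signer certificate plus any supplied authorities and
 * carries BC's default signed attributes; the signed data itself is not embedded.
 *
 * @param privateKey The private key to use for signing
 * @param certificate The certificate associated with the private key.
 * @param authorities An optional list of certificate authorities to include.
 * @param hash The {@linkplain Hash hashing algorithm} to use for signing.
 * @param data The binary data to sign.
 * @return The <code>PKCS7</code> as a byte array.
 * @throws SignatureException If there was a problem generating the signature.
 */
public static byte[] sign(final PrivateKey privateKey, final X509Certificate certificate,
        final List<X509Certificate> authorities, final Hash hash, final byte[] data) throws SignatureException {
    try {
        final String signatureAlgorithm = CryptoUtils.getSignatureAlgorithm(privateKey, hash);
        final ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(privateKey);

        final CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        generator.addSignerInfoGenerator(
                new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
                        .setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator())
                        .build(signer, certificate));

        // Embed the signer certificate and the optional CA certificates, deduplicated.
        final Set<Certificate> certificates = new HashSet<>();
        if (authorities != null) {
            certificates.addAll(authorities);
        }
        certificates.add(certificate);
        generator.addCertificates(new JcaCertStore(certificates));

        final CMSTypedData cmsData = new CMSProcessableByteArray(data);
        // false: detached, the data is not encapsulated in the PKCS7
        final CMSSignedData signeddata = generator.generate(cmsData, false);
        return signeddata.getEncoded();
    } catch (Exception exception) {
        // API boundary: every JCA/BC failure is reported as a SignatureException with its cause kept
        throw new SignatureException("Signature could not be generated", exception);
    }
}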
From source file:org.votingsystem.signature.util.TimeStampResponseGenerator.java
License:Open Source License
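/**
 * Parses a timestamp request from {@code requestInputStream} and immediately
 * generates the signed timestamp token for it.
 *
 * The token is signed with {@code SIGNATURE_ALGORITHM} under {@code ContextVS.PROVIDER},
 * uses the policy {@code DEFAULT_TSA_POLICY_OID}, the accuracy/ordering values
 * configured in this class, and embeds the certificates from {@code signingData}.
 *
 * NOTE(review): the parsed request is not checked against an allowed set of digest
 * algorithms or policies before a token is issued; BC's
 * {@code TimeStampRequest.validate} exists for that purpose.
 *
 * @param requestInputStream DER-encoded RFC 3161 TimeStampReq
 * @param signingData        key, certificate and chain used to sign the token
 * @param timeStampDate      the time asserted in the token
 * @throws ExceptionVS                  if the request is null or cannot be parsed
 * @throws OperatorCreationException    if the digest calculator or content signer cannot be created
 * @throws CertificateEncodingException if the signing certificate cannot be encoded
 * @throws TSPException                 if the token cannot be generated
 */
public TimeStampResponseGenerator(InputStream requestInputStream, SignatureData signingData, Date timeStampDate)
        throws ExceptionVS, OperatorCreationException, CertificateEncodingException, TSPException {
    final TimeStampRequest timeStampRequest;
    try {
        timeStampRequest = new TimeStampRequest(requestInputStream);
    } catch (Exception ex) {
        // A malformed request can surface as an IOException or as a runtime exception from
        // the ASN.1 layer, so the broad catch is deliberate; the cause is kept for diagnostics.
        final ExceptionVS wrapped = new ExceptionVS("invalid or null timestamp request: " + ex.getMessage());
        wrapped.initCause(ex);
        throw wrapped;
    }

    this.statusStrings = new ASN1EncodableVector();
    serialNumber = KeyGeneratorVS.INSTANCE.getSerno();
    log.info("getTimeStampResponse - serialNumber: " + serialNumber + " - CertReq: "
            + timeStampRequest.getCertReq());

    final JcaSignerInfoGeneratorBuilder infoGeneratorBuilder = new JcaSignerInfoGeneratorBuilder(
            new JcaDigestCalculatorProviderBuilder().setProvider(ContextVS.PROVIDER).build());
    tokenGenerator = new TimeStampTokenGenerator(
            infoGeneratorBuilder.build(
                    new JcaContentSignerBuilder(SIGNATURE_ALGORITHM)
                            .setProvider(ContextVS.PROVIDER)
                            .build(signingData.getSigningKey()),
                    signingData.getSigningCert()),
            new ASN1ObjectIdentifier(DEFAULT_TSA_POLICY_OID));
    tokenGenerator.setAccuracyMicros(ACCURACYMICROS);
    tokenGenerator.setAccuracyMillis(ACCURACYMILLIS);
    tokenGenerator.setAccuracySeconds(ACCURACYSECONDS);
    tokenGenerator.setOrdering(ORDERING);
    tokenGenerator.addCertificates(signingData.getCerts());

    token = tokenGenerator.generate(timeStampRequest, serialNumber, timeStampDate);
}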
From source file:org.xdi.oxauth.cert.validation.OCSPCertificateVerifier.java
License:MIT License
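/**
 * Checks the revocation status of {@code certificate} against the OCSP responder
 * resolved by {@code getOCSPUrl}.
 *
 * The returned status starts as UNKNOWN and only moves to VALID or REVOKED when a
 * SingleResponse matching the queried CertificateID is present; INVALID marks a
 * responder that did not answer SUCCESSFUL. Any exception is logged and leaves the
 * status at UNKNOWN.
 *
 * NOTE(review): the response signature is not verified here and no nonce is sent,
 * so VALID must not be treated as authoritative unless a separate step checks the
 * response's origin and freshness (producedAt/thisUpdate/nextUpdate).
 *
 * @param certificate    certificate whose status is queried
 * @param issuers        issuer chain; the first element must be the direct issuer of
 *                       {@code certificate}, it is used to build the CertificateID
 * @param validationDate instant at which validity is evaluated; a revocation dated after
 *                       this instant does not make the certificate REVOKED
 * @return the validation status, never null
 * @throws IllegalArgumentException if {@code issuers} is null or empty
 */
@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
    if (issuers == null || issuers.isEmpty()) {
        throw new IllegalArgumentException("issuers must contain the direct issuer of the certificate");
    }
    X509Certificate issuer = issuers.get(0);
    ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.OCSP,
            CertificateValidity.UNKNOWN);
    try {
        Principal subjectX500Principal = certificate.getSubjectX500Principal();

        String ocspUrl = getOCSPUrl(certificate);
        if (ocspUrl == null) {
            log.error("OCSP URL for '" + subjectX500Principal + "' is empty");
            return status;
        }
        log.debug("OCSP URL for '" + subjectX500Principal + "' is '" + ocspUrl + "'");

        // CertificateID is the hash of the *issuer* name and issuer key plus the subject's
        // serial number (RFC 6960). Building it from the subject certificate itself yields an
        // identifier the responder cannot match, so the issuer holder is used here.
        DigestCalculator digestCalculator = new JcaDigestCalculatorProviderBuilder().build()
                .get(CertificateID.HASH_SHA1);
        CertificateID certificateId = new CertificateID(digestCalculator, new JcaX509CertificateHolder(issuer),
                certificate.getSerialNumber());

        // Generate OCSP request
        OCSPReq ocspReq = generateOCSPRequest(certificateId);

        // Get OCSP response from server
        OCSPResp ocspResp = requestOCSPResponse(ocspUrl, ocspReq);
        if (ocspResp.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
            log.error("OCSP response is invalid!");
            status.setValidity(CertificateValidity.INVALID);
            return status;
        }

        boolean foundResponse = false;
        BasicOCSPResp basicOCSPResp = (BasicOCSPResp) ocspResp.getResponseObject();
        for (SingleResp singleResp : basicOCSPResp.getResponses()) {
            if (!certificateId.equals(singleResp.getCertID())) {
                continue;
            }
            foundResponse = true;
            applySingleResponse(singleResp, basicOCSPResp, status, subjectX500Principal, validationDate);
        }

        if (!foundResponse) {
            log.error("There is no matching OCSP response entries");
        }
    } catch (Exception ex) {
        // Best effort: any failure is logged and the status stays UNKNOWN
        log.error("OCSP exception: ", ex);
    }

    return status;
}

/**
 * Copies the outcome of one SingleResponse that matches the queried CertificateID into
 * {@code status}. A cert status that is neither GOOD nor a RevokedStatus (i.e. unknown)
 * leaves the validity untouched at UNKNOWN.
 */
private void applySingleResponse(SingleResp singleResp, BasicOCSPResp basicOCSPResp, ValidationStatus status,
        Principal subjectX500Principal, Date validationDate) {
    log.debug("OCSP validationDate: " + validationDate);
    log.debug("OCSP thisUpdate: " + singleResp.getThisUpdate());
    log.debug("OCSP nextUpdate: " + singleResp.getNextUpdate());

    status.setRevocationObjectIssuingTime(basicOCSPResp.getProducedAt());

    Object certStatus = singleResp.getCertStatus();
    if (certStatus == CertificateStatus.GOOD) {
        // CertificateStatus.GOOD is BC's null sentinel, so identity comparison is the intended check
        log.debug("OCSP status is valid for '" + subjectX500Principal + "'");
        status.setValidity(CertificateValidity.VALID);
    } else if (certStatus instanceof RevokedStatus) {
        Date revocationDate = ((RevokedStatus) certStatus).getRevocationTime();
        log.warn("OCSP status is revoked for: " + subjectX500Principal);
        if (validationDate.before(revocationDate)) {
            // Revoked later than the instant being evaluated: it was still valid back then
            log.warn("OCSP revocation time after the validation date, the certificate '" + subjectX500Principal
                    + "' was valid at " + validationDate);
            status.setValidity(CertificateValidity.VALID);
        } else {
            log.info("OCSP for certificate '" + subjectX500Principal + "' is revoked since " + revocationDate);
            status.setRevocationDate(revocationDate);
            status.setRevocationObjectIssuingTime(singleResp.getThisUpdate());
            status.setValidity(CertificateValidity.REVOKED);
        }
    }
}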
From source file:test.integ.be.fedict.commons.eid.client.CMSTest.java
License:Open Source License
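/**
 * Signs a short message with the BeID "Authentication" key and checks that a
 * CMS SignedData carrying exactly one signer comes back.
 *
 * Presumably needs an eID card present, since the key comes from the "BeID" key
 * store; the providers are registered on every run because the test has no fixture.
 *
 * NOTE(review): SHA1withRSA is used for the signature. Acceptable for a smoke test
 * of the card, but SHA-1 should not be used for production signatures.
 */
@Test
public void testCMSSignature() throws Exception {
    Security.addProvider(new BeIDProvider());
    Security.addProvider(new BouncyCastleProvider());

    KeyStore keyStore = KeyStore.getInstance("BeID");
    keyStore.load(null);
    PrivateKey privateKey = (PrivateKey) keyStore.getKey("Authentication", null);
    X509Certificate certificate = (X509Certificate) keyStore.getCertificate("Authentication");

    // Explicit charset: getBytes() without one depends on the platform default
    CMSTypedData msg = new CMSProcessableByteArray("Hello world!".getBytes("UTF-8"));

    CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
    ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA1withRSA").build(privateKey);
    gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
            new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()).build(sha1Signer, certificate));
    CMSSignedData sigData = gen.generate(msg, false);

    // The signature used to be generated without any assertion; check one SignerInfo is present
    int signerCount = sigData.getSignerInfos().size();
    if (signerCount != 1) {
        throw new AssertionError("expected exactly one SignerInfo, got " + signerCount);
    }
}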