List of usage examples for org.bouncycastle.tsp TSPUtil validateCertificate
public static void validateCertificate(X509CertificateHolder cert) throws TSPValidationException
From source file:be.fedict.trust.constraints.TSACertificateConstraint.java
License:Open Source License
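/**
 * Rejects certificates that do not qualify as TSA signing certificates.
 * <p>
 * The check is delegated to {@link TSPUtil#validateCertificate(X509CertificateHolder)}. Per the
 * BouncyCastle contract that method requires an ExtendedKeyUsage extension that is present,
 * marked critical and contains only {@code id-kp-timeStamping} (RFC 3161, section 2.3); the
 * "not present" wording below therefore also covers "not critical" and "other purposes present".
 * NOTE(review): in the BC versions I am aware of a non-v3 certificate is rejected with an
 * unchecked exception rather than a {@code TSPValidationException}, so it would bypass the
 * catch below — confirm against the BC version on the classpath.
 *
 * @param certificate the candidate TSA certificate
 * @throws TrustLinkerResultException with {@code CONSTRAINT_VIOLATION} when the certificate
 *         fails the TSA profile check
 * @throws RuntimeException if the certificate cannot be re-encoded or parsed into a holder
 */
@Override
public void check(X509Certificate certificate) throws TrustLinkerResultException {
    // BC's TSP utilities operate on holders, so the JCA certificate is re-encoded first.
    X509CertificateHolder holder;
    try {
        holder = new X509CertificateHolder(certificate.getEncoded());
    } catch (CertificateEncodingException e) {
        throw new RuntimeException("certificate encoding error: " + e.getMessage(), e);
    } catch (IOException e) {
        throw new RuntimeException("IO error: " + e.getMessage(), e);
    }
    try {
        TSPUtil.validateCertificate(holder);
    } catch (TSPValidationException e) {
        // Keep the BC exception on the log record: its message names which of the EKU
        // conditions (present / critical / sole purpose) actually failed, which the
        // fixed message below does not.
        LOG.error("ExtendedKeyUsage extension with value \"id-kp-timeStamping\" not present.", e);
        throw new TrustLinkerResultException(TrustLinkerResultReason.CONSTRAINT_VIOLATION,
                "id-kp-timeStamping ExtendedKeyUsage not present");
    }
}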
From source file:de.rub.dez6a3.jpdfsigner.TimeStampToken.java
License:Open Source License
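/**
 * Validates the time-stamp token against the TSA certificate claimed to have signed it.
 * <p>
 * The token is accepted only if all of the following hold:
 * <ul>
 * <li>the SHA-1 hash of {@code cert} equals the hash carried in the token's ESSCertID
 *     (the SigningCertificate signed attribute);</li>
 * <li>when the ESSCertID carries an IssuerSerial, the serial number matches and one of the
 *     issuer GeneralNames is a directoryName equal to the certificate's issuer;</li>
 * <li>{@code cert} passes {@link TSPUtil#validateCertificate}, i.e. it carries a critical
 *     ExtendedKeyUsage extension with only {@code id-kp-timeStamping};</li>
 * <li>{@code cert} was within its validity period at the token's genTime;</li>
 * <li>the CMS signature verifies with {@code cert} under {@code provider}.</li>
 * </ul>
 * A successful return means all of the above are true.
 *
 * @param cert     the TSA certificate
 * @param provider JCA provider name used for signature verification
 * @throws TSPValidationException          if an identity or policy check fails
 * @throws TSPException                    on CMS, algorithm or encoding problems
 * @throws CertificateExpiredException     if the certificate had expired at genTime
 * @throws CertificateNotYetValidException if the certificate was not yet valid at genTime
 * @throws NoSuchProviderException         if {@code provider} is unknown
 */
public void validate(X509Certificate cert, String provider)
        throws TSPException, TSPValidationException, CertificateExpiredException,
        CertificateNotYetValidException, NoSuchProviderException {
    try {
        // ESSCertID (RFC 2634) identifies the signer by a SHA-1 certificate hash; the digest
        // is fixed by that structure, not chosen here. NOTE(review): tokens that use
        // ESSCertIDv2 (RFC 5035, other digest algorithms) are not handled by this method —
        // confirm which certID type the caller populates.
        byte[] actualHash = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        // Constant-time comparison; the hash is attacker-influenced data.
        if (!MessageDigest.isEqual(certID.getCertHash(), actualHash)) {
            throw new TSPValidationException("certificate hash does not match certID hash.");
        }

        if (certID.getIssuerSerial() != null) {
            if (!certID.getIssuerSerial().getSerial().getValue().equals(cert.getSerialNumber())) {
                throw new TSPValidationException(
                        "certificate serial number does not match certID for signature.");
            }
            GeneralName[] issuerNames = certID.getIssuerSerial().getIssuer().getNames();
            X509Principal issuer = PrincipalUtil.getIssuerX509Principal(cert);
            if (!containsDirectoryName(issuerNames, issuer)) {
                throw new TSPValidationException("certificate name does not match certID for signature. ");
            }
        }

        // TSA profile: critical EKU with only id-kp-timeStamping.
        TSPUtil.validateCertificate(cert);
        // Validity is judged at the token's generation time, not "now".
        cert.checkValidity(tstInfo.getGenTime());

        if (!tsaSignerInfo.verify(cert, provider)) {
            throw new TSPValidationException("signature not created by certificate.");
        }
    } catch (CMSException e) {
        if (e.getUnderlyingException() != null) {
            throw new TSPException(e.getMessage(), e.getUnderlyingException());
        } else {
            throw new TSPException("CMS exception: " + e, e);
        }
    } catch (NoSuchAlgorithmException e) {
        throw new TSPException("cannot find algorithm: " + e, e);
    } catch (CertificateEncodingException e) {
        throw new TSPException("problem processing certificate: " + e, e);
    }
}

/**
 * Returns whether {@code names} contains a directoryName GeneralName equal to {@code principal}.
 * Other name forms (rfc822Name, dNSName, ...) are ignored, as the ESSCertID issuer is
 * expected to be an X.500 name.
 */
private static boolean containsDirectoryName(GeneralName[] names, X509Principal principal) {
    for (GeneralName name : names) {
        if (name.getTagNo() == GeneralName.directoryName
                && new X509Principal(X509Name.getInstance(name.getName())).equals(principal)) {
            return true;
        }
    }
    return false;
}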
From source file:eu.europa.esig.dss.test.gen.CertificateServiceTest.java
License:Open Source License
/**
 * Generates a TSA certificate and checks it satisfies BouncyCastle's TSA profile
 * (critical ExtendedKeyUsage containing only id-kp-timeStamping).
 */
@Test
public void generateTspCertificate() throws Exception {
    DSSPrivateKeyEntry tspKeyEntry = service.generateTspCertificate(SignatureAlgorithm.RSA_SHA256);
    assertNotNull(tspKeyEntry);
    // TSPUtil.validateCertificate throws TSPValidationException for a non-conforming
    // certificate; the declared 'throws Exception' turns that into a test failure.
    byte[] encodedCert = tspKeyEntry.getCertificate().getEncoded();
    TSPUtil.validateCertificate(new X509CertificateHolder(encodedCert));
}
From source file:org.votingsystem.services.impl.TimeStampServiceImpl.java
License:Open Source License
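/**
 * Builds the time-stamp service from a key store held in memory.
 * <p>
 * Loads the private key and certificate stored under {@code keyAlias}, checks that the
 * certificate is usable as a TSA signing certificate ({@link TSPUtil#validateCertificate}:
 * critical ExtendedKeyUsage with only {@code id-kp-timeStamping}) and caches the PEM-encoded
 * certificate and chain together with the signing material.
 *
 * @param keyStoreBytes the serialized key store
 * @param keyAlias      alias of the TSA signing key/certificate inside the key store
 * @param password      key store and key password
 * @throws IllegalStateException if the key store cannot be opened, the alias is missing or the
 *         certificate does not satisfy the TSA profile. The failure is logged and then
 *         rethrown so that no half-initialized service (null signing data) is handed out.
 */
public TimeStampServiceImpl(byte[] keyStoreBytes, String keyAlias, String password) {
    log.info("init");
    try {
        char[] pwd = password.toCharArray();
        KeyStore keyStore = KeyStoreUtil.getKeyStoreFromBytes(keyStoreBytes, pwd);
        PrivateKey signingKey = (PrivateKey) keyStore.getKey(keyAlias, pwd);
        X509Certificate signingCert = (X509Certificate) keyStore.getCertificate(keyAlias);
        signingCertPEMBytes = CertUtils.getPEMEncoded(signingCert);
        timeStampSignerInfoVerifier = new JcaSimpleSignerInfoVerifierBuilder()
                .setProvider(ContextVS.PROVIDER).build(signingCert);
        // TSA profile check on the certificate the verifier is bound to.
        X509CertificateHolder certHolder = timeStampSignerInfoVerifier.getAssociatedCertificate();
        TSPUtil.validateCertificate(certHolder);
        Certificate[] chain = keyStore.getCertificateChain(keyAlias);
        signingCertChainPEMBytes = CertUtils.getPEMEncoded(Arrays.asList(chain));
        Store certs = new JcaCertStore(Arrays.asList(chain));
        signingData = new SignatureData(signingCert, signingKey, certs);
    } catch (Exception ex) {
        log.log(Level.SEVERE, ex.getMessage(), ex);
        // Fail closed: a service without validated signing material must not be constructed.
        throw new IllegalStateException("TimeStampServiceImpl initialization failed: " + ex.getMessage(), ex);
    }
}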
From source file:org.votingsystem.web.ejb.TimeStampBean.java
License:Open Source License
/**
 * Initializes the bean from the configured time-stamp server URL.
 * <p>
 * Looks up the ActorVS for the server and its OK/TIMESTAMP_SERVER certificate in the
 * database. When either is missing, or the stored certificate is past notAfter (it is then
 * marked LAPSED), the server info is (re)fetched via {@code fetchTimeStampServerInfo} and the
 * method returns. Otherwise the certificate is pushed into {@code config}, a signer-info
 * verifier is built for it and the TSA profile check ({@link TSPUtil#validateCertificate})
 * is applied.
 * <p>
 * Any exception — including a failed TSA profile check — is only logged; the bean then
 * stays constructed with {@code timeStampSignerInfoVerifier} possibly null, or, when the
 * profile check fails, with {@code config} and the verifier already populated for a
 * certificate that was rejected. NOTE(review): presumably callers check the verifier for
 * null before use — confirm.
 */
public void init() {
    log.info("TimeStampBean - init");
    try {
        String serverURL = StringUtils.checkURL(config.getTimeStampServerURL());
        timeStampServiceURL = serverURL + "/timestamp";
        Query query = dao.getEM().createNamedQuery("findActorVSByServerURL").setParameter("serverURL", serverURL);
        ActorVS timeStampServer = dao.getSingleResult(ActorVS.class, query);
        CertificateVS timeStampServerCert = null;
        if (timeStampServer == null) {
            // Unknown server: fetch its info and leave initialization to that path.
            fetchTimeStampServerInfo(new ActorVS(serverURL));
            return;
        } else {
            query = dao.getEM().createNamedQuery("findCertByActorVSAndStateAndType")
                    .setParameter("actorVS", timeStampServer).setParameter("state", CertificateVS.State.OK)
                    .setParameter("type", CertificateVS.Type.TIMESTAMP_SERVER);
            timeStampServerCert = dao.getSingleResult(CertificateVS.class, query);
            if (timeStampServerCert != null) {
                x509TimeStampServerCert = CertUtils.loadCertificate(timeStampServerCert.getContent());
                // Only the notAfter bound is checked here; notBefore is not examined.
                if (new Date().before(x509TimeStampServerCert.getNotAfter())) {
                    signingCertPEMBytes = CertUtils.getPEMEncoded(x509TimeStampServerCert);
                } else {
                    log.info("timeStampServerCert lapsed - not valid after:" + x509TimeStampServerCert.getNotAfter());
                    dao.getEM().merge(timeStampServerCert.setState(CertificateVS.State.LAPSED));
                }
            }
            // No usable stored certificate (none found, or lapsed): refresh from the server.
            if (signingCertPEMBytes == null) {
                fetchTimeStampServerInfo(timeStampServer);
                return;
            }
        }
        if (x509TimeStampServerCert != null) {
            config.setX509TimeStampServerCert(x509TimeStampServerCert);
            timeStampSignerInfoVerifier = new JcaSimpleSignerInfoVerifierBuilder()
                    .setProvider(ContextVS.PROVIDER).build(x509TimeStampServerCert);
            // TSA profile check (critical EKU with only id-kp-timeStamping). It runs after
            // config and the verifier have been set, so a failure leaves them populated.
            X509CertificateHolder certHolder = timeStampSignerInfoVerifier.getAssociatedCertificate();
            TSPUtil.validateCertificate(certHolder);
        } else throw new Exception("TimeStamp signing cert not found - serverURL: " + serverURL);
    } catch (Exception ex) {
        // Logged only; initialization failures are not propagated to the container.
        log.log(Level.SEVERE, ex.getMessage(), ex);
    }
}
From source file:org.votingsystem.web.ejb.TimeStampBean.java
License:Open Source License
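/**
 * Registers (or refreshes) the remote time-stamp server and its signing certificate.
 * <p>
 * The first certificate of the server's PEM chain is taken as the TSA signing certificate. It
 * must not be past notAfter and must satisfy {@link TSPUtil#validateCertificate} (critical
 * ExtendedKeyUsage with only {@code id-kp-timeStamping}). Both checks run before a
 * {@code CertificateVS} of type {@code TIMESTAMP_SERVER} is persisted and before any instance
 * state is assigned, so a non-conforming certificate is never stored as a trusted TSA
 * certificate.
 *
 * @param timeStampServer the actor describing the server; persisted first when it has no id
 * @throws ExceptionVS            if the signing certificate is past notAfter
 * @throws TSPValidationException if the certificate does not match the TSA profile
 * @throws Exception              on PEM parsing, encoding or verifier construction problems
 */
private void updateTimeStampServer(ActorVS timeStampServer) throws Exception {
    log.info("updateTimeStampServer");
    if (timeStampServer.getId() == null) {
        dao.persist(timeStampServer);
    }
    // NOTE(review): String.getBytes() uses the platform charset; PEM is ASCII so this is
    // harmless in practice, but an explicit charset would make it deterministic.
    X509Certificate signingCert = CertUtils
            .fromPEMToX509CertCollection(timeStampServer.getCertChainPEM().getBytes()).iterator().next();
    // Only the notAfter bound is checked; a not-yet-valid certificate passes this test.
    if (new Date().after(signingCert.getNotAfter())) {
        throw new ExceptionVS(timeStampServer.getServerURL() + " - signing cert is lapsed");
    }
    // TSA profile check before anything is persisted or assigned: a rejected certificate
    // must not end up in the database as a TIMESTAMP_SERVER certificate.
    TSPUtil.validateCertificate(new X509CertificateHolder(signingCert.getEncoded()));

    CertificateVS certificateVS = CertificateVS.ACTORVS(timeStampServer, signingCert);
    certificateVS.setType(CertificateVS.Type.TIMESTAMP_SERVER);
    certificateVS.setCertChainPEM(timeStampServer.getCertChainPEM().getBytes());
    dao.persist(certificateVS);
    log.info("updateTimeStampServer - new CertificateVS - id: " + certificateVS.getId());

    signingCertPEMBytes = CertUtils.getPEMEncoded(signingCert);
    timeStampSignerInfoVerifier = new JcaSimpleSignerInfoVerifierBuilder().setProvider(ContextVS.PROVIDER)
            .build(signingCert);
}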