List of usage examples for org.bouncycastle.x509 X509V2AttributeCertificate verify
public final void verify(PublicKey key, String provider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
From source file:be.fedict.trust.TrustValidator.java
License:Open Source License
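/**
 * Validates the specified encoded {@link X509V2AttributeCertificate}s.
 * <p>
 * The supplied certificate path is validated first and is then used to
 * validate the attribute certificates: each attribute certificate is
 * decoded, its validity interval is checked against {@code validationDate},
 * and its signature is verified with the public key of the certificate at
 * index 1 of the path (referred to here as the issuer certificate; the
 * path ordering convention is defined by the caller and is not visible in
 * this method).
 * <p>
 * Every failure sets {@link #result} to a failed {@link TrustLinkerResult}
 * describing the reason and then throws a {@link CertPathValidatorException}
 * carrying that message, so that a failed decode, validity check or
 * signature verification can never be mistaken for success by a caller that
 * only relies on the exception.
 *
 * @param encodedAttributeCertificates
 *            the DER-encoded X.509 v2 attribute certificates; may be empty.
 * @param certificatePath
 *            the certificate path; must contain at least two certificates
 *            when there is at least one attribute certificate to verify.
 * @param validationDate
 *            the date at which validity intervals are evaluated, for both
 *            the certificate path and the attribute certificates.
 * @throws CertPathValidatorException
 *             if the certificate path is not trusted, the path is too short,
 *             or an attribute certificate cannot be decoded, is outside its
 *             validity interval, or fails signature verification.
 */
public void isTrusted(List<byte[]> encodedAttributeCertificates,
        List<X509Certificate> certificatePath, Date validationDate)
        throws CertPathValidatorException {
    /*
     * Validate the supplied certificate path.
     */
    isTrusted(certificatePath, validationDate);

    /*
     * The attribute certificates are verified against the second certificate
     * in the path, so the path must be long enough. The check is hoisted out
     * of the loop but only applies when there is something to verify, which
     * keeps the behaviour for an empty attribute certificate list unchanged.
     */
    if (!encodedAttributeCertificates.isEmpty() && certificatePath.size() < 2) {
        this.result = new TrustLinkerResult(false,
                TrustLinkerResultReason.INVALID_TRUST,
                "Certificate path should at least contain 2 certificates");
        throw new CertPathValidatorException(this.result.getMessage());
    }

    for (byte[] encodedAttributeCertificate : encodedAttributeCertificates) {
        try {
            X509V2AttributeCertificate attributeCertificate =
                    new X509V2AttributeCertificate(encodedAttributeCertificate);

            // Check validity at the requested validation date rather than
            // at "now", consistent with how the certificate path is checked.
            attributeCertificate.checkValidity(validationDate);

            // Verify the signature on the attribute certificate with the
            // public key of the issuer certificate taken from the path.
            X509Certificate issuerCertificate = certificatePath.get(1);
            attributeCertificate.verify(issuerCertificate.getPublicKey(), "BC");
        } catch (CertificateExpiredException e) {
            throw attributeCertificateFailure(
                    TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL, e);
        } catch (CertificateNotYetValidException e) {
            // Must precede CertificateException, otherwise a not-yet-valid
            // certificate would be reported as a signature problem.
            throw attributeCertificateFailure(
                    TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL, e);
        } catch (InvalidKeyException e) {
            throw attributeCertificateFailure(
                    TrustLinkerResultReason.INVALID_SIGNATURE, e);
        } catch (CertificateException e) {
            throw attributeCertificateFailure(
                    TrustLinkerResultReason.INVALID_SIGNATURE, e);
        } catch (NoSuchAlgorithmException e) {
            throw attributeCertificateFailure(
                    TrustLinkerResultReason.INVALID_SIGNATURE, e);
        } catch (NoSuchProviderException e) {
            throw attributeCertificateFailure(
                    TrustLinkerResultReason.INVALID_SIGNATURE, e);
        } catch (SignatureException e) {
            throw attributeCertificateFailure(
                    TrustLinkerResultReason.INVALID_SIGNATURE, e);
        } catch (IOException e) {
            // Thrown while decoding the attribute certificate; reported under
            // INVALID_SIGNATURE as in the original implementation.
            throw attributeCertificateFailure(
                    TrustLinkerResultReason.INVALID_SIGNATURE, e);
        }
    }
}

/**
 * Records a failed attribute certificate validation in {@link #result} and
 * builds the exception to throw for it.
 * <p>
 * The result message has the form {@code "<ExceptionSimpleName>: <message>"},
 * which is the same text the individual catch blocks produced before this
 * helper was introduced.
 *
 * @param reason
 *            the reason to record in the result.
 * @param cause
 *            the exception that caused the failure; kept as the cause of the
 *            returned exception so the original stack trace is preserved.
 * @return the exception to throw; never {@code null}.
 */
private CertPathValidatorException attributeCertificateFailure(
        TrustLinkerResultReason reason, Exception cause) {
    this.result = new TrustLinkerResult(false, reason,
            cause.getClass().getSimpleName() + ": " + cause.getMessage());
    return new CertPathValidatorException(this.result.getMessage(), cause);
}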
From source file:org.candlepin.resource.test.cert.test.CertTest.java
License:Open Source License
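/**
 * Generates an X.509 v2 attribute certificate for a freshly created client
 * certificate, parses it back and checks holder, issuer, validity interval,
 * signature and the RoleSyntax attribute.
 * <p>
 * Every check fails the test: {@code checkValidity()} and {@code verify()}
 * propagate their exceptions through {@code throws Exception} instead of
 * being printed and ignored, and the structural checks throw
 * {@link AssertionError}.
 *
 * @throws Exception
 *             if the key material cannot be built, the attribute certificate
 *             cannot be generated, or any verification step fails.
 */
@Test
public void testCertExample() throws Exception {
    Security.addProvider(new BouncyCastleProvider());

    // Set up the keys from the key specs held by the test class.
    KeyFactory fact = KeyFactory.getInstance("RSA", "BC");
    PrivateKey caPrivKey = fact.generatePrivate(caPrivKeySpec);
    PublicKey caPubKey = fact.generatePublic(caPubKeySpec);
    PublicKey pubKey = fact.generatePublic(pubKeySpec);

    // NOTE: the CA certificate is used both as the client certificate's issuer
    // and as the attribute certificate issuer to keep the example short; in
    // practice the attribute authority should be a CA distinct from the one
    // that issued the client certificate.
    X509Certificate caCert = AttrCertExample.createAcIssuerCert(caPubKey, caPrivKey);
    X509Certificate clientCert = AttrCertExample.createClientCert(pubKey, caPrivKey, caPubKey);

    X509V2AttributeCertificateGenerator acGen = new X509V2AttributeCertificateGenerator();
    acGen.reset();

    // Holder in IssuerSerial form: identified by the client certificate's
    // issuer and serial number.
    acGen.setHolder(new AttributeCertificateHolder(clientCert));
    acGen.setIssuer(new AttributeCertificateIssuer(caCert.getSubjectX500Principal()));

    // Example only: serial numbers are not tracked across runs.
    acGen.setSerialNumber(BigInteger.ONE);

    // Validity window of 50 seconds either side of a single "now" reading, so
    // the checkValidity() calls below are deterministic for the test's run.
    long now = System.currentTimeMillis();
    acGen.setNotBefore(new Date(now - 50000));
    acGen.setNotAfter(new Date(now + 50000));

    // Kept to match the original fixture; SHA-1 based signatures are not
    // appropriate for production use.
    acGen.setSignatureAlgorithm("SHA1WithRSAEncryption");

    // The single attribute: a RoleSyntax (OID 2.5.24.72) naming the role.
    final String roleSyntaxOid = "2.5.24.72";
    GeneralName roleName = new GeneralName(GeneralName.rfc822Name, "DAU123456789");
    ASN1EncodableVector roleSyntax = new ASN1EncodableVector();
    roleSyntax.add(roleName);
    X509Attribute attributes = new X509Attribute(roleSyntaxOid, new DERSequence(roleSyntax));
    acGen.addAttribute(attributes);

    // Create the AC, signed by the CA private key.
    X509V2AttributeCertificate att = (X509V2AttributeCertificate) acGen.generate(caPrivKey, "BC");

    // From here on, parse the newly generated AC back and check each part.

    // Holder: must match the client certificate it was issued for.
    AttributeCertificateHolder h = att.getHolder();
    if (!h.match(clientCert)) {
        throw new AssertionError("attribute certificate holder does not match the client certificate");
    }

    // Issuer: must match the CA certificate.
    AttributeCertificateIssuer issuer = att.getIssuer();
    if (!issuer.match(caCert)) {
        throw new AssertionError("attribute certificate issuer does not match the CA certificate");
    }

    // Validity: both the implicit-now and explicit-date forms must pass; an
    // exception here fails the test rather than being printed.
    att.checkValidity();
    att.checkValidity(new Date());

    // Signature: must verify under the CA public key; a failure propagates.
    att.verify(caPubKey, "BC");

    // Attributes: the RoleSyntax attribute added above must be present.
    boolean roleSyntaxFound = false;
    for (X509Attribute a : att.getAttributes()) {
        if (a.getOID().equals(roleSyntaxOid)) {
            roleSyntaxFound = true;
        }
    }
    if (!roleSyntaxFound) {
        throw new AssertionError("no RoleSyntax attribute (" + roleSyntaxOid
                + ") found in the generated attribute certificate");
    }
}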