public static ASN1ObjectIdentifier getOIDForHashAlgorithm(int hashAlgorithm) { switch (hashAlgorithm) { case HashAlgorithm.md5: return PKCSObjectIdentifiers.md5; case HashAlgorithm.sha1: return X509ObjectIdentifiers.id_SHA1; case HashAlgorithm.sha224: return NISTObjectIdentifiers.id_sha224; case HashAlgorithm.sha256: return NISTObjectIdentifiers.id_sha256; case HashAlgorithm.sha384: return NISTObjectIdentifiers.id_sha384; case HashAlgorithm.sha512: return NISTObjectIdentifiers.id_sha512; default: throw new IllegalArgumentException("unknown HashAlgorithm"); } }
static PublicKey createPublicKeyFromPublicKeyInfo( SubjectPublicKeyInfo info) { AlgorithmIdentifier algId = info.getAlgorithmId(); if (algId.getObjectId().equals(PKCSObjectIdentifiers.rsaEncryption) || algId.getObjectId().equals(X509ObjectIdentifiers.id_ea_rsa)) { return new JCERSAPublicKey(info); } else if (algId.getObjectId().equals(X9ObjectIdentifiers.id_ecPublicKey)) { return new JCEECPublicKey(info); } else { throw new RuntimeException("algorithm identifier in key not recognised"); } }
public static ASN1ObjectIdentifier getOIDForHashAlgorithm(short hashAlgorithm) { switch (hashAlgorithm) { case HashAlgorithm.md5: return PKCSObjectIdentifiers.md5; case HashAlgorithm.sha1: return X509ObjectIdentifiers.id_SHA1; case HashAlgorithm.sha224: return NISTObjectIdentifiers.id_sha224; case HashAlgorithm.sha256: return NISTObjectIdentifiers.id_sha256; case HashAlgorithm.sha384: return NISTObjectIdentifiers.id_sha384; case HashAlgorithm.sha512: return NISTObjectIdentifiers.id_sha512; default: throw new IllegalArgumentException("unknown HashAlgorithm"); } }
private void checkExtensionAuthorityInfoAccess(StringBuilder failureMsg, byte[] extensionValue, X509IssuerInfo issuerInfo) { AuthorityInfoAccessControl aiaControl = certProfile.aiaControl(); Set<String> expCaIssuerUris = (aiaControl == null || aiaControl.includesCaIssuers()) ? issuerInfo.caIssuerUrls() : Collections.emptySet(); Set<String> expOcspUris = (aiaControl == null || aiaControl.includesOcsp()) ? issuerInfo.ocspUrls() : Collections.emptySet(); if (CollectionUtil.isEmpty(expCaIssuerUris) && CollectionUtil.isEmpty(expOcspUris)) { failureMsg.append("AIA is present but expected is 'none'; "); return; } AuthorityInformationAccess isAia = AuthorityInformationAccess.getInstance(extensionValue); checkAia(failureMsg, isAia, X509ObjectIdentifiers.id_ad_caIssuers, expCaIssuerUris); checkAia(failureMsg, isAia, X509ObjectIdentifiers.id_ad_ocsp, expOcspUris); }
@Test public void digestInfoRipemd160() throws Exception { byte[] message = "hello world".getBytes(); MessageDigest messageDigest = MessageDigest.getInstance("RIPEMD160", new BouncyCastleProvider()); byte[] digest = messageDigest.digest(message); LOG.debug("Digest: " + new String(Hex.encodeHex(digest))); DERObjectIdentifier hashAlgoId = X509ObjectIdentifiers.ripemd160; DigestInfo digestInfo = new DigestInfo(new AlgorithmIdentifier(hashAlgoId, DERNull.INSTANCE), digest); byte[] encodedDigestInfo = digestInfo.getEncoded(); LOG.debug("Digest Info: " + new String(Hex.encodeHex(encodedDigestInfo))); }
public static String getCACertificateURL(X509Certificate certificate) throws IOException { byte[] bOctets = ((ASN1OctetString) ASN1Primitive.fromByteArray(certificate.getExtensionValue(Extension.authorityInfoAccess.getId()))).getOctets(); AuthorityInformationAccess access = AuthorityInformationAccess.getInstance(ASN1Sequence.fromByteArray(bOctets)); for (AccessDescription ad:access.getAccessDescriptions()){ if (ad.getAccessMethod().equals(X509ObjectIdentifiers.id_ad_caIssuers)){ return ad.getAccessLocation().getName().toString(); } } return null; }
/** * ETSI TS 101 733 V2.2.1 (2013-04) * 5.11.3 signer-attributes Attribute * NOTE 1: Only a single signer-attributes can be used. * * The signer-attributes attribute specifies additional attributes of the signer (e.g. role). * It may be either: * • claimed attributes of the signer; or * • certified attributes of the signer. * The signer-attributes attribute shall be a signed attribute. * * @param parameters * @param signedAttributes * @return */ private void addSignerAttribute(final CAdESSignatureParameters parameters, final ASN1EncodableVector signedAttributes) { // In PAdES, the role is in the signature dictionary if (!padesUsage) { final List<String> claimedSignerRoles = parameters.bLevel().getClaimedSignerRoles(); if (claimedSignerRoles != null) { List<org.bouncycastle.asn1.x509.Attribute> claimedAttributes = new ArrayList<org.bouncycastle.asn1.x509.Attribute>(claimedSignerRoles.size()); for (final String claimedSignerRole : claimedSignerRoles) { final DERUTF8String roles = new DERUTF8String(claimedSignerRole); // TODO: role attribute key (id_at_name) should be customizable final org.bouncycastle.asn1.x509.Attribute id_aa_ets_signerAttr = new org.bouncycastle.asn1.x509.Attribute(X509ObjectIdentifiers.id_at_name, new DERSet(roles)); claimedAttributes.add(id_aa_ets_signerAttr); } final org.bouncycastle.asn1.cms.Attribute attribute = new org.bouncycastle.asn1.cms.Attribute(id_aa_ets_signerAttr, new DERSet(new SignerAttribute(claimedAttributes.toArray(new org.bouncycastle.asn1.x509.Attribute[claimedAttributes.size()])))); signedAttributes.add(attribute); } // TODO: handle CertifiedAttributes ::= AttributeCertificate -- as defined in RFC 3281: see clause 4.1. // final List<String> certifiedSignerRoles = parameters.bLevel().getCertifiedSignerRoles(); } }
@SuppressWarnings({ "deprecation", "resource" }) private String getOCSPUrl(X509Certificate certificate) throws IOException { ASN1Primitive obj; try { obj = getExtensionValue(certificate, Extension.authorityInfoAccess.getId()); } catch (IOException ex) { log.error("Failed to get OCSP URL", ex); return null; } if (obj == null) { return null; } AuthorityInformationAccess authorityInformationAccess = AuthorityInformationAccess.getInstance(obj); AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions(); for (AccessDescription accessDescription : accessDescriptions) { boolean correctAccessMethod = accessDescription.getAccessMethod().equals(X509ObjectIdentifiers.ocspAccessMethod); if (!correctAccessMethod) { continue; } GeneralName name = accessDescription.getAccessLocation(); if (name.getTagNo() != GeneralName.uniformResourceIdentifier) { continue; } DERIA5String derStr = DERIA5String.getInstance((ASN1TaggedObject) name.toASN1Primitive(), false); return derStr.getString(); } return null; }
static boolean isRsaOid( DERObjectIdentifier algOid) { return algOid.equals(PKCSObjectIdentifiers.rsaEncryption) || algOid.equals(X509ObjectIdentifiers.id_ea_rsa) || algOid.equals(PKCSObjectIdentifiers.id_RSASSA_PSS) || algOid.equals(PKCSObjectIdentifiers.id_RSAES_OAEP); }
public DefaultCMSSignatureAlgorithmNameGenerator() { addEntries(NISTObjectIdentifiers.dsa_with_sha224, "SHA224", "DSA"); addEntries(NISTObjectIdentifiers.dsa_with_sha256, "SHA256", "DSA"); addEntries(NISTObjectIdentifiers.dsa_with_sha384, "SHA384", "DSA"); addEntries(NISTObjectIdentifiers.dsa_with_sha512, "SHA512", "DSA"); addEntries(OIWObjectIdentifiers.dsaWithSHA1, "SHA1", "DSA"); addEntries(OIWObjectIdentifiers.md4WithRSA, "MD4", "RSA"); addEntries(OIWObjectIdentifiers.md4WithRSAEncryption, "MD4", "RSA"); addEntries(OIWObjectIdentifiers.md5WithRSA, "MD5", "RSA"); addEntries(OIWObjectIdentifiers.sha1WithRSA, "SHA1", "RSA"); addEntries(PKCSObjectIdentifiers.md2WithRSAEncryption, "MD2", "RSA"); addEntries(PKCSObjectIdentifiers.md4WithRSAEncryption, "MD4", "RSA"); addEntries(PKCSObjectIdentifiers.md5WithRSAEncryption, "MD5", "RSA"); addEntries(PKCSObjectIdentifiers.sha1WithRSAEncryption, "SHA1", "RSA"); addEntries(PKCSObjectIdentifiers.sha224WithRSAEncryption, "SHA224", "RSA"); addEntries(PKCSObjectIdentifiers.sha256WithRSAEncryption, "SHA256", "RSA"); addEntries(PKCSObjectIdentifiers.sha384WithRSAEncryption, "SHA384", "RSA"); addEntries(PKCSObjectIdentifiers.sha512WithRSAEncryption, "SHA512", "RSA"); addEntries(X9ObjectIdentifiers.ecdsa_with_SHA1, "SHA1", "ECDSA"); addEntries(X9ObjectIdentifiers.ecdsa_with_SHA224, "SHA224", "ECDSA"); addEntries(X9ObjectIdentifiers.ecdsa_with_SHA256, "SHA256", "ECDSA"); addEntries(X9ObjectIdentifiers.ecdsa_with_SHA384, "SHA384", "ECDSA"); addEntries(X9ObjectIdentifiers.ecdsa_with_SHA512, "SHA512", "ECDSA"); addEntries(X9ObjectIdentifiers.id_dsa_with_sha1, "SHA1", "DSA"); addEntries(EACObjectIdentifiers.id_TA_ECDSA_SHA_1, "SHA1", "ECDSA"); addEntries(EACObjectIdentifiers.id_TA_ECDSA_SHA_224, "SHA224", "ECDSA"); addEntries(EACObjectIdentifiers.id_TA_ECDSA_SHA_256, "SHA256", "ECDSA"); addEntries(EACObjectIdentifiers.id_TA_ECDSA_SHA_384, "SHA384", "ECDSA"); addEntries(EACObjectIdentifiers.id_TA_ECDSA_SHA_512, "SHA512", "ECDSA"); addEntries(EACObjectIdentifiers.id_TA_RSA_v1_5_SHA_1, "SHA1", "RSA"); addEntries(EACObjectIdentifiers.id_TA_RSA_v1_5_SHA_256, "SHA256", "RSA"); addEntries(EACObjectIdentifiers.id_TA_RSA_PSS_SHA_1, "SHA1", "RSAandMGF1"); addEntries(EACObjectIdentifiers.id_TA_RSA_PSS_SHA_256, "SHA256", "RSAandMGF1"); encryptionAlgs.put(X9ObjectIdentifiers.id_dsa, "DSA"); encryptionAlgs.put(PKCSObjectIdentifiers.rsaEncryption, "RSA"); encryptionAlgs.put(TeleTrusTObjectIdentifiers.teleTrusTRSAsignatureAlgorithm, "RSA"); encryptionAlgs.put(X509ObjectIdentifiers.id_ea_rsa, "RSA"); encryptionAlgs.put(PKCSObjectIdentifiers.id_RSASSA_PSS, "RSAandMGF1"); encryptionAlgs.put(CryptoProObjectIdentifiers.gostR3410_94, "GOST3410"); encryptionAlgs.put(CryptoProObjectIdentifiers.gostR3410_2001, "ECGOST3410"); encryptionAlgs.put(new ASN1ObjectIdentifier("1.3.6.1.4.1.5849.1.6.2"), "ECGOST3410"); encryptionAlgs.put(new ASN1ObjectIdentifier("1.3.6.1.4.1.5849.1.1.5"), "GOST3410"); encryptionAlgs.put(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001, "ECGOST3410"); encryptionAlgs.put(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94, "GOST3410"); digestAlgs.put(PKCSObjectIdentifiers.md2, "MD2"); digestAlgs.put(PKCSObjectIdentifiers.md4, "MD4"); digestAlgs.put(PKCSObjectIdentifiers.md5, "MD5"); digestAlgs.put(OIWObjectIdentifiers.idSHA1, "SHA1"); digestAlgs.put(NISTObjectIdentifiers.id_sha224, "SHA224"); digestAlgs.put(NISTObjectIdentifiers.id_sha256, "SHA256"); digestAlgs.put(NISTObjectIdentifiers.id_sha384, "SHA384"); digestAlgs.put(NISTObjectIdentifiers.id_sha512, "SHA512"); digestAlgs.put(TeleTrusTObjectIdentifiers.ripemd128, "RIPEMD128"); digestAlgs.put(TeleTrusTObjectIdentifiers.ripemd160, "RIPEMD160"); digestAlgs.put(TeleTrusTObjectIdentifiers.ripemd256, "RIPEMD256"); digestAlgs.put(CryptoProObjectIdentifiers.gostR3411, "GOST3411"); digestAlgs.put(new ASN1ObjectIdentifier("1.3.6.1.4.1.5849.1.2.1"), "GOST3411"); }
public DefaultCMSSignatureAlgorithmNameGenerator() { addEntries(NISTObjectIdentifiers.dsa_with_sha224, "SHA224", "DSA"); addEntries(NISTObjectIdentifiers.dsa_with_sha256, "SHA256", "DSA"); addEntries(NISTObjectIdentifiers.dsa_with_sha384, "SHA384", "DSA"); addEntries(NISTObjectIdentifiers.dsa_with_sha512, "SHA512", "DSA"); addEntries(OIWObjectIdentifiers.dsaWithSHA1, "SHA1", "DSA"); addEntries(OIWObjectIdentifiers.md4WithRSA, "MD4", "RSA"); addEntries(OIWObjectIdentifiers.md4WithRSAEncryption, "MD4", "RSA"); addEntries(OIWObjectIdentifiers.md5WithRSA, "MD5", "RSA"); addEntries(OIWObjectIdentifiers.sha1WithRSA, "SHA1", "RSA"); addEntries(PKCSObjectIdentifiers.md2WithRSAEncryption, "MD2", "RSA"); addEntries(PKCSObjectIdentifiers.md4WithRSAEncryption, "MD4", "RSA"); addEntries(PKCSObjectIdentifiers.md5WithRSAEncryption, "MD5", "RSA"); addEntries(PKCSObjectIdentifiers.sha1WithRSAEncryption, "SHA1", "RSA"); addEntries(PKCSObjectIdentifiers.sha224WithRSAEncryption, "SHA224", "RSA"); addEntries(PKCSObjectIdentifiers.sha256WithRSAEncryption, "SHA256", "RSA"); addEntries(PKCSObjectIdentifiers.sha384WithRSAEncryption, "SHA384", "RSA"); addEntries(PKCSObjectIdentifiers.sha512WithRSAEncryption, "SHA512", "RSA"); addEntries(TeleTrusTObjectIdentifiers.rsaSignatureWithripemd128, "RIPEMD128", "RSA"); addEntries(TeleTrusTObjectIdentifiers.rsaSignatureWithripemd160, "RIPEMD160", "RSA"); addEntries(TeleTrusTObjectIdentifiers.rsaSignatureWithripemd256, "RIPEMD256", "RSA"); addEntries(X9ObjectIdentifiers.ecdsa_with_SHA1, "SHA1", "ECDSA"); addEntries(X9ObjectIdentifiers.ecdsa_with_SHA224, "SHA224", "ECDSA"); addEntries(X9ObjectIdentifiers.ecdsa_with_SHA256, "SHA256", "ECDSA"); addEntries(X9ObjectIdentifiers.ecdsa_with_SHA384, "SHA384", "ECDSA"); addEntries(X9ObjectIdentifiers.ecdsa_with_SHA512, "SHA512", "ECDSA"); addEntries(X9ObjectIdentifiers.id_dsa_with_sha1, "SHA1", "DSA"); addEntries(EACObjectIdentifiers.id_TA_ECDSA_SHA_1, "SHA1", "ECDSA"); addEntries(EACObjectIdentifiers.id_TA_ECDSA_SHA_224, "SHA224", "ECDSA"); addEntries(EACObjectIdentifiers.id_TA_ECDSA_SHA_256, "SHA256", "ECDSA"); addEntries(EACObjectIdentifiers.id_TA_ECDSA_SHA_384, "SHA384", "ECDSA"); addEntries(EACObjectIdentifiers.id_TA_ECDSA_SHA_512, "SHA512", "ECDSA"); addEntries(EACObjectIdentifiers.id_TA_RSA_v1_5_SHA_1, "SHA1", "RSA"); addEntries(EACObjectIdentifiers.id_TA_RSA_v1_5_SHA_256, "SHA256", "RSA"); addEntries(EACObjectIdentifiers.id_TA_RSA_PSS_SHA_1, "SHA1", "RSAandMGF1"); addEntries(EACObjectIdentifiers.id_TA_RSA_PSS_SHA_256, "SHA256", "RSAandMGF1"); addEntries(BSIObjectIdentifiers.ecdsa_plain_SHA1, "SHA1", "PLAIN-ECDSA"); addEntries(BSIObjectIdentifiers.ecdsa_plain_SHA224, "SHA224", "PLAIN-ECDSA"); addEntries(BSIObjectIdentifiers.ecdsa_plain_SHA256, "SHA256", "PLAIN-ECDSA"); addEntries(BSIObjectIdentifiers.ecdsa_plain_SHA384, "SHA384", "PLAIN-ECDSA"); addEntries(BSIObjectIdentifiers.ecdsa_plain_SHA512, "SHA512", "PLAIN-ECDSA"); addEntries(BSIObjectIdentifiers.ecdsa_plain_RIPEMD160, "RIPEMD160", "PLAIN-ECDSA"); encryptionAlgs.put(X9ObjectIdentifiers.id_dsa, "DSA"); encryptionAlgs.put(PKCSObjectIdentifiers.rsaEncryption, "RSA"); encryptionAlgs.put(TeleTrusTObjectIdentifiers.teleTrusTRSAsignatureAlgorithm, "RSA"); encryptionAlgs.put(X509ObjectIdentifiers.id_ea_rsa, "RSA"); encryptionAlgs.put(PKCSObjectIdentifiers.id_RSASSA_PSS, "RSAandMGF1"); encryptionAlgs.put(CryptoProObjectIdentifiers.gostR3410_94, "GOST3410"); encryptionAlgs.put(CryptoProObjectIdentifiers.gostR3410_2001, "ECGOST3410"); encryptionAlgs.put(new ASN1ObjectIdentifier("1.3.6.1.4.1.5849.1.6.2"), "ECGOST3410"); encryptionAlgs.put(new ASN1ObjectIdentifier("1.3.6.1.4.1.5849.1.1.5"), "GOST3410"); encryptionAlgs.put(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001, "ECGOST3410"); encryptionAlgs.put(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94, "GOST3410"); digestAlgs.put(PKCSObjectIdentifiers.md2, "MD2"); digestAlgs.put(PKCSObjectIdentifiers.md4, "MD4"); digestAlgs.put(PKCSObjectIdentifiers.md5, "MD5"); digestAlgs.put(OIWObjectIdentifiers.idSHA1, "SHA1"); digestAlgs.put(NISTObjectIdentifiers.id_sha224, "SHA224"); digestAlgs.put(NISTObjectIdentifiers.id_sha256, "SHA256"); digestAlgs.put(NISTObjectIdentifiers.id_sha384, "SHA384"); digestAlgs.put(NISTObjectIdentifiers.id_sha512, "SHA512"); digestAlgs.put(TeleTrusTObjectIdentifiers.ripemd128, "RIPEMD128"); digestAlgs.put(TeleTrusTObjectIdentifiers.ripemd160, "RIPEMD160"); digestAlgs.put(TeleTrusTObjectIdentifiers.ripemd256, "RIPEMD256"); digestAlgs.put(CryptoProObjectIdentifiers.gostR3411, "GOST3411"); digestAlgs.put(new ASN1ObjectIdentifier("1.3.6.1.4.1.5849.1.2.1"), "GOST3411"); }
private URI getOcspUri(X509Certificate certificate) throws IOException, URISyntaxException { URI ocspURI = getAccessLocation(certificate, X509ObjectIdentifiers.ocspAccessMethod); return ocspURI; }
private static void checkAia(StringBuilder failureMsg, AuthorityInformationAccess aia, ASN1ObjectIdentifier accessMethod, Set<String> expectedUris) { String typeDesc; if (X509ObjectIdentifiers.id_ad_ocsp.equals(accessMethod)) { typeDesc = "OCSP"; } else if (X509ObjectIdentifiers.id_ad_caIssuers.equals(accessMethod)) { typeDesc = "caIssuer"; } else { typeDesc = accessMethod.getId(); } List<AccessDescription> isAccessDescriptions = new LinkedList<>(); for (AccessDescription accessDescription : aia.getAccessDescriptions()) { if (accessMethod.equals(accessDescription.getAccessMethod())) { isAccessDescriptions.add(accessDescription); } } int size = isAccessDescriptions.size(); if (size != expectedUris.size()) { addViolation(failureMsg, "number of AIA " + typeDesc + " URIs", size, expectedUris.size()); return; } Set<String> isUris = new HashSet<>(); for (int i = 0; i < size; i++) { GeneralName isAccessLocation = isAccessDescriptions.get(i).getAccessLocation(); if (isAccessLocation.getTagNo() != GeneralName.uniformResourceIdentifier) { addViolation(failureMsg, "tag of accessLocation of AIA ", isAccessLocation.getTagNo(), GeneralName.uniformResourceIdentifier); } else { String isOcspUri = ((ASN1String) isAccessLocation.getName()).getString(); isUris.add(isOcspUri); } } Set<String> diffs = strInBnotInA(expectedUris, isUris); if (CollectionUtil.isNonEmpty(diffs)) { failureMsg.append(typeDesc).append(" URIs ").append(diffs.toString()); failureMsg.append(" are present but not expected; "); } diffs = strInBnotInA(isUris, expectedUris); if (CollectionUtil.isNonEmpty(diffs)) { failureMsg.append(typeDesc).append(" URIs ").append(diffs.toString()); failureMsg.append(" are absent but are required; "); } }
public SHA1WithRSAEncryption() { super(X509ObjectIdentifiers.id_SHA1, new SHA1Digest(), new PKCS1Encoding(new RSABlindedEngine())); }
/** * Gives back the OCSP URIs meta-data found within the given X509 cert. * * @param certificate * the cert token. * @param checkInTrustAnchors * if true, the method will search in the ServiceSupplyPoint urls * @return a list of OCSP URIs, or empty list if the extension is not present. */ public static List<String> getOCSPAccessLocations(final CertificateToken certificate, boolean checkInTrustAnchors) { List<String> ocspUrls = getAccessLocations(certificate, X509ObjectIdentifiers.id_ad_ocsp); if (Utils.isCollectionEmpty(ocspUrls) && checkInTrustAnchors) { return getServiceSupplyPoints(certificate, "ocsp"); } return ocspUrls; }
/** * Gives back the CA URIs meta-data found within the given X509 cert. * * @param certificate * the cert token. * @return a list of CA URIs, or empty list if the extension is not present. */ public static List<String> getCAAccessLocations(final CertificateToken certificate) { return getAccessLocations(certificate, X509ObjectIdentifiers.id_ad_caIssuers); }
