List of usage examples for org.bouncycastle.cert.jcajce JcaX509CertificateConverter JcaX509CertificateConverter
public JcaX509CertificateConverter()
From source file:io.smartspaces.util.net.SslUtils.java
License:Apache License
/** * Get an SSL socket factory that provides a client certificate for the socket * connections.//from w w w .j a v a 2 s.c o m * * @param caCrtFile * file path to the certificate authority certificate * @param clientCrtFile * file path to the certificate for the client * @param clientKeyFile * file path to the private key for the client * * @return the socket factory providing the client functionality * * @throws Exception */ public static SSLSocketFactory configureSSLSocketFactory(String caCrtFile, String clientCrtFile, String clientKeyFile) throws Exception { Security.addProvider(new BouncyCastleProvider()); JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter() .setProvider(SECURITY_PROVIDER_BOUNCY_CASTLE); // load CA certificate PEMParser reader = new PEMParser( new InputStreamReader(new ByteArrayInputStream(Files.readAllBytes(Paths.get(caCrtFile))))); X509Certificate caCert = certificateConverter.getCertificate((X509CertificateHolder) reader.readObject()); reader.close(); // load client certificate reader = new PEMParser( new InputStreamReader(new ByteArrayInputStream(Files.readAllBytes(Paths.get(clientCrtFile))))); X509Certificate cert = certificateConverter.getCertificate((X509CertificateHolder) reader.readObject()); reader.close(); // load client private key JcaPEMKeyConverter keyConverter = new JcaPEMKeyConverter().setProvider(SECURITY_PROVIDER_BOUNCY_CASTLE); reader = new PEMParser( new InputStreamReader(new ByteArrayInputStream(Files.readAllBytes(Paths.get(clientKeyFile))))); KeyPair key = keyConverter.getKeyPair((PEMKeyPair) reader.readObject()); reader.close(); // CA certificate is used to authenticate server KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType()); caKs.load(null, null); caKs.setCertificateEntry("ca-certificate", caCert); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(caKs); // client key and certificates are sent to server so it can authenticate // the client.F KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(null, null); ks.setCertificateEntry("certificate", cert); // This assumes that the client key is not password protected. We need a // password, but it could be anything. char[] password = VIRTUAL_KEYSTORE_PASSWORD.toCharArray(); ks.setKeyEntry("private-key", key.getPrivate(), password, new java.security.cert.Certificate[] { cert }); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(ks, password); // finally, create SSL socket factory. SSLContext context = SSLContext.getInstance("TLS"); context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); return context.getSocketFactory(); }
From source file:io.spikex.core.Main.java
License:Apache License
private void createKeyStore(final YamlDocument conf) { YamlDocument confKeyStore = conf.getDocument(CONF_KEY_KEYSTORE); boolean generate = confKeyStore.getValue(CONF_KEY_GENERATE, DEF_GENERATE_KEYSTORE); if (generate) { Path keyStorePath = Paths .get(confKeyStore.getValue(CONF_KEY_PATH, m_confPath.resolve(DEF_KEYSTORE_PATH).toString())) .toAbsolutePath().normalize(); if (!Files.exists(keyStorePath)) { Provider bcProvider = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME); if (bcProvider == null) { Security.addProvider(new BouncyCastleProvider()); }/*from w ww. jav a 2s. c o m*/ String password = confKeyStore.getValue(CONF_KEY_PASSWORD, DEF_KEYSTORE_PASSWORD); String hostFqdn = confKeyStore.getValue(CONF_KEY_HOST_FQDN, HostOs.hostName()); List<String> subjAltNames = confKeyStore.getValue(CONF_KEY_SUBJECT_ALT_NAME, new ArrayList()); try (FileOutputStream out = new FileOutputStream(keyStorePath.toFile())) { m_logger.info("Generating keystore: {}", keyStorePath); KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", BouncyCastleProvider.PROVIDER_NAME); SecureRandom rnd = new SecureRandom(); generator.initialize(2048, rnd); KeyPair pair = generator.generateKeyPair(); // DN X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE); nameBuilder.addRDN(BCStyle.C, System.getProperty("user.country.format", "NU")); nameBuilder.addRDN(BCStyle.OU, "Self-signed test certificate"); nameBuilder.addRDN(BCStyle.OU, "For testing purposes only"); nameBuilder.addRDN(BCStyle.O, "Spike.x"); nameBuilder.addRDN(BCStyle.CN, hostFqdn); long oneDay = 24 * 60 * 60 * 1000; Date notBefore = new Date(System.currentTimeMillis() - oneDay); // Yesterday Date notAfter = new Date(System.currentTimeMillis() + (oneDay * 3 * 365)); // 3 years BigInteger serialNum = BigInteger.valueOf(rnd.nextLong()); X509v3CertificateBuilder x509v3Builder = new JcaX509v3CertificateBuilder(nameBuilder.build(), serialNum, notBefore, notAfter, nameBuilder.build(), pair.getPublic()); // // Extensions // x509v3Builder.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); x509v3Builder.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); x509v3Builder.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); GeneralName[] dnsNames = new GeneralName[subjAltNames.size()]; for (int i = 0; i < subjAltNames.size(); i++) { String name = subjAltNames.get(i); m_logger.info("Adding subject alt name: {}", name); dnsNames[i] = new GeneralName(GeneralName.dNSName, name); } x509v3Builder.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(dnsNames)); ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption") .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(pair.getPrivate()); X509Certificate cert = new JcaX509CertificateConverter() .setProvider(BouncyCastleProvider.PROVIDER_NAME) .getCertificate(x509v3Builder.build(signer)); // Validate cert.checkValidity(new Date()); cert.verify(cert.getPublicKey()); // Save in keystore KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(null); ks.setKeyEntry(hostFqdn, pair.getPrivate(), password.toCharArray(), new Certificate[] { cert }); m_logger.info("Created self-signed certificate: {}", hostFqdn); ks.store(out, password.toCharArray()); } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | NoSuchProviderException | OperatorCreationException | InvalidKeyException | SignatureException e) { throw new RuntimeException("Failed to create keystore: " + keyStorePath, e); } } } }
From source file:io.spikex.core.Main.java
License:Apache License
private void createTrustStore(final YamlDocument conf) { YamlDocument confTrustStore = conf.getDocument(CONF_KEY_TRUSTSTORE); boolean generate = confTrustStore.getValue(CONF_KEY_GENERATE, DEF_GENERATE_TRUSSTORE); if (generate) { Path trustStorePath = Paths .get(confTrustStore.getValue(CONF_KEY_PATH, m_confPath.resolve(DEF_TRUSTSTORE_PATH)).toString()) .toAbsolutePath().normalize(); Path certsPath = m_confPath.resolve(DEF_TRUSTSTORE_CERTS_DIR).toAbsolutePath().normalize(); if (!Files.exists(trustStorePath) && Files.exists(certsPath)) { Provider bcProvider = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME); if (bcProvider == null) { Security.addProvider(new BouncyCastleProvider()); }// ww w .ja va2 s.c om try { // Create keystore m_logger.info("Generating truststore: {}", trustStorePath); KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType()); ts.load(null); // // Import PEM certificates // https://gist.github.com/akorobov/6910564 // try (DirectoryStream<Path> dirStream = Files.newDirectoryStream(certsPath)) { JcaX509CertificateConverter converter = new JcaX509CertificateConverter() .setProvider(BouncyCastleProvider.PROVIDER_NAME); for (Path path : dirStream) { PEMParser parser = new PEMParser(new FileReader(path.toFile())); while (true) { int index = 1; Object object = parser.readObject(); if (object != null) { if (object instanceof X509CertificateHolder) { X509Certificate cert = converter .getCertificate((X509CertificateHolder) object); m_logger.debug( "Certificate issuer: {} subject: {} serial: {} validity: {}-{}", cert.getIssuerX500Principal().getName(), cert.getSubjectX500Principal().getName(), cert.getSerialNumber(), cert.getNotBefore(), cert.getNotAfter()); // Validate cert.checkValidity(new Date()); // Alias String alias = cert.getSubjectX500Principal().getName(); if (Strings.isNullOrEmpty(alias)) { alias = "cert-" + index++; } // Save in trusstore ts.setCertificateEntry(alias, cert); m_logger.info("Imported trusted certificate: {}", alias); } } else { break; } } } } catch (CertificateException e) { m_logger.error("Failed to import trusted certificate", e); } // Save truststore String password = confTrustStore.getValue(CONF_KEY_PASSWORD, DEF_TRUSTSTORE_PASSWORD); ts.store(new FileOutputStream(trustStorePath.toFile()), password.toCharArray()); } catch (IOException | NoSuchAlgorithmException | KeyStoreException | CertificateException e) { throw new RuntimeException("Failed to create truststore: " + trustStorePath, e); } } } }
From source file:io.vertx.config.vault.utils.Certificates.java
License:Apache License
/** * See http://www.programcreek.com/java-api-examples/index.php?api=org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder * * @param keyPair The RSA keypair with which to generate the certificate * @param issuer The issuer (and subject) to use for the certificate * @return An X509 certificate//from w w w . j a v a2s . co m * @throws IOException * @throws OperatorCreationException * @throws CertificateException * @throws NoSuchProviderException * @throws NoSuchAlgorithmException * @throws InvalidKeyException * @throws SignatureException */ private static X509Certificate generateCert(final KeyPair keyPair, final String issuer) throws IOException, OperatorCreationException, CertificateException, NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, SignatureException { final String subject = issuer; final X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(new X500Name(issuer), BigInteger.ONE, new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30), new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30)), new X500Name(subject), SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded())); final GeneralNames subjectAltNames = new GeneralNames(new GeneralName(GeneralName.iPAddress, "127.0.0.1")); certificateBuilder.addExtension(org.bouncycastle.asn1.x509.Extension.subjectAlternativeName, false, subjectAltNames); final AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder() .find("SHA1WithRSAEncryption"); final AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); final BcContentSignerBuilder signerBuilder = new BcRSAContentSignerBuilder(sigAlgId, digAlgId); final AsymmetricKeyParameter keyp = PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded()); final ContentSigner signer = signerBuilder.build(keyp); final X509CertificateHolder x509CertificateHolder = certificateBuilder.build(signer); final X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(x509CertificateHolder); certificate.checkValidity(new Date()); certificate.verify(keyPair.getPublic()); return certificate; }
From source file:it.trento.comune.j4sign.cms.utils.CMSVerifier.java
License:Open Source License
public void basicVerify() { addBCProvider();//www . j a va 2 s . c o m SimpleDateFormat df = new SimpleDateFormat("dd MMMMM yyyy HH:mm:ss z"); try { Store certs = this.cmsSignedData.getCertificates(); // Recupero i firmatari. SignerInformationStore signerStore = this.cmsSignedData.getSignerInfos(); Collection<SignerInformation> c = signerStore.getSigners(); if (debug) System.out.println(c.size() + " firmatari diversi trovati"); Iterator<SignerInformation> it = c.iterator(); // ciclo tra tutti i firmatari int i = 0; X509Certificate cert = null; while (it.hasNext()) { SignerInformation signer = it.next(); Collection<?> certCollection = null; try { certCollection = certs.getMatches(signer.getSID()); } catch (StoreException ex1) { System.out.println("Errore nel CertStore"); } if (certCollection.size() == 1) { X509CertificateHolder ch = (X509CertificateHolder) certCollection.toArray()[0]; try { // get Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(ch); if (debug) System.out.println(i + ") Verifiying signature from:\n" + cert.getSubjectDN()); this.signerDN = cert.getSubjectDN().toString(); if (debug) System.out.println("Certificato valido fino a " + cert.getNotAfter()); this.notBefore = df.format(cert.getNotBefore()); this.notAfter = df.format(cert.getNotAfter()); cert.checkValidity(); this.validNotExpired = true; } catch (CertificateExpiredException ex) { if (debug) System.out.println("Certificato scaduto il " + cert.getNotAfter()); } catch (CertificateNotYetValidException ex) { if (debug) System.out.println("Certificato non ancora valido. Valido da " + cert.getNotBefore()); } catch (CertificateException e) { if (debug) System.out.println("Errore Certificato "); } // VERIFICA INTEGRITA' (passando il certificato) // verify that the given certificate successfully handles // and confirms the signature associated with this signer // and, if a signingTime attribute is available, that the // certificate was valid at the time the signature was // generated. // try { // ROB: faccio solo controllo integrit -> passo solo la // chiave pubblica. if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder() .build(new X509CertificateHolder(cert.getEncoded())))) { if (debug) System.out.println("Firma " + i + " integra."); this.integrityChecked = true; } else { if (debug) System.err.println("Firma " + i + " non integra!"); } parseAuthenticatedAttributes(signer); /* * } catch (CertificateExpiredException e) { * System.out.println("Certificato per la Firma " + i + * " scaduto."); } catch (CertificateNotYetValidException e) * { System.out.println("Certificato per la Firma " + i + * " non ancora valido."); } */ } else { if (debug) System.out.println("There is not exactly one certificate for this signer!"); } i++; } } catch (CMSException e) { if (debug) System.out.println("Dati firmati non corretti: " + e.getMessage()); } catch (CertificateEncodingException e) { if (debug) System.out.println("Encoding certificato non corretto: " + e.getMessage()); } catch (OperatorCreationException e) { if (debug) System.out.println(e.getMessage()); } catch (CertificateException e) { if (debug) System.out.println("Errore nel certificato: " + e.getMessage()); } catch (IOException e) { if (debug) System.out.println(e.getMessage()); } }
From source file:it.trento.comune.j4sign.examples.CLITest.java
License:Open Source License
/** * Tests (possibly multiple) digital signatures using PKCS#11 tokens. After * correct integrity verification of all signatures, the CMS signed message * is saved on the filesystem under the users's home directory. * //from w w w. ja v a 2s . co m */ public void testExternalSignature() { try { System.out.println("\n========= CMS (PKCS7) Signed message test ========\n"); System.out.print("The test message to sign is:\t"); ByteArrayOutputStream baos = new ByteArrayOutputStream(); baos.write(this.msgBytes); System.out.println(baos.toString()); System.out.print("As exadecimal string:\t\t"); System.out.println(formatAsString(this.msgBytes, " ", WRAP_AFTER)); System.out.println(); CMSProcessable msg = new CMSProcessableByteArray(this.msgBytes); // questa versione del generatore priva della classe interna // per // la generazione delle SignerInfo, che stata promossa a // classe a // s. ExternalSignatureCMSSignedDataGenerator gen = new ExternalSignatureCMSSignedDataGenerator(); // Conterr la lista dei certificati; come minimo dovr // contenere i certificati dei firmatari; opzionale, ma // consigliabile, // l'aggiunta dei certificati root per completare le catene di // certificazione. ArrayList certList = new ArrayList(); ExternalSignatureSignerInfoGenerator sig = null; String answer = "STARTVALUE"; String question = "Do you want to sign this message?"; String defaultChoice = null; int i = 0; Prompt prompt = new Prompt(); String[] choices = { "Y", "N" }; while (!answer.equals("N")) { answer = prompt.question(question, "Type Y or N:", choices, defaultChoice); if (answer.equals("Y")) { System.out.println("========================"); System.out.println("ADDING SIGNATURE " + i); if (detectCardAndCriptoki()) { System.out.println("Starting signing process."); // System.out // .println("Applying SHA1 digest with RSA // encryption."); sig = getSignerInfoGenerator(msg, this.digestAlg, this.encAlg, this.makeDigestOnToken, // digest // on // token? certList); if (sig != null) gen.addSignerInf(sig); } // if card detected question = "\nAdd another signature?"; defaultChoice = "N"; answer = "STARTVALUE"; } i++; } if (certList.size() != 0) { // Per passare i certificati al generatore li si incapsula // in un // CertStore. CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList), "BC"); System.out.println("Adding certificates ... "); gen.addCertificatesAndCRLs(store); // Finalmente, si pu creare il l'oggetto CMS. System.out.println("Generating CMSSignedData "); CMSSignedData s = gen.generate(msg, true); // Verifica System.out.println("\nStarting CMSSignedData verification ... "); // recupero dal CMS la lista dei certificati Store certs = s.getCertificates(); // Recupero i firmatari. SignerInformationStore signers = s.getSignerInfos(); Collection<?> c = signers.getSigners(); System.out.println(c.size() + " signers found."); Iterator it = c.iterator(); // ciclo tra tutti i firmatari i = 0; while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); Collection<?> certCollection = certs.getMatches(signer.getSID()); if (certCollection.size() == 1) { // Iterator certIt = certCollection.iterator(); // X509Certificate cert = (X509Certificate) // certIt.next(); X509CertificateHolder ch = (X509CertificateHolder) certCollection.toArray()[0]; X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC") .getCertificate(ch); System.out.println(i + ") Verifiying signature from:\n" + cert.getSubjectDN()); /* * System.out.println("Certificate follows:"); * System.out * .println("===================================="); * System.out.println(cert); * System.out.println("====================================" * ); */ if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) { System.out.println("SIGNATURE " + i + " OK!"); } else System.err.println("SIGNATURE " + i + " Failure!"); } else System.out.println("There is not exactly one certificate for this signer!"); i++; } // writing CMS file to user's home directory this.filePath = System.getProperty("user.home") + System.getProperty("file.separator") + "ciao.txt.p7m"; System.out.println("\nSAVING FILE TO: " + filePath); FileOutputStream fos = new FileOutputStream(filePath); fos.write(s.getEncoded()); fos.flush(); fos.close(); } } catch (Exception ex) { System.err.println("EXCEPTION:\n" + ex); } }
From source file:it.trento.comune.j4sign.verification.RootsVerifier.java
License:Open Source License
private boolean verify(boolean forceCRLDownload) { String error = null;/*from ww w . ja v a 2s.com*/ boolean rootsOk = false; log.info("Starting root certificates verification."); try { CertificationAuthorities CNIPARoot = new CertificationAuthorities(); try { CNIPARoot.addCertificateAuthority(CNIPARoot.getBytesFromPath(this.CNIPACACertFilePath)); } catch (GeneralSecurityException e) { log.severe("Errore nell'inizializzazione della CA CNIPA: " + e); } Store certs = null; CMSSignedData CNIPA_CMS = null; try { CNIPA_CMS = getCNIPA_CMS(); } catch (FileNotFoundException ex) { log.severe("Errore nell'acquisizione del file: " + ex); } Provider p = new org.bouncycastle.jce.provider.BouncyCastleProvider(); if (Security.getProvider(p.getName()) == null) Security.addProvider(p); certs = CNIPA_CMS.getCertificates(); if (certs != null) { SignerInformationStore signers = CNIPA_CMS.getSignerInfos(); Collection c = signers.getSigners(); log.info(c.size() + " signers found."); Iterator it = c.iterator(); // ciclo tra tutti i firmatari int i = 0; while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); Collection certCollection = null; try { certCollection = certs.getMatches(signer.getSID()); } catch (StoreException ex1) { log.severe("CertStore error: " + ex1); } if (certCollection.size() == 1) { X509CertificateHolder ch = (X509CertificateHolder) certCollection.toArray()[0]; byte[] signerFingerprint = getCertFingerprint(ch.getEncoded()); log.info("Signer fingerprint: " + formatAsGUString(signerFingerprint)); if (Arrays.equals(signerFingerprint, this.userApprovedFingerprint)) { // get Certificate java.security.cert.X509Certificate cert = null; try { cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(ch); VerifyResult vr = new VerifyResult(this.conf, certs, cert, CNIPA_CMS, CNIPARoot, signer, false, forceCRLDownload, false, getCrlDir()); // rootsOk = vr.getPassed_cnipasigner_expired(); rootsOk = vr.getPassed(); error = vr.getCRLerror(); } catch (CertificateException e) { log.severe("Certificate error:" + e.getMessage()); } } else log.severe("Signer cert has wrong fingerprint!"); } else log.severe("There is not exactly one certificate for this signer!"); i++; } } } catch (IOException e) { // TODO Auto-generated catch block e.printStackTrace(); log.severe(e.getMessage()); } catch (CMSException e) { // TODO Auto-generated catch block e.printStackTrace(); log.severe(e.getMessage()); } return rootsOk; }
From source file:it.trento.comune.j4sign.verification.Verifier.java
License:Open Source License
public void verify() { org.bouncycastle.jce.provider.BouncyCastleProvider p = new org.bouncycastle.jce.provider.BouncyCastleProvider(); if (Security.getProvider(p.getName()) == null) Security.addProvider(p);//w w w .j a v a2 s .co m Store certs = this.cms.getCertificates(); if (certs != null) { SignerInformation signer = currentSigner.next(); Collection<?> certCollection = null; try { certCollection = certs.getMatches(signer.getSID()); } catch (StoreException ex1) { log.severe("Errore nel CertStore"); errors.add("Errore nel CertStore"); } if (certCollection.size() == 1) { // Iterator certIt = certCollection.iterator(); // X509Certificate cert = (X509Certificate) // certIt.next(); X509CertificateHolder ch = (X509CertificateHolder) certCollection.toArray()[0]; // get Certificate java.security.cert.X509Certificate cert = null; try { cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(ch); // inserisce in una lista i DN dei firmatari signersList.add(cert.getSubjectX500Principal()); log.info("Signer CN: " + getCommonName(cert)); VerifyResult vr = new VerifyResult(conf, certs, cert, cms, CAroot, signer, false, isDownloadCRLForced, true, getCrlDir()); // do verification!!! vr.getPassed(); risultati.add(vr); } catch (CertificateException e) { log.severe("Certificate error:" + e.getMessage()); } } else { log.severe("There is not exactly one certificate for this signer!"); errors.add("There is not exactly one certificate for this signer!"); } if (!currentSigner.hasNext()) { done = true; } } }
From source file:it.trento.comune.j4sign.verification.VerifyResult.java
License:Open Source License
private void initCountersignatures(Store certs, CMSSignedData cm, CertificationAuthorities roots, SignerInformation parentSigner, boolean isDownloadCRLForced) { SignerInformationStore cs = parentSigner.getCounterSignatures(); if (cs.size() > 0) { risultatiCs = new Hashtable<X500Principal, VerifyResult>(); log.info("detected " + cs.size() + " countersignatures for " + cert.getSubjectX500Principal()); Iterator<SignerInformation> csIterator = cs.getSigners().iterator(); while (csIterator.hasNext()) { SignerInformation counterSigner = csIterator.next(); Collection cc = null; try { cc = certs.getMatches(counterSigner.getSID()); } catch (StoreException ex1) { log.severe("Errore nel CertStore"); // errors.add("Errore nel CertStore"); }// ww w .j a va2 s. c o m if (cc.size() == 1) { X509CertificateHolder ch = (X509CertificateHolder) cc.toArray()[0]; // get Certificate X509Certificate c; try { c = new JcaX509CertificateConverter().setProvider("BC").getCertificate(ch); log.info("CounterSigner CN: " + Verifier.getCommonName(c)); VerifyResult vr = new VerifyResult(conf, certs, c, cm, roots, counterSigner, true, this.crlDownloadForced, this.checkQCStatements, this.crlDir); risultatiCs.put(c.getSubjectX500Principal(), vr); } catch (CertificateException e) { log.severe( "Errore nell'estrazione del certificato del controfirmatario: " + e.getMessage()); } } } } }
From source file:jenkins.bouncycastle.api.PEMEncodable.java
License:Open Source License
/** * Creates a {@link PEMEncodable} by decoding PEM formated data from a {@link String} * /*from w w w . j av a 2 s . com*/ * @param pem {@link String} with the PEM data * @param passphrase passphrase for the encrypted PEM data. null if PEM data is not passphrase protected. The caller * is responsible for zeroing out the char[] after use to ensure the password does not stay in memory, e.g. with * <code>Arrays.fill(passphrase, (char)0)</code> * @return {@link PEMEncodable} object * @throws IOException launched if a problem exists reading the PEM information * @throws UnrecoverableKeyException in case PEM is passphrase protected and none or wrong is provided */ @Nonnull public static PEMEncodable decode(@Nonnull String pem, @Nullable final char[] passphrase) throws IOException, UnrecoverableKeyException { try (PEMParser parser = new PEMParser(new StringReader(pem));) { Object object = parser.readObject(); JcaPEMKeyConverter kConv = new JcaPEMKeyConverter().setProvider("BC"); // handle supported PEM formats. if (object instanceof PEMEncryptedKeyPair) { if (passphrase != null) { PEMDecryptorProvider dp = new JcePEMDecryptorProviderBuilder().build(passphrase); PEMEncryptedKeyPair ekp = (PEMEncryptedKeyPair) object; return new PEMEncodable(kConv.getKeyPair(ekp.decryptKeyPair(dp))); } else { throw new UnrecoverableKeyException(); } } else if (object instanceof PKCS8EncryptedPrivateKeyInfo) { if (passphrase != null) { InputDecryptorProvider dp = new JceOpenSSLPKCS8DecryptorProviderBuilder().build(passphrase); PKCS8EncryptedPrivateKeyInfo epk = (PKCS8EncryptedPrivateKeyInfo) object; return new PEMEncodable(kConv.getPrivateKey(epk.decryptPrivateKeyInfo(dp))); } else { throw new UnrecoverableKeyException(); } } else if (object instanceof PEMKeyPair) { return new PEMEncodable(kConv.getKeyPair((PEMKeyPair) object)); } else if (object instanceof PrivateKeyInfo) { PrivateKey pk = kConv.getPrivateKey((PrivateKeyInfo) object); // JENKINS-35661 in this case we know how to get the public key too if (pk instanceof RSAPrivateCrtKey) { // obtain public key spec from the private key RSAPrivateCrtKey rsaPK = (RSAPrivateCrtKey) pk; RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec(rsaPK.getModulus(), rsaPK.getPublicExponent()); KeyFactory kf = KeyFactory.getInstance("RSA"); return new PEMEncodable(new KeyPair(kf.generatePublic(pubKeySpec), rsaPK)); } return new PEMEncodable(pk); } else if (object instanceof SubjectPublicKeyInfo) { return new PEMEncodable(kConv.getPublicKey((SubjectPublicKeyInfo) object)); } else if (object instanceof X509CertificateHolder) { JcaX509CertificateConverter cConv = new JcaX509CertificateConverter().setProvider("BC"); return new PEMEncodable(cConv.getCertificate((X509CertificateHolder) object)); } else { throw new IOException( "Could not parse PEM, only key pairs, private keys, public keys and certificates are supported. Received " + object.getClass().getName()); } } catch (OperatorCreationException e) { throw new IOException(e.getMessage(), e); } catch (PKCSException | InvalidKeySpecException e) { LOGGER.log(Level.WARNING, "Could not read PEM encrypted information", e); throw new UnrecoverableKeyException(); } catch (CertificateException e) { throw new IOException("Could not read certificate", e); } catch (NoSuchAlgorithmException e) { throw new AssertionError( "RSA algorithm support is mandated by Java Language Specification. See https://docs.oracle.com/javase/7/docs/api/java/security/KeyFactory.html"); } }