/** * Validate the signature on the PKCS10 certification request in this holder. * * @param verifierProvider a ContentVerifierProvider that can generate a verifier for the signature. * @return true if the signature is valid, false otherwise. * @throws PKCSException if the signature cannot be processed or is inappropriate. */ public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws PKCSException { CertificationRequestInfo requestInfo = certificationRequest.getCertificationRequestInfo(); ContentVerifier verifier; try { verifier = verifierProvider.get(certificationRequest.getSignatureAlgorithm()); OutputStream sOut = verifier.getOutputStream(); sOut.write(requestInfo.getEncoded(ASN1Encoding.DER)); sOut.close(); } catch (Exception e) { throw new PKCSException("unable to process signature: " + e.getMessage(), e); } return verifier.verify(certificationRequest.getSignature().getBytes()); }
/** * Validate the signature on the PKCS10 certification request in this holder. * * @param verifierProvider a ContentVerifierProvider that can generate a verifier for the signature. * @return true if the signature is valid, false otherwise. * @throws PKCSException if the signature cannot be processed or is inappropriate. */ public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws PKCSException { CertificationRequestInfo requestInfo = certificationRequest.getCertificationRequestInfo(); ContentVerifier verifier; try { verifier = verifierProvider.get(certificationRequest.getSignatureAlgorithm()); OutputStream sOut = verifier.getOutputStream(); sOut.write(requestInfo.getEncoded(ASN1Encoding.DER)); sOut.close(); } catch (Exception e) { throw new PKCSException("unable to process signature: " + e.getMessage(), e); } return verifier.verify(this.getSignature()); }
public static Extensions getExtensions(CertificationRequestInfo csr) { ParamUtil.requireNonNull("csr", csr); ASN1Set attrs = csr.getAttributes(); for (int i = 0; i < attrs.size(); i++) { Attribute attr = Attribute.getInstance(attrs.getObjectAt(i)); if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) { return Extensions.getInstance(attr.getAttributeValues()[0]); } } return null; }
public static String getChallengePassword(CertificationRequestInfo csr) { ParamUtil.requireNonNull("csr", csr); ASN1Set attrs = csr.getAttributes(); for (int i = 0; i < attrs.size(); i++) { Attribute attr = Attribute.getInstance(attrs.getObjectAt(i)); if (PKCSObjectIdentifiers.pkcs_9_at_challengePassword.equals(attr.getAttrType())) { ASN1String str = (ASN1String) attr.getAttributeValues()[0]; return str.getString(); } } return null; }
@Override protected Object execute0() throws Exception { Set<String> issuerNames = qaSystemManager.issuerNames(); if (isEmpty(issuerNames)) { throw new IllegalCmdParamException("no issuer is configured"); } if (issuerName == null) { if (issuerNames.size() != 1) { throw new IllegalCmdParamException("no issuer is specified"); } issuerName = issuerNames.iterator().next(); } if (!issuerNames.contains(issuerName)) { throw new IllegalCmdParamException("issuer " + issuerName + " is not within the configured issuers " + issuerNames); } X509IssuerInfo issuerInfo = qaSystemManager.getIssuer(issuerName); X509CertprofileQa qa = qaSystemManager.getCertprofile(profileName); if (qa == null) { throw new IllegalCmdParamException("found no certificate profile named '" + profileName + "'"); } CertificationRequest csr = CertificationRequest.getInstance(IoUtil.read(csrFile)); Extensions extensions = null; CertificationRequestInfo reqInfo = csr.getCertificationRequestInfo(); ASN1Set attrs = reqInfo.getAttributes(); for (int i = 0; i < attrs.size(); i++) { Attribute attr = Attribute.getInstance(attrs.getObjectAt(i)); if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) { extensions = Extensions.getInstance(attr.getAttributeValues()[0]); } } byte[] certBytes = IoUtil.read(certFile); ValidationResult result = qa.checkCert(certBytes, issuerInfo, reqInfo.getSubject(), reqInfo.getSubjectPublicKeyInfo(), extensions); StringBuilder sb = new StringBuilder(); sb.append(certFile).append(" (certprofile ").append(profileName).append(")\n"); sb.append("\tcertificate is "); sb.append(result.isAllSuccessful() ? "valid" : "invalid"); if (verbose.booleanValue()) { for (ValidationIssue issue : result.validationIssues()) { sb.append("\n"); format(issue, " ", sb); } } println(sb.toString()); if (!result.isAllSuccessful()) { throw new CmdFailure("certificate is invalid"); } return null; }
/** * handle the PKI body with the choice {@code p10cr}<br/> * Since it is not possible to add attribute to the PKCS#10 request (CSR), the certificate * profile must be specified in the attribute regInfo-utf8Pairs (1.3.6.1.5.5.7.5.2.1) within * PKIHeader.generalInfo * */ private PKIBody processP10cr(PKIMessage request, CmpRequestorInfo requestor, ASN1OctetString tid, PKIHeader reqHeader, CertificationRequest p10cr, CmpControl cmpControl, String msgId, AuditEvent event) { // verify the POP first CertResponse certResp; ASN1Integer certReqId = new ASN1Integer(-1); boolean certGenerated = false; X509Ca ca = getCa(); if (!securityFactory.verifyPopo(p10cr, getCmpControl().popoAlgoValidator())) { LOG.warn("could not validate POP for the pkcs#10 requst"); certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "invalid POP"); } else { CertificationRequestInfo certTemp = p10cr.getCertificationRequestInfo(); Extensions extensions = CaUtil.getExtensions(certTemp); X500Name subject = certTemp.getSubject(); SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo(); CmpUtf8Pairs keyvalues = CmpUtil.extract(reqHeader.getGeneralInfo()); String certprofileName = null; Date notBefore = null; Date notAfter = null; if (keyvalues != null) { certprofileName = keyvalues.value(CmpUtf8Pairs.KEY_CERT_PROFILE); String str = keyvalues.value(CmpUtf8Pairs.KEY_NOT_BEFORE); if (str != null) { notBefore = DateUtil.parseUtcTimeyyyyMMddhhmmss(str); } str = keyvalues.value(CmpUtf8Pairs.KEY_NOT_AFTER); if (str != null) { notAfter = DateUtil.parseUtcTimeyyyyMMddhhmmss(str); } } if (certprofileName == null) { certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badCertTemplate, "badCertTemplate", null); } else { certprofileName = certprofileName.toUpperCase(); if (!requestor.isCertProfilePermitted(certprofileName)) { String msg = "certprofile " + certprofileName + " is not allowed"; certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.notAuthorized, msg); } else { CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, certprofileName); certResp = generateCertificates(Arrays.asList(certTemplateData), Arrays.asList(certReqId), requestor, tid, false, request, cmpControl, msgId, event).get(0); certGenerated = true; } } } CMPCertificate[] caPubs = null; if (certGenerated && cmpControl.sendCaCert()) { caPubs = new CMPCertificate[]{ca.caInfo().certInCmpFormat()}; } CertRepMessage repMessage = new CertRepMessage(caPubs, new CertResponse[]{certResp}); return new PKIBody(PKIBody.TYPE_CERT_REP, repMessage); }
