/** * generate an X509 certificate, based on the current issuer and subject * using the default provider and the passed in source of randomness * <p> * <b>Note:</b> this differs from the deprecated method in that the default provider is * used - not "BC". * </p> */ public X509Certificate generate( PrivateKey key, SecureRandom random) throws CertificateEncodingException, IllegalStateException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { TBSCertificate tbsCert = tbsGen.generateTBSCertificate(); byte[] signature; try { signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, key, random, tbsCert); } catch (IOException e) { throw new ExtCertificateEncodingException("exception encoding TBS cert", e); } return generateJcaObject(tbsCert, signature); }
/** * generate an X509 certificate, based on the current issuer and subject, * using the passed in provider for the signing, and the passed in source * of randomness (if required). */ public X509Certificate generate( PrivateKey key, String provider, SecureRandom random) throws CertificateEncodingException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { TBSCertificate tbsCert = tbsGen.generateTBSCertificate(); byte[] signature; try { signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, provider, key, random, tbsCert); } catch (IOException e) { throw new ExtCertificateEncodingException("exception encoding TBS cert", e); } return generateJcaObject(tbsCert, signature); }
private X509Certificate generateJcaObject(TBSCertificate tbsCert, byte[] signature) throws CertificateEncodingException { ASN1EncodableVector v = new ASN1EncodableVector(); v.add(tbsCert); v.add(sigAlgId); v.add(new DERBitString(signature)); try { return new X509CertificateObject(Certificate.getInstance(new DERSequence(v))); } catch (CertificateParsingException e) { throw new ExtCertificateEncodingException("exception producing certificate object", e); } }
/** * Verifies the CT Log's signature over the SCT and PreCertificate. * * @param sct SignedCertificateTimestamp received from the log. * @param preCertificate PreCertificate sent to the log for addition. * @param issuerInfo Information on the issuer which will ultimately sign this PreCertificate. If * the PreCertificate was signed using by a PreCertificate Signing Cert, the issuerInfo * contains data on the final CA certificate used for signing. * @return true if the SCT verifies, false otherwise. */ boolean verifySCTOverPreCertificate( Ct.SignedCertificateTimestamp sct, X509Certificate preCertificate, IssuerInformation issuerInfo) { Preconditions.checkNotNull(issuerInfo, "At the very least, the issuer key hash is needed."); //TODO(eranm): Remove this restriction after this method knows how to strip the CT // extension from a final certificate. Preconditions.checkArgument( CertificateInfo.isPreCertificate(preCertificate), "PreCertificate must contain the poison extension"); TBSCertificate preCertificateTBS = createTbsForVerification(preCertificate, issuerInfo); try { byte[] toVerify = serializeSignedSCTDataForPreCertificate( preCertificateTBS.getEncoded(), issuerInfo.getKeyHash(), sct); return verifySCTSignatureOverBytes(sct, toVerify); } catch (IOException e) { throw new CertificateTransparencyException( "TBSCertificate part could not be encoded: " + e.getMessage(), e); } }
private static byte[] buildCRT(TBSCertificate tbs, AlgorithmIdentifier aid, byte[] sig) { ASN1EncodableVector v = new ASN1EncodableVector(); v.add(tbs); v.add(aid); v.add(new DERBitString(sig)); byte [] crt = null; try { Certificate c = Certificate.getInstance(new DERSequence(v)); crt = c.getEncoded(); Base64.encode(crt, System.out); System.out.println(""); } catch (Exception ex) { ex.printStackTrace(System.out); Assert.fail(); } return crt; }
private static TBSCertificate createTBS(ByteArrayOutputStream bOut, SubjectPublicKeyInfo ski, AlgorithmIdentifier algo) throws IOException { TBSCertificate tbs = null; V1TBSCertificateGenerator tbsGen = new V1TBSCertificateGenerator(); tbsGen.setSerialNumber(new ASN1Integer(0x1)); tbsGen.setStartDate(new Time(new Date(100, 01, 01, 00, 00, 00))); tbsGen.setEndDate(new Time(new Date(130, 12, 31, 23, 59, 59))); tbsGen.setIssuer(new X500Name("CN=Cryptonit")); tbsGen.setSubject(new X500Name("CN=Cryptonit")); tbsGen.setSignature(algo); tbsGen.setSubjectPublicKeyInfo(ski); tbs = tbsGen.generateTBSCertificate(); ASN1OutputStream aOut = new ASN1OutputStream(bOut); aOut.writeObject(tbs); System.out.println("Build TBS"); System.out.println(toHex(bOut.toByteArray())); Base64.encode(bOut.toByteArray(), System.out); System.out.println(); return tbs; }
private X509Certificate generateJcaObject(TBSCertificate tbsCert, byte[] signature) throws CertificateEncodingException { ASN1EncodableVector v = new ASN1EncodableVector(); v.add(tbsCert); v.add(sigAlgId); v.add(new DERBitString(signature)); try { return new X509CertificateObject(Certificate.getInstance((new DERSequence(v)))); } catch (CertificateParsingException e) { throw new ExtCertificateEncodingException("exception producing certificate object", e); } }
private TBSCertificate generateTbsCert() { if (!extGenerator.isEmpty()) { tbsGen.setExtensions(extGenerator.generate()); } return tbsGen.generateTBSCertificate(); }
private X509Certificate generateJcaObject(TBSCertificate tbsCert, byte[] signature) throws CertificateParsingException { ASN1EncodableVector v = new ASN1EncodableVector(); v.add(tbsCert); v.add(sigAlgId); v.add(new DERBitString(signature)); return new X509CertificateObject(Certificate.getInstance(new DERSequence(v))); }
static X509CertificateHolder generateFullCert(ContentSigner signer, TBSCertificate tbsCert) { try { return new X509CertificateHolder(generateStructure(tbsCert, signer.getAlgorithmIdentifier(), generateSig(signer, tbsCert))); } catch (IOException e) { throw new IllegalStateException("cannot produce certificate signature"); } }
private static Certificate generateStructure(TBSCertificate tbsCert, AlgorithmIdentifier sigAlgId, byte[] signature) { ASN1EncodableVector v = new ASN1EncodableVector(); v.add(tbsCert); v.add(sigAlgId); v.add(new DERBitString(signature)); return Certificate.getInstance(new DERSequence(v)); }
/** * Validate the signature on the certificate in this holder. * * @param verifierProvider a ContentVerifierProvider that can generate a verifier for the signature. * @return true if the signature is valid, false otherwise. * @throws CertException if the signature cannot be processed or is inappropriate. */ public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws CertException { TBSCertificate tbsCert = x509Certificate.getTBSCertificate(); if (!CertUtils.isAlgIdEqual(tbsCert.getSignature(), x509Certificate.getSignatureAlgorithm())) { throw new CertException("signature invalid - algorithm identifier mismatch"); } ContentVerifier verifier; try { verifier = verifierProvider.get((tbsCert.getSignature())); OutputStream sOut = verifier.getOutputStream(); DEROutputStream dOut = new DEROutputStream(sOut); dOut.writeObject(tbsCert); sOut.close(); } catch (Exception e) { throw new CertException("unable to process signature: " + e.getMessage(), e); } return verifier.verify(x509Certificate.getSignature().getBytes()); }
static TBSCertificate getTBSCertificateStructure( X509Certificate cert) { try { return TBSCertificate.getInstance( ASN1Primitive.fromByteArray(cert.getTBSCertificate())); } catch (Exception e) { throw new IllegalArgumentException( "can't extract TBS structure from this cert"); } }
