/** * generate an X509 certificate, based on the current issuer and subject, * using the passed in provider for the signing and the supplied source * of randomness, if required. */ public X509AttributeCertificate generate( PrivateKey key, String provider, SecureRandom random) throws CertificateEncodingException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { if (!extGenerator.isEmpty()) { acInfoGen.setExtensions(extGenerator.generate()); } AttributeCertificateInfo acInfo = acInfoGen.generateAttributeCertificateInfo(); ASN1EncodableVector v = new ASN1EncodableVector(); v.add(acInfo); v.add(sigAlgId); try { v.add(new DERBitString(X509Util.calculateSignature(sigOID, signatureAlgorithm, provider, key, random, acInfo))); return new X509V2AttributeCertificate(new AttributeCertificate(new DERSequence(v))); } catch (IOException e) { throw new ExtCertificateEncodingException("constructed invalid certificate", e); } }
static X509AttributeCertificateHolder generateFullAttrCert(ContentSigner signer, AttributeCertificateInfo attrInfo) { try { return new X509AttributeCertificateHolder(generateAttrStructure(attrInfo, signer.getAlgorithmIdentifier(), generateSig(signer, attrInfo))); } catch (IOException e) { throw new IllegalStateException("cannot produce attribute certificate signature"); } }
private static AttributeCertificate generateAttrStructure(AttributeCertificateInfo attrInfo, AlgorithmIdentifier sigAlgId, byte[] signature) { ASN1EncodableVector v = new ASN1EncodableVector(); v.add(attrInfo); v.add(sigAlgId); v.add(new DERBitString(signature)); return AttributeCertificate.getInstance(new DERSequence(v)); }
/** * Validate the signature on the attribute certificate in this holder. * * @param verifierProvider a ContentVerifierProvider that can generate a verifier for the signature. * @return true if the signature is valid, false otherwise. * @throws CertException if the signature cannot be processed or is inappropriate. */ public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws CertException { AttributeCertificateInfo acinfo = attrCert.getAcinfo(); if (!CertUtils.isAlgIdEqual(acinfo.getSignature(), attrCert.getSignatureAlgorithm())) { throw new CertException("signature invalid - algorithm identifier mismatch"); } ContentVerifier verifier; try { verifier = verifierProvider.get((acinfo.getSignature())); OutputStream sOut = verifier.getOutputStream(); DEROutputStream dOut = new DEROutputStream(sOut); dOut.writeObject(acinfo); sOut.close(); } catch (Exception e) { throw new CertException("unable to process signature: " + e.getMessage(), e); } return verifier.verify(attrCert.getSignatureValue().getBytes()); }
/** * Validate the signature on the attribute certificate in this holder. * * @param verifierProvider a ContentVerifierProvider that can generate a verifier for the signature. * @return true if the signature is valid, false otherwise. * @throws CertException if the signature cannot be processed or is inappropriate. */ public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws CertException { AttributeCertificateInfo acinfo = attrCert.getAcinfo(); if (!CertUtils.isAlgIdEqual(acinfo.getSignature(), attrCert.getSignatureAlgorithm())) { throw new CertException("signature invalid - algorithm identifier mismatch"); } ContentVerifier verifier; try { verifier = verifierProvider.get((acinfo.getSignature())); OutputStream sOut = verifier.getOutputStream(); DEROutputStream dOut = new DEROutputStream(sOut); dOut.writeObject(acinfo); sOut.close(); } catch (Exception e) { throw new CertException("unable to process signature: " + e.getMessage(), e); } return verifier.verify(this.getSignature()); }
@Override public List<CertifiedRole> getCertifiedSignerRoles() { final Attribute id_aa_ets_signerAttr = getSignedAttribute(PKCSObjectIdentifiers.id_aa_ets_signerAttr); if (id_aa_ets_signerAttr == null) { return null; } final ASN1Set attrValues = id_aa_ets_signerAttr.getAttrValues(); final ASN1Encodable asn1EncodableAttrValue = attrValues.getObjectAt(0); try { final SignerAttribute signerAttr = SignerAttribute.getInstance(asn1EncodableAttrValue); if (signerAttr == null) { return null; } List<CertifiedRole> roles = null; final Object[] signerAttrValues = signerAttr.getValues(); for (final Object signerAttrValue : signerAttrValues) { if (signerAttrValue instanceof AttributeCertificate) { if (roles == null) { roles = new ArrayList<CertifiedRole>(); } final AttributeCertificate attributeCertificate = (AttributeCertificate) signerAttrValue; final AttributeCertificateInfo acInfo = attributeCertificate.getAcinfo(); final AttCertValidityPeriod attrCertValidityPeriod = acInfo.getAttrCertValidityPeriod(); final ASN1Sequence attributes = acInfo.getAttributes(); for (int ii = 0; ii < attributes.size(); ii++) { final ASN1Encodable objectAt = attributes.getObjectAt(ii); final org.bouncycastle.asn1.x509.Attribute attribute = org.bouncycastle.asn1.x509.Attribute.getInstance(objectAt); final ASN1Set attrValues1 = attribute.getAttrValues(); DERSequence derSequence = (DERSequence) attrValues1.getObjectAt(0); RoleSyntax roleSyntax = RoleSyntax.getInstance(derSequence); CertifiedRole certifiedRole = new CertifiedRole(); certifiedRole.setRole(roleSyntax.getRoleNameAsString()); certifiedRole.setNotBefore(DSSASN1Utils.toDate(attrCertValidityPeriod.getNotBeforeTime())); certifiedRole.setNotAfter(DSSASN1Utils.toDate(attrCertValidityPeriod.getNotAfterTime())); roles.add(certifiedRole); } } } return roles; } catch (Exception e) { LOG.error("Error when dealing with certified signer roles: [" + asn1EncodableAttrValue.toString() + "]", e); return null; } }
public VOMSAttributeCertificate( String holderString , int holderSerialNumber , String issuerString , int productionSerial , long fromEpoch , long toEpoch , String[] fqans ) throws Exception { try { DEREncodableVector infoVector = new ASN1EncodableVector() ; this.setVersion() ; this.setHolder( holderString , holderSerialNumber ) ; this.setIssuer( issuerString ) ; this.setAlgorithmIdentifier() ; this.setSerialNumber( productionSerial ) ; this.setTimes( new Date ( fromEpoch ) , new Date( toEpoch ) ) ; this.setVOMSFQANs( fqans ) ; this.setExtensions() ; infoVector.add( version ) ; infoVector.add( holder ) ; infoVector.add( issuer ) ; infoVector.add( signature ) ; infoVector.add( serialNumber ) ; infoVector.add( attrCertValidityPeriod ) ; infoVector.add( attributes ) ; infoVector.add( extensions ) ; ASN1Sequence infoSequence = ASN1Sequence.getInstance( new DERSequence( infoVector ) ) ; this.acinfo = new AttributeCertificateInfo( infoSequence ) ; // Do it this way to match Vincenzo as much as possible // - rather than this way... this.signatureAlgorithm = new AlgorithmIdentifier( "1.2.840.113549.1.1.4" ) ; this.signatureAlgorithm = new AlgorithmIdentifier( new DERObjectIdentifier( "1.2.840.113549.1.1.4" ) , (DEREncodable)null ) ; this.signatureValue = new DERBitString( this.sign() ) ; this.ac = new AttributeCertificate( acinfo , signatureAlgorithm , signatureValue ) ; } catch( Exception e ) { // inspect?: throw e ; } }
