private static X509CertificateHolder makeV3Certificate(
KeyPair subKP, String _subDN, KeyPair issKP, String _issDN)
throws GeneralSecurityException, IOException, OperatorCreationException, CertException {
PublicKey subPub = subKP.getPublic();
PrivateKey issPriv = issKP.getPrivate();
PublicKey issPub = issKP.getPublic();
X509v3CertificateBuilder v1CertGen =
new JcaX509v3CertificateBuilder(
new X500Name(_issDN),
BigInteger.valueOf(System.currentTimeMillis()),
new Date(System.currentTimeMillis()),
new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 100)),
new X500Name(_subDN),
subPub);
ContentSigner signer =
new JcaContentSignerBuilder("SHA1WithRSA").setProvider(BC).build(issPriv);
X509CertificateHolder certHolder = v1CertGen.build(signer);
ContentVerifierProvider verifier =
new JcaContentVerifierProviderBuilder().setProvider(BC).build(issPub);
assertTrue(certHolder.isSignatureValid(verifier));
return certHolder;
}
private SignatureData getFromCmsSignature(
SignatureVerificationRequest signatureVerificationRequest,
SignatureVerificationResponse response)
throws CMSException {
String signature = signatureVerificationRequest.getSignature();
byte[] decoded = Base64.decode(signature);
CMSSignedData cmsSignedData = new CMSSignedData(decoded);
String encodedSignedData = new String((byte[]) cmsSignedData.getSignedContent().getContent());
// Fetch information about the issuers
List<String> certInfos = new ArrayList<String>();
Collection certificates = cmsSignedData.getCertificates().getMatches(null);
for (Object certificate : certificates) {
X509CertificateHolder holder = (X509CertificateHolder) certificate;
certInfos.add(holder.getSubject().toString());
CertificateInfo ci = new CertificateInfo();
ci.setSubjectDn(holder.getSubject().toString());
ci.setValidTo(simpleDateFormat.format(holder.getNotAfter()));
response.getCertificateInfos().getCertificateInfo().add(ci);
}
// Fetch timestamp
Date signingDate = findTimestamp(cmsSignedData);
String dateString = simpleDateFormat.format(signingDate);
response.setSignatureDate(dateString);
// Create the SignatureData to be verified
SignatureData signData = new SignatureData();
signData.setEncodedTbs(encodedSignedData);
signData.setSignature(signature);
ELegType clientType = new ELegType("test", "test", PkiClient.NETMAKER_NETID_4);
signData.setClientType(clientType);
return signData;
}
@Before
public void setup()
throws JAXBException, IOException, ProfileException, CertificateEncodingException,
NoSuchAlgorithmException {
X509CertificateHolder x509CertificateHolder =
new JcaX509CertificateHolder(generatePKI.getCaCert());
if (profiles == null)
profiles =
new ProfilesJAXB(
getClass().getResourceAsStream("/PrivateKey.xml"),
x509CertificateHolder.toASN1Structure());
}
public Certificate getSignerCertificate() {
try {
Collection certificateCollection =
cmsSignedData.getCertificates().getMatches(firstSignerInfo.getSID());
Iterator iterator = certificateCollection.iterator();
X509CertificateHolder certHolder = (X509CertificateHolder) iterator.next();
return CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME)
.generateCertificate(new ByteArrayInputStream(certHolder.getEncoded()));
} catch (Exception e) {
log.error(Channel.TECH, "Could not extract signer certificate from CMS signature : %1$s", e);
}
return null;
}
@Override
protected Object _doExecute() throws Exception {
EnrollCertRequestType request = new EnrollCertRequestType(EnrollCertRequestType.Type.CERT_REQ);
CertTemplateBuilder certTemplateBuilder = new CertTemplateBuilder();
ConcurrentContentSigner signer =
getSigner(hashAlgo, new SignatureAlgoControl(rsaMgf1, dsaPlain));
X509CertificateHolder ssCert = signer.getCertificateAsBCObject();
X500Name x500Subject = subject == null ? ssCert.getSubject() : new X500Name(subject);
certTemplateBuilder.setSubject(x500Subject);
certTemplateBuilder.setPublicKey(ssCert.getSubjectPublicKeyInfo());
CertRequest certReq = new CertRequest(1, certTemplateBuilder.build(), null);
ProofOfPossessionSigningKeyBuilder popoBuilder =
new ProofOfPossessionSigningKeyBuilder(certReq);
ContentSigner contentSigner = signer.borrowContentSigner();
POPOSigningKey popoSk;
try {
popoSk = popoBuilder.build(contentSigner);
} finally {
signer.returnContentSigner(contentSigner);
}
ProofOfPossession popo = new ProofOfPossession(popoSk);
EnrollCertRequestEntryType reqEntry =
new EnrollCertRequestEntryType("id-1", profile, certReq, popo);
request.addRequestEntry(reqEntry);
EnrollCertResult result;
RequestResponseDebug debug = getRequestResponseDebug();
try {
result = caClient.requestCerts(request, caName, user, debug);
} finally {
saveRequestResponse(debug);
}
X509Certificate cert = null;
if (result != null) {
String id = result.getAllIds().iterator().next();
CertOrError certOrError = result.getCertificateOrError(id);
cert = (X509Certificate) certOrError.getCertificate();
}
if (cert != null) {
throw new CmdFailure("no certificate is excepted, but received one");
}
return null;
}
public static void checkOrCreateKeyStore(
final String file, final String password, final String domainName)
throws IllegalArgumentException, OperatorCreationException {
final String hostname;
if ("0.0.0.0".equals(domainName)) {
hostname = "localhost";
} else {
hostname = domainName;
}
try {
KeyStore ks = KeyStore.getInstance("JKS");
File keyStoreFile = new File(file);
if (!keyStoreFile.exists()) {
keyStoreFile.createNewFile();
ks.load(null, null);
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
KeyPair KPair = keyPairGenerator.generateKeyPair();
X509v3CertificateBuilder v3CertGen =
new X509v3CertificateBuilder(
new X500Name("CN=" + hostname + ", OU=None, O=None L=None, C=None"),
BigInteger.valueOf(System.currentTimeMillis()),
new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30),
new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365 * 10)),
new X500Name("CN=" + hostname + ", OU=None, O=None L=None, C=None"),
SubjectPublicKeyInfo.getInstance(KPair.getPublic().getEncoded()));
AlgorithmIdentifier sigAlgId =
new DefaultSignatureAlgorithmIdentifierFinder().find("SHA512withRSA");
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(KPair.getPrivate().getEncoded());
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(foo);
X509CertificateHolder PKCertificateHolder = v3CertGen.build(sigGen);
X509CertificateStructure eeX509CertificateStructure = PKCertificateHolder.toASN1Structure();
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
X509Certificate cert;
try (InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded())) {
cert = (X509Certificate) cf.generateCertificate(is1);
}
ks.setKeyEntry(
"siesta",
KPair.getPrivate(),
password.toCharArray(),
new java.security.cert.Certificate[] {cert});
ks.store(new FileOutputStream(file), password.toCharArray());
}
} catch (GeneralSecurityException | IOException | IllegalStateException ex) {
throw new IllegalArgumentException("Error creating keystore, please manually create one", ex);
}
}
/**
* Verify that the given verifier can successfully verify the signature on this SignerInformation
* object.
*
* @param verifier a suitably configured SignerInformationVerifier.
* @return true if the signer information is verified, false otherwise.
* @throws org.bouncycastle.cms.CMSVerifierCertificateNotValidException if the provider has an
* associated certificate and the certificate is not valid at the time given as the
* SignerInfo's signing time.
* @throws org.bouncycastle.cms.CMSException if the verifier is unable to create a
* ContentVerifiers or DigestCalculators.
*/
public boolean verify(SignerInformationVerifier verifier) throws CMSException {
Time signingTime = getSigningTime(); // has to be validated if present.
if (verifier.hasAssociatedCertificate()) {
if (signingTime != null) {
X509CertificateHolder dcv = verifier.getAssociatedCertificate();
if (!dcv.isValidOn(signingTime.getDate())) {
throw new CMSVerifierCertificateNotValidException("verifier not valid at signingTime");
}
}
}
return doVerify(verifier);
}
// controlla che nel firmatario sia presente l'attributo ESSCertIDv2 e che esso sia valido
// in questo caso la busta crittografica è espressa correttamente nel formato CADES-BES secondo
// la DELIBERAZIONE ministeriale del N . 45 DEL 21 MAGGIO 2009
private boolean isLegallySigned(SignerInformation signer, X509CertificateHolder cert)
throws FirmapiuException, NoSuchAlgorithmException, IOException {
AttributeTable signAttr = signer.getSignedAttributes();
if (signAttr == null) throw new FirmapiuException(VERIFY_SIGNER_SIGNINGATTRIBUTE_NOTFOUND);
Attribute attr = signAttr.get(PKCSObjectIdentifiers.id_aa_signingCertificateV2);
if (attr == null) throw new FirmapiuException(VERIFY_SIGNER_SIGNINGATTRIBUTE_NOTFOUND);
ASN1Sequence sequence = ASN1Sequence.getInstance(attr.getAttrValues().getObjectAt(0));
SigningCertificateV2 scv2 = SigningCertificateV2.getInstance(sequence);
ESSCertIDv2[] essCert = scv2.getCerts();
if (essCert == null || essCert.length < 1)
throw new FirmapiuException(VERIFY_SIGNER_SIGNINGATTRIBUTE_NOTFOUND);
// controlla l'hash del certificato se si restituisce true se no restituisce no
// aggiungere hash del certificato di sottoscrizione
String digestAlgorithm = "SHA-256";
MessageDigest sha = null;
sha = MessageDigest.getInstance(digestAlgorithm);
byte[] digestedCert = sha.digest(cert.getEncoded());
byte[] essCertHash = essCert[0].getCertHash();
// affinché la firma sia valida digestCert e essCertHash devono essere uguali
if (digestedCert.length != essCertHash.length) return false;
else {
for (int i = 0; i < digestedCert.length; i++)
if (digestedCert[i] != essCertHash[i]) {
return false;
}
return true;
} // fine if
} // fine metodo
public List<Certificate> getSignatureCertificateInfo() {
try {
Store certificateStore = cmsSignedData.getCertificates();
Collection<X509CertificateHolder> certificateCollection = certificateStore.getMatches(null);
List<Certificate> x509CertsCollection =
new ArrayList<Certificate>(certificateCollection.size());
for (X509CertificateHolder certHolder : certificateCollection) {
x509CertsCollection.add(
CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME)
.generateCertificate(new ByteArrayInputStream(certHolder.getEncoded())));
}
return x509CertsCollection;
} catch (Exception e) {
ExceptionHandlerTyped.<SPISignatureException>handle(SPISignatureException.class, e);
}
return null;
}
/**
* This method returns DER encoded array of bytes representing {@code X509Certificate} for given
* {@code X509CertificateHolder}. The {@code IOException} is transformed in {@code DSSException}.
*
* @param certificateHolder {@code X509CertificateHolder}
* @return DER encoded array of bytes representing {@code X509Certificate}.
* @throws DSSException
*/
public static byte[] getCertificateDEREncoded(final X509CertificateHolder certificateHolder)
throws DSSException {
try {
final byte[] bytes = certificateHolder.getEncoded();
return bytes;
} catch (IOException e) {
throw new DSSException(e);
}
}
/**
* This method return {@code X509Certificate} representing {@code X509CertificateHolder}. The
* {@code CertificateParsingException} is transformed in {@code DSSException}.
*
* @param certificateHolder {@code X509CertificateHolder}
* @return {@code X509Certificate}.
* @throws DSSException
*/
public static X509Certificate getCertificate(final X509CertificateHolder certificateHolder)
throws DSSException {
try {
final X509Certificate certificate =
new X509CertificateObject(certificateHolder.toASN1Structure());
return certificate;
} catch (CertificateParsingException e) {
throw new DSSException(e);
}
}
public boolean isVerified(
X509CertificateHolder certHolder, DigestCalculatorProvider digesterProvider)
throws CMPException {
AlgorithmIdentifier digAlg =
digestAlgFinder.find(certHolder.toASN1Structure().getSignatureAlgorithm());
if (digAlg == null) {
throw new CMPException("cannot find algorithm for digest from signature");
}
DigestCalculator digester;
try {
digester = digesterProvider.get(digAlg);
} catch (OperatorCreationException e) {
throw new CMPException("unable to create digester: " + e.getMessage(), e);
}
CMPUtil.derEncodeToStream(certHolder.toASN1Structure(), digester.getOutputStream());
return Arrays.areEqual(certStatus.getCertHash().getOctets(), digester.getDigest());
}
public X509Certificate convertCertificate(X509CertificateHolder certHolder)
throws CertificateException {
try {
CertificateFactory certFact = helper.createCertificateFactory("X.509");
return (X509Certificate)
certFact.generateCertificate(new ByteArrayInputStream(certHolder.getEncoded()));
} catch (IOException e) {
throw new OpCertificateException(
"cannot get encoded form of certificate: " + e.getMessage(), e);
} catch (NoSuchAlgorithmException e) {
throw new OpCertificateException("cannot create certificate factory: " + e.getMessage(), e);
} catch (NoSuchProviderException e) {
throw new OpCertificateException("cannot find factory provider: " + e.getMessage(), e);
}
}
/**
* Basic Constructor - set up a calculator based on signerInfoGen with a ESSCertID calculated from
* the signer's associated certificate using the sha1DigestCalculator. If alternate values are
* required for id-aa-signingCertificate they should be added to the signerInfoGen object before
* it is passed in, otherwise a standard digest based value will be added.
*
* @param signerInfoGen the generator for the signer we are using.
* @param digestCalculator calculator for to use for digest of certificate.
* @param tsaPolicy tasPolicy to send.
* @param isIssuerSerialIncluded should issuerSerial be included in the ESSCertIDs, true if yes,
* by default false.
* @throws IllegalArgumentException if calculator is not SHA-1 or there is no associated
* certificate for the signer,
* @throws TSPException if the signer certificate cannot be processed.
*/
public TimeStampTokenGenerator(
final SignerInfoGenerator signerInfoGen,
DigestCalculator digestCalculator,
ASN1ObjectIdentifier tsaPolicy,
boolean isIssuerSerialIncluded)
throws IllegalArgumentException, TSPException {
this.signerInfoGen = signerInfoGen;
this.tsaPolicyOID = tsaPolicy;
if (!signerInfoGen.hasAssociatedCertificate()) {
throw new IllegalArgumentException("SignerInfoGenerator must have an associated certificate");
}
X509CertificateHolder assocCert = signerInfoGen.getAssociatedCertificate();
TSPUtil.validateCertificate(assocCert);
try {
OutputStream dOut = digestCalculator.getOutputStream();
dOut.write(assocCert.getEncoded());
dOut.close();
if (digestCalculator
.getAlgorithmIdentifier()
.getAlgorithm()
.equals(OIWObjectIdentifiers.idSHA1)) {
final ESSCertID essCertid =
new ESSCertID(
digestCalculator.getDigest(),
isIssuerSerialIncluded
? new IssuerSerial(
new GeneralNames(new GeneralName(assocCert.getIssuer())),
assocCert.getSerialNumber())
: null);
this.signerInfoGen =
new SignerInfoGenerator(
signerInfoGen,
new CMSAttributeTableGenerator() {
public AttributeTable getAttributes(Map parameters)
throws CMSAttributeTableGenerationException {
AttributeTable table =
signerInfoGen.getSignedAttributeTableGenerator().getAttributes(parameters);
if (table.get(PKCSObjectIdentifiers.id_aa_signingCertificate) == null) {
return table.add(
PKCSObjectIdentifiers.id_aa_signingCertificate,
new SigningCertificate(essCertid));
}
return table;
}
},
signerInfoGen.getUnsignedAttributeTableGenerator());
} else {
AlgorithmIdentifier digAlgID =
new AlgorithmIdentifier(digestCalculator.getAlgorithmIdentifier().getAlgorithm());
final ESSCertIDv2 essCertid =
new ESSCertIDv2(
digAlgID,
digestCalculator.getDigest(),
isIssuerSerialIncluded
? new IssuerSerial(
new GeneralNames(new GeneralName(assocCert.getIssuer())),
new ASN1Integer(assocCert.getSerialNumber()))
: null);
this.signerInfoGen =
new SignerInfoGenerator(
signerInfoGen,
new CMSAttributeTableGenerator() {
public AttributeTable getAttributes(Map parameters)
throws CMSAttributeTableGenerationException {
AttributeTable table =
signerInfoGen.getSignedAttributeTableGenerator().getAttributes(parameters);
if (table.get(PKCSObjectIdentifiers.id_aa_signingCertificateV2) == null) {
return table.add(
PKCSObjectIdentifiers.id_aa_signingCertificateV2,
new SigningCertificateV2(essCertid));
}
return table;
}
},
signerInfoGen.getUnsignedAttributeTableGenerator());
}
} catch (IOException e) {
throw new TSPException("Exception processing certificate.", e);
}
}
public PKCS12SafeBagBuilder(X509CertificateHolder certificate) throws IOException {
this(certificate.toASN1Structure());
}
