public int compare(Object o1, Object o2) { X509Certificate c1 = (X509Certificate) o1; X509Certificate c2 = (X509Certificate) o2; if (c1 == c2) // this deals with case where both are null { return 0; } if (c1 == null) // non-null is always bigger than null { return -1; } if (c2 == null) { return 1; } if (c1.equals(c2)) { return 0; } Date d1 = c1.getNotAfter(); Date d2 = c2.getNotAfter(); int c = d1.compareTo(d2); if (c == 0) { String s1 = JavaImpl.getSubjectX500(c1); String s2 = JavaImpl.getSubjectX500(c2); c = s1.compareTo(s2); if (c == 0) { s1 = JavaImpl.getIssuerX500(c1); s2 = JavaImpl.getIssuerX500(c2); c = s1.compareTo(s2); if (c == 0) { BigInteger big1 = c1.getSerialNumber(); BigInteger big2 = c2.getSerialNumber(); c = big1.compareTo(big2); if (c == 0) { try { byte[] b1 = c1.getEncoded(); byte[] b2 = c2.getEncoded(); int len1 = b1.length; int len2 = b2.length; int i = 0; for (; i < len1 && i < len2; i++) { c = ((int) b1[i]) - ((int) b2[i]); if (c != 0) { break; } } if (c == 0) { c = b1.length - b2.length; } } catch (CertificateEncodingException cee) { // I give up. They can be equal if they // really want to be this badly. c = 0; } } } } } return c; }
/** * Creates a new certificate ID instance (using SHA-1 digest calculator) for the specified subject * certificate serial number and issuer certificate. * * @param subjectSerialNumber the subject certificate serial number * @param issuer the issuer certificate * @return the certificate id * @throws Exception if the certificate if cannot be created */ public static CertificateID createCertId(BigInteger subjectSerialNumber, X509Certificate issuer) throws Exception { return new CertificateID( createDigestCalculator(SHA1_ID), new X509CertificateHolder(issuer.getEncoded()), subjectSerialNumber); }
public void ready(String name, PrivateKey unusedPrivateKey, X509Certificate certificate) { String status; try { vaadin.updateVariable("cert", printBase64Binary(certificate.getEncoded())); status = "Готово."; } catch (CertificateEncodingException e) { status = "Ошибка."; } ui.removeAll(); ui.add(new Label(name), BorderLayout.PAGE_START); ui.add(new Label(status), BorderLayout.CENTER); Button cancel = new Button("Отменить"); cancel.addActionListener( new ActionListener() { @Override public void actionPerformed(ActionEvent e) { loading(); } }); Panel buttons = new Panel(new BorderLayout(2, 2)); buttons.add(cancel, BorderLayout.LINE_START); ui.add(buttons, BorderLayout.PAGE_END); refresh(); }
public void checkRequestResponseIntegrity( SignatureRequestEncoder sreqenc, X509Certificate server_certificate) throws IOException { // The DocumentData object if (sreqenc.copy_data) { if (doc_data == null) bad("Missing DocumentData"); if (!sreqenc.document_data.equals(doc_data)) bad("DocumentData mismatch"); } else if (doc_data != null) bad("Unexpected DocumentData"); byte[] expected_fingerprint = null; if (server_certificate != null) { try { expected_fingerprint = HashAlgorithms.SHA256.digest(server_certificate.getEncoded()); } catch (GeneralSecurityException e) { throw new IOException(e); } } // For each candidate profile do a match try for (SignatureProfileEncoder spe : sreqenc.signature_profiles) { if (sign_prof_data.match( spe, sreqenc.document_data, sreqenc.document_references, sreqenc.certificate_filters, sreqenc.id, expected_fingerprint)) { return; } } throw new IOException("Mismatch between signature request and response"); }
public DEPExportFormat exportDEP() { try { // prepare data structures for DEP export // DEP exports are grouped according to the used signature certificate (CURRENTLY NOT USED IN // THE DEMO) HashMap<String, List<ReceiptPackage>> certificateToReceiptMap = new HashMap<>(); for (ReceiptPackage receiptPackage : receiptPackages) { X509Certificate signingCertificate = receiptPackage.getSigningCertificate(); List<ReceiptPackage> receiptPackagesForSignatureCertificate = certificateToReceiptMap.get(signingCertificate.getSerialNumber() + ""); if (receiptPackagesForSignatureCertificate == null) { receiptPackagesForSignatureCertificate = new ArrayList<>(); certificateToReceiptMap.put( signingCertificate.getSerialNumber() + "", receiptPackagesForSignatureCertificate); } receiptPackagesForSignatureCertificate.add(receiptPackage); } // create data structure for export format DEPExportFormat depExportFormat = new DEPExportFormat(); DEPBelegDump[] belegDump = new DEPBelegDump[certificateToReceiptMap.keySet().size()]; // store receipts in export format int dumpIndex = 0; for (List<ReceiptPackage> signedReceipts : certificateToReceiptMap.values()) { belegDump[dumpIndex] = new DEPBelegDump(); depExportFormat.setBelegPackage(belegDump); List<String> receiptsInJWSCompactRepresentation = new ArrayList<>(); for (ReceiptPackage receiptPackage : signedReceipts) { receiptsInJWSCompactRepresentation.add(receiptPackage.getJwsCompactRepresentation()); } belegDump[dumpIndex].setBelegeDaten( receiptsInJWSCompactRepresentation.toArray( new String[receiptsInJWSCompactRepresentation.size()])); String base64EncodedSignatureCertificate = CashBoxUtils.base64Encode( signedReceipts.get(0).getSigningCertificate().getEncoded(), false); belegDump[dumpIndex].setSignatureCertificate(base64EncodedSignatureCertificate); List<X509Certificate> base64EncodedCertificateChain = signedReceipts.get(0).getCertificateChain(); String[] certificateChain = new String[base64EncodedCertificateChain.size()]; for (int i = 0; i < base64EncodedCertificateChain.size(); i++) { X509Certificate base64EncodedChainCertificate = base64EncodedCertificateChain.get(i); certificateChain[i] = CashBoxUtils.base64Encode(base64EncodedChainCertificate.getEncoded(), false); } belegDump[dumpIndex].setCertificateChain(certificateChain); dumpIndex++; } return depExportFormat; } catch (CertificateEncodingException e) { e.printStackTrace(); } return null; }
protected PropertyDataObject generate( Collection<X509Certificate> certs, BaseCertRefsData certRefsData, QualifyingProperty prop) throws PropertyDataGenerationException { if (null == certs) { throw new PropertyDataGenerationException(prop, "certificates not provided"); } try { String digestAlgUri = this.algorithmsProvider.getDigestAlgorithmForReferenceProperties(); MessageDigest messageDigest = this.messageDigestProvider.getEngine(digestAlgUri); for (X509Certificate cert : certs) { // "DigestValue contains the base-64 encoded value of the digest // computed on the DER-encoded certificate." // The base-64 encoding is done by JAXB with the configured // adapter (Base64XmlAdapter). // For X509 certificates the encoded form return by getEncoded is DER. byte[] digestValue = messageDigest.digest(cert.getEncoded()); certRefsData.addCertRef( new CertRef( cert.getIssuerX500Principal().getName(), cert.getSerialNumber(), digestAlgUri, digestValue)); } return certRefsData; } catch (UnsupportedAlgorithmException ex) { throw new PropertyDataGenerationException(prop, ex.getMessage(), ex); } catch (CertificateEncodingException ex) { throw new PropertyDataGenerationException(prop, "cannot get encoded certificate", ex); } }
/** * Encode the CertPath using PKIPATH format. * * @return a byte array containing the binary encoding of the PkiPath object * @exception CertificateEncodingException if an exception occurs */ private byte[] encodePKIPATH() throws CertificateEncodingException { ListIterator<X509Certificate> li = certs.listIterator(certs.size()); try { DerOutputStream bytes = new DerOutputStream(); // encode certs in reverse order (trust anchor to target) // according to PkiPath format while (li.hasPrevious()) { X509Certificate cert = li.previous(); // check for duplicate cert if (certs.lastIndexOf(cert) != certs.indexOf(cert)) { throw new CertificateEncodingException("Duplicate Certificate"); } // get encoded certificates byte[] encoded = cert.getEncoded(); bytes.write(encoded); } // Wrap the data in a SEQUENCE DerOutputStream derout = new DerOutputStream(); derout.write(DerValue.tag_SequenceOf, bytes); return derout.toByteArray(); } catch (IOException ioe) { throw new CertificateEncodingException("IOException encoding " + "PkiPath data: " + ioe, ioe); } }
/** * Return a DERObject containing the encoded certificate. * * @param cert the X509Certificate object to be encoded * @return the DERObject */ private ASN1Primitive toASN1Object(X509Certificate cert) throws CertificateEncodingException { try { return new ASN1InputStream(cert.getEncoded()).readObject(); } catch (Exception e) { throw new CertificateEncodingException( "Exception while encoding certificate: " + e.toString()); } }
public static void testcaV3() throws Exception { KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048); KeyPair keyPair = kpg.generateKeyPair(); X509Certificate cer = buildCARootCertV3(keyPair); FileUtils.writeByteArrayToFile(new File("d:\\caV3.cer"), cer.getEncoded()); System.out.println(cer); }
/* Translate to encoded bytes */ private void emit(DerOutputStream out) throws IOException, CertificateEncodingException { DerOutputStream tagged = new DerOutputStream(); if (forward != null) { DerOutputStream tmp = new DerOutputStream(); tmp.putDerValue(new DerValue(forward.getEncoded())); tagged.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, TAG_FORWARD), tmp); } if (reverse != null) { DerOutputStream tmp = new DerOutputStream(); tmp.putDerValue(new DerValue(reverse.getEncoded())); tagged.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, TAG_REVERSE), tmp); } out.write(DerValue.tag_Sequence, tagged); }
@Override public String toConfigNode(X509Certificate object, ConfigProperty property, SavingContext ctx) throws ConfigurationException { try { return Base64.toBase64(object.getEncoded()); } catch (CertificateEncodingException e) { throw new ConfigurationException("Cannot encode X509 certificate", e); } }
public void testSHA1WithRSAStream() throws Exception { List certList = new ArrayList(); ByteArrayOutputStream bOut = new ByteArrayOutputStream(); certList.add(new X509CertificateHolder(keyCert.getEncoded())); DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().build(); CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); gen.addSignerInfoGenerator( new JcaSignerInfoGeneratorBuilder(digCalcProv) .build( new JcaContentSignerBuilder("SHA1withRSA").build(keyPair.getPrivate()), keyCert)); gen.addCertificates(new CollectionStore(certList)); OutputStream sigOut = gen.open(bOut); sigOut.write(TEST_MESSAGE.getBytes()); sigOut.close(); CMSSignedDataParser sp = new CMSSignedDataParser( digCalcProv, new CMSTypedStream(new ByteArrayInputStream(TEST_MESSAGE.getBytes())), bOut.toByteArray()); sp.getSignedContent().drain(); // // compute expected content digest // MessageDigest md = MessageDigest.getInstance("SHA1"); byte[] contentDigest = md.digest(TEST_MESSAGE.getBytes()); Store certStore = sp.getCertificates(); SignerInformationStore signers = sp.getSignerInfos(); Collection c = signers.getSigners(); Iterator it = c.iterator(); while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); Collection certCollection = certStore.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); X509CertificateHolder cert = (X509CertificateHolder) certIt.next(); assertEquals(true, signer.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert))); if (contentDigest != null) { assertTrue(MessageDigest.isEqual(contentDigest, signer.getContentDigest())); } } }
private static byte[] getEncoded(X509Certificate cert) throws IOException { if (cert != null) { try { return cert.getEncoded(); } catch (GeneralSecurityException gse) { throw new IOException("problem with encoding object in write_X509"); } } return new byte[] {'0', 0}; }
public static void exportCert(X509Certificate cert, String name, String path) throws Exception { File dir = new File(path); if (!dir.exists()) { dir.mkdir(); } File certFile = new File(path + File.separator + name + ".cer"); FileOutputStream fos = new FileOutputStream(certFile); fos.write(cert.getEncoded()); fos.close(); }
/** * Constructor XMLX509Certificate * * @param doc * @param x509certificate * @throws XMLSecurityException */ public XMLX509Certificate(Document doc, X509Certificate x509certificate) throws XMLSecurityException { super(doc); try { this.addBase64Text(x509certificate.getEncoded()); } catch (java.security.cert.CertificateEncodingException ex) { throw new XMLSecurityException("empty", ex); } }
private String getFingerprint(X509Certificate certificate) { try { MessageDigest sha1 = MessageDigest.getInstance("SHA1"); sha1.update(certificate.getEncoded()); return toHexString(sha1.digest()); } catch (NoSuchAlgorithmException e) { return "<Could not determine fingerprint>"; } catch (CertificateEncodingException e) { return "<Could not determine fingerprint>"; } }
private X509Certificate generateCertificate( PublicKey subjectPublicKey, String subjectDn, DateTime notBefore, DateTime notAfter, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey) throws Exception { X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); certificateGenerator.reset(); certificateGenerator.setPublicKey(subjectPublicKey); certificateGenerator.setSignatureAlgorithm("SHA1WithRSAEncryption"); certificateGenerator.setNotBefore(notBefore.toDate()); certificateGenerator.setNotAfter(notAfter.toDate()); X509Principal issuerDN; if (null != issuerCertificate) { issuerDN = new X509Principal(issuerCertificate.getSubjectX500Principal().toString()); } else { issuerDN = new X509Principal(subjectDn); } certificateGenerator.setIssuerDN(issuerDN); certificateGenerator.setSubjectDN(new X509Principal(subjectDn)); certificateGenerator.setSerialNumber(new BigInteger(128, new SecureRandom())); certificateGenerator.addExtension( X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subjectPublicKey)); PublicKey issuerPublicKey; if (null != issuerCertificate) { issuerPublicKey = issuerCertificate.getPublicKey(); } else { issuerPublicKey = subjectPublicKey; } certificateGenerator.addExtension( X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issuerPublicKey)); X509Certificate certificate; certificate = certificateGenerator.generate(issuerPrivateKey); /* * Next certificate factory trick is needed to make sure that the * certificate delivered to the caller is provided by the default * security provider instead of BouncyCastle. If we don't do this trick * we might run into trouble when trying to use the CertPath validator. */ CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); certificate = (X509Certificate) certificateFactory.generateCertificate( new ByteArrayInputStream(certificate.getEncoded())); return certificate; }
// Converts to javax.security public static javax.security.cert.X509Certificate convert( java.security.cert.X509Certificate cert) { try { byte[] encoded = cert.getEncoded(); return javax.security.cert.X509Certificate.getInstance(encoded); } catch (java.security.cert.CertificateEncodingException e) { } catch (javax.security.cert.CertificateEncodingException e) { } catch (javax.security.cert.CertificateException e) { } return null; }
private static String certHash(final X509Certificate cert, String digest) { try { MessageDigest md = MessageDigest.getInstance(digest); md.update(cert.getEncoded()); return hexString(md.digest()); } catch (java.security.cert.CertificateEncodingException e) { return e.getMessage(); } catch (java.security.NoSuchAlgorithmException e) { return e.getMessage(); } }
private static String getCertFingerprint(byte[] certData) { try { CertificateFactory x509CertFact = CertificateFactory.getInstance("X.509"); X509Certificate cert = (X509Certificate) x509CertFact.generateCertificate(new ByteArrayInputStream(certData)); MessageDigest md = MessageDigest.getInstance("SHA-1"); return toHexString(md.digest(cert.getEncoded())); } catch (CertificateException e) { throw new RuntimeException(e); } catch (NoSuchAlgorithmException e) { throw new RuntimeException(e); } }
public void testAES256CCM() throws Exception { byte[] data = "Eric H. Echidna".getBytes(); ASN1ObjectIdentifier macAlg = CMSAlgorithm.AES256_CCM; AlgorithmParameters algParams = AlgorithmParameters.getInstance("CCM", BC); algParams.init(new CCMParameters(Hex.decode("000102030405060708090a0b"), 16).getEncoded()); CMSAuthenticatedDataGenerator adGen = new CMSAuthenticatedDataGenerator(); X509CertificateHolder origCert = new X509CertificateHolder(_origCert.getEncoded()); adGen.setOriginatorInfo(new OriginatorInfoGenerator(origCert).generate()); adGen.addRecipientInfoGenerator( new JceKeyTransRecipientInfoGenerator(_reciCert).setProvider(BC)); CMSAuthenticatedData ad = adGen.generate( new CMSProcessableByteArray(data), new JceCMSMacCalculatorBuilder(macAlg) .setAlgorithmParameters(algParams) .setProvider(BC) .build()); assertTrue(ad.getOriginatorInfo().getCertificates().getMatches(null).contains(origCert)); RecipientInformationStore recipients = ad.getRecipientInfos(); assertEquals(ad.getMacAlgOID(), macAlg.getId()); Collection c = recipients.getRecipients(); assertEquals(1, c.size()); Iterator it = c.iterator(); while (it.hasNext()) { RecipientInformation recipient = (RecipientInformation) it.next(); assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); byte[] recData = recipient.getContent( new JceKeyTransAuthenticatedRecipient(_reciKP.getPrivate()).setProvider(BC)); assertTrue(Arrays.equals(data, recData)); assertEquals(16, ad.getMac().length); assertTrue(Arrays.equals(ad.getMac(), recipient.getMac())); } }
public static byte[] parseSignature(byte[] signature) { byte[] buffer = null; try { CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); X509Certificate cert = (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(signature)); buffer = cert.getEncoded(); } catch (Exception e) { e.printStackTrace(); } return buffer; }
private JAXBElement<BinarySecurityTokenType> createBinarySecurityToken(X509Certificate cert) throws Exception { BinarySecurityTokenType binarySecurityToken = new BinarySecurityTokenType(); binarySecurityToken.setValue(Base64.getMimeEncoder().encodeToString(cert.getEncoded())); binarySecurityToken.setValueType(X509TokenValidator.X509_V3_TYPE); binarySecurityToken.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary"); JAXBElement<BinarySecurityTokenType> tokenType = new JAXBElement<BinarySecurityTokenType>( QNameConstants.BINARY_SECURITY_TOKEN, BinarySecurityTokenType.class, binarySecurityToken); return tokenType; }
private static void appendThumbPrint(X509Certificate cert, String hash, StringBuilder sb) { try { MessageDigest md = MessageDigest.getInstance(hash); byte[] der = cert.getEncoded(); md.update(der); byte[] digest = md.digest(); char[] encode = Hex.encode(digest); appendHexSpace(encode, sb); } catch (NoSuchAlgorithmException e) { sb.append("Error calculating thumbprint: " + e.getMessage()); } catch (CertificateEncodingException e) { sb.append("Error calculating thumbprint: " + e.getMessage()); } }
public static void testcaV1() throws Exception { KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048); KeyPair keyPair = kpg.generateKeyPair(); X509Certificate cer = buildCARootCertV1(keyPair); System.out.println(cer); FileUtils.writeByteArrayToFile(new File("d:\\caV1cer.cer"), cer.getEncoded()); // 生成CA证书 byte[] publicBase64 = org.apache.commons.codec.binary.Base64.encodeBase64(cer.getEncoded(), true); String publicStr = new String(publicBase64, "UTF-8"); publicStr = PUBLIC_PREFIX + publicStr + PUBLIC_SUFFIX; System.out.println(publicStr); FileUtils.writeByteArrayToFile(new File("d:\\caV1cer.pem"), publicStr.getBytes("UTF-8")); // 生成CA私钥 byte[] privateBase64 = org.apache.commons.codec.binary.Base64.encodeBase64( keyPair.getPrivate().getEncoded(), true); String privateStr = new String(privateBase64, "UTF-8"); privateStr = PRIVATE_PREFIX + privateStr + PRIVATE_SUFFIX; System.out.println(privateStr); FileUtils.writeByteArrayToFile(new File("d:\\caV1key.pem"), privateStr.getBytes("UTF-8")); }
/** * Bounce the given {@link Signature} through a decode/encode cycle. * * @throws CertificateException if the before/after length differs substantially, usually a signal * of something fishy going on. * @hide */ public static Signature bounce(CertificateFactory cf, Signature s) throws CertificateException { final InputStream is = new ByteArrayInputStream(s.mSignature); final X509Certificate cert = (X509Certificate) cf.generateCertificate(is); final Signature sPrime = new Signature(cert.getEncoded()); if (Math.abs(sPrime.mSignature.length - s.mSignature.length) > 2) { throw new CertificateException( "Bounced cert length looks fishy; before " + s.mSignature.length + ", after " + sPrime.mSignature.length); } return sPrime; }
/** * Create dummy public key certificate. * * @param keyId key id * @param cn common name * @throws Exception if an error occurs */ @Command(description = "Create dummy public key certificate") public void dummyCert( @Param(name = "keyId", description = "Key ID") String keyId, @Param(name = "cn", description = "Common name") String cn) throws Exception { Calendar cal = GregorianCalendar.getInstance(); cal.add(Calendar.YEAR, -1); Date notBefore = cal.getTime(); cal.add(Calendar.YEAR, 2); Date notAfter = cal.getTime(); ClientId memberId = ClientId.create("FOO", "BAR", "BAZ"); GenerateSelfSignedCert request = new GenerateSelfSignedCert(keyId, cn, notBefore, notAfter, KeyUsageInfo.SIGNING, memberId); GenerateSelfSignedCertResponse response = SignerClient.execute(request); X509Certificate cert = readCertificate(response.getCertificateBytes()); System.out.println("Certificate base64:"); System.out.println(encodeBase64(cert.getEncoded())); bytesToFile(keyId + ".crt", cert.getEncoded()); base64ToFile(keyId + ".crt.b64", cert.getEncoded()); }
/** * Calculates the hash of the certificate known as the "thumbprint" and returns it as a string * representation. * * @param cert The certificate to hash. * @param algorithm The hash algorithm to use. * @return The SHA-1 hash of the certificate. * @throws CertificateException */ private static String getThumbprint(X509Certificate cert, String algorithm) throws CertificateException { MessageDigest digest; try { digest = MessageDigest.getInstance(algorithm); } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); } byte[] encodedCert = cert.getEncoded(); StringBuilder sb = new StringBuilder(encodedCert.length * 2); Formatter f = new Formatter(sb); try { for (byte b : digest.digest(encodedCert)) f.format("%02x", b); } finally { f.close(); } return sb.toString(); }
private byte[] getCertFingerprint(X509Certificate cert) { MessageDigest md; byte[] fingerprint = null; try { md = MessageDigest.getInstance("SHA1"); md.update(cert.getEncoded()); fingerprint = md.digest(); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (CertificateException e) { e.printStackTrace(); } return fingerprint; }
@Override protected Object doExecute() throws Exception { String base64Cert = null; X509Certificate signerCert = null; if (certFile != null) { signerCert = X509Util.parseCert(certFile); base64Cert = IoUtil.base64Encode(signerCert.getEncoded(), false); } if ("PKCS12".equalsIgnoreCase(signerType) || "JKS".equalsIgnoreCase(signerType)) { signerConf = ShellUtil.canonicalizeSignerConf(signerType, signerConf, passwordResolver); } CmpResponderEntry entry = new CmpResponderEntry(name, signerType, signerConf, base64Cert); boolean b = caManager.addCmpResponder(entry); output(b, "added", "could not add", "CMP responder " + name); return null; }