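/**
 * Connects through the parent factory and then pins the TLS peer: the session must present
 * exactly one X.509 certificate whose subject CN equals {@code caHostname}. The presented
 * certificate is recorded in {@code certificates}.
 *
 * @return the connected, verified socket (an {@link SSLSocket})
 * @throws IOException if the connection fails, the socket is not a TLS socket, the peer chain is
 *         not a single X.509 certificate, that certificate has no CN, or the CN differs from
 *         {@code caHostname}; the already-connected socket is closed before the exception
 *         propagates so it cannot leak
 */
@Override
public synchronized Socket connectSocket(int connectTimeout, Socket socket, HttpHost host,
        InetSocketAddress remoteAddress, InetSocketAddress localAddress, HttpContext context)
        throws IOException {
    Socket result = super.connectSocket(connectTimeout, socket, host, remoteAddress, localAddress, context);
    try {
        verifyPinnedPeer(result);
    } catch (IOException e) {
        // The parent already connected the socket; do not leak it when pinning fails.
        try {
            result.close();
        } catch (IOException closeFailure) {
            e.addSuppressed(closeFailure);
        }
        throw e;
    }
    return result;
}

/** Rejects {@code socket} unless it is a TLS socket presenting a single X.509 certificate with the pinned CN. */
private void verifyPinnedPeer(Socket socket) throws IOException {
    if (!(socket instanceof SSLSocket)) {
        throw new IOException("Expected tls socket");
    }
    SSLSocket sslSocket = (SSLSocket) socket;
    // getPeerCertificates() throws SSLPeerUnverifiedException (an IOException) if the peer was not authenticated.
    java.security.cert.Certificate[] peerCertificateChain = sslSocket.getSession().getPeerCertificates();
    if (peerCertificateChain.length != 1) {
        throw new IOException("Expected root ca cert");
    }
    if (!(peerCertificateChain[0] instanceof X509Certificate)) {
        throw new IOException("Expected root ca cert in X509 format");
    }
    X509Certificate certificate = (X509Certificate) peerCertificateChain[0];
    String cn;
    try {
        JcaX509CertificateHolder holder = new JcaX509CertificateHolder(certificate);
        if (holder.getSubject().getRDNs(BCStyle.CN).length == 0) {
            // Previously surfaced as an ArrayIndexOutOfBoundsException wrapped in IOException.
            throw new IOException("Expected root ca cert with a cn");
        }
        cn = IETFUtils.valueToString(holder.getSubject().getRDNs(BCStyle.CN)[0].getFirst().getValue());
        // NOTE(review): recorded before the CN comparison, as in the original; membership in this
        // list therefore does not by itself prove the pin matched — confirm callers do not assume so.
        certificates.add(certificate);
    } catch (IOException e) {
        throw e;
    } catch (Exception e) {
        throw new IOException(e);
    }
    if (!caHostname.equals(cn)) {
        throw new IOException("Expected cn of " + caHostname + " but got " + cn);
    }
}
}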
/**
 * Reports whether the server certificate must be regenerated: either no certificate is stored
 * under {@code CipherParams.CERTIFICATE_IDENTIFIER} in the user key store, or the stored
 * certificate's subject CN differs from {@code certificateCommonName}. The reason is logged at
 * INFO level when regeneration is needed.
 *
 * @param certificateCommonName the common name currently configured for the daemon
 * @return {@code true} if a new certificate has to be generated
 * @throws RuntimeException wrapping any key-store or certificate failure
 */
private boolean certificateCommonNameChanged(String certificateCommonName) {
    try {
        KeyStore userKeyStore = UserConfig.getUserKeyStore();
        X509Certificate storedCertificate =
                (X509Certificate) userKeyStore.getCertificate(CipherParams.CERTIFICATE_IDENTIFIER);
        if (storedCertificate == null) {
            logger.log(Level.INFO, "- Certificate regeneration necessary, because no certificate found in key store.");
            return true;
        }
        X500Name storedSubject = new JcaX509CertificateHolder(storedCertificate).getSubject();
        RDN storedCnRdn = storedSubject.getRDNs(BCStyle.CN)[0];
        String storedCn = IETFUtils.valueToString(storedCnRdn.getFirst().getValue());
        boolean changed = !certificateCommonName.equals(storedCn);
        if (changed) {
            logger.log(Level.INFO, "- Certificate regeneration necessary: Cert common name in daemon config changed from " + storedCn + " to " + certificateCommonName + ".");
        }
        return changed;
    } catch (Exception e) {
        throw new RuntimeException("Cannot (re-)generate server certificate for hostname: " + certificateCommonName, e);
    }
}
SignerInfoSignatureAlgorithmFinder.INSTANCE) .setDirectSignature(true) .build(signer, new JcaX509CertificateHolder(signerCert))); gen.addCertificates(certs);
public X509Certificate buildEndEntityCert(KeyPair keyPair, X509Certificate caCert, PrivateKey caPrivateKey, String hostname, String ipAddress, String crlPath, Integer ocspPort) throws Exception { X509CertificateHolder holder = new JcaX509CertificateHolder(caCert); ContentSigner signer =new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(caPrivateKey);
new JcaX509CertificateHolder(rootCertificate) }; ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC")
cn = CN_CACHE.get(cnKey); if (cn == null) { X500Name x500name = new JcaX509CertificateHolder( (X509Certificate) cp.bytesToCertificate(pemBytes)).getSubject(); RDN rdn = x500name.getRDNs(BCStyle.CN)[0];
new JcaX509CertificateHolder(issuerCertificate), certificateToCheck.getSerialNumber());
/**
 * Builds the attribute-certificate holder for {@code holderCert}, passing the certificate's
 * subject name and serial number to BC's {@code AttributeCertificateHolder(X500Name, BigInteger)}.
 *
 * @throws CertificateEncodingException if {@code holderCert} cannot be re-encoded
 */
private AttributeCertificateHolder buildHolder(X509Certificate holderCert) throws CertificateEncodingException {
    // NOTE(review): that BC constructor's first parameter is the issuer name of the base
    // certificate; the holder's *subject* is passed here as before — confirm this is intended.
    return new AttributeCertificateHolder(
            new JcaX509CertificateHolder(holderCert).getSubject(),
            holderCert.getSerialNumber());
}
/**
 * Builds the OCSP certificate identifier for the certificate with {@code serialNumber} issued by
 * {@code issuerCert}, using the digest named by {@code digestAlgorithmIdentifier}.
 *
 * @throws OperatorCreationException if no digest calculator exists for the algorithm
 * @throws CertificateEncodingException if {@code issuerCert} cannot be re-encoded
 * @throws OCSPException if the identifier cannot be assembled
 */
static CertificateID generateCertificateId(X509Certificate issuerCert, BigInteger serialNumber, AlgorithmIdentifier digestAlgorithmIdentifier) throws OperatorCreationException, CertificateEncodingException, OCSPException {
    JcaDigestCalculatorProviderBuilder digestProviderBuilder = new JcaDigestCalculatorProviderBuilder();
    return new CertificateID(
            digestProviderBuilder.build().get(digestAlgorithmIdentifier),
            new JcaX509CertificateHolder(issuerCert),
            serialNumber);
}
/**
 * Builds the OCSP certificate identifier for the certificate with {@code serialNumber} issued by
 * {@code issuerCert}, using the digest named by {@code digestAlgorithmIdentifier}.
 *
 * @throws OperatorCreationException if no digest calculator exists for the algorithm
 * @throws CertificateEncodingException if {@code issuerCert} cannot be re-encoded
 * @throws OCSPException if the identifier cannot be assembled
 */
static CertificateID generateCertificateId(X509Certificate issuerCert, BigInteger serialNumber, AlgorithmIdentifier digestAlgorithmIdentifier) throws OperatorCreationException, CertificateEncodingException, OCSPException {
    JcaDigestCalculatorProviderBuilder digestProviderBuilder = new JcaDigestCalculatorProviderBuilder();
    return new CertificateID(
            digestProviderBuilder.build().get(digestAlgorithmIdentifier),
            new JcaX509CertificateHolder(issuerCert),
            serialNumber);
}
/**
 * Builds the attribute-certificate issuer from the subject name of the attribute authority's
 * certificate ({@code aaCredential.getCertificate()}).
 *
 * @throws CertificateEncodingException if the AA certificate cannot be re-encoded
 */
private AttributeCertificateIssuer buildIssuer() throws CertificateEncodingException {
    return new AttributeCertificateIssuer(
            new JcaX509CertificateHolder(aaCredential.getCertificate()).getSubject());
}
/**
 * Builds the OCSP certificate identifier for the certificate with {@code serialNumber} issued by
 * {@code issuerCert}; {@code identifier} names the digest algorithm (encoded with NULL parameters).
 *
 * @throws OperatorCreationException if no digest calculator exists for the algorithm
 * @throws CertificateEncodingException if {@code issuerCert} cannot be re-encoded
 * @throws OCSPException if the identifier cannot be assembled
 */
static CertificateID generateCertificateId(X509Certificate issuerCert, BigInteger serialNumber, ASN1ObjectIdentifier identifier) throws OperatorCreationException, CertificateEncodingException, OCSPException {
    AlgorithmIdentifier digestAlgorithm = new AlgorithmIdentifier(identifier, DERNull.INSTANCE);
    JcaDigestCalculatorProviderBuilder digestProviderBuilder = new JcaDigestCalculatorProviderBuilder();
    return new CertificateID(
            digestProviderBuilder.build().get(digestAlgorithm),
            new JcaX509CertificateHolder(issuerCert),
            serialNumber);
}
/**
 * Builds the OCSP certificate identifier for the certificate with {@code serialNumber} issued by
 * {@code issuerCert}; {@code identifier} names the digest algorithm (encoded with NULL parameters).
 *
 * @throws OperatorCreationException if no digest calculator exists for the algorithm
 * @throws CertificateEncodingException if {@code issuerCert} cannot be re-encoded
 * @throws OCSPException if the identifier cannot be assembled
 */
static CertificateID generateCertificateId(X509Certificate issuerCert, BigInteger serialNumber, ASN1ObjectIdentifier identifier) throws OperatorCreationException, CertificateEncodingException, OCSPException {
    AlgorithmIdentifier digestAlgorithm = new AlgorithmIdentifier(identifier, DERNull.INSTANCE);
    JcaDigestCalculatorProviderBuilder digestProviderBuilder = new JcaDigestCalculatorProviderBuilder();
    return new CertificateID(
            digestProviderBuilder.build().get(digestAlgorithm),
            new JcaX509CertificateHolder(issuerCert),
            serialNumber);
}
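/**
 * Returns the first common name (CN) of {@code cert}'s subject, in the string form produced by
 * {@code IETFUtils.valueToString}. Only the first CN attribute is consulted.
 *
 * @throws GeneralSecurityException if the certificate cannot be re-encoded or its subject
 *         carries no CN attribute
 */
public String extractCN(X509Certificate cert) throws GeneralSecurityException {
    X500Name x500name = new JcaX509CertificateHolder(cert).getSubject();
    RDN[] cnRdns = x500name.getRDNs(BCStyle.CN);
    if (cnRdns.length == 0) {
        // Previously an ArrayIndexOutOfBoundsException escaped here; report under the declared contract.
        throw new GeneralSecurityException("Certificate subject has no CN: " + x500name);
    }
    return IETFUtils.valueToString(cnRdns[0].getFirst().getValue());
}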
/**
 * Verifies the signature on the VOMS attribute certificate in {@code attributes} against the
 * public key of {@code cert}, using BC's RSA content verifier.
 *
 * @return whether the AC signature is valid under {@code cert}'s key
 * @throws VOMSError wrapping any failure while building the verifier or checking the signature
 */
private boolean verifyACSignature(VOMSAttribute attributes, X509Certificate cert) {
    try {
        X509CertificateHolder signerHolder = new JcaX509CertificateHolder(cert);
        BcRSAContentVerifierProviderBuilder verifierBuilder =
                new BcRSAContentVerifierProviderBuilder(new DefaultDigestAlgorithmIdentifierFinder());
        ContentVerifierProvider verifier = verifierBuilder.build(signerHolder);
        return attributes.getVOMSAC().isSignatureValid(verifier);
    } catch (Exception e) {
        throw new VOMSError("Error verifying AC signature: " + e.getMessage(), e);
    }
}
}
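/**
 * Returns the value of the first subject attribute of {@code cert} whose type is
 * {@code identifier}, in the string form produced by {@code IETFUtils.valueToString}.
 *
 * @throws CertificateEncodingException if {@code cert} cannot be re-encoded
 * @throws IllegalArgumentException if the subject has no attribute of that type (previously an
 *         ArrayIndexOutOfBoundsException)
 */
private static String getValueByObjectIdentifier(X509Certificate cert, ASN1ObjectIdentifier identifier) throws CertificateEncodingException {
    X500Name x500name = new JcaX509CertificateHolder(cert).getSubject();
    RDN[] matches = x500name.getRDNs(identifier);
    if (matches.length == 0) {
        throw new IllegalArgumentException(
                "Subject " + x500name + " has no attribute with OID " + identifier.getId());
    }
    return IETFUtils.valueToString(matches[0].getFirst().getValue());
}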
/**
 * Checks whether {@code cert}'s signature verifies under its own public key. A verifier failure
 * whose cause is a {@link SignatureException} is logged and reported as "not self-signed";
 * any other failure is wrapped in {@link ClientException}.
 *
 * @throws ClientException if the verifier cannot be built or fails for a non-signature reason
 */
private boolean isSelfSigned(final X509Certificate cert) throws ClientException {
    try {
        JcaX509CertificateHolder holder = new JcaX509CertificateHolder(cert);
        ContentVerifierProvider selfVerifier = new JcaContentVerifierProviderBuilder().build(holder);
        return holder.isSignatureValid(selfVerifier);
    } catch (RuntimeOperatorException e) {
        boolean signatureMismatch = e.getCause() instanceof SignatureException;
        if (!signatureMismatch) {
            throw new ClientException(e);
        }
        LOGGER.warn("SignatureException detected so we consider that the certificate is not self signed");
        return false;
    } catch (Exception e) {
        throw new ClientException(e);
    }
}
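/**
 * Checks whether the OCSP responder certificate's subject CN (the first CN attribute only) is in
 * the configured allow-list {@code configuration.getAllowedOcspRespondersForTM()}.
 *
 * @return {@code false} for a null certificate or one without a CN; otherwise the allow-list result
 * @throws DigiDoc4JException if the certificate cannot be re-encoded
 */
private boolean isOcspResponderCommonNameValid(X509Cert ocspCertificate) {
    if (ocspCertificate == null) {
        return false;
    }
    try {
        X500Name x500name = new JcaX509CertificateHolder(ocspCertificate.getX509Certificate()).getSubject();
        RDN[] cnRdns = x500name.getRDNs(BCStyle.CN);
        if (cnRdns.length == 0) {
            // No CN can never match an allow-listed name; previously this threw ArrayIndexOutOfBoundsException.
            return false;
        }
        String commonName = IETFUtils.valueToString(cnRdns[0].getFirst().getValue());
        return configuration.getAllowedOcspRespondersForTM().contains(commonName);
    } catch (CertificateEncodingException e) {
        throw new DigiDoc4JException("OCSP certificate encoding failed ", e);
    }
}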
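/**
 * Validates a client certificate chain, using the leaf certificate's subject CN as the client's
 * hostname when delegating to {@code checkTrusted}.
 *
 * @throws IllegalArgumentException if {@code chain} is null or empty, as the trust-manager
 *         contract requires (previously an ArrayIndexOutOfBoundsException)
 * @throws CertificateException if the leaf cannot be re-encoded, has no CN, or is not trusted
 */
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
    if (chain == null || chain.length == 0) {
        throw new IllegalArgumentException("Client certificate chain is null or empty");
    }
    X509Certificate cert = chain[0];
    X500Name x500name = new JcaX509CertificateHolder(cert).getSubject();
    RDN[] cnRdns = x500name.getRDNs(BCStyle.CN);
    if (cnRdns.length == 0) {
        throw new CertificateException("Client certificate subject has no CN: " + x500name);
    }
    String hostname = IETFUtils.valueToString(cnRdns[0].getFirst().getValue());
    checkTrusted(chain, hostname);
}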
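/**
 * Validates a client certificate chain, using the leaf certificate's subject CN as the client's
 * hostname when delegating to {@code checkTrusted}.
 *
 * @throws IllegalArgumentException if {@code chain} is null or empty, as the trust-manager
 *         contract requires (previously an ArrayIndexOutOfBoundsException)
 * @throws CertificateException if the leaf cannot be re-encoded, has no CN, or is not trusted
 */
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
    if (chain == null || chain.length == 0) {
        throw new IllegalArgumentException("Client certificate chain is null or empty");
    }
    X509Certificate cert = chain[0];
    X500Name x500name = new JcaX509CertificateHolder(cert).getSubject();
    RDN[] cnRdns = x500name.getRDNs(BCStyle.CN);
    if (cnRdns.length == 0) {
        throw new CertificateException("Client certificate subject has no CN: " + x500name);
    }
    String hostname = IETFUtils.valueToString(cnRdns[0].getFirst().getValue());
    checkTrusted(chain, hostname);
}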