Package org.ejbca.cvc

Examples of org.ejbca.cvc.CVCertificate


          }
          //CAReferenceField caRef = new CAReferenceField(country,mnemonic,sequence);
          CAReferenceField caRef = null; // Don't create a caRef in the self signed request
          // We are making a self signed request, so holder ref is same as ca ref
          HolderReferenceField holderRef = new HolderReferenceField(country,mnemonic,sequence);
          CVCertificate request = CertificateGenerator.createRequest(keyPair, signatureAlg, caRef, holderRef);
          byte[] der = request.getDEREncoded();
          if (authSignKeyFile != null) {
            getPrintStream().println("Reading private key from pkcs8 file "+authSignKeyFile+" to create an authenticated request");
            byte[] keybytes = FileTools.readFiletoBuffer(authSignKeyFile);
                KeyFactory keyfact = KeyFactory.getInstance(keytype, "BC");
                PrivateKey privKey = keyfact.generatePrivate(new PKCS8EncodedKeySpec(keybytes));
                KeyPair authKeyPair = new KeyPair(null, privKey); // We don't need the public key
                // Default caRef if we do not pass in a certificate to get caRef from
            CAReferenceField authCaRef = new CAReferenceField(country,mnemonic,sequence);
            CVCertificate authCert = null;
            if (authSignCertFile != null) {
              getPrintStream().println("Reading cert from cvcert file "+authSignCertFile+" to create an authenticated request");             
              CVCObject parsedObject = CvcPrintCommand.getCVCObject(authSignCertFile);
              authCert = (CVCertificate)parsedObject;
              String c = authCert.getCertificateBody().getHolderReference().getCountry();
              String m = authCert.getCertificateBody().getHolderReference().getMnemonic();
              String s = authCert.getCertificateBody().getHolderReference().getSequence();
              authCaRef = new CAReferenceField(c, m, s);
            }
            CVCAuthenticatedRequest authRequest = CertificateGenerator.createAuthenticatedRequest(request, authKeyPair, signatureAlg, authCaRef);
            // Test to verify it yourself first
            if (authCert != null) {
              getPrintStream().println("Verifying the request before sending it...");
              PublicKey pk = KeyTools.getECPublicKeyWithParams(authCert.getCertificateBody().getPublicKey(), keySpec);
              authRequest.verify(pk);             
            }
            der = authRequest.getDEREncoded();           
          }
          cvcreq = new String(Base64.encode(der));
          // Print the generated request to file
          FileOutputStream fos = new FileOutputStream(basefilename+".cvreq");
          fos.write(der);
          fos.close();         
          getPrintStream().println("Wrote binary request to: "+basefilename+".cvreq");
          fos = new FileOutputStream(basefilename+".pkcs8");
          fos.write(keyPair.getPrivate().getEncoded());
          fos.close();         
          getPrintStream().println("Wrote private key in "+keyPair.getPrivate().getFormat()+" format to to: "+basefilename+".pkcs8");
        } else {
          // Read request from file
          getPrintStream().println("Reading request from filename: "+basefilename+".cvreq");
          byte[] der = FileTools.readFiletoBuffer(basefilename+".cvreq");
          cvcreq = new String(Base64.encode(der));
        }
       
        // Edit a user, creating it if it does not exist
        // Actually don't do that, leverage the existing commands and force to use the editUser command instead.
        // This also makes this CLI exactly represent the actual WS-API call
        // getEjbcaRAWS().editUser(userdata);
       
        getPrintStream().println("Submitting CVC request for user '"+username+"'.");
        getPrintStream().println();             
        // Use the request and request a certificate
        List<Certificate> resp = getEjbcaRAWS().cvcRequest(username, userpassword, cvcreq);

        // Handle the response
        Certificate cert = resp.get(0);
        byte[] b64cert = cert.getCertificateData();
        CVCObject parsedObject = CertificateParser.parseCertificate(Base64.decode(b64cert));
        CVCertificate cvcert = (CVCertificate)parsedObject;
        FileOutputStream fos = new FileOutputStream(basefilename+".cvcert");
        fos.write(cvcert.getDEREncoded());
        fos.close();
        getPrintStream().println("Wrote binary certificate to: "+basefilename+".cvcert");
        getPrintStream().println("You can look at the certificate with the command cvcwscli.sh cvcprint "+basefilename+".cvcert");
      }catch(AuthorizationDeniedException_Exception e){
        getPrintStream().println("Error : " + e.getMessage());
View Full Code Here


      byte[] bytes = null;
      if (parsedObject instanceof CVCAuthenticatedRequest) {
        CVCAuthenticatedRequest authreq = (CVCAuthenticatedRequest)parsedObject;
        bytes = authreq.getDEREncoded();
      } else {
        CVCertificate cert1 = (CVCertificate)parsedObject;
        CardVerifiableCertificate cvcert = new CardVerifiableCertificate(cert1);
        bytes = cvcert.getEncoded();
      }
      if ("pem".equalsIgnoreCase(outform)) {
        byte[] b64 = Base64.encode(bytes);
View Full Code Here

        // We should have created an authenticated request signed by the default
        // key, we intended to have it signed by the old key,
        // but since the CVCA is not renewed, and no old key exists, it will be
        // the "defaultKey", but we won't know the difference in this test.
        CVCAuthenticatedRequest authreq = (CVCAuthenticatedRequest) obj;
        CVCertificate reqcert = authreq.getRequest();
        assertEquals("SETESTCVCA00001", reqcert.getCertificateBody().getHolderReference().getConcatenated());
        assertEquals("SETESTCVCA00001", reqcert.getCertificateBody().getAuthorityReference().getConcatenated());

        // Make a certificate request from a DV, regenerating keys
        cachain = dvdcainfo.getCertificateChain();
        request = caAdminSession.makeRequest(admin, dvdcainfo.getCAId(), cachain, true, false, true, "foo123");
        obj = CertificateParser.parseCVCObject(request);
        // We should have created an authenticated request signed by the old
        // certificate
        authreq = (CVCAuthenticatedRequest) obj;
        reqcert = authreq.getRequest();
        assertEquals("SETESTDV-D00002", reqcert.getCertificateBody().getHolderReference().getConcatenated());
        // This request is made from the DV targeted for the DV, so the old DV
        // certificate will be the holder ref.
        // Normally you would target an external CA, and thus send in it's
        // cachain. The caRef would be the external CAs holderRef.
        assertEquals("SETESTDV-D00001", reqcert.getCertificateBody().getAuthorityReference().getConcatenated());

        // Get the DVs certificate request signed by the CVCA
        byte[] authrequest = caAdminSession.signRequest(admin, cvcainfo.getCAId(), request, false, false);
        CVCObject parsedObject = CertificateParser.parseCVCObject(authrequest);
        authreq = (CVCAuthenticatedRequest) parsedObject;
        assertEquals("SETESTDV-D00002", authreq.getRequest().getCertificateBody().getHolderReference().getConcatenated());
        assertEquals("SETESTDV-D00001", authreq.getRequest().getCertificateBody().getAuthorityReference().getConcatenated());
        assertEquals("SETESTCVCA00001", authreq.getAuthorityReference().getConcatenated());

        // Get the DVs certificate request signed by the CVCA creating a link
        // certificate.
        // Passing in a request without authrole should return a regular
        // authenticated request though.
        authrequest = caAdminSession.signRequest(admin, cvcainfo.getCAId(), request, false, true);
        parsedObject = CertificateParser.parseCVCObject(authrequest);
        authreq = (CVCAuthenticatedRequest) parsedObject;
        // Pass in a certificate instead
        CardVerifiableCertificate dvdcert = (CardVerifiableCertificate) cachain.iterator().next();
        authrequest = caAdminSession.signRequest(admin, cvcainfo.getCAId(), dvdcert.getEncoded(), false, true);
        parsedObject = CertificateParser.parseCVCObject(authrequest);
        CVCertificate linkcert = (CVCertificate) parsedObject;
        assertEquals("SETESTCVCA00001", linkcert.getCertificateBody().getAuthorityReference().getConcatenated());
        assertEquals("SETESTDV-D00001", linkcert.getCertificateBody().getHolderReference().getConcatenated());

        // Renew again but regenerate keys this time to make sure sequence is
        // updated
        caid = dvdcainfo.getCAId();
        caAdminSession.renewCA(admin, caid, "foo123", true);
View Full Code Here

        byte[] request = caAdminSession.makeRequest(admin, dvdcainfo.getCAId(), cachain, true, false, true, "foo123");
        CVCObject obj = CertificateParser.parseCVCObject(request);
        // We should have created an authenticated request signed by the old
        // certificate
        CVCAuthenticatedRequest authreq = (CVCAuthenticatedRequest) obj;
        CVCertificate reqcert = authreq.getRequest();
        assertEquals("SETDVEC-D00002", reqcert.getCertificateBody().getHolderReference().getConcatenated());
        // This request is made from the DV targeted for the DV, so the old DV
        // certificate will be the holder ref.
        // Normally you would target an external CA, and thus send in it's
        // cachain. The caRef would be the external CAs holderRef.
        assertEquals("SETDVEC-D00001", reqcert.getCertificateBody().getAuthorityReference().getConcatenated());

        // Get the DVs certificate request signed by the CVCA
        byte[] authrequest = caAdminSession.signRequest(admin, cvcainfo.getCAId(), request, false, false);
        CVCObject parsedObject = CertificateParser.parseCVCObject(authrequest);
        authreq = (CVCAuthenticatedRequest) parsedObject;
        assertEquals("SETDVEC-D00002", authreq.getRequest().getCertificateBody().getHolderReference().getConcatenated());
        assertEquals("SETDVEC-D00001", authreq.getRequest().getCertificateBody().getAuthorityReference().getConcatenated());
        assertEquals("SETCVCAEC00001", authreq.getAuthorityReference().getConcatenated());

        // Get the DVs certificate request signed by the CVCA creating a link
        // certificate.
        // Passing in a request without authrole should return a regular
        // authenticated request though.
        authrequest = caAdminSession.signRequest(admin, cvcainfo.getCAId(), request, false, true);
        parsedObject = CertificateParser.parseCVCObject(authrequest);
        authreq = (CVCAuthenticatedRequest) parsedObject;
        // Pass in a certificate instead
        CardVerifiableCertificate dvdcert = (CardVerifiableCertificate) cachain.iterator().next();
        authrequest = caAdminSession.signRequest(admin, cvcainfo.getCAId(), dvdcert.getEncoded(), false, true);
        parsedObject = CertificateParser.parseCVCObject(authrequest);
        CVCertificate linkcert = (CVCertificate) parsedObject;
        assertEquals("SETCVCAEC00001", linkcert.getCertificateBody().getAuthorityReference().getConcatenated());
        assertEquals("SETDVEC-D00001", linkcert.getCertificateBody().getHolderReference().getConcatenated());

        // Renew again but regenerate keys this time to make sure sequence is
        // updated
        caid = dvdcainfo.getCAId();
        caAdminSession.renewCA(admin, caid, "foo123", true);
        dvdcainfo = caAdminSession.getCAInfo(admin, dvdcaname);
        assertEquals(CAInfo.CATYPE_CVC, dvdcainfo.getCAType());
        cert = (Certificate) dvdcainfo.getCertificateChain().iterator().next();
        assertEquals("CVC", cert.getType());
        assertEquals(CertTools.getSubjectDN(cert), dvddn);
        assertEquals(CertTools.getIssuerDN(cert), rootcadn);
        assertEquals(dvdcainfo.getSubjectDN(), dvddn);
        cvcert = (CardVerifiableCertificate) cert;
        role = cvcert.getCVCertificate().getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getRole().name();
        assertEquals("DV_D", role);
        String holderRef = cvcert.getCVCertificate().getCertificateBody().getHolderReference().getConcatenated();
        // Sequence must have been updated with 1
        assertEquals("SETDVEC-D00003", holderRef);

        // Make a certificate request from a CVCA
        cachain = cvcainfo.getCertificateChain();
        assertEquals(1, cachain.size());
        Certificate cert1 = (Certificate) cachain.iterator().next();
        CardVerifiableCertificate cvcert1 = (CardVerifiableCertificate) cert1;
        assertEquals("SETCVCAEC00001", cvcert1.getCVCertificate().getCertificateBody().getHolderReference().getConcatenated());
        request = caAdminSession.makeRequest(admin, cvcainfo.getCAId(), cachain, false, false, false, null);
        obj = CertificateParser.parseCVCObject(request);
        // We should have created an un-authenticated request, because there
        // does not exist any old key
        CVCertificate cvcertreq = (CVCertificate) obj;
        assertEquals("SETCVCAEC00001", cvcertreq.getCertificateBody().getHolderReference().getConcatenated());
        assertEquals("SETCVCAEC00001", cvcertreq.getCertificateBody().getAuthorityReference().getConcatenated());

        // Renew the CVCA, generating new keys
        caAdminSession.renewCA(admin, cvcainfo.getCAId(), "foo123", true);

        // Make a certificate request from a CVCA again
        cvcainfo = caAdminSession.getCAInfo(admin, rootcaname);
        cachain = cvcainfo.getCertificateChain();
        assertEquals(1, cachain.size());
        Certificate cert2 = (Certificate) cachain.iterator().next();
        CardVerifiableCertificate cvcert2 = (CardVerifiableCertificate) cert2;
        assertEquals("SETCVCAEC00002", cvcert2.getCVCertificate().getCertificateBody().getHolderReference().getConcatenated());
        request = caAdminSession.makeRequest(admin, cvcainfo.getCAId(), cachain, false, false, false, null);
        obj = CertificateParser.parseCVCObject(request);
        // We should have created an authenticated request signed by the old
        // certificate
        CVCAuthenticatedRequest authreq1 = (CVCAuthenticatedRequest) obj;
        CVCertificate reqcert1 = authreq1.getRequest();
        assertEquals("SETCVCAEC00002", reqcert1.getCertificateBody().getHolderReference().getConcatenated());
        assertEquals("SETCVCAEC00002", reqcert1.getCertificateBody().getAuthorityReference().getConcatenated());
    } // test10AddCVCCAECC
View Full Code Here

        if (parsedObject instanceof CVCAuthenticatedRequest) {
          type = "authenticated request";
        }
        getPrintStream().println("Verifying "+type+" "+filename+" with certificate "+verifycert);
        CVCObject parsedVerifyObject = getCVCObject(verifycert);
        CVCertificate cert2 = (CVCertificate)parsedVerifyObject;
        PublicKey pk = cert2.getCertificateBody().getPublicKey();
        if (args.length > 3) {
          // we have an additional curve name
          String cvcacert = args[3];
          getPrintStream().println("Using CVCA certificate "+cvcacert+" for EC parameters.");
          CVCObject parsedCvcaObject = getCVCObject(cvcacert);
          CVCertificate cvca = (CVCertificate)parsedCvcaObject;
          pk = KeyTools.getECPublicKeyWithParams(pk, cvca.getCertificateBody().getPublicKey());
        }
        try {
          if (parsedObject instanceof CVCAuthenticatedRequest) {
            CVCAuthenticatedRequest authreq = (CVCAuthenticatedRequest)parsedObject;
            authreq.verify(pk);                     
          } else {
            CVCertificate cert1 = (CVCertificate)parsedObject;
            CardVerifiableCertificate cvcert = new CardVerifiableCertificate(cert1);
            cvcert.verify(pk);                     
          }
          getPrintStream().println("Verification of certificate was successful");
        } catch (Exception e) {
View Full Code Here

        // Handle the response
        int i = 1;
        for (Certificate certificate : resp) {
          byte[] b64cert = certificate.getCertificateData();
          CVCObject parsedObject = CertificateParser.parseCertificate(Base64.decode(b64cert));
          CVCertificate cvcert = (CVCertificate)parsedObject;
          FileOutputStream fos = new FileOutputStream(basefilename+i+".cvcert");
          fos.write(cvcert.getDEREncoded());
          fos.close();
          getPrintStream().println("Wrote binary certificate to: "+basefilename+i+".cvcert");
          getPrintStream().println("You can look at the certificate with the command cvcwscli.sh cvcprint "+basefilename+i+".cvcert");         
          i++;
        }
View Full Code Here

      } else {
        caRef = new CAReferenceField(holderRef.getCountry(), holderRef.getMnemonic(), holderRef.getSequence());       
        log.debug("No CA cert, using caRef from the holder itself: "+caRef.getConcatenated());         
      }
      log.debug("Creating request with signature alg: "+signAlg+", using provider "+catoken.getProvider());
      CVCertificate request = CertificateGenerator.createRequest(keyPair, signAlg, caRef, holderRef, catoken.getProvider());
      ret = request.getDEREncoded();
    } catch (IllegalKeyStoreException e) {
            throw new RuntimeException(e);
    } catch (InvalidKeyException e) {
            throw new RuntimeException(e);
    } catch (NoSuchAlgorithmException e) {
View Full Code Here

        log.debug("Using current sequence in caRef: "+sequence);       
      }
      // Set the CA reference field for the authentication signature
      CAReferenceField caRef = new CAReferenceField(caHolder.getCountry(), caHolder.getMnemonic(), sequence);

      CVCertificate cvcert = null;
      try {
        byte[] binbytes = request;
        try {
          // We don't know if this is a PEM or binary certificate or request request so we first try to
          // decode it as a PEM certificate, and if it's not we try it as a PEM request and finally as a binary request
          Collection<Certificate> col = CertTools.getCertsFromPEM(new ByteArrayInputStream(request));
          Certificate cert = col.iterator().next();
          if (cert != null) {
            binbytes = cert.getEncoded();
          }
        } catch (Exception e) {
          log.debug("This is not a PEM certificate?: "+e.getMessage());
          try {
            binbytes = RequestMessageUtils.getRequestBytes(request);
          } catch (Exception e2) {
            log.debug("This is not a PEM request?: "+e2.getMessage());           
          }
        }
        // This can be either a CV certificate, a CV certificate request, or an authenticated request that we should re-sign
        CVCObject parsedObject;
        parsedObject = CertificateParser.parseCVCObject(binbytes);
        if (parsedObject instanceof CVCertificate) {
          cvcert = (CVCertificate) parsedObject;
          log.debug("This is a reqular CV request, or cert.");         
        } else if (parsedObject instanceof CVCAuthenticatedRequest) {
          CVCAuthenticatedRequest authreq = (CVCAuthenticatedRequest)parsedObject;
          cvcert = authreq.getRequest();
          log.debug("This is an authenticated CV request, we will overwrite the old authentication with a new.");         
        }
      } catch (ParseException e) {
              String msg = intres.getLocalizedMessage("cvc.error.notcvcrequest");
        log.info(msg, e);
        return request;
      } catch (ClassCastException e) {
              String msg = intres.getLocalizedMessage("cvc.error.notcvcrequest");
        log.info(msg, e);
        return request;
      }
      // Check if the input was a CVCA certificate, which is the same CVCA as this. If all is true we should create a CVCA link certificate
      // instead of an authenticated request
      CardVerifiableCertificate cvccert = new CardVerifiableCertificate(cvcert);
      HolderReferenceField cvccertholder = cvccert.getCVCertificate().getCertificateBody().getHolderReference();
      AuthorizationRoleEnum authRole = null;
      AccessRightEnum rights = null;
      try {
        authRole = cvccert.getCVCertificate().getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getRole();         
         rights = cvccert.getCVCertificate().getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getAccessRight();
      } catch (NoSuchFieldException e) {
        log.debug("No AuthorizationRoleEnum or AccessRightEnum, this is not a CV certificate so we can't make a link certificate: "+e.getMessage());
       
      }
      if (createlinkcert && (authRole != null) && (rights != null)) {
        log.debug("We will create a link certificate.");
        String msg = intres.getLocalizedMessage("cvc.info.createlinkcert", cvccertholder.getConcatenated(), caRef.getConcatenated());
        log.info(msg);
        PublicKey pk = cvccert.getPublicKey();
        Date validFrom = cvccert.getCVCertificate().getCertificateBody().getValidFrom();
        Date validTo = cvccert.getCVCertificate().getCertificateBody().getValidTo();
        // Generate a new certificate with the same contents as the passed in certificate, but with new caRef and signature
        CVCertificate retcert = CertificateGenerator.createCertificate(pk, keyPair.getPrivate(), signAlg, caRef, cvccertholder, authRole, rights, validFrom, validTo, catoken.getProvider());
        ret = retcert.getDEREncoded();
        log.debug("Signed a CardVerifiableCertificate CardVerifiableCertificate.");
      } else {
        log.debug("Creating authenticated request with signature alg: "+signAlg+", using provider "+catoken.getProvider());
        CVCAuthenticatedRequest authreq = CertificateGenerator.createAuthenticatedRequest(cvcert, keyPair, signAlg, caRef, catoken.getProvider());
        ret = authreq.getDEREncoded();       
View Full Code Here

        // Generate the CVC certificate using Keijos library
        CATokenContainer catoken = getCAToken();
        String sigAlg = catoken.getCATokenInfo().getSignatureAlgorithm();
        log.debug("Creating CV certificate with algorithm "+sigAlg+", using provider "+catoken.getProvider()+", public key algorithm from CVC request must match this algorithm.");
        log.debug("CARef: "+caRef.getConcatenated()+"; holderRef: "+holderRef.getConcatenated());
        CVCertificate cvc = CertificateGenerator.createCertificate(publicKey, catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN),
            sigAlg, caRef, holderRef, authRole, accessRights, val.getNotBefore(), val.getNotAfter(), catoken.getProvider());

        if (log.isDebugEnabled()) {
            log.debug("Certificate: "+cvc.toString());
            log.debug("Certificate bytes: "+new String(Base64.encode(cvc.getDEREncoded())));         
        }
       
        CardVerifiableCertificate retCert = new CardVerifiableCertificate(cvc);
        // Verify certificate before returning
        retCert.verify(getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN));
View Full Code Here

TOP

Related Classes of org.ejbca.cvc.CVCertificate

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.