Package org.ejbca.cvc

Examples of org.ejbca.cvc.HolderReferenceField


        CAReferenceField carf = cvccert.getCVCertificate().getCertificateBody().getAuthorityReference();
        if (carf != null) {
          car = carf.getConcatenated();
        }
        String chr = "chr";
        HolderReferenceField chrf = cvccert.getCVCertificate().getCertificateBody().getHolderReference();
        if (chrf != null) {
          chr = chrf.getConcatenated();
        }
        dnpart = car + "_" + chr;
      } else {
        String dn = CertTools.getSubjectDN(cacert);
        dnpart = CertTools.getPartFromDN(dn, "CN");


          log.debug("Received an authenticated request, could be an initial DV request signed by CVCA or a renewal for DV or IS.");
          CVCAuthenticatedRequest authreq = (CVCAuthenticatedRequest)parsedObject;
          CVCPublicKey cvcKey = authreq.getRequest().getCertificateBody().getPublicKey();
          String algorithm = AlgorithmUtil.getAlgorithmName(cvcKey.getObjectIdentifier());
          log.debug("Received request has a public key with algorithm: "+algorithm);
          HolderReferenceField holderRef = authreq.getRequest().getCertificateBody().getHolderReference();
          CAReferenceField caRef = authreq.getAuthorityReference();

          // Check to see that the inner signature does not also verify using an old certificate
          // because that means the same keys were used, and that is not allowed according to the EU policy
          // This must be done whether it is signed by CVCA or a renewal request
          Collection<java.security.cert.Certificate> oldcerts = certificateStoreSession.findCertificatesByUsername(admin, username);
          if (oldcerts != null) {
            log.debug("Found "+oldcerts.size()+" old certificates for user "+username);
            Iterator<java.security.cert.Certificate> iterator = oldcerts.iterator();
            while (iterator.hasNext()) {
              java.security.cert.Certificate cert = iterator.next();
              PublicKey pk = getCVPublicKey(admin, cert);
              CVCertificate innerreq = authreq.getRequest();
              checkInnerCollision(pk, innerreq, holderRef.getConcatenated()); // Throws AuthorizationDeniedException
            }
          }

          boolean verifiedOuter = false; // So we can throw an error if we could not verify
          if (StringUtils.equals(holderRef.getMnemonic(), caRef.getMnemonic()) && StringUtils.equals(holderRef.getCountry(), caRef.getCountry())) {
            log.debug("Authenticated request is self signed, we will try to verify it using user's old certificate.");
            Collection<java.security.cert.Certificate> certs = certificateStoreSession.findCertificatesByUsername(admin, username);
            // certs contains certificates ordered with last expire date first. Last expire date should be last issued cert
            // We have to iterate over available user certificates, because we don't know which on signed the old one
            // and cv certificates have very coarse grained validity periods so we can't really know which one is the latest one
            // if 2 certificates are issued the same day.
            if (certs != null) {
              log.debug("Found "+certs.size()+" old certificates for user "+username);
              Iterator<java.security.cert.Certificate> iterator = certs.iterator();
              while (iterator.hasNext()) {
                java.security.cert.Certificate cert = iterator.next();
                try {
                  // Only allow renewal if the old certificate is valid
                  PublicKey pk = getCVPublicKey(admin, cert);
                  if (log.isDebugEnabled()) {
                    log.debug("Trying to verify the outer signature with an old certificate, fp: "+CertTools.getFingerprintAsString(cert));                   
                  }
                  authreq.verify(pk);
                  log.debug("Verified outer signature");
                  // Yes we did it, we can move on to the next step because the outer signature was actually created with some old certificate
                  verifiedOuter = true;
                  if (ejbhelper.checkValidityAndSetUserPassword(admin, cert, username, password)) {
                    // If we managed to verify the certificate we will break out of the loop                 
                    break;
                  }
                 
                  // If verification of outer signature fails because the signature is invalid we will break and deny the request...with a message
                } catch (InvalidKeyException e) {
                  String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), e.getMessage());             
                  log.warn(msg, e);
                } catch (CertificateExpiredException e) { // thrown by checkValidityAndSetUserPassword
                  String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), e.getMessage());             
                  // Only log this with DEBUG since it will be a common case that happens, nothing that should cause any alerts
                  log.debug(msg);
                  // This exception we want to throw on, because we want to give this error if there was a certificate suitable for
                  // verification, but it had expired. This is thrown by checkValidityAndSetUserPassword after the request has already been
                  // verified using the public key of the certificate.
                  throw e;
                } catch (CertificateException e) {
                  String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), e.getMessage());             
                  log.warn(msg, e);
                } catch (NoSuchAlgorithmException e) {
                  String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), e.getMessage());             
                  log.info(msg, e);
                } catch (NoSuchProviderException e) {
                  String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), e.getMessage());             
                  log.warn(msg, e);
                } catch (SignatureException e) {
                  // Failing to verify the outer signature will be normal, since we must try all old certificates
                  if (log.isDebugEnabled()) {
                    String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), e.getMessage());             
                    log.debug(msg);                 
                  }
                }
              } // while (iterator.hasNext()) {
              // if verification failed because the old cert was not yet valid, continue processing as usual, using the sent in username/password hoping the
              // status is NEW and password is correct. If old certificate was expired a CertificateExpiredException is thrown above.

            } // if (certs != null) {
           
            // If there are no old certificate, continue processing as usual, using the sent in username/password hoping the
            // status is NEW and password is correct.
          } else { // if (StringUtils.equals(holderRef, caRef))
            // Subject and issuerDN is CN=Mnemonic,C=Country
            String dn = "CN="+caRef.getMnemonic()+",C="+caRef.getCountry();
            log.debug("Authenticated request is not self signed, we will try to verify it using a CVCA certificate: "+dn);
            CAInfo info = caAdminSession.getCAInfoOrThrowException(admin, CertTools.stringToBCDNString(dn).hashCode());
            if (info != null) {
              Collection<java.security.cert.Certificate> certs = info.getCertificateChain();
              if (certs != null) {
                log.debug("Found "+certs.size()+" certificates in chain for CA with DN: "+dn);             
                Iterator<java.security.cert.Certificate> iterator = certs.iterator();
                if (iterator.hasNext()) {
                  // The CA certificate is first in chain
                  java.security.cert.Certificate cert = iterator.next();
                  if (log.isDebugEnabled()) {
                    log.debug("Trying to verify the outer signature with a CVCA certificate, fp: "+CertTools.getFingerprintAsString(cert));                   
                  }
                  try {
                    // The CVCA certificate always contains the full key parameters, no need to du any EC curve parameter magic here
                    authreq.verify(cert.getPublicKey());
                    log.debug("Verified outer signature");
                    verifiedOuter = true;
                    // Yes we did it, we can move on to the next step because the outer signature was actually created with some old certificate
                    if (!ejbhelper.checkValidityAndSetUserPassword(admin, cert, username, password)) {
                      // If the CA certificate was not valid, we are not happy                 
                      String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), "CA certificate not valid for CA: "+info.getCAId());             
                      log.info(msg);
                      throw new AuthorizationDeniedException(msg);
                    }             
                  } catch (InvalidKeyException e) {
                    String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), e.getMessage());             
                    log.warn(msg, e);
                  } catch (CertificateException e) {
                    String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), e.getMessage());             
                    log.warn(msg, e);
                  } catch (NoSuchAlgorithmException e) {
                    String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), e.getMessage());             
                    log.warn(msg, e);
                  } catch (NoSuchProviderException e) {
                    String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), e.getMessage());             
                    log.warn(msg, e);
                  } catch (SignatureException e) {
                    String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), e.getMessage());             
                    log.warn(msg, e);
                  }             
                }               
              } else {
                log.info("No CA certificate found to authenticate request: "+dn);
              }
            } else {
              log.info("No CA found to authenticate request: "+dn);
            }
          }
          // if verification failed because we could not verify the outer signature at all it is an error
          if (!verifiedOuter) {
            String msg = intres.getLocalizedMessage("cvc.error.outersignature", holderRef.getConcatenated(), "No certificate found that could authenticate request");             
            log.info(msg);
            throw new AuthorizationDeniedException(msg);
          }
        } // if (parsedObject instanceof CVCAuthenticatedRequest)
        // If it is not an authenticated request, with an outer signature, continue processing as usual,

        KeyPair keyPair = KeyTools.genKeys(keyspec, keyalg);
        KeyPair keyPair1 = KeyTools.genKeys(keyspec, keyalg);
        KeyPair keyPair2 = KeyTools.genKeys(keyspec, keyalg);

        CAReferenceField caRef = new CAReferenceField("SE", "WSTEST", "00111");
        HolderReferenceField holderRef = new HolderReferenceField(caRef.getCountry(), caRef.getMnemonic(), caRef.getSequence());

        // Simple self signed request
        CVCertificate request = CertificateGenerator.createRequest(keyPair, signalg, caRef, holderRef);

        // A renew request with an outer signature created with the same keys as

        // Now we want to renew a DVCA signed by an external CVCA

        // Create the self signed CVCA, we do it here locally
        final KeyPair cvcakeypair = KeyTools.genKeys(keyspec, keyalg);
        CAReferenceField caRef = new CAReferenceField("SE", cvcaMnemonic, "00001");
        HolderReferenceField holderRef = new HolderReferenceField("SE", cvcaMnemonic, "00001");
        CVCertificate cvcert = CertificateGenerator.createTestCertificate(cvcakeypair.getPublic(), cvcakeypair.getPrivate(), caRef, holderRef, signalg,
                AuthorizationRoleEnum.CVCA);
        CardVerifiableCertificate cvcacert = new CardVerifiableCertificate(cvcert);

        // Create the DVCA signed by our external CVCA
        String caname = createDVCCASignedByExternal(dvcaName, dvcaMnemonic, keyspec, keyalg, signalg);
        assertNotNull("Failed to create DVC CA " + dvcaName + "Signed By External.", caname);
        assertEquals(caname, dvcaName);
        // Now test our WS API to generate a request, setting status to
        // "WAITING_FOR_CERTIFICATE_RESPONSE"
        CAInfo dvinfo = caAdminSessionRemote.getCAInfo(intAdmin, caname);
        assertEquals(SecConst.CA_WAITING_CERTIFICATE_RESPONSE, dvinfo.getStatus());
        cachain.add(cvcacert.getEncoded());
        // Create the request with WS API
        request = ejbcaraws.caRenewCertRequest(caname, cachain, false, false, false, pwd);
        // make the mandatory junit checks...
        assertNotNull(request);
        CVCRequestMessage cvcreq = RequestMessageUtils.genCVCRequestMessage(request);
        assertNotNull(cvcreq);
        assertEquals(dvinfo.getSubjectDN(), cvcreq.getRequestDN());
        CVCObject obj = CertificateParser.parseCVCObject(request);
        // System.out.println(obj.getAsText());
        CVCertificate cert = (CVCertificate) obj;
        assertEquals(cvcacert.getCVCertificate().getCertificateBody().getAuthorityReference().getConcatenated(), cert.getCertificateBody()
                .getAuthorityReference().getConcatenated());

        // Receive the response so the DV CA is activated
        HolderReferenceField dvholderref = cert.getCertificateBody().getHolderReference();
        CVCertificate dvretcert = CertificateGenerator.createTestCertificate(cert.getCertificateBody().getPublicKey(), cvcakeypair.getPrivate(), caRef,
                dvholderref, signalg, AuthorizationRoleEnum.DV_D);
        ejbcaraws.caCertResponse(caname, dvretcert.getDEREncoded(), cachain, pwd);
        // Check that the cert was received and the CA activated
        dvinfo = caAdminSessionRemote.getCAInfo(intAdmin, caname);

          String seq = CertTools.getPartFromDN(dn, "SERIALNUMBER");
          if (StringUtils.isEmpty(seq)) {
            seq = RandomStringUtils.randomNumeric(5);
            getLogger().info("No sequence given, using random 5 number sequence: "+seq);
          }
              HolderReferenceField holderRef = new HolderReferenceField(country, mnemonic, seq);
              CAReferenceField caRef = new CAReferenceField(holderRef.getCountry(), holderRef.getMnemonic(), holderRef.getSequence());
              AuthorizationRoleEnum authRole = AuthorizationRoleEnum.CVCA;
              Date notBefore = new Date();
              Calendar notAfter = Calendar.getInstance();
              notAfter.add(Calendar.DAY_OF_MONTH, valdays);
              CVCertificate cvc = CertificateGenerator.createCertificate(pubKey, privKey,

            CAReferenceField carf = cvccert.getCertificateBody().getAuthorityReference();
            if (carf != null) {
              String car = carf.getConcatenated();
              filename += car;
            }
            HolderReferenceField chrf = cvccert.getCertificateBody().getHolderReference();
            if (chrf != null) {
              String chr = chrf.getConcatenated();
              if (filename.length() > 0) {
                filename += "_";
              }
              filename +=chr;
            }

                        CVCAuthenticatedRequest cvcreq = (CVCAuthenticatedRequest) parsedObject;
                        cvccert = cvcreq.getRequest();
                    } else {
                        cvccert = (CVCertificate) parsedObject;
                    }
                    HolderReferenceField chrf = cvccert.getCertificateBody().getHolderReference();
                    if (chrf != null) {
                      filename = chrf.getConcatenated();
                    }
                } catch (ParseException ex) {
                    // Apparently it wasn't a CVC request, ignore
                } catch (IllegalArgumentException ex) {
                    // Apparently it wasn't a X.509 certificate, was it a certificate request?

            getPrintStream().println("No sequence given, using random 5 number sequence: "+sequence);
          }
          //CAReferenceField caRef = new CAReferenceField(country,mnemonic,sequence);
          CAReferenceField caRef = null; // Don't create a caRef in the self signed request
          // We are making a self signed request, so holder ref is same as ca ref
          HolderReferenceField holderRef = new HolderReferenceField(country,mnemonic,sequence);
          CVCertificate request = CertificateGenerator.createRequest(keyPair, signatureAlg, caRef, holderRef);
          byte[] der = request.getDEREncoded();
          if (authSignKeyFile != null) {
            getPrintStream().println("Reading private key from pkcs8 file "+authSignKeyFile+" to create an authenticated request");
            byte[] keybytes = FileTools.readFiletoBuffer(authSignKeyFile);

        if (username != null) {
            return username;
        }
        String subject = null;
    try {
      HolderReferenceField hr = cvcert.getCertificateBody().getHolderReference();
      subject = hr.getMnemonic()+hr.getCountry();
    } catch (NoSuchFieldException e) {
      log.error(e);
    }
        return subject;
    }

        log.info("Sequence "+seq+" is too short, padding with zeroes.");
        for (int i = seq.length(); i < 5; i++) {
          seq = "0"+seq;         
        }
      }
      HolderReferenceField holderRef = new HolderReferenceField(country, mnemonic, seq);
      CAReferenceField caRef = null;
      if (cacert != null) {
        if (cacert instanceof CardVerifiableCertificate) {
          CardVerifiableCertificate cvcacert = (CardVerifiableCertificate) cacert;
          try {
            HolderReferenceField href = cvcacert.getCVCertificate().getCertificateBody().getHolderReference();
            caRef = new CAReferenceField(href.getCountry(), href.getMnemonic(), href.getSequence());
            log.debug("Using caRef from the CA certificate: "+caRef.getConcatenated());         
          } catch (NoSuchFieldException e) {
            log.debug("CA certificate does not contain a Holder reference to use as CARef in request.");
          }         
        } else {


