mirrors
/
poi
镜像自地址 https://github.com/apache/poi.git
关注 1
点赞 0
派生 0
代码 工单 0 版本发布 100 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
5764 提交
26 分支
目录树: 56051c3e44
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '56051c3e44'
${ noResults }
poi/src/ooxml/testcases/org/apache/poi/poifs/crypt/PkiTestUtils.java

PkiTestUtils.java 15KB
原始文件 Blame 文件历史

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317 
  1. /* ====================================================================

  2.    Licensed to the Apache Software Foundation (ASF) under one or more

  3.    contributor license agreements.  See the NOTICE file distributed with

  4.    this work for additional information regarding copyright ownership.

  5.    The ASF licenses this file to You under the Apache License, Version 2.0

  6.    (the "License"); you may not use this file except in compliance with

  7.    the License.  You may obtain a copy of the License at

  8. 

  9.        http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11.    Unless required by applicable law or agreed to in writing, software

  12.    distributed under the License is distributed on an "AS IS" BASIS,

  13.    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.    See the License for the specific language governing permissions and

  15.    limitations under the License.

  16. ==================================================================== */

  17. package org.apache.poi.poifs.crypt;

  18. 

  19. import java.io.IOException;

  20. import java.io.InputStream;

  21. import java.io.StringWriter;

  22. import java.math.BigInteger;

  23. import java.security.KeyPair;

  24. import java.security.KeyPairGenerator;

  25. import java.security.PrivateKey;

  26. import java.security.PublicKey;

  27. import java.security.SecureRandom;

  28. import java.security.cert.CRLException;

  29. import java.security.cert.CertificateEncodingException;

  30. import java.security.cert.CertificateException;

  31. import java.security.cert.X509CRL;

  32. import java.security.cert.X509Certificate;

  33. import java.security.interfaces.RSAPublicKey;

  34. import java.security.spec.RSAKeyGenParameterSpec;

  35. import java.util.Date;

  36. 

  37. import javax.xml.parsers.DocumentBuilder;

  38. import javax.xml.parsers.DocumentBuilderFactory;

  39. import javax.xml.parsers.ParserConfigurationException;

  40. import javax.xml.transform.OutputKeys;

  41. import javax.xml.transform.Result;

  42. import javax.xml.transform.Source;

  43. import javax.xml.transform.Transformer;

  44. import javax.xml.transform.TransformerException;

  45. import javax.xml.transform.TransformerFactory;

  46. import javax.xml.transform.dom.DOMSource;

  47. import javax.xml.transform.stream.StreamResult;

  48. 

  49. import org.bouncycastle.asn1.DERIA5String;

  50. import org.bouncycastle.asn1.DEROctetString;

  51. import org.bouncycastle.asn1.DERSequence;

  52. import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;

  53. import org.bouncycastle.asn1.x500.X500Name;

  54. import org.bouncycastle.asn1.x509.AuthorityInformationAccess;

  55. import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;

  56. import org.bouncycastle.asn1.x509.BasicConstraints;

  57. import org.bouncycastle.asn1.x509.CRLNumber;

  58. import org.bouncycastle.asn1.x509.CRLReason;

  59. import org.bouncycastle.asn1.x509.DistributionPoint;

  60. import org.bouncycastle.asn1.x509.DistributionPointName;

  61. import org.bouncycastle.asn1.x509.Extension;

  62. import org.bouncycastle.asn1.x509.Extensions;

  63. import org.bouncycastle.asn1.x509.GeneralName;

  64. import org.bouncycastle.asn1.x509.GeneralNames;

  65. import org.bouncycastle.asn1.x509.KeyUsage;

  66. import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;

  67. import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;

  68. import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;

  69. import org.bouncycastle.cert.X509CRLHolder;

  70. import org.bouncycastle.cert.X509CertificateHolder;

  71. import org.bouncycastle.cert.X509ExtensionUtils;

  72. import org.bouncycastle.cert.X509v2CRLBuilder;

  73. import org.bouncycastle.cert.X509v3CertificateBuilder;

  74. import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;

  75. import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;

  76. import org.bouncycastle.cert.ocsp.BasicOCSPResp;

  77. import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;

  78. import org.bouncycastle.cert.ocsp.CertificateID;

  79. import org.bouncycastle.cert.ocsp.CertificateStatus;

  80. import org.bouncycastle.cert.ocsp.OCSPReq;

  81. import org.bouncycastle.cert.ocsp.OCSPReqBuilder;

  82. import org.bouncycastle.cert.ocsp.OCSPResp;

  83. import org.bouncycastle.cert.ocsp.OCSPRespBuilder;

  84. import org.bouncycastle.cert.ocsp.Req;

  85. import org.bouncycastle.cert.ocsp.RevokedStatus;

  86. import org.bouncycastle.crypto.params.RSAKeyParameters;

  87. import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;

  88. import org.bouncycastle.operator.ContentSigner;

  89. import org.bouncycastle.operator.DigestCalculator;

  90. import org.bouncycastle.operator.OperatorCreationException;

  91. import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

  92. import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

  93. import org.w3c.dom.Document;

  94. import org.w3c.dom.Node;

  95. import org.xml.sax.InputSource;

  96. import org.xml.sax.SAXException;

  97. 

  98. public class PkiTestUtils {

  99. 

  100.     private PkiTestUtils() {

  101.         super();

  102.     }

  103. 

  104.     static KeyPair generateKeyPair() throws Exception {

  105.         KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");

  106.         SecureRandom random = new SecureRandom();

  107.         keyPairGenerator.initialize(new RSAKeyGenParameterSpec(1024,

  108.                 RSAKeyGenParameterSpec.F4), random);

  109.         KeyPair keyPair = keyPairGenerator.generateKeyPair();

  110.         return keyPair;

  111.     }

  112. 

  113.     static X509Certificate generateCertificate(PublicKey subjectPublicKey,

  114.             String subjectDn, Date notBefore, Date notAfter,

  115.             X509Certificate issuerCertificate, PrivateKey issuerPrivateKey,

  116.             boolean caFlag, int pathLength, String crlUri, String ocspUri,

  117.             KeyUsage keyUsage)

  118.     throws IOException, OperatorCreationException, CertificateException

  119.     {

  120.         String signatureAlgorithm = "SHA1withRSA";

  121.         X500Name issuerName;

  122.         if (issuerCertificate != null) {

  123.             issuerName = new X509CertificateHolder(issuerCertificate.getEncoded()).getIssuer();

  124.         } else {

  125.             issuerName = new X500Name(subjectDn);

  126.         }

  127.         

  128.         RSAPublicKey rsaPubKey = (RSAPublicKey)subjectPublicKey;

  129.         RSAKeyParameters rsaSpec = new RSAKeyParameters(false, rsaPubKey.getModulus(), rsaPubKey.getPublicExponent());

  130. 

  131.         SubjectPublicKeyInfo subjectPublicKeyInfo = 

  132.             SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(rsaSpec);

  133. 

  134.         DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder()

  135.             .setProvider("BC").build().get(CertificateID.HASH_SHA1);

  136.         

  137.         X509v3CertificateBuilder certificateGenerator = new X509v3CertificateBuilder(

  138.               issuerName

  139.             , new BigInteger(128, new SecureRandom())

  140.             , notBefore

  141.             , notAfter

  142.             , new X500Name(subjectDn)

  143.             , subjectPublicKeyInfo

  144.         );

  145. 

  146.         X509ExtensionUtils exUtils = new X509ExtensionUtils(digestCalc);

  147.         SubjectKeyIdentifier subKeyId = exUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo);

  148.         AuthorityKeyIdentifier autKeyId = (issuerCertificate != null) 

  149.             ? exUtils.createAuthorityKeyIdentifier(new X509CertificateHolder(issuerCertificate.getEncoded()))

  150.             : exUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo);

  151. 

  152.         certificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subKeyId);

  153.         certificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, autKeyId);

  154. 

  155.         if (caFlag) {

  156.             BasicConstraints bc;

  157.             

  158.             if (-1 == pathLength) {

  159.                 bc = new BasicConstraints(true);

  160.             } else {

  161.                 bc = new BasicConstraints(pathLength);

  162.             }

  163.             certificateGenerator.addExtension(Extension.basicConstraints, false, bc);

  164.         }

  165. 

  166.         if (null != crlUri) {

  167.             int uri = GeneralName.uniformResourceIdentifier;

  168.             DERIA5String crlUriDer = new DERIA5String(crlUri);

  169.             GeneralName gn = new GeneralName(uri, crlUriDer);

  170. 

  171.             DERSequence gnDer = new DERSequence(gn);

  172.             GeneralNames gns = GeneralNames.getInstance(gnDer);

  173.             

  174.             DistributionPointName dpn = new DistributionPointName(0, gns);

  175.             DistributionPoint distp = new DistributionPoint(dpn, null, null);

  176.             DERSequence distpDer = new DERSequence(distp);

  177.             certificateGenerator.addExtension(Extension.cRLDistributionPoints, false, distpDer);

  178.         }

  179. 

  180.         if (null != ocspUri) {

  181.             int uri = GeneralName.uniformResourceIdentifier;

  182.             GeneralName ocspName = new GeneralName(uri, ocspUri);

  183.             

  184.             AuthorityInformationAccess authorityInformationAccess =

  185.                 new AuthorityInformationAccess(X509ObjectIdentifiers.ocspAccessMethod, ocspName);

  186.             

  187.             certificateGenerator.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess);

  188.         }

  189. 

  190.         if (null != keyUsage) {

  191.             certificateGenerator.addExtension(Extension.keyUsage, true, keyUsage);

  192.         }

  193. 

  194.         JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm);

  195.         signerBuilder.setProvider("BC");

  196.         

  197.         X509CertificateHolder certHolder =

  198.             certificateGenerator.build(signerBuilder.build(issuerPrivateKey));

  199. 

  200.         /*

  201.          * Next certificate factory trick is needed to make sure that the

  202.          * certificate delivered to the caller is provided by the default

  203.          * security provider instead of BouncyCastle. If we don't do this trick

  204.          * we might run into trouble when trying to use the CertPath validator.

  205.          */

  206. //        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

  207. //        certificate = (X509Certificate) certificateFactory

  208. //                .generateCertificate(new ByteArrayInputStream(certificate

  209. //                        .getEncoded()));

  210.         return new JcaX509CertificateConverter().getCertificate(certHolder);

  211.     }

  212. 

  213.     static Document loadDocument(InputStream documentInputStream)

  214.             throws ParserConfigurationException, SAXException, IOException {

  215.         InputSource inputSource = new InputSource(documentInputStream);

  216.         DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory

  217.                 .newInstance();

  218.         documentBuilderFactory.setNamespaceAware(true);

  219.         DocumentBuilder documentBuilder = documentBuilderFactory

  220.                 .newDocumentBuilder();

  221.         Document document = documentBuilder.parse(inputSource);

  222.         return document;

  223.     }

  224. 

  225.     static String toString(Node dom) throws TransformerException {

  226.         Source source = new DOMSource(dom);

  227.         StringWriter stringWriter = new StringWriter();

  228.         Result result = new StreamResult(stringWriter);

  229.         TransformerFactory transformerFactory = TransformerFactory

  230.                 .newInstance();

  231.         Transformer transformer = transformerFactory.newTransformer();

  232.         /*

  233.          * We have to omit the ?xml declaration if we want to embed the

  234.          * document.

  235.          */

  236.         transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");

  237.         transformer.transform(source, result);

  238.         return stringWriter.getBuffer().toString();

  239.     }

  240. 

  241.     public static X509CRL generateCrl(X509Certificate issuer, PrivateKey issuerPrivateKey)

  242.     throws CertificateEncodingException, IOException, CRLException, OperatorCreationException {

  243.         

  244.         X509CertificateHolder holder = new X509CertificateHolder(issuer.getEncoded());

  245.         X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(holder.getIssuer(), new Date());

  246.         crlBuilder.setNextUpdate(new Date(new Date().getTime() + 100000));

  247.         JcaContentSignerBuilder contentBuilder = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC");

  248. 

  249.         CRLNumber crlNumber = new CRLNumber(new BigInteger("1234"));

  250.         

  251.         crlBuilder.addExtension(Extension.cRLNumber, false, crlNumber);

  252.         X509CRLHolder x509Crl = crlBuilder.build(contentBuilder.build(issuerPrivateKey));

  253.         return new JcaX509CRLConverter().setProvider("BC").getCRL(x509Crl);

  254.     }

  255. 

  256.     public static OCSPResp createOcspResp(X509Certificate certificate,

  257.             boolean revoked, X509Certificate issuerCertificate,

  258.             X509Certificate ocspResponderCertificate,

  259.             PrivateKey ocspResponderPrivateKey, String signatureAlgorithm,

  260.             long nonceTimeinMillis)

  261.             throws Exception {

  262.         DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder()

  263.             .setProvider("BC").build().get(CertificateID.HASH_SHA1);

  264.         X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCertificate.getEncoded());

  265.         CertificateID certId = new CertificateID(digestCalc, issuerHolder, certificate.getSerialNumber());

  266.         

  267.         // request

  268.         //create a nonce to avoid replay attack

  269.         BigInteger nonce = BigInteger.valueOf(nonceTimeinMillis);

  270.         DEROctetString nonceDer = new DEROctetString(nonce.toByteArray());

  271.         Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, nonceDer);

  272.         Extensions exts = new Extensions(ext);

  273.         

  274.         OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();

  275.         ocspReqBuilder.addRequest(certId);

  276.         ocspReqBuilder.setRequestExtensions(exts);

  277.         OCSPReq ocspReq = ocspReqBuilder.build();

  278. 

  279.         

  280.         SubjectPublicKeyInfo keyInfo = new SubjectPublicKeyInfo

  281.             (CertificateID.HASH_SHA1, ocspResponderCertificate.getPublicKey().getEncoded());

  282.         

  283.         BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(keyInfo, digestCalc);

  284.         basicOCSPRespBuilder.setResponseExtensions(exts);

  285. 

  286.         // request processing

  287.         Req[] requestList = ocspReq.getRequestList();

  288.         for (Req ocspRequest : requestList) {

  289.             CertificateID certificateID = ocspRequest.getCertID();

  290.             CertificateStatus certificateStatus = CertificateStatus.GOOD;

  291.             if (revoked) {

  292.                 certificateStatus = new RevokedStatus(new Date(), CRLReason.privilegeWithdrawn);

  293.             }

  294.             basicOCSPRespBuilder.addResponse(certificateID, certificateStatus);

  295.         }

  296. 

  297.         // basic response generation

  298.         X509CertificateHolder[] chain = null;

  299.         if (!ocspResponderCertificate.equals(issuerCertificate)) {

  300.             // TODO: HorribleProxy can't convert array input params yet

  301.             chain = new X509CertificateHolder[] {

  302.                 new X509CertificateHolder(ocspResponderCertificate.getEncoded()),

  303.                 issuerHolder

  304.             };

  305.         }

  306.         

  307.         ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA")

  308.             .setProvider("BC").build(ocspResponderPrivateKey);

  309.         BasicOCSPResp basicOCSPResp = basicOCSPRespBuilder.build(contentSigner, chain, new Date(nonceTimeinMillis));

  310. 

  311.         

  312.         OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();

  313.         OCSPResp ocspResp = ocspRespBuilder.build(OCSPRespBuilder.SUCCESSFUL, basicOCSPResp);

  314. 

  315.         return ocspResp;

  316.     }

  317. }