mirrors
/
poi
mirror of https://github.com/apache/poi.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 100 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9548 Commits
26 Branches
Tree: b4b4b8c285
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b4b4b8c285'
${ noResults }
poi/src/ooxml/testcases/org/apache/poi/poifs/crypt/PkiTestUtils.java

PkiTestUtils.java 14KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314 
  1. /* ====================================================================

  2.    Licensed to the Apache Software Foundation (ASF) under one or more

  3.    contributor license agreements.  See the NOTICE file distributed with

  4.    this work for additional information regarding copyright ownership.

  5.    The ASF licenses this file to You under the Apache License, Version 2.0

  6.    (the "License"); you may not use this file except in compliance with

  7.    the License.  You may obtain a copy of the License at

  8. 

  9.        http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11.    Unless required by applicable law or agreed to in writing, software

  12.    distributed under the License is distributed on an "AS IS" BASIS,

  13.    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.    See the License for the specific language governing permissions and

  15.    limitations under the License.

  16. ==================================================================== */

  17. package org.apache.poi.poifs.crypt;

  18. 

  19. import java.io.IOException;

  20. import java.io.InputStream;

  21. import java.io.StringWriter;

  22. import java.math.BigInteger;

  23. import java.security.KeyPair;

  24. import java.security.KeyPairGenerator;

  25. import java.security.PrivateKey;

  26. import java.security.PublicKey;

  27. import java.security.SecureRandom;

  28. import java.security.cert.CRLException;

  29. import java.security.cert.CertificateEncodingException;

  30. import java.security.cert.CertificateException;

  31. import java.security.cert.X509CRL;

  32. import java.security.cert.X509Certificate;

  33. import java.security.interfaces.RSAPublicKey;

  34. import java.security.spec.RSAKeyGenParameterSpec;

  35. import java.util.Date;

  36. 

  37. import javax.xml.parsers.DocumentBuilder;

  38. import javax.xml.parsers.DocumentBuilderFactory;

  39. import javax.xml.parsers.ParserConfigurationException;

  40. import javax.xml.transform.OutputKeys;

  41. import javax.xml.transform.Result;

  42. import javax.xml.transform.Source;

  43. import javax.xml.transform.Transformer;

  44. import javax.xml.transform.TransformerException;

  45. import javax.xml.transform.TransformerFactory;

  46. import javax.xml.transform.dom.DOMSource;

  47. import javax.xml.transform.stream.StreamResult;

  48. 

  49. import org.bouncycastle.asn1.DERIA5String;

  50. import org.bouncycastle.asn1.DEROctetString;

  51. import org.bouncycastle.asn1.DERSequence;

  52. import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;

  53. import org.bouncycastle.asn1.x500.X500Name;

  54. import org.bouncycastle.asn1.x509.AuthorityInformationAccess;

  55. import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;

  56. import org.bouncycastle.asn1.x509.BasicConstraints;

  57. import org.bouncycastle.asn1.x509.CRLNumber;

  58. import org.bouncycastle.asn1.x509.CRLReason;

  59. import org.bouncycastle.asn1.x509.DistributionPoint;

  60. import org.bouncycastle.asn1.x509.DistributionPointName;

  61. import org.bouncycastle.asn1.x509.Extension;

  62. import org.bouncycastle.asn1.x509.Extensions;

  63. import org.bouncycastle.asn1.x509.GeneralName;

  64. import org.bouncycastle.asn1.x509.GeneralNames;

  65. import org.bouncycastle.asn1.x509.KeyUsage;

  66. import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;

  67. import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;

  68. import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;

  69. import org.bouncycastle.cert.X509CRLHolder;

  70. import org.bouncycastle.cert.X509CertificateHolder;

  71. import org.bouncycastle.cert.X509ExtensionUtils;

  72. import org.bouncycastle.cert.X509v2CRLBuilder;

  73. import org.bouncycastle.cert.X509v3CertificateBuilder;

  74. import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;

  75. import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;

  76. import org.bouncycastle.cert.ocsp.BasicOCSPResp;

  77. import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;

  78. import org.bouncycastle.cert.ocsp.CertificateID;

  79. import org.bouncycastle.cert.ocsp.CertificateStatus;

  80. import org.bouncycastle.cert.ocsp.OCSPReq;

  81. import org.bouncycastle.cert.ocsp.OCSPReqBuilder;

  82. import org.bouncycastle.cert.ocsp.OCSPResp;

  83. import org.bouncycastle.cert.ocsp.OCSPRespBuilder;

  84. import org.bouncycastle.cert.ocsp.Req;

  85. import org.bouncycastle.cert.ocsp.RevokedStatus;

  86. import org.bouncycastle.crypto.params.RSAKeyParameters;

  87. import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;

  88. import org.bouncycastle.operator.ContentSigner;

  89. import org.bouncycastle.operator.DigestCalculator;

  90. import org.bouncycastle.operator.OperatorCreationException;

  91. import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

  92. import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

  93. import org.w3c.dom.Document;

  94. import org.w3c.dom.Node;

  95. import org.xml.sax.InputSource;

  96. import org.xml.sax.SAXException;

  97. 

  98. public class PkiTestUtils {

  99. 

  100.     private PkiTestUtils() {

  101.         super();

  102.     }

  103. 

  104.     static KeyPair generateKeyPair() throws Exception {

  105.         KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");

  106.         SecureRandom random = new SecureRandom();

  107.         keyPairGenerator.initialize(new RSAKeyGenParameterSpec(1024,

  108.                 RSAKeyGenParameterSpec.F4), random);

  109.         return keyPairGenerator.generateKeyPair();

  110.     }

  111. 

  112.     static X509Certificate generateCertificate(PublicKey subjectPublicKey,

  113.             String subjectDn, Date notBefore, Date notAfter,

  114.             X509Certificate issuerCertificate, PrivateKey issuerPrivateKey,

  115.             boolean caFlag, int pathLength, String crlUri, String ocspUri,

  116.             KeyUsage keyUsage)

  117.     throws IOException, OperatorCreationException, CertificateException

  118.     {

  119.         String signatureAlgorithm = "SHA1withRSA";

  120.         X500Name issuerName;

  121.         if (issuerCertificate != null) {

  122.             issuerName = new X509CertificateHolder(issuerCertificate.getEncoded()).getIssuer();

  123.         } else {

  124.             issuerName = new X500Name(subjectDn);

  125.         }

  126.         

  127.         RSAPublicKey rsaPubKey = (RSAPublicKey)subjectPublicKey;

  128.         RSAKeyParameters rsaSpec = new RSAKeyParameters(false, rsaPubKey.getModulus(), rsaPubKey.getPublicExponent());

  129. 

  130.         SubjectPublicKeyInfo subjectPublicKeyInfo = 

  131.             SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(rsaSpec);

  132. 

  133.         DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder()

  134.             .setProvider("BC").build().get(CertificateID.HASH_SHA1);

  135.         

  136.         X509v3CertificateBuilder certificateGenerator = new X509v3CertificateBuilder(

  137.               issuerName

  138.             , new BigInteger(128, new SecureRandom())

  139.             , notBefore

  140.             , notAfter

  141.             , new X500Name(subjectDn)

  142.             , subjectPublicKeyInfo

  143.         );

  144. 

  145.         X509ExtensionUtils exUtils = new X509ExtensionUtils(digestCalc);

  146.         SubjectKeyIdentifier subKeyId = exUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo);

  147.         AuthorityKeyIdentifier autKeyId = (issuerCertificate != null) 

  148.             ? exUtils.createAuthorityKeyIdentifier(new X509CertificateHolder(issuerCertificate.getEncoded()))

  149.             : exUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo);

  150. 

  151.         certificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subKeyId);

  152.         certificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, autKeyId);

  153. 

  154.         if (caFlag) {

  155.             BasicConstraints bc;

  156.             

  157.             if (-1 == pathLength) {

  158.                 bc = new BasicConstraints(true);

  159.             } else {

  160.                 bc = new BasicConstraints(pathLength);

  161.             }

  162.             certificateGenerator.addExtension(Extension.basicConstraints, false, bc);

  163.         }

  164. 

  165.         if (null != crlUri) {

  166.             int uri = GeneralName.uniformResourceIdentifier;

  167.             DERIA5String crlUriDer = new DERIA5String(crlUri);

  168.             GeneralName gn = new GeneralName(uri, crlUriDer);

  169. 

  170.             DERSequence gnDer = new DERSequence(gn);

  171.             GeneralNames gns = GeneralNames.getInstance(gnDer);

  172.             

  173.             DistributionPointName dpn = new DistributionPointName(0, gns);

  174.             DistributionPoint distp = new DistributionPoint(dpn, null, null);

  175.             DERSequence distpDer = new DERSequence(distp);

  176.             certificateGenerator.addExtension(Extension.cRLDistributionPoints, false, distpDer);

  177.         }

  178. 

  179.         if (null != ocspUri) {

  180.             int uri = GeneralName.uniformResourceIdentifier;

  181.             GeneralName ocspName = new GeneralName(uri, ocspUri);

  182.             

  183.             AuthorityInformationAccess authorityInformationAccess =

  184.                 new AuthorityInformationAccess(X509ObjectIdentifiers.ocspAccessMethod, ocspName);

  185.             

  186.             certificateGenerator.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess);

  187.         }

  188. 

  189.         if (null != keyUsage) {

  190.             certificateGenerator.addExtension(Extension.keyUsage, true, keyUsage);

  191.         }

  192. 

  193.         JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm);

  194.         signerBuilder.setProvider("BC");

  195.         

  196.         X509CertificateHolder certHolder =

  197.             certificateGenerator.build(signerBuilder.build(issuerPrivateKey));

  198. 

  199.         /*

  200.          * Next certificate factory trick is needed to make sure that the

  201.          * certificate delivered to the caller is provided by the default

  202.          * security provider instead of BouncyCastle. If we don't do this trick

  203.          * we might run into trouble when trying to use the CertPath validator.

  204.          */

  205. //        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

  206. //        certificate = (X509Certificate) certificateFactory

  207. //                .generateCertificate(new ByteArrayInputStream(certificate

  208. //                        .getEncoded()));

  209.         return new JcaX509CertificateConverter().getCertificate(certHolder);

  210.     }

  211. 

  212.     static Document loadDocument(InputStream documentInputStream)

  213.             throws ParserConfigurationException, SAXException, IOException {

  214.         InputSource inputSource = new InputSource(documentInputStream);

  215.         DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory

  216.                 .newInstance();

  217.         documentBuilderFactory.setNamespaceAware(true);

  218.         DocumentBuilder documentBuilder = documentBuilderFactory

  219.                 .newDocumentBuilder();

  220.         return documentBuilder.parse(inputSource);

  221.     }

  222. 

  223.     static String toString(Node dom) throws TransformerException {

  224.         Source source = new DOMSource(dom);

  225.         StringWriter stringWriter = new StringWriter();

  226.         Result result = new StreamResult(stringWriter);

  227.         TransformerFactory transformerFactory = TransformerFactory

  228.                 .newInstance();

  229.         Transformer transformer = transformerFactory.newTransformer();

  230.         /*

  231.          * We have to omit the ?xml declaration if we want to embed the

  232.          * document.

  233.          */

  234.         transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");

  235.         transformer.transform(source, result);

  236.         return stringWriter.getBuffer().toString();

  237.     }

  238. 

  239.     public static X509CRL generateCrl(X509Certificate issuer, PrivateKey issuerPrivateKey)

  240.     throws CertificateEncodingException, IOException, CRLException, OperatorCreationException {

  241.         

  242.         X509CertificateHolder holder = new X509CertificateHolder(issuer.getEncoded());

  243.         X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(holder.getIssuer(), new Date());

  244.         crlBuilder.setNextUpdate(new Date(new Date().getTime() + 100000));

  245.         JcaContentSignerBuilder contentBuilder = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC");

  246. 

  247.         CRLNumber crlNumber = new CRLNumber(new BigInteger("1234"));

  248.         

  249.         crlBuilder.addExtension(Extension.cRLNumber, false, crlNumber);

  250.         X509CRLHolder x509Crl = crlBuilder.build(contentBuilder.build(issuerPrivateKey));

  251.         return new JcaX509CRLConverter().setProvider("BC").getCRL(x509Crl);

  252.     }

  253. 

  254.     public static OCSPResp createOcspResp(X509Certificate certificate,

  255.             boolean revoked, X509Certificate issuerCertificate,

  256.             X509Certificate ocspResponderCertificate,

  257.             PrivateKey ocspResponderPrivateKey, String signatureAlgorithm,

  258.             long nonceTimeinMillis)

  259.             throws Exception {

  260.         DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder()

  261.             .setProvider("BC").build().get(CertificateID.HASH_SHA1);

  262.         X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCertificate.getEncoded());

  263.         CertificateID certId = new CertificateID(digestCalc, issuerHolder, certificate.getSerialNumber());

  264.         

  265.         // request

  266.         //create a nonce to avoid replay attack

  267.         BigInteger nonce = BigInteger.valueOf(nonceTimeinMillis);

  268.         DEROctetString nonceDer = new DEROctetString(nonce.toByteArray());

  269.         Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, nonceDer);

  270.         Extensions exts = new Extensions(ext);

  271.         

  272.         OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();

  273.         ocspReqBuilder.addRequest(certId);

  274.         ocspReqBuilder.setRequestExtensions(exts);

  275.         OCSPReq ocspReq = ocspReqBuilder.build();

  276. 

  277.         

  278.         SubjectPublicKeyInfo keyInfo = new SubjectPublicKeyInfo

  279.             (CertificateID.HASH_SHA1, ocspResponderCertificate.getPublicKey().getEncoded());

  280.         

  281.         BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(keyInfo, digestCalc);

  282.         basicOCSPRespBuilder.setResponseExtensions(exts);

  283. 

  284.         // request processing

  285.         Req[] requestList = ocspReq.getRequestList();

  286.         for (Req ocspRequest : requestList) {

  287.             CertificateID certificateID = ocspRequest.getCertID();

  288.             CertificateStatus certificateStatus = CertificateStatus.GOOD;

  289.             if (revoked) {

  290.                 certificateStatus = new RevokedStatus(new Date(), CRLReason.privilegeWithdrawn);

  291.             }

  292.             basicOCSPRespBuilder.addResponse(certificateID, certificateStatus);

  293.         }

  294. 

  295.         // basic response generation

  296.         X509CertificateHolder[] chain = null;

  297.         if (!ocspResponderCertificate.equals(issuerCertificate)) {

  298.             // TODO: HorribleProxy can't convert array input params yet

  299.             chain = new X509CertificateHolder[] {

  300.                 new X509CertificateHolder(ocspResponderCertificate.getEncoded()),

  301.                 issuerHolder

  302.             };

  303.         }

  304.         

  305.         ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA")

  306.             .setProvider("BC").build(ocspResponderPrivateKey);

  307.         BasicOCSPResp basicOCSPResp = basicOCSPRespBuilder.build(contentSigner, chain, new Date(nonceTimeinMillis));

  308. 

  309.         

  310.         OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();

  311. 

  312.         return ocspRespBuilder.build(OCSPRespBuilder.SUCCESSFUL, basicOCSPResp);

  313.     }

  314. }