From d342a45d98c4795b3a3fe1aaef5236ad4a782b55 Mon Sep 17 00:00:00 2001
From: Yuuta Liang <yuutaw@students.cs.ubc.ca>
Date: Thu, 12 Oct 2023 12:10:33 +0800
Subject: Implement data structures from X.680, X.501, X.509, and PKCS#10, with
 X.690 encoding / decoding support

The implementation took four days, and it is still a little bit rough. Updated version should arrive soon.

Signed-off-by: Yuuta Liang <yuutaw@students.cs.ubc.ca>
---
 src/main/model/pki/cert/Certificate.java | 127 +++++++++++++++++++++++++++++++
 1 file changed, 127 insertions(+)
 create mode 100644 src/main/model/pki/cert/Certificate.java

(limited to 'src/main/model/pki/cert/Certificate.java')

diff --git a/src/main/model/pki/cert/Certificate.java b/src/main/model/pki/cert/Certificate.java
new file mode 100644
index 0000000..4e6c291
--- /dev/null
+++ b/src/main/model/pki/cert/Certificate.java
@@ -0,0 +1,127 @@
+package model.pki.cert;
+
+import model.asn1.ASN1Object;
+import model.asn1.BitString;
+import model.asn1.Tag;
+import model.asn1.exceptions.ParseException;
+import model.asn1.parsing.BytesReader;
+import model.pki.AlgorithmIdentifier;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.stream.Stream;
+
+/**
+ * Represents an X.509 signed certificate.
+ * <pre>
+ *    Certificate ::= SIGNED{TBSCertificate}
+ *
+ *    ENCRYPTED{ToBeEnciphered} ::= BIT STRING (CONSTRAINED BY {
+ *      -- shall be the result of applying an encipherment procedure
+ *      -- to the BER-encoded octets of a value of -- ToBeEnciphered } )
+ *
+ *    HASH{ToBeHashed} ::= SEQUENCE {
+ *      algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
+ *      hashValue BIT STRING (CONSTRAINED BY {
+ *          -- shall be the result of applying a hashing procedure to the DER-encoded
+ *          -- octets of a value of -- ToBeHashed } ),
+ *    ... }
+ *
+ *    ENCRYPTED-HASH{ToBeSigned} ::= BIT STRING (CONSTRAINED BY {
+ *      -- shall be the result of applying a hashing procedure to the DER-encoded (see 6.2)
+ *      -- octets of a value of -- ToBeSigned -- and then applying an encipherment procedure
+ *      -- to those octets -- } )
+ *
+ *    SIGNATURE{ToBeSigned} ::= SEQUENCE {
+ *      algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
+ *      encrypted ENCRYPTED-HASH{ToBeSigned},
+ *     ... }
+ *
+ *    SIGNED{ToBeSigned} ::= SEQUENCE {
+ *      toBeSigned ToBeSigned,
+ *      COMPONENTS OF SIGNATURE{ToBeSigned},
+ *    ... }
+ * </pre>
+ *
+ * A certificate creates a binding between the proposed subject name and the public key. It is only valid once a trusted
+ * CA signs it. Relying parties only need to trust a single trust anchor (the Root CA), and all of its issued certs are
+ * trusted. This is done through the cert tree: each certificate contains the Issued By field, indicating the DN of the
+ * upper level, all the way until the root CA, which is hard-coded in relying parties.
+ */
+public class Certificate extends ASN1Object {
+    /**
+     * All info of that cert, excluding the signature.
+     * It will be signed, and the signature is in <pre>signature</pre>.
+     */
+    private final TbsCertificate certificate;
+
+    /**
+     * The algorithm used for <pre>signature</pre>.
+     */
+    private final AlgorithmIdentifier signatureAlgorithm;
+
+    /**
+     * The signature.
+     */
+    private final BitString signature;
+
+    /**
+     * EFFECTS: Initialize the object with the given tag and parentTag, and info, signatureAlgorithm, and signature.
+     * REQUIRES: The algorithm must match the signature. The fields must have correct tags as described in the class
+     * specification (SEQUENCE, SEQUENCE, BIT STRING).
+     */
+    public Certificate(Tag tag, Tag parentTag,
+                       final TbsCertificate certificate,
+                       final AlgorithmIdentifier signatureAlgorithm,
+                       final BitString signature) {
+        super(tag, parentTag);
+        this.certificate = certificate;
+        this.signatureAlgorithm = signatureAlgorithm;
+        this.signature = signature;
+    }
+
+    /**
+     * EFFECTS: Parse input DER, without verifying the signature.
+     *   Throws {@link ParseException} if the input is invalid:
+     *    - Any fields missing
+     *    - Any fields having an incorrect tag (as seen in the ASN.1 definition)
+     *    - Any fields with encoding instructions that violate implicit / explicit encoding rules
+     *    - Other issues found during parsing the object, like early EOF (see {@link ASN1Object})
+     * MODIFIES: this, encoded
+     */
+    public Certificate(BytesReader encoded, boolean hasParentTag) throws ParseException {
+        super(encoded, hasParentTag);
+        this.certificate = new TbsCertificate(encoded, false);
+        this.certificate.getTag().enforce(TAG_SEQUENCE);
+
+        this.signatureAlgorithm = new AlgorithmIdentifier(encoded, false);
+        this.signatureAlgorithm.getTag().enforce(TAG_SEQUENCE);
+
+        this.signature = new BitString(encoded, false);
+        this.signature.getTag().enforce(BitString.TAG);
+    }
+
+    /**
+     * EFFECT: Encode that sequence into an ordered array of bytes, following the class specification.
+     */
+    @Override
+    public Byte[] encodeValueDER() {
+        return Stream.of(Arrays.asList(certificate.encodeDER()),
+                Arrays.asList(signatureAlgorithm.encodeDER()),
+                Arrays.asList(signature.encodeDER()))
+                .flatMap(Collection::stream)
+                .toArray(Byte[]::new);
+    }
+
+    public TbsCertificate getCertificate() {
+        return certificate;
+    }
+
+    public AlgorithmIdentifier getSignatureAlgorithm() {
+        return signatureAlgorithm;
+    }
+
+    public BitString getSignature() {
+        return signature;
+    }
+}
-- 
cgit v1.2.3