1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
package model.csr;
import model.asn1.ASN1Object;
import model.asn1.BitString;
import model.asn1.Tag;
import model.asn1.exceptions.ParseException;
import model.asn1.parsing.BytesReader;
import model.pki.AlgorithmIdentifier;
import java.util.Arrays;
import java.util.Collection;
import java.util.stream.Stream;
/**
* Represents a PKCS#10 CSR.
* <pre>
* CertificationRequest ::= SEQUENCE {
* certificationRequestInfo CertificationRequestInfo,
* signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
* signature BIT STRING
* }
* </pre>
* <p>
* A CSR is used to request a certificate from a CA, using a public key. The client encodes a CSR with
* its subject name, public key, and attributes, and sign that with their private key. The private key
* must match the public key encoded in the CSR. This is to prove to the CA that the client has the private
* key of the requested public key.
* After the CA receives the CSR, they can create a new certificate, with or without the requested subject
* and attributes. That is, the requested attributes only have informational purposes, and it is the CA that
* determines whether to use them.
* The data in the CSR are encoded in {@link CertificationRequestInfo}. This object contains the data an
* the signature.
*/
public class CertificationRequest extends ASN1Object {
/**
* All info of that CSR, excluding the signature.
* It will be signed, and the signature is in <pre>signature</pre>.
*/
private final CertificationRequestInfo certificationRequestInfo;
/**
* The algorithm used for <pre>signature</pre>.
*/
private final AlgorithmIdentifier signatureAlgorithm;
/**
* The signature.
*/
private final BitString signature;
/**
* EFFECTS: Initialize the object with the given tag and parentTag, and info, signatureAlgorithm, and signature.
* REQUIRES: The signature must match the public key specified in info. The algorithm must match the signature. The
* fields must have correct tags as described in the class specification.
*/
public CertificationRequest(Tag tag, Tag parentTag,
final CertificationRequestInfo certificationRequestInfo,
final AlgorithmIdentifier signatureAlgorithm,
final BitString signature) {
super(tag, parentTag);
this.certificationRequestInfo = certificationRequestInfo;
this.signatureAlgorithm = signatureAlgorithm;
this.signature = signature;
}
/**
* EFFECTS: Parse input DER CSR, without verifying the signature.
* Throws {@link ParseException} if the input is invalid:
* - Any fields missing (info, algorithm, signature)
* - Any fields having an incorrect tag (as seen in the ASN.1 definition)
* - Any fields with encoding instructions that violate implicit / explicit encoding rules
* - Other issues found during parsing the object, like early EOF (see {@link ASN1Object})
* MODIFIES: this, encoded
*/
public CertificationRequest(BytesReader encoded, boolean hasParentTag) throws ParseException {
super(encoded, hasParentTag);
this.certificationRequestInfo = new CertificationRequestInfo(encoded, false);
this.certificationRequestInfo.getTag().enforce(TAG_SEQUENCE);
this.signatureAlgorithm = new AlgorithmIdentifier(encoded, false);
this.signatureAlgorithm.getTag().enforce(TAG_SEQUENCE);
this.signature = new BitString(encoded, false);
this.signature.getTag().enforce(BitString.TAG);
}
/**
* EFFECT: Encode that sequence into an ordered array of bytes, following the class specification.
*/
@Override
public Byte[] encodeValueDER() {
return Stream.of(Arrays.asList(certificationRequestInfo.encodeDER()),
Arrays.asList(signatureAlgorithm.encodeDER()),
Arrays.asList(signature.encodeDER()))
.flatMap(Collection::stream)
.toArray(Byte[]::new);
}
public CertificationRequestInfo getCertificationRequestInfo() {
return certificationRequestInfo;
}
public AlgorithmIdentifier getSignatureAlgorithm() {
return signatureAlgorithm;
}
public BitString getSignature() {
return signature;
}
}
|