Example 16 with GeneralSecurityException
use of java.security.GeneralSecurityException in project android_frameworks_base by ResurrectionRemix.
the class OSUClient method remediate.
public void remediate(OSUManager osuManager, Network network, KeyManager km, HomeSP homeSP, int flowType) throws IOException, GeneralSecurityException {
try (HTTPHandler httpHandler = createHandler(network, homeSP, km, flowType)) {
URL redirectURL = osuManager.prepareUserInput(homeSP.getFriendlyName());
OMADMAdapter omadmAdapter = osuManager.getOMADMAdapter();
String regRequest = SOAPBuilder.buildPostDevDataResponse(RequestReason.SubRemediation, null, redirectURL.toString(), omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
OSUResponse serverResponse = httpHandler.exchangeSOAP(mURL, regRequest);
if (serverResponse.getMessageType() != OSUMessageType.PostDevData) {
throw new IOException("Expected a PostDevDataResponse");
}
String sessionID = serverResponse.getSessionID();
PostDevDataResponse pddResponse = (PostDevDataResponse) serverResponse;
Log.d(TAG, "Remediation response: " + pddResponse);
Map<OSUCertType, List<X509Certificate>> certs = null;
PrivateKey clientKey = null;
if (pddResponse.getStatus() != OSUStatus.RemediationComplete) {
if (pddResponse.getExecCommand() == ExecCommand.UploadMO) {
String ulMessage = SOAPBuilder.buildPostDevDataResponse(RequestReason.MOUpload, null, redirectURL.toString(), omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN), osuManager.getMOTree(homeSP));
Log.d(TAG, "Upload MO: " + ulMessage);
OSUResponse ulResponse = httpHandler.exchangeSOAP(mURL, ulMessage);
if (ulResponse.getMessageType() != OSUMessageType.PostDevData) {
throw new IOException("Expected a PostDevDataResponse to MOUpload");
}
pddResponse = (PostDevDataResponse) ulResponse;
}
if (pddResponse.getExecCommand() == ExecCommand.Browser) {
if (flowType == OSUManager.FLOW_POLICY) {
throw new IOException("Browser launch requested in policy flow");
}
String webURL = ((BrowserURI) pddResponse.getCommandData()).getURI();
if (webURL == null) {
throw new IOException("No web-url");
} else if (!webURL.contains(sessionID)) {
throw new IOException("Bad or missing session ID in webURL");
}
if (!osuManager.startUserInput(new URL(webURL), network)) {
throw new IOException("User session failed");
}
Log.d(TAG, " -- Sending user input complete:");
String userComplete = SOAPBuilder.buildPostDevDataResponse(RequestReason.InputComplete, sessionID, null, omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
OSUResponse udResponse = httpHandler.exchangeSOAP(mURL, userComplete);
if (udResponse.getMessageType() != OSUMessageType.PostDevData) {
throw new IOException("Bad user input complete response: " + udResponse);
}
pddResponse = (PostDevDataResponse) udResponse;
} else if (pddResponse.getExecCommand() == ExecCommand.GetCert) {
certs = new HashMap<>();
try (ESTHandler estHandler = new ESTHandler((GetCertData) pddResponse.getCommandData(), network, osuManager.getOMADMAdapter(), km, mKeyStore, homeSP, flowType)) {
estHandler.execute(true);
certs.put(OSUCertType.CA, estHandler.getCACerts());
certs.put(OSUCertType.Client, estHandler.getClientCerts());
clientKey = estHandler.getClientKey();
}
if (httpHandler.isHTTPAuthPerformed()) {
// 8.4.3.6
httpHandler.renegotiate(certs, clientKey);
}
Log.d(TAG, " -- Sending remediation cert enrollment complete:");
// 8.4.3.5 in the spec actually prescribes that an update URI is sent here,
// but there is no remediation flow that defines user interaction after EST
// so for now a null is passed.
String certComplete = SOAPBuilder.buildPostDevDataResponse(RequestReason.CertEnrollmentComplete, sessionID, null, omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
OSUResponse ceResponse = httpHandler.exchangeSOAP(mURL, certComplete);
if (ceResponse.getMessageType() != OSUMessageType.PostDevData) {
throw new IOException("Bad cert enrollment complete response: " + ceResponse);
}
pddResponse = (PostDevDataResponse) ceResponse;
} else {
throw new IOException("Unexpected command: " + pddResponse.getExecCommand());
}
}
if (pddResponse.getStatus() != OSUStatus.RemediationComplete) {
throw new IOException("Expected a PostDevDataResponse to MOUpload");
}
Log.d(TAG, "Remediation response: " + pddResponse);
List<MOData> mods = new ArrayList<>();
for (OSUCommand command : pddResponse.getCommands()) {
if (command.getOSUCommand() == OSUCommandID.UpdateNode) {
mods.add((MOData) command.getCommandData());
} else if (command.getOSUCommand() != OSUCommandID.NoMOUpdate) {
throw new IOException("Unexpected OSU response: " + command);
}
}
// 1. Machine remediation: Remediation complete + replace node
// 2a. User remediation with upload: ExecCommand.UploadMO
// 2b. User remediation without upload: ExecCommand.Browser
// 3. User remediation only: -> sppPostDevData user input complete
//
// 4. Update node
// 5. -> Update response
// 6. Exchange complete
OSUError error = null;
String updateResponse = SOAPBuilder.buildUpdateResponse(sessionID, error);
Log.d(TAG, " -- Sending updateResponse:");
OSUResponse exComplete = httpHandler.exchangeSOAP(mURL, updateResponse);
Log.d(TAG, "exComplete response: " + exComplete);
if (exComplete.getMessageType() != OSUMessageType.ExchangeComplete) {
throw new IOException("Expected ExchangeComplete: " + exComplete);
} else if (exComplete.getStatus() != OSUStatus.ExchangeComplete) {
throw new IOException("Bad ExchangeComplete status: " + exComplete);
}
// the network is lost and the remediation flow fails.
try {
osuManager.remediationComplete(homeSP, mods, certs, clientKey);
} catch (IOException | GeneralSecurityException e) {
osuManager.provisioningFailed(homeSP.getFriendlyName(), e.getMessage(), homeSP, OSUManager.FLOW_REMEDIATION);
error = OSUError.CommandFailed;
}
}
}
Also used :
PrivateKey(java.security.PrivateKey)
HashMap(java.util.HashMap)
ESTHandler(com.android.hotspot2.est.ESTHandler)
GeneralSecurityException(java.security.GeneralSecurityException)
ArrayList(java.util.ArrayList)
IOException(java.io.IOException)
OMADMAdapter(com.android.hotspot2.OMADMAdapter)
URL(java.net.URL)
MOData(com.android.hotspot2.osu.commands.MOData)
BrowserURI(com.android.hotspot2.osu.commands.BrowserURI)
ArrayList(java.util.ArrayList)
List(java.util.List)
GetCertData(com.android.hotspot2.osu.commands.GetCertData)
Example 17 with GeneralSecurityException
use of java.security.GeneralSecurityException in project android_frameworks_base by ResurrectionRemix.
the class OSUManager method loadKeyStore.
private static KeyStore loadKeyStore(File ksFile, Set<X509Certificate> diskCerts) throws IOException {
try {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
if (ksFile.exists()) {
try (FileInputStream in = new FileInputStream(ksFile)) {
keyStore.load(in, null);
}
// Note: comparing two sets of certs does not work.
boolean mismatch = false;
int loadCount = 0;
for (int n = 0; n < 1000; n++) {
String alias = String.format("%s%d", CERT_WFA_ALIAS, n);
Certificate cert = keyStore.getCertificate(alias);
if (cert == null) {
break;
}
loadCount++;
boolean matched = false;
Iterator<X509Certificate> iter = diskCerts.iterator();
while (iter.hasNext()) {
X509Certificate diskCert = iter.next();
if (cert.equals(diskCert)) {
iter.remove();
matched = true;
break;
}
}
if (!matched) {
mismatch = true;
break;
}
}
if (mismatch || !diskCerts.isEmpty()) {
Log.d(TAG, "Re-seeding Passpoint key store with " + diskCerts.size() + " WFA certs");
for (int n = 0; n < 1000; n++) {
String alias = String.format("%s%d", CERT_WFA_ALIAS, n);
Certificate cert = keyStore.getCertificate(alias);
if (cert == null) {
break;
} else {
keyStore.deleteEntry(alias);
}
}
int index = 0;
for (X509Certificate caCert : diskCerts) {
keyStore.setCertificateEntry(String.format("%s%d", CERT_WFA_ALIAS, index), caCert);
index++;
}
try (FileOutputStream out = new FileOutputStream(ksFile)) {
keyStore.store(out, null);
}
} else {
Log.d(TAG, "Loaded Passpoint key store with " + loadCount + " CA certs");
Enumeration<String> aliases = keyStore.aliases();
while (aliases.hasMoreElements()) {
Log.d("ZXC", "KS Alias '" + aliases.nextElement() + "'");
}
}
} else {
keyStore.load(null, null);
int index = 0;
for (X509Certificate caCert : diskCerts) {
keyStore.setCertificateEntry(String.format("%s%d", CERT_WFA_ALIAS, index), caCert);
index++;
}
try (FileOutputStream out = new FileOutputStream(ksFile)) {
keyStore.store(out, null);
}
Log.d(TAG, "Initialized Passpoint key store with " + diskCerts.size() + " CA certs");
}
return keyStore;
} catch (GeneralSecurityException gse) {
throw new IOException(gse);
}
}
Also used :
FileOutputStream(java.io.FileOutputStream)
GeneralSecurityException(java.security.GeneralSecurityException)
IOException(java.io.IOException)
KeyStore(java.security.KeyStore)
FileInputStream(java.io.FileInputStream)
X509Certificate(java.security.cert.X509Certificate)
X509Certificate(java.security.cert.X509Certificate)
Certificate(java.security.cert.Certificate)
Example 18 with GeneralSecurityException
use of java.security.GeneralSecurityException in project android_frameworks_base by ResurrectionRemix.
the class OSUManager method provisioningComplete.
public void provisioningComplete(OSUInfo osuInfo, MOData moData, Map<OSUCertType, List<X509Certificate>> certs, PrivateKey privateKey, Network osuNetwork) {
synchronized (mWifiNetworkAdapter) {
mProvisioningThread = null;
}
try {
Log.d("ZXZ", "MOTree.toXML: " + moData.getMOTree().toXml());
HomeSP homeSP = mWifiNetworkAdapter.addSP(moData.getMOTree());
Integer spNwk = mWifiNetworkAdapter.addNetwork(homeSP, certs, privateKey, osuNetwork);
if (spNwk == null) {
notifyUser(OSUOperationStatus.ProvisioningFailure, "Failed to save network configuration", osuInfo.getName(LOCALE));
mWifiNetworkAdapter.removeSP(homeSP.getFQDN());
} else {
Set<X509Certificate> rootCerts = OSUSocketFactory.getRootCerts(mKeyStore);
X509Certificate remCert = getCert(certs, OSUCertType.Remediation);
X509Certificate polCert = getCert(certs, OSUCertType.Policy);
if (privateKey != null) {
X509Certificate cltCert = getCert(certs, OSUCertType.Client);
mKeyStore.setKeyEntry(CERT_CLT_KEY_ALIAS + homeSP, privateKey.getEncoded(), new X509Certificate[] { cltCert });
mKeyStore.setCertificateEntry(CERT_CLT_CERT_ALIAS, cltCert);
}
boolean usingShared = false;
int newCerts = 0;
if (remCert != null) {
if (!rootCerts.contains(remCert)) {
if (remCert.equals(polCert)) {
mKeyStore.setCertificateEntry(CERT_SHARED_ALIAS + homeSP.getFQDN(), remCert);
usingShared = true;
newCerts++;
} else {
mKeyStore.setCertificateEntry(CERT_REM_ALIAS + homeSP.getFQDN(), remCert);
newCerts++;
}
}
}
if (!usingShared && polCert != null) {
if (!rootCerts.contains(polCert)) {
mKeyStore.setCertificateEntry(CERT_POLICY_ALIAS + homeSP.getFQDN(), remCert);
newCerts++;
}
}
if (newCerts > 0) {
try (FileOutputStream out = new FileOutputStream(KEYSTORE_FILE)) {
mKeyStore.store(out, null);
}
}
notifyUser(OSUOperationStatus.ProvisioningSuccess, null, osuInfo.getName(LOCALE));
Log.d(TAG, "Provisioning complete.");
}
} catch (IOException | GeneralSecurityException | SAXException e) {
Log.e(TAG, "Failed to provision: " + e, e);
notifyUser(OSUOperationStatus.ProvisioningFailure, e.toString(), osuInfo.getName(LOCALE));
}
}
Also used :
HomeSP(com.android.hotspot2.pps.HomeSP)
AtomicInteger(java.util.concurrent.atomic.AtomicInteger)
FileOutputStream(java.io.FileOutputStream)
GeneralSecurityException(java.security.GeneralSecurityException)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
SAXException(org.xml.sax.SAXException)
Example 19 with GeneralSecurityException
use of java.security.GeneralSecurityException in project OpenAM by OpenRock.
the class LDAPUtils method newConnectionFactory.
/**
* Creates a new connection factory based on the provided parameters.
*
* @param ldapurl The address of the LDAP server.
* @param username The directory user's DN. May be null if this is an anonymous connection.
* @param password The directory user's password.
* @param heartBeatInterval The interval for sending out heartbeat requests.
* @param heartBeatTimeUnit The timeunit for the heartbeat interval.
* @param ldapOptions Additional LDAP settings used to create the connection factory.
* @return An authenticated/anonymous connection factory, which may also send heartbeat requests.
*/
private static ConnectionFactory newConnectionFactory(LDAPURL ldapurl, String username, char[] password, int heartBeatInterval, String heartBeatTimeUnit, Options ldapOptions) {
Boolean ssl = ldapurl.isSSL();
int heartBeatTimeout = SystemPropertiesManager.getAsInt(Constants.LDAP_HEARTBEAT_TIMEOUT, DEFAULT_HEARTBEAT_TIMEOUT);
if (ssl != null && ssl.booleanValue()) {
try {
//Creating a defensive copy of ldapOptions to handle the case when a mixture of SSL/non-SSL connections
//needs to be established.
ldapOptions = Options.copyOf(ldapOptions).set(LDAPConnectionFactory.SSL_CONTEXT, new SSLContextBuilder().getSSLContext());
} catch (GeneralSecurityException gse) {
DEBUG.error("An error occurred while creating SSLContext", gse);
}
}
// Enable heartbeat
if (heartBeatInterval > 0 && heartBeatTimeUnit != null) {
TimeUnit unit = TimeUnit.valueOf(heartBeatTimeUnit.toUpperCase());
ldapOptions = ldapOptions.set(HEARTBEAT_ENABLED, true).set(HEARTBEAT_INTERVAL, new Duration(unit.toSeconds(heartBeatInterval), TimeUnit.SECONDS)).set(HEARTBEAT_TIMEOUT, new Duration(unit.toSeconds(heartBeatTimeout), TimeUnit.SECONDS));
}
// Enable Authenticated connection
if (username != null) {
ldapOptions = ldapOptions.set(AUTHN_BIND_REQUEST, LDAPRequests.newSimpleBindRequest(username, password));
}
return new LDAPConnectionFactory(ldapurl.getHost(), ldapurl.getPort(), ldapOptions);
}
Also used :
GeneralSecurityException(java.security.GeneralSecurityException)
TimeUnit(java.util.concurrent.TimeUnit)
Duration(org.forgerock.util.time.Duration)
LDAPConnectionFactory(org.forgerock.opendj.ldap.LDAPConnectionFactory)
SSLContextBuilder(org.forgerock.opendj.ldap.SSLContextBuilder)
Example 20 with GeneralSecurityException
use of java.security.GeneralSecurityException in project OpenAM by OpenRock.
the class TOTPAlgorithm method hmac_sha.
/**
* This method uses the JCE to provide the crypto algorithm.
* HMAC computes a Hashed Message Authentication Code with the
* crypto hash algorithm as a parameter.
*
* @param crypto the crypto algorithm (HmacSHA1, HmacSHA256,
* HmacSHA512)
* @param keyBytes the bytes to use for the HMAC key
* @param text the message or text to be authenticated
*/
private static byte[] hmac_sha(String crypto, byte[] keyBytes, byte[] text) {
try {
Mac hmac;
hmac = Mac.getInstance(crypto);
SecretKeySpec macKey = new SecretKeySpec(keyBytes, "RAW");
hmac.init(macKey);
return hmac.doFinal(text);
} catch (GeneralSecurityException gse) {
throw new UndeclaredThrowableException(gse);
}
}
Also used :
SecretKeySpec(javax.crypto.spec.SecretKeySpec)
GeneralSecurityException(java.security.GeneralSecurityException)
UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException)
Mac(javax.crypto.Mac)
Aggregations
GeneralSecurityException (java.security.GeneralSecurityException)1197
IOException (java.io.IOException)448
Cipher (javax.crypto.Cipher)148
Test (org.junit.Test)136
X509Certificate (java.security.cert.X509Certificate)130
KeyStore (java.security.KeyStore)98
SSLContext (javax.net.ssl.SSLContext)86
SecretKeySpec (javax.crypto.spec.SecretKeySpec)82
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)77
ArrayList (java.util.ArrayList)75
File (java.io.File)64
InputStream (java.io.InputStream)63
Certificate (java.security.cert.Certificate)61
PublicKey (java.security.PublicKey)56
FileInputStream (java.io.FileInputStream)54
PrivateKey (java.security.PrivateKey)51
BigInteger (java.math.BigInteger)50
SecretKey (javax.crypto.SecretKey)48
IvParameterSpec (javax.crypto.spec.IvParameterSpec)47
KeyPair (java.security.KeyPair)45
