
the class PaddedBitString method main.

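/**
 * Parses the same BIT STRING encoded two ways and checks that both decode
 * to identical bytes.
 *
 * {@code DER_BITSTRING_PAD6} and {@code DER_BITSTRING_NOPAD} are class
 * constants defined elsewhere in this file; presumably they encode the same
 * bit content, once with 6 padding bits and once with none — TODO confirm.
 *
 * @param args ignored
 * @throws Exception if either encoding fails to parse (the parser's
 *         {@link IOException} is attached as the cause) or the decoded
 *         byte arrays differ
 */
public static void main(String[] args) throws Exception {
    byte[] padded;
    byte[] unpadded;
    try {
        padded = new DerInputStream(DER_BITSTRING_PAD6).getBitString();
    } catch (IOException e) {
        // Keep the parser failure as the cause instead of only printing it,
        // so the test harness sees the real reason.
        throw new Exception("Unable to parse BitString with 6 padding bits", e);
    }
    try {
        unpadded = new DerInputStream(DER_BITSTRING_NOPAD).getBitString();
    } catch (IOException e) {
        throw new Exception("Unable to parse BitString with no padding", e);
    }
    if (!Arrays.equals(padded, unpadded)) {
        throw new Exception("BitString comparison check failed");
    }
}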

the class KDC method processTgsReq.

/**
 * Processes a TGS_REQ and generates a TGS_REP (or KRB_ERROR).
 *
 * <p>Flow as implemented below: the PA-TGS-REQ's AP-REQ ticket is decrypted
 * with the key returned by {@code keyForUser} for the ticket's service, the
 * client name and session key are read from it, optional S4U2self
 * (PA-FOR-USER) and S4U2proxy (CNAME_IN_ADDL_TKT) handling is applied
 * subject to the allow-lists in {@code options}, ticket flags are computed,
 * and the reply is DER-encoded. Any {@link KrbException} raised on the way
 * is converted into a KRB_ERROR reply instead of being propagated.
 *
 * <p>Note that the AP-REQ authenticator ({@code apReq.authenticator}) is
 * read but not verified anywhere in this method; this is a test KDC.
 *
 * @param in the request
 * @return the response
 * @throws java.lang.Exception for various errors
 */
protected byte[] processTgsReq(byte[] in) throws Exception {
    TGSReq tgsReq = new TGSReq(in);
    PrincipalName service = tgsReq.reqBody.sname;
    // RESP_NT overrides the name type of the service principal used in the reply.
    if (options.containsKey(KDC.Option.RESP_NT)) {
        service = new PrincipalName((int) options.get(KDC.Option.RESP_NT), service.getNameStrings(), service.getRealm());
    }
    try {
        System.out.println(realm + "> " + tgsReq.reqBody.cname + " sends TGS-REQ for " + service + ", " + tgsReq.reqBody.kdcOptions);
        KDCReqBody body = tgsReq.reqBody;
        int[] eTypes = KDCReqBodyDotEType(body);
        // Both outgoing etypes are taken from the first etype the client listed.
        // etype for outgoing session key
        int e2 = eTypes[0];
        // etype for outgoing ticket
        int e3 = eTypes[0];
        PAData[] pas = KDCReqDotPAData(tgsReq);
        // tkt/etp/cname are only assigned while handling PA_TGS_REQ below.
        Ticket tkt = null;
        EncTicketPart etp = null;
        PrincipalName cname = null;
        boolean allowForwardable = true;
        if (pas == null || pas.length == 0) {
            // A TGS-REQ without any pre-authentication data is rejected.
            throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP);
        } else {
            PrincipalName forUserCName = null;
            for (PAData pa : pas) {
                if (pa.getType() == Krb5.PA_TGS_REQ) {
                    APReq apReq = new APReq(pa.getValue());
                    // NOTE(review): 'ed' is never used below — the authenticator
                    // is not checked in this test KDC.
                    EncryptedData ed = apReq.authenticator;
                    tkt = apReq.ticket;
                    int te = tkt.encPart.getEType();
                    // The presented ticket is decrypted with the key of the
                    // service it was issued for (the TGS itself for a TGT).
                    EncryptionKey kkey = keyForUser(tkt.sname, te, true);
                    byte[] bb = tkt.encPart.decrypt(kkey, KeyUsage.KU_TICKET);
                    DerInputStream derIn = new DerInputStream(bb);
                    DerValue der = derIn.getDerValue();
                    etp = new EncTicketPart(der.toByteArray());
                    // Finally, cname will be overwritten by PA-FOR-USER
                    // if it exists.
                    cname = etp.cname;
                    System.out.println(realm + "> presenting a ticket of " + etp.cname + " to " + tkt.sname);
                } else if (pa.getType() == Krb5.PA_FOR_USER) {
                    // PA-FOR-USER (S4U2self) is only honored when the option
                    // is configured; otherwise it is silently ignored.
                    if (options.containsKey(Option.ALLOW_S4U2SELF)) {
                        PAForUserEnc p4u = new PAForUserEnc(new DerValue(pa.getValue()), null);
                        forUserCName = p4u.name;
                        System.out.println(realm + "> presenting a PA_FOR_USER " + " in the name of " + p4u.name);
                    }
                }
            }
            if (forUserCName != null) {
                // ALLOW_S4U2SELF holds the names of services allowed to
                // impersonate (unchecked cast; the option is set by this class).
                List<String> names = (List<String>) options.get(Option.ALLOW_S4U2SELF);
                // NOTE(review): if PA_FOR_USER was present without a preceding
                // PA_TGS_REQ, cname is still null here and toString() throws
                // NullPointerException before the tkt == null check below runs.
                if (!names.contains(cname.toString())) {
                    // Mimic the normal KDC behavior. When a server is not
                    // allowed to send S4U2self, do not send an error.
                    // Instead, send a ticket which is useless later.
                    allowForwardable = false;
                }
                cname = forUserCName;
            }
            if (tkt == null) {
                throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP);
            }
        }
        // Session key for original ticket, TGT
        // (used below to encrypt the EncTGSRepPart for the client)
        EncryptionKey ckey = etp.key;
        // Session key for session with the service
        EncryptionKey key = generateRandomKey(e2);
        // Check time, TODO
        KerberosTime till = body.till;
        if (till == null) {
            // TODO
            throw new KrbException(Krb5.KDC_ERR_NEVER_VALID);
        } else if (till.isZero()) {
            // A zero 'till' means "as long as possible": default to 11 hours from now.
            till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11);
        }
        boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX + 1];
        // FORWARDABLE is granted only if requested, not vetoed by the S4U2self
        // check above, and the client is not listed in SENSITIVE_ACCOUNTS.
        if (body.kdcOptions.get(KDCOptions.FORWARDABLE) && allowForwardable) {
            List<String> sensitives = (List<String>) options.get(Option.SENSITIVE_ACCOUNTS);
            if (sensitives != null && sensitives.contains(cname.toString())) {
            // Cannot make FORWARDABLE
            } else {
                bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
            }
        }
        // FORWARDED is inherited from the presented ticket or requested explicitly.
        if (body.kdcOptions.get(KDCOptions.FORWARDED) || etp.flags.get(Krb5.TKT_OPTS_FORWARDED)) {
            bFlags[Krb5.TKT_OPTS_FORWARDED] = true;
        }
        if (body.kdcOptions.get(KDCOptions.RENEWABLE)) {
            bFlags[Krb5.TKT_OPTS_RENEWABLE] = true;
        //renew = new KerberosTime(new Date().getTime() + 1000 * 3600 * 24 * 7);
        }
        if (body.kdcOptions.get(KDCOptions.PROXIABLE)) {
            bFlags[Krb5.TKT_OPTS_PROXIABLE] = true;
        }
        if (body.kdcOptions.get(KDCOptions.POSTDATED)) {
            bFlags[Krb5.TKT_OPTS_POSTDATED] = true;
        }
        if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
            bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
        }
        // S4U2proxy (constrained delegation): the requesting service presents an
        // additional ticket (the "evidence" ticket) and asks for a service ticket
        // in the name of that ticket's client.
        if (body.kdcOptions.get(KDCOptions.CNAME_IN_ADDL_TKT)) {
            if (!options.containsKey(Option.ALLOW_S4U2PROXY)) {
                // Don't understand CNAME_IN_ADDL_TKT
                throw new KrbException(Krb5.KDC_ERR_BADOPTION);
            } else {
                // Map from delegating service name to the target services it
                // may delegate to (unchecked cast; the option is set by this class).
                Map<String, List<String>> map = (Map<String, List<String>>) options.get(Option.ALLOW_S4U2PROXY);
                Ticket second = KDCReqBodyDotFirstAdditionalTicket(body);
                // The additional ticket is decrypted with its own service's key.
                EncryptionKey key2 = keyForUser(second.sname, second.encPart.getEType(), true);
                byte[] bb = second.encPart.decrypt(key2, KeyUsage.KU_TICKET);
                DerInputStream derIn = new DerInputStream(bb);
                DerValue der = derIn.getDerValue();
                EncTicketPart tktEncPart = new EncTicketPart(der.toByteArray());
                // NOTE(review): the FORWARDABLE requirement on the evidence ticket
                // is deliberately disabled (the throw is commented out), so this
                // test KDC accepts non-forwardable evidence tickets.
                if (!tktEncPart.flags.get(Krb5.TKT_OPTS_FORWARDABLE)) {
                //throw new KrbException(Krb5.KDC_ERR_BADOPTION);
                }
                PrincipalName client = tktEncPart.cname;
                System.out.println(realm + "> and an additional ticket of " + client + " to " + second.sname);
                // Delegation is allowed only if the presenting client (cname) is
                // a key in the map and the requested service is in its list.
                if (map.containsKey(cname.toString())) {
                    if (map.get(cname.toString()).contains(service.toString())) {
                        System.out.println(realm + "> S4U2proxy OK");
                    } else {
                        throw new KrbException(Krb5.KDC_ERR_BADOPTION);
                    }
                } else {
                    throw new KrbException(Krb5.KDC_ERR_BADOPTION);
                }
                // The issued ticket names the evidence ticket's client, not the
                // delegating service.
                cname = client;
            }
        }
        // OK_AS_DELEGATE: an empty string means every service, otherwise the
        // option value must contain the service's name string.
        String okAsDelegate = (String) options.get(Option.OK_AS_DELEGATE);
        if (okAsDelegate != null && (okAsDelegate.isEmpty() || okAsDelegate.contains(service.getNameString()))) {
            bFlags[Krb5.TKT_OPTS_DELEGATE] = true;
        }
        // INITIAL is set unconditionally here, even though this ticket is
        // TGS-issued rather than AS-issued.
        bFlags[Krb5.TKT_OPTS_INITIAL] = true;
        TicketFlags tFlags = new TicketFlags(bFlags);
        // Build the encrypted ticket part; if the client sent no addresses the
        // local host address is used instead of leaving caddr empty.
        EncTicketPart enc = new EncTicketPart(tFlags, key, cname, // TODO
        new TransitedEncoding(1, new byte[0]), new KerberosTime(new Date()), body.from, till, body.rtime, // always set caddr
        body.addresses != null ? body.addresses : new HostAddresses(new InetAddress[] { InetAddress.getLocalHost() }), null);
        // Long-term key of the target service, used to seal the ticket.
        EncryptionKey skey = keyForUser(service, e3, true);
        if (skey == null) {
            // TODO
            throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP);
        }
        Ticket t = new Ticket(service, new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET));
        // The reply's encrypted part carries the new session key plus times and
        // flags that mirror the ticket; the LastReq entry is dated 10 s ago and
        // the key-expiration-style timestamp 24 h ahead (see constructor order —
        // TODO confirm which parameter the 24 h value maps to).
        EncTGSRepPart enc_part = new EncTGSRepPart(key, new LastReq(new LastReqEntry[] { new LastReqEntry(0, new KerberosTime(new Date().getTime() - 10000)) }), // TODO: detect replay
        body.getNonce(), new KerberosTime(new Date().getTime() + 1000 * 3600 * 24), // Next 5 and last MUST be same with ticket
        tFlags, new KerberosTime(new Date()), body.from, till, body.rtime, service, // always set caddr
        body.addresses != null ? body.addresses : new HostAddresses(new InetAddress[] { InetAddress.getLocalHost() }));
        // Encrypted for the client under the session key of the presented TGT.
        EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_TGS_REP_PART_SESSKEY);
        TGSRep tgsRep = new TGSRep(null, cname, t, edata);
        System.out.println("     Return " + tgsRep.cname + " ticket for " + tgsRep.ticket.sname + ", flags " + tFlags);
        // Wrap the TGS-REP in its APPLICATION tag for the wire.
        DerOutputStream out = new DerOutputStream();
        out.write(DerValue.createTag(DerValue.TAG_APPLICATION, true, (byte) Krb5.KRB_TGS_REP), tgsRep.asn1Encode());
        return out.toByteArray();
    } catch (KrbException ke) {
        // Protocol-level failures become a KRB_ERROR reply; the stack trace goes
        // to stdout together with the rest of this KDC's logging.
        ke.printStackTrace(System.out);
        KRBError kerr = ke.getError();
        KDCReqBody body = tgsReq.reqBody;
        System.out.println("     Error " + ke.returnCode() + " " + ke.returnCodeMessage());
        if (kerr == null) {
            // No pre-built error in the exception: synthesize one from its code.
            kerr = new KRBError(null, null, null, new KerberosTime(new Date()), 0, ke.returnCode(), body.cname, service, KrbException.errorMessage(ke.returnCode()), null);
        }
        return kerr.asn1Encode();
    }
}

the class StatusLoopDependency method generateSelector.

/**
 * Builds a selector that matches the named test certificate by its
 * SubjectKeyIdentifier.
 *
 * @param name {@code "subca"}, {@code "subci"} or anything else (the target
 *        certificate); {@code null} is not accepted
 * @return a selector whose subject key identifier is taken from the certificate
 * @throws Exception if the certificate cannot be parsed or carries no SKID
 *         extension
 */
private static X509CertSelector generateSelector(String name) throws Exception {
    // Pick the PEM text for the requested certificate; anything other than
    // "subca"/"subci" falls back to the target certificate. The PEM constants
    // are declared elsewhere in this class.
    final String pem;
    switch (name) {
        case "subca":
            pem = subCaCertStr;
            break;
        case "subci":
            pem = subCrlIssuerCertStr;
            break;
        default:
            pem = targetCertStr;
            break;
    }
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(pem.getBytes()));
    // 2.5.29.14 is the SubjectKeyIdentifier extension. getExtensionValue()
    // returns the DER OCTET STRING wrapper, so one level is unwrapped before
    // the value is handed to the selector.
    byte[] extVal = cert.getExtensionValue("2.5.29.14");
    if (extVal == null) {
        // unlikely to happen.
        throw new Exception("unexpected certificate: no SKID extension");
    }
    byte[] subjectKID = new DerInputStream(extVal).getOctetString();
    X509CertSelector selector = new X509CertSelector();
    selector.setSubjectKeyIdentifier(subjectKID);
    return selector;
}

the class ValidateNC method createPath.

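/**
 * Loads a certificate chain from disk and initialises the static
 * {@code path}, {@code anchors} and {@code params} fields used by the test.
 *
 * <p>{@code certs[0]} is the trust anchor; the remaining entries are the
 * chain below it. They are inserted at the front of the list as they are
 * read, so the resulting CertPath lists the last file first.
 *
 * @param certs file names, anchor first; must contain at least one entry
 * @throws IllegalArgumentException if {@code certs} is null or empty
 * @throws Exception if a file cannot be read or parsed (from
 *         {@code getCertFromFile}) or the CertPath cannot be built
 */
public static void createPath(String[] certs) throws Exception {
    // Fail with a clear message rather than an ArrayIndexOutOfBoundsException.
    if (certs == null || certs.length == 0) {
        throw new IllegalArgumentException("certs must contain at least the trust anchor");
    }
    X509Certificate anchorCert = getCertFromFile(certs[0]);
    // 2.5.29.30 is the NameConstraints extension. getExtensionValue() returns
    // the DER OCTET STRING wrapper; TrustAnchor wants the inner encoding.
    byte[] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
    if (nameConstraints != null) {
        DerInputStream in = new DerInputStream(nameConstraints);
        nameConstraints = in.getOctetString();
    }
    TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
    // Typed list instead of the raw List/ArrayList the original used.
    List<X509Certificate> list = new ArrayList<>();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);
    anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    // Revocation is intentionally off: this test is about name constraints only.
    params.setRevocationEnabled(false);
}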

the class OrderAndDup method checkData.

/**
 * Checks the raw ASN.1 encoding against the CRL object: the revoked
 * certificates must have the same count and the same order as inserted.
 *
 * @param c the parsed CRL
 * @param data DER bytes whose top-level SEQUENCE has the revokedCertificates
 *        SEQUENCE at index 4 (the TBSCertList layout — the index assumes the
 *        optional version and nextUpdate fields are both present; TODO confirm
 *        for the CRLs this test builds)
 * @param expected serial numbers in the expected order
 * @throws Exception on any count or order mismatch, or on a DER parse failure
 */
static void checkData(X509CRLImpl c, byte[] data, BigInteger[] expected) throws Exception {
    int objectCount = c.getRevokedCertificates().size();
    if (objectCount != expected.length) {
        throw new Exception("Wrong count in CRL object, now " + c.getRevokedCertificates().size());
    }
    DerValue tbsCertList = new DerValue(data);
    // revokedCertificates at 5th place of TBSCertList
    DerValue revokedSeq = tbsCertList.data.getSequence(0)[4];
    DerValue[] entries = new DerInputStream(revokedSeq.toByteArray()).getSequence(0);
    if (entries.length != expected.length) {
        throw new Exception("Wrong count in raw data, now " + entries.length);
    }
    int idx = 0;
    for (DerValue entry : entries) {
        // Serial is first in revokedCertificates entry
        BigInteger serial = entry.data.getBigInteger();
        if (!serial.equals(expected[idx])) {
            throw new Exception("Entry at #" + idx + " is " + serial + ", should be " + expected[idx]);
        }
        idx++;
    }
}