use of android.sun.security.x509.KeyIdentifier in project jdk8u_jdk by JetBrains.
the class Vertex method certToString.
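/**
 * Return string representation of this vertex's
 * certificate information.
 *
 * This is a debugging aid: every failure is logged to {@code debug} (when
 * enabled) and reported as an empty or partial string instead of being
 * propagated, so its output must not be used for any trust decision.
 *
 * @return String representation of certificate info; empty if the
 *         certificate cannot be converted to an {@code X509CertImpl}
 */
public String certToString() {
    StringBuilder sb = new StringBuilder();
    X509CertImpl x509Cert = null;
    try {
        x509Cert = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            ce.printStackTrace();
        }
        return sb.toString();
    }
    sb.append("Issuer: ").append(x509Cert.getIssuerX500Principal()).append("\n");
    sb.append("Subject: ").append(x509Cert.getSubjectX500Principal()).append("\n");
    // serial number is rendered in hex, the usual presentation in certificate dumps
    sb.append("SerialNum: ").append(x509Cert.getSerialNumber().toString(16)).append("\n");
    sb.append("Expires: ").append(x509Cert.getNotAfter().toString()).append("\n");
    appendUniqueId(sb, "IssuerUID: ", x509Cert.getIssuerUniqueID());
    appendUniqueId(sb, "SubjectUID: ", x509Cert.getSubjectUniqueID());
    try {
        SubjectKeyIdentifierExtension sKeyID = x509Cert.getSubjectKeyIdentifierExtension();
        if (sKeyID != null) {
            KeyIdentifier keyID = sKeyID.get(SubjectKeyIdentifierExtension.KEY_ID);
            // Defensive: only print an identifier the extension actually yielded.
            // No newline is appended here, as in the original; KeyIdentifier.toString()
            // is assumed to end with one — confirm if the output ever looks fused.
            if (keyID != null) {
                sb.append("SubjKeyID: ").append(keyID.toString());
            }
        }
        AuthorityKeyIdentifierExtension aKeyID = x509Cert.getAuthorityKeyIdentifierExtension();
        if (aKeyID != null) {
            KeyIdentifier keyID = (KeyIdentifier) aKeyID.get(AuthorityKeyIdentifierExtension.KEY_ID);
            // The keyIdentifier component of AuthorityKeyIdentifier is optional
            // (RFC 5280 4.2.1.1): an extension carrying only authorityCertIssuer /
            // authorityCertSerialNumber yields null here. Dereferencing it
            // unconditionally, as this method originally did, threw an NPE out of
            // a debug helper for such certificates.
            if (keyID != null) {
                sb.append("AuthKeyID: ").append(keyID.toString());
            }
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            e.printStackTrace();
        }
    }
    return sb.toString();
}

/**
 * Append {@code label}, then {@code bits} rendered as a run of '1'/'0'
 * characters, then a newline. Appends nothing when {@code bits} is null,
 * i.e. the certificate carries no such unique identifier.
 *
 * @param sb    the buffer being built by {@link #certToString()}
 * @param label prefix written before the bits (includes its own ": ")
 * @param bits  the issuer or subject unique identifier, or null if absent
 */
private static void appendUniqueId(StringBuilder sb, String label, boolean[] bits) {
    if (bits == null) {
        return;
    }
    sb.append(label);
    for (boolean b : bits) {
        sb.append(b ? 1 : 0);
    }
    sb.append("\n");
}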
use of android.sun.security.x509.KeyIdentifier in project Bytecoder by mirkosertic.
the class SimpleValidator method buildTrustedChain.
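/**
 * Build a trusted certificate chain. This method always returns a chain
 * with a trust anchor as the final cert in the chain. If no trust anchor
 * could be found, a CertificateException is thrown.
 *
 * The supplied chain is walked from index 0 (presumably the end-entity
 * certificate; the caller's ordering is not visible here). At the first
 * certificate that is itself trusted, the trusted copy is appended and the
 * rest of the supplied chain is discarded. Otherwise a trusted certificate
 * whose subject equals the last certificate's issuer name is appended; when
 * the last certificate carries an AuthorityKeyIdentifier, the trusted
 * certificate whose SubjectKeyIdentifier equals it is preferred over the
 * first name match, which is what disambiguates CAs that share a name
 * across key rollovers.
 *
 * NOTE(security): name and key-identifier matching only selects a candidate
 * anchor. Neither proves that the anchor actually signed the last
 * certificate; this method verifies no signatures, so the caller must still
 * verify every link of the returned chain before trusting it.
 *
 * @param chain the certificate chain to extend with a trust anchor; must be
 *              non-empty
 * @return the chain with a trusted certificate as its final element
 * @throws CertificateException if no trust anchor can be found (including
 *         when {@code chain} is empty) or if a certificate cannot be
 *         converted to {@code X509CertImpl}
 */
private X509Certificate[] buildTrustedChain(X509Certificate[] chain) throws CertificateException {
    // An empty chain has no last element to match an anchor against. Report
    // it like any other unanchored chain instead of letting
    // chain[chain.length - 1] below throw ArrayIndexOutOfBoundsException.
    if (chain.length == 0) {
        throw new ValidatorException(ValidatorException.T_NO_TRUST_ANCHOR);
    }
    List<X509Certificate> c = new ArrayList<X509Certificate>(chain.length);
    // if a trusted certificate is found, append it and return
    for (X509Certificate cert : chain) {
        X509Certificate trustedCert = getTrustedCertificate(cert);
        if (trustedCert != null) {
            c.add(trustedCert);
            return c.toArray(CHAIN0);
        }
        c.add(cert);
    }
    // check if we can append a trusted cert whose subject is the last cert's issuer
    X509Certificate last = chain[chain.length - 1];
    X500Principal issuer = last.getIssuerX500Principal();
    List<X509Certificate> candidates = trustedX500Principals.get(issuer);
    if (candidates != null) {
        // Default to the first name match; the map is assumed never to hold an
        // empty list (it is populated elsewhere in this class).
        X509Certificate matchedCert = candidates.get(0);
        X509CertImpl lastImpl = X509CertImpl.toImpl(last);
        KeyIdentifier akid = lastImpl.getAuthKeyId();
        if (akid != null) {
            // Look for a best match issuer: the candidate whose SubjectKeyIdentifier
            // equals the last cert's AuthorityKeyIdentifier. Candidates without an
            // SKI compare unequal and simply do not win.
            for (X509Certificate sup : candidates) {
                X509CertImpl supCert = X509CertImpl.toImpl(sup);
                if (akid.equals(supCert.getSubjectKeyId())) {
                    matchedCert = sup;
                    break;
                }
            }
        }
        c.add(matchedCert);
        return c.toArray(CHAIN0);
    }
    // no trusted cert found, error
    throw new ValidatorException(ValidatorException.T_NO_TRUST_ANCHOR);
}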
use of android.sun.security.x509.KeyIdentifier in project Bytecoder by mirkosertic.
the class Vertex method certToString.
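/**
 * Return string representation of this vertex's
 * certificate information.
 *
 * This is a debugging aid: every failure is logged to {@code debug} (when
 * enabled) and reported as an empty or partial string instead of being
 * propagated, so its output must not be used for any trust decision.
 *
 * @return String representation of certificate info; empty if the
 *         certificate cannot be converted to an {@code X509CertImpl}
 */
public String certToString() {
    StringBuilder sb = new StringBuilder();
    X509CertImpl x509Cert = null;
    try {
        x509Cert = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            ce.printStackTrace();
        }
        return sb.toString();
    }
    sb.append("Issuer: ").append(x509Cert.getIssuerX500Principal()).append("\n");
    sb.append("Subject: ").append(x509Cert.getSubjectX500Principal()).append("\n");
    // serial number is rendered in hex, the usual presentation in certificate dumps
    sb.append("SerialNum: ").append(x509Cert.getSerialNumber().toString(16)).append("\n");
    sb.append("Expires: ").append(x509Cert.getNotAfter().toString()).append("\n");
    appendUniqueId(sb, "IssuerUID: ", x509Cert.getIssuerUniqueID());
    appendUniqueId(sb, "SubjectUID: ", x509Cert.getSubjectUniqueID());
    try {
        SubjectKeyIdentifierExtension sKeyID = x509Cert.getSubjectKeyIdentifierExtension();
        if (sKeyID != null) {
            KeyIdentifier keyID = sKeyID.get(SubjectKeyIdentifierExtension.KEY_ID);
            // Defensive: only print an identifier the extension actually yielded.
            // No newline is appended here, as in the original; KeyIdentifier.toString()
            // is assumed to end with one — confirm if the output ever looks fused.
            if (keyID != null) {
                sb.append("SubjKeyID: ").append(keyID.toString());
            }
        }
        AuthorityKeyIdentifierExtension aKeyID = x509Cert.getAuthorityKeyIdentifierExtension();
        if (aKeyID != null) {
            KeyIdentifier keyID = (KeyIdentifier) aKeyID.get(AuthorityKeyIdentifierExtension.KEY_ID);
            // The keyIdentifier component of AuthorityKeyIdentifier is optional
            // (RFC 5280 4.2.1.1): an extension carrying only authorityCertIssuer /
            // authorityCertSerialNumber yields null here. Dereferencing it
            // unconditionally, as this method originally did, threw an NPE out of
            // a debug helper for such certificates.
            if (keyID != null) {
                sb.append("AuthKeyID: ").append(keyID.toString());
            }
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            e.printStackTrace();
        }
    }
    return sb.toString();
}

/**
 * Append {@code label}, then {@code bits} rendered as a run of '1'/'0'
 * characters, then a newline. Appends nothing when {@code bits} is null,
 * i.e. the certificate carries no such unique identifier.
 *
 * @param sb    the buffer being built by {@link #certToString()}
 * @param label prefix written before the bits (includes its own ": ")
 * @param bits  the issuer or subject unique identifier, or null if absent
 */
private static void appendUniqueId(StringBuilder sb, String label, boolean[] bits) {
    if (bits == null) {
        return;
    }
    sb.append(label);
    for (boolean b : bits) {
        sb.append(b ? 1 : 0);
    }
    sb.append("\n");
}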
use of android.sun.security.x509.KeyIdentifier in project candlepin by candlepin.
the class JSSPKIUtility method buildAuthorityKeyIdentifier.
/**
 * Calculate the KeyIdentifier for an RSAPublicKey and place it in an AuthorityKeyIdentifier extension.
 *
 * Java encodes RSA public keys using the SubjectPublicKeyInfo type described in RFC 5280
 * ({@code key.getEncoded()}, format "X.509"):
 * <pre>
 * SubjectPublicKeyInfo ::= SEQUENCE {
 *     algorithm        AlgorithmIdentifier,
 *     subjectPublicKey BIT STRING }
 *
 * AlgorithmIdentifier ::= SEQUENCE {
 *     algorithm   OBJECT IDENTIFIER,
 *     parameters  ANY DEFINED BY algorithm OPTIONAL }
 * </pre>
 *
 * The identifier is RFC 5280 section 4.2.1.2 method (1): the SHA-1 digest of the
 * subjectPublicKey BIT STRING value (tag, length and unused-bits octet excluded).
 *
 * NOTE(security): SHA-1 is correct here and must not be "upgraded". A key identifier is
 * an opaque matching hint used during chain building, not a security control, and it has
 * to agree byte-for-byte with the SubjectKeyIdentifier that other implementations derive
 * for the same key, which for method (1) is SHA-1 by definition. Only the key identifier
 * is placed in the extension; no issuer name or serial number is included.
 *
 * @param key the RSAPublicKey to use; its encoding must be a DER SubjectPublicKeyInfo
 * @return an AuthorityKeyIdentifierExtension holding only the key identifier
 * @throws IOException if no SHA-1 MessageDigest is available (the
 *         NoSuchAlgorithmException is attached as the cause), or if the key's
 *         encoding cannot be parsed as the structure above
 */
public static AuthorityKeyIdentifierExtension buildAuthorityKeyIdentifier(RSAPublicKey key) throws IOException {
    final MessageDigest sha1;
    try {
        sha1 = MessageDigest.getInstance("SHA-1");
    } catch (NoSuchAlgorithmException e) {
        throw new IOException("Could not find SHA1 implementation", e);
    }
    // Open the outer SubjectPublicKeyInfo SEQUENCE and walk its two members in order.
    DerInputStream spki = new DerValue(key.getEncoded()).toDerInputStream();
    // First member: AlgorithmIdentifier, which takes no part in the digest.
    // skipSequence() demands a startLen argument even though it ignores it.
    spki.skipSequence(0);
    // Second member: the subjectPublicKey BIT STRING. For RSA it wraps a DER
    // RSAPublicKey SEQUENCE, so it is octet aligned and toByteArray() is taken
    // to yield exactly the bit string contents that method (1) hashes.
    BitArray subjectPublicKey = spki.getUnalignedBitString();
    byte[] keyId = sha1.digest(subjectPublicKey.toByteArray());
    return new AuthorityKeyIdentifierExtension(new KeyIdentifier(keyId), null, null);
}
use of android.sun.security.x509.KeyIdentifier in project candlepin by candlepin.
the class JSSPKIUtility method buildAuthorityKeyIdentifier.
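/**
 * Build an AuthorityKeyIdentifier extension naming {@code caCert} as the issuing
 * authority, for objects the CA signs (the original comment mentions CRLs).
 *
 * The CA's own SubjectKeyIdentifier is copied verbatim when present and only computed
 * from the CA's public key when the certificate carries no such extension. The copy is
 * deliberate: relying parties match an AuthorityKeyIdentifier against the bytes of the CA
 * certificate's SubjectKeyIdentifier, and a CA may have produced that value with a method
 * other than the SHA-1 scheme the fallback uses (RFC 5280 4.2.1.2, RFC 7093), so
 * recomputing it would break chain building.
 *
 * Only the keyIdentifier component is populated; see the comment below for why the
 * issuer name and serial number are left out.
 *
 * @param caCert the CA certificate whose key identifier is wanted
 * @return an AuthorityKeyIdentifierExtension holding the CA's key identifier
 * @throws InvalidBERException if the SubjectKeyIdentifier extension value is malformed
 * @throws IOException if the fallback computation from the public key fails
 */
public static AuthorityKeyIdentifierExtension buildAuthorityKeyIdentifier(X509Certificate caCert) throws InvalidBERException, IOException {
    // The subject key identifier of the CA becomes the Authority Key Identifer of the CRL.
    byte[] extValue = caCert.getExtensionValue(PKIXExtensions.SubjectKey_Id.toString());
    if (extValue == null) {
        /* X509Extension.getExtensionValue() returns null when the certificate has no
         * SubjectKeyIdentifier extension at all. That has to be handled before decoding:
         * the original only tested the decoded result for null, so an absent extension
         * reached the decoder as a null byte array and the fallback was never taken.
         * Compute the identifier from the CA's public key instead.
         * NOTE(review): getPublicKey() returns PublicKey while the only overload visible
         * alongside this one takes RSAPublicKey — confirm a PublicKey overload exists. */
        return buildAuthorityKeyIdentifier(caCert.getPublicKey());
    }
    /* The getExtensionValue returns us the Extension extnValue element which is an octet string. For
     * the SubjectKeyIdentifier extension the extnValue only contains a KeyIdentifier. The actual
     * KeyIdentifier is also an octet string. The extnValue for the SubjectKeyIdentifier
     * is therefore ultimately an octet string of an octet string. See Appendix A of RFC 5280. */
    OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extValue);
    OCTET_STRING ski = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extOctets.toByteArray());
    if (ski == null) {
        /* Defensive, retained from the original: fall back to the computed value should the
         * decoder ever report no inner KeyIdentifier without throwing. */
        return buildAuthorityKeyIdentifier(caCert.getPublicKey());
    }
    /* RFC 5280 section 4.2.1.1 is a bit odd. It states the AuthorityKeyIdentifier MAY contain
     * a KeyIdentifier or the issuer name and CertificateSerialNumber. The KeyIdentifier is mandatory for
     * non-self-signed certificates, but there is no additional guidance about when or why one should
     * provide the issuer name or CertificateSerialNumber. I've found at least one place,
     * https://www.v13.gr/blog/?p=293, that explicitly recommends against giving them. Also,
     * the semantics around the issuer field in this extension can be very confusing
     * (see https://www.openssl.org/docs/faq.html#USER14). Our old crypto code that used BouncyCastle
     * did include the issuer and serial number along with the key identifier, but I think it's best if
     * we leave it out.
     */
    KeyIdentifier ki = new KeyIdentifier(ski.toByteArray());
    return new AuthorityKeyIdentifierExtension(ki, null, null);
}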