Search in sources :

Example 26 with X509CertImpl

use of android.sun.security.x509.X509CertImpl in project OpenAM by OpenRock.

the class Cert method getTokenFromSubjectAltExt.

private void getTokenFromSubjectAltExt(X509Certificate cert) throws AuthLoginException {
    try {
        X509CertImpl certImpl = new X509CertImpl(cert.getEncoded());
        X509CertInfo cinfo = new X509CertInfo(certImpl.getTBSCertificate());
        CertificateExtensions exts = (CertificateExtensions) cinfo.get(X509CertInfo.EXTENSIONS);
        SubjectAlternativeNameExtension altNameExt = (SubjectAlternativeNameExtension) exts.get(SubjectAlternativeNameExtension.NAME);
        if (altNameExt != null) {
            GeneralNames names = (GeneralNames) altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
            GeneralName generalname = null;
            ObjectIdentifier upnoid = new ObjectIdentifier(UPNOID);
            Iterator itr = (Iterator) names.iterator();
            while ((userTokenId == null) && itr.hasNext()) {
                generalname = (GeneralName) itr.next();
                if (generalname != null) {
                    if (amAuthCert_subjectAltExtMapper.equalsIgnoreCase("UPN") && (generalname.getType() == GeneralNameInterface.NAME_ANY)) {
                        OtherName othername = (OtherName) generalname.getName();
                        if (upnoid.equals((Object) (othername.getOID()))) {
                            byte[] nval = othername.getNameValue();
                            DerValue derValue = new DerValue(nval);
                            userTokenId = derValue.getData().getUTF8String();
                        }
                    } else if (amAuthCert_subjectAltExtMapper.equalsIgnoreCase("RFC822Name") && (generalname.getType() == GeneralNameInterface.NAME_RFC822)) {
                        RFC822Name email = (RFC822Name) generalname.getName();
                        userTokenId = email.getName();
                    }
                }
            }
        }
    } catch (Exception e) {
        debug.error("Certificate - " + "Error in getTokenFromSubjectAltExt = ", e);
        throw new AuthLoginException(amAuthCert, "CertNoReg", null);
    }
}
Also used : X509CertInfo(sun.security.x509.X509CertInfo) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) OtherName(sun.security.x509.OtherName) AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException) CertificateExtensions(sun.security.x509.CertificateExtensions) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException) GeneralNames(sun.security.x509.GeneralNames) RFC822Name(sun.security.x509.RFC822Name) X509CertImpl(sun.security.x509.X509CertImpl) DerValue(sun.security.util.DerValue) Iterator(java.util.Iterator) GeneralName(sun.security.x509.GeneralName) ObjectIdentifier(sun.security.util.ObjectIdentifier)

Example 27 with X509CertImpl

use of android.sun.security.x509.X509CertImpl in project jdk8u_jdk by JetBrains.

the class PKCS7 method encodeSignedData.

/**
     * Encodes the signed data to a DerOutputStream.
     *
     * @param out the DerOutputStream to write the encoded data to.
     * @exception IOException on encoding errors.
     */
public void encodeSignedData(DerOutputStream out) throws IOException {
    DerOutputStream signedData = new DerOutputStream();
    // version
    signedData.putInteger(version);
    // digestAlgorithmIds
    signedData.putOrderedSetOf(DerValue.tag_Set, digestAlgorithmIds);
    // contentInfo
    contentInfo.encode(signedData);
    // certificates (optional)
    if (certificates != null && certificates.length != 0) {
        // cast to X509CertImpl[] since X509CertImpl implements DerEncoder
        X509CertImpl[] implCerts = new X509CertImpl[certificates.length];
        for (int i = 0; i < certificates.length; i++) {
            if (certificates[i] instanceof X509CertImpl)
                implCerts[i] = (X509CertImpl) certificates[i];
            else {
                try {
                    byte[] encoded = certificates[i].getEncoded();
                    implCerts[i] = new X509CertImpl(encoded);
                } catch (CertificateException ce) {
                    throw new IOException(ce);
                }
            }
        }
        // Add the certificate set (tagged with [0] IMPLICIT)
        // to the signed data
        signedData.putOrderedSetOf((byte) 0xA0, implCerts);
    }
    // CRLs (optional)
    if (crls != null && crls.length != 0) {
        // cast to X509CRLImpl[] since X509CRLImpl implements DerEncoder
        Set<X509CRLImpl> implCRLs = new HashSet<X509CRLImpl>(crls.length);
        for (X509CRL crl : crls) {
            if (crl instanceof X509CRLImpl)
                implCRLs.add((X509CRLImpl) crl);
            else {
                try {
                    byte[] encoded = crl.getEncoded();
                    implCRLs.add(new X509CRLImpl(encoded));
                } catch (CRLException ce) {
                    throw new IOException(ce);
                }
            }
        }
        // Add the CRL set (tagged with [1] IMPLICIT)
        // to the signed data
        signedData.putOrderedSetOf((byte) 0xA1, implCRLs.toArray(new X509CRLImpl[implCRLs.size()]));
    }
    // signerInfos
    signedData.putOrderedSetOf(DerValue.tag_Set, signerInfos);
    // making it a signed data block
    DerValue signedDataSeq = new DerValue(DerValue.tag_Sequence, signedData.toByteArray());
    // making it a content info sequence
    ContentInfo block = new ContentInfo(ContentInfo.SIGNED_DATA_OID, signedDataSeq);
    // writing out the contentInfo sequence
    block.encode(out);
}
Also used : X509CRL(java.security.cert.X509CRL) CertificateException(java.security.cert.CertificateException) X509CertImpl(sun.security.x509.X509CertImpl) X509CRLImpl(sun.security.x509.X509CRLImpl) CRLException(java.security.cert.CRLException)

Example 28 with X509CertImpl

use of android.sun.security.x509.X509CertImpl in project jdk8u_jdk by JetBrains.

the class X509Factory method intern.

/**
     * Return an interned X509CertImpl for the given certificate.
     * If the given X509Certificate or X509CertImpl is already present
     * in the cert cache, the cached object is returned. Otherwise,
     * if it is a X509Certificate, it is first converted to a X509CertImpl.
     * Then the X509CertImpl is added to the cache and returned.
     *
     * Note that all certificates created via generateCertificate(InputStream)
     * are already interned and this method does not need to be called.
     * It is useful for certificates that cannot be created via
     * generateCertificate() and for converting other X509Certificate
     * implementations to an X509CertImpl.
     *
     * @param c The source X509Certificate
     * @return An X509CertImpl object that is either a cached certificate or a
     *      newly built X509CertImpl from the provided X509Certificate
     * @throws CertificateException if failures occur while obtaining the DER
     *      encoding for certificate data.
     */
public static synchronized X509CertImpl intern(X509Certificate c) throws CertificateException {
    if (c == null) {
        return null;
    }
    boolean isImpl = c instanceof X509CertImpl;
    byte[] encoding;
    if (isImpl) {
        encoding = ((X509CertImpl) c).getEncodedInternal();
    } else {
        encoding = c.getEncoded();
    }
    X509CertImpl newC = getFromCache(certCache, encoding);
    if (newC != null) {
        return newC;
    }
    if (isImpl) {
        newC = (X509CertImpl) c;
    } else {
        newC = new X509CertImpl(encoding);
        encoding = newC.getEncodedInternal();
    }
    addToCache(certCache, encoding, newC);
    return newC;
}
Also used : X509CertImpl(sun.security.x509.X509CertImpl)

Example 29 with X509CertImpl

use of android.sun.security.x509.X509CertImpl in project jdk8u_jdk by JetBrains.

the class PKIXCertPathValidator method validate.

private static PKIXCertPathValidatorResult validate(ValidatorParams params) throws CertPathValidatorException {
    if (debug != null)
        debug.println("PKIXCertPathValidator.engineValidate()...");
    // Retrieve the first certificate in the certpath
    // (to be used later in pre-screening)
    AdaptableX509CertSelector selector = null;
    List<X509Certificate> certList = params.certificates();
    if (!certList.isEmpty()) {
        selector = new AdaptableX509CertSelector();
        X509Certificate firstCert = certList.get(0);
        // check trusted certificate's subject
        selector.setSubject(firstCert.getIssuerX500Principal());
        /*
             * Facilitate certification path construction with authority
             * key identifier and subject key identifier.
             */
        try {
            X509CertImpl firstCertImpl = X509CertImpl.toImpl(firstCert);
            selector.setSkiAndSerialNumber(firstCertImpl.getAuthorityKeyIdentifierExtension());
        } catch (CertificateException | IOException e) {
        // ignore
        }
    }
    CertPathValidatorException lastException = null;
    // one that works at which time we stop iterating
    for (TrustAnchor anchor : params.trustAnchors()) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            // we move on to the next one
            if (selector != null && !selector.match(trustedCert)) {
                if (debug != null) {
                    debug.println("NO - don't try this trustedCert");
                }
                continue;
            }
            if (debug != null) {
                debug.println("YES - try this trustedCert");
                debug.println("anchor.getTrustedCert()." + "getSubjectX500Principal() = " + trustedCert.getSubjectX500Principal());
            }
        } else {
            if (debug != null) {
                debug.println("PKIXCertPathValidator.engineValidate(): " + "anchor.getTrustedCert() == null");
            }
        }
        try {
            return validate(anchor, params);
        } catch (CertPathValidatorException cpe) {
            // remember this exception
            lastException = cpe;
        }
    }
    // (a) if we did a validation and it failed, use that exception
    if (lastException != null) {
        throw lastException;
    }
    // (b) otherwise, generate new exception
    throw new CertPathValidatorException("Path does not chain with any of the trust anchors", null, null, -1, PKIXReason.NO_TRUST_ANCHOR);
}
Also used : X509CertImpl(sun.security.x509.X509CertImpl) IOException(java.io.IOException)

Example 30 with X509CertImpl

use of android.sun.security.x509.X509CertImpl in project jdk8u_jdk by JetBrains.

the class Builder method targetDistance.

/**
     * Determine how close a given certificate gets you toward
     * a given target.
     *
     * @param constraints Current NameConstraints; if null,
     *        then caller must verify NameConstraints
     *        independently, realizing that this certificate
     *        may not actually lead to the target at all.
     * @param cert Candidate certificate for chain
     * @param target GeneralNameInterface name of target
     * @return distance from this certificate to target:
     * <ul>
     * <li>-1 means certificate could be CA for target, but
     *     there are no NameConstraints limiting how close
     * <li> 0 means certificate subject or subjectAltName
     *      matches target
     * <li> 1 means certificate is permitted to be CA for
     *      target.
     * <li> 2 means certificate is permitted to be CA for
     *      parent of target.
     * <li>&gt;0 in general, means certificate is permitted
     *     to be a CA for this distance higher in the naming
     *     hierarchy than the target, plus 1.
     * </ul>
     * <p>Note that the subject and/or subjectAltName of the
     * candidate cert does not have to be an ancestor of the
     * target in order to be a CA that can issue a certificate to
     * the target. In these cases, the target distance is calculated
     * by inspecting the NameConstraints extension in the candidate
     * certificate. For example, suppose the target is an X.500 DN with
     * a value of "CN=mullan,OU=ireland,O=sun,C=us" and the
     * NameConstraints extension in the candidate certificate
     * includes a permitted component of "O=sun,C=us", which implies
     * that the candidate certificate is allowed to issue certs in
     * the "O=sun,C=us" namespace. The target distance is 3
     * ((distance of permitted NC from target) + 1).
     * The (+1) is added to distinguish the result from the case
     * which returns (0).
     * @throws IOException if certificate does not get closer
     */
static int targetDistance(NameConstraintsExtension constraints, X509Certificate cert, GeneralNameInterface target) throws IOException {
    /* ensure that certificate satisfies existing name constraints */
    if (constraints != null && !constraints.verify(cert)) {
        throw new IOException("certificate does not satisfy existing name " + "constraints");
    }
    X509CertImpl certImpl;
    try {
        certImpl = X509CertImpl.toImpl(cert);
    } catch (CertificateException e) {
        throw new IOException("Invalid certificate", e);
    }
    /* see if certificate subject matches target */
    X500Name subject = X500Name.asX500Name(certImpl.getSubjectX500Principal());
    if (subject.equals(target)) {
        /* match! */
        return 0;
    }
    SubjectAlternativeNameExtension altNameExt = certImpl.getSubjectAlternativeNameExtension();
    if (altNameExt != null) {
        GeneralNames altNames = altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
        /* see if any alternative name matches target */
        if (altNames != null) {
            for (int j = 0, n = altNames.size(); j < n; j++) {
                GeneralNameInterface altName = altNames.get(j).getName();
                if (altName.equals(target)) {
                    return 0;
                }
            }
        }
    }
    /* no exact match; see if certificate can get us to target */
    /* first, get NameConstraints out of certificate */
    NameConstraintsExtension ncExt = certImpl.getNameConstraintsExtension();
    if (ncExt == null) {
        return -1;
    }
    /* merge certificate's NameConstraints with current NameConstraints */
    if (constraints != null) {
        constraints.merge(ncExt);
    } else {
        // Make sure we do a clone here, because we're probably
        // going to modify this object later and we don't want to
        // be sharing it with a Certificate object!
        constraints = (NameConstraintsExtension) ncExt.clone();
    }
    if (debug != null) {
        debug.println("Builder.targetDistance() merged constraints: " + String.valueOf(constraints));
    }
    /* reduce permitted by excluded */
    GeneralSubtrees permitted = constraints.get(NameConstraintsExtension.PERMITTED_SUBTREES);
    GeneralSubtrees excluded = constraints.get(NameConstraintsExtension.EXCLUDED_SUBTREES);
    if (permitted != null) {
        permitted.reduce(excluded);
    }
    if (debug != null) {
        debug.println("Builder.targetDistance() reduced constraints: " + permitted);
    }
    /* see if new merged constraints allow target */
    if (!constraints.verify(target)) {
        throw new IOException("New certificate not allowed to sign " + "certificate for target");
    }
    /* find distance to target, if any, in permitted */
    if (permitted == null) {
        /* certificate is unconstrained; could sign for anything */
        return -1;
    }
    for (int i = 0, n = permitted.size(); i < n; i++) {
        GeneralNameInterface perName = permitted.get(i).getName().getName();
        int distance = distance(perName, target, -1);
        if (distance >= 0) {
            return (distance + 1);
        }
    }
    /* no matching type in permitted; cert holder could certify target */
    return -1;
}
Also used : GeneralNameInterface(sun.security.x509.GeneralNameInterface) GeneralNames(sun.security.x509.GeneralNames) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) X509CertImpl(sun.security.x509.X509CertImpl) GeneralSubtrees(sun.security.x509.GeneralSubtrees) IOException(java.io.IOException) X500Name(sun.security.x509.X500Name) NameConstraintsExtension(sun.security.x509.NameConstraintsExtension)

Aggregations

X509CertImpl (sun.security.x509.X509CertImpl)92 CertificateException (java.security.cert.CertificateException)41 IOException (java.io.IOException)31 X509Certificate (java.security.cert.X509Certificate)23 CertPathValidatorException (java.security.cert.CertPathValidatorException)17 BigInteger (java.math.BigInteger)16 PublicKey (java.security.PublicKey)15 X500Name (sun.security.x509.X500Name)14 X509CertInfo (sun.security.x509.X509CertInfo)14 AlgorithmId (sun.security.x509.AlgorithmId)13 CertificateAlgorithmId (sun.security.x509.CertificateAlgorithmId)13 X509CertImpl (org.mozilla.jss.netscape.security.x509.X509CertImpl)12 CertificateSerialNumber (sun.security.x509.CertificateSerialNumber)11 CertificateValidity (sun.security.x509.CertificateValidity)11 CertificateX509Key (sun.security.x509.CertificateX509Key)11 CertificateFactory (java.security.cert.CertificateFactory)10 CertificateVersion (sun.security.x509.CertificateVersion)10 SubjectAlternativeNameExtension (sun.security.x509.SubjectAlternativeNameExtension)9 CertificateIssuerName (sun.security.x509.CertificateIssuerName)8 CertificateSubjectName (sun.security.x509.CertificateSubjectName)8