Example 21 with AlgorithmIdentifier
use of com.android.apksig.internal.pkcs7.AlgorithmIdentifier in project hedera-sdk-java by hashgraph.
the class Pem method writeEncryptedPrivateKey.
/*
* For some reason, this generates PEM encodings that we ourselves can import, but OpenSSL
* doesn't like. We decided to punt on generating encrypted PEMs for now but saving
* the code for when we get back to it and/or any demand arises.
*/
@SuppressWarnings("unused")
static void writeEncryptedPrivateKey(PrivateKeyInfo pkInfo, Writer out, String passphrase) throws IOException {
byte[] salt = Crypto.randomBytes(Crypto.SALT_LEN);
KeyParameter derivedKey = Crypto.deriveKeySha256(passphrase, salt, Crypto.ITERATIONS, Crypto.CBC_DK_LEN);
byte[] iv = Crypto.randomBytes(Crypto.IV_LEN);
Cipher cipher = Crypto.initAesCbc128Encrypt(derivedKey, iv);
byte[] encryptedKey = Crypto.runCipher(cipher, pkInfo.getEncoded());
// I wanted to just do this with BC's PKCS8Generator and KcePKCSPBEOutputEncryptorBuilder
// but it tries to init AES instance of `Cipher` with a `PBKDF2Key` and the former complains
// So this is basically a reimplementation of that minus the excess OO
PBES2Parameters parameters = new PBES2Parameters(new KeyDerivationFunc(PKCSObjectIdentifiers.id_PBKDF2, new PBKDF2Params(salt, Crypto.ITERATIONS, Crypto.CBC_DK_LEN, new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA256))), new EncryptionScheme(NISTObjectIdentifiers.id_aes128_CBC, ASN1Primitive.fromByteArray(cipher.getParameters().getEncoded())));
EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.id_PBES2, parameters), encryptedKey);
PemWriter writer = new PemWriter(out);
writer.writeObject(new PemObject(TYPE_ENCRYPTED_PRIVATE_KEY, encryptedPrivateKeyInfo.getEncoded()));
writer.flush();
}
Also used :
PBES2Parameters(org.bouncycastle.asn1.pkcs.PBES2Parameters)
PemObject(org.bouncycastle.util.io.pem.PemObject)
EncryptionScheme(org.bouncycastle.asn1.pkcs.EncryptionScheme)
PemWriter(org.bouncycastle.util.io.pem.PemWriter)
KeyParameter(org.bouncycastle.crypto.params.KeyParameter)
KeyDerivationFunc(org.bouncycastle.asn1.pkcs.KeyDerivationFunc)
PBKDF2Params(org.bouncycastle.asn1.pkcs.PBKDF2Params)
EncryptedPrivateKeyInfo(org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo)
Cipher(javax.crypto.Cipher)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
Example 22 with AlgorithmIdentifier
use of com.android.apksig.internal.pkcs7.AlgorithmIdentifier in project apksig by venshine.
the class V1SchemeSigner method generateSignatureBlock.
/**
* Generates the CMS PKCS #7 signature block corresponding to the provided signature file and
* signing configuration.
*/
private static byte[] generateSignatureBlock(SignerConfig signerConfig, byte[] signatureFileBytes) throws NoSuchAlgorithmException, InvalidKeyException, CertificateException, SignatureException {
// Obtain relevant bits of signing configuration
List<X509Certificate> signerCerts = signerConfig.certificates;
X509Certificate signingCert = signerCerts.get(0);
PublicKey publicKey = signingCert.getPublicKey();
DigestAlgorithm digestAlgorithm = signerConfig.signatureDigestAlgorithm;
Pair<String, AlgorithmIdentifier> signatureAlgs = getSignerInfoSignatureAlgorithm(publicKey, digestAlgorithm, signerConfig.deterministicDsaSigning);
String jcaSignatureAlgorithm = signatureAlgs.getFirst();
// Generate the cryptographic signature of the signature file
byte[] signatureBytes;
try {
Signature signature = Signature.getInstance(jcaSignatureAlgorithm);
signature.initSign(signerConfig.privateKey);
signature.update(signatureFileBytes);
signatureBytes = signature.sign();
} catch (InvalidKeyException e) {
throw new InvalidKeyException("Failed to sign using " + jcaSignatureAlgorithm, e);
} catch (SignatureException e) {
throw new SignatureException("Failed to sign using " + jcaSignatureAlgorithm, e);
}
// Verify the signature against the public key in the signing certificate
try {
Signature signature = Signature.getInstance(jcaSignatureAlgorithm);
signature.initVerify(publicKey);
signature.update(signatureFileBytes);
if (!signature.verify(signatureBytes)) {
throw new SignatureException("Signature did not verify");
}
} catch (InvalidKeyException e) {
throw new InvalidKeyException("Failed to verify generated " + jcaSignatureAlgorithm + " signature using" + " public key from certificate", e);
} catch (SignatureException e) {
throw new SignatureException("Failed to verify generated " + jcaSignatureAlgorithm + " signature using" + " public key from certificate", e);
}
AlgorithmIdentifier digestAlgorithmId = getSignerInfoDigestAlgorithmOid(digestAlgorithm);
AlgorithmIdentifier signatureAlgorithmId = signatureAlgs.getSecond();
try {
return ApkSigningBlockUtils.generatePkcs7DerEncodedMessage(signatureBytes, null, signerCerts, digestAlgorithmId, signatureAlgorithmId);
} catch (Asn1EncodingException | CertificateEncodingException ex) {
throw new SignatureException("Failed to encode signature block");
}
}
Also used :
Asn1EncodingException(com.android.apksig.internal.asn1.Asn1EncodingException)
PublicKey(java.security.PublicKey)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
SignatureException(java.security.SignatureException)
InvalidKeyException(java.security.InvalidKeyException)
X509Certificate(java.security.cert.X509Certificate)
AlgorithmIdentifier(com.android.apksig.internal.pkcs7.AlgorithmIdentifier)
Signature(java.security.Signature)
Example 23 with AlgorithmIdentifier
use of com.android.apksig.internal.pkcs7.AlgorithmIdentifier in project kafka by apache.
the class TestSslUtils method generateCertificate.
/**
* Create a self-signed X.509 Certificate.
* From http://bfo.com/blog/2011/03/08/odds_and_ends_creating_a_new_x_509_certificate.html.
*
* @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
* @param pair the KeyPair
* @param days how many days from now the Certificate is valid for
* @param algorithm the signing algorithm, eg "SHA1withRSA"
* @return the self-signed certificate
* @throws CertificateException thrown if a security error or an IO error occurred.
*/
public static X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm) throws CertificateException {
try {
Security.addProvider(new BouncyCastleProvider());
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(algorithm);
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
AsymmetricKeyParameter privateKeyAsymKeyParam = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded());
SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded());
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(privateKeyAsymKeyParam);
X500Name name = new X500Name(dn);
Date from = new Date();
Date to = new Date(from.getTime() + days * 86400000L);
BigInteger sn = new BigInteger(64, new SecureRandom());
X509v1CertificateBuilder v1CertGen = new X509v1CertificateBuilder(name, sn, from, to, name, subPubKeyInfo);
X509CertificateHolder certificateHolder = v1CertGen.build(sigGen);
return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
} catch (CertificateException ce) {
throw ce;
} catch (Exception e) {
throw new CertificateException(e);
}
}
Also used :
ContentSigner(org.bouncycastle.operator.ContentSigner)
SecureRandom(java.security.SecureRandom)
CertificateException(java.security.cert.CertificateException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
Date(java.util.Date)
GeneralSecurityException(java.security.GeneralSecurityException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
EOFException(java.io.EOFException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
DefaultSignatureAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder)
BcRSAContentSignerBuilder(org.bouncycastle.operator.bc.BcRSAContentSignerBuilder)
AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
X509v1CertificateBuilder(org.bouncycastle.cert.X509v1CertificateBuilder)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
Example 24 with AlgorithmIdentifier
use of com.android.apksig.internal.pkcs7.AlgorithmIdentifier in project XobotOS by xamarin.
the class X509CertSelector method match.
/**
* Returns whether the specified certificate matches all the criteria
* collected in this instance.
*
* @param certificate
* the certificate to check.
* @return {@code true} if the certificate matches all the criteria,
* otherwise {@code false}.
*/
public boolean match(Certificate certificate) {
if (!(certificate instanceof X509Certificate)) {
return false;
}
X509Certificate cert = (X509Certificate) certificate;
if ((certificateEquals != null) && !certificateEquals.equals(cert)) {
return false;
}
if ((serialNumber != null) && !serialNumber.equals(cert.getSerialNumber())) {
return false;
}
if ((issuer != null) && !issuer.equals(cert.getIssuerX500Principal())) {
return false;
}
if ((subject != null) && !subject.equals(cert.getSubjectX500Principal())) {
return false;
}
if ((subjectKeyIdentifier != null) && !Arrays.equals(subjectKeyIdentifier, // are taken from rfc 3280 (http://www.ietf.org/rfc/rfc3280.txt)
getExtensionValue(cert, "2.5.29.14"))) {
return false;
}
if ((authorityKeyIdentifier != null) && !Arrays.equals(authorityKeyIdentifier, getExtensionValue(cert, "2.5.29.35"))) {
return false;
}
if (certificateValid != null) {
try {
cert.checkValidity(certificateValid);
} catch (CertificateExpiredException e) {
return false;
} catch (CertificateNotYetValidException e) {
return false;
}
}
if (privateKeyValid != null) {
try {
byte[] bytes = getExtensionValue(cert, "2.5.29.16");
if (bytes == null) {
return false;
}
PrivateKeyUsagePeriod pkup = (PrivateKeyUsagePeriod) PrivateKeyUsagePeriod.ASN1.decode(bytes);
Date notBefore = pkup.getNotBefore();
Date notAfter = pkup.getNotAfter();
if ((notBefore == null) && (notAfter == null)) {
return false;
}
if ((notBefore != null) && notBefore.compareTo(privateKeyValid) > 0) {
return false;
}
if ((notAfter != null) && notAfter.compareTo(privateKeyValid) < 0) {
return false;
}
} catch (IOException e) {
return false;
}
}
if (subjectPublicKeyAlgID != null) {
try {
byte[] encoding = cert.getPublicKey().getEncoded();
AlgorithmIdentifier ai = ((SubjectPublicKeyInfo) SubjectPublicKeyInfo.ASN1.decode(encoding)).getAlgorithmIdentifier();
if (!subjectPublicKeyAlgID.equals(ai.getAlgorithm())) {
return false;
}
} catch (IOException e) {
e.printStackTrace();
return false;
}
}
if (subjectPublicKey != null) {
if (!Arrays.equals(subjectPublicKey, cert.getPublicKey().getEncoded())) {
return false;
}
}
if (keyUsage != null) {
boolean[] ku = cert.getKeyUsage();
if (ku != null) {
int i = 0;
int min_length = (ku.length < keyUsage.length) ? ku.length : keyUsage.length;
for (; i < min_length; i++) {
if (keyUsage[i] && !ku[i]) {
// but certificate does not.
return false;
}
}
for (; i < keyUsage.length; i++) {
if (keyUsage[i]) {
return false;
}
}
}
}
if (extendedKeyUsage != null) {
try {
List keyUsage = cert.getExtendedKeyUsage();
if (keyUsage != null) {
if (!keyUsage.containsAll(extendedKeyUsage)) {
return false;
}
}
} catch (CertificateParsingException e) {
return false;
}
}
if (pathLen != -1) {
int p_len = cert.getBasicConstraints();
if ((pathLen < 0) && (p_len >= 0)) {
// need end-entity but got CA
return false;
}
if ((pathLen > 0) && (pathLen > p_len)) {
// allowed _pathLen is small
return false;
}
}
if (subjectAltNames != null) {
PASSED: try {
byte[] bytes = getExtensionValue(cert, "2.5.29.17");
if (bytes == null) {
return false;
}
List<GeneralName> sans = ((GeneralNames) GeneralNames.ASN1.decode(bytes)).getNames();
if ((sans == null) || (sans.size() == 0)) {
return false;
}
boolean[][] map = new boolean[9][];
// initialize the check map
for (int i = 0; i < 9; i++) {
map[i] = (subjectAltNames[i] == null) ? EmptyArray.BOOLEAN : new boolean[subjectAltNames[i].size()];
}
for (GeneralName name : sans) {
int tag = name.getTag();
for (int i = 0; i < map[tag].length; i++) {
if (subjectAltNames[tag].get(i).equals(name)) {
if (!matchAllNames) {
break PASSED;
}
map[tag][i] = true;
}
}
}
if (!matchAllNames) {
// there was not any match
return false;
}
// else check the map
for (int tag = 0; tag < 9; tag++) {
for (int name = 0; name < map[tag].length; name++) {
if (!map[tag][name]) {
return false;
}
}
}
} catch (IOException e) {
e.printStackTrace();
return false;
}
}
if (nameConstraints != null) {
if (!nameConstraints.isAcceptable(cert)) {
return false;
}
}
if (policies != null) {
byte[] bytes = getExtensionValue(cert, "2.5.29.32");
if (bytes == null) {
return false;
}
if (policies.size() == 0) {
// one policy in it.
return true;
}
PASSED: try {
List<PolicyInformation> policyInformations = ((CertificatePolicies) CertificatePolicies.ASN1.decode(bytes)).getPolicyInformations();
for (PolicyInformation policyInformation : policyInformations) {
if (policies.contains(policyInformation.getPolicyIdentifier())) {
break PASSED;
}
}
return false;
} catch (IOException e) {
// the extension is invalid
return false;
}
}
if (pathToNames != null) {
byte[] bytes = getExtensionValue(cert, "2.5.29.30");
if (bytes != null) {
NameConstraints nameConstraints;
try {
nameConstraints = (NameConstraints) NameConstraints.ASN1.decode(bytes);
} catch (IOException e) {
// the extension is invalid;
return false;
}
if (!nameConstraints.isAcceptable(pathToNames)) {
return false;
}
}
}
return true;
}
Also used :
NameConstraints(org.apache.harmony.security.x509.NameConstraints)
PolicyInformation(org.apache.harmony.security.x509.PolicyInformation)
IOException(java.io.IOException)
SubjectPublicKeyInfo(org.apache.harmony.security.x509.SubjectPublicKeyInfo)
Date(java.util.Date)
AlgorithmIdentifier(org.apache.harmony.security.x509.AlgorithmIdentifier)
ArrayList(java.util.ArrayList)
List(java.util.List)
GeneralName(org.apache.harmony.security.x509.GeneralName)
PrivateKeyUsagePeriod(org.apache.harmony.security.x509.PrivateKeyUsagePeriod)
Example 25 with AlgorithmIdentifier
use of com.android.apksig.internal.pkcs7.AlgorithmIdentifier in project XobotOS by xamarin.
the class JCEECPublicKey method getEncoded.
public byte[] getEncoded() {
ASN1Encodable params;
SubjectPublicKeyInfo info;
// BEGIN android-removed
// if (algorithm.equals("ECGOST3410"))
// {
// if (gostParams != null)
// {
// params = gostParams;
// }
// else
// {
// if (ecSpec instanceof ECNamedCurveSpec)
// {
// params = new GOST3410PublicKeyAlgParameters(
// ECGOST3410NamedCurves.getOID(((ECNamedCurveSpec)ecSpec).getName()),
// CryptoProObjectIdentifiers.gostR3411_94_CryptoProParamSet);
// }
// else
// { // strictly speaking this may not be applicable...
// ECCurve curve = EC5Util.convertCurve(ecSpec.getCurve());
//
// X9ECParameters ecP = new X9ECParameters(
// curve,
// EC5Util.convertPoint(curve, ecSpec.getGenerator(), withCompression),
// ecSpec.getOrder(),
// BigInteger.valueOf(ecSpec.getCofactor()),
// ecSpec.getCurve().getSeed());
//
// params = new X962Parameters(ecP);
// }
// }
//
// BigInteger bX = this.q.getX().toBigInteger();
// BigInteger bY = this.q.getY().toBigInteger();
// byte[] encKey = new byte[64];
//
// extractBytes(encKey, 0, bX);
// extractBytes(encKey, 32, bY);
//
// info = new SubjectPublicKeyInfo(new AlgorithmIdentifier(CryptoProObjectIdentifiers.gostR3410_2001, params.getDERObject()), new DEROctetString(encKey));
// }
// else
// END android-removed
{
if (ecSpec instanceof ECNamedCurveSpec) {
DERObjectIdentifier curveOid = ECUtil.getNamedCurveOid(((ECNamedCurveSpec) ecSpec).getName());
if (curveOid == null) {
curveOid = new DERObjectIdentifier(((ECNamedCurveSpec) ecSpec).getName());
}
params = new X962Parameters(curveOid);
} else if (ecSpec == null) {
params = new X962Parameters(DERNull.INSTANCE);
} else {
ECCurve curve = EC5Util.convertCurve(ecSpec.getCurve());
X9ECParameters ecP = new X9ECParameters(curve, EC5Util.convertPoint(curve, ecSpec.getGenerator(), withCompression), ecSpec.getOrder(), BigInteger.valueOf(ecSpec.getCofactor()), ecSpec.getCurve().getSeed());
params = new X962Parameters(ecP);
}
ECCurve curve = this.engineGetQ().getCurve();
ASN1OctetString p = (ASN1OctetString) new X9ECPoint(curve.createPoint(this.getQ().getX().toBigInteger(), this.getQ().getY().toBigInteger(), withCompression)).getDERObject();
info = new SubjectPublicKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, params.getDERObject()), p.getOctets());
}
return info.getDEREncoded();
}
Also used :
X962Parameters(org.bouncycastle.asn1.x9.X962Parameters)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
X9ECParameters(org.bouncycastle.asn1.x9.X9ECParameters)
X9ECPoint(org.bouncycastle.asn1.x9.X9ECPoint)
ECCurve(org.bouncycastle.math.ec.ECCurve)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
DERObjectIdentifier(org.bouncycastle.asn1.DERObjectIdentifier)
ECNamedCurveSpec(org.bouncycastle.jce.spec.ECNamedCurveSpec)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
Aggregations
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)249
IOException (java.io.IOException)144
AlgorithmIdentifier (com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)140
SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)75
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)71
BigInteger (java.math.BigInteger)60
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)55
X500Name (org.bouncycastle.asn1.x500.X500Name)50
X509Certificate (java.security.cert.X509Certificate)44
Date (java.util.Date)43
ContentSigner (org.bouncycastle.operator.ContentSigner)39
DEROctetString (org.bouncycastle.asn1.DEROctetString)38
OutputStream (java.io.OutputStream)37
ASN1ObjectIdentifier (com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)36
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)34
PrivateKeyInfo (org.bouncycastle.asn1.pkcs.PrivateKeyInfo)33
BcRSAContentSignerBuilder (org.bouncycastle.operator.bc.BcRSAContentSignerBuilder)33
DefaultDigestAlgorithmIdentifierFinder (org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder)31
DefaultSignatureAlgorithmIdentifierFinder (org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder)31
DEROctetString (com.github.zhenwei.core.asn1.DEROctetString)28
