use of com.android.apksig.internal.x509.Certificate in project snowflake-jdbc by snowflakedb.
the class SFTrustManager method getTrustManager.
/**
* Get TrustManager for the algorithm. This is mainly used to get the JVM default trust manager
* and cache all of the root CA.
*
* @param algorithm algorithm.
* @return TrustManager object.
*/
private X509TrustManager getTrustManager(String algorithm) {
try {
TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
factory.init((KeyStore) null);
X509TrustManager ret = null;
for (TrustManager tm : factory.getTrustManagers()) {
// Manager here.
if (tm instanceof X509TrustManager) {
ret = (X509TrustManager) tm;
break;
}
}
if (ret == null) {
return null;
}
synchronized (ROOT_CA_LOCK) {
// cache root CA certificates for later use.
if (ROOT_CA.isEmpty()) {
for (X509Certificate cert : ret.getAcceptedIssuers()) {
Certificate bcCert = Certificate.getInstance(cert.getEncoded());
ROOT_CA.put(bcCert.getSubject().hashCode(), bcCert);
}
}
}
return ret;
} catch (NoSuchAlgorithmException | KeyStoreException | CertificateEncodingException ex) {
throw new SSLInitializationException(ex.getMessage(), ex);
}
}
use of com.android.apksig.internal.x509.Certificate in project snowflake-jdbc by snowflakedb.
the class SFTrustManager method getPairIssuerSubject.
/**
* Creates a pair of Issuer and Subject certificates
*
* @param bcChain a list of bouncy castle Certificate
* @return a list of paif of Issuer and Subject certificates
*/
private List<SFPair<Certificate, Certificate>> getPairIssuerSubject(List<Certificate> bcChain) throws CertificateException {
List<SFPair<Certificate, Certificate>> pairIssuerSubject = new ArrayList<>();
for (int i = 0, len = bcChain.size(); i < len; ++i) {
Certificate bcCert = bcChain.get(i);
if (bcCert.getIssuer().equals(bcCert.getSubject())) {
// skipping ROOT CA
continue;
}
if (i < len - 1) {
pairIssuerSubject.add(SFPair.of(bcChain.get(i + 1), bcChain.get(i)));
} else {
// no root CA certificate is attached in the certificate chain, so
// getting one from the root CA from JVM.
Certificate issuer = ROOT_CA.get(bcCert.getIssuer().hashCode());
if (issuer == null) {
throw new CertificateException("Failed to find the root CA.", new SFOCSPException(OCSPErrorCode.NO_ROOTCA_FOUND, "Failed to find the root CA."));
}
pairIssuerSubject.add(SFPair.of(issuer, bcChain.get(i)));
}
}
return pairIssuerSubject;
}
use of com.android.apksig.internal.x509.Certificate in project bitbreeds-webrtc by IIlllII.
the class CertUtil method getCertFingerPrint.
/**
* @param alias alias
* @param pass password
* @param storePath path to keystore
* @return sha-256 string based on cert in keystore
*/
public static String getCertFingerPrint(String storePath, String alias, String pass) {
try {
Certificate cert = DTLSUtils.loadCert(storePath, alias, pass);
byte[] der = cert.getEncoded();
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] dat = md.digest(der);
String fingerprint = createFingerprintString(dat);
logger.info("Local cert signature is {} ", fingerprint);
return fingerprint;
} catch (Exception e) {
logger.error("Failed to create cert fingerprint from {}", storePath, e);
throw new IllegalStateException("Loading certificate failed");
}
}
use of com.android.apksig.internal.x509.Certificate in project apksig by venshine.
the class ApkSigningBlockUtils method generateSignaturesOverData.
/**
* uses the SignatureAlgorithms in the provided signerConfig to sign the provided data
*
* @return list of signature algorithm IDs and their corresponding signatures over the data.
*/
public static List<Pair<Integer, byte[]>> generateSignaturesOverData(SignerConfig signerConfig, byte[] data) throws InvalidKeyException, NoSuchAlgorithmException, SignatureException {
List<Pair<Integer, byte[]>> signatures = new ArrayList<>(signerConfig.signatureAlgorithms.size());
PublicKey publicKey = signerConfig.certificates.get(0).getPublicKey();
for (SignatureAlgorithm signatureAlgorithm : signerConfig.signatureAlgorithms) {
Pair<String, ? extends AlgorithmParameterSpec> sigAlgAndParams = signatureAlgorithm.getJcaSignatureAlgorithmAndParams();
String jcaSignatureAlgorithm = sigAlgAndParams.getFirst();
AlgorithmParameterSpec jcaSignatureAlgorithmParams = sigAlgAndParams.getSecond();
byte[] signatureBytes;
try {
Signature signature = Signature.getInstance(jcaSignatureAlgorithm);
signature.initSign(signerConfig.privateKey);
if (jcaSignatureAlgorithmParams != null) {
signature.setParameter(jcaSignatureAlgorithmParams);
}
signature.update(data);
signatureBytes = signature.sign();
} catch (InvalidKeyException e) {
throw new InvalidKeyException("Failed to sign using " + jcaSignatureAlgorithm, e);
} catch (InvalidAlgorithmParameterException | SignatureException e) {
throw new SignatureException("Failed to sign using " + jcaSignatureAlgorithm, e);
}
try {
Signature signature = Signature.getInstance(jcaSignatureAlgorithm);
signature.initVerify(publicKey);
if (jcaSignatureAlgorithmParams != null) {
signature.setParameter(jcaSignatureAlgorithmParams);
}
signature.update(data);
if (!signature.verify(signatureBytes)) {
throw new SignatureException("Failed to verify generated " + jcaSignatureAlgorithm + " signature using public key from certificate");
}
} catch (InvalidKeyException e) {
throw new InvalidKeyException("Failed to verify generated " + jcaSignatureAlgorithm + " signature using" + " public key from certificate", e);
} catch (InvalidAlgorithmParameterException | SignatureException e) {
throw new SignatureException("Failed to verify generated " + jcaSignatureAlgorithm + " signature using" + " public key from certificate", e);
}
signatures.add(Pair.of(signatureAlgorithm.getId(), signatureBytes));
}
return signatures;
}
use of com.android.apksig.internal.x509.Certificate in project apksig by venshine.
the class X509CertificateUtils method generateCertificates.
/**
* Generates a {@code Collection} of {@code Certificate} objects from the encoded {@code
* InputStream} using the provided {@code CertificateFactory}.
*
* @throws CertificateException if the InputStream cannot be decoded to zero or more valid
* {@code Certificates} objects.
*/
public static Collection<? extends java.security.cert.Certificate> generateCertificates(InputStream in, CertificateFactory certFactory) throws CertificateException {
// Since the InputStream is not guaranteed to support mark / reset operations first read it
// into a byte array to allow using the BER parser / DER encoder if it cannot be read by
// the CertificateFactory.
byte[] encodedCerts;
try {
encodedCerts = ByteStreams.toByteArray(in);
} catch (IOException e) {
throw new CertificateException("Failed to read the input stream", e);
}
try {
return certFactory.generateCertificates(new ByteArrayInputStream(encodedCerts));
} catch (CertificateException e) {
// This could be expected if the certificates are encoded using a BER encoding that does
// not use the minimum number of bytes to represent the length of the contents; attempt
// to decode the certificates using the BER parser and re-encode using the DER encoder
// below.
}
try {
Collection<X509Certificate> certificates = new ArrayList<>(1);
ByteBuffer encodedCertsBuffer = ByteBuffer.wrap(encodedCerts);
while (encodedCertsBuffer.hasRemaining()) {
ByteBuffer certBuffer = getNextDEREncodedCertificateBlock(encodedCertsBuffer);
int startingPos = certBuffer.position();
Certificate reencodedCert = Asn1BerParser.parse(certBuffer, Certificate.class);
byte[] reencodedForm = Asn1DerEncoder.encode(reencodedCert);
X509Certificate certificate = (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(reencodedForm));
byte[] originalEncoding = new byte[certBuffer.position() - startingPos];
certBuffer.position(startingPos);
certBuffer.get(originalEncoding);
GuaranteedEncodedFormX509Certificate guaranteedEncodedCert = new GuaranteedEncodedFormX509Certificate(certificate, originalEncoding);
certificates.add(guaranteedEncodedCert);
}
return certificates;
} catch (Asn1DecodingException | Asn1EncodingException e) {
throw new CertificateException("Failed to parse certificates", e);
}
}
Aggregations