use of com.github.zhenwei.core.asn1.DERIA5String in project athenz by yahoo.
the class ZTSClient method generateRoleCertificateRequest.
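/**
 * Generate a Role Certificate request that could be sent to ZTS
 * to obtain a X509 Certificate for the requested role.
 *
 * <p>The CSR subject is {@code cn=<roleDomain><ROLE_SEP><roleName>}, followed by
 * {@code csrDn} when one is given. Four SAN entries are added: a dNSName and an
 * rfc822Name derived from the principal, a SPIFFE URI for the role, and a
 * principal URI.
 *
 * <p>Name components are lower-cased with {@link java.util.Locale#ROOT} so the
 * identity strings placed in the CSR do not depend on the JVM's default locale
 * (for example, a Turkish default locale maps {@code I} to a dotless i, which
 * would change the requested identity).
 *
 * <p>NOTE(review): the name components and {@code csrDn} are concatenated into the
 * DN, host name, e-mail and URIs without escaping or validation in this method.
 * It relies on callers passing well-formed Athenz names; confirm where that
 * validation happens.
 *
 * @param principalDomain name of the principal's domain
 * @param principalService name of the principal's service
 * @param roleDomainName name of the domain where role is defined
 * @param roleName name of the role to get a certificate request for
 * @param privateKey private key for the service identity for the caller
 * @param csrDn string identifying the dn for the csr without the cn component
 * @param csrDomain string identifying the dns domain for generating SAN fields
 * @param expiryTime number of minutes to request certificate to be valid for
 * @return RoleCertificateRequest object carrying the generated CSR and the expiry time
 * @throws IllegalArgumentException if the principal domain/service, the role
 *         domain/name or the CSR domain is null
 * @throws ZTSClientException with BAD_REQUEST if the CSR cannot be generated
 */
public static RoleCertificateRequest generateRoleCertificateRequest(
        final String principalDomain, final String principalService,
        final String roleDomainName, final String roleName, PrivateKey privateKey,
        final String csrDn, final String csrDomain, int expiryTime) {

    if (principalDomain == null || principalService == null) {
        throw new IllegalArgumentException("Principal's Domain and Service must be specified");
    }
    if (roleDomainName == null || roleName == null) {
        throw new IllegalArgumentException("Role DomainName and Name must be specified");
    }
    if (csrDomain == null) {
        throw new IllegalArgumentException("X509 CSR Domain must be specified");
    }

    // Athenz uses lower case for all elements, so let's
    // generate our dn which will be our role resource value.
    // Locale.ROOT keeps the mapping identical on every host.
    final String domain = principalDomain.toLowerCase(java.util.Locale.ROOT);
    final String service = principalService.toLowerCase(java.util.Locale.ROOT);
    final String rnDomain = roleDomainName.toLowerCase(java.util.Locale.ROOT);
    final String rnName = roleName.toLowerCase(java.util.Locale.ROOT);

    String dn = "cn=" + rnDomain + AuthorityConsts.ROLE_SEP + rnName;
    if (csrDn != null) {
        dn = dn.concat(",").concat(csrDn);
    }

    // now let's generate our dnsName and email fields which will be based on
    // our principal's details; dots in the domain become dashes in the host name
    final String hostName = service + '.' + domain.replace('.', '-') + '.' + csrDomain;
    final String email = domain + "." + service + "@" + csrDomain;

    GeneralName[] sanArray = new GeneralName[4];
    sanArray[0] = new GeneralName(GeneralName.dNSName, new DERIA5String(hostName));
    sanArray[1] = new GeneralName(GeneralName.rfc822Name, new DERIA5String(email));

    final String spiffeUri = SPIFFE_URI + rnDomain + SPIFFE_COMP_ROLE + rnName;
    sanArray[2] = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(spiffeUri));

    final String principalUri = AuthorityConsts.ZTS_CERT_PRINCIPAL_URI + domain + "." + service;
    sanArray[3] = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(principalUri));

    String csr;
    try {
        csr = Crypto.generateX509CSR(privateKey, dn, sanArray);
    } catch (OperatorCreationException | IOException ex) {
        // NOTE(review): only the message is forwarded and the cause is dropped;
        // no ZTSClientException constructor accepting a cause is visible here.
        throw new ZTSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
    }

    return new RoleCertificateRequest().setCsr(csr).setExpiryTime(expiryTime);
}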
use of com.github.zhenwei.core.asn1.DERIA5String in project athenz by yahoo.
the class CryptoTest method testX509CSRrequestWithPrivateKeyOnly.
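/**
 * Generates a CSR from the private key alone for each row of the
 * {@code x500Principal} data provider and checks the outcome against the
 * row's {@code badRequest} flag.
 *
 * <p>A row marked as a bad request must make CSR generation throw. Without
 * that assertion a negative row would pass even if the malformed principal
 * were accepted, so the test would not guard the rejection path.
 *
 * @param x500Principal subject DN handed to {@code Crypto.generateX509CSR}
 * @param badRequest true when generation is expected to fail for this DN
 */
@Test(dataProvider = "x500Principal")
public void testX509CSRrequestWithPrivateKeyOnly(String x500Principal, boolean badRequest) {
    PrivateKey privateKey = Crypto.loadPrivateKey(rsaPrivateKey);

    GeneralName otherName1 = new GeneralName(GeneralName.otherName, new DERIA5String("role1"));
    GeneralName otherName2 = new GeneralName(GeneralName.otherName, new DERIA5String("role2"));
    GeneralName[] sanArray = new GeneralName[] { otherName1, otherName2 };

    String certRequest = null;
    boolean generated = false;
    try {
        certRequest = Crypto.generateX509CSR(privateKey, x500Principal, sanArray);
        generated = true;
    } catch (Exception expected) {
        // An exception is the expected outcome only for bad-request rows.
        if (!badRequest) {
            fail("Should not have failed to create csr");
        }
    }

    if (badRequest) {
        // Checked outside the try block so the negative case is asserted explicitly.
        if (generated) {
            fail("Should have failed to create csr for " + x500Principal);
        }
        return;
    }

    // Now validate the csr
    Crypto.getPKCS10CertRequest(certRequest);
}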
use of com.github.zhenwei.core.asn1.DERIA5String in project XobotOS by xamarin.
the class ASN1Dump method _dumpAsString.
/**
* Append a formatted, indented dump of a DER object to {@code buf}, recursing
* into constructed types (sequences, tagged objects, sets and externals).
*
* NOTE(review): the recursion depth follows the nesting of the input and no
* depth limit is applied in this method, so a deeply nested structure can
* exhaust the stack when the object comes from an untrusted source.
*
* NOTE(review): string, OID and time values are appended verbatim. If the dump
* of untrusted ASN.1 is written to a log, line breaks or control characters in
* those values reach the output unescaped.
*
* @param indent prefix written before each line emitted at this nesting level
* @param verbose when true, octet-string and bit-string contents are dumped via
*        dumpBinaryDataAsString instead of only their lengths; also forwarded to
*        outputApplicationSpecific
* @param obj the DERObject to be dumped out.
* @param buf buffer the dump text is appended to
*/
static void _dumpAsString(String indent, boolean verbose, DERObject obj, StringBuffer buf) {
String nl = System.getProperty("line.separator");
// The branch order below is significant: the BER variant of a type is tested
// before the DER variant (presumably because the BER classes are subtypes of
// the DER ones; confirm against the class hierarchy).
if (obj instanceof ASN1Sequence) {
Enumeration e = ((ASN1Sequence) obj).getObjects();
// Children are written one TAB deeper than the container's own line.
String tab = indent + TAB;
buf.append(indent);
if (obj instanceof BERSequence) {
buf.append("BER Sequence");
} else if (obj instanceof DERSequence) {
buf.append("DER Sequence");
} else {
buf.append("Sequence");
}
buf.append(nl);
while (e.hasMoreElements()) {
Object o = e.nextElement();
// BEGIN android-changed
if (o == null || o.equals(DERNull.INSTANCE)) // END android-changed
{
buf.append(tab);
buf.append("NULL");
buf.append(nl);
} else if (o instanceof DERObject) {
_dumpAsString(tab, verbose, (DERObject) o, buf);
} else {
// Anything that is not already a DERObject is cast to DEREncodable; an
// element of another type would fail here with a ClassCastException.
_dumpAsString(tab, verbose, ((DEREncodable) o).getDERObject(), buf);
}
}
} else if (obj instanceof DERTaggedObject) {
String tab = indent + TAB;
buf.append(indent);
if (obj instanceof BERTaggedObject) {
buf.append("BER Tagged [");
} else {
buf.append("Tagged [");
}
DERTaggedObject o = (DERTaggedObject) obj;
buf.append(Integer.toString(o.getTagNo()));
buf.append(']');
if (!o.isExplicit()) {
buf.append(" IMPLICIT ");
}
buf.append(nl);
if (o.isEmpty()) {
buf.append(tab);
buf.append("EMPTY");
buf.append(nl);
} else {
_dumpAsString(tab, verbose, o.getObject(), buf);
}
} else if (obj instanceof BERSet) {
Enumeration e = ((ASN1Set) obj).getObjects();
String tab = indent + TAB;
buf.append(indent);
buf.append("BER Set");
buf.append(nl);
// Unlike the sequence branch, set elements are only checked for null, not
// for DERNull.INSTANCE.
while (e.hasMoreElements()) {
Object o = e.nextElement();
if (o == null) {
buf.append(tab);
buf.append("NULL");
buf.append(nl);
} else if (o instanceof DERObject) {
_dumpAsString(tab, verbose, (DERObject) o, buf);
} else {
_dumpAsString(tab, verbose, ((DEREncodable) o).getDERObject(), buf);
}
}
} else if (obj instanceof DERSet) {
Enumeration e = ((ASN1Set) obj).getObjects();
String tab = indent + TAB;
buf.append(indent);
buf.append("DER Set");
buf.append(nl);
while (e.hasMoreElements()) {
Object o = e.nextElement();
if (o == null) {
buf.append(tab);
buf.append("NULL");
buf.append(nl);
} else if (o instanceof DERObject) {
_dumpAsString(tab, verbose, (DERObject) o, buf);
} else {
_dumpAsString(tab, verbose, ((DEREncodable) o).getDERObject(), buf);
}
}
// Primitive types: one line each, value printed inside the type label.
} else if (obj instanceof DERObjectIdentifier) {
buf.append(indent + "ObjectIdentifier(" + ((DERObjectIdentifier) obj).getId() + ")" + nl);
} else if (obj instanceof DERBoolean) {
buf.append(indent + "Boolean(" + ((DERBoolean) obj).isTrue() + ")" + nl);
} else if (obj instanceof DERInteger) {
buf.append(indent + "Integer(" + ((DERInteger) obj).getValue() + ")" + nl);
} else if (obj instanceof BERConstructedOctetString) {
ASN1OctetString oct = (ASN1OctetString) obj;
buf.append(indent + "BER Constructed Octet String" + "[" + oct.getOctets().length + "] ");
// The binary helper is expected to end the line itself; only the
// non-verbose path appends the line separator here.
if (verbose) {
buf.append(dumpBinaryDataAsString(indent, oct.getOctets()));
} else {
buf.append(nl);
}
} else if (obj instanceof DEROctetString) {
ASN1OctetString oct = (ASN1OctetString) obj;
buf.append(indent + "DER Octet String" + "[" + oct.getOctets().length + "] ");
if (verbose) {
buf.append(dumpBinaryDataAsString(indent, oct.getOctets()));
} else {
buf.append(nl);
}
} else if (obj instanceof DERBitString) {
DERBitString bt = (DERBitString) obj;
// Printed as [byte length, pad bits].
buf.append(indent + "DER Bit String" + "[" + bt.getBytes().length + ", " + bt.getPadBits() + "] ");
if (verbose) {
buf.append(dumpBinaryDataAsString(indent, bt.getBytes()));
} else {
buf.append(nl);
}
// String types: the decoded value is written as-is, without escaping.
} else if (obj instanceof DERIA5String) {
buf.append(indent + "IA5String(" + ((DERIA5String) obj).getString() + ") " + nl);
} else if (obj instanceof DERUTF8String) {
buf.append(indent + "UTF8String(" + ((DERUTF8String) obj).getString() + ") " + nl);
} else if (obj instanceof DERPrintableString) {
buf.append(indent + "PrintableString(" + ((DERPrintableString) obj).getString() + ") " + nl);
} else if (obj instanceof DERVisibleString) {
buf.append(indent + "VisibleString(" + ((DERVisibleString) obj).getString() + ") " + nl);
} else if (obj instanceof DERBMPString) {
buf.append(indent + "BMPString(" + ((DERBMPString) obj).getString() + ") " + nl);
} else if (obj instanceof DERT61String) {
buf.append(indent + "T61String(" + ((DERT61String) obj).getString() + ") " + nl);
} else if (obj instanceof DERUTCTime) {
buf.append(indent + "UTCTime(" + ((DERUTCTime) obj).getTime() + ") " + nl);
} else if (obj instanceof DERGeneralizedTime) {
buf.append(indent + "GeneralizedTime(" + ((DERGeneralizedTime) obj).getTime() + ") " + nl);
} else if (obj instanceof DERUnknownTag) {
// Unknown tags are shown as the tag number in hex followed by the hex-encoded data.
buf.append(indent + "Unknown " + Integer.toString(((DERUnknownTag) obj).getTag(), 16) + " " + new String(Hex.encode(((DERUnknownTag) obj).getData())) + nl);
} else if (obj instanceof BERApplicationSpecific) {
buf.append(outputApplicationSpecific("BER", indent, verbose, obj, nl));
} else if (obj instanceof DERApplicationSpecific) {
buf.append(outputApplicationSpecific("DER", indent, verbose, obj, nl));
} else if (obj instanceof DEREnumerated) {
DEREnumerated en = (DEREnumerated) obj;
buf.append(indent + "DER Enumerated(" + en.getValue() + ")" + nl);
} else if (obj instanceof DERExternal) {
DERExternal ext = (DERExternal) obj;
buf.append(indent + "External " + nl);
String tab = indent + TAB;
// The reference and descriptor fields are optional and skipped when null.
if (ext.getDirectReference() != null) {
buf.append(tab + "Direct Reference: " + ext.getDirectReference().getId() + nl);
}
if (ext.getIndirectReference() != null) {
buf.append(tab + "Indirect Reference: " + ext.getIndirectReference().toString() + nl);
}
if (ext.getDataValueDescriptor() != null) {
_dumpAsString(tab, verbose, ext.getDataValueDescriptor(), buf);
}
buf.append(tab + "Encoding: " + ext.getEncoding() + nl);
_dumpAsString(tab, verbose, ext.getExternalContent(), buf);
} else {
// Fallback for any type without a dedicated branch.
buf.append(indent + obj.toString() + nl);
}
}
use of com.github.zhenwei.core.asn1.DERIA5String in project XobotOS by xamarin.
the class NetscapeCertRequest method sign.
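/**
 * Signs this request and stores the signature in {@code sigBits}.
 *
 * <p>The signed data is the DER encoding of a SEQUENCE holding the key spec
 * returned by {@code getKeySpec()} and the challenge as an IA5String. The
 * signature algorithm is taken from {@code sigAlg} and resolved through the
 * "BC" provider.
 *
 * @param priv_key private key used to produce the signature
 * @param rand source of randomness for the signature, or null to use the
 *        provider's default
 * @throws NoSuchAlgorithmException if the signature algorithm is not available
 * @throws NoSuchProviderException if the "BC" provider is not registered
 * @throws InvalidKeyException if the key cannot be used with the algorithm
 * @throws SignatureException if signing fails or the data cannot be DER-encoded;
 *         in the latter case the underlying IOException is kept as the cause
 * @throws InvalidKeySpecException declared by the original signature
 */
public void sign(PrivateKey priv_key, SecureRandom rand) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException, NoSuchProviderException, InvalidKeySpecException {
    Signature sig = Signature.getInstance(sigAlg.getObjectId().getId(), "BC");

    if (rand != null) {
        sig.initSign(priv_key, rand);
    } else {
        sig.initSign(priv_key);
    }

    ASN1EncodableVector pkac = new ASN1EncodableVector();
    pkac.add(getKeySpec());
    pkac.add(new DERIA5String(challenge));

    try {
        sig.update(new DERSequence(pkac).getEncoded(ASN1Encodable.DER));
    } catch (IOException ioe) {
        // Keep the encoding failure as the cause so the stack trace is not lost.
        throw new SignatureException(ioe.getMessage(), ioe);
    }

    sigBits = sig.sign();
}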
use of com.github.zhenwei.core.asn1.DERIA5String in project android_frameworks_base by AOSPA.
the class ESTHandler method buildCSR.
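/**
 * Builds an encoded PKCS#10 certification request from a decoded
 * {@code /csrattrs} response.
 *
 * <p>The response must decode to exactly one constructed ASN.1 object. Its
 * children select the signature and key algorithm, optionally an ECC curve or
 * a key size, and the identity attributes (MAC, IMEI, MEID, device id, TLS
 * channel binding) to embed. A fresh key pair is generated and its private
 * half is stored in {@code mClientKey}.
 *
 * <p>The attribute data is supplied by the remote peer, so it is treated as
 * untrusted: a key size outside the non-negative {@code int} range is rejected
 * instead of being silently truncated, and an algorithm OID with no JCE name
 * is reported as an {@link IOException} rather than failing later on a null
 * name. The summary log line lists only the OIDs of the identity attributes,
 * not their values, so device identifiers and the channel binding are kept
 * out of the log.
 *
 * <p>NOTE(review): no upper bound is applied to the requested RSA key size; a
 * very large value makes key generation expensive. Consider capping it.
 *
 * @param octetBuffer encoded CSR attributes to decode
 * @param omadmAdapter source of the device identifiers
 * @param httpHandler source of the TLS unique channel binding
 * @return the encoded PKCS#10 certification request
 * @throws IOException if the attributes are malformed, inconsistent or name an
 *         unsupported algorithm
 * @throws GeneralSecurityException if key generation or signing fails
 */
private byte[] buildCSR(ByteBuffer octetBuffer, OMADMAdapter omadmAdapter, HTTPHandler httpHandler) throws IOException, GeneralSecurityException {
    Log.d(TAG, "/csrattrs:");

    Collection<Asn1Object> csrs = Asn1Decoder.decode(octetBuffer);
    for (Asn1Object asn1Object : csrs) {
        Log.d(TAG, asn1Object.toString());
    }

    if (csrs.size() != 1) {
        throw new IOException("Unexpected object count in CSR attributes response: " + csrs.size());
    }

    Asn1Object sequence = csrs.iterator().next();
    if (sequence.getClass() != Asn1Constructed.class) {
        throw new IOException("Unexpected CSR attribute container: " + sequence);
    }

    String keyAlgo = null;
    Asn1Oid keyAlgoOID = null;
    String sigAlgo = null;
    String curveName = null;
    Asn1Oid pubCrypto = null;
    int keySize = -1;   // -1 means "no size suggested"
    Map<Asn1Oid, ASN1Encodable> idAttributes = new HashMap<>();

    for (Asn1Object child : sequence.getChildren()) {
        if (child.getTag() == Asn1Decoder.TAG_OID) {
            // A bare OID is either a signature algorithm or the challengePassword marker.
            Asn1Oid oid = (Asn1Oid) child;
            OidMappings.SigEntry sigEntry = OidMappings.getSigEntry(oid);
            if (sigEntry != null) {
                sigAlgo = sigEntry.getSigAlgo();
                keyAlgoOID = sigEntry.getKeyAlgo();
                keyAlgo = OidMappings.getJCEName(keyAlgoOID);
            } else if (oid.equals(OidMappings.sPkcs9AtChallengePassword)) {
                byte[] tlsUnique = httpHandler.getTLSUnique();
                if (tlsUnique != null) {
                    // NOTE(review): Base64.DEFAULT may append a line terminator to the
                    // encoded value; confirm the peer accepts that in a PrintableString.
                    idAttributes.put(oid, new DERPrintableString(Base64.encodeToString(tlsUnique, Base64.DEFAULT)));
                } else {
                    Log.w(TAG, "Cannot retrieve TLS unique channel binding");
                }
            }
        } else if (child.getTag() == Asn1Decoder.TAG_SEQ) {
            // An attribute: one OID plus a SET of values, split into OID and non-OID values.
            Asn1Oid oid = null;
            Set<Asn1Oid> oidValues = new HashSet<>();
            List<Asn1Object> values = new ArrayList<>();
            for (Asn1Object attributeSeq : child.getChildren()) {
                if (attributeSeq.getTag() == Asn1Decoder.TAG_OID) {
                    oid = (Asn1Oid) attributeSeq;
                } else if (attributeSeq.getTag() == Asn1Decoder.TAG_SET) {
                    for (Asn1Object value : attributeSeq.getChildren()) {
                        if (value.getTag() == Asn1Decoder.TAG_OID) {
                            oidValues.add((Asn1Oid) value);
                        } else {
                            values.add(value);
                        }
                    }
                }
            }
            if (oid == null) {
                throw new IOException("Invalid attribute, no OID");
            }

            if (oid.equals(OidMappings.sExtensionRequest)) {
                // The peer asks for device identifiers; only known ID attributes are answered.
                for (Asn1Oid subOid : oidValues) {
                    if (OidMappings.isIDAttribute(subOid)) {
                        if (subOid.equals(OidMappings.sMAC)) {
                            idAttributes.put(subOid, new DERIA5String(omadmAdapter.getMAC()));
                        } else if (subOid.equals(OidMappings.sIMEI)) {
                            idAttributes.put(subOid, new DERIA5String(omadmAdapter.getImei()));
                        } else if (subOid.equals(OidMappings.sMEID)) {
                            idAttributes.put(subOid, new DERBitString(omadmAdapter.getMeid()));
                        } else if (subOid.equals(OidMappings.sDevID)) {
                            idAttributes.put(subOid, new DERPrintableString(omadmAdapter.getDevID()));
                        }
                    }
                }
            } else if (OidMappings.getCryptoID(oid) != null) {
                pubCrypto = oid;
                for (Asn1Object value : values) {
                    if (value.getTag() == Asn1Decoder.TAG_INTEGER) {
                        // Reject instead of narrowing: a value outside the int range
                        // would otherwise wrap to an unrelated key size.
                        long requested = ((Asn1Integer) value).getValue();
                        if (requested < 0 || requested > Integer.MAX_VALUE) {
                            throw new IOException("Invalid key size in CSR attributes: " + requested);
                        }
                        keySize = (int) requested;
                    }
                }
                if (oid.equals(OidMappings.sAlgo_EC)) {
                    if (oidValues.isEmpty()) {
                        throw new IOException("No ECC curve name provided");
                    }
                    // First curve OID with a known JCE name wins.
                    for (Asn1Oid value : oidValues) {
                        curveName = OidMappings.getJCEName(value);
                        if (curveName != null) {
                            break;
                        }
                    }
                    if (curveName == null) {
                        throw new IOException("Found no ECC curve for " + oidValues);
                    }
                }
            }
        }
    }

    if (keyAlgoOID == null) {
        throw new IOException("No public key algorithm specified");
    }
    if (keyAlgo == null) {
        // Without this check KeyPairGenerator.getInstance would be handed a null name.
        throw new IOException("Unsupported public key algorithm: " + keyAlgoOID);
    }
    if (pubCrypto != null && !pubCrypto.equals(keyAlgoOID)) {
        throw new IOException("Mismatching key algorithms");
    }

    if (keyAlgoOID.equals(OidMappings.sAlgo_RSA)) {
        // Never go below the local minimum, whatever the peer suggests.
        if (keySize < MinRSAKeySize) {
            if (keySize >= 0) {
                Log.i(TAG, "Upgrading suggested RSA key size from " + keySize + " to " + MinRSAKeySize);
            }
            keySize = MinRSAKeySize;
        }
    }

    // Only the attribute OIDs are logged; the values hold device identifiers
    // and the TLS channel binding.
    Log.d(TAG, String.format("pub key '%s', signature '%s', ECC curve '%s', id-atts %s", keyAlgo, sigAlgo, curveName, idAttributes.keySet()));

    /*
    Ruckus:
    SEQUENCE:
    OID=1.2.840.113549.1.1.11 (algo_id_sha256WithRSAEncryption)
    RFC-7030:
    SEQUENCE:
    OID=1.2.840.113549.1.9.7 (challengePassword)
    SEQUENCE:
    OID=1.2.840.10045.2.1 (algo_id_ecPublicKey)
    SET:
    OID=1.3.132.0.34 (secp384r1)
    SEQUENCE:
    OID=1.2.840.113549.1.9.14 (extensionRequest)
    SET:
    OID=1.3.6.1.1.1.1.22 (mac-address)
    OID=1.2.840.10045.4.3.3 (eccdaWithSHA384)
    1L, 3L, 6L, 1L, 1L, 1L, 1L, 22
    */

    // ECC Does not appear to be supported currently
    KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlgo);
    if (curveName != null) {
        AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance(keyAlgo);
        algorithmParameters.init(new ECNamedCurveGenParameterSpec(curveName));
        kpg.initialize(algorithmParameters.getParameterSpec(ECNamedCurveGenParameterSpec.class));
    } else {
        // NOTE(review): for a non-RSA algorithm with no curve and no suggested
        // size, keySize is still -1 here.
        kpg.initialize(keySize);
    }
    KeyPair kp = kpg.generateKeyPair();

    X500Principal subject = new X500Principal("CN=Android, O=Google, C=US");

    mClientKey = kp.getPrivate();

    // !!! Map the idAttributes into an ASN1Set of values to pass to
    // the PKCS10CertificationRequest - this code is using outdated BC classes and
    // has *not* been tested.
    ASN1Set attributes;
    if (!idAttributes.isEmpty()) {
        ASN1EncodableVector payload = new DEREncodableVector();
        for (Map.Entry<Asn1Oid, ASN1Encodable> entry : idAttributes.entrySet()) {
            DERObjectIdentifier type = new DERObjectIdentifier(entry.getKey().toOIDString());
            ASN1Set values = new DERSet(entry.getValue());
            Attribute attribute = new Attribute(type, values);
            payload.add(attribute);
        }
        attributes = new DERSet(payload);
    } else {
        attributes = null;
    }

    return new PKCS10CertificationRequest(sigAlgo, subject, kp.getPublic(), attributes, mClientKey).getEncoded();
}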