Search in sources :

Example 1 with EncryptedPrivateKeyData

use of com.github.zhenwei.core.asn1.bc.EncryptedPrivateKeyData in project LinLong-Java by zhenwei1108.

the class BcFKSKeyStoreSpi method engineSetKeyEntry.

public void engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain) throws KeyStoreException {
    Date creationDate = new Date();
    Date lastEditDate = creationDate;
    ObjectData entry = (ObjectData) entries.get(alias);
    if (entry != null) {
        creationDate = extractCreationDate(entry, creationDate);
    }
    privateKeyCache.remove(alias);
    if (key instanceof PrivateKey) {
        if (chain == null) {
            throw new KeyStoreException("BCFKS KeyStore requires a certificate chain for private key storage.");
        }
        try {
            // check that the key pair and the certificate public are consistent
            // TODO: new ConsistentKeyPair(chain[0].getPublicKey(), (PrivateKey)key);
            byte[] encodedKey = key.getEncoded();
            KeyDerivationFunc pbkdAlgId = generatePkbdAlgorithmIdentifier(PKCSObjectIdentifiers.id_PBKDF2, 256 / 8);
            byte[] keyBytes = generateKey(pbkdAlgId, "PRIVATE_KEY_ENCRYPTION", ((password != null) ? password : new char[0]), 32);
            EncryptedPrivateKeyInfo keyInfo;
            if (storeEncryptionAlgorithm.equals(NISTObjectIdentifiers.id_aes256_CCM)) {
                Cipher c = createCipher("AES/CCM/NoPadding", keyBytes);
                byte[] encryptedKey = c.doFinal(encodedKey);
                AlgorithmParameters algParams = c.getParameters();
                PBES2Parameters pbeParams = new PBES2Parameters(pbkdAlgId, new EncryptionScheme(NISTObjectIdentifiers.id_aes256_CCM, CCMParameters.getInstance(algParams.getEncoded())));
                keyInfo = new EncryptedPrivateKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.id_PBES2, pbeParams), encryptedKey);
            } else {
                Cipher c = createCipher("AESKWP", keyBytes);
                byte[] encryptedKey = c.doFinal(encodedKey);
                PBES2Parameters pbeParams = new PBES2Parameters(pbkdAlgId, new EncryptionScheme(NISTObjectIdentifiers.id_aes256_wrap_pad));
                keyInfo = new EncryptedPrivateKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.id_PBES2, pbeParams), encryptedKey);
            }
            EncryptedPrivateKeyData keySeq = createPrivateKeySequence(keyInfo, chain);
            entries.put(alias, new ObjectData(PRIVATE_KEY, alias, creationDate, lastEditDate, keySeq.getEncoded(), null));
        } catch (Exception e) {
            throw new ExtKeyStoreException("BCFKS KeyStore exception storing private key: " + e.toString(), e);
        }
    } else if (key instanceof SecretKey) {
        if (chain != null) {
            throw new KeyStoreException("BCFKS KeyStore cannot store certificate chain with secret key.");
        }
        try {
            byte[] encodedKey = key.getEncoded();
            KeyDerivationFunc pbkdAlgId = generatePkbdAlgorithmIdentifier(PKCSObjectIdentifiers.id_PBKDF2, 256 / 8);
            byte[] keyBytes = generateKey(pbkdAlgId, "SECRET_KEY_ENCRYPTION", ((password != null) ? password : new char[0]), 32);
            String keyAlg = Strings.toUpperCase(key.getAlgorithm());
            SecretKeyData secKeyData;
            if (keyAlg.indexOf("AES") > -1) {
                secKeyData = new SecretKeyData(NISTObjectIdentifiers.aes, encodedKey);
            } else {
                ASN1ObjectIdentifier algOid = (ASN1ObjectIdentifier) oidMap.get(keyAlg);
                if (algOid != null) {
                    secKeyData = new SecretKeyData(algOid, encodedKey);
                } else {
                    algOid = (ASN1ObjectIdentifier) oidMap.get(keyAlg + "." + (encodedKey.length * 8));
                    if (algOid != null) {
                        secKeyData = new SecretKeyData(algOid, encodedKey);
                    } else {
                        throw new KeyStoreException("BCFKS KeyStore cannot recognize secret key (" + keyAlg + ") for storage.");
                    }
                }
            }
            EncryptedSecretKeyData keyData;
            if (storeEncryptionAlgorithm.equals(NISTObjectIdentifiers.id_aes256_CCM)) {
                Cipher c = createCipher("AES/CCM/NoPadding", keyBytes);
                byte[] encryptedKey = c.doFinal(secKeyData.getEncoded());
                AlgorithmParameters algParams = c.getParameters();
                PBES2Parameters pbeParams = new PBES2Parameters(pbkdAlgId, new EncryptionScheme(NISTObjectIdentifiers.id_aes256_CCM, CCMParameters.getInstance(algParams.getEncoded())));
                keyData = new EncryptedSecretKeyData(new AlgorithmIdentifier(PKCSObjectIdentifiers.id_PBES2, pbeParams), encryptedKey);
            } else {
                Cipher c = createCipher("AESKWP", keyBytes);
                byte[] encryptedKey = c.doFinal(secKeyData.getEncoded());
                PBES2Parameters pbeParams = new PBES2Parameters(pbkdAlgId, new EncryptionScheme(NISTObjectIdentifiers.id_aes256_wrap_pad));
                keyData = new EncryptedSecretKeyData(new AlgorithmIdentifier(PKCSObjectIdentifiers.id_PBES2, pbeParams), encryptedKey);
            }
            entries.put(alias, new ObjectData(SECRET_KEY, alias, creationDate, lastEditDate, keyData.getEncoded(), null));
        } catch (Exception e) {
            throw new ExtKeyStoreException("BCFKS KeyStore exception storing private key: " + e.toString(), e);
        }
    } else {
        throw new KeyStoreException("BCFKS KeyStore unable to recognize key.");
    }
    lastModifiedDate = lastEditDate;
}
Also used : PBES2Parameters(com.github.zhenwei.core.asn1.pkcs.PBES2Parameters) EncryptionScheme(com.github.zhenwei.core.asn1.pkcs.EncryptionScheme) PrivateKey(java.security.PrivateKey) ObjectData(com.github.zhenwei.core.asn1.bc.ObjectData) KeyStoreException(java.security.KeyStoreException) SecretKeyData(com.github.zhenwei.core.asn1.bc.SecretKeyData) EncryptedSecretKeyData(com.github.zhenwei.core.asn1.bc.EncryptedSecretKeyData) Date(java.util.Date) KeyStoreException(java.security.KeyStoreException) GeneralSecurityException(java.security.GeneralSecurityException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) CertificateEncodingException(java.security.cert.CertificateEncodingException) IOException(java.io.IOException) ParseException(java.text.ParseException) IllegalBlockSizeException(javax.crypto.IllegalBlockSizeException) NoSuchPaddingException(javax.crypto.NoSuchPaddingException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) CertificateException(java.security.cert.CertificateException) BadPaddingException(javax.crypto.BadPaddingException) NoSuchProviderException(java.security.NoSuchProviderException) AlgorithmIdentifier(com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier) SecretKey(javax.crypto.SecretKey) EncryptedSecretKeyData(com.github.zhenwei.core.asn1.bc.EncryptedSecretKeyData) KeyDerivationFunc(com.github.zhenwei.core.asn1.pkcs.KeyDerivationFunc) EncryptedPrivateKeyInfo(com.github.zhenwei.core.asn1.pkcs.EncryptedPrivateKeyInfo) Cipher(javax.crypto.Cipher) EncryptedPrivateKeyData(com.github.zhenwei.core.asn1.bc.EncryptedPrivateKeyData) ASN1ObjectIdentifier(com.github.zhenwei.core.asn1.ASN1ObjectIdentifier) AlgorithmParameters(java.security.AlgorithmParameters)

Example 2 with EncryptedPrivateKeyData

use of com.github.zhenwei.core.asn1.bc.EncryptedPrivateKeyData in project LinLong-Java by zhenwei1108.

the class BcFKSKeyStoreSpi method engineGetKey.

public Key engineGetKey(String alias, char[] password) throws NoSuchAlgorithmException, UnrecoverableKeyException {
    ObjectData ent = (ObjectData) entries.get(alias);
    if (ent != null) {
        if (ent.getType().equals(PRIVATE_KEY) || ent.getType().equals(PROTECTED_PRIVATE_KEY)) {
            PrivateKey cachedKey = (PrivateKey) privateKeyCache.get(alias);
            if (cachedKey != null) {
                return cachedKey;
            }
            EncryptedPrivateKeyData encPrivData = EncryptedPrivateKeyData.getInstance(ent.getData());
            EncryptedPrivateKeyInfo encInfo = EncryptedPrivateKeyInfo.getInstance(encPrivData.getEncryptedPrivateKeyInfo());
            try {
                PrivateKeyInfo pInfo = PrivateKeyInfo.getInstance(decryptData("PRIVATE_KEY_ENCRYPTION", encInfo.getEncryptionAlgorithm(), password, encInfo.getEncryptedData()));
                KeyFactory kFact = helper.createKeyFactory(getPublicKeyAlg(pInfo.getPrivateKeyAlgorithm().getAlgorithm()));
                PrivateKey privateKey = kFact.generatePrivate(new PKCS8EncodedKeySpec(pInfo.getEncoded()));
                // check that the key pair and the certificate public key are consistent
                // TODO: new ConsistentKeyPair(engineGetCertificate(alias).getPublicKey(), privateKey);
                privateKeyCache.put(alias, privateKey);
                return privateKey;
            } catch (Exception e) {
                throw new UnrecoverableKeyException("BCFKS KeyStore unable to recover private key (" + alias + "): " + e.getMessage());
            }
        } else if (ent.getType().equals(SECRET_KEY) || ent.getType().equals(PROTECTED_SECRET_KEY)) {
            EncryptedSecretKeyData encKeyData = EncryptedSecretKeyData.getInstance(ent.getData());
            try {
                SecretKeyData keyData = SecretKeyData.getInstance(decryptData("SECRET_KEY_ENCRYPTION", encKeyData.getKeyEncryptionAlgorithm(), password, encKeyData.getEncryptedKeyData()));
                SecretKeyFactory kFact = helper.createSecretKeyFactory(keyData.getKeyAlgorithm().getId());
                return kFact.generateSecret(new SecretKeySpec(keyData.getKeyBytes(), keyData.getKeyAlgorithm().getId()));
            } catch (Exception e) {
                throw new UnrecoverableKeyException("BCFKS KeyStore unable to recover secret key (" + alias + "): " + e.getMessage());
            }
        } else {
            throw new UnrecoverableKeyException("BCFKS KeyStore unable to recover secret key (" + alias + "): type not recognized");
        }
    }
    return null;
}
Also used : PrivateKey(java.security.PrivateKey) ObjectData(com.github.zhenwei.core.asn1.bc.ObjectData) SecretKeyData(com.github.zhenwei.core.asn1.bc.SecretKeyData) EncryptedSecretKeyData(com.github.zhenwei.core.asn1.bc.EncryptedSecretKeyData) KeyStoreException(java.security.KeyStoreException) GeneralSecurityException(java.security.GeneralSecurityException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) CertificateEncodingException(java.security.cert.CertificateEncodingException) IOException(java.io.IOException) ParseException(java.text.ParseException) IllegalBlockSizeException(javax.crypto.IllegalBlockSizeException) NoSuchPaddingException(javax.crypto.NoSuchPaddingException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) CertificateException(java.security.cert.CertificateException) BadPaddingException(javax.crypto.BadPaddingException) NoSuchProviderException(java.security.NoSuchProviderException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) EncryptedSecretKeyData(com.github.zhenwei.core.asn1.bc.EncryptedSecretKeyData) SecretKeySpec(javax.crypto.spec.SecretKeySpec) PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec) EncryptedPrivateKeyInfo(com.github.zhenwei.core.asn1.pkcs.EncryptedPrivateKeyInfo) SecretKeyFactory(javax.crypto.SecretKeyFactory) EncryptedPrivateKeyData(com.github.zhenwei.core.asn1.bc.EncryptedPrivateKeyData) EncryptedPrivateKeyInfo(com.github.zhenwei.core.asn1.pkcs.EncryptedPrivateKeyInfo) PrivateKeyInfo(com.github.zhenwei.core.asn1.pkcs.PrivateKeyInfo) SecretKeyFactory(javax.crypto.SecretKeyFactory) KeyFactory(java.security.KeyFactory)

Example 3 with EncryptedPrivateKeyData

use of com.github.zhenwei.core.asn1.bc.EncryptedPrivateKeyData in project LinLong-Java by zhenwei1108.

the class BcFKSKeyStoreSpi method engineGetCertificateChain.

public Certificate[] engineGetCertificateChain(String alias) {
    ObjectData ent = (ObjectData) entries.get(alias);
    if (ent != null) {
        if (ent.getType().equals(PRIVATE_KEY) || ent.getType().equals(PROTECTED_PRIVATE_KEY)) {
            EncryptedPrivateKeyData encPrivData = EncryptedPrivateKeyData.getInstance(ent.getData());
            com.github.zhenwei.core.asn1.x509.Certificate[] certificates = encPrivData.getCertificateChain();
            Certificate[] chain = new X509Certificate[certificates.length];
            for (int i = 0; i != chain.length; i++) {
                chain[i] = decodeCertificate(certificates[i]);
            }
            return chain;
        }
    }
    return null;
}
Also used : ObjectData(com.github.zhenwei.core.asn1.bc.ObjectData) EncryptedPrivateKeyData(com.github.zhenwei.core.asn1.bc.EncryptedPrivateKeyData) X509Certificate(java.security.cert.X509Certificate) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 4 with EncryptedPrivateKeyData

use of com.github.zhenwei.core.asn1.bc.EncryptedPrivateKeyData in project LinLong-Java by zhenwei1108.

the class BcFKSKeyStoreSpi method engineGetCertificateAlias.

public String engineGetCertificateAlias(Certificate certificate) {
    if (certificate == null) {
        return null;
    }
    byte[] encodedCert;
    try {
        encodedCert = certificate.getEncoded();
    } catch (CertificateEncodingException e) {
        return null;
    }
    for (Iterator<String> it = entries.keySet().iterator(); it.hasNext(); ) {
        String alias = (String) it.next();
        ObjectData ent = (ObjectData) entries.get(alias);
        if (ent.getType().equals(CERTIFICATE)) {
            if (Arrays.areEqual(ent.getData(), encodedCert)) {
                return alias;
            }
        } else if (ent.getType().equals(PRIVATE_KEY) || ent.getType().equals(PROTECTED_PRIVATE_KEY)) {
            try {
                EncryptedPrivateKeyData encPrivData = EncryptedPrivateKeyData.getInstance(ent.getData());
                if (Arrays.areEqual(encPrivData.getCertificateChain()[0].toASN1Primitive().getEncoded(), encodedCert)) {
                    return alias;
                }
            } catch (IOException e) {
            // ignore - this should never happen
            }
        }
    }
    return null;
}
Also used : ObjectData(com.github.zhenwei.core.asn1.bc.ObjectData) CertificateEncodingException(java.security.cert.CertificateEncodingException) IOException(java.io.IOException) EncryptedPrivateKeyData(com.github.zhenwei.core.asn1.bc.EncryptedPrivateKeyData)

Example 5 with EncryptedPrivateKeyData

use of com.github.zhenwei.core.asn1.bc.EncryptedPrivateKeyData in project LinLong-Java by zhenwei1108.

the class BcFKSKeyStoreSpi method engineGetCertificate.

public Certificate engineGetCertificate(String s) {
    ObjectData ent = (ObjectData) entries.get(s);
    if (ent != null) {
        if (ent.getType().equals(PRIVATE_KEY) || ent.getType().equals(PROTECTED_PRIVATE_KEY)) {
            EncryptedPrivateKeyData encPrivData = EncryptedPrivateKeyData.getInstance(ent.getData());
            com.github.zhenwei.core.asn1.x509.Certificate[] certificates = encPrivData.getCertificateChain();
            return decodeCertificate(certificates[0]);
        } else if (ent.getType().equals(CERTIFICATE)) {
            return decodeCertificate(ent.getData());
        }
    }
    return null;
}
Also used : ObjectData(com.github.zhenwei.core.asn1.bc.ObjectData) EncryptedPrivateKeyData(com.github.zhenwei.core.asn1.bc.EncryptedPrivateKeyData) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Aggregations

EncryptedPrivateKeyData (com.github.zhenwei.core.asn1.bc.EncryptedPrivateKeyData)5 ObjectData (com.github.zhenwei.core.asn1.bc.ObjectData)5 IOException (java.io.IOException)3 CertificateEncodingException (java.security.cert.CertificateEncodingException)3 EncryptedSecretKeyData (com.github.zhenwei.core.asn1.bc.EncryptedSecretKeyData)2 SecretKeyData (com.github.zhenwei.core.asn1.bc.SecretKeyData)2 EncryptedPrivateKeyInfo (com.github.zhenwei.core.asn1.pkcs.EncryptedPrivateKeyInfo)2 GeneralSecurityException (java.security.GeneralSecurityException)2 InvalidKeyException (java.security.InvalidKeyException)2 KeyStoreException (java.security.KeyStoreException)2 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)2 NoSuchProviderException (java.security.NoSuchProviderException)2 PrivateKey (java.security.PrivateKey)2 UnrecoverableKeyException (java.security.UnrecoverableKeyException)2 Certificate (java.security.cert.Certificate)2 CertificateException (java.security.cert.CertificateException)2 X509Certificate (java.security.cert.X509Certificate)2 ParseException (java.text.ParseException)2 BadPaddingException (javax.crypto.BadPaddingException)2 IllegalBlockSizeException (javax.crypto.IllegalBlockSizeException)2