Example 1 with SignatureCheck
use of com.github.zhenwei.core.asn1.bc.SignatureCheck in project LinLong-Java by zhenwei1108.
the class BcFKSKeyStoreSpi method engineLoad.
public void engineLoad(InputStream inputStream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException {
// reset any current values
entries.clear();
privateKeyCache.clear();
lastModifiedDate = creationDate = null;
hmacAlgorithm = null;
if (inputStream == null) {
// initialise defaults
lastModifiedDate = creationDate = new Date();
verificationKey = null;
validator = null;
// basic initialisation
hmacAlgorithm = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA512, DERNull.INSTANCE);
hmacPkbdAlgorithm = generatePkbdAlgorithmIdentifier(PKCSObjectIdentifiers.id_PBKDF2, 512 / 8);
return;
}
ASN1InputStream aIn = new ASN1InputStream(inputStream);
ObjectStore store;
try {
store = ObjectStore.getInstance(aIn.readObject());
} catch (Exception e) {
throw new IOException(e.getMessage());
}
ObjectStoreIntegrityCheck integrityCheck = store.getIntegrityCheck();
AlgorithmIdentifier integrityAlg;
if (integrityCheck.getType() == ObjectStoreIntegrityCheck.PBKD_MAC_CHECK) {
PbkdMacIntegrityCheck pbkdMacIntegrityCheck = PbkdMacIntegrityCheck.getInstance(integrityCheck.getIntegrityCheck());
hmacAlgorithm = pbkdMacIntegrityCheck.getMacAlgorithm();
hmacPkbdAlgorithm = pbkdMacIntegrityCheck.getPbkdAlgorithm();
integrityAlg = hmacAlgorithm;
try {
verifyMac(store.getStoreData().toASN1Primitive().getEncoded(), pbkdMacIntegrityCheck, password);
} catch (NoSuchProviderException e) {
throw new IOException(e.getMessage());
}
} else if (integrityCheck.getType() == ObjectStoreIntegrityCheck.SIG_CHECK) {
SignatureCheck sigCheck = SignatureCheck.getInstance(integrityCheck.getIntegrityCheck());
integrityAlg = sigCheck.getSignatureAlgorithm();
try {
com.github.zhenwei.core.asn1.x509.Certificate[] certificates = sigCheck.getCertificates();
if (validator != null) {
if (certificates == null) {
throw new IOException("validator specified but no certifcates in store");
}
CertificateFactory certFact = helper.createCertificateFactory("X.509");
X509Certificate[] certs = new X509Certificate[certificates.length];
for (int i = 0; i != certs.length; i++) {
certs[i] = (X509Certificate) certFact.generateCertificate(new ByteArrayInputStream(certificates[i].getEncoded()));
}
if (validator.isValid(certs)) {
verifySig(store.getStoreData(), sigCheck, certs[0].getPublicKey());
} else {
throw new IOException("certificate chain in key store signature not valid");
}
} else {
verifySig(store.getStoreData(), sigCheck, verificationKey);
}
} catch (GeneralSecurityException e) {
throw new IOException("error verifying signature: " + e.getMessage(), e);
}
} else {
throw new IOException("BCFKS KeyStore unable to recognize integrity check.");
}
ASN1Encodable sData = store.getStoreData();
ObjectStoreData storeData;
if (sData instanceof EncryptedObjectStoreData) {
EncryptedObjectStoreData encryptedStoreData = (EncryptedObjectStoreData) sData;
AlgorithmIdentifier protectAlgId = encryptedStoreData.getEncryptionAlgorithm();
storeData = ObjectStoreData.getInstance(decryptData("STORE_ENCRYPTION", protectAlgId, password, encryptedStoreData.getEncryptedContent().getOctets()));
} else {
storeData = ObjectStoreData.getInstance(sData);
}
try {
creationDate = storeData.getCreationDate().getDate();
lastModifiedDate = storeData.getLastModifiedDate().getDate();
} catch (ParseException e) {
throw new IOException("BCFKS KeyStore unable to parse store data information.");
}
if (!storeData.getIntegrityAlgorithm().equals(integrityAlg)) {
throw new IOException("BCFKS KeyStore storeData integrity algorithm does not match store integrity algorithm.");
}
for (Iterator it = storeData.getObjectDataSequence().iterator(); it.hasNext(); ) {
ObjectData objData = ObjectData.getInstance(it.next());
entries.put(objData.getIdentifier(), objData);
}
}
Also used :
PbkdMacIntegrityCheck(com.github.zhenwei.core.asn1.bc.PbkdMacIntegrityCheck)
ASN1InputStream(com.github.zhenwei.core.asn1.ASN1InputStream)
ObjectStore(com.github.zhenwei.core.asn1.bc.ObjectStore)
GeneralSecurityException(java.security.GeneralSecurityException)
ObjectData(com.github.zhenwei.core.asn1.bc.ObjectData)
IOException(java.io.IOException)
EncryptedObjectStoreData(com.github.zhenwei.core.asn1.bc.EncryptedObjectStoreData)
CertificateFactory(java.security.cert.CertificateFactory)
Date(java.util.Date)
KeyStoreException(java.security.KeyStoreException)
GeneralSecurityException(java.security.GeneralSecurityException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
IOException(java.io.IOException)
ParseException(java.text.ParseException)
IllegalBlockSizeException(javax.crypto.IllegalBlockSizeException)
NoSuchPaddingException(javax.crypto.NoSuchPaddingException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
CertificateException(java.security.cert.CertificateException)
BadPaddingException(javax.crypto.BadPaddingException)
NoSuchProviderException(java.security.NoSuchProviderException)
X509Certificate(java.security.cert.X509Certificate)
AlgorithmIdentifier(com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)
SignatureCheck(com.github.zhenwei.core.asn1.bc.SignatureCheck)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Iterator(java.util.Iterator)
ASN1Encodable(com.github.zhenwei.core.asn1.ASN1Encodable)
ParseException(java.text.ParseException)
NoSuchProviderException(java.security.NoSuchProviderException)
ObjectStoreData(com.github.zhenwei.core.asn1.bc.ObjectStoreData)
EncryptedObjectStoreData(com.github.zhenwei.core.asn1.bc.EncryptedObjectStoreData)
ObjectStoreIntegrityCheck(com.github.zhenwei.core.asn1.bc.ObjectStoreIntegrityCheck)
Example 2 with SignatureCheck
use of com.github.zhenwei.core.asn1.bc.SignatureCheck in project LinLong-Java by zhenwei1108.
the class BcFKSKeyStoreSpi method engineStore.
public void engineStore(KeyStore.LoadStoreParameter parameter) throws CertificateException, NoSuchAlgorithmException, IOException {
if (parameter == null) {
throw new IllegalArgumentException("'parameter' arg cannot be null");
}
if (parameter instanceof BCFKSStoreParameter) {
BCFKSStoreParameter bcParam = (BCFKSStoreParameter) parameter;
char[] password = ParameterUtil.extractPassword(parameter);
hmacPkbdAlgorithm = generatePkbdAlgorithmIdentifier(bcParam.getStorePBKDFConfig(), 512 / 8);
engineStore(bcParam.getOutputStream(), password);
} else if (parameter instanceof BCFKSLoadStoreParameter) {
BCFKSLoadStoreParameter bcParam = (BCFKSLoadStoreParameter) parameter;
if (bcParam.getStoreSignatureKey() != null) {
signatureAlgorithm = generateSignatureAlgId(bcParam.getStoreSignatureKey(), bcParam.getStoreSignatureAlgorithm());
hmacPkbdAlgorithm = generatePkbdAlgorithmIdentifier(bcParam.getStorePBKDFConfig(), 512 / 8);
if (bcParam.getStoreEncryptionAlgorithm() == BCFKSLoadStoreParameter.EncryptionAlgorithm.AES256_CCM) {
storeEncryptionAlgorithm = NISTObjectIdentifiers.id_aes256_CCM;
} else {
storeEncryptionAlgorithm = NISTObjectIdentifiers.id_aes256_wrap_pad;
}
if (bcParam.getStoreMacAlgorithm() == BCFKSLoadStoreParameter.MacAlgorithm.HmacSHA512) {
hmacAlgorithm = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA512, DERNull.INSTANCE);
} else {
hmacAlgorithm = new AlgorithmIdentifier(NISTObjectIdentifiers.id_hmacWithSHA3_512, DERNull.INSTANCE);
}
char[] password = ParameterUtil.extractPassword(bcParam);
EncryptedObjectStoreData encStoreData = getEncryptedObjectStoreData(signatureAlgorithm, password);
try {
Signature sig = helper.createSignature(signatureAlgorithm.getAlgorithm().getId());
sig.initSign((PrivateKey) bcParam.getStoreSignatureKey());
sig.update(encStoreData.getEncoded());
SignatureCheck signatureCheck;
X509Certificate[] certs = bcParam.getStoreCertificates();
if (certs != null) {
com.github.zhenwei.core.asn1.x509.Certificate[] certificates = new com.github.zhenwei.core.asn1.x509.Certificate[certs.length];
for (int i = 0; i != certificates.length; i++) {
certificates[i] = com.github.zhenwei.core.asn1.x509.Certificate.getInstance(certs[i].getEncoded());
}
signatureCheck = new SignatureCheck(signatureAlgorithm, certificates, sig.sign());
} else {
signatureCheck = new SignatureCheck(signatureAlgorithm, sig.sign());
}
ObjectStore store = new ObjectStore(encStoreData, new ObjectStoreIntegrityCheck(signatureCheck));
bcParam.getOutputStream().write(store.getEncoded());
bcParam.getOutputStream().flush();
} catch (GeneralSecurityException e) {
throw new IOException("error creating signature: " + e.getMessage(), e);
}
} else {
char[] password = ParameterUtil.extractPassword(bcParam);
hmacPkbdAlgorithm = generatePkbdAlgorithmIdentifier(bcParam.getStorePBKDFConfig(), 512 / 8);
if (bcParam.getStoreEncryptionAlgorithm() == BCFKSLoadStoreParameter.EncryptionAlgorithm.AES256_CCM) {
storeEncryptionAlgorithm = NISTObjectIdentifiers.id_aes256_CCM;
} else {
storeEncryptionAlgorithm = NISTObjectIdentifiers.id_aes256_wrap_pad;
}
if (bcParam.getStoreMacAlgorithm() == BCFKSLoadStoreParameter.MacAlgorithm.HmacSHA512) {
hmacAlgorithm = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA512, DERNull.INSTANCE);
} else {
hmacAlgorithm = new AlgorithmIdentifier(NISTObjectIdentifiers.id_hmacWithSHA3_512, DERNull.INSTANCE);
}
engineStore(bcParam.getOutputStream(), password);
}
} else if (parameter instanceof BCLoadStoreParameter) {
BCLoadStoreParameter bcParam = (BCLoadStoreParameter) parameter;
engineStore(bcParam.getOutputStream(), ParameterUtil.extractPassword(parameter));
} else {
throw new IllegalArgumentException("no support for 'parameter' of type " + parameter.getClass().getName());
}
}
Also used :
ObjectStore(com.github.zhenwei.core.asn1.bc.ObjectStore)
PrivateKey(java.security.PrivateKey)
GeneralSecurityException(java.security.GeneralSecurityException)
BCFKSStoreParameter(com.github.zhenwei.provider.jcajce.BCFKSStoreParameter)
EncryptedObjectStoreData(com.github.zhenwei.core.asn1.bc.EncryptedObjectStoreData)
IOException(java.io.IOException)
AlgorithmIdentifier(com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)
SignatureCheck(com.github.zhenwei.core.asn1.bc.SignatureCheck)
Signature(java.security.Signature)
BCFKSLoadStoreParameter(com.github.zhenwei.provider.jcajce.BCFKSLoadStoreParameter)
BCLoadStoreParameter(com.github.zhenwei.provider.jcajce.BCLoadStoreParameter)
ObjectStoreIntegrityCheck(com.github.zhenwei.core.asn1.bc.ObjectStoreIntegrityCheck)
Aggregations
EncryptedObjectStoreData (com.github.zhenwei.core.asn1.bc.EncryptedObjectStoreData)2
ObjectStore (com.github.zhenwei.core.asn1.bc.ObjectStore)2
ObjectStoreIntegrityCheck (com.github.zhenwei.core.asn1.bc.ObjectStoreIntegrityCheck)2
SignatureCheck (com.github.zhenwei.core.asn1.bc.SignatureCheck)2
AlgorithmIdentifier (com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)2
IOException (java.io.IOException)2
GeneralSecurityException (java.security.GeneralSecurityException)2
ASN1Encodable (com.github.zhenwei.core.asn1.ASN1Encodable)1
ASN1InputStream (com.github.zhenwei.core.asn1.ASN1InputStream)1
ObjectData (com.github.zhenwei.core.asn1.bc.ObjectData)1
ObjectStoreData (com.github.zhenwei.core.asn1.bc.ObjectStoreData)1
PbkdMacIntegrityCheck (com.github.zhenwei.core.asn1.bc.PbkdMacIntegrityCheck)1
BCFKSLoadStoreParameter (com.github.zhenwei.provider.jcajce.BCFKSLoadStoreParameter)1
BCFKSStoreParameter (com.github.zhenwei.provider.jcajce.BCFKSStoreParameter)1
BCLoadStoreParameter (com.github.zhenwei.provider.jcajce.BCLoadStoreParameter)1
ByteArrayInputStream (java.io.ByteArrayInputStream)1
InvalidKeyException (java.security.InvalidKeyException)1
KeyStoreException (java.security.KeyStoreException)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
NoSuchProviderException (java.security.NoSuchProviderException)1
