Example 41 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project keystore-explorer by kaikramer.
the class DSubjectKeyIdentifier method prepopulateWithValue.
private void prepopulateWithValue(byte[] value) throws IOException {
SubjectKeyIdentifier subjectKeyIdentifier = SubjectKeyIdentifier.getInstance(value);
jkiKeyIdentifier.setKeyIdentifier(subjectKeyIdentifier.getKeyIdentifier());
}
Also used :
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
Example 42 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project xipki by xipki.
the class Certprofile method getSubjectKeyIdentifier.
public SubjectKeyIdentifier getSubjectKeyIdentifier(SubjectPublicKeyInfo subjectPublicKeyInfo) throws CertprofileException {
SubjectKeyIdentifierControl control = getSubjectKeyIdentifierControl();
SubjectKeyIdentifierControl.SubjectKeyIdentifierMethod method = null;
String hashAlgo = null;
if (control != null) {
method = control.getMethod();
hashAlgo = control.getHashAlgo();
}
HashAlgo hash;
if (hashAlgo == null) {
hash = HashAlgo.SHA1;
} else {
try {
hash = HashAlgo.getInstance(hashAlgo);
} catch (NoSuchAlgorithmException e) {
throw new CertprofileException("unknown hash algorithm " + hashAlgo);
}
}
byte[] encodedSpki = subjectPublicKeyInfo.getPublicKeyData().getBytes();
byte[] skiValue = hash.hash(encodedSpki);
if (method == null || method == SubjectKeyIdentifierControl.SubjectKeyIdentifierMethod.METHOD_1) {
// do nothing
} else if (method == SubjectKeyIdentifierControl.SubjectKeyIdentifierMethod.METHOD_2) {
byte[] bytes = Arrays.copyOfRange(skiValue, skiValue.length - 8, skiValue.length);
bytes[0] &= 0x0F;
bytes[0] |= 0x40;
skiValue = bytes;
} else {
throw new CertprofileException("unknown SubjectKeyIdentifierMethod " + method);
}
String truncateMethod = control == null ? null : control.getTruncateMethod();
if (StringUtil.isNotBlank(truncateMethod)) {
boolean leftmost;
if (StringUtil.startsWithIgnoreCase(truncateMethod, "L:")) {
leftmost = true;
} else if (StringUtil.startsWithIgnoreCase(truncateMethod, "R:")) {
leftmost = false;
} else {
throw new CertprofileException("unknown TruncateMethod " + truncateMethod);
}
int size;
try {
size = Integer.parseUnsignedInt(truncateMethod.substring(2));
} catch (NumberFormatException ex) {
throw new CertprofileException("invalid TruncateMethod " + truncateMethod);
}
if (size < skiValue.length) {
if (leftmost) {
skiValue = Arrays.copyOf(skiValue, size);
} else {
skiValue = Arrays.copyOfRange(skiValue, skiValue.length - size, skiValue.length);
}
}
}
return new SubjectKeyIdentifier(skiValue);
}
Also used :
HashAlgo(org.xipki.security.HashAlgo)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
Example 43 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project xipki by xipki.
the class P12KeyGenerator method generateIdentity.
private static KeyStoreWrapper generateIdentity(KeyPairWithSubjectPublicKeyInfo kp, KeystoreGenerationParameters params, String selfSignedCertSubject) throws Exception {
Date now = new Date();
// 10 minutes past
Date notBefore = new Date(now.getTime() - 10 * MIN);
Date notAfter = new Date(notBefore.getTime() + 3650 * DAY);
String dnStr = (selfSignedCertSubject == null) ? "CN=DUMMY" : selfSignedCertSubject;
X500Name subjectDn = new X500Name(dnStr);
SubjectPublicKeyInfo subjectPublicKeyInfo = kp.getSubjectPublicKeyInfo();
ContentSigner contentSigner = getContentSigner(kp.getKeypair().getPrivate(), kp.getKeypair().getPublic());
// Generate keystore
X509v3CertificateBuilder certGenerator = new X509v3CertificateBuilder(subjectDn, BigInteger.ONE, notBefore, notAfter, subjectDn, subjectPublicKeyInfo);
byte[] encodedSpki = kp.getSubjectPublicKeyInfo().getPublicKeyData().getBytes();
byte[] skiValue = HashAlgo.SHA1.hash(encodedSpki);
certGenerator.addExtension(Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(skiValue));
KeyAndCertPair identity = new KeyAndCertPair(new X509Cert(certGenerator.build(contentSigner)), kp.getKeypair().getPrivate());
KeyStore ks = KeyUtil.getKeyStore("PKCS12");
ks.load(null, params.getPassword());
ks.setKeyEntry("main", identity.key, params.getPassword(), new Certificate[] { identity.cert.toJceCert() });
ByteArrayOutputStream ksStream = new ByteArrayOutputStream();
try {
ks.store(ksStream, params.getPassword());
} finally {
ksStream.flush();
}
KeyStoreWrapper result = new KeyStoreWrapper(ksStream.toByteArray());
result.setKeystoreObject(ks);
return result;
}
Also used :
ContentSigner(org.bouncycastle.operator.ContentSigner)
X500Name(org.bouncycastle.asn1.x500.X500Name)
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
Date(java.util.Date)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
Example 44 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project jruby-openssl by jruby.
the class X509AuxCertificate method computeExFlags.
// NOTE: not all EXFLAGS are implemented!
private int computeExFlags() throws IOException {
int flags = 0;
/* V1 should mean no extensions ... */
if (getVersion() == 1) {
flags |= X509Utils.EXFLAG_V1;
}
if (getExtensionValue("2.5.29.19") != null) {
// BASIC_CONSTRAINTS
if (getBasicConstraints() != -1) {
// is CA
flags |= X509Utils.EXFLAG_CA;
}
flags |= X509Utils.EXFLAG_BCONS;
}
if (getSubjectX500Principal().equals(getIssuerX500Principal())) {
flags |= X509Utils.EXFLAG_SI;
// TODO duplicate code from X509Utils.checkIfIssuedBy
if (getExtensionValue("2.5.29.35") != null) {
// authorityKeyID
Object key = X509Utils.get(getExtensionValue("2.5.29.35"));
if (!(key instanceof ASN1Sequence))
key = X509Utils.get((DEROctetString) key);
final ASN1Sequence seq = (ASN1Sequence) key;
final AuthorityKeyIdentifier akid;
if (seq.size() == 1 && (seq.getObjectAt(0) instanceof ASN1OctetString)) {
akid = AuthorityKeyIdentifier.getInstance(new DLSequence(new DERTaggedObject(0, seq.getObjectAt(0))));
} else {
akid = AuthorityKeyIdentifier.getInstance(seq);
}
if (akid.getKeyIdentifier() != null) {
if (getExtensionValue("2.5.29.14") != null) {
DEROctetString der = (DEROctetString) X509Utils.get(getExtensionValue("2.5.29.14"));
SubjectKeyIdentifier skid = SubjectKeyIdentifier.getInstance(X509Utils.get(der.getOctets()));
if (skid.getKeyIdentifier() != null) {
if (Arrays.equals(akid.getKeyIdentifier(), skid.getKeyIdentifier())) {
/* .. and the signature alg matches the PUBKEY alg: */
if (getSigAlgName().equals(getPublicKey().getAlgorithm())) {
flags |= X509Utils.EXFLAG_SS;
/* indicate self-signed */
}
}
}
}
}
}
}
if (getKeyUsage() != null) {
flags |= X509Utils.EXFLAG_XKUSAGE;
}
if (getExtensionValue("1.3.6.1.5.5.7.1.14") != null) {
flags |= X509Utils.EXFLAG_PROXY;
}
return flags;
}
Also used :
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
DLSequence(org.bouncycastle.asn1.DLSequence)
DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject)
DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject)
X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
Example 45 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project ddf by codice.
the class SamlAssertionValidatorImpl method validateHolderOfKeyConfirmation.
private void validateHolderOfKeyConfirmation(SamlAssertionWrapper assertion, X509Certificate[] x509Certs) throws SecurityServiceException {
List<String> confirmationMethods = assertion.getConfirmationMethods();
boolean hasHokMethod = false;
for (String method : confirmationMethods) {
if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
hasHokMethod = true;
}
}
if (hasHokMethod) {
if (x509Certs != null && x509Certs.length > 0) {
List<SubjectConfirmation> subjectConfirmations = assertion.getSaml2().getSubject().getSubjectConfirmations();
for (SubjectConfirmation subjectConfirmation : subjectConfirmations) {
if (OpenSAMLUtil.isMethodHolderOfKey(subjectConfirmation.getMethod())) {
Element dom = subjectConfirmation.getSubjectConfirmationData().getDOM();
Node keyInfo = dom.getFirstChild();
Node x509Data = keyInfo.getFirstChild();
Node dataNode = x509Data.getFirstChild();
Node dataText = dataNode.getFirstChild();
X509Certificate tlsCertificate = x509Certs[0];
if (dataNode.getLocalName().equals("X509Certificate")) {
String textContent = dataText.getTextContent();
byte[] byteValue = Base64.getMimeDecoder().decode(textContent);
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(byteValue));
// check that the certificate is still valid
cert.checkValidity();
// if the certs aren't the same, verify
if (!tlsCertificate.equals(cert)) {
// verify that the cert was signed by the same private key as the TLS cert
cert.verify(tlsCertificate.getPublicKey());
}
} catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException | SignatureException | NoSuchProviderException e) {
throw new SecurityServiceException("Unable to validate Holder of Key assertion with certificate.");
}
} else if (dataNode.getLocalName().equals("X509SubjectName")) {
String textContent = dataText.getTextContent();
// the assertion.
if (!tlsCertificate.getSubjectDN().getName().equals(textContent)) {
throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject DN.");
}
} else if (dataNode.getLocalName().equals("X509IssuerSerial")) {
// we have no way to support this confirmation type so we have to throw an error
throw new SecurityServiceException("Unable to validate Holder of Key assertion with issuer serial. NOT SUPPORTED");
} else if (dataNode.getLocalName().equals("X509SKI")) {
String textContent = dataText.getTextContent();
byte[] tlsSKI = tlsCertificate.getExtensionValue("2.5.29.14");
byte[] assertionSKI = Base64.getMimeDecoder().decode(textContent);
if (tlsSKI != null && tlsSKI.length > 0) {
ASN1OctetString tlsOs = ASN1OctetString.getInstance(tlsSKI);
ASN1OctetString assertionOs = ASN1OctetString.getInstance(assertionSKI);
SubjectKeyIdentifier tlsSubjectKeyIdentifier = SubjectKeyIdentifier.getInstance(tlsOs.getOctets());
SubjectKeyIdentifier assertSubjectKeyIdentifier = SubjectKeyIdentifier.getInstance(assertionOs.getOctets());
// assertion.
if (!Arrays.equals(tlsSubjectKeyIdentifier.getKeyIdentifier(), assertSubjectKeyIdentifier.getKeyIdentifier())) {
throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject key identifier.");
}
} else {
throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject key identifier.");
}
}
}
}
} else {
throw new SecurityServiceException("Holder of Key assertion, must be used with 2-way TLS.");
}
}
}
Also used :
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
SecurityServiceException(ddf.security.service.SecurityServiceException)
Element(org.w3c.dom.Element)
Node(org.w3c.dom.Node)
CertificateException(java.security.cert.CertificateException)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
SignatureException(java.security.SignatureException)
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
InvalidKeyException(java.security.InvalidKeyException)
CertificateFactory(java.security.cert.CertificateFactory)
X509Certificate(java.security.cert.X509Certificate)
SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation)
ByteArrayInputStream(java.io.ByteArrayInputStream)
NoSuchProviderException(java.security.NoSuchProviderException)
Aggregations
SubjectKeyIdentifier (org.bouncycastle.asn1.x509.SubjectKeyIdentifier)34
AuthorityKeyIdentifier (org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)17
X509Certificate (java.security.cert.X509Certificate)14
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)14
IOException (java.io.IOException)12
X500Name (org.bouncycastle.asn1.x500.X500Name)10
GeneralName (org.bouncycastle.asn1.x509.GeneralName)10
ContentSigner (org.bouncycastle.operator.ContentSigner)10
BigInteger (java.math.BigInteger)9
Date (java.util.Date)9
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)9
JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)9
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)8
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)8
JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)8
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)8
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)7
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)7
ByteArrayInputStream (java.io.ByteArrayInputStream)6
CertificateException (java.security.cert.CertificateException)6
