use of com.google.protobuf2.Any in project jss by dogtagpki.
the class PKCS12Util method getCertInfo.
public PKCS12CertInfo getCertInfo(SafeBag bag) throws Exception {
PKCS12CertInfo certInfo = new PKCS12CertInfo();
CertBag certBag = (CertBag) bag.getInterpretedBagContent();
OCTET_STRING certStr = (OCTET_STRING) certBag.getInterpretedCert();
byte[] x509cert = certStr.toByteArray();
// generate cert ID from SHA-1 hash of cert data
byte[] id = SafeBag.getLocalKeyIDFromCert(x509cert);
certInfo.setID(id);
logger.debug(" Certificate ID: " + Utils.HexEncode(id));
X509CertImpl cert = new X509CertImpl(x509cert);
certInfo.setCert(cert);
X500Principal subjectDN = cert.getSubjectX500Principal();
logger.debug(" Subject DN: " + subjectDN);
SET bagAttrs = bag.getBagAttributes();
for (int i = 0; bagAttrs != null && i < bagAttrs.size(); i++) {
Attribute attr = (Attribute) bagAttrs.elementAt(i);
OBJECT_IDENTIFIER oid = attr.getType();
if (oid.equals(SafeBag.FRIENDLY_NAME)) {
SET values = attr.getValues();
ANY value = (ANY) values.elementAt(0);
ByteArrayInputStream bis = new ByteArrayInputStream(value.getEncoded());
BMPString friendlyName = (BMPString) (new BMPString.Template()).decode(bis);
certInfo.setFriendlyName(friendlyName.toString());
logger.debug(" Friendly name: " + certInfo.getFriendlyName());
} else if (oid.equals(SafeBag.LOCAL_KEY_ID)) {
SET values = attr.getValues();
ANY value = (ANY) values.elementAt(0);
ByteArrayInputStream bis = new ByteArrayInputStream(value.getEncoded());
OCTET_STRING keyIdAsn1 = (OCTET_STRING) new OCTET_STRING.Template().decode(bis);
byte[] keyID = keyIdAsn1.toByteArray();
certInfo.setKeyID(keyID);
logger.debug(" Key ID: " + Utils.HexEncode(keyID));
} else if (oid.equals(PKCS12.CERT_TRUST_FLAGS_OID) && trustFlagsEnabled) {
SET values = attr.getValues();
ANY value = (ANY) values.elementAt(0);
ByteArrayInputStream is = new ByteArrayInputStream(value.getEncoded());
BMPString trustFlagsAsn1 = (BMPString) (new BMPString.Template()).decode(is);
String trustFlags = trustFlagsAsn1.toString();
certInfo.setTrustFlags(trustFlags);
logger.debug(" Trust flags: " + trustFlags);
} else {
logger.warn(" " + oid + ": " + attr.getValues());
}
}
if (certInfo.getFriendlyName() == null) {
logger.debug(" Generating new friendly name");
LdapName dn = new LdapName(subjectDN.getName());
ArrayList<String> values = new ArrayList<>();
// The getRdns method returns the list in reverse order
// therefore, we must traverse in reverse order.
List<Rdn> rdns = dn.getRdns();
for (int i = rdns.size() - 1; i >= 0; i--) {
Rdn rdn = rdns.get(i);
values.add(rdn.getValue().toString());
}
String friendlyName = StringUtils.join(values, " - ");
certInfo.setFriendlyName(friendlyName);
logger.debug(" Friendly name: " + friendlyName);
}
return certInfo;
}
use of com.google.protobuf2.Any in project jss by dogtagpki.
the class SafeBag method createCertBag.
/**
* Creates a SafeBag that contains an X.509 Certificate.
* The SafeBag will have the given <i>localKeyID</i> attribute,
* and a <i>friendlyName</i>
* attribute equal to the supplied string. This is the way Communicator
* makes a CertBag. The same <i>localKeyID</i> attribute should be stored
* in the matching private key bag.
*
* @param cert A DER-encoded X.509 certificate.
* @param friendlyName Will be stored in the <i>friendlyName</i>
* attribute of the SafeBag. Should be the nickname of the cert.
* @param localKeyID The bytes to used for the localKeyID. These should
* be obtained from the <code>getLocalKeyIDFromCert</code> method.
* @exception InvalidBERException If the cert is not a valid DER encoding.
* @see #getLocalKeyIDFromCert
*/
public static SafeBag createCertBag(byte[] cert, String friendlyName, byte[] localKeyID) throws InvalidBERException {
try {
// create CertBag
CertBag cb = new CertBag(CertBag.X509_CERT_TYPE, new ANY(cert));
// setup attributes
SET attributes = new SET();
// friendly name should be cert nickname
attributes.addElement(new Attribute(FRIENDLY_NAME, new BMPString(friendlyName)));
attributes.addElement(new Attribute(LOCAL_KEY_ID, new OCTET_STRING(localKeyID)));
return new SafeBag(CERT_BAG, cb, attributes);
} catch (CharConversionException e) {
throw new AssertionException("CharConversionException converting" + " Unicode to BMPString");
}
}
use of com.google.protobuf2.Any in project jss by dogtagpki.
the class IssuingDistributionPoint method encode.
@Override
public void encode(Tag implicitTag, OutputStream ostream) throws IOException {
SEQUENCE seq = new SEQUENCE();
DerOutputStream derOut;
try {
// is a CHOICE, the [0] tag is forced to be EXPLICIT.
if (fullName != null) {
EXPLICIT distPoint = new EXPLICIT(Tag.get(0), fullNameEncoding);
seq.addElement(distPoint);
} else if (relativeName != null) {
derOut = new DerOutputStream();
relativeName.encode(derOut);
ANY raw = new ANY(derOut.toByteArray());
ByteArrayOutputStream bos = new ByteArrayOutputStream();
raw.encodeWithAlternateTag(Tag.get(1), bos);
ANY distPointName = new ANY(bos.toByteArray());
EXPLICIT distPoint = new EXPLICIT(Tag.get(0), distPointName);
seq.addElement(distPoint);
}
if (onlyContainsUserCerts != false) {
seq.addElement(Tag.get(1), new BOOLEAN(true));
}
if (onlyContainsCACerts != false) {
seq.addElement(Tag.get(2), new BOOLEAN(true));
}
// Encodes the ReasonFlags.
if (onlySomeReasons != null) {
derOut = new DerOutputStream();
derOut.putUnalignedBitString(onlySomeReasons);
ANY raw = new ANY(derOut.toByteArray());
ByteArrayOutputStream bos = new ByteArrayOutputStream();
raw.encodeWithAlternateTag(Tag.get(3), bos);
ANY reasonEncoding = new ANY(bos.toByteArray());
seq.addElement(reasonEncoding);
}
if (indirectCRL != false) {
seq.addElement(Tag.get(4), new BOOLEAN(true));
}
seq.encode(implicitTag, ostream);
} catch (InvalidBERException e) {
// the Sun encoding classes
throw new IOException(e.toString());
}
}
use of com.google.protobuf2.Any in project jss by dogtagpki.
the class SignerInfo method verifyWithSignedAttributes.
/**
* Verifies a SignerInfo with signed attributes. If signed
* attributes are present, then two particular attributes must
* be present: <ul>
* <li>PKCS #9 Content-Type, the type of content that is being signed.
* This must match the contentType parameter.
* <li>PKCS #9 Message-Digest, the digest of the content that is being
* signed. This must match the messageDigest parameter.
* </ul>
* After these two attributes are verified to be both present and correct,
* the encryptedDigest field of the SignerInfo is verified to be the
* signature of the contents octets of the DER encoding of the
* signedAttributes field.
*/
private void verifyWithSignedAttributes(byte[] messageDigest, OBJECT_IDENTIFIER contentType, PublicKey pubkey) throws NotInitializedException, NoSuchAlgorithmException, InvalidKeyException, TokenException, SignatureException {
int numAttrib = signedAttributes.size();
if (numAttrib < 2) {
throw new SignatureException("At least two signed attributes must be present:" + " content-type and message-digest");
}
// go through the signed attributes, verifying the
// interesting ones
boolean foundContentType = false;
boolean foundMessageDigest = false;
for (int i = 0; i < numAttrib; i++) {
if (!(signedAttributes.elementAt(i) instanceof Attribute)) {
throw new SignatureException("Element of signedAttributes is not an Attribute");
}
Attribute attrib = (Attribute) signedAttributes.elementAt(i);
if (attrib.getType().equals(CONTENT_TYPE)) {
// content-type. Compare with what was passed in.
SET vals = attrib.getValues();
if (vals.size() != 1) {
throw new SignatureException("Content-Type attribute " + " does not have exactly one value");
}
ASN1Value val = vals.elementAt(0);
OBJECT_IDENTIFIER ctype;
try {
if (val instanceof OBJECT_IDENTIFIER) {
ctype = (OBJECT_IDENTIFIER) val;
} else if (val instanceof ANY) {
ctype = (OBJECT_IDENTIFIER) ((ANY) val).decodeWith(OBJECT_IDENTIFIER.getTemplate());
} else {
// what the heck is it? not what it's supposed to be
throw new InvalidBERException("Content-Type signed attribute has unexpected" + " content type");
}
} catch (InvalidBERException e) {
throw new SignatureException("Content-Type signed attribute does not have " + "OBJECT IDENTIFIER value");
}
// contentType parameter
if (!ctype.equals(contentType)) {
throw new SignatureException("Content-type in signed attributes does not " + "match content-type being verified");
}
// content type is A-OK
foundContentType = true;
} else if (attrib.getType().equals(MESSAGE_DIGEST)) {
SET vals = attrib.getValues();
if (vals.size() != 1) {
throw new SignatureException("Message-digest attribute does not have" + " exactly one value");
}
ASN1Value val = vals.elementAt(0);
byte[] mdigest;
try {
if (val instanceof OCTET_STRING) {
mdigest = ((OCTET_STRING) val).toByteArray();
} else if (val instanceof ANY) {
OCTET_STRING os;
os = (OCTET_STRING) ((ANY) val).decodeWith(OCTET_STRING.getTemplate());
mdigest = os.toByteArray();
} else {
// what the heck is it? not what it's supposed to be
throw new InvalidBERException("Content-Type signed attribute has unexpected" + " content type");
}
} catch (InvalidBERException e) {
throw new SignatureException("Message-digest attribute does not" + " have OCTET STRING value");
}
// message digest being verified
if (!byteArraysAreSame(mdigest, messageDigest)) {
throw new SignatureException("Message-digest attribute does not" + " match message digest being verified");
}
// message digest is A-OK
foundMessageDigest = true;
}
// we don't care about other attributes
}
if (!foundContentType) {
throw new SignatureException("Signed attributes does not contain" + " PKCS #9 content-type attribute");
}
if (!foundMessageDigest) {
throw new SignatureException("Signed attributes does not contain" + " PKCS #9 message-digest attribute");
}
SignatureAlgorithm sigAlg = SignatureAlgorithm.fromOID(digestEncryptionAlgorithm.getOID());
// All the signed attributes are present and correct.
// Now verify the signature.
CryptoToken token = CryptoManager.getInstance().getInternalCryptoToken();
Signature sig;
// verify the contents octets of the DER encoded signed attribs
byte[] encoding = ASN1Util.encode(signedAttributes);
byte[] toBeVerified;
if (sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature) {
// create DigestInfo structure
SEQUENCE digestInfo = createDigestInfo(encoding, true);
toBeVerified = ASN1Util.encode(digestInfo);
sig = token.getSignatureContext(SignatureAlgorithm.RSASignature);
} else {
toBeVerified = encoding;
sig = token.getSignatureContext(sigAlg);
}
sig.initVerify(pubkey);
sig.update(toBeVerified);
if (!sig.verify(encryptedDigest.toByteArray())) {
// signature is invalid
throw new SignatureException("encryptedDigest was not the correct" + " signature of the contents octets of the DER-encoded" + " signed attributes");
}
// SUCCESSFULLY VERIFIED
}
Aggregations