
Example 1 with PFX

use of PFX in project jss by dogtagpki. The index files this example under com.mindbright.security.pkcs12.PFX, but the imports listed below show the class actually used is org.mozilla.jss.pkcs12.PFX.

the class pkcs12, method main: a command-line tool that verifies a PKCS #12 file's MAC, imports its private keys into an NSS database, and re-encrypts the file under a new password.

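public static void main(String[] args) {
    // Re-encrypts a PKCS #12 (PFX) file under a new password and imports every
    // encrypted private key it contains into the NSS key database.
    //
    // Usage: PFX <dbdir> <infile> <outfile>
    //   dbdir   - NSS database directory CryptoManager is initialized from
    //   infile  - existing PKCS #12 file; its MAC is verified with the old password
    //   outfile - new PKCS #12 file, MAC'd and encrypted with the new password
    //
    // Both passwords are read interactively from the console. Any failure
    // after argument parsing is reported via printStackTrace().
    try {
        if (args.length != 3) {
            System.out.println("Usage: PFX <dbdir> <infile> <outfile>");
            System.exit(-1);
        }
        FileInputStream infile = null;
        try {
            infile = new FileInputStream(args[1]);
        } catch (FileNotFoundException f) {
            System.out.println("Cannot open file " + args[1] + " for reading: " + f.getMessage());
            return;
        }
        // CryptoManager has to be initialized before decoding: decoding a
        // PKCS #12 file involves crypto.
        CryptoManager.initialize(args[0]);
        CryptoManager manager = CryptoManager.getInstance();
        // Decode the outer PFX structure. No password is needed for this step;
        // the MAC and the encrypted SafeContents are handled further down.
        PFX.Template pfxt = new PFX.Template();
        PFX pfx;
        try (BufferedInputStream is = new BufferedInputStream(infile, 2048)) {
            pfx = (PFX) pfxt.decode(is);
        }
        System.out.println("Decoded PFX");
        System.out.println("Version: " + pfx.getVersion());
        AuthenticatedSafes authSafes = pfx.getAuthSafes();
        SEQUENCE safeContentsSequence = authSafes.getSequence();
        System.out.println("AuthSafes has " + safeContentsSequence.size() + " SafeContents");
        // Old password: MAC verification and decryption of the existing
        // contents. New password: everything written to <outfile>.
        System.out.println("Enter password: ");
        Password pass = Password.readPasswordFromConsole();
        System.out.println("Enter new password:");
        Password newPass = Password.readPasswordFromConsole();
        // NOTE(review): neither Password object is wiped after use; if the
        // Password class offers a clear/zeroing method, call it in a finally.
        //
        // Verify the MAC over the AuthenticatedSafes before trusting any of
        // the contents. A failed MAC means a wrong password or a file that
        // was tampered with; in either case stop here rather than re-encrypt
        // and re-MAC unverified data under the new password (the original
        // only printed a message and carried on).
        StringBuffer sb = new StringBuffer();
        if (!pfx.verifyAuthSafes(pass, sb)) {
            System.out.println("AuthSafes failed to verify because: " + sb);
            return;
        }
        System.out.println("AuthSafes verifies correctly.");
        // PBKDF iteration count for the re-encrypted private keys. The
        // original used 1, which makes an offline password guess as cheap as
        // one SHA-1; 2048 is the long-standing PKCS #12 tooling default. The
        // count is recorded in the EncryptedPrivateKeyInfo parameters, so any
        // decoder reads it back.
        final int pbeIterations = 2048;
        // Everything read from the old AuthenticatedSafes is copied into this
        // new one, with encrypted private keys re-encrypted under newPass.
        AuthenticatedSafes newAuthSafes = new AuthenticatedSafes();
        for (int i = 0; i < safeContentsSequence.size(); i++) {
            // The SafeContents may or may not be encrypted; the password is
            // only used if needed. A bad password surfaces as an exception.
            SEQUENCE safeContents = authSafes.getSafeContentsAt(pass, i);
            System.out.println("\n\nSafeContents #" + i + " has " + safeContents.size() + " bags");
            for (int j = 0; j < safeContents.size(); j++) {
                SafeBag safeBag = (SafeBag) safeContents.elementAt(j);
                System.out.println("\nBag " + j + " has type " + safeBag.getBagType());
                SET attribs = safeBag.getBagAttributes();
                if (attribs == null) {
                    System.out.println("Bag has no attributes");
                } else {
                    for (int b = 0; b < attribs.size(); b++) {
                        Attribute a = (Attribute) attribs.elementAt(b);
                        if (a.getType().equals(SafeBag.FRIENDLY_NAME)) {
                            // friendlyName is the nickname shown for the entry.
                            BMPString bs = (BMPString) ((ANY) a.getValues().elementAt(0)).decodeWith(BMPString.getTemplate());
                            System.out.println("Friendly Name: " + bs);
                        } else if (a.getType().equals(SafeBag.LOCAL_KEY_ID)) {
                            // localKeyId ties a key bag to its cert bag
                            // (conventionally the SHA-1 of the DER-encoded cert).
                            OCTET_STRING os = (OCTET_STRING) ((ANY) a.getValues().elementAt(0)).decodeWith(OCTET_STRING.getTemplate());
                            StringBuilder hex = new StringBuilder();
                            for (byte kb : os.toByteArray()) {
                                hex.append(String.format("%02x", kb));
                            }
                            System.out.println("LocalKeyID: " + hex);
                        } else {
                            System.out.println("Unknown attribute type: " + a.getType().toString());
                        }
                    }
                }
                ASN1Value val = safeBag.getInterpretedBagContent();
                if (val instanceof PrivateKeyInfo) {
                    // Unencrypted private key: copied through unchanged.
                    System.out.println("content is PrivateKeyInfo");
                } else if (val instanceof EncryptedPrivateKeyInfo) {
                    EncryptedPrivateKeyInfo epki = ((EncryptedPrivateKeyInfo) val);
                    System.out.println("content is EncryptedPrivateKeyInfo, algoid:" + epki.getEncryptionAlgorithm().getOID());
                    // PKCS #12 converts password chars to bytes in its own way
                    // (BMPString-style), hence the dedicated converter instead
                    // of the default one.
                    PrivateKeyInfo pki = epki.decrypt(pass, new org.mozilla.jss.pkcs12.PasswordConverter());
                    // Import the decrypted key into the NSS key database.
                    CryptoToken tok = manager.getTokenByName("Internal Key Storage Token");
                    CryptoStore store = tok.getCryptoStore();
                    tok.login(new ConsolePasswordCallback());
                    ByteArrayOutputStream baos = new ByteArrayOutputStream();
                    pki.encode(baos);
                    // NOTE(review): the key is always labeled RSA on import; a
                    // non-RSA PrivateKeyInfo would be mislabeled here.
                    store.importPrivateKey(baos.toByteArray(), PrivateKey.RSA);
                    // Re-encrypt under the new password with a fresh random salt.
                    byte[] salt = new byte[PBEAlgorithm.PBE_SHA1_DES3_CBC.getSaltLength()];
                    JSSSecureRandom rand = manager.getSecureRNG();
                    rand.nextBytes(salt);
                    epki = EncryptedPrivateKeyInfo.createPBE(PBEAlgorithm.PBE_SHA1_DES3_CBC, newPass, salt, pbeIterations, new PasswordConverter(), pki);
                    // Replace bag j (this bag) with the re-encrypted copy. The
                    // original indexed with i, the SafeContents index, which
                    // overwrote the wrong bag whenever i != j.
                    safeContents.insertElementAt(new SafeBag(safeBag.getBagType(), epki, safeBag.getBagAttributes()), j);
                    safeContents.removeElementAt(j + 1);
                } else if (val instanceof CertBag) {
                    System.out.println("content is CertBag");
                    CertBag cb = (CertBag) val;
                    if (cb.getCertType().equals(CertBag.X509_CERT_TYPE)) {
                        OCTET_STRING os = (OCTET_STRING) cb.getInterpretedCert();
                        Certificate cert = (Certificate) ASN1Util.decode(Certificate.getTemplate(), os.toByteArray());
                        cert.getInfo().print(System.out);
                    } else {
                        System.out.println("Unrecognized cert type");
                    }
                } else {
                    System.out.println("content is ANY");
                }
            }
            // Preserve the encrypted/plain status of each SafeContents, but
            // encrypt with the new password where encryption applies.
            if (authSafes.safeContentsIsEncrypted(i)) {
                newAuthSafes.addEncryptedSafeContents(AuthenticatedSafes.DEFAULT_KEY_GEN_ALG, newPass, null, AuthenticatedSafes.DEFAULT_ITERATIONS, safeContents);
            } else {
                newAuthSafes.addSafeContents(safeContents);
            }
        }
        PFX newPfx = new PFX(newAuthSafes);
        newPfx.computeMacData(newPass, null, PFX.DEFAULT_ITERATIONS);
        // try-with-resources so the output stream is closed even if encode()
        // throws part-way (the original leaked it on that path).
        try (FileOutputStream fos = new FileOutputStream(args[2])) {
            newPfx.encode(fos);
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
}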
Also used : SET(org.mozilla.jss.asn1.SET) Attribute(org.mozilla.jss.pkix.primitive.Attribute) JSSSecureRandom(org.mozilla.jss.crypto.JSSSecureRandom) FileNotFoundException(java.io.FileNotFoundException) CryptoManager(org.mozilla.jss.CryptoManager) ANY(org.mozilla.jss.asn1.ANY) ASN1Value(org.mozilla.jss.asn1.ASN1Value) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) BufferedInputStream(java.io.BufferedInputStream) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) ConsolePasswordCallback(org.mozilla.jss.util.ConsolePasswordCallback) BMPString(org.mozilla.jss.asn1.BMPString) Password(org.mozilla.jss.util.Password) PFX(org.mozilla.jss.pkcs12.PFX) CryptoToken(org.mozilla.jss.crypto.CryptoToken) ByteArrayOutputStream(java.io.ByteArrayOutputStream) SafeBag(org.mozilla.jss.pkcs12.SafeBag) FileInputStream(java.io.FileInputStream) FileNotFoundException(java.io.FileNotFoundException) AuthenticatedSafes(org.mozilla.jss.pkcs12.AuthenticatedSafes) CryptoStore(org.mozilla.jss.crypto.CryptoStore) CertBag(org.mozilla.jss.pkcs12.CertBag) FileOutputStream(java.io.FileOutputStream) EncryptedPrivateKeyInfo(org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo) PasswordConverter(org.mozilla.jss.pkcs12.PasswordConverter) EncryptedPrivateKeyInfo(org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo) PrivateKeyInfo(org.mozilla.jss.pkix.primitive.PrivateKeyInfo) Certificate(org.mozilla.jss.pkix.cert.Certificate)

Example 2 with PFX

use of PFX in project jss by dogtagpki. As in the previous example, the index lists com.mindbright.security.pkcs12.PFX but the class used is org.mozilla.jss.pkcs12.PFX.

the class PKCS12Util, method storeIntoFile: encodes a PKCS #12 structure under a password and writes it to a file.

public void storeIntoFile(PKCS12 pkcs12, String filename, Password password) throws Exception {
    // Encode pkcs12 as a PFX under the given password and write it to filename.
    // The encoding is completed in memory before the file is opened, so a
    // failure inside encode() never creates or truncates the target file.
    // NOTE(review): the file is created with the JVM's default permissions
    // even though it carries (password-protected) private key material.
    PFX pfx = generatePFX(pkcs12, password);
    logger.info("Storing PKCS #12 data into " + filename);
    ByteArrayOutputStream encoded = new ByteArrayOutputStream();
    pfx.encode(encoded);
    try (FileOutputStream out = new FileOutputStream(filename)) {
        encoded.writeTo(out);
    }
}
Also used : PFX(org.mozilla.jss.pkcs12.PFX) FileOutputStream(java.io.FileOutputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream)

Example 3 with PFX

use of PFX in project core by jcryptool. The index lists com.mindbright.security.pkcs12.PFX, but the imports below show this project uses codec.pkcs12.PFX.

the class AbstractImportKeyStoreEntryHandler, method performImportAction: dispatches an imported object (secret key, PFX key pair, or certificate) into the key store.

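protected void performImportAction(IImportDescriptor descriptor, Object importedObject) throws IllegalArgumentException {
    // Stores importedObject in the key store according to the entry type named
    // by descriptor: SECRETKEY expects a SecretKey, KEYPAIR a PFX (PKCS #12)
    // holding a shrouded private key plus its certificate, PUBLICKEY a
    // Certificate. Any other entry type is ignored, as before.
    //
    // @throws IllegalArgumentException if importedObject is not the type the
    //         descriptor's entry type requires
    if (descriptor.getKeyStoreEntryType().equals(KeyType.SECRETKEY)) {
        if (!(importedObject instanceof SecretKey)) {
            throw new IllegalArgumentException("Parameter is not as expected an instance of SecretKey");
        }
        LogUtil.logInfo("importing secret key"); // $NON-NLS-1$
        addSecretKey(descriptor, (SecretKey) importedObject);
    } else if (descriptor.getKeyStoreEntryType().equals(KeyType.KEYPAIR)) {
        if (!(importedObject instanceof PFX)) {
            throw new IllegalArgumentException("Parameter is not an instance of PFX, as expected");
        }
        LogUtil.logInfo("importing pfx"); // $NON-NLS-1$
        importKeyPairFromPfx(descriptor, (PFX) importedObject);
    } else if (descriptor.getKeyStoreEntryType().equals(KeyType.PUBLICKEY)) {
        if (!(importedObject instanceof Certificate)) {
            throw new IllegalArgumentException("Parameter is not an instance of Certificate, as expected");
        }
        LogUtil.logInfo("importing certificate"); // $NON-NLS-1$
        addCertificate(descriptor, (Certificate) importedObject);
    }
}

// Extracts the private key and the certificate's public key from pfx and adds
// them as a key pair. Prompts for the PFX password; a cancelled prompt (null)
// aborts silently. Errors are logged, not thrown.
private void importKeyPairFromPfx(IImportDescriptor descriptor, PFX pfx) {
    char[] password = promptPassword();
    if (password == null) {
        return;
    }
    try {
        // Fixed layout inherited from the original: SafeContents #0, bag 0 is
        // the PKCS8ShroudedKeyBag; SafeContents #1 (password-encrypted), bag 0
        // is the CertBag. A PFX written by other tooling may arrange its bags
        // differently; that shows up as a ClassCastException, which is now
        // caught and logged instead of escaping as an unchecked exception.
        SafeBag keyBag = pfx.getAuthSafe().getSafeContents(0).getSafeBag(0);
        PKCS8ShroudedKeyBag shrouded = (PKCS8ShroudedKeyBag) keyBag.getBagValue();
        PrivateKey privKey = shrouded.getPrivateKey(password);
        SafeBag certSafeBag = pfx.getAuthSafe().getSafeContents(1, password).getSafeBag(0);
        CertBag certBag = (CertBag) certSafeBag.getBagValue();
        PublicKey pubKey = certBag.getCertificate().getPublicKey();
        // NOTE(review): nothing verifies that pubKey corresponds to privKey,
        // and the certificate itself is not validated; the PFX contents are
        // trusted as-is.
        int keySize = -1;
        if (pubKey instanceof RSAPublicKey) {
            keySize = ((RSAPublicKey) pubKey).getN().bitLength();
        } else if (pubKey instanceof DSAPublicKey) {
            keySize = ((DSAPublicKey) pubKey).getParameters().getP().bitLength();
        }
        // TODO: Add keySize calculation for the remaining algorithms.
        ImportDescriptor newDescriptor = new ImportDescriptor(descriptor.getContactName(), privKey.getAlgorithm(), KeyType.KEYPAIR, descriptor.getFileName(), descriptor.getPassword(), descriptor.getProvider(), keySize);
        addKeyPair(newDescriptor, privKey, pubKey);
    } catch (ASN1Exception e) {
        LogUtil.logError(KeyStorePlugin.PLUGIN_ID, "error while importing key pair", e, true);
    } catch (IOException e) {
        LogUtil.logError(KeyStorePlugin.PLUGIN_ID, "error while importing key pair", e, false);
    } catch (GeneralSecurityException e) {
        LogUtil.logError(KeyStorePlugin.PLUGIN_ID, "error while importing key pair", e, true);
    } catch (ClassCastException e) {
        LogUtil.logError(KeyStorePlugin.PLUGIN_ID, "unexpected bag layout while importing key pair", e, true);
    } finally {
        // The PFX password is no longer needed; don't leave it lying in the heap.
        java.util.Arrays.fill(password, '\0');
    }
}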
Also used : PKCS8ShroudedKeyBag(codec.pkcs12.PKCS8ShroudedKeyBag) PFX(codec.pkcs12.PFX) PrivateKey(java.security.PrivateKey) RSAPublicKey(de.flexiprovider.core.rsa.interfaces.RSAPublicKey) PublicKey(java.security.PublicKey) DSAPublicKey(de.flexiprovider.core.dsa.interfaces.DSAPublicKey) ASN1Exception(codec.asn1.ASN1Exception) GeneralSecurityException(java.security.GeneralSecurityException) IOException(java.io.IOException) SafeBag(codec.pkcs12.SafeBag) DSAPublicKey(de.flexiprovider.core.dsa.interfaces.DSAPublicKey) SecretKey(javax.crypto.SecretKey) CertBag(codec.pkcs12.CertBag) RSAPublicKey(de.flexiprovider.core.rsa.interfaces.RSAPublicKey) IImportDescriptor(org.jcryptool.crypto.keystore.descriptors.interfaces.IImportDescriptor) ImportDescriptor(org.jcryptool.crypto.keystore.descriptors.ImportDescriptor) Certificate(java.security.cert.Certificate)

Example 4 with PFX

use of PFX in project core by jcryptool (codec.pkcs12.PFX, per the imports below; the index lists it under com.mindbright.security.pkcs12.PFX).

the class ImportExportManager, method exportKeyPair: writes a private key and its certificate chain as a password-protected PKCS #12 file.

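public void exportKeyPair(IPath path, PrivateKey key, Certificate[] chain, char[] password) {
    // Writes key and chain to path as a password-protected PKCS #12 (PFX) file.
    // chain[0] is treated as the end-entity certificate; any further entries
    // are handed to PFX as the CA chain. Errors are logged, not thrown.
    // The password array is owned by the caller and is not wiped here.
    X509Certificate[] x509Chain = convert(chain);
    try {
        if (x509Chain.length == 0) {
            // The original indexed x509Chain[0] unconditionally and would have
            // failed with an ArrayIndexOutOfBoundsException on an empty chain.
            LogUtil.logError(KeyStorePlugin.PLUGIN_ID, "cannot export a key pair without a certificate", new IllegalArgumentException("empty certificate chain"), true);
            return;
        }
        X509Certificate[] caChain = null;
        if (x509Chain.length > 1) {
            caChain = new X509Certificate[x509Chain.length - 1];
            // Bounded by x509Chain, not chain, so the copy cannot run past the
            // converted array if convert() ever returns fewer elements.
            System.arraycopy(x509Chain, 1, caChain, 0, caChain.length);
        }
        PFX pfx = new PFX(key, x509Chain[0], caChain, password, null, null);
        IFileStore fileStore = EFS.getStore(URIUtil.toURI(path));
        // NOTE(review): EFS.APPEND appends to an existing file, so a second
        // export to the same path yields two concatenated DER structures (of
        // which a decoder reads only the first) and leaves the earlier key
        // material in place. importPFX opens with EFS.NONE; if overwriting is
        // the intent, that flag belongs here too - confirm with the callers.
        //
        // try-with-resources closes the stream even if encode() throws; the
        // original leaked the open stream on that path.
        try (OutputStream os = new BufferedOutputStream(fileStore.openOutputStream(EFS.APPEND, null))) {
            DEREncoder encoder = new DEREncoder(os);
            pfx.encode(encoder);
            encoder.close();
        }
    } catch (CertificateEncodingException e) {
        LogUtil.logError(KeyStorePlugin.PLUGIN_ID, "CertificateEncodingException while creating a PFX", e, true);
    } catch (GeneralSecurityException e) {
        LogUtil.logError(KeyStorePlugin.PLUGIN_ID, "GeneralSecurityException while creating a PFX", e, true);
    } catch (ASN1Exception e) {
        LogUtil.logError(KeyStorePlugin.PLUGIN_ID, "ASN1Exception while creating a PFX", e, true);
    } catch (IOException e) {
        LogUtil.logError(KeyStorePlugin.PLUGIN_ID, "IOException while creating a PFX", e, true);
    } catch (CoreException e) {
        LogUtil.logError(KeyStorePlugin.PLUGIN_ID, "CoreException while creating a PFX", e, true);
    }
}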
Also used : PFX(codec.pkcs12.PFX) ASN1Exception(codec.asn1.ASN1Exception) BufferedOutputStream(java.io.BufferedOutputStream) ObjectOutputStream(java.io.ObjectOutputStream) OutputStream(java.io.OutputStream) GeneralSecurityException(java.security.GeneralSecurityException) CertificateEncodingException(java.security.cert.CertificateEncodingException) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) CoreException(org.eclipse.core.runtime.CoreException) DEREncoder(codec.asn1.DEREncoder) IFileStore(org.eclipse.core.filesystem.IFileStore) BufferedOutputStream(java.io.BufferedOutputStream)

Example 5 with PFX

use of PFX in project core by jcryptool (codec.pkcs12.PFX, per the imports below; the index lists it under com.mindbright.security.pkcs12.PFX).

the class ImportManager, method importPFX: reads and DER-decodes a PKCS #12 file from a workspace path.

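public PFX importPFX(IPath path) {
    // Reads and DER-decodes the PKCS #12 file at path. Returns null on any
    // failure, which is logged. No password is involved here: only the outer
    // PFX structure is decoded; the shrouded key bags inside it are decrypted
    // later by the import handler.
    //
    // NOTE(review): the file is parsed without any size limit; the ASN.1
    // decoder sees whatever the user points it at.
    try {
        IFileStore fileStore = EFS.getStore(URIUtil.toURI(path));
        // try-with-resources so the input stream is closed even when decode()
        // throws; the original only closed the decoder on the success path.
        try (BufferedInputStream in = new BufferedInputStream(fileStore.openInputStream(EFS.NONE, null))) {
            PFX pfx = new PFX();
            DERDecoder decoder = new DERDecoder(in);
            pfx.decode(decoder);
            decoder.close();
            return pfx;
        }
    } catch (CoreException e) {
        LogUtil.logError(FlexiProviderKeystorePlugin.PLUGIN_ID, "CoreException while accessing a file store", e, true);
    } catch (ASN1Exception e) {
        LogUtil.logError(FlexiProviderKeystorePlugin.PLUGIN_ID, "ASN1Exception while decoding a pfx", e, true);
    } catch (IOException e) {
        LogUtil.logError(FlexiProviderKeystorePlugin.PLUGIN_ID, "IOException while decoding a pfx", e, false);
    }
    return null;
}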
Also used : PFX(codec.pkcs12.PFX) CoreException(org.eclipse.core.runtime.CoreException) BufferedInputStream(java.io.BufferedInputStream) ASN1Exception(codec.asn1.ASN1Exception) IFileStore(org.eclipse.core.filesystem.IFileStore) IOException(java.io.IOException) DERDecoder(codec.asn1.DERDecoder)

Aggregations

PFX (org.mozilla.jss.pkcs12.PFX)6 PFX (codec.pkcs12.PFX)4 IOException (java.io.IOException)4 SEQUENCE (org.mozilla.jss.asn1.SEQUENCE)4 ASN1Exception (codec.asn1.ASN1Exception)3 BufferedInputStream (java.io.BufferedInputStream)3 FileOutputStream (java.io.FileOutputStream)3 BMPString (org.mozilla.jss.asn1.BMPString)3 AuthenticatedSafes (org.mozilla.jss.pkcs12.AuthenticatedSafes)3 AMPassword (com.sun.identity.security.keystore.AMPassword)2 ByteArrayInputStream (java.io.ByteArrayInputStream)2 ByteArrayOutputStream (java.io.ByteArrayOutputStream)2 FileInputStream (java.io.FileInputStream)2 GeneralSecurityException (java.security.GeneralSecurityException)2 MessageDigest (java.security.MessageDigest)2 Certificate (java.security.cert.Certificate)2 CertificateException (java.security.cert.CertificateException)2 SecretKey (javax.crypto.SecretKey)2 InvalidNameException (javax.naming.InvalidNameException)2 IFileStore (org.eclipse.core.filesystem.IFileStore)2