Search in sources :

Example 1 with SafeBag

use of com.mindbright.security.pkcs12.SafeBag in project jss by dogtagpki.

the class pkcs12 method main.

public static void main(String[] args) {
    try {
        // Read arguments
        if (args.length != 3) {
            System.out.println("Usage: PFX <dbdir> <infile> <outfile>");
            System.exit(-1);
        }
        // open input file for reading
        FileInputStream infile = null;
        try {
            infile = new FileInputStream(args[1]);
        } catch (FileNotFoundException f) {
            System.out.println("Cannot open file " + args[1] + " for reading: " + f.getMessage());
            return;
        }
        int certfile = 0;
        // initialize CryptoManager. This is necessary because there is
        // crypto involved with decoding a PKCS #12 file
        CryptoManager.initialize(args[0]);
        CryptoManager manager = CryptoManager.getInstance();
        // Decode the P12 file
        PFX.Template pfxt = new PFX.Template();
        PFX pfx;
        try (BufferedInputStream is = new BufferedInputStream(infile, 2048)) {
            pfx = (PFX) pfxt.decode(is);
        }
        System.out.println("Decoded PFX");
        // print out information about the top-level PFX structure
        System.out.println("Version: " + pfx.getVersion());
        AuthenticatedSafes authSafes = pfx.getAuthSafes();
        SEQUENCE safeContentsSequence = authSafes.getSequence();
        System.out.println("AuthSafes has " + safeContentsSequence.size() + " SafeContents");
        // Get the password for the old file
        System.out.println("Enter password: ");
        Password pass = Password.readPasswordFromConsole();
        // get new password, which will be used for the new file we create
        // later
        System.out.println("Enter new password:");
        Password newPass = Password.readPasswordFromConsole();
        // Verify the MAC on the PFX.  This is important to be sure
        // it hasn't been tampered with.
        StringBuffer sb = new StringBuffer();
        if (pfx.verifyAuthSafes(pass, sb)) {
            System.out.println("AuthSafes verifies correctly.");
        } else {
            System.out.println("AuthSafes failed to verify because: " + sb);
        }
        // Create a new AuthenticatedSafes. As we read the contents of the
        // old authSafes, we will store them into the new one.  After we have
        // cycled through all the contents, they will all have been copied into
        // the new authSafes.
        AuthenticatedSafes newAuthSafes = new AuthenticatedSafes();
        // for(int i=0; i < asSeq.size(); i++) {
        for (int i = 0; i < safeContentsSequence.size(); i++) {
            // The safeContents may or may not be encrypted.  We always send
            // the password in.  It will get used if it is needed.  If the
            // decryption of the safeContents fails for some reason (like
            // a bad password), then this method will throw an exception
            SEQUENCE safeContents = authSafes.getSafeContentsAt(pass, i);
            System.out.println("\n\nSafeContents #" + i + " has " + safeContents.size() + " bags");
            // Go through all the bags in this SafeContents
            for (int j = 0; j < safeContents.size(); j++) {
                SafeBag safeBag = (SafeBag) safeContents.elementAt(j);
                // The type of the bag is an OID
                System.out.println("\nBag " + j + " has type " + safeBag.getBagType());
                // look for bag attributes
                SET attribs = safeBag.getBagAttributes();
                if (attribs == null) {
                    System.out.println("Bag has no attributes");
                } else {
                    for (int b = 0; b < attribs.size(); b++) {
                        Attribute a = (Attribute) attribs.elementAt(b);
                        if (a.getType().equals(SafeBag.FRIENDLY_NAME)) {
                            // the friendly name attribute is a nickname
                            BMPString bs = (BMPString) ((ANY) a.getValues().elementAt(0)).decodeWith(BMPString.getTemplate());
                            System.out.println("Friendly Name: " + bs);
                        } else if (a.getType().equals(SafeBag.LOCAL_KEY_ID)) {
                            // the local key id is used to match a key
                            // to its cert.  The key id is the SHA-1 hash of
                            // the DER-encoded cert.
                            OCTET_STRING os = (OCTET_STRING) ((ANY) a.getValues().elementAt(0)).decodeWith(OCTET_STRING.getTemplate());
                            System.out.println("LocalKeyID:");
                        /*
                            AuthenticatedSafes.
                                print_byte_array(os.toByteArray());
							*/
                        } else {
                            System.out.println("Unknown attribute type: " + a.getType().toString());
                        }
                    }
                }
                // now look at the contents of the bag
                ASN1Value val = safeBag.getInterpretedBagContent();
                if (val instanceof PrivateKeyInfo) {
                    // A PrivateKeyInfo contains an unencrypted private key
                    System.out.println("content is PrivateKeyInfo");
                } else if (val instanceof EncryptedPrivateKeyInfo) {
                    // An EncryptedPrivateKeyInfo is, well, an encrypted
                    // PrivateKeyInfo. Usually, strong crypto is used in
                    // an EncryptedPrivateKeyInfo.
                    EncryptedPrivateKeyInfo epki = ((EncryptedPrivateKeyInfo) val);
                    System.out.println("content is EncryptedPrivateKeyInfo, algoid:" + epki.getEncryptionAlgorithm().getOID());
                    // Because we are in a PKCS #12 file, the passwords are
                    // char-to-byte converted in a special way.  We have to
                    // use the special converter class instead of the default.
                    PrivateKeyInfo pki = epki.decrypt(pass, new org.mozilla.jss.pkcs12.PasswordConverter());
                    // import the key into the key3.db
                    CryptoToken tok = manager.getTokenByName("Internal Key Storage Token");
                    CryptoStore store = tok.getCryptoStore();
                    tok.login(new ConsolePasswordCallback());
                    ByteArrayOutputStream baos = new ByteArrayOutputStream();
                    pki.encode(baos);
                    store.importPrivateKey(baos.toByteArray(), PrivateKey.RSA);
                    // re-encrypt the PrivateKeyInfo with the new password
                    // and random salt
                    byte[] salt = new byte[PBEAlgorithm.PBE_SHA1_DES3_CBC.getSaltLength()];
                    JSSSecureRandom rand = CryptoManager.getInstance().getSecureRNG();
                    rand.nextBytes(salt);
                    epki = EncryptedPrivateKeyInfo.createPBE(PBEAlgorithm.PBE_SHA1_DES3_CBC, newPass, salt, 1, new PasswordConverter(), pki);
                    // Overwrite the previous EncryptedPrivateKeyInfo with
                    // this new one we just created using the new password.
                    // This is what will get put in the new PKCS #12 file
                    // we are creating.
                    safeContents.insertElementAt(new SafeBag(safeBag.getBagType(), epki, safeBag.getBagAttributes()), i);
                    safeContents.removeElementAt(i + 1);
                } else if (val instanceof CertBag) {
                    System.out.println("content is CertBag");
                    CertBag cb = (CertBag) val;
                    if (cb.getCertType().equals(CertBag.X509_CERT_TYPE)) {
                        // this is an X.509 certificate
                        OCTET_STRING os = (OCTET_STRING) cb.getInterpretedCert();
                        Certificate cert = (Certificate) ASN1Util.decode(Certificate.getTemplate(), os.toByteArray());
                        cert.getInfo().print(System.out);
                    } else {
                        System.out.println("Unrecognized cert type");
                    }
                } else {
                    System.out.println("content is ANY");
                }
            }
            // Add the new safe contents to the new authsafes
            if (authSafes.safeContentsIsEncrypted(i)) {
                newAuthSafes.addEncryptedSafeContents(AuthenticatedSafes.DEFAULT_KEY_GEN_ALG, newPass, null, AuthenticatedSafes.DEFAULT_ITERATIONS, safeContents);
            } else {
                newAuthSafes.addSafeContents(safeContents);
            }
        }
        // Create new PFX from the new authsafes
        PFX newPfx = new PFX(newAuthSafes);
        // Add a MAC to the new PFX
        newPfx.computeMacData(newPass, null, PFX.DEFAULT_ITERATIONS);
        // write the new PFX out to a file
        FileOutputStream fos = new FileOutputStream(args[2]);
        newPfx.encode(fos);
        fos.close();
    } catch (Exception e) {
        e.printStackTrace();
    }
}
Also used : SET(org.mozilla.jss.asn1.SET) Attribute(org.mozilla.jss.pkix.primitive.Attribute) JSSSecureRandom(org.mozilla.jss.crypto.JSSSecureRandom) FileNotFoundException(java.io.FileNotFoundException) CryptoManager(org.mozilla.jss.CryptoManager) ANY(org.mozilla.jss.asn1.ANY) ASN1Value(org.mozilla.jss.asn1.ASN1Value) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) BufferedInputStream(java.io.BufferedInputStream) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) ConsolePasswordCallback(org.mozilla.jss.util.ConsolePasswordCallback) BMPString(org.mozilla.jss.asn1.BMPString) Password(org.mozilla.jss.util.Password) PFX(org.mozilla.jss.pkcs12.PFX) CryptoToken(org.mozilla.jss.crypto.CryptoToken) ByteArrayOutputStream(java.io.ByteArrayOutputStream) SafeBag(org.mozilla.jss.pkcs12.SafeBag) FileInputStream(java.io.FileInputStream) FileNotFoundException(java.io.FileNotFoundException) AuthenticatedSafes(org.mozilla.jss.pkcs12.AuthenticatedSafes) CryptoStore(org.mozilla.jss.crypto.CryptoStore) CertBag(org.mozilla.jss.pkcs12.CertBag) FileOutputStream(java.io.FileOutputStream) EncryptedPrivateKeyInfo(org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo) PasswordConverter(org.mozilla.jss.pkcs12.PasswordConverter) EncryptedPrivateKeyInfo(org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo) PrivateKeyInfo(org.mozilla.jss.pkix.primitive.PrivateKeyInfo) Certificate(org.mozilla.jss.pkix.cert.Certificate)

Example 2 with SafeBag

use of com.mindbright.security.pkcs12.SafeBag in project jss by dogtagpki.

the class PKCS12Util method addCertBag.

public void addCertBag(PKCS12CertInfo certInfo, SEQUENCE safeContents) throws Exception {
    byte[] id = certInfo.getID();
    logger.debug(" - Certificate ID: " + Utils.HexEncode(id));
    X509CertImpl cert = certInfo.getCert();
    ASN1Value certAsn1 = new OCTET_STRING(cert.getEncoded());
    CertBag certBag = new CertBag(CertBag.X509_CERT_TYPE, certAsn1);
    SET certAttrs = createCertBagAttrs(certInfo);
    SafeBag safeBag = new SafeBag(SafeBag.CERT_BAG, certBag, certAttrs);
    safeContents.addElement(safeBag);
}
Also used : ASN1Value(org.mozilla.jss.asn1.ASN1Value) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) CertBag(org.mozilla.jss.pkcs12.CertBag) SET(org.mozilla.jss.asn1.SET) X509CertImpl(org.mozilla.jss.netscape.security.x509.X509CertImpl) SafeBag(org.mozilla.jss.pkcs12.SafeBag)

Example 3 with SafeBag

use of com.mindbright.security.pkcs12.SafeBag in project jss by dogtagpki.

the class PKCS12Util method addKeyBag.

/**
 * Add a private key to the PKCS #12 object.
 *
 * The PKCS12KeyInfo object received comes about in two
 * different scenarios:
 *
 * - The private key could be in encrypted byte[] form (e.g.
 *   when we have merely loaded a PKCS #12 file for inspection
 *   or e.g. to delete a certificate and its associated key).
 *   In this case we simply re-use this encrypted private key
 *   info byte[].
 *
 * - The private key could be a be an NSS PrivateKey handle.  In
 *   this case we must export the PrivateKey from the token to
 *   obtain the EncryptedPrivateKeyInfo.
 *
 * The common final step is to add the encrypted private key
 * data to a "Shrouded Key Bag" to the PKCS #12 object.
 * Unencrypted key material is never seen.
 */
public void addKeyBag(PKCS12KeyInfo keyInfo, Password password, SEQUENCE encSafeContents) throws Exception {
    byte[] keyID = keyInfo.getID();
    logger.debug(" - Key ID: " + Utils.HexEncode(keyID));
    ASN1Value content;
    byte[] epkiBytes = keyInfo.getEncryptedPrivateKeyInfoBytes();
    if (epkiBytes != null) {
        // private key already encrypted
        content = new ANY(epkiBytes);
    } else {
        PrivateKey privateKey = keyInfo.getPrivateKey();
        if (privateKey == null) {
            throw new Exception("Missing private key for " + keyInfo.getFriendlyName());
        }
        CryptoToken token = CryptoManager.getInstance().getInternalKeyStorageToken();
        if (keyEncryption == PBEAlgorithm.PBE_SHA1_DES3_CBC) {
            content = create_EPKI_with_PBE_SHA1_DES3_CBC(token, privateKey, password);
        } else if (keyEncryption == PBEAlgorithm.PBE_PKCS5_PBES2) {
            content = create_EPKI_with_PBE_PKCS5_PBES2(token, privateKey, password);
        } else {
            throw new Exception("Unsupported key encryption: " + keyEncryption);
        }
    }
    SET keyAttrs = createKeyBagAttrs(keyInfo);
    SafeBag safeBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG, content, keyAttrs);
    encSafeContents.addElement(safeBag);
}
Also used : ASN1Value(org.mozilla.jss.asn1.ASN1Value) PrivateKey(org.mozilla.jss.crypto.PrivateKey) CryptoToken(org.mozilla.jss.crypto.CryptoToken) SET(org.mozilla.jss.asn1.SET) ANY(org.mozilla.jss.asn1.ANY) SafeBag(org.mozilla.jss.pkcs12.SafeBag) NoSuchItemOnTokenException(org.mozilla.jss.crypto.NoSuchItemOnTokenException) ObjectNotFoundException(org.mozilla.jss.crypto.ObjectNotFoundException) CertificateException(java.security.cert.CertificateException) InvalidNameException(javax.naming.InvalidNameException)

Example 4 with SafeBag

use of com.mindbright.security.pkcs12.SafeBag in project jss by dogtagpki.

the class PKCS12Util method getKeyInfos.

public void getKeyInfos(PKCS12 pkcs12, PFX pfx, Password password) throws Exception {
    logger.debug("Load encrypted private keys:");
    AuthenticatedSafes safes = pfx.getAuthSafes();
    for (int i = 0; i < safes.getSize(); i++) {
        SEQUENCE contents = safes.getSafeContentsAt(password, i);
        for (int j = 0; j < contents.size(); j++) {
            SafeBag bag = (SafeBag) contents.elementAt(j);
            OBJECT_IDENTIFIER oid = bag.getBagType();
            if (!oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG))
                continue;
            logger.debug(" - Private key:");
            PKCS12KeyInfo keyInfo = getKeyInfo(bag, password);
            pkcs12.addKeyInfo(keyInfo);
        }
    }
}
Also used : SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) OBJECT_IDENTIFIER(org.mozilla.jss.asn1.OBJECT_IDENTIFIER) SafeBag(org.mozilla.jss.pkcs12.SafeBag) AuthenticatedSafes(org.mozilla.jss.pkcs12.AuthenticatedSafes)

Example 5 with SafeBag

use of com.mindbright.security.pkcs12.SafeBag in project SpringRemote by HaleyWang.

the class PKCS12KeyStore method processSafeContents.

private void processSafeContents(byte[] scBer) throws IOException {
    ByteArrayInputStream ba = new ByteArrayInputStream(scBer);
    SafeContents sc = new SafeContents();
    ASN1DER ber = new ASN1DER();
    ber.decode(ba, sc);
    for (int j = 0; j < sc.getCount(); j++) {
        SafeBag safeBag = sc.getSafeBag(j);
        String friendlyName = getAttribute(safeBag, "1.2.840.113549.1.9.20");
        String localKeyId = getAttribute(safeBag, "1.2.840.113549.1.9.21");
        if (friendlyName != null) {
            if (localKeyId != null) {
                name2id.put(friendlyName, localKeyId);
            }
            if (!aliases.contains(friendlyName)) {
                aliases.addElement(friendlyName);
            }
        } else if (localKeyId != null) {
            name2id.put(localKeyId, localKeyId);
            if (!aliases.contains(localKeyId)) {
                aliases.addElement(localKeyId);
            }
        }
        switch(safeBag.getBagType()) {
            case SafeBag.TYPE_PKCS8_SHROUDED_KEYBAG:
                EncryptedPrivateKeyInfo keyBag = (EncryptedPrivateKeyInfo) safeBag.bagValue.getValue();
                privateKeys.put(localKeyId, keyBag);
                break;
            case SafeBag.TYPE_CERTBAG:
                CertBag cb = (CertBag) safeBag.bagValue.getValue();
                byte[] derCert = ((ASN1OctetString) cb.certValue.getValue()).getRaw();
                if (localKeyId == null) {
                    /*
                     * Trusted certs don't have a localKeyId
                     */
                    localKeyId = friendlyName;
                } else {
                    certificates.put(localKeyId, derCert);
                }
                break;
            default:
                throw new IOException("SafeBag type not supported: " + safeBag.bagId.getString());
        }
    }
}
Also used : ASN1OctetString(com.mindbright.asn1.ASN1OctetString) CertBag(com.mindbright.security.pkcs12.CertBag) ByteArrayInputStream(java.io.ByteArrayInputStream) ASN1DER(com.mindbright.asn1.ASN1DER) EncryptedPrivateKeyInfo(com.mindbright.security.pkcs8.EncryptedPrivateKeyInfo) SafeContents(com.mindbright.security.pkcs12.SafeContents) ASN1OctetString(com.mindbright.asn1.ASN1OctetString) ASN1CharString(com.mindbright.asn1.ASN1CharString) IOException(java.io.IOException) SafeBag(com.mindbright.security.pkcs12.SafeBag)

Aggregations

SafeBag (org.mozilla.jss.pkcs12.SafeBag)7 ASN1Value (org.mozilla.jss.asn1.ASN1Value)5 SEQUENCE (org.mozilla.jss.asn1.SEQUENCE)5 SET (org.mozilla.jss.asn1.SET)5 AuthenticatedSafes (org.mozilla.jss.pkcs12.AuthenticatedSafes)4 ANY (org.mozilla.jss.asn1.ANY)3 OCTET_STRING (org.mozilla.jss.asn1.OCTET_STRING)3 BufferedInputStream (java.io.BufferedInputStream)2 FileInputStream (java.io.FileInputStream)2 IOException (java.io.IOException)2 CryptoToken (org.mozilla.jss.crypto.CryptoToken)2 CertBag (org.mozilla.jss.pkcs12.CertBag)2 ASN1Exception (codec.asn1.ASN1Exception)1 CertBag (codec.pkcs12.CertBag)1 PFX (codec.pkcs12.PFX)1 PKCS8ShroudedKeyBag (codec.pkcs12.PKCS8ShroudedKeyBag)1 SafeBag (codec.pkcs12.SafeBag)1 ASN1CharString (com.mindbright.asn1.ASN1CharString)1 ASN1DER (com.mindbright.asn1.ASN1DER)1 ASN1OctetString (com.mindbright.asn1.ASN1OctetString)1