
Example 91 with ASN1OctetString

use of com.unboundid.asn1.ASN1OctetString in project zm-mailbox by Zimbra.

The class UBIDMutableEntry, method mapToAttrs.

// ZMutableEntry
/**
 * Copies every entry of {@code mapAttrs} into the wrapped LDAP entry as an attribute.
 *
 * <p>Each key is an attribute name; the value may be a {@code String} (single value), a
 * {@code String[]} or a {@code Collection} (multi-valued, elements converted with
 * {@code toString()}). Values of any other type are silently skipped. Binary handling is
 * looked up per attribute from {@link AttributeManager} when one is available; without it
 * every attribute is treated as non-binary. Values are handed to the SDK as ASN.1 octet
 * strings rather than being spliced into a text form, so no LDAP escaping is done here.
 *
 * @param mapAttrs attribute name to value(s); entries with unsupported value types are ignored
 */
@Override
public void mapToAttrs(Map<String, Object> mapAttrs) {
    AttributeManager attributeManager = AttributeManager.getInst();
    for (Map.Entry<String, Object> mapping : mapAttrs.entrySet()) {
        String name = mapping.getKey();
        Object rawValue = mapping.getValue();
        // Without an AttributeManager nothing is known about the attribute, so default to "not binary".
        boolean binaryData = attributeManager != null && attributeManager.containsBinaryData(name);
        boolean binaryTransfer = attributeManager != null && attributeManager.isBinaryTransfer(name);
        if (rawValue instanceof String) {
            // Single value: the SDK receives exactly one octet string.
            ASN1OctetString single = UBIDUtil.newASN1OctetString(binaryData, (String) rawValue);
            entry.addAttribute(UBIDUtil.newAttribute(binaryTransfer, name, single));
        } else if (rawValue instanceof String[]) {
            String[] strings = (String[]) rawValue;
            ASN1OctetString[] encoded = new ASN1OctetString[strings.length];
            int slot = 0;
            for (String s : strings) {
                encoded[slot++] = UBIDUtil.newASN1OctetString(binaryData, s);
            }
            entry.addAttribute(UBIDUtil.newAttribute(binaryTransfer, name, encoded));
        } else if (rawValue instanceof Collection) {
            ASN1OctetString[] encoded = encodeValues(binaryData, (Collection<?>) rawValue);
            entry.addAttribute(UBIDUtil.newAttribute(binaryTransfer, name, encoded));
        }
        // Any other value type (including null) is dropped without error.
    }
}

/**
 * Converts each element of {@code values} (via {@code toString()}) into an ASN.1 octet string.
 * An empty collection yields an empty array, which is still added as an attribute by the caller.
 */
private static ASN1OctetString[] encodeValues(boolean containsBinaryData, Collection<?> values) {
    ASN1OctetString[] encoded = new ASN1OctetString[values.size()];
    int slot = 0;
    for (Object element : values) {
        encoded[slot++] = UBIDUtil.newASN1OctetString(containsBinaryData, element.toString());
    }
    return encoded;
}

Example 92 with ASN1OctetString

use of com.unboundid.asn1.ASN1OctetString in project zm-mailbox by Zimbra.

The class UBIDModificationList, method addAttr.

/**
 * Queues an LDAP ADD modification for {@code name} holding those of {@code value} that the
 * entry does not already contain.
 *
 * <p>Values already present on {@code entry} (as reported by
 * {@code entry.getMultiAttr(name, false, true)}) are skipped, presumably so the server does not
 * reject the ADD for a value that already exists. If nothing is left to add, no modification is
 * queued at all. Values travel as ASN.1 octet strings, so no LDAP escaping is applied here.
 *
 * @param name               attribute name
 * @param value              candidate values to add
 * @param entry              current entry, used to detect values that already exist
 * @param containsBinaryData whether the values are binary (affects octet-string construction)
 * @param isBinaryTransfer   whether the attribute must be sent under its binary-transfer name
 */
@Override
public void addAttr(String name, String[] value, Entry entry, boolean containsBinaryData, boolean isBinaryTransfer) {
    String[] existing = entry.getMultiAttr(name, false, true);
    List<ASN1OctetString> additions = new ArrayList<ASN1OctetString>();
    for (String candidate : value) {
        if (!LdapUtil.contains(existing, candidate)) {
            additions.add(UBIDUtil.newASN1OctetString(containsBinaryData, candidate));
        }
    }
    if (additions.isEmpty()) {
        // Every value is already on the entry: nothing to send.
        return;
    }
    String wireName = LdapUtil.attrNameToBinaryTransferAttrName(isBinaryTransfer, name);
    modList.add(new Modification(ModificationType.ADD, wireName, additions.toArray(new ASN1OctetString[0])));
}

Example 93 with ASN1OctetString

use of com.unboundid.asn1.ASN1OctetString in project zm-mailbox by Zimbra.

The class UBIDModificationList, method modifyAttr.

/**
 * Queues an LDAP REPLACE modification that sets {@code name} to exactly {@code value}.
 *
 * <p>Unlike {@code addAttr}, no de-duplication against the current entry is performed: the
 * server replaces the whole value set. Note that an empty {@code value} produces a REPLACE
 * with no values, which under LDAP semantics removes the attribute.
 *
 * @param name               attribute name
 * @param value              the complete new value set
 * @param containsBinaryData whether the values are binary (affects octet-string construction)
 * @param isBinaryTransfer   whether the attribute must be sent under its binary-transfer name
 */
@Override
public void modifyAttr(String name, String[] value, boolean containsBinaryData, boolean isBinaryTransfer) {
    ASN1OctetString[] replacement = new ASN1OctetString[value.length];
    int slot = 0;
    for (String v : value) {
        replacement[slot++] = UBIDUtil.newASN1OctetString(containsBinaryData, v);
    }
    String wireName = LdapUtil.attrNameToBinaryTransferAttrName(isBinaryTransfer, name);
    modList.add(new Modification(ModificationType.REPLACE, wireName, replacement));
}

Example 94 with ASN1OctetString

use of com.unboundid.asn1.ASN1OctetString in project ddf by codice.

The class SamlAssertionValidatorImpl, method validateHolderOfKeyConfirmation.

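/**
 * Enforces SAML holder-of-key (HoK) subject confirmation against the client certificate
 * presented on the mutually authenticated TLS connection.
 *
 * <p>If none of the assertion's confirmation methods is HoK this is a no-op. Otherwise a TLS
 * client certificate must be present, and for every HoK {@code SubjectConfirmation} the first
 * element under {@code SubjectConfirmationData/ds:KeyInfo/ds:X509Data} is bound to that
 * certificate:
 * <ul>
 *   <li>{@code X509Certificate}: the embedded certificate must be within its validity period and
 *       either equal the TLS certificate or verify under the TLS certificate's public key;</li>
 *   <li>{@code X509SubjectName}: must equal the TLS certificate's subject DN string;</li>
 *   <li>{@code X509SKI}: must carry the same key identifier as the TLS certificate's
 *       SubjectKeyIdentifier extension;</li>
 *   <li>{@code X509IssuerSerial}, any other element, and any key info that is not
 *       {@code ds:KeyInfo/ds:X509Data}: rejected.</li>
 * </ul>
 * Only the first element child at each level is inspected; later siblings are ignored. Every
 * failure, including a missing or unexpected structure, fails closed with a
 * {@link SecurityServiceException}. (Previously an unrecognised key data element fell through
 * the if/else chain and was accepted without any check.)
 *
 * @param assertion the assertion under validation
 * @param x509Certs the TLS peer chain; {@code x509Certs[0]} is taken as the client certificate
 * @throws SecurityServiceException if HoK is claimed but cannot be tied to the TLS client certificate
 */
private void validateHolderOfKeyConfirmation(SamlAssertionWrapper assertion, X509Certificate[] x509Certs) throws SecurityServiceException {
    boolean hasHokMethod = false;
    for (String method : assertion.getConfirmationMethods()) {
        if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
            hasHokMethod = true;
            break;
        }
    }
    if (!hasHokMethod) {
        return;
    }
    // Key possession can only be demonstrated by the key used on the TLS handshake.
    if (x509Certs == null || x509Certs.length == 0) {
        throw new SecurityServiceException("Holder of Key assertion, must be used with 2-way TLS.");
    }
    X509Certificate tlsCertificate = x509Certs[0];
    List<SubjectConfirmation> subjectConfirmations = assertion.getSaml2().getSubject().getSubjectConfirmations();
    for (SubjectConfirmation subjectConfirmation : subjectConfirmations) {
        if (!OpenSAMLUtil.isMethodHolderOfKey(subjectConfirmation.getMethod())) {
            continue;
        }
        if (subjectConfirmation.getSubjectConfirmationData() == null) {
            throw new SecurityServiceException("Unable to validate Holder of Key assertion: no SubjectConfirmationData.");
        }
        Element dom = subjectConfirmation.getSubjectConfirmationData().getDOM();
        Element keyInfo = firstElementChild(dom, "KeyInfo");
        Element x509Data = firstElementChild(keyInfo, "X509Data");
        // Only ds:KeyInfo/ds:X509Data carries something that can be bound to the TLS certificate;
        // KeyValue, KeyName, etc. must not slip through unchecked.
        if (!"KeyInfo".equals(keyInfo.getLocalName()) || !"X509Data".equals(x509Data.getLocalName())) {
            throw new SecurityServiceException("Unable to validate Holder of Key assertion: key info is not X509Data. NOT SUPPORTED");
        }
        Element dataNode = firstElementChild(x509Data, "X509Data content");
        String localName = dataNode.getLocalName();
        String textContent = dataNode.getTextContent();
        if ("X509Certificate".equals(localName)) {
            validateHolderOfKeyCertificate(textContent, tlsCertificate);
        } else if ("X509SubjectName".equals(localName)) {
            // Plain string comparison of DNs, as before. getSubjectDN() is deprecated and its
            // rendering is implementation-specific, so a semantically equal but differently
            // rendered DN is rejected (fails closed). NOTE(review): switching to
            // getSubjectX500Principal().getName() would change which strings match — coordinate
            // with assertion producers before doing so.
            if (!tlsCertificate.getSubjectDN().getName().equals(textContent)) {
                throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject DN.");
            }
        } else if ("X509IssuerSerial".equals(localName)) {
            // No issuer/serial lookup is available here, so this confirmation type cannot be honoured.
            throw new SecurityServiceException("Unable to validate Holder of Key assertion with issuer serial. NOT SUPPORTED");
        } else if ("X509SKI".equals(localName)) {
            validateHolderOfKeySki(textContent, tlsCertificate);
        } else {
            // Anything unrecognised (including a null local name) is a failed confirmation, never a pass.
            throw new SecurityServiceException("Unable to validate Holder of Key assertion: unsupported key data element. NOT SUPPORTED");
        }
    }
}

/**
 * Returns the first child of {@code parent} that is an element, skipping text, comment and
 * other non-element nodes. Fails closed when {@code parent} is null or has no element child.
 *
 * @param parent the node whose children are scanned
 * @param what   short description of the expected child, used in the failure message
 * @throws SecurityServiceException if no element child exists
 */
private static Element firstElementChild(Node parent, String what) throws SecurityServiceException {
    for (Node child = parent == null ? null : parent.getFirstChild(); child != null; child = child.getNextSibling()) {
        if (child.getNodeType() == Node.ELEMENT_NODE) {
            return (Element) child;
        }
    }
    throw new SecurityServiceException("Unable to validate Holder of Key assertion: missing " + what + ".");
}

/**
 * Binds a base64 DER certificate from the assertion to the TLS client certificate.
 *
 * <p>The embedded certificate must be within its validity period and must either be the TLS
 * certificate itself or verify under the TLS certificate's public key (i.e. be issued by the
 * holder of that key). Decoding, parsing, validity and signature failures all map to the same
 * {@link SecurityServiceException}.
 *
 * @param base64Cert     text content of the {@code ds:X509Certificate} element
 * @param tlsCertificate the client certificate from the TLS handshake
 * @throws SecurityServiceException if the certificate cannot be tied to the TLS certificate
 */
private static void validateHolderOfKeyCertificate(String base64Cert, X509Certificate tlsCertificate) throws SecurityServiceException {
    try {
        byte[] der = Base64.getMimeDecoder().decode(base64Cert);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        // The asserted certificate must itself still be valid.
        cert.checkValidity();
        // Either it is exactly the TLS client certificate, or it was signed by the key behind it.
        if (!tlsCertificate.equals(cert)) {
            cert.verify(tlsCertificate.getPublicKey());
        }
    } catch (IllegalArgumentException | CertificateException | NoSuchAlgorithmException | InvalidKeyException | SignatureException | NoSuchProviderException e) {
        // Cause intentionally not surfaced in the message; NOTE(review): chain it if
        // SecurityServiceException offers a (String, Throwable) constructor.
        throw new SecurityServiceException("Unable to validate Holder of Key assertion with certificate.");
    }
}

/**
 * Compares the subject key identifier carried in the assertion with the TLS client
 * certificate's SubjectKeyIdentifier extension (OID 2.5.29.14).
 *
 * <p>{@code getExtensionValue} returns the DER OCTET STRING wrapping the extension, so it is
 * unwrapped once before being parsed as a {@code SubjectKeyIdentifier}. The assertion value is
 * unwrapped the same way, i.e. it is expected to carry the DER-encoded extension value.
 * NOTE(review): XMLDSig describes X509SKI as the plain SKI bytes; confirm with the assertion
 * producers which encoding they emit, since a plain value will be rejected here.
 *
 * @param base64Ski      text content of the {@code ds:X509SKI} element
 * @param tlsCertificate the client certificate from the TLS handshake
 * @throws SecurityServiceException if the TLS certificate has no SKI, the assertion SKI is
 *                                  malformed, or the identifiers differ
 */
private static void validateHolderOfKeySki(String base64Ski, X509Certificate tlsCertificate) throws SecurityServiceException {
    byte[] tlsSki = tlsCertificate.getExtensionValue("2.5.29.14");
    if (tlsSki == null || tlsSki.length == 0) {
        throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject key identifier.");
    }
    try {
        byte[] assertionSki = Base64.getMimeDecoder().decode(base64Ski);
        SubjectKeyIdentifier tlsId = SubjectKeyIdentifier.getInstance(ASN1OctetString.getInstance(tlsSki).getOctets());
        SubjectKeyIdentifier assertedId = SubjectKeyIdentifier.getInstance(ASN1OctetString.getInstance(assertionSki).getOctets());
        // The SKI is public data, so a non-constant-time comparison is acceptable here.
        if (!Arrays.equals(tlsId.getKeyIdentifier(), assertedId.getKeyIdentifier())) {
            throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject key identifier.");
        }
    } catch (IllegalArgumentException e) {
        // Bad base64 or malformed ASN.1 in the assertion: fail closed rather than propagate an unchecked error.
        throw new SecurityServiceException("Unable to validate Holder of Key assertion with subject key identifier.");
    }
}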
