
Example 1 with PKCS12Attribute

use of java.security.PKCS12Attribute in project Bytecoder by mirkosertic.

the class PKCS12KeyStore method getAttributes.

/**
 * Assembles the attribute set stored on an entry: friendlyName (always),
 * localKeyID (when the entry has a key id) and, for certificate entries,
 * trustedKeyUsage. The set is created on the entry if it is missing and is
 * returned after the attributes have been added.
 *
 * @param entry the entry whose attributes are assembled; its {@code attributes}
 *              field is created and mutated
 * @return the entry's (now populated) attribute set
 */
private Set<KeyStore.Entry.Attribute> getAttributes(Entry entry) {
    if (entry.attributes == null) {
        entry.attributes = new HashSet<>();
    }
    Set<KeyStore.Entry.Attribute> attrs = entry.attributes;
    // friendlyName: the alias is always written
    attrs.add(new PKCS12Attribute(PKCS9FriendlyName_OID.toString(), entry.alias));
    // localKeyID: only when the entry carries one (rendered in hex form)
    byte[] localKeyId = entry.keyId;
    if (localKeyId != null) {
        attrs.add(new PKCS12Attribute(PKCS9LocalKeyId_OID.toString(), Debug.toString(localKeyId)));
    }
    // trustedKeyUsage: only for certificate entries that declare it
    if (entry instanceof CertEntry) {
        ObjectIdentifier[] usages = ((CertEntry) entry).trustedKeyUsage;
        if (usages != null) {
            // a single usage is written bare; several are written in bracketed list form
            String usageValue = (usages.length == 1)
                    ? usages[0].toString()
                    : Arrays.toString(usages);
            attrs.add(new PKCS12Attribute(TrustedKeyUsage_OID.toString(), usageValue));
        }
    }
    return attrs;
}

Example 2 with PKCS12Attribute

use of java.security.PKCS12Attribute in project jdk8u_jdk by JetBrains.

the class PKCS12KeyStore method loadSafeContents.

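/**
 * Parses the SafeBags of one SafeContents and files each recognised bag in
 * the in-memory tables: key bags go to {@code entries} (and private keys also
 * to {@code keyList}), certificate bags to {@code entries} when they carry a
 * trustedKeyUsage attribute and otherwise to {@code certEntries}, and every
 * certificate to {@code certsMap} keyed by subject (first one wins).
 * Unrecognised bag types are logged when {@code debug} is set and skipped.
 * <p>
 * Bag attributes friendlyName, localKeyId and trustedKeyUsage are mapped onto
 * the entry; every other attribute is kept as an opaque {@link PKCS12Attribute}.
 * <p>
 * The stream is untrusted input. {@code getSequence}/{@code getSet} return
 * however many elements are actually present, so every element that is
 * indexed below is length-checked first and a truncated bag is reported as an
 * {@link IOException} rather than an {@link ArrayIndexOutOfBoundsException}.
 *
 * @param stream   DER stream positioned at the SafeContents SEQUENCE
 * @param password store password; not read by this method
 * @throws IOException              on malformed or unsupported DER content
 * @throws NoSuchAlgorithmException declared for callers; nothing in this body
 *                                  raises it directly
 * @throws CertificateException     if a CertBag does not hold a parseable
 *                                  X.509 certificate
 */
private void loadSafeContents(DerInputStream stream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException {
    DerValue[] safeBags = stream.getSequence(2);
    int count = safeBags.length;
    // Spin over the SafeBags.
    for (int i = 0; i < count; i++) {
        ObjectIdentifier bagId;
        DerInputStream sbi;
        DerValue bagValue;
        Object bagItem = null;
        sbi = safeBags[i].toDerInputStream();
        bagId = sbi.getOID();
        bagValue = sbi.getDerValue();
        // the bagValue must be the [0] EXPLICIT wrapper; unwrap it
        if (!bagValue.isContextSpecific((byte) 0)) {
            throw new IOException("unsupported PKCS12 bag value type " + bagValue.tag);
        }
        bagValue = bagValue.data.getDerValue();
        if (bagId.equals((Object) PKCS8ShroudedKeyBag_OID)) {
            // keep the shrouded (still encrypted) key bytes; nothing is decrypted here
            PrivateKeyEntry kEntry = new PrivateKeyEntry();
            kEntry.protectedPrivKey = bagValue.toByteArray();
            bagItem = kEntry;
            privateKeyCount++;
        } else if (bagId.equals((Object) CertBag_OID)) {
            DerInputStream cs = new DerInputStream(bagValue.toByteArray());
            DerValue[] certValues = cs.getSequence(2);
            // CertBag is { certId, certValue [0] }: check the count before indexing
            if (certValues.length != 2) {
                throw new IOException("Invalid length for CertBag");
            }
            // certId is read to validate that the element is an OID; its value is not used further
            ObjectIdentifier certId = certValues[0].getOID();
            if (!certValues[1].isContextSpecific((byte) 0)) {
                throw new IOException("unsupported PKCS12 cert value type " + certValues[1].tag);
            }
            DerValue certValue = certValues[1].data.getDerValue();
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            X509Certificate cert;
            cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certValue.getOctetString()));
            bagItem = cert;
            certificateCount++;
        } else if (bagId.equals((Object) SecretBag_OID)) {
            DerInputStream ss = new DerInputStream(bagValue.toByteArray());
            DerValue[] secretValues = ss.getSequence(2);
            // SecretBag is { secretTypeId, secretValue [0] }: check the count before indexing
            if (secretValues.length != 2) {
                throw new IOException("Invalid length for SecretBag");
            }
            // secretId is read to validate that the element is an OID; its value is not used further
            ObjectIdentifier secretId = secretValues[0].getOID();
            if (!secretValues[1].isContextSpecific((byte) 0)) {
                throw new IOException("unsupported PKCS12 secret value type " + secretValues[1].tag);
            }
            DerValue secretValue = secretValues[1].data.getDerValue();
            SecretKeyEntry kEntry = new SecretKeyEntry();
            kEntry.protectedSecretKey = secretValue.getOctetString();
            bagItem = kEntry;
            secretKeyCount++;
        } else {
            if (debug != null) {
                debug.println("Unsupported PKCS12 bag type: " + bagId);
            }
        }
        DerValue[] attrSet;
        try {
            attrSet = sbi.getSet(3);
        } catch (IOException e) {
            // entry does not have attributes
            // Note: CA certs can have no attributes
            // OpenSSL generates pkcs12 with no attr for CA certs.
            attrSet = null;
        }
        String alias = null;
        byte[] keyId = null;
        ObjectIdentifier[] trustedKeyUsage = null;
        Set<PKCS12Attribute> attributes = new HashSet<>();
        if (attrSet != null) {
            for (int j = 0; j < attrSet.length; j++) {
                byte[] encoded = attrSet[j].toByteArray();
                DerInputStream as = new DerInputStream(encoded);
                DerValue[] attrSeq = as.getSequence(2);
                // Attribute is { attrId, attrValues SET }: check the count before indexing
                if (attrSeq.length != 2) {
                    throw new IOException("Invalid length for Attribute");
                }
                ObjectIdentifier attrId = attrSeq[0].getOID();
                DerInputStream vs = new DerInputStream(attrSeq[1].toByteArray());
                DerValue[] valSet;
                try {
                    valSet = vs.getSet(1);
                } catch (IOException e) {
                    throw new IOException("Attribute " + attrId + " should have a value " + e.getMessage(), e);
                }
                // an empty SET parses cleanly but leaves nothing at valSet[0]
                if (valSet.length == 0) {
                    throw new IOException("Attribute " + attrId + " should have a value");
                }
                if (attrId.equals((Object) PKCS9FriendlyName_OID)) {
                    alias = valSet[0].getBMPString();
                } else if (attrId.equals((Object) PKCS9LocalKeyId_OID)) {
                    keyId = valSet[0].getOctetString();
                } else if (attrId.equals((Object) TrustedKeyUsage_OID)) {
                    trustedKeyUsage = new ObjectIdentifier[valSet.length];
                    for (int k = 0; k < valSet.length; k++) {
                        trustedKeyUsage[k] = valSet[k].getOID();
                    }
                } else {
                    // unknown attribute: keep the DER encoding verbatim
                    attributes.add(new PKCS12Attribute(encoded));
                }
            }
        }
        /*
         * As per PKCS12 v1.0 friendlyname (alias) and localKeyId (keyId)
         * are optional PKCS12 bagAttributes. But entries in the keyStore
         * are identified by their alias. Hence we need to have an
         * Unfriendlyname in the alias, if alias is null. The keyId
         * attribute is required to match the private key with the
         * certificate. If we get a bagItem of type KeyEntry with a
         * null keyId, we should skip it entirely.
         */
        if (bagItem instanceof KeyEntry) {
            KeyEntry entry = (KeyEntry) bagItem;
            if (keyId == null) {
                if (bagItem instanceof PrivateKeyEntry) {
                    // associated cert-chain: with exactly one private key a
                    // missing localKeyID is tolerated and synthesised as "01"
                    if (privateKeyCount == 1) {
                        keyId = "01".getBytes("UTF8");
                    } else {
                        continue;
                    }
                } else {
                    // a secret key has no certificate to match, so its keyId is
                    // not significant; use a placeholder instead of letting the
                    // String conversion below fail on null
                    keyId = "00".getBytes("UTF8");
                }
            }
            entry.keyId = keyId;
            // restore date if it exists (keyId of the form "Time <millis>")
            String keyIdStr = new String(keyId, "UTF8");
            Date date = null;
            if (keyIdStr.startsWith("Time ")) {
                try {
                    date = new Date(Long.parseLong(keyIdStr.substring(5)));
                } catch (NumberFormatException e) {
                    // not a timestamp after all; fall back to "now" below
                    date = null;
                }
            }
            if (date == null) {
                date = new Date();
            }
            entry.date = date;
            if (bagItem instanceof PrivateKeyEntry) {
                keyList.add((PrivateKeyEntry) entry);
            }
            if (entry.attributes == null) {
                entry.attributes = new HashSet<>();
            }
            entry.attributes.addAll(attributes);
            if (alias == null) {
                alias = getUnfriendlyName();
            }
            entry.alias = alias;
            entries.put(alias.toLowerCase(Locale.ENGLISH), entry);
        } else if (bagItem instanceof X509Certificate) {
            X509Certificate cert = (X509Certificate) bagItem;
            // associated cert-chain
            if ((keyId == null) && (privateKeyCount == 1)) {
                // insert localKeyID only for EE cert or self-signed cert
                if (i == 0) {
                    keyId = "01".getBytes("UTF8");
                }
            }
            // Trusted certificate
            if (trustedKeyUsage != null) {
                if (alias == null) {
                    alias = getUnfriendlyName();
                }
                CertEntry certEntry = new CertEntry(cert, keyId, alias, trustedKeyUsage, attributes);
                entries.put(alias.toLowerCase(Locale.ENGLISH), certEntry);
            } else {
                certEntries.add(new CertEntry(cert, keyId, alias));
            }
            X500Principal subjectDN = cert.getSubjectX500Principal();
            if (subjectDN != null) {
                // first certificate seen for a subject wins
                if (!certsMap.containsKey(subjectDN)) {
                    certsMap.put(subjectDN, cert);
                }
            }
        }
    }
}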

Example 3 with PKCS12Attribute

use of java.security.PKCS12Attribute in project jdk8u_jdk by JetBrains.

the class PKCS12KeyStore method getAttributes.

/**
 * Assembles the attribute set stored on an entry: friendlyName (always),
 * localKeyID (when the entry has a key id) and, for certificate entries,
 * trustedKeyUsage. The set is created on the entry if it is missing and is
 * returned after the attributes have been added.
 *
 * @param entry the entry whose attributes are assembled; its {@code attributes}
 *              field is created and mutated
 * @return the entry's (now populated) attribute set
 */
private Set<KeyStore.Entry.Attribute> getAttributes(Entry entry) {
    if (entry.attributes == null) {
        entry.attributes = new HashSet<>();
    }
    Set<KeyStore.Entry.Attribute> attrs = entry.attributes;
    // friendlyName: the alias is always written
    attrs.add(new PKCS12Attribute(PKCS9FriendlyName_OID.toString(), entry.alias));
    // localKeyID: only when the entry carries one (rendered in hex form)
    byte[] localKeyId = entry.keyId;
    if (localKeyId != null) {
        attrs.add(new PKCS12Attribute(PKCS9LocalKeyId_OID.toString(), Debug.toString(localKeyId)));
    }
    // trustedKeyUsage: only for certificate entries that declare it
    if (!(entry instanceof CertEntry)) {
        return attrs;
    }
    ObjectIdentifier[] usages = ((CertEntry) entry).trustedKeyUsage;
    if (usages != null) {
        String usageValue;
        if (usages.length == 1) {
            // a single usage is written bare, without list brackets
            usageValue = usages[0].toString();
        } else {
            // several usages are written in bracketed list form
            usageValue = Arrays.toString(usages);
        }
        attrs.add(new PKCS12Attribute(TrustedKeyUsage_OID.toString(), usageValue));
    }
    return attrs;
}

Example 4 with PKCS12Attribute

use of java.security.PKCS12Attribute in project jdk8u_jdk by JetBrains.

the class MetadataStoreLoadTest method setUp.

/**
 * Creates the PKCS12 test key store and the five attributes the test loads
 * into it: a registered (email-address) attribute, an unregistered one, one
 * with a huge printable value, one with a huge bracketed hex value, and one
 * whose value is a single blank.
 */
private void setUp() {
    Utils.createKeyStore(Utils.KeyStoreType.pkcs12, KEYSTORE_PATH, ALIAS);
    // printable sample covering the keyboard characters, repeated until it is "huge"
    final String allCharsString = "`1234567890-=qwertyuiop[]asdfghjkl;'\\zx" + "cvbnm,./!@#$%^&*()_+QWERTYUIOP{}ASDFGHJKL:|>ZXCVBNM<>?\"";
    StringBuilder printable = new StringBuilder();
    while (printable.length() < MAX_HUGE_SIZE) {
        printable.append(allCharsString);
    }
    final String hugePrintable = printable.toString();
    // hex-octet sample, repeated colon-separated until "huge", then wrapped in brackets
    final String binaryString = "00:11:22:33:44:55:66:77:88:99:AA:BB:DD:" + "EE:FF:";
    StringBuilder binary = new StringBuilder("[").append(binaryString);
    // the leading "[" does not count towards the size limit
    while (binary.length() - 1 < MAX_HUGE_SIZE) {
        binary.append(':').append(binaryString);
    }
    final String hugeBinary = binary.append("]").toString();
    ATTR_SET = new PKCS12Attribute[] {
        new PKCS12Attribute("1.2.840.113549.1.9.1", "Test email addres attr <test@oracle.com>"),
        new PKCS12Attribute("1.2.110.1", "not registered attr"),
        new PKCS12Attribute("1.2.110.2", hugePrintable),
        new PKCS12Attribute("1.2.110.3", hugeBinary),
        new PKCS12Attribute("1.2.110.2", " ")
    };
}

Example 5 with PKCS12Attribute

use of java.security.PKCS12Attribute in project Bytecoder by mirkosertic.

the class PKCS12KeyStore method loadSafeContents.

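/**
 * Parses the SafeBags of one SafeContents and files each recognised bag in
 * the in-memory tables: key bags go to {@code entries} (and private keys also
 * to {@code keyList}), certificate bags to {@code entries} when they carry a
 * trustedKeyUsage attribute and otherwise to {@code certEntries}, and every
 * certificate to {@code certsMap} keyed by subject (first one wins).
 * Unrecognised bag types are logged when {@code debug} is set and skipped.
 * <p>
 * Bag attributes friendlyName, localKeyId and trustedKeyUsage are mapped onto
 * the entry; every other attribute is kept as an opaque {@link PKCS12Attribute}.
 * <p>
 * The stream is untrusted input. {@code getSequence}/{@code getSet} return
 * however many elements are actually present, so every element that is
 * indexed below is length-checked first and a truncated bag is reported as an
 * {@link IOException} rather than an {@link ArrayIndexOutOfBoundsException}.
 *
 * @param stream   DER stream positioned at the SafeContents SEQUENCE
 * @param password store password; not read by this method
 * @throws IOException              on malformed or unsupported DER content
 * @throws NoSuchAlgorithmException declared for callers; nothing in this body
 *                                  raises it directly
 * @throws CertificateException     if a CertBag does not hold a parseable
 *                                  X.509 certificate
 */
private void loadSafeContents(DerInputStream stream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException {
    DerValue[] safeBags = stream.getSequence(2);
    int count = safeBags.length;
    // Spin over the SafeBags.
    for (int i = 0; i < count; i++) {
        ObjectIdentifier bagId;
        DerInputStream sbi;
        DerValue bagValue;
        Object bagItem = null;
        sbi = safeBags[i].toDerInputStream();
        bagId = sbi.getOID();
        bagValue = sbi.getDerValue();
        // the bagValue must be the [0] EXPLICIT wrapper; unwrap it
        if (!bagValue.isContextSpecific((byte) 0)) {
            throw new IOException("unsupported PKCS12 bag value type " + bagValue.tag);
        }
        bagValue = bagValue.data.getDerValue();
        if (bagId.equals(PKCS8ShroudedKeyBag_OID)) {
            // keep the shrouded (still encrypted) key bytes; nothing is decrypted here
            PrivateKeyEntry kEntry = new PrivateKeyEntry();
            kEntry.protectedPrivKey = bagValue.toByteArray();
            bagItem = kEntry;
            privateKeyCount++;
        } else if (bagId.equals(CertBag_OID)) {
            DerInputStream cs = new DerInputStream(bagValue.toByteArray());
            DerValue[] certValues = cs.getSequence(2);
            // CertBag is { certId, certValue [0] }: check the count before indexing
            if (certValues.length != 2) {
                throw new IOException("Invalid length for CertBag");
            }
            // certId is read to validate that the element is an OID; its value is not used further
            ObjectIdentifier certId = certValues[0].getOID();
            if (!certValues[1].isContextSpecific((byte) 0)) {
                throw new IOException("unsupported PKCS12 cert value type " + certValues[1].tag);
            }
            DerValue certValue = certValues[1].data.getDerValue();
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            X509Certificate cert;
            cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certValue.getOctetString()));
            bagItem = cert;
            certificateCount++;
        } else if (bagId.equals(SecretBag_OID)) {
            DerInputStream ss = new DerInputStream(bagValue.toByteArray());
            DerValue[] secretValues = ss.getSequence(2);
            // SecretBag is { secretTypeId, secretValue [0] }: check the count before indexing
            if (secretValues.length != 2) {
                throw new IOException("Invalid length for SecretBag");
            }
            // secretId is read to validate that the element is an OID; its value is not used further
            ObjectIdentifier secretId = secretValues[0].getOID();
            if (!secretValues[1].isContextSpecific((byte) 0)) {
                throw new IOException("unsupported PKCS12 secret value type " + secretValues[1].tag);
            }
            DerValue secretValue = secretValues[1].data.getDerValue();
            SecretKeyEntry kEntry = new SecretKeyEntry();
            kEntry.protectedSecretKey = secretValue.getOctetString();
            bagItem = kEntry;
            secretKeyCount++;
        } else {
            if (debug != null) {
                debug.println("Unsupported PKCS12 bag type: " + bagId);
            }
        }
        DerValue[] attrSet;
        try {
            attrSet = sbi.getSet(3);
        } catch (IOException e) {
            // entry does not have attributes
            // Note: CA certs can have no attributes
            // OpenSSL generates pkcs12 with no attr for CA certs.
            attrSet = null;
        }
        String alias = null;
        byte[] keyId = null;
        ObjectIdentifier[] trustedKeyUsage = null;
        Set<PKCS12Attribute> attributes = new HashSet<>();
        if (attrSet != null) {
            for (int j = 0; j < attrSet.length; j++) {
                byte[] encoded = attrSet[j].toByteArray();
                DerInputStream as = new DerInputStream(encoded);
                DerValue[] attrSeq = as.getSequence(2);
                // Attribute is { attrId, attrValues SET }: check the count before indexing
                if (attrSeq.length != 2) {
                    throw new IOException("Invalid length for Attribute");
                }
                ObjectIdentifier attrId = attrSeq[0].getOID();
                DerInputStream vs = new DerInputStream(attrSeq[1].toByteArray());
                DerValue[] valSet;
                try {
                    valSet = vs.getSet(1);
                } catch (IOException e) {
                    throw new IOException("Attribute " + attrId + " should have a value " + e.getMessage(), e);
                }
                // an empty SET parses cleanly but leaves nothing at valSet[0]
                if (valSet.length == 0) {
                    throw new IOException("Attribute " + attrId + " should have a value");
                }
                if (attrId.equals(PKCS9FriendlyName_OID)) {
                    alias = valSet[0].getBMPString();
                } else if (attrId.equals(PKCS9LocalKeyId_OID)) {
                    keyId = valSet[0].getOctetString();
                } else if (attrId.equals(TrustedKeyUsage_OID)) {
                    trustedKeyUsage = new ObjectIdentifier[valSet.length];
                    for (int k = 0; k < valSet.length; k++) {
                        trustedKeyUsage[k] = valSet[k].getOID();
                    }
                } else {
                    // unknown attribute: keep the DER encoding verbatim
                    attributes.add(new PKCS12Attribute(encoded));
                }
            }
        }
        /*
         * As per PKCS12 v1.0 friendlyname (alias) and localKeyId (keyId)
         * are optional PKCS12 bagAttributes. But entries in the keyStore
         * are identified by their alias. Hence we need to have an
         * Unfriendlyname in the alias, if alias is null. The keyId
         * attribute is required to match the private key with the
         * certificate. If we get a bagItem of type KeyEntry with a
         * null keyId, we should skip it entirely.
         */
        if (bagItem instanceof KeyEntry) {
            KeyEntry entry = (KeyEntry) bagItem;
            if (keyId == null) {
                if (bagItem instanceof PrivateKeyEntry) {
                    // associated cert-chain: with exactly one private key a
                    // missing localKeyID is tolerated and synthesised as "01"
                    if (privateKeyCount == 1) {
                        keyId = "01".getBytes("UTF8");
                    } else {
                        continue;
                    }
                } else {
                    // a secret key has no certificate to match, so its keyId is
                    // not significant; use a placeholder instead of letting the
                    // String conversion below fail on null
                    keyId = "00".getBytes("UTF8");
                }
            }
            entry.keyId = keyId;
            // restore date if it exists (keyId of the form "Time <millis>")
            String keyIdStr = new String(keyId, "UTF8");
            Date date = null;
            if (keyIdStr.startsWith("Time ")) {
                try {
                    date = new Date(Long.parseLong(keyIdStr.substring(5)));
                } catch (NumberFormatException e) {
                    // not a timestamp after all; fall back to "now" below
                    date = null;
                }
            }
            if (date == null) {
                date = new Date();
            }
            entry.date = date;
            if (bagItem instanceof PrivateKeyEntry) {
                keyList.add((PrivateKeyEntry) entry);
            }
            if (entry.attributes == null) {
                entry.attributes = new HashSet<>();
            }
            entry.attributes.addAll(attributes);
            if (alias == null) {
                alias = getUnfriendlyName();
            }
            entry.alias = alias;
            entries.put(alias.toLowerCase(Locale.ENGLISH), entry);
        } else if (bagItem instanceof X509Certificate) {
            X509Certificate cert = (X509Certificate) bagItem;
            // associated cert-chain
            if ((keyId == null) && (privateKeyCount == 1)) {
                // insert localKeyID only for EE cert or self-signed cert
                if (i == 0) {
                    keyId = "01".getBytes("UTF8");
                }
            }
            // Trusted certificate
            if (trustedKeyUsage != null) {
                if (alias == null) {
                    alias = getUnfriendlyName();
                }
                CertEntry certEntry = new CertEntry(cert, keyId, alias, trustedKeyUsage, attributes);
                entries.put(alias.toLowerCase(Locale.ENGLISH), certEntry);
            } else {
                certEntries.add(new CertEntry(cert, keyId, alias));
            }
            X500Principal subjectDN = cert.getSubjectX500Principal();
            if (subjectDN != null) {
                // first certificate seen for a subject wins
                if (!certsMap.containsKey(subjectDN)) {
                    certsMap.put(subjectDN, cert);
                }
            }
        }
    }
}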
