Examples with PublicKey java.security.PublicKey used on opensource projects

Example 6 with PublicKey

use of java.security.PublicKey in project Openfire by igniterealtime.

the class CertificateManager method buildChain.

/**
     * Builds the certificate chain of the specified certificate based on the known list of certificates
     * that were issued by their respective Principals. Returns true if the entire chain of all certificates
     * was successfully built.
     *
     * @param certificate certificate to build its chain.
     * @param answer      the certificate chain for the corresponding certificate.
     * @param knownCerts  list of known certificates grouped by their issues (i.e. Principals).
     * @return true if the entire chain of all certificates was successfully built.
     */
private static boolean buildChain(X509Certificate certificate, LinkedList<X509Certificate> answer, Map<String, List<X509Certificate>> knownCerts) {
    Principal subject = certificate.getSubjectDN();
    Principal issuer = certificate.getIssuerDN();
    // is present in the subject)
    if (subject.equals(issuer)) {
        answer.addFirst(certificate);
        return true;
    }
    // Get the list of known certificates of the certificate's issuer
    List<X509Certificate> issuerCerts = knownCerts.get(issuer.getName());
    if (issuerCerts == null || issuerCerts.isEmpty()) {
        // No certificates were found so building of chain failed
        return false;
    }
    for (X509Certificate issuerCert : issuerCerts) {
        PublicKey publickey = issuerCert.getPublicKey();
        try {
            // Verify the certificate with the specified public key
            certificate.verify(publickey);
            // Certificate was verified successfully so build chain of issuer's certificate
            if (!buildChain(issuerCert, answer, knownCerts)) {
                return false;
            }
        } catch (Exception exception) {
            // Failed to verify certificate
            return false;
        }
    }
    answer.addFirst(certificate);
    return true;
}

Example 7 with PublicKey

use of java.security.PublicKey in project android_frameworks_base by ParanoidAndroid.

the class PackageParser method parseVerifier.

private static VerifierInfo parseVerifier(Resources res, XmlPullParser parser, AttributeSet attrs, int flags, String[] outError) throws XmlPullParserException, IOException {
    final TypedArray sa = res.obtainAttributes(attrs, com.android.internal.R.styleable.AndroidManifestPackageVerifier);
    final String packageName = sa.getNonResourceString(com.android.internal.R.styleable.AndroidManifestPackageVerifier_name);
    final String encodedPublicKey = sa.getNonResourceString(com.android.internal.R.styleable.AndroidManifestPackageVerifier_publicKey);
    sa.recycle();
    if (packageName == null || packageName.length() == 0) {
        Slog.i(TAG, "verifier package name was null; skipping");
        return null;
    } else if (encodedPublicKey == null) {
        Slog.i(TAG, "verifier " + packageName + " public key was null; skipping");
    }
    EncodedKeySpec keySpec;
    try {
        final byte[] encoded = Base64.decode(encodedPublicKey, Base64.DEFAULT);
        keySpec = new X509EncodedKeySpec(encoded);
    } catch (IllegalArgumentException e) {
        Slog.i(TAG, "Could not parse verifier " + packageName + " public key; invalid Base64");
        return null;
    }
    /* First try the key as an RSA key. */
    try {
        final KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        final PublicKey publicKey = keyFactory.generatePublic(keySpec);
        return new VerifierInfo(packageName, publicKey);
    } catch (NoSuchAlgorithmException e) {
        Log.wtf(TAG, "Could not parse public key because RSA isn't included in build");
        return null;
    } catch (InvalidKeySpecException e) {
    // Not a RSA public key.
    }
    /* Now try it as a DSA key. */
    try {
        final KeyFactory keyFactory = KeyFactory.getInstance("DSA");
        final PublicKey publicKey = keyFactory.generatePublic(keySpec);
        return new VerifierInfo(packageName, publicKey);
    } catch (NoSuchAlgorithmException e) {
        Log.wtf(TAG, "Could not parse public key because DSA isn't included in build");
        return null;
    } catch (InvalidKeySpecException e) {
    // Not a DSA public key.
    }
    return null;
}

Example 8 with PublicKey

use of java.security.PublicKey in project android_frameworks_base by ParanoidAndroid.

the class RecoverySystem method verifyPackage.

/**
     * Verify the cryptographic signature of a system update package
     * before installing it.  Note that the package is also verified
     * separately by the installer once the device is rebooted into
     * the recovery system.  This function will return only if the
     * package was successfully verified; otherwise it will throw an
     * exception.
     *
     * Verification of a package can take significant time, so this
     * function should not be called from a UI thread.  Interrupting
     * the thread while this function is in progress will result in a
     * SecurityException being thrown (and the thread's interrupt flag
     * will be cleared).
     *
     * @param packageFile  the package to be verified
     * @param listener     an object to receive periodic progress
     * updates as verification proceeds.  May be null.
     * @param deviceCertsZipFile  the zip file of certificates whose
     * public keys we will accept.  Verification succeeds if the
     * package is signed by the private key corresponding to any
     * public key in this file.  May be null to use the system default
     * file (currently "/system/etc/security/otacerts.zip").
     *
     * @throws IOException if there were any errors reading the
     * package or certs files.
     * @throws GeneralSecurityException if verification failed
     */
public static void verifyPackage(File packageFile, ProgressListener listener, File deviceCertsZipFile) throws IOException, GeneralSecurityException {
    long fileLen = packageFile.length();
    RandomAccessFile raf = new RandomAccessFile(packageFile, "r");
    try {
        int lastPercent = 0;
        long lastPublishTime = System.currentTimeMillis();
        if (listener != null) {
            listener.onProgress(lastPercent);
        }
        raf.seek(fileLen - 6);
        byte[] footer = new byte[6];
        raf.readFully(footer);
        if (footer[2] != (byte) 0xff || footer[3] != (byte) 0xff) {
            throw new SignatureException("no signature in file (no footer)");
        }
        int commentSize = (footer[4] & 0xff) | ((footer[5] & 0xff) << 8);
        int signatureStart = (footer[0] & 0xff) | ((footer[1] & 0xff) << 8);
        byte[] eocd = new byte[commentSize + 22];
        raf.seek(fileLen - (commentSize + 22));
        raf.readFully(eocd);
        // end-of-central-directory record.
        if (eocd[0] != (byte) 0x50 || eocd[1] != (byte) 0x4b || eocd[2] != (byte) 0x05 || eocd[3] != (byte) 0x06) {
            throw new SignatureException("no signature in file (bad footer)");
        }
        for (int i = 4; i < eocd.length - 3; ++i) {
            if (eocd[i] == (byte) 0x50 && eocd[i + 1] == (byte) 0x4b && eocd[i + 2] == (byte) 0x05 && eocd[i + 3] == (byte) 0x06) {
                throw new SignatureException("EOCD marker found after start of EOCD");
            }
        }
        // The following code is largely copied from
        // JarUtils.verifySignature().  We could just *call* that
        // method here if that function didn't read the entire
        // input (ie, the whole OTA package) into memory just to
        // compute its message digest.
        BerInputStream bis = new BerInputStream(new ByteArrayInputStream(eocd, commentSize + 22 - signatureStart, signatureStart));
        ContentInfo info = (ContentInfo) ContentInfo.ASN1.decode(bis);
        SignedData signedData = info.getSignedData();
        if (signedData == null) {
            throw new IOException("signedData is null");
        }
        Collection encCerts = signedData.getCertificates();
        if (encCerts.isEmpty()) {
            throw new IOException("encCerts is empty");
        }
        // Take the first certificate from the signature (packages
        // should contain only one).
        Iterator it = encCerts.iterator();
        X509Certificate cert = null;
        if (it.hasNext()) {
            cert = new X509CertImpl((org.apache.harmony.security.x509.Certificate) it.next());
        } else {
            throw new SignatureException("signature contains no certificates");
        }
        List sigInfos = signedData.getSignerInfos();
        SignerInfo sigInfo;
        if (!sigInfos.isEmpty()) {
            sigInfo = (SignerInfo) sigInfos.get(0);
        } else {
            throw new IOException("no signer infos!");
        }
        // Check that the public key of the certificate contained
        // in the package equals one of our trusted public keys.
        HashSet<Certificate> trusted = getTrustedCerts(deviceCertsZipFile == null ? DEFAULT_KEYSTORE : deviceCertsZipFile);
        PublicKey signatureKey = cert.getPublicKey();
        boolean verified = false;
        for (Certificate c : trusted) {
            if (c.getPublicKey().equals(signatureKey)) {
                verified = true;
                break;
            }
        }
        if (!verified) {
            throw new SignatureException("signature doesn't match any trusted key");
        }
        // The signature cert matches a trusted key.  Now verify that
        // the digest in the cert matches the actual file data.
        // The verifier in recovery *only* handles SHA1withRSA
        // signatures.  SignApk.java always uses SHA1withRSA, no
        // matter what the cert says to use.  Ignore
        // cert.getSigAlgName(), and instead use whatever
        // algorithm is used by the signature (which should be
        // SHA1withRSA).
        String da = sigInfo.getDigestAlgorithm();
        String dea = sigInfo.getDigestEncryptionAlgorithm();
        String alg = null;
        if (da == null || dea == null) {
            // fall back to the cert algorithm if the sig one
            // doesn't look right.
            alg = cert.getSigAlgName();
        } else {
            alg = da + "with" + dea;
        }
        Signature sig = Signature.getInstance(alg);
        sig.initVerify(cert);
        // The signature covers all of the OTA package except the
        // archive comment and its 2-byte length.
        long toRead = fileLen - commentSize - 2;
        long soFar = 0;
        raf.seek(0);
        byte[] buffer = new byte[4096];
        boolean interrupted = false;
        while (soFar < toRead) {
            interrupted = Thread.interrupted();
            if (interrupted)
                break;
            int size = buffer.length;
            if (soFar + size > toRead) {
                size = (int) (toRead - soFar);
            }
            int read = raf.read(buffer, 0, size);
            sig.update(buffer, 0, read);
            soFar += read;
            if (listener != null) {
                long now = System.currentTimeMillis();
                int p = (int) (soFar * 100 / toRead);
                if (p > lastPercent && now - lastPublishTime > PUBLISH_PROGRESS_INTERVAL_MS) {
                    lastPercent = p;
                    lastPublishTime = now;
                    listener.onProgress(lastPercent);
                }
            }
        }
        if (listener != null) {
            listener.onProgress(100);
        }
        if (interrupted) {
            throw new SignatureException("verification was interrupted");
        }
        if (!sig.verify(sigInfo.getEncryptedDigest())) {
            throw new SignatureException("signature digest verification failed");
        }
    } finally {
        raf.close();
    }
}

Example 9 with PublicKey

use of java.security.PublicKey in project android_frameworks_base by ParanoidAndroid.

the class AndroidKeyStoreTest method testKeyStore_KeyOperations_Wrap_Encrypted_Success.

public void testKeyStore_KeyOperations_Wrap_Encrypted_Success() throws Exception {
    setupPassword();
    mKeyStore.load(null, null);
    setupKey();
    // Test key usage
    Entry e = mKeyStore.getEntry(TEST_ALIAS_1, null);
    assertNotNull(e);
    assertTrue(e instanceof PrivateKeyEntry);
    PrivateKeyEntry privEntry = (PrivateKeyEntry) e;
    PrivateKey privKey = privEntry.getPrivateKey();
    assertNotNull(privKey);
    PublicKey pubKey = privEntry.getCertificate().getPublicKey();
    Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    c.init(Cipher.WRAP_MODE, pubKey);
    byte[] expectedKey = new byte[] { 0x00, 0x05, (byte) 0xAA, (byte) 0x0A5, (byte) 0xFF, 0x55, 0x0A };
    SecretKey expectedSecret = new SecretKeySpec(expectedKey, "AES");
    byte[] wrappedExpected = c.wrap(expectedSecret);
    c.init(Cipher.UNWRAP_MODE, privKey);
    SecretKey actualSecret = (SecretKey) c.unwrap(wrappedExpected, "AES", Cipher.SECRET_KEY);
    assertEquals(Arrays.toString(expectedSecret.getEncoded()), Arrays.toString(actualSecret.getEncoded()));
}

Example 10 with PublicKey

use of java.security.PublicKey in project OpenAM by OpenRock.

the class KeyUtil method getEncInfo.

/**
     * Returns the encryption information which will be used in
     * encrypting messages intended for the partner entity.
     * @param roled <code>RoleDescriptor</code> for the partner entity
     * @param entityID partner entity's ID
     * @param role entity's role
     * @return <code>EncInfo</code> which includes partner entity's
     * public key for wrapping the secret key, data encryption algorithm,
     * and data encryption strength 
     */
public static EncInfo getEncInfo(RoleDescriptorType roled, String entityID, String role) {
    String classMethod = "KeyUtil.getEncInfo: ";
    if (SAML2SDKUtils.debug.messageEnabled()) {
        SAML2SDKUtils.debug.message(classMethod + "Entering... \nEntityID=" + entityID + "\nRole=" + role);
    }
    // first try to get it from cache
    String index = entityID.trim() + "|" + role;
    EncInfo encInfo = (EncInfo) encHash.get(index);
    if (encInfo != null) {
        return encInfo;
    }
    // else get it from meta
    if (roled == null) {
        SAML2SDKUtils.debug.error(classMethod + "Null RoleDescriptorType input for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    KeyDescriptorType kd = getKeyDescriptor(roled, SAML2Constants.ENCRYPTION);
    if (kd == null) {
        SAML2SDKUtils.debug.error(classMethod + "No encryption KeyDescriptor for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    java.security.cert.X509Certificate cert = getCert(kd);
    if (cert == null) {
        SAML2SDKUtils.debug.error(classMethod + "No encryption cert for entityID=" + entityID + " in " + role + " role.");
        return null;
    }
    List emList = kd.getEncryptionMethod();
    EncryptionMethodType em = null;
    String algorithm = null;
    int keySize = 0;
    if (emList != null && !emList.isEmpty()) {
        em = (EncryptionMethodType) emList.get(0);
        if (em != null) {
            algorithm = em.getAlgorithm();
            List cList = em.getContent();
            if (cList != null) {
                Iterator cIter = cList.iterator();
                while (cIter.hasNext()) {
                    Object cObject = cIter.next();
                    if (cObject instanceof EncryptionMethodType.KeySize) {
                        keySize = ((EncryptionMethodType.KeySize) (cList.get(0))).getValue().intValue();
                        break;
                    }
                }
            }
        }
    }
    if (algorithm == null || algorithm.length() == 0) {
        algorithm = XMLCipher.AES_128;
        keySize = 128;
    }
    PublicKey pk = cert.getPublicKey();
    if (pk != null) {
        encInfo = new EncInfo(pk, algorithm, keySize);
    }
    if (encInfo != null) {
        encHash.put(index, encInfo);
    }
    return encInfo;
}