Search in sources :

Example 11 with X509EncodedKeySpec

use of java.security.spec.X509EncodedKeySpec in project android_frameworks_base by DirtyUnicorns.

the class PackageParser method parsePublicKey.

public static final PublicKey parsePublicKey(final String encodedPublicKey) {
    if (encodedPublicKey == null) {
        Slog.w(TAG, "Could not parse null public key");
        return null;
    }
    EncodedKeySpec keySpec;
    try {
        final byte[] encoded = Base64.decode(encodedPublicKey, Base64.DEFAULT);
        keySpec = new X509EncodedKeySpec(encoded);
    } catch (IllegalArgumentException e) {
        Slog.w(TAG, "Could not parse verifier public key; invalid Base64");
        return null;
    }
    /* First try the key as an RSA key. */
    try {
        final KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        return keyFactory.generatePublic(keySpec);
    } catch (NoSuchAlgorithmException e) {
        Slog.wtf(TAG, "Could not parse public key: RSA KeyFactory not included in build");
    } catch (InvalidKeySpecException e) {
    // Not a RSA public key.
    }
    /* Now try it as a ECDSA key. */
    try {
        final KeyFactory keyFactory = KeyFactory.getInstance("EC");
        return keyFactory.generatePublic(keySpec);
    } catch (NoSuchAlgorithmException e) {
        Slog.wtf(TAG, "Could not parse public key: EC KeyFactory not included in build");
    } catch (InvalidKeySpecException e) {
    // Not a ECDSA public key.
    }
    /* Now try it as a DSA key. */
    try {
        final KeyFactory keyFactory = KeyFactory.getInstance("DSA");
        return keyFactory.generatePublic(keySpec);
    } catch (NoSuchAlgorithmException e) {
        Slog.wtf(TAG, "Could not parse public key: DSA KeyFactory not included in build");
    } catch (InvalidKeySpecException e) {
    // Not a DSA public key.
    }
    /* Not a supported key type */
    return null;
}
Also used : X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) KeyFactory(java.security.KeyFactory) EncodedKeySpec(java.security.spec.EncodedKeySpec) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec)

Example 12 with X509EncodedKeySpec

use of java.security.spec.X509EncodedKeySpec in project OneSignal-Android-SDK by OneSignal.

the class Security method generatePublicKey.

/**
     * Generates a PublicKey instance from a string containing the
     * Base64-encoded public key.
     *
     * @param encodedPublicKey Base64-encoded public key
     * @throws IllegalArgumentException if encodedPublicKey is invalid
     */
public static PublicKey generatePublicKey(String encodedPublicKey) {
    try {
        byte[] decodedKey = Base64.decode(encodedPublicKey);
        KeyFactory keyFactory = KeyFactory.getInstance(KEY_FACTORY_ALGORITHM);
        return keyFactory.generatePublic(new X509EncodedKeySpec(decodedKey));
    } catch (NoSuchAlgorithmException e) {
        throw new RuntimeException(e);
    } catch (InvalidKeySpecException e) {
        Log.e(TAG, "Invalid key specification.");
        throw new IllegalArgumentException(e);
    } catch (Base64DecoderException e) {
        Log.e(TAG, "Base64 decoding failed.");
        throw new IllegalArgumentException(e);
    }
}
Also used : X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) KeyFactory(java.security.KeyFactory)

Example 13 with X509EncodedKeySpec

use of java.security.spec.X509EncodedKeySpec in project GNS by MobilityFirst.

the class NSAccessSupport method verifySignatureInternalSecretKey.

private static synchronized boolean verifySignatureInternalSecretKey(byte[] publickeyBytes, String signature, String message) throws InvalidKeyException, SignatureException, UnsupportedEncodingException, InvalidKeySpecException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException {
    PublicKey publicKey = keyFactory.generatePublic(new X509EncodedKeySpec(publickeyBytes));
    // FIXME: The reason why we use CHARSET should be more throughly documented here.
    byte[] sigBytes = signature.getBytes(GNSProtocol.CHARSET.toString());
    byte[] bytes = message.getBytes(GNSProtocol.CHARSET.toString());
    // Pull the parts out of the signature
    // See CommandUtils.signDigestOfMessage for the other side of this.
    ByteBuffer bbuf = ByteBuffer.wrap(sigBytes);
    byte[] sign = new byte[bbuf.getShort()];
    bbuf.get(sign);
    byte[] skCertEncoded = new byte[bbuf.getShort()];
    bbuf.get(skCertEncoded);
    SecretKey secretKey = SessionKeys.getSecretKeyFromCertificate(skCertEncoded, publicKey);
    MessageDigest md = getMessageDigestInstance();
    byte[] digest;
    synchronized (md) {
        digest = md.digest(bytes);
    }
    Cipher cipher = getCipherInstance();
    synchronized (cipher) {
        cipher.init(Cipher.ENCRYPT_MODE, secretKey);
        return Arrays.equals(sign, cipher.doFinal(digest));
    }
}
Also used : SecretKey(javax.crypto.SecretKey) PublicKey(java.security.PublicKey) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) Cipher(javax.crypto.Cipher) MessageDigest(java.security.MessageDigest) ByteBuffer(java.nio.ByteBuffer)

Example 14 with X509EncodedKeySpec

use of java.security.spec.X509EncodedKeySpec in project GNS by MobilityFirst.

the class NSAccessSupport method verifySignatureInternal.

private static synchronized boolean verifySignatureInternal(byte[] publickeyBytes, String signature, String message) throws InvalidKeyException, SignatureException, UnsupportedEncodingException, InvalidKeySpecException {
    if (Config.getGlobalBoolean(GNSC.ENABLE_SECRET_KEY)) {
        try {
            return verifySignatureInternalSecretKey(publickeyBytes, signature, message);
        } catch (Exception e) {
            // This provided backward support for clients that don't have ENABLE_SECRET_KEY on by
            // falling through to non-secret method.
            // At the cost of potentially masking other issues that might cause exceptions
            // in the above code.
            ClientSupportConfig.getLogger().log(Level.FINE, "Falling through to non-secret key verification: {0}", new Object[] { e });
        }
    }
    // Non-secret method kept for backwards compatbility with older clients.
    X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(publickeyBytes);
    PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
    Signature sigInstance = getSignatureInstance();
    synchronized (sigInstance) {
        sigInstance.initVerify(publicKey);
        // iOS client uses UTF-8 - should switch to ISO-8859-1 to be consistent with
        // secret key version
        sigInstance.update(message.getBytes("UTF-8"));
        // we need to keep this for now.
        try {
            return sigInstance.verify(DatatypeConverter.parseHexBinary(signature));
        // This will get thrown if the signature is not a hex string.
        } catch (IllegalArgumentException e) {
            return false;
        }
    //return sigInstance.verify(ByteUtils.hexStringToByteArray(signature));
    }
}
Also used : PublicKey(java.security.PublicKey) Signature(java.security.Signature) JSONObject(org.json.JSONObject) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) RecordNotFoundException(edu.umass.cs.gnscommon.exceptions.server.RecordNotFoundException) JSONException(org.json.JSONException) NoSuchPaddingException(javax.crypto.NoSuchPaddingException) IllegalBlockSizeException(javax.crypto.IllegalBlockSizeException) SignatureException(java.security.SignatureException) FieldNotFoundException(edu.umass.cs.gnscommon.exceptions.server.FieldNotFoundException) BadPaddingException(javax.crypto.BadPaddingException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) FailedDBOperationException(edu.umass.cs.gnscommon.exceptions.server.FailedDBOperationException) InvalidKeyException(java.security.InvalidKeyException) UnsupportedEncodingException(java.io.UnsupportedEncodingException)

Example 15 with X509EncodedKeySpec

use of java.security.spec.X509EncodedKeySpec in project android_frameworks_base by DirtyUnicorns.

the class ApkSignatureSchemeV2Verifier method verifySigner.

private static X509Certificate[] verifySigner(ByteBuffer signerBlock, Map<Integer, byte[]> contentDigests, CertificateFactory certFactory) throws SecurityException, IOException {
    ByteBuffer signedData = getLengthPrefixedSlice(signerBlock);
    ByteBuffer signatures = getLengthPrefixedSlice(signerBlock);
    byte[] publicKeyBytes = readLengthPrefixedByteArray(signerBlock);
    int signatureCount = 0;
    int bestSigAlgorithm = -1;
    byte[] bestSigAlgorithmSignatureBytes = null;
    List<Integer> signaturesSigAlgorithms = new ArrayList<>();
    while (signatures.hasRemaining()) {
        signatureCount++;
        try {
            ByteBuffer signature = getLengthPrefixedSlice(signatures);
            if (signature.remaining() < 8) {
                throw new SecurityException("Signature record too short");
            }
            int sigAlgorithm = signature.getInt();
            signaturesSigAlgorithms.add(sigAlgorithm);
            if (!isSupportedSignatureAlgorithm(sigAlgorithm)) {
                continue;
            }
            if ((bestSigAlgorithm == -1) || (compareSignatureAlgorithm(sigAlgorithm, bestSigAlgorithm) > 0)) {
                bestSigAlgorithm = sigAlgorithm;
                bestSigAlgorithmSignatureBytes = readLengthPrefixedByteArray(signature);
            }
        } catch (IOException | BufferUnderflowException e) {
            throw new SecurityException("Failed to parse signature record #" + signatureCount, e);
        }
    }
    if (bestSigAlgorithm == -1) {
        if (signatureCount == 0) {
            throw new SecurityException("No signatures found");
        } else {
            throw new SecurityException("No supported signatures found");
        }
    }
    String keyAlgorithm = getSignatureAlgorithmJcaKeyAlgorithm(bestSigAlgorithm);
    Pair<String, ? extends AlgorithmParameterSpec> signatureAlgorithmParams = getSignatureAlgorithmJcaSignatureAlgorithm(bestSigAlgorithm);
    String jcaSignatureAlgorithm = signatureAlgorithmParams.first;
    AlgorithmParameterSpec jcaSignatureAlgorithmParams = signatureAlgorithmParams.second;
    boolean sigVerified;
    try {
        PublicKey publicKey = KeyFactory.getInstance(keyAlgorithm).generatePublic(new X509EncodedKeySpec(publicKeyBytes));
        Signature sig = Signature.getInstance(jcaSignatureAlgorithm);
        sig.initVerify(publicKey);
        if (jcaSignatureAlgorithmParams != null) {
            sig.setParameter(jcaSignatureAlgorithmParams);
        }
        sig.update(signedData);
        sigVerified = sig.verify(bestSigAlgorithmSignatureBytes);
    } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidKeyException | InvalidAlgorithmParameterException | SignatureException e) {
        throw new SecurityException("Failed to verify " + jcaSignatureAlgorithm + " signature", e);
    }
    if (!sigVerified) {
        throw new SecurityException(jcaSignatureAlgorithm + " signature did not verify");
    }
    // Signature over signedData has verified.
    byte[] contentDigest = null;
    signedData.clear();
    ByteBuffer digests = getLengthPrefixedSlice(signedData);
    List<Integer> digestsSigAlgorithms = new ArrayList<>();
    int digestCount = 0;
    while (digests.hasRemaining()) {
        digestCount++;
        try {
            ByteBuffer digest = getLengthPrefixedSlice(digests);
            if (digest.remaining() < 8) {
                throw new IOException("Record too short");
            }
            int sigAlgorithm = digest.getInt();
            digestsSigAlgorithms.add(sigAlgorithm);
            if (sigAlgorithm == bestSigAlgorithm) {
                contentDigest = readLengthPrefixedByteArray(digest);
            }
        } catch (IOException | BufferUnderflowException e) {
            throw new IOException("Failed to parse digest record #" + digestCount, e);
        }
    }
    if (!signaturesSigAlgorithms.equals(digestsSigAlgorithms)) {
        throw new SecurityException("Signature algorithms don't match between digests and signatures records");
    }
    int digestAlgorithm = getSignatureAlgorithmContentDigestAlgorithm(bestSigAlgorithm);
    byte[] previousSignerDigest = contentDigests.put(digestAlgorithm, contentDigest);
    if ((previousSignerDigest != null) && (!MessageDigest.isEqual(previousSignerDigest, contentDigest))) {
        throw new SecurityException(getContentDigestAlgorithmJcaDigestAlgorithm(digestAlgorithm) + " contents digest does not match the digest specified by a preceding signer");
    }
    ByteBuffer certificates = getLengthPrefixedSlice(signedData);
    List<X509Certificate> certs = new ArrayList<>();
    int certificateCount = 0;
    while (certificates.hasRemaining()) {
        certificateCount++;
        byte[] encodedCert = readLengthPrefixedByteArray(certificates);
        X509Certificate certificate;
        try {
            certificate = (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(encodedCert));
        } catch (CertificateException e) {
            throw new SecurityException("Failed to decode certificate #" + certificateCount, e);
        }
        certificate = new VerbatimX509Certificate(certificate, encodedCert);
        certs.add(certificate);
    }
    if (certs.isEmpty()) {
        throw new SecurityException("No certificates listed");
    }
    X509Certificate mainCertificate = certs.get(0);
    byte[] certificatePublicKeyBytes = mainCertificate.getPublicKey().getEncoded();
    if (!Arrays.equals(publicKeyBytes, certificatePublicKeyBytes)) {
        throw new SecurityException("Public key mismatch between certificate and signature record");
    }
    return certs.toArray(new X509Certificate[certs.size()]);
}
Also used : ArrayList(java.util.ArrayList) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SignatureException(java.security.SignatureException) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) BufferUnderflowException(java.nio.BufferUnderflowException) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) PublicKey(java.security.PublicKey) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) IOException(java.io.IOException) InvalidKeyException(java.security.InvalidKeyException) DirectByteBuffer(java.nio.DirectByteBuffer) ByteBuffer(java.nio.ByteBuffer) X509Certificate(java.security.cert.X509Certificate) BigInteger(java.math.BigInteger) ByteArrayInputStream(java.io.ByteArrayInputStream) Signature(java.security.Signature) AlgorithmParameterSpec(java.security.spec.AlgorithmParameterSpec)

Aggregations

X509EncodedKeySpec (java.security.spec.X509EncodedKeySpec)343 KeyFactory (java.security.KeyFactory)228 InvalidKeySpecException (java.security.spec.InvalidKeySpecException)154 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)142 PublicKey (java.security.PublicKey)129 PKCS8EncodedKeySpec (java.security.spec.PKCS8EncodedKeySpec)82 PrivateKey (java.security.PrivateKey)50 RSAPublicKey (java.security.interfaces.RSAPublicKey)48 IOException (java.io.IOException)39 InvalidKeyException (java.security.InvalidKeyException)37 KeyPair (java.security.KeyPair)30 Cipher (javax.crypto.Cipher)26 Signature (java.security.Signature)25 EncodedKeySpec (java.security.spec.EncodedKeySpec)21 NoSuchProviderException (java.security.NoSuchProviderException)14 ECPublicKey (java.security.interfaces.ECPublicKey)14 ByteArrayInputStream (java.io.ByteArrayInputStream)13 SecretKey (javax.crypto.SecretKey)13 BigInteger (java.math.BigInteger)12 Key (java.security.Key)12