use of javax.security.auth.x500.X500Principal in project XobotOS by xamarin.
the class ClientHandshakeImpl method processServerHelloDone.
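/**
 * Processes ServerHelloDone: checks the server's messages, sends the client's
 * Certificate (when one was requested), ClientKeyExchange and
 * CertificateVerify messages, computes the master secret and sends
 * ChangeCipherSpec.
 *
 * <p>Changes from the earlier version of this method:
 * <ul>
 * <li>The fixed-DH parameter match compared the client's P with the server's
 *     G, so it could not succeed for real parameters. P is now compared
 *     with P.</li>
 * <li>When a client certificate was sent under a DHE suite and the fixed-DH
 *     match failed, {@code clientKeyExchange} stayed {@code null} and the
 *     CertificateVerify test below dereferenced it. The explicit public
 *     value is now sent in every case that is not an implicit match.</li>
 * <li>With the implicit (empty) ClientKeyExchange the shared secret is now
 *     derived from the certificate's private key, because the server can
 *     only use the public value found in that certificate.</li>
 * <li>CertificateVerify is skipped when the key manager supplied no private
 *     key, instead of failing on a {@code null} key.</li>
 * </ul>
 */
void processServerHelloDone() {
    PrivateKey clientKey = null;
    if (serverCert != null) {
        // A certificate together with an anonymous suite is a protocol violation.
        if (session.cipherSuite.isAnonymous()) {
            unexpectedMessage();
            return;
        }
        // NOTE(review): processing continues after this call returns; confirm that
        // verifyServerCert() aborts the handshake itself when validation fails.
        verifyServerCert();
    } else {
        // No certificate is only acceptable for an anonymous suite. Such a suite
        // leaves the server unauthenticated; whether it may be negotiated at all
        // is decided outside this method.
        if (!session.cipherSuite.isAnonymous()) {
            unexpectedMessage();
            return;
        }
    }
    // Client certificate
    if (certificateRequest != null) {
        X509Certificate[] certs = null;
        // obtain certificates from key manager
        String alias = null;
        String[] certTypes = certificateRequest.getTypesAsString();
        X500Principal[] issuers = certificateRequest.certificate_authorities;
        X509KeyManager km = parameters.getKeyManager();
        if (km instanceof X509ExtendedKeyManager) {
            X509ExtendedKeyManager ekm = (X509ExtendedKeyManager) km;
            if (this.socketOwner != null) {
                alias = ekm.chooseClientAlias(certTypes, issuers, this.socketOwner);
            } else {
                alias = ekm.chooseEngineClientAlias(certTypes, issuers, this.engineOwner);
            }
            if (alias != null) {
                certs = ekm.getCertificateChain(alias);
            }
        } else {
            alias = km.chooseClientAlias(certTypes, issuers, this.socketOwner);
            if (alias != null) {
                certs = km.getCertificateChain(alias);
            }
        }
        session.localCertificates = certs;
        // certs is null here when the key manager offered no alias.
        clientCert = new CertificateMessage(certs);
        // Only ask for a key when an alias was actually chosen.
        if (alias != null) {
            clientKey = km.getPrivateKey(alias);
        }
        send(clientCert);
    }
    // Client key exchange
    if (session.cipherSuite.keyExchange == CipherSuite.KEY_EXCHANGE_RSA || session.cipherSuite.keyExchange == CipherSuite.KEY_EXCHANGE_RSA_EXPORT) {
        // RSA encrypted premaster secret message
        // NOTE(review): RSA_EXPORT key exchange is accepted here; restricting the
        // enabled suites is left to configuration outside this method.
        Cipher c;
        try {
            c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            if (serverKeyExchange != null) {
                // Key taken from the ServerKeyExchange message rather than the certificate.
                c.init(Cipher.ENCRYPT_MODE, serverKeyExchange.getRSAPublicKey());
            } else {
                c.init(Cipher.ENCRYPT_MODE, serverCert.certs[0]);
            }
        } catch (Exception e) {
            fatalAlert(AlertProtocol.INTERNAL_ERROR, "Unexpected exception", e);
            return;
        }
        // 48 random bytes whose first two are overwritten with the version the
        // client offered in ClientHello, as the RSA key exchange requires.
        preMasterSecret = new byte[48];
        parameters.getSecureRandom().nextBytes(preMasterSecret);
        System.arraycopy(clientHello.client_version, 0, preMasterSecret, 0, 2);
        try {
            // presumably the boolean selects the TLS 1.0 message encoding - confirm
            // against ClientKeyExchange
            clientKeyExchange = new ClientKeyExchange(c.doFinal(preMasterSecret), serverHello.server_version[1] == 1);
        } catch (Exception e) {
            fatalAlert(AlertProtocol.INTERNAL_ERROR, "Unexpected exception", e);
            return;
        }
    } else {
        try {
            KeyFactory kf = KeyFactory.getInstance("DH");
            KeyAgreement agreement = KeyAgreement.getInstance("DH");
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
            PublicKey serverPublic;
            DHParameterSpec spec;
            if (serverKeyExchange != null) {
                // NOTE(review): the group and the server's public value are used as
                // received; no check of the group size or of the public value's range
                // is visible in this method - confirm it happens elsewhere.
                serverPublic = kf.generatePublic(new DHPublicKeySpec(serverKeyExchange.par3, serverKeyExchange.par1, serverKeyExchange.par2));
                spec = new DHParameterSpec(serverKeyExchange.par1, serverKeyExchange.par2);
            } else {
                serverPublic = serverCert.certs[0].getPublicKey();
                spec = ((DHPublicKey) serverPublic).getParams();
            }
            kpg.initialize(spec);
            KeyPair kp = kpg.generateKeyPair();
            // Key used for the agreement: the fresh private key, unless the
            // certificate's own DH key is used implicitly (see below).
            Key key = kp.getPrivate();
            boolean implicitPublicValue = false;
            // NOTE(review): the suite test names the ephemeral DHE suites, whose server
            // certificate normally carries a signing key rather than a DH key, so the
            // match below is expected to be rare - confirm the intended suites.
            if (clientCert != null && clientKey != null && serverCert != null && (session.cipherSuite.keyExchange == CipherSuite.KEY_EXCHANGE_DHE_RSA || session.cipherSuite.keyExchange == CipherSuite.KEY_EXCHANGE_DHE_DSS)) {
                PublicKey client_pk = clientCert.certs[0].getPublicKey();
                PublicKey server_pk = serverCert.certs[0].getPublicKey();
                if (client_pk instanceof DHKey && server_pk instanceof DHKey) {
                    DHParameterSpec clientParams = ((DHKey) client_pk).getParams();
                    DHParameterSpec serverParams = ((DHKey) server_pk).getParams();
                    // Both the generator and the prime have to agree.
                    implicitPublicValue = clientParams.getG().equals(serverParams.getG()) && clientParams.getP().equals(serverParams.getP());
                }
            }
            if (implicitPublicValue) {
                // client cert message DH public key parameters
                // matched those specified by the
                // server in its certificate,
                // empty
                clientKeyExchange = new ClientKeyExchange();
                // The server will use the public value from the client certificate,
                // so the matching private key has to produce the secret.
                key = clientKey;
            } else {
                clientKeyExchange = new ClientKeyExchange(((DHPublicKey) kp.getPublic()).getY());
            }
            agreement.init(key);
            agreement.doPhase(serverPublic, true);
            preMasterSecret = agreement.generateSecret();
        } catch (Exception e) {
            fatalAlert(AlertProtocol.INTERNAL_ERROR, "Unexpected exception", e);
            return;
        }
    }
    if (clientKeyExchange != null) {
        send(clientKeyExchange);
    }
    computerMasterSecret();
    // CertificateVerify is not sent for fixed DH parameters (empty key exchange
    // message) and cannot be produced without a private key.
    if (clientCert != null && clientKey != null && !clientKeyExchange.isEmpty()) {
        // Certificate verify
        String authType = clientKey.getAlgorithm();
        DigitalSignature ds = new DigitalSignature(authType);
        ds.init(clientKey);
        if ("RSA".equals(authType)) {
            ds.setMD5(io_stream.getDigestMD5());
            ds.setSHA(io_stream.getDigestSHA());
        } else if ("DSA".equals(authType)) {
            ds.setSHA(io_stream.getDigestSHA());
            // The Signature should be empty in case of anonymous signature algorithm:
            // } else if ("DH".equals(authType)) {
        }
        // For any other key algorithm no digest is set before signing.
        certificateVerify = new CertificateVerify(ds.sign());
        send(certificateVerify);
    }
    sendChangeCipherSpec();
}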
use of javax.security.auth.x500.X500Principal in project XobotOS by xamarin.
the class TrustedCertificateIndex method findByIssuerAndSignature.
/**
 * Finds the indexed trust anchor that signed {@code cert}.
 *
 * <p>Candidates are the anchors stored under the certificate's issuer name;
 * the first one whose public key verifies the certificate's signature is
 * returned. Only the issuer name and the signature are examined here:
 * validity dates, constraints and revocation are not checked by this method.
 *
 * @param cert the certificate whose issuer is being looked up
 * @return the matching anchor, or {@code null} when no indexed anchor
 *         verifies the signature
 */
public TrustAnchor findByIssuerAndSignature(X509Certificate cert) {
    X500Principal issuerName = cert.getIssuerX500Principal();
    synchronized (subjectToTrustAnchors) {
        List<TrustAnchor> candidates = subjectToTrustAnchors.get(issuerName);
        if (candidates != null) {
            for (TrustAnchor candidate : candidates) {
                try {
                    // An anchor holds either a full CA certificate or a bare
                    // name/public-key pair.
                    X509Certificate caCert = candidate.getTrustedCert();
                    PublicKey caKey = (caCert != null) ? caCert.getPublicKey() : candidate.getCAPublicKey();
                    cert.verify(caKey);
                    return candidate;
                } catch (Exception ignored) {
                    // Any failure means this anchor did not sign the certificate;
                    // move on to the next candidate with the same name.
                }
            }
        }
    }
    return null;
}
use of javax.security.auth.x500.X500Principal in project XobotOS by xamarin.
the class TrustedCertificateIndex method index.
/**
 * Adds {@code anchor} to the index under its subject name.
 *
 * <p>The name comes from the anchor's certificate when it has one and from
 * {@code getCA()} otherwise. Several anchors may share a name; each call
 * appends to the list for that name without checking for duplicates.
 *
 * @param anchor the trust anchor to register
 */
public void index(TrustAnchor anchor) {
    X509Certificate trustedCert = anchor.getTrustedCert();
    X500Principal name = (trustedCert != null) ? trustedCert.getSubjectX500Principal() : anchor.getCA();
    synchronized (subjectToTrustAnchors) {
        List<TrustAnchor> bucket = subjectToTrustAnchors.get(name);
        if (bucket == null) {
            // First anchor seen for this name.
            bucket = new ArrayList<TrustAnchor>(1);
            subjectToTrustAnchors.put(name, bucket);
        }
        bucket.add(anchor);
    }
}
use of javax.security.auth.x500.X500Principal in project XobotOS by xamarin.
the class OpenSSLSocketImpl method clientCertificateRequested.
/**
 * Callback used by NativeCrypto.SSLHandshakeCallbacks / client_cert_cb:
 * translates the requested key types and issuer names, asks the key manager
 * for a client alias and hands the result to {@code setCertificate}.
 *
 * <p>The issuer names are parsed with {@link X500Principal#X500Principal(byte[])},
 * which throws {@link IllegalArgumentException} on a malformed encoding; that
 * exception is not caught here. The byte arrays presumably originate from the
 * peer's certificate request - confirm against the native caller.
 *
 * @param keyTypeBytes certificate type codes, mapped through
 *        {@code CipherSuite.getClientKeyType}
 * @param asn1DerEncodedPrincipals DER-encoded acceptable issuer names, or
 *        {@code null} to pass no issuer restriction to the key manager
 */
@SuppressWarnings("unused")
public void clientCertificateRequested(byte[] keyTypeBytes, byte[][] asn1DerEncodedPrincipals) throws CertificateEncodingException, SSLException {
    final int typeCount = keyTypeBytes.length;
    String[] keyTypes = new String[typeCount];
    for (int t = 0; t < typeCount; t++) {
        keyTypes[t] = CipherSuite.getClientKeyType(keyTypeBytes[t]);
    }
    X500Principal[] issuers = null;
    if (asn1DerEncodedPrincipals != null) {
        issuers = new X500Principal[asn1DerEncodedPrincipals.length];
        int slot = 0;
        for (byte[] encodedName : asn1DerEncodedPrincipals) {
            issuers[slot++] = new X500Principal(encodedName);
        }
    }
    // The alias may be null when the key manager has nothing suitable;
    // it is passed on unchanged.
    String alias = sslParameters.getKeyManager().chooseClientAlias(keyTypes, issuers, this);
    setCertificate(alias);
}
use of javax.security.auth.x500.X500Principal in project XobotOS by xamarin.
the class KeyManagerImpl method chooseAlias.
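/**
 * Returns the aliases whose leaf certificate fits one of the requested key
 * types and, when issuers are given, whose chain contains a certificate
 * issued by one of them.
 *
 * <p>A key type is either a key algorithm ("RSA") or a key and signature
 * algorithm joined by an underscore ("EC_RSA"). Issuers are matched by name
 * equality only; no signature is checked here, so the result is a selection
 * hint and not a trust decision.
 *
 * <p>Each alias is reported at most once. Previously an alias was added once
 * per matching chain certificate and per matching key type, so the result
 * could contain duplicates.
 *
 * @param keyTypes acceptable key types; {@code null} entries are skipped
 * @param issuers acceptable issuer names, or {@code null}/empty for any issuer
 * @return the matching aliases, or {@code null} when there are none or when
 *         {@code keyTypes} is {@code null} or empty
 */
private String[] chooseAlias(String[] keyTypes, Principal[] issuers) {
    if (keyTypes == null || keyTypes.length == 0) {
        return null;
    }
    List<Principal> issuersList = (issuers == null) ? null : Arrays.asList(issuers);
    ArrayList<String> found = new ArrayList<String>();
    nextAlias: for (Enumeration<String> aliases = hash.keys(); aliases.hasMoreElements(); ) {
        final String alias = aliases.nextElement();
        final KeyStore.PrivateKeyEntry entry = hash.get(alias);
        final Certificate[] chain = entry.getCertificateChain();
        final Certificate cert = chain[0];
        final String certKeyAlg = cert.getPublicKey().getAlgorithm();
        // Only X.509 certificates expose a signature algorithm name; for any
        // other certificate type the signature check below is skipped.
        final String certSigAlg = (cert instanceof X509Certificate ? ((X509Certificate) cert).getSigAlgName().toUpperCase(Locale.US) : null);
        for (String keyAlgorithm : keyTypes) {
            if (keyAlgorithm == null) {
                continue;
            }
            String sigAlgorithm;
            // handle cases like EC_EC and EC_RSA
            int index = keyAlgorithm.indexOf('_');
            if (index == -1) {
                sigAlgorithm = keyAlgorithm;
            } else {
                sigAlgorithm = keyAlgorithm.substring(index + 1);
                keyAlgorithm = keyAlgorithm.substring(0, index);
            }
            // key algorithm does not match
            if (!certKeyAlg.equals(keyAlgorithm)) {
                continue;
            }
            // sig algorithm does not match
            if (certSigAlg != null && !certSigAlg.contains(sigAlgorithm)) {
                continue;
            }
            // no issuers to match, just add to return list and move to the next alias
            if (issuers == null || issuers.length == 0) {
                found.add(alias);
                continue nextAlias;
            }
            // check that a certificate in the chain was issued by one of the specified issuers
            for (Certificate certFromChain : chain) {
                if (!(certFromChain instanceof X509Certificate)) {
                    // skip non-X509Certificates
                    continue;
                }
                X509Certificate xcertFromChain = (X509Certificate) certFromChain;
                /*
                 * Note use of X500Principal from
                 * getIssuerX500Principal as opposed to Principal
                 * from getIssuerDN. Principal.equals test does
                 * not work in the case where
                 * xcertFromChain.getIssuerDN is a bouncycastle
                 * org.bouncycastle.jce.X509Principal.
                 */
                X500Principal issuerFromChain = xcertFromChain.getIssuerX500Principal();
                if (issuersList.contains(issuerFromChain)) {
                    // One match is enough; do not add the alias again for the
                    // rest of the chain or for further key types.
                    found.add(alias);
                    continue nextAlias;
                }
            }
        }
    }
    if (!found.isEmpty()) {
        return found.toArray(new String[found.size()]);
    }
    return null;
}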