Use of org.apache.kerby.asn1.parse.Asn1Container in project webauthn4j by webauthn4j:
the class CertificateUtil, method extractSubjectKeyIdentifier.
/**
 * Derives a key identifier for {@code certificate} by SHA-1 hashing the
 * {@code subjectPublicKey} BIT STRING of its encoded SubjectPublicKeyInfo.
 * <p>
 * Note that this computes the identifier from the key itself; it does not read
 * a SubjectKeyIdentifier extension from the certificate. SHA-1 is used only for
 * identifier derivation (the construction resembles RFC 5280 §4.2.1.2 method 1),
 * not as a collision-resistant security primitive.
 *
 * @param certificate certificate whose public key is hashed
 * @return SHA-1 digest of the subjectPublicKey bit-string contents
 * @throws UncheckedIOException if the encoded public key cannot be parsed as ASN.1
 */
@NonNull
public static byte[] extractSubjectKeyIdentifier(X509Certificate certificate) {
    byte[] spkiDer = certificate.getPublicKey().getEncoded();
    Asn1BitString subjectPublicKey = new Asn1BitString();
    try {
        // SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
        // so the bit string is the second child (index 1).
        Asn1Container spki = (Asn1Container) Asn1Parser.parse(ByteBuffer.wrap(spkiDer));
        subjectPublicKey.decode(spki.getChildren().get(1));
    } catch (IOException e) {
        throw new UncheckedIOException(e);
    }
    return MessageDigestUtil.createMessageDigest("SHA-1").digest(subjectPublicKey.getValue());
}
Use of org.apache.kerby.asn1.parse.Asn1Container in project webauthn4j by webauthn4j:
the class KeyDescriptionValidator, method validate.
/**
 * Validates the KeyDescription attestation extension of {@code x509Certificate}
 * against {@code clientDataHash}.
 *
 * @param x509Certificate attestation certificate carrying the KeyDescription extension
 * @param clientDataHash  value the extension's attestationChallenge must equal
 * @param teeEnforcedOnly passed through to the authorization-list check
 * @throws UncheckedIOException if the extension cannot be parsed as ASN.1
 */
public void validate(@NonNull X509Certificate x509Certificate, @NonNull byte[] clientDataHash, boolean teeEnforcedOnly) {
    AssertUtil.notNull(x509Certificate, "x509Certificate must not be null");
    AssertUtil.notNull(clientDataHash, "clientDataHash must not be null");
    try {
        Asn1Container parsedKeyDescription = extractKeyDescription(x509Certificate);
        // Both parsing and the structural checks may raise IOException; wrap as unchecked for callers.
        doValidate(parsedKeyDescription, clientDataHash, teeEnforcedOnly);
    } catch (IOException ioException) {
        throw new UncheckedIOException(ioException);
    }
}
Use of org.apache.kerby.asn1.parse.Asn1Container in project webauthn4j by webauthn4j:
the class KeyDescriptionValidator, method doValidate.
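/**
 * Checks a parsed KeyDescription against {@code clientDataHash} and the scoping rules.
 * <p>
 * A KeyDescription that is too short, or whose authorization-list fields are not
 * constructed ASN.1 values, is reported as a {@link KeyDescriptionValidationException}
 * instead of leaking an {@code IndexOutOfBoundsException} or {@code ClassCastException}
 * from untrusted certificate contents.
 *
 * @param keyDescription  parsed KeyDescription SEQUENCE
 * @param clientDataHash  expected attestationChallenge value
 * @param teeEnforcedOnly passed through to {@code validateAuthorizationList}
 * @throws KeyDescriptionValidationException if the challenge differs, the key is not scoped
 *         to a single application, or the structure does not have the expected shape
 * @throws IOException if the attestationChallenge body cannot be read
 */
void doValidate(@NonNull Asn1Container keyDescription, @NonNull byte[] clientDataHash, boolean teeEnforcedOnly) throws IOException {
    // All three fields must be present; a truncated KeyDescription is a validation failure.
    int highestIndex = Math.max(ATTESTATION_CHALLENGE_INDEX, Math.max(SW_ENFORCED_INDEX, TEE_ENFORCED_INDEX));
    if (keyDescription.getChildren().size() <= highestIndex) {
        throw new KeyDescriptionValidationException("KeyDescription has too few fields.");
    }
    // / Verify that the attestationChallenge field in the attestation certificate extension data is identical to clientDataHash.
    byte[] attestationChallenge = keyDescription.getChildren().get(ATTESTATION_CHALLENGE_INDEX).readBodyBytes();
    // clientDataHash is not a secret, so a constant-time comparison (MessageDigest.isEqual) is unnecessary here.
    if (!Arrays.equals(attestationChallenge, clientDataHash)) {
        throw new KeyDescriptionValidationException("Attestation challenge doesn't match.");
    }
    // / Verify the following using the appropriate authorization list from the attestation certificate extension data:
    // / The AuthorizationList.allApplications field is not present on either authorization list (softwareEnforced nor teeEnforced), since PublicKeyCredential MUST be scoped to the RP ID.
    Object softwareEnforcedField = keyDescription.getChildren().get(SW_ENFORCED_INDEX);
    Object teeEnforcedField = keyDescription.getChildren().get(TEE_ENFORCED_INDEX);
    if (!(softwareEnforcedField instanceof Asn1Container) || !(teeEnforcedField instanceof Asn1Container)) {
        throw new KeyDescriptionValidationException("Authorization lists must be constructed ASN.1 values.");
    }
    Asn1Container softwareEnforced = (Asn1Container) softwareEnforcedField;
    Asn1Container teeEnforced = (Asn1Container) teeEnforcedField;
    if (findAuthorizationListEntry(softwareEnforced, KM_TAG_ALL_APPLICATIONS) != null || findAuthorizationListEntry(teeEnforced, KM_TAG_ALL_APPLICATIONS) != null) {
        throw new KeyDescriptionValidationException("Key is not scoped properly.");
    }
    validateAuthorizationList(teeEnforcedOnly, softwareEnforced, teeEnforced);
}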
Use of org.apache.kerby.asn1.parse.Asn1Container in project jans by JanssenProject:
the class AppleAttestationProcessor, method getExtension.
/*-
[
{
"type": "OBJECT_IDENTIFIER",
"data": "1.2.840.113635.100.8.2"
},
{
"type": "OCTET_STRING",
"data": [
{
"type": "SEQUENCE",
"data": [
{
"type": "[1]",
"data": [
{
"type": "OCTET_STRING",
"data": {
"type": "Buffer",
"data": [92, 219, 157, 144, 115, 64, 69, 91, 99, 115, 230, 117, 43, 115, 252, 54, 132, 83, 96, 34, 21, 250, 234, 187, 124, 22, 95, 11, 173, 172, 7, 204]
}
}
]
}
]
}
]
}
]
*/
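/**
 * Extracts the nonce carried in the extension identified by {@code KEY_DESCRIPTION_OID}
 * of an Apple anonymous attestation certificate. The extension value is an OCTET STRING
 * envelope wrapping a SEQUENCE whose first element holds the nonce (see the structure
 * dump above).
 *
 * @param attestationCert certificate taken from the attestation statement
 * @return the raw nonce bytes
 * @throws AttestationException if the extension is absent or cannot be parsed as expected
 */
public byte[] getExtension(X509Certificate attestationCert) {
    byte[] extensionValue = attestationCert.getExtensionValue(KEY_DESCRIPTION_OID);
    if (extensionValue == null) {
        // Absent extension: fail explicitly rather than via a NullPointerException inside decode().
        throw new AttestationException("Failed to extract nonce from Apple anonymous attestation statement.");
    }
    try {
        Asn1OctetString envelope = new Asn1OctetString();
        envelope.decode(extensionValue);
        Asn1Container sequence = (Asn1Container) Asn1Parser.parse(ByteBuffer.wrap(envelope.getValue()));
        Asn1ParseResult firstElement = sequence.getChildren().get(0);
        Asn1OctetString nonce = new Asn1OctetString();
        nonce.decode(firstElement);
        return nonce.getValue();
    } catch (IOException | RuntimeException e) {
        // NOTE(review): the cause is dropped here; the constructors of AttestationException are not
        // visible in this excerpt, so attaching it cannot be done without checking that type.
        throw new AttestationException("Failed to extract nonce from Apple anonymous attestation statement.");
    }
}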
Use of org.apache.kerby.asn1.parse.Asn1Container in project webauthn4j by webauthn4j:
the class KeyDescriptionValidator, method extractKeyDescription.
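/**
 * Parses the KeyDescription SEQUENCE from the extension identified by
 * {@code ATTESTATION_EXTENSION_OID}. The extension value is an OCTET STRING envelope
 * whose content is the DER-encoded KeyDescription.
 * <p>
 * Content that parses but is not a constructed value is rejected with a
 * {@link KeyDescriptionValidationException} instead of a {@code ClassCastException},
 * since the certificate comes from the authenticator and is untrusted input.
 *
 * @param x509Certificate certificate carrying the attestation extension
 * @return the parsed KeyDescription container
 * @throws KeyDescriptionValidationException if the extension is absent or is not a constructed ASN.1 value
 * @throws IOException if the envelope or its content cannot be parsed
 */
@NonNull
Asn1Container extractKeyDescription(@NonNull X509Certificate x509Certificate) throws IOException {
    byte[] attestationExtensionBytes = x509Certificate.getExtensionValue(ATTESTATION_EXTENSION_OID);
    if (attestationExtensionBytes == null) {
        throw new KeyDescriptionValidationException("KeyDescription must not be null");
    }
    Asn1OctetString envelope = new Asn1OctetString();
    envelope.decode(attestationExtensionBytes);
    Object parsed = Asn1Parser.parse(ByteBuffer.wrap(envelope.getValue()));
    if (!(parsed instanceof Asn1Container)) {
        throw new KeyDescriptionValidationException("KeyDescription must be a constructed ASN.1 value");
    }
    return (Asn1Container) parsed;
}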