
Example 6 with RDN

use of org.bouncycastle.asn1.x500.RDN in project ddf by codice.

the class SubjectUtilsTest method testFilterDNDropTwo.

@Test
public void testFilterDNDropTwo() {
    // Keep every RDN whose first attribute type is neither C nor ST.
    // Only the first attribute of each RDN is inspected, so a multi-valued
    // RDN such as "CN=Foo+C=US" would pass this predicate untouched.
    Predicate<RDN> predicate =
            rdn -> !ImmutableSet.of(BCStyle.C, BCStyle.ST)
                    .contains(rdn.getTypesAndValues()[0].getType());
    // dnPrincipal is a test fixture defined elsewhere in the class (not in this excerpt).
    String baseDN = SubjectUtils.filterDN(dnPrincipal, predicate);
    assertThat(baseDN, is("CN=Foo,OU=Engineering,OU=Dev,O=DDF"));
}
Also used : X509Certificate(java.security.cert.X509Certificate) CoreMatchers(org.hamcrest.CoreMatchers) Arrays(java.util.Arrays) X500Principal(javax.security.auth.x500.X500Principal) SortedSet(java.util.SortedSet) KeyStoreException(java.security.KeyStoreException) BCStyle(org.bouncycastle.asn1.x500.style.BCStyle) Assert.assertThat(org.junit.Assert.assertThat) Attribute(org.opensaml.saml.saml2.core.Attribute) ImmutableList(com.google.common.collect.ImmutableList) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) Map(java.util.Map) Is.is(org.hamcrest.core.Is.is) PrincipalCollection(org.apache.shiro.subject.PrincipalCollection) XSString(org.opensaml.core.xml.schema.XSString) Mockito.doReturn(org.mockito.Mockito.doReturn) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) Before(org.junit.Before) SimpleSession(org.apache.shiro.session.mgt.SimpleSession) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Matchers.empty(org.hamcrest.Matchers.empty) ImmutableSet(com.google.common.collect.ImmutableSet) DefaultSecurityManager(org.apache.shiro.mgt.DefaultSecurityManager) RDN(org.bouncycastle.asn1.x500.RDN) ImmutableMap(com.google.common.collect.ImmutableMap) CoreMatchers.hasItems(org.hamcrest.CoreMatchers.hasItems) Predicate(java.util.function.Predicate) IOException(java.io.IOException) KeyStore(java.security.KeyStore) Test(org.junit.Test) CertificateException(java.security.cert.CertificateException) Collectors(java.util.stream.Collectors) List(java.util.List) Assert.assertNull(org.junit.Assert.assertNull) Principal(java.security.Principal) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) Collections(java.util.Collections) Assert.assertEquals(org.junit.Assert.assertEquals) Mockito.mock(org.mockito.Mockito.mock) InputStream(java.io.InputStream) XSString(org.opensaml.core.xml.schema.XSString) RDN(org.bouncycastle.asn1.x500.RDN) Test(org.junit.Test)

Example 7 with RDN

use of org.bouncycastle.asn1.x500.RDN in project ddf by codice.

the class SubjectUtilsTest method testFilterDNRemoveAll.

@Test
public void testFilterDNRemoveAll() {
    // Drop every RDN whose first attribute is one of the types the fixture DN uses;
    // filterDN is expected to return an empty string rather than null or throw.
    Predicate<RDN> predicate =
            rdn -> !ImmutableSet.of(BCStyle.OU, BCStyle.CN, BCStyle.O, BCStyle.ST, BCStyle.C)
                    .contains(rdn.getTypesAndValues()[0].getType());
    String baseDN = SubjectUtils.filterDN(dnPrincipal, predicate);
    assertThat(baseDN, is(""));
}
Also used : X509Certificate(java.security.cert.X509Certificate) CoreMatchers(org.hamcrest.CoreMatchers) Arrays(java.util.Arrays) X500Principal(javax.security.auth.x500.X500Principal) SortedSet(java.util.SortedSet) KeyStoreException(java.security.KeyStoreException) BCStyle(org.bouncycastle.asn1.x500.style.BCStyle) Assert.assertThat(org.junit.Assert.assertThat) Attribute(org.opensaml.saml.saml2.core.Attribute) ImmutableList(com.google.common.collect.ImmutableList) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) Map(java.util.Map) Is.is(org.hamcrest.core.Is.is) PrincipalCollection(org.apache.shiro.subject.PrincipalCollection) XSString(org.opensaml.core.xml.schema.XSString) Mockito.doReturn(org.mockito.Mockito.doReturn) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) Before(org.junit.Before) SimpleSession(org.apache.shiro.session.mgt.SimpleSession) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Matchers.empty(org.hamcrest.Matchers.empty) ImmutableSet(com.google.common.collect.ImmutableSet) DefaultSecurityManager(org.apache.shiro.mgt.DefaultSecurityManager) RDN(org.bouncycastle.asn1.x500.RDN) ImmutableMap(com.google.common.collect.ImmutableMap) CoreMatchers.hasItems(org.hamcrest.CoreMatchers.hasItems) Predicate(java.util.function.Predicate) IOException(java.io.IOException) KeyStore(java.security.KeyStore) Test(org.junit.Test) CertificateException(java.security.cert.CertificateException) Collectors(java.util.stream.Collectors) List(java.util.List) Assert.assertNull(org.junit.Assert.assertNull) Principal(java.security.Principal) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) Collections(java.util.Collections) Assert.assertEquals(org.junit.Assert.assertEquals) Mockito.mock(org.mockito.Mockito.mock) InputStream(java.io.InputStream) XSString(org.opensaml.core.xml.schema.XSString) RDN(org.bouncycastle.asn1.x500.RDN) Test(org.junit.Test)
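The body of SubjectUtils.filterDN is not shown on this page. The following is an added example written for this page, not code from DDF, of how such a filter can be built on the Bouncy Castle RDN API with X500NameBuilder (an assumed implementation, with bcprov on the classpath). Next to the test-style predicate, which looks only at the first attribute of each RDN, it shows a variant that inspects every attribute of a multi-valued RDN, which is the case the first-attribute check does not cover.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;

// Added example (not DDF code): predicate-based DN filtering with Bouncy Castle.
public final class DnFilterExample {

    /** Rebuilds the DN keeping only the RDNs the predicate accepts, in their original order. */
    static String filterDN(X500Name name, Predicate<RDN> keep) {
        X500NameBuilder builder = new X500NameBuilder(BCStyle.INSTANCE);
        int kept = 0;
        for (RDN rdn : name.getRDNs()) {
            if (!keep.test(rdn)) {
                continue;
            }
            if (rdn.isMultiValued()) {
                // keep "A=x+B=y" together instead of flattening it into two RDNs
                builder.addMultiValuedRDN(rdn.getTypesAndValues());
            } else {
                builder.addRDN(rdn.getFirst());
            }
            kept++;
        }
        // BCStyle prints RDNs in array order, comma separated, as the tests expect
        return kept == 0 ? "" : builder.build().toString();
    }

    /** Same entry point for a Java principal; BCStyle keeps the RFC 2253 string order. */
    static String filterDN(X500Principal principal, Predicate<RDN> keep) {
        return filterDN(new X500Name(BCStyle.INSTANCE, principal.getName()), keep);
    }

    /** Predicate in the style of the DDF tests: looks only at the first attribute of each RDN. */
    static Predicate<RDN> dropFirstTypeIn(ASN1ObjectIdentifier... types) {
        Set<ASN1ObjectIdentifier> drop = new HashSet<>(Arrays.asList(types));
        return rdn -> !drop.contains(rdn.getTypesAndValues()[0].getType());
    }

    /** Stricter variant: an RDN is dropped if any of its attributes has a dropped type. */
    static Predicate<RDN> dropAnyTypeIn(ASN1ObjectIdentifier... types) {
        Set<ASN1ObjectIdentifier> drop = new HashSet<>(Arrays.asList(types));
        return rdn -> {
            for (AttributeTypeAndValue atv : rdn.getTypesAndValues()) {
                if (drop.contains(atv.getType())) {
                    return false;
                }
            }
            return true;
        };
    }

    public static void main(String[] args) {
        // Constructed sample DN in the shape the DDF tests use.
        X500Principal p = new X500Principal("CN=Foo,OU=Engineering,OU=Dev,O=DDF,ST=AZ,C=US");
        System.out.println("drop C,ST      : " + filterDN(p, dropFirstTypeIn(BCStyle.C, BCStyle.ST)));
        System.out.println("drop all       : [" + filterDN(p,
                dropFirstTypeIn(BCStyle.OU, BCStyle.CN, BCStyle.O, BCStyle.ST, BCStyle.C)) + "]");

        // A multi-valued RDN whose first attribute is not in the drop set passes the
        // first-attribute predicate but not the any-attribute one.
        X500Name multi = new X500Name(BCStyle.INSTANCE, "CN=Foo+C=US,O=DDF");
        System.out.println("first-attr, drop C: " + filterDN(multi, dropFirstTypeIn(BCStyle.C)));
        System.out.println("any-attr,   drop C: " + filterDN(multi, dropAnyTypeIn(BCStyle.C)));
    }
}
```

Which predicate is right depends on why the DN is being trimmed: if the filtered DN feeds an authorization decision, an attribute that survives because it was paired with another one inside a multi-valued RDN is the case to test for.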

Example 8 with RDN

use of org.bouncycastle.asn1.x500.RDN in project ddf by codice.

the class KeystoreEditor method addToStore.

private synchronized void addToStore(String alias, String keyPassword, String storePassword,
        String data, String type, String fileName, String path, String storepass, KeyStore store)
        throws KeystoreEditorException {
    // data is the uploaded file, Base64 encoded; storePassword unlocks an uploaded store,
    // keyPassword unlocks private keys, and storepass is the password of the target store at path.
    OutputStream fos = null;
    try (InputStream inputStream = new ByteArrayInputStream(Base64.getDecoder().decode(data))) {
        if (StringUtils.isBlank(alias)) {
            throw new IllegalArgumentException("Alias cannot be null.");
        }
        Path storeFile = Paths.get(path);
        //check the two most common key/cert stores first (pkcs12 and jks)
        if (PKCS12_TYPE.equals(type) || StringUtils.endsWithIgnoreCase(fileName, ".p12")) {
            //priv key + cert chain: only the entry under the requested alias is copied, and
            //nothing is written when the uploaded store holds no key under that alias
            KeyStore pkcs12Store = KeyStore.getInstance("PKCS12");
            pkcs12Store.load(inputStream, storePassword.toCharArray());
            Certificate[] chain = pkcs12Store.getCertificateChain(alias);
            Key key = pkcs12Store.getKey(alias, keyPassword.toCharArray());
            if (key != null) {
                store.setKeyEntry(alias, key, keyPassword.toCharArray(), chain);
                fos = Files.newOutputStream(storeFile);
                store.store(fos, storepass.toCharArray());
            }
        } else if (JKS_TYPE.equals(type) || StringUtils.endsWithIgnoreCase(fileName, ".jks")) {
            //java keystore file
            KeyStore jks = KeyStore.getInstance("jks");
            jks.load(inputStream, storePassword.toCharArray());
            Enumeration<String> aliases = jks.aliases();
            //we are going to store all entries from the jks regardless of the passed in alias;
            //every key entry is expected to open with the single keyPassword
            while (aliases.hasMoreElements()) {
                String jksAlias = aliases.nextElement();
                if (jks.isKeyEntry(jksAlias)) {
                    Key key = jks.getKey(jksAlias, keyPassword.toCharArray());
                    Certificate[] certificateChain = jks.getCertificateChain(jksAlias);
                    store.setKeyEntry(jksAlias, key, keyPassword.toCharArray(), certificateChain);
                } else {
                    Certificate certificate = jks.getCertificate(jksAlias);
                    store.setCertificateEntry(jksAlias, certificate);
                }
            }
            fos = Files.newOutputStream(storeFile);
            store.store(fos, storepass.toCharArray());
        } else if (DER_TYPE.equals(type) && StringUtils.endsWithIgnoreCase(fileName, ".der")) {
            //need to parse der separately from pem, der has the same mime type but is binary
            //hence checking both: unlike the branches above, type AND extension must match
            ASN1InputStream asn1InputStream = new ASN1InputStream(inputStream);
            ASN1Primitive asn1Primitive = asn1InputStream.readObject();
            X509CertificateHolder x509CertificateHolder = new X509CertificateHolder(asn1Primitive.getEncoded());
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
            Certificate certificate = certificateFactory.generateCertificate(new ByteArrayInputStream(x509CertificateHolder.getEncoded()));
            //second alias derived from the subject CN. getRDNs(BCStyle.CN)[0] throws
            //ArrayIndexOutOfBoundsException for a subject without a CN (wrapped by the catch
            //below), and getFirst() is the RDN's first attribute, which for a multi-valued
            //RDN need not be the CN itself
            X500Name x500name = new JcaX509CertificateHolder((X509Certificate) certificate).getSubject();
            RDN cn = x500name.getRDNs(BCStyle.CN)[0];
            String cnStr = IETFUtils.valueToString(cn.getFirst().getValue());
            //stored under the CN only if that alias is still free, and always under the
            //caller's alias (KeyStore replaces an existing certificate entry under that alias)
            if (!store.isCertificateEntry(cnStr) && !store.isKeyEntry(cnStr)) {
                store.setCertificateEntry(cnStr, certificate);
            }
            store.setCertificateEntry(alias, certificate);
            fos = Files.newOutputStream(storeFile);
            store.store(fos, storepass.toCharArray());
        } else if (isPemParsable(type, fileName)) {
            //if it isn't one of the stores we support, it might be a key or cert by itself.
            //This is the catch all case for PEM, P7B, etc. with common file extensions if the
            //mime type isn't read correctly in the browser
            Reader reader = new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8));
            PEMParser pemParser = new PEMParser(reader);
            Object object;
            boolean setEntry = false;
            //a PEM file may carry several objects; the store is written once at the end
            while ((object = pemParser.readObject()) != null) {
                if (object instanceof PEMEncryptedKeyPair || object instanceof PEMKeyPair) {
                    PEMKeyPair pemKeyPair;
                    if (object instanceof PEMEncryptedKeyPair) {
                        //legacy OpenSSL "Proc-Type: 4,ENCRYPTED" key, decrypted with keyPassword
                        PEMEncryptedKeyPair pemEncryptedKeyPairKeyPair = (PEMEncryptedKeyPair) object;
                        JcePEMDecryptorProviderBuilder jcePEMDecryptorProviderBuilder = new JcePEMDecryptorProviderBuilder();
                        pemKeyPair = pemEncryptedKeyPairKeyPair.decryptKeyPair(jcePEMDecryptorProviderBuilder.build(keyPassword.toCharArray()));
                    } else {
                        pemKeyPair = (PEMKeyPair) object;
                    }
                    KeyPair keyPair = new JcaPEMKeyConverter().setProvider("BC").getKeyPair(pemKeyPair);
                    PrivateKey privateKey = keyPair.getPrivate();
                    //the key is paired with a chain already stored under alias; otherwise
                    //buildCertChain (not shown) assembles one from certificates in the store
                    Certificate[] chain = store.getCertificateChain(alias);
                    if (chain == null) {
                        chain = buildCertChain(alias, store);
                    }
                    store.setKeyEntry(alias, privateKey, keyPassword.toCharArray(), chain);
                    setEntry = true;
                } else if (object instanceof X509CertificateHolder) {
                    //same CN-derived aliasing as the DER branch, with the same CN caveats
                    X509CertificateHolder x509CertificateHolder = (X509CertificateHolder) object;
                    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
                    Certificate certificate = certificateFactory.generateCertificate(new ByteArrayInputStream(x509CertificateHolder.getEncoded()));
                    X500Name x500name = new JcaX509CertificateHolder((X509Certificate) certificate).getSubject();
                    RDN cn = x500name.getRDNs(BCStyle.CN)[0];
                    String cnStr = IETFUtils.valueToString(cn.getFirst().getValue());
                    if (!store.isCertificateEntry(cnStr) && !store.isKeyEntry(cnStr)) {
                        store.setCertificateEntry(cnStr, certificate);
                    }
                    store.setCertificateEntry(alias, certificate);
                    setEntry = true;
                } else if (object instanceof ContentInfo) {
                    //PKCS#7 / CMS (e.g. a .p7b bundle): only the embedded certificates are imported
                    ContentInfo contentInfo = (ContentInfo) object;
                    if (contentInfo.getContentType().equals(CMSObjectIdentifiers.envelopedData)) {
                        CMSEnvelopedData cmsEnvelopedData = new CMSEnvelopedData(contentInfo);
                        OriginatorInfo originatorInfo = cmsEnvelopedData.getOriginatorInfo().toASN1Structure();
                        ASN1Set certificates = originatorInfo.getCertificates();
                        setEntry = importASN1CertificatesToStore(store, setEntry, certificates);
                    } else if (contentInfo.getContentType().equals(CMSObjectIdentifiers.signedData)) {
                        SignedData signedData = SignedData.getInstance(contentInfo.getContent());
                        ASN1Set certificates = signedData.getCertificates();
                        setEntry = importASN1CertificatesToStore(store, setEntry, certificates);
                    }
                } else if (object instanceof PKCS8EncryptedPrivateKeyInfo) {
                    //encrypted PKCS#8: first try to hand the encrypted blob to the store as-is;
                    //if the store rejects it, decrypt with keyPassword and store the plain key
                    PKCS8EncryptedPrivateKeyInfo pkcs8EncryptedPrivateKeyInfo = (PKCS8EncryptedPrivateKeyInfo) object;
                    Certificate[] chain = store.getCertificateChain(alias);
                    if (chain == null) {
                        chain = buildCertChain(alias, store);
                    }
                    try {
                        store.setKeyEntry(alias, pkcs8EncryptedPrivateKeyInfo.getEncoded(), chain);
                        setEntry = true;
                    } catch (KeyStoreException keyEx) {
                        try {
                            PKCS8Key pkcs8Key = new PKCS8Key(pkcs8EncryptedPrivateKeyInfo.getEncoded(), keyPassword.toCharArray());
                            store.setKeyEntry(alias, pkcs8Key.getPrivateKey(), keyPassword.toCharArray(), chain);
                            setEntry = true;
                        } catch (GeneralSecurityException e) {
                            LOGGER.info("Unable to add PKCS8 key to keystore with secondary method. Throwing original exception.", e);
                            throw keyEx;
                        }
                    }
                }
            }
            if (setEntry) {
                fos = Files.newOutputStream(storeFile);
                store.store(fos, storepass.toCharArray());
            }
        }
    } catch (Exception e) {
        //any parse, password or aliasing failure surfaces as a single KeystoreEditorException
        LOGGER.info("Unable to add entry {} to store", alias, e);
        throw new KeystoreEditorException("Unable to add entry " + alias + " to store", e);
    } finally {
        if (fos != null) {
            try {
                fos.close();
            } catch (IOException ignore) {
            }
        }
    }
    //reload the editor's view of the store from disk
    init();
}
Also used : OriginatorInfo(org.bouncycastle.asn1.cms.OriginatorInfo) PrivateKey(java.security.PrivateKey) OutputStream(java.io.OutputStream) FileOutputStream(java.io.FileOutputStream) Reader(java.io.Reader) InputStreamReader(java.io.InputStreamReader) BufferedReader(java.io.BufferedReader) JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter) X500Name(org.bouncycastle.asn1.x500.X500Name) JcePEMDecryptorProviderBuilder(org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder) CertificateFactory(java.security.cert.CertificateFactory) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) PEMParser(org.bouncycastle.openssl.PEMParser) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) RDN(org.bouncycastle.asn1.x500.RDN) Path(java.nio.file.Path) PKCS8Key(org.apache.commons.ssl.PKCS8Key) CMSEnvelopedData(org.bouncycastle.cms.CMSEnvelopedData) ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) KeyPair(java.security.KeyPair) PEMEncryptedKeyPair(org.bouncycastle.openssl.PEMEncryptedKeyPair) PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair) Enumeration(java.util.Enumeration) InputStreamReader(java.io.InputStreamReader) SignedData(org.bouncycastle.asn1.cms.SignedData) ByteArrayInputStream(java.io.ByteArrayInputStream) ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) InputStream(java.io.InputStream) GeneralSecurityException(java.security.GeneralSecurityException) PKCS8EncryptedPrivateKeyInfo(org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo) KeyStoreException(java.security.KeyStoreException) IOException(java.io.IOException) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) KeyStoreException(java.security.KeyStoreException) GeneralSecurityException(java.security.GeneralSecurityException) InstanceAlreadyExistsException(javax.management.InstanceAlreadyExistsException) KeyManagementException(java.security.KeyManagementException) MalformedObjectNameException(javax.management.MalformedObjectNameException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CertificateEncodingException(java.security.cert.CertificateEncodingException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) NoSuchProviderException(java.security.NoSuchProviderException) PEMEncryptedKeyPair(org.bouncycastle.openssl.PEMEncryptedKeyPair) ASN1Set(org.bouncycastle.asn1.ASN1Set) ByteArrayInputStream(java.io.ByteArrayInputStream) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BufferedReader(java.io.BufferedReader) PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive) Key(java.security.Key) PrivateKey(java.security.PrivateKey) PKCS8Key(org.apache.commons.ssl.PKCS8Key) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 9 with RDN

use of org.bouncycastle.asn1.x500.RDN in project robovm by robovm.

the class IETFUtils method rDNsFromString.

// Parses a directory string such as "CN=Foo,OU=Dev,O=DDF" into RDNs, resolving
// attribute names through the given style's name table. RDNs are returned in the
// order written; RFC4519Style.fromString reverses the array afterwards to honour
// RFC 4519's reverse ordering. The tokenizer respects backslash escapes and quoted
// values, so a '+' seen in a token here is an unescaped multi-value separator.
public static RDN[] rDNsFromString(String name, X500NameStyle x500Style) {
    X500NameTokenizer nTok = new X500NameTokenizer(name);
    X500NameBuilder builder = new X500NameBuilder(x500Style);
    while (nTok.hasMoreTokens()) {
        String token = nTok.nextToken();
        if (token.indexOf('+') > 0) {
            // multi-valued RDN: "attr=value+attr=value..." (a leading '+' is not a separator)
            X500NameTokenizer pTok = new X500NameTokenizer(token, '+');
            X500NameTokenizer vTok = new X500NameTokenizer(pTok.nextToken(), '=');
            String attr = vTok.nextToken();
            if (!vTok.hasMoreTokens()) {
                throw new IllegalArgumentException("badly formatted directory string");
            }
            String value = vTok.nextToken();
            ASN1ObjectIdentifier oid = x500Style.attrNameToOID(attr.trim());
            if (pTok.hasMoreTokens()) {
                // raw Vector kept for the JDK 1.1 compatible API this class targets
                Vector oids = new Vector();
                Vector values = new Vector();
                oids.addElement(oid);
                values.addElement(unescape(value));
                while (pTok.hasMoreTokens()) {
                    vTok = new X500NameTokenizer(pTok.nextToken(), '=');
                    attr = vTok.nextToken();
                    if (!vTok.hasMoreTokens()) {
                        throw new IllegalArgumentException("badly formatted directory string");
                    }
                    value = vTok.nextToken();
                    oid = x500Style.attrNameToOID(attr.trim());
                    oids.addElement(oid);
                    values.addElement(unescape(value));
                }
                builder.addMultiValuedRDN(toOIDArray(oids), toValueArray(values));
            } else {
                // "a+b" with nothing after the '+': treated as a single-valued RDN
                builder.addRDN(oid, unescape(value));
            }
        } else {
            // single-valued RDN: "attr=value"
            X500NameTokenizer vTok = new X500NameTokenizer(token, '=');
            String attr = vTok.nextToken();
            if (!vTok.hasMoreTokens()) {
                throw new IllegalArgumentException("badly formatted directory string");
            }
            String value = vTok.nextToken();
            ASN1ObjectIdentifier oid = x500Style.attrNameToOID(attr.trim());
            // unescape() removes quoting and backslash/hex escapes from the value text
            builder.addRDN(oid, unescape(value));
        }
    }
    return builder.build().getRDNs();
}
Also used : X500NameBuilder(org.bouncycastle.asn1.x500.X500NameBuilder) ASN1String(org.bouncycastle.asn1.ASN1String) DERUniversalString(org.bouncycastle.asn1.DERUniversalString) Vector(java.util.Vector) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 10 with RDN

use of org.bouncycastle.asn1.x500.RDN in project keywhiz by square.

the class LdapAuthenticator method rolesFromDN.

// Looks up the groups whose uniqueMember attribute names userDN and returns their CNs
// as role names. Filter.createEqualityFilter encodes userDN as an assertion value, so
// special characters in the DN cannot change the structure of the search filter.
private Set<String> rolesFromDN(String userDN) throws LDAPException, GeneralSecurityException {
    SearchRequest searchRequest = new SearchRequest(config.getRoleBaseDN(), SearchScope.SUB, Filter.createEqualityFilter("uniqueMember", userDN));
    Set<String> roles = Sets.newLinkedHashSet();
    LDAPConnection connection = connectionFactory.getLDAPConnection();
    try {
        SearchResult sr = connection.search(searchRequest);
        for (SearchResultEntry sre : sr.getSearchEntries()) {
            // parse the group entry's DN (e.g. "cn=admins,ou=groups,...") with Bouncy Castle;
            // BCStyle accepts lower-case attribute names as LDAP servers return them
            X500Name x500Name = new X500Name(sre.getDN());
            // getRDNs(CN) returns every RDN that contains a CN attribute; guard the empty case
            RDN[] rdns = x500Name.getRDNs(BCStyle.CN);
            if (rdns.length == 0) {
                // the name parsed; it simply has no CN to use as a role name
                logger.error("Could not create X500 Name for role:" + sre.getDN());
            } else {
                // first attribute of the first matching RDN: the CN itself unless that RDN
                // is multi-valued with another attribute listed first
                String commonName = IETFUtils.valueToString(rdns[0].getFirst().getValue());
                roles.add(commonName);
            }
        }
    } finally {
        connection.close();
    }
    return roles;
}
Also used : SearchRequest(com.unboundid.ldap.sdk.SearchRequest) SearchResult(com.unboundid.ldap.sdk.SearchResult) LDAPConnection(com.unboundid.ldap.sdk.LDAPConnection) X500Name(org.bouncycastle.asn1.x500.X500Name) RDN(org.bouncycastle.asn1.x500.RDN) SearchResultEntry(com.unboundid.ldap.sdk.SearchResultEntry)
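Examples 8 and 10 both read the CN with x500Name.getRDNs(BCStyle.CN)[0].getFirst(), and Example 9 is the tokenizer that produces those RDNs. The following is an added example, not code from ddf, keywhiz or Bouncy Castle, that runs a few constructed DN strings through that same path next to a variant that matches the CN attribute itself. It needs bcprov on the classpath. The point it makes: getRDNs(type) returns the whole RDN when any of its attributes has that type, so for a multi-valued RDN such as ST=AZ+CN=Foo the [0].getFirst() path yields the ST value, and for a name with no CN the [0] index throws ArrayIndexOutOfBoundsException unless the length is checked as keywhiz does.

```java
import java.util.Optional;
import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;

// Added example (not project code): two ways of reading the CN out of a Bouncy Castle X500Name.
public final class CommonNameExample {

    /** The lookup the snippets above use: first attribute of the first RDN that contains a CN. */
    static Optional<String> cnViaGetRDNs(X500Name name) {
        RDN[] rdns = name.getRDNs(BCStyle.CN);
        if (rdns.length == 0) {
            // without this guard, rdns[0] throws ArrayIndexOutOfBoundsException
            return Optional.empty();
        }
        // for a multi-valued RDN getFirst() is whichever attribute was written first
        return Optional.of(IETFUtils.valueToString(rdns[0].getFirst().getValue()));
    }

    /** Matches the CN attribute itself, so "ST=AZ+CN=Foo" yields Foo rather than AZ. */
    static Optional<String> firstCommonName(X500Name name) {
        for (RDN rdn : name.getRDNs()) {
            for (AttributeTypeAndValue atv : rdn.getTypesAndValues()) {
                if (BCStyle.CN.equals(atv.getType())) {
                    // valueToString re-escapes ',', '+', '"', '\\', '<', '>', ';' and '='
                    return Optional.of(IETFUtils.valueToString(atv.getValue()));
                }
            }
        }
        return Optional.empty();
    }

    /** Counts CN attributes across all RDNs; more than one is worth rejecting as a keystore alias. */
    static int commonNameCount(X500Name name) {
        int count = 0;
        for (RDN rdn : name.getRDNs()) {
            for (AttributeTypeAndValue atv : rdn.getTypesAndValues()) {
                if (BCStyle.CN.equals(atv.getType())) {
                    count++;
                }
            }
        }
        return count;
    }

    public static void main(String[] args) {
        // Constructed sample DNs; the Java string "\\," is the RFC 2253 escape "\," in the DN.
        String[] samples = {
            "CN=Foo,OU=Engineering,O=DDF",           // ordinary certificate subject
            "cn=admins,ou=groups,dc=example,dc=com", // LDAP group DN as keywhiz would see it
            "ST=AZ+CN=Foo,O=DDF",                    // CN inside a multi-valued RDN, not first
            "CN=Foo\\, Inc,O=DDF",                   // escaped comma inside the CN value
            "CN=Foo,CN=Bar,O=DDF",                   // two CNs: which one becomes the alias?
            "OU=Roles,O=DDF",                        // no CN at all
        };
        for (String s : samples) {
            X500Name name = new X500Name(BCStyle.INSTANCE, s);
            System.out.printf("%-40s getRDNs(CN)[0].getFirst() -> %-10s CN attribute -> %-10s CNs=%d%n",
                    s,
                    cnViaGetRDNs(name).orElse("<none>"),
                    firstCommonName(name).orElse("<none>"),
                    commonNameCount(name));
        }
    }
}
```

When the CN is used as a keystore alias or a role name, as the two project methods do, the string that matters is the re-escaped one returned by IETFUtils.valueToString; comparing it against a value that was escaped differently, or that came from X500Principal.getName() rather than Bouncy Castle, is where lookups silently miss.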

Aggregations

RDN (org.bouncycastle.asn1.x500.RDN)17 IOException (java.io.IOException)12 X509Certificate (java.security.cert.X509Certificate)12 X500Name (org.bouncycastle.asn1.x500.X500Name)12 KeyStoreException (java.security.KeyStoreException)8 InputStream (java.io.InputStream)7 KeyStore (java.security.KeyStore)7 CertificateException (java.security.cert.CertificateException)7 List (java.util.List)7 JcaX509CertificateHolder (org.bouncycastle.cert.jcajce.JcaX509CertificateHolder)7 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)6 Principal (java.security.Principal)6 Map (java.util.Map)6 ImmutableList (com.google.common.collect.ImmutableList)5 ImmutableMap (com.google.common.collect.ImmutableMap)5 ImmutableSet (com.google.common.collect.ImmutableSet)5 SecurityAssertion (ddf.security.assertion.SecurityAssertion)5 ArrayList (java.util.ArrayList)5 Arrays (java.util.Arrays)5 Collections (java.util.Collections)5