use of org.bouncycastle.asn1.x509.Attribute in project android_frameworks_base by ResurrectionRemix.
the class ESTHandler method buildCSR.
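/**
 * Builds a DER-encoded PKCS#10 certification request from the server's CSR-attributes
 * response (logged here as "/csrattrs").
 *
 * <p>The response must decode to exactly one constructed ASN.1 object. Its children select the
 * signature/key algorithm, an optional ECC curve or RSA key size, and the identity attributes
 * (challengePassword, MAC, IMEI, MEID, DevID) to embed in the request. Everything read from
 * {@code octetBuffer} is server-controlled, so values are validated before they reach the key
 * generator. The generated private key is stored in {@code mClientKey}.
 *
 * @param octetBuffer  the raw CSR-attributes response body
 * @param omadmAdapter source of the device identifiers placed in the request
 * @param httpHandler  source of the TLS-unique channel binding for challengePassword
 * @return the encoded certification request
 * @throws IOException              if the response is malformed or asks for something unsupported
 * @throws GeneralSecurityException if key generation or request signing fails
 */
private byte[] buildCSR(ByteBuffer octetBuffer, OMADMAdapter omadmAdapter, HTTPHandler httpHandler) throws IOException, GeneralSecurityException {
    Log.d(TAG, "/csrattrs:");
    Collection<Asn1Object> csrs = Asn1Decoder.decode(octetBuffer);
    for (Asn1Object asn1Object : csrs) {
        Log.d(TAG, asn1Object.toString());
    }
    if (csrs.size() != 1) {
        throw new IOException("Unexpected object count in CSR attributes response: " + csrs.size());
    }
    Asn1Object sequence = csrs.iterator().next();
    if (sequence.getClass() != Asn1Constructed.class) {
        throw new IOException("Unexpected CSR attribute container: " + sequence);
    }

    String keyAlgo = null;
    Asn1Oid keyAlgoOID = null;
    String sigAlgo = null;
    String curveName = null;
    Asn1Oid pubCrypto = null;
    int keySize = -1;
    Map<Asn1Oid, ASN1Encodable> idAttributes = new HashMap<>();

    for (Asn1Object child : sequence.getChildren()) {
        if (child.getTag() == Asn1Decoder.TAG_OID) {
            // A bare OID is either a signature algorithm or a request for challengePassword.
            Asn1Oid oid = (Asn1Oid) child;
            OidMappings.SigEntry sigEntry = OidMappings.getSigEntry(oid);
            if (sigEntry != null) {
                sigAlgo = sigEntry.getSigAlgo();
                keyAlgoOID = sigEntry.getKeyAlgo();
                keyAlgo = OidMappings.getJCEName(keyAlgoOID);
            } else if (oid.equals(OidMappings.sPkcs9AtChallengePassword)) {
                byte[] tlsUnique = httpHandler.getTLSUnique();
                if (tlsUnique != null) {
                    // Base64.DEFAULT appends a line terminator, which is not a PrintableString
                    // character and would not match a server-side base64 of the same binding;
                    // NO_WRAP emits the bare base64 text (assumes android.util.Base64).
                    idAttributes.put(oid, new DERPrintableString(Base64.encodeToString(tlsUnique, Base64.NO_WRAP)));
                } else {
                    // Without the binding the request is not tied to this TLS session.
                    Log.w(TAG, "Cannot retrieve TLS unique channel binding");
                }
            }
        } else if (child.getTag() == Asn1Decoder.TAG_SEQ) {
            // An attribute: one OID naming it plus a SET of OID and non-OID values.
            Asn1Oid oid = null;
            Set<Asn1Oid> oidValues = new HashSet<>();
            List<Asn1Object> values = new ArrayList<>();
            for (Asn1Object attributeSeq : child.getChildren()) {
                if (attributeSeq.getTag() == Asn1Decoder.TAG_OID) {
                    oid = (Asn1Oid) attributeSeq;
                } else if (attributeSeq.getTag() == Asn1Decoder.TAG_SET) {
                    for (Asn1Object value : attributeSeq.getChildren()) {
                        if (value.getTag() == Asn1Decoder.TAG_OID) {
                            oidValues.add((Asn1Oid) value);
                        } else {
                            values.add(value);
                        }
                    }
                }
            }
            if (oid == null) {
                throw new IOException("Invalid attribute, no OID");
            }
            if (oid.equals(OidMappings.sExtensionRequest)) {
                // Only identifiers the server explicitly asked for are added to the request.
                for (Asn1Oid subOid : oidValues) {
                    if (OidMappings.isIDAttribute(subOid)) {
                        if (subOid.equals(OidMappings.sMAC)) {
                            idAttributes.put(subOid, new DERIA5String(omadmAdapter.getMAC()));
                        } else if (subOid.equals(OidMappings.sIMEI)) {
                            idAttributes.put(subOid, new DERIA5String(omadmAdapter.getImei()));
                        } else if (subOid.equals(OidMappings.sMEID)) {
                            idAttributes.put(subOid, new DERBitString(omadmAdapter.getMeid()));
                        } else if (subOid.equals(OidMappings.sDevID)) {
                            idAttributes.put(subOid, new DERPrintableString(omadmAdapter.getDevID()));
                        }
                    }
                }
            } else if (OidMappings.getCryptoID(oid) != null) {
                pubCrypto = oid;
                for (Asn1Object value : values) {
                    if (value.getTag() == Asn1Decoder.TAG_INTEGER) {
                        // Reject values that do not fit an int instead of silently truncating a
                        // server-supplied size into some unrelated number.
                        long requested = ((Asn1Integer) value).getValue();
                        if (requested < 0 || requested > Integer.MAX_VALUE) {
                            throw new IOException("Invalid key size in CSR attributes: " + requested);
                        }
                        keySize = (int) requested;
                    }
                }
                if (oid.equals(OidMappings.sAlgo_EC)) {
                    if (oidValues.isEmpty()) {
                        throw new IOException("No ECC curve name provided");
                    }
                    // Take the first curve OID that maps to a known name.
                    for (Asn1Oid value : oidValues) {
                        curveName = OidMappings.getJCEName(value);
                        if (curveName != null) {
                            break;
                        }
                    }
                    if (curveName == null) {
                        throw new IOException("Found no ECC curve for " + oidValues);
                    }
                }
            }
        }
    }

    if (keyAlgoOID == null) {
        throw new IOException("No public key algorithm specified");
    }
    if (keyAlgo == null) {
        // getJCEName can return null (see the curve lookup above); fail with a clear message
        // rather than a NullPointerException inside KeyPairGenerator.getInstance.
        throw new IOException("Unsupported public key algorithm: " + keyAlgoOID);
    }
    if (pubCrypto != null && !pubCrypto.equals(keyAlgoOID)) {
        throw new IOException("Mismatching key algorithms");
    }
    if (keyAlgoOID.equals(OidMappings.sAlgo_RSA)) {
        // The server may suggest a size but cannot push the key below the local minimum.
        // NOTE(review): no upper bound is applied; consider capping to limit key generation cost.
        if (keySize < MinRSAKeySize) {
            if (keySize >= 0) {
                Log.i(TAG, "Upgrading suggested RSA key size from " + keySize + " to " + MinRSAKeySize);
            }
            keySize = MinRSAKeySize;
        }
    }
    // Log only which identity attributes are present: the values are device identifiers and
    // the TLS channel binding, which do not belong in the system log.
    Log.d(TAG, String.format("pub key '%s', signature '%s', ECC curve '%s', id-atts %s", keyAlgo, sigAlgo, curveName, idAttributes.keySet()));
    /*
     * Example CSR attribute responses.
     * Ruckus:
     *   SEQUENCE:
     *     OID=1.2.840.113549.1.1.11 (algo_id_sha256WithRSAEncryption)
     * RFC-7030:
     *   SEQUENCE:
     *     OID=1.2.840.113549.1.9.7 (challengePassword)
     *     SEQUENCE:
     *       OID=1.2.840.10045.2.1 (algo_id_ecPublicKey)
     *       SET:
     *         OID=1.3.132.0.34 (secp384r1)
     *     SEQUENCE:
     *       OID=1.2.840.113549.1.9.14 (extensionRequest)
     *       SET:
     *         OID=1.3.6.1.1.1.1.22 (mac-address)
     *     OID=1.2.840.10045.4.3.3 (eccdaWithSHA384)
     * 1L, 3L, 6L, 1L, 1L, 1L, 1L, 22
     */
    // ECC Does not appear to be supported currently
    KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlgo);
    if (curveName != null) {
        AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance(keyAlgo);
        algorithmParameters.init(new ECNamedCurveGenParameterSpec(curveName));
        kpg.initialize(algorithmParameters.getParameterSpec(ECNamedCurveGenParameterSpec.class));
    } else {
        kpg.initialize(keySize);
    }
    KeyPair kp = kpg.generateKeyPair();
    X500Principal subject = new X500Principal("CN=Android, O=Google, C=US");
    mClientKey = kp.getPrivate();

    // !!! Map the idAttributes into an ASN1Set of values to pass to
    // the PKCS10CertificationRequest - this code is using outdated BC classes and
    // has *not* been tested.
    ASN1Set attributes;
    if (!idAttributes.isEmpty()) {
        ASN1EncodableVector payload = new DEREncodableVector();
        for (Map.Entry<Asn1Oid, ASN1Encodable> entry : idAttributes.entrySet()) {
            DERObjectIdentifier type = new DERObjectIdentifier(entry.getKey().toOIDString());
            ASN1Set values = new DERSet(entry.getValue());
            Attribute attribute = new Attribute(type, values);
            payload.add(attribute);
        }
        attributes = new DERSet(payload);
    } else {
        attributes = null;
    }
    return new PKCS10CertificationRequest(sigAlgo, subject, kp.getPublic(), attributes, mClientKey).getEncoded();
}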
use of org.bouncycastle.asn1.x509.Attribute in project nhin-d by DirectProject.
the class CertGenerator method createCertFromCSR.
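/**
 * Issues an X.509 certificate for a PKCS#10 request, signed with the key in {@code signerCert}.
 *
 * <p>The certificate takes its subject and public key from the request, is valid for three
 * years from now, and carries the extensions found in the request's {@code Extension Request}
 * attribute, if there is one.
 *
 * @param certReq    the certification request to honour
 * @param signerCert holder of the issuing certificate and its private key
 * @return the newly signed certificate
 * @throws Exception if the request's signature does not verify or certificate generation fails
 */
public static X509Certificate createCertFromCSR(PKCS10CertificationRequest certReq, CertCreateFields signerCert) throws Exception {
    // verify() reports a bad self-signature through its return value; ignoring it would issue
    // a certificate for a public key the requester never proved possession of.
    if (!certReq.verify()) {
        throw new java.security.SignatureException("Certification request signature does not verify");
    }
    final CertificationRequestInfo reqInfo = certReq.getCertificationRequestInfo();
    final X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    final Calendar start = Calendar.getInstance();
    final Calendar end = Calendar.getInstance();
    end.add(Calendar.YEAR, 3);
    certGen.setSerialNumber(BigInteger.valueOf(generatePositiveRandom()));
    // issuer is the parent cert
    certGen.setIssuerDN(signerCert.getSignerCert().getSubjectX500Principal());
    certGen.setNotBefore(start.getTime());
    certGen.setNotAfter(end.getTime());
    certGen.setSubjectDN(new X509Principal(reqInfo.getSubject().toString()));
    certGen.setPublicKey(certReq.getPublicKey());
    certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");

    // Attributes are optional in a request, so both the set and the extension request inside
    // it may be missing.
    final ASN1Set attributesAsn1Set = reqInfo.getAttributes();
    X509Extensions certificateRequestExtensions = null;
    if (attributesAsn1Set != null) {
        for (int i = 0; i < attributesAsn1Set.size(); ++i) {
            // There should be only one attribute in the set (that is, only the
            // `Extension Request`), but loop through to find it properly. If several are
            // present the last one wins, as before.
            final DEREncodable derEncodable = attributesAsn1Set.getObjectAt(i);
            if (derEncodable instanceof DERSequence) {
                final Attribute attribute = new Attribute((DERSequence) derEncodable);
                if (attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
                    final ASN1Set attributeValues = attribute.getAttrValues();
                    // Assume that it is the first value of the set.
                    if (attributeValues.size() >= 1) {
                        certificateRequestExtensions = new X509Extensions((ASN1Sequence) attributeValues.getObjectAt(0));
                    }
                }
            }
        }
    }

    if (certificateRequestExtensions != null) {
        // NOTE(review): every requested extension is copied as-is, including ones that grant
        // authority (basicConstraints, keyUsage). Callers that accept requests from untrusted
        // parties should restrict this to an allow-list.
        @SuppressWarnings("unchecked") Enumeration<DERObjectIdentifier> oids = certificateRequestExtensions.oids();
        while (oids.hasMoreElements()) {
            DERObjectIdentifier oid = oids.nextElement();
            X509Extension ex = certificateRequestExtensions.getExtension(oid);
            certGen.addExtension(oid, ex.isCritical(), X509Extension.convertValueToObject(ex));
        }
    }
    return certGen.generate((PrivateKey) signerCert.getSignerKey(), CryptoExtensions.getJCEProviderName());
}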
use of org.bouncycastle.asn1.x509.Attribute in project nhin-d by DirectProject.
the class TrustChainValidator method getIssuerAddress.
/**
 * Derives an address (e-mail or domain) for the issuer of {@code certificate}.
 *
 * <p>Issuer alternative names are consulted first: an RFC 822 name always replaces the current
 * candidate, a DNS name is taken only while no candidate exists. If that yields nothing, the
 * issuer distinguished name is searched for an {@code EMAILADDRESS} attribute and then for
 * {@code CN}.
 *
 * @param certificate the certificate whose issuer is examined
 * @return the address found, or an empty string when none can be determined
 */
private String getIssuerAddress(X509Certificate certificate) {
    Collection<List<?>> issuerAltNames;
    try {
        issuerAltNames = certificate.getIssuerAlternativeNames();
    } catch (CertificateParsingException ignored) {
        // An unparsable extension is treated the same as a missing one.
        issuerAltNames = null;
    }

    String fromAltNames = "";
    if (issuerAltNames != null) {
        for (List<?> generalName : issuerAltNames) {
            // Each entry should be a (type, value) pair; skip anything shorter.
            if (generalName.size() < 2) {
                continue;
            }
            Integer nameType = (Integer) generalName.get(0);
            if (nameType == RFC822Name_TYPE) {
                fromAltNames = (String) generalName.get(1);
            } else if (nameType == DNSName_TYPE && fromAltNames.isEmpty()) {
                fromAltNames = (String) generalName.get(1);
            }
        }
    }
    if (!fromAltNames.isEmpty()) {
        return fromAltNames;
    }

    // Nothing usable in the alternative names: fall back to the issuer DN, rendered with the
    // e-mail OID mapped to a readable keyword.
    Map<String, String> emailOid = new HashMap<String, String>();
    emailOid.put("1.2.840.113549.1.9.1", "EMAILADDRESS");
    String issuerDn = certificate.getIssuerX500Principal().getName(X500Principal.RFC1779, emailOid);

    String keyword = "EMAILADDRESS=";
    int keywordAt = issuerDn.indexOf(keyword);
    if (keywordAt == -1) {
        keyword = "CN=";
        keywordAt = issuerDn.indexOf(keyword);
        if (keywordAt == -1) {
            return "";
        }
    }

    // NOTE(review): this is a plain substring search. It takes the first occurrence of the
    // keyword anywhere in the string and stops at the first comma, so a quoted or escaped
    // comma, or the keyword text inside another attribute's value, changes the result.
    int valueStart = keywordAt + keyword.length();
    int comma = issuerDn.indexOf(",", keywordAt);
    if (comma > -1) {
        return issuerDn.substring(valueStart, comma);
    }
    return issuerDn.substring(valueStart);
}
use of org.bouncycastle.asn1.x509.Attribute in project nhin-d by DirectProject.
the class MessageSigInspector method main.
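/**
 * Command-line entry point: prints signer information for a signed MIME message.
 *
 * <p>Usage: {@code -msgFile <file>}. For each signer whose certificate is found in the
 * message, the tool prints the subject and key usage, writes the certificate to
 * {@code SigCert.der} (overwritten for each signer), and reports the signed digest, the
 * verification result and the computed digest.
 *
 * @param args command-line arguments
 */
public static void main(String[] args) {
    if (args.length == 0) {
        System.exit(-1);
    }
    String messgefile = null;
    for (int i = 0; i < args.length; i++) {
        String arg = args[i];
        if (!arg.startsWith("-")) {
            System.err.println("Error: Unexpected argument [" + arg + "]\n");
            System.exit(-1);
        } else if (arg.equalsIgnoreCase("-msgFile")) {
            if (i == args.length - 1 || args[i + 1].startsWith("-")) {
                System.err.println("Error: Missing message file");
                System.exit(-1);
            }
            messgefile = args[++i];
        } else if (arg.equals("-help")) {
            System.exit(-1);
        } else {
            System.err.println("Error: Unknown argument " + arg + "\n");
            System.exit(-1);
        }
    }
    if (messgefile == null) {
        System.err.println("Error: missing message file\n");
        // Stop here: continuing would only fail on new File(null).
        System.exit(-1);
    }
    InputStream inStream = null;
    try {
        inStream = FileUtils.openInputStream(new File(messgefile));
        MimeMessage message = new MimeMessage(null, inStream);
        MimeMultipart mm = (MimeMultipart) message.getContent();
        // Part 0 is the signed content, part 1 the detached signature.
        final CMSSignedData signed = new CMSSignedData(new CMSProcessableBodyPart(mm.getBodyPart(0)), mm.getBodyPart(1).getInputStream());
        CertStore certs = signed.getCertificatesAndCRLs("Collection", CryptoExtensions.getJCEProviderName());
        SignerInformationStore signers = signed.getSignerInfos();
        @SuppressWarnings("unchecked") Collection<SignerInformation> c = signers.getSigners();
        System.out.println("Found " + c.size() + " signers");
        int cnt = 1;
        for (SignerInformation signer : c) {
            Collection<? extends Certificate> certCollection = certs.getCertificates(signer.getSID());
            if (certCollection != null && certCollection.size() > 0) {
                X509Certificate cert = (X509Certificate) certCollection.iterator().next();
                System.out.println("\r\nInfo for certificate " + cnt++);
                System.out.println("\tSubject " + cert.getSubjectDN());
                FileUtils.writeByteArrayToFile(new File("SigCert.der"), cert.getEncoded());
                // 2.5.29.15 is the keyUsage extension.
                byte[] bytes = cert.getExtensionValue("2.5.29.15");
                if (bytes != null) {
                    final DERObject obj = getObject(bytes);
                    final KeyUsage keyUsage = new KeyUsage((DERBitString) obj);
                    final byte[] data = keyUsage.getBytes();
                    final int intValue = (data.length == 1) ? data[0] & 0xff : (data[1] & 0xff) << 8 | (data[0] & 0xff);
                    System.out.println("\tKey Usage: " + intValue);
                } else {
                    System.out.println("\tKey Usage: NONE");
                }
                // Signed attributes are optional, so a signer without them must not abort
                // the report for the remaining signers.
                final Attribute digAttr = (signer.getSignedAttributes() == null) ? null : signer.getSignedAttributes().get(CMSAttributes.messageDigest);
                if (digAttr != null) {
                    final DERObject hashObj = digAttr.getAttrValues().getObjectAt(0).getDERObject();
                    final byte[] signedDigest = ((ASN1OctetString) hashObj).getOctets();
                    final String signedDigestHex = org.apache.commons.codec.binary.Hex.encodeHexString(signedDigest);
                    System.out.println("\r\nSigned Message Digest: " + signedDigestHex);
                } else {
                    System.out.println("\r\nSigned Message Digest: NONE");
                }
                try {
                    // verify() signals a signature mismatch through its return value, not only
                    // by throwing, so the result has to be checked before reporting success.
                    if (signer.verify(cert, "BC")) {
                        System.out.println("Signature verified.");
                    } else {
                        System.out.println("Signature failed to verify.");
                    }
                } catch (CMSException e) {
                    System.out.println("Signature failed to verify.");
                }
                // The content digest is available once verification has been attempted.
                final byte[] digest = signer.getContentDigest();
                final String digestHex = org.apache.commons.codec.binary.Hex.encodeHexString(digest);
                System.out.println("\r\nComputed Message Digest: " + digestHex);
            }
        }
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        IOUtils.closeQuietly(inStream);
    }
}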
use of org.bouncycastle.asn1.x509.Attribute in project nhin-d by DirectProject.
the class SMIMECryptographerImpl method createAttributeTable.
/*
* Construct an attribute table. Added private function to support multiple versions of BC libraries.
*/
/**
 * Creates an {@code AttributeTable} from {@code signedAttrs}, whichever constructor signature
 * the Bouncy Castle version on the classpath provides.
 *
 * <p>The constructor is looked up reflectively: first the one taking a
 * {@code DEREncodableVector} (BC 140), then the one taking an {@code ASN1EncodableVector}
 * (BC 146).
 *
 * @param signedAttrs the attributes to place in the table
 * @return the new table, or {@code null} if neither constructor could be used
 */
public static AttributeTable createAttributeTable(ASN1EncodableVector signedAttrs) {
    // BC 140 signature first. Throwable is caught so that linkage errors from a missing class
    // are handled the same way as a missing constructor.
    try {
        Constructor<AttributeTable> legacyCtor = AttributeTable.class.getConstructor(DEREncodableVector.class);
        return legacyCtor.newInstance(signedAttrs);
    } catch (Throwable t) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("bcmail-jdk15-140 AttributeTable(DERObjectIdentifier) constructor could not be loaded.."
                    + "\r\n\tAttempt to use to bcmail-jdk15-146 DERObjectIdentifier(ASN1EncodableVector)");
        }
    }

    // Fall back to the BC 146 signature.
    try {
        Constructor<AttributeTable> currentCtor = AttributeTable.class.getConstructor(ASN1EncodableVector.class);
        return currentCtor.newInstance(signedAttrs);
    } catch (Throwable t) {
        LOGGER.error("Attempt to use to bcmail-jdk15-146 DERObjectIdentifier(ASN1EncodableVector constructor failed.", t);
    }
    // Callers receive null when no constructor worked.
    return null;
}