
Example 11 with JcaX509CertificateHolder

use of org.bouncycastle.cert.jcajce.JcaX509CertificateHolder in project ddf by codice.

From class KeystoreEditor, method addTrustedCertificateFromUrl:

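/**
 * Connects to the (base64-encoded) {@code url}, imports every certificate the peer presents
 * into the trust store under its subject CN, and persists the trust store to disk.
 *
 * <p>The connection is made through {@code createNonVerifyingSslSocket}, so nothing on this
 * connection is authenticated: the chain written to the trust store is whatever the network
 * delivered. Presumably this is a trust-on-first-use step taken by an administrator — any
 * on-path attacker at that moment gets their certificate trusted; confirm the caller is an
 * authenticated admin surface. Every element of the presented chain (leaf included) is stored;
 * an existing trusted-certificate entry with the same CN alias is overwritten by
 * {@link java.security.KeyStore#setCertificateEntry}, and a key entry under that alias makes
 * the call fail with a {@code KeyStoreException}.
 *
 * @param url base64 encoding of the host/URL to connect to; an invalid encoding throws
 *            {@code IllegalArgumentException} from the decoder (not caught here)
 * @return one {@code {"success": true|false}} map per certificate the peer presented, in chain
 *         order; empty if the handshake or decoding failed (the failure is only logged)
 */
@Override
public List<Map<String, Object>> addTrustedCertificateFromUrl(String url) {
    SSLSocket socket = null;
    String decodedUrl = null;
    List<Map<String, Object>> resultList = new ArrayList<>();
    try {
        decodedUrl = new String(Base64.getDecoder().decode(url), "UTF-8");
        // Deliberately non-verifying: the point is to learn the peer's chain before it is trusted.
        socket = createNonVerifyingSslSocket(decodedUrl);
        socket.startHandshake();
        // getPeerCertificates() is declared as Certificate[]; checking each element avoids the
        // ClassCastException an array cast could throw, which the handler below would not catch.
        for (Certificate peer : socket.getSession().getPeerCertificates()) {
            if (!(peer instanceof X509Certificate)) {
                resultList.add(Collections.singletonMap("success", false));
                LOGGER.info("Unable to store non-X.509 peer certificate: {}", peer);
                continue;
            }
            X509Certificate certificate = (X509Certificate) peer;
            try {
                RDN[] cns = new JcaX509CertificateHolder(certificate).getSubject().getRDNs(BCStyle.CN);
                if (cns.length == 0) {
                    // No subject CN means no alias to store it under (the original indexed [0]
                    // unconditionally and would have thrown ArrayIndexOutOfBoundsException).
                    resultList.add(Collections.singletonMap("success", false));
                    LOGGER.info("Unable to store certificate without a subject CN: {}", certificate.toString());
                    continue;
                }
                // Alias is the subject CN; a same-named trusted entry is replaced.
                String alias = IETFUtils.valueToString(cns[0].getFirst().getValue());
                trustStore.setCertificateEntry(alias, certificate);
                resultList.add(Collections.singletonMap("success", true));
            } catch (CertificateEncodingException e) {
                resultList.add(Collections.singletonMap("success", false));
                LOGGER.info("Unable to store certificate: {}", certificate.toString(), e);
            }
        }
        Path trustStoreFile = Paths.get(SecurityConstants.getTruststorePath());
        if (!trustStoreFile.isAbsolute()) {
            // Relative trust store paths are resolved against ddf.home.
            Path ddfHomePath = Paths.get(System.getProperty("ddf.home"));
            trustStoreFile = Paths.get(ddfHomePath.toString(), trustStoreFile.toString());
        }
        String keyStorePassword = SecurityConstants.getTruststorePassword();
        // KeyStore.store() does not close the stream; the original never closed it either and
        // leaked a file handle on every call.
        try (OutputStream fos = Files.newOutputStream(trustStoreFile)) {
            trustStore.store(fos, keyStorePassword.toCharArray());
        }
    } catch (IOException | GeneralSecurityException e) {
        LOGGER.info("Unable to add certificate(s) to trust store from URL: {}", (decodedUrl != null) ? decodedUrl : url, e);
    } finally {
        IOUtils.closeQuietly(socket);
    }
    return resultList;
}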

Example 12 with JcaX509CertificateHolder

use of org.bouncycastle.cert.jcajce.JcaX509CertificateHolder in project ddf by codice.

From class KeystoreEditor, method importASN1CertificatesToStore:

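/**
 * Imports every member of {@code certificates} (an ASN.1 SET of X.509 certificate structures)
 * into {@code store} as a trusted-certificate entry keyed by the certificate's subject CN.
 * Nothing here validates the certificates (signature, validity period, chain); they are
 * trusted as given, so callers must already have decided to trust the input.
 *
 * @param store        target key store
 * @param setEntry     running flag from the caller; returned unchanged when the set is empty
 * @param certificates ASN.1 SET whose elements are X.509 {@code Certificate} structures
 * @return {@code true} once at least one entry was set, otherwise the incoming {@code setEntry}
 * @throws KeystoreEditorException if a certificate cannot be parsed, has no subject CN, the BC
 *                                 provider is unavailable, or the entry cannot be stored
 */
private boolean importASN1CertificatesToStore(KeyStore store, boolean setEntry, ASN1Set certificates) throws KeystoreEditorException {
    Enumeration<?> certificateEnumeration = certificates.getObjects();
    try {
        // One factory for the whole set; the original looked it up once per certificate.
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
        while (certificateEnumeration.hasMoreElements()) {
            ASN1Primitive asn1Primitive = ((ASN1Encodable) certificateEnumeration.nextElement()).toASN1Primitive();
            org.bouncycastle.asn1.x509.Certificate instance = org.bouncycastle.asn1.x509.Certificate.getInstance(asn1Primitive);
            Certificate certificate = certificateFactory.generateCertificate(new ByteArrayInputStream(instance.getEncoded()));
            RDN[] cns = new JcaX509CertificateHolder((X509Certificate) certificate).getSubject().getRDNs(BCStyle.CN);
            if (cns.length == 0) {
                // No CN means no alias; report it through the normal error path instead of the
                // ArrayIndexOutOfBoundsException the unconditional [0] used to throw.
                throw new CertificateException("Certificate has no subject CN: " + certificate);
            }
            store.setCertificateEntry(IETFUtils.valueToString(cns[0].getFirst().getValue()), certificate);
            setEntry = true;
        }
    } catch (CertificateException | NoSuchProviderException | KeyStoreException | IOException e) {
        throw new KeystoreEditorException("Unable to import ASN1 certificates to store", e);
    }
    return setEntry;
}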

Example 13 with JcaX509CertificateHolder

use of org.bouncycastle.cert.jcajce.JcaX509CertificateHolder in project ddf by codice.

From class KeystoreEditor, method buildCertChainList:

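/**
 * Builds the certificate chain for the entry stored under {@code alias}, root first and the
 * requested certificate last, by repeatedly looking up the issuer CN as a store alias until a
 * self-signed certificate (issuer CN equal to subject CN), a blank issuer CN, or an unknown
 * alias is reached.
 *
 * <p>NOTE(review): the chain is linked purely by CN string lookup. Nothing here verifies that
 * the entry found under the issuer CN actually signed the certificate, so an unrelated entry
 * whose alias happens to match is silently included — confirm that callers verify the chain
 * before relying on it.
 *
 * @param alias alias of the certificate to start from
 * @param store key store holding the certificate and, under their CN aliases, its issuers
 * @return the chain root first; empty if {@code alias} is not in the store
 * @throws KeystoreEditorException if a store lookup or certificate encoding fails
 */
private List<Certificate> buildCertChainList(String alias, KeyStore store) throws KeystoreEditorException {
    return collectCertChain(alias, store, new ArrayList<>());
}

/**
 * Recursive worker for {@link #buildCertChainList(String, KeyStore)}.
 *
 * @param visited aliases already on the current path; used to stop on CN cycles (e.g. two
 *                certificates naming each other as issuer), which previously recursed until
 *                {@code StackOverflowError}
 */
private List<Certificate> collectCertChain(String alias, KeyStore store, List<String> visited) throws KeystoreEditorException {
    try {
        if (visited.contains(alias)) {
            return new ArrayList<>();
        }
        Certificate certificate = store.getCertificate(alias);
        if (certificate == null) {
            return new ArrayList<>();
        }
        visited.add(alias);
        List<Certificate> chain;
        if (certificate instanceof X509Certificate) {
            JcaX509CertificateHolder holder = new JcaX509CertificateHolder((X509Certificate) certificate);
            String subject = firstCnOrEmpty(holder.getSubject());
            String issuer = firstCnOrEmpty(holder.getIssuer());
            if (StringUtils.isBlank(issuer) || issuer.equals(subject)) {
                // Self-signed (by CN) or no issuer CN to follow: this is the top of the chain.
                chain = new ArrayList<>();
            } else {
                chain = collectCertChain(issuer, store, visited);
            }
        } else {
            // Not X.509: there is no X.500 issuer to follow, so the chain ends here.
            chain = new ArrayList<>();
        }
        chain.add(certificate);
        return chain;
    } catch (CertificateEncodingException | KeyStoreException e) {
        throw new KeystoreEditorException("Unable to build cert chain list.", e);
    }
}

/** Value of the first CN RDN in {@code name}, or {@code ""} when the name carries no CN. */
private static String firstCnOrEmpty(X500Name name) {
    RDN[] cns = name.getRDNs(BCStyle.CN);
    return cns.length == 0 ? "" : IETFUtils.valueToString(cns[0].getFirst().getValue());
}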
