Search in sources :

Example 1 with BOOLEAN

use of org.mozilla.jss.asn1.BOOLEAN in project jss by dogtagpki.

the class SSLClientAuth method makeBasicConstraintsExtension.

static Extension makeBasicConstraintsExtension() throws Exception {
    SEQUENCE bc = new SEQUENCE();
    // cA
    bc.addElement(new BOOLEAN(true));
    OBJECT_IDENTIFIER bcOID = new OBJECT_IDENTIFIER(// from RFC 2459
    new long[] { 2, 5, 29, 19 });
    OCTET_STRING enc = new OCTET_STRING(ASN1Util.encode(bc));
    return new Extension(bcOID, true, enc);
}
Also used : Extension(org.mozilla.jss.pkix.cert.Extension) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) OBJECT_IDENTIFIER(org.mozilla.jss.asn1.OBJECT_IDENTIFIER) BOOLEAN(org.mozilla.jss.asn1.BOOLEAN)

Example 2 with BOOLEAN

use of org.mozilla.jss.asn1.BOOLEAN in project jss by dogtagpki.

the class GenerateTestCert method makeBasicConstraintsExtension.

/**
 * Make basic extension.
 */
private Extension makeBasicConstraintsExtension() throws Exception {
    SEQUENCE bc = new SEQUENCE();
    // cA
    bc.addElement(new BOOLEAN(true));
    OBJECT_IDENTIFIER bcOID = new OBJECT_IDENTIFIER(// from RFC 2459
    new long[] { 2, 5, 29, 19 });
    OCTET_STRING enc = new OCTET_STRING(ASN1Util.encode(bc));
    return new Extension(bcOID, true, enc);
}
Also used : Extension(org.mozilla.jss.pkix.cert.Extension) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) OBJECT_IDENTIFIER(org.mozilla.jss.asn1.OBJECT_IDENTIFIER) BOOLEAN(org.mozilla.jss.asn1.BOOLEAN)

Example 3 with BOOLEAN

use of org.mozilla.jss.asn1.BOOLEAN in project jss by dogtagpki.

the class PKCS12Util method storeCertIntoNSS.

/**
 * Store a certificate (and key, if present) in NSSDB.
 */
public void storeCertIntoNSS(PKCS12 pkcs12, Password password, PKCS12CertInfo certInfo, boolean overwrite) throws Exception {
    CryptoManager cm = CryptoManager.getInstance();
    CryptoToken ct = cm.getInternalKeyStorageToken();
    CryptoStore store = ct.getCryptoStore();
    String nickname = certInfo.getFriendlyName();
    for (X509Certificate cert : cm.findCertsByNickname(nickname)) {
        if (!overwrite) {
            return;
        }
        store.deleteCert(cert);
    }
    X509CertImpl certImpl = certInfo.getCert();
    X509Certificate cert;
    byte[] keyID = certInfo.getKeyID();
    if (keyID != null) {
        // cert has key
        logger.debug("Importing private key for " + certInfo.getFriendlyName());
        PKCS12KeyInfo keyInfo = pkcs12.getKeyInfoByID(keyID);
        importKey(pkcs12, password, certInfo.getFriendlyName(), keyInfo);
        logger.debug("Importing user certificate " + certInfo.getFriendlyName());
        cert = cm.importUserCACertPackage(certImpl.getEncoded(), certInfo.getFriendlyName());
    } else {
        // cert has no key
        logger.debug("Importing CA certificate " + certInfo.getFriendlyName());
        // Note: JSS does not preserve CA certificate nickname
        cert = cm.importCACertPackage(certImpl.getEncoded());
    }
    String trustFlags = certInfo.getTrustFlags();
    if (trustFlags != null && trustFlagsEnabled) {
        PK11Cert pk11Cert = (PK11Cert) cert;
        pk11Cert.setTrustFlags(trustFlags);
    }
}
Also used : CryptoStore(org.mozilla.jss.crypto.CryptoStore) CryptoToken(org.mozilla.jss.crypto.CryptoToken) X509CertImpl(org.mozilla.jss.netscape.security.x509.X509CertImpl) CryptoManager(org.mozilla.jss.CryptoManager) BMPString(org.mozilla.jss.asn1.BMPString) X509Certificate(org.mozilla.jss.crypto.X509Certificate) PK11Cert(org.mozilla.jss.pkcs11.PK11Cert)

Example 4 with BOOLEAN

use of org.mozilla.jss.asn1.BOOLEAN in project jss by dogtagpki.

the class Extension method encode.

@Override
public void encode(Tag implicit, OutputStream ostream) throws IOException {
    SEQUENCE seq = new SEQUENCE();
    seq.addElement(extnId);
    if (critical == true) {
        // false is default, so we only code true
        seq.addElement(new BOOLEAN(true));
    }
    seq.addElement(extnValue);
    seq.encode(implicit, ostream);
}
Also used : SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) BOOLEAN(org.mozilla.jss.asn1.BOOLEAN)

Example 5 with BOOLEAN

use of org.mozilla.jss.asn1.BOOLEAN in project jss by dogtagpki.

the class SignerInfo method verifyWithAuthenticatedAttributes.

/**
 * Verifies a SignerInfo with authenticated attributes.  If authenticated
 * attributes are present, then two particular attributes must
 * be present: <ul>
 * <li>PKCS #9 Content-Type, the type of content that is being signed.
 *      This must match the contentType parameter.
 * <li>PKCS #9 Message-Digest, the digest of the content that is being
 *      signed. This must match the messageDigest parameter.
 * </ul>
 * After these two attributes are verified to be both present and correct,
 * the encryptedDigest field of the SignerInfo is verified to be the
 * signature of the contents octets of the DER encoding of the
 * authenticatedAttributes field.
 */
private void verifyWithAuthenticatedAttributes(byte[] messageDigest, OBJECT_IDENTIFIER contentType, PublicKey pubkey) throws NotInitializedException, NoSuchAlgorithmException, InvalidKeyException, TokenException, SignatureException {
    int numAttrib = authenticatedAttributes.size();
    if (numAttrib < 2) {
        throw new SignatureException("At least two authenticated attributes must be present:" + " content-type and message-digest");
    }
    // go through the authenticated attributes, verifying the
    // interesting ones
    boolean foundContentType = false;
    boolean foundMessageDigest = false;
    for (int i = 0; i < numAttrib; i++) {
        if (!(authenticatedAttributes.elementAt(i) instanceof Attribute)) {
            throw new SignatureException("Element of authenticatedAttributes is not an Attribute");
        }
        Attribute attrib = (Attribute) authenticatedAttributes.elementAt(i);
        if (attrib.getType().equals(CONTENT_TYPE)) {
            // content-type.  Compare with what was passed in.
            SET vals = attrib.getValues();
            if (vals.size() != 1) {
                throw new SignatureException("Content-Type attribute " + " does not have exactly one value");
            }
            ASN1Value val = vals.elementAt(0);
            OBJECT_IDENTIFIER ctype;
            try {
                if (val instanceof OBJECT_IDENTIFIER) {
                    ctype = (OBJECT_IDENTIFIER) val;
                } else if (val instanceof ANY) {
                    ctype = (OBJECT_IDENTIFIER) ((ANY) val).decodeWith(OBJECT_IDENTIFIER.getTemplate());
                } else {
                    // what the heck is it? not what it's supposed to be
                    throw new InvalidBERException("Content-Type authenticated attribute has unexpected" + " content type");
                }
            } catch (InvalidBERException e) {
                throw new SignatureException("Content-Type authenticated attribute does not have " + "OBJECT IDENTIFIER value");
            }
            // contentType parameter
            if (!ctype.equals(contentType)) {
                throw new SignatureException("Content-type in authenticated attributes does not " + "match content-type being verified");
            }
            // content type is A-OK
            foundContentType = true;
        } else if (attrib.getType().equals(MESSAGE_DIGEST)) {
            SET vals = attrib.getValues();
            if (vals.size() != 1) {
                throw new SignatureException("Message-digest attribute does not have" + " exactly one value");
            }
            ASN1Value val = vals.elementAt(0);
            byte[] mdigest;
            try {
                if (val instanceof OCTET_STRING) {
                    mdigest = ((OCTET_STRING) val).toByteArray();
                } else if (val instanceof ANY) {
                    OCTET_STRING os;
                    os = (OCTET_STRING) ((ANY) val).decodeWith(OCTET_STRING.getTemplate());
                    mdigest = os.toByteArray();
                } else {
                    // what the heck is it? not what it's supposed to be
                    throw new InvalidBERException("Content-Type authenticated attribute has unexpected" + " content type");
                }
            } catch (InvalidBERException e) {
                throw new SignatureException("Message-digest attribute does not" + " have OCTET STRING value");
            }
            // message digest being verified
            if (!byteArraysAreSame(mdigest, messageDigest)) {
                throw new SignatureException("Message-digest attribute does not" + " match message digest being verified");
            }
            // message digest is A-OK
            foundMessageDigest = true;
        }
    // we don't care about other attributes
    }
    if (!foundContentType) {
        throw new SignatureException("Authenticated attributes does not contain" + " PKCS #9 content-type attribute");
    }
    if (!foundMessageDigest) {
        throw new SignatureException("Authenticate attributes does not contain" + " PKCS #9 message-digest attribute");
    }
    SignatureAlgorithm sigAlg = SignatureAlgorithm.fromOID(digestEncryptionAlgorithm.getOID());
    // All the authenticated attributes are present and correct.
    // Now verify the signature.
    CryptoToken token = CryptoManager.getInstance().getInternalCryptoToken();
    Signature sig = token.getSignatureContext(sigAlg);
    sig.initVerify(pubkey);
    // verify the contents octets of the DER encoded authenticated attribs
    byte[] toBeDigested;
    toBeDigested = ASN1Util.encode(authenticatedAttributes);
    MessageDigest md = MessageDigest.getInstance(DigestAlgorithm.fromOID(digestAlgorithm.getOID()).toString());
    byte[] digest = md.digest(toBeDigested);
    byte[] toBeVerified;
    if (sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature) {
        // create DigestInfo structure
        SEQUENCE digestInfo = new SEQUENCE();
        digestInfo.addElement(new AlgorithmIdentifier(digestAlgorithm.getOID(), null));
        digestInfo.addElement(new OCTET_STRING(digest));
        toBeVerified = ASN1Util.encode(digestInfo);
    } else {
        toBeVerified = digest;
    }
    sig.update(toBeVerified);
    if (!sig.verify(encryptedDigest.toByteArray())) {
        // signature is invalid
        throw new SignatureException("encryptedDigest was not the correct" + " signature of the contents octets of the DER-encoded" + " authenticated attributes");
    }
// SUCCESSFULLY VERIFIED
}
Also used : SET(org.mozilla.jss.asn1.SET) CryptoToken(org.mozilla.jss.crypto.CryptoToken) OBJECT_IDENTIFIER(org.mozilla.jss.asn1.OBJECT_IDENTIFIER) SignatureAlgorithm(org.mozilla.jss.crypto.SignatureAlgorithm) SignatureException(java.security.SignatureException) ANY(org.mozilla.jss.asn1.ANY) AlgorithmIdentifier(org.mozilla.jss.pkix.primitive.AlgorithmIdentifier) InvalidBERException(org.mozilla.jss.asn1.InvalidBERException) ASN1Value(org.mozilla.jss.asn1.ASN1Value) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) Signature(org.mozilla.jss.crypto.Signature) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) MessageDigest(java.security.MessageDigest)

Aggregations

org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Boolean (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Boolean)7 SEQUENCE (org.mozilla.jss.asn1.SEQUENCE)7 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Bigint (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Bigint)6 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Binary (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Binary)6 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Blob (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Blob)6 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Char (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Char)6 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Clob (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Clob)6 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Date (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Date)6 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Datetime (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Datetime)6 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Decimal (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Decimal)6 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Double (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Double)6 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Float (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Float)6 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Smallint (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Smallint)6 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Time (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Time)6 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Int (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Int)5 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Tinyint (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Tinyint)5 BOOLEAN (org.mozilla.jss.asn1.BOOLEAN)5 OCTET_STRING (org.mozilla.jss.asn1.OCTET_STRING)5 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Enum (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Enum)4 org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Integer (org.jaxdb.www.ddlx_0_5.xLygluGCXAA.$Integer)4