Examples with NULL org.mozilla.jss.asn1.NULL used on opensource projects

Example 36 with NULL

use of org.mozilla.jss.asn1.NULL in project candlepin by candlepin.

the class JSSPKIUtility method buildAuthorityKeyIdentifier.

public static AuthorityKeyIdentifierExtension buildAuthorityKeyIdentifier(X509Certificate caCert) throws InvalidBERException, IOException {
    // The subject key identifier of the CA becomes the Authority Key Identifer of the CRL.
    byte[] extValue = caCert.getExtensionValue(PKIXExtensions.SubjectKey_Id.toString());
    /* The getExtensionValue returns us the Extension extnValue element which is an octet string.  For
         * the SubjectKeyIdentifier extension the extnValue only contains a KeyIdentifier.  The actual
         * KeyIdentifier is also an octet string.  The extnValue for the SubjectKeyIdentifier
         * is therefore ultimately an octet string of an octet string.  See Appendix A of RFC 5280. */
    OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extValue);
    OCTET_STRING ski = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extOctets.toByteArray());
    if (ski == null) {
        /* If the SubjectPublicKey extension isn't available, we can calculate the value ourselves
             * from the certificate's public key. */
        return buildAuthorityKeyIdentifier(caCert.getPublicKey());
    }
    /* RFC 5280 section 4.2.1.1 is a bit odd.  It states the AuthorityKeyIdentifier MAY contain
         * a KeyIdentifier or the issuer name and CertificateSerialNumber.  The KeyIdentifier is mandatory for
         * non-self-signed certificates, but there is no additional guidance about when or why one should
         * provide the issuer name or CertificateSerialNumber.  I've found at least one place,
         * https://www.v13.gr/blog/?p=293, that explicitly recommends against giving them.  Also,
         * the semantics around the issuer field in this extension can be very confusing
         * (see https://www.openssl.org/docs/faq.html#USER14).  Our old crypto code that used BouncyCastle
         * did include the issuer and serial number along with the key identifier, but I think it's best if
         * we leave it out.
         */
    KeyIdentifier ki = new KeyIdentifier(ski.toByteArray());
    return new AuthorityKeyIdentifierExtension(ki, null, null);
}

Example 37 with NULL

use of org.mozilla.jss.asn1.NULL in project candlepin by candlepin.

the class JSSPKIUtility method getKeyEncoding.

/**
 * Fetches the encoded form of the specified private key
 *
 * @param privateKey
 *  the private key from which to fetch the encoded form
 *
 * @return
 *  the encoded form of the given private key
 */
private byte[] getKeyEncoding(PrivateKey privateKey) throws KeyException {
    byte[] unwrapped = privateKey.getEncoded();
    if (unwrapped != null) {
        return unwrapped;
    }
    try {
        String algorithm = "AES";
        String transformation = "AES/CBC/PKCS5Padding";
        // bytes
        int blockSize = 16;
        // bits
        int keySize = 256;
        Provider provider = JSSProviderLoader.getProvider(true);
        KeyGenerator keygen = KeyGenerator.getInstance(algorithm, provider);
        keygen.init(keySize);
        SecretKey skey = keygen.generateKey();
        IvParameterSpec ivspec = new IvParameterSpec(new byte[blockSize]);
        Arrays.fill(ivspec.getIV(), (byte) blockSize);
        Cipher cipher = Cipher.getInstance(transformation, provider);
        cipher.init(Cipher.WRAP_MODE, skey, ivspec);
        byte[] wrapped = cipher.wrap(privateKey);
        cipher = Cipher.getInstance(transformation, provider);
        cipher.init(Cipher.DECRYPT_MODE, skey, ivspec);
        unwrapped = cipher.doFinal(wrapped);
    } catch (Exception e) {
        throw new KeyException(e);
    }
    return unwrapped;
}

Example 38 with NULL

use of org.mozilla.jss.asn1.NULL in project jss by dogtagpki.

the class CRLDistributionPoint method main.

public static void main(String[] args) throws GeneralNamesException, IOException, InvalidBERException {
    try (FileOutputStream fos = new FileOutputStream(args[0]);
        ByteArrayOutputStream bos = new ByteArrayOutputStream()) {
        if (args.length != 1) {
            System.out.println("Usage: CRLDistributionPoint <outfile>");
            System.exit(-1);
        }
        SEQUENCE cdps = new SEQUENCE();
        // URI only
        CRLDistributionPoint cdp = new CRLDistributionPoint();
        URIName uri = new URIName("http://www.mycrl.com/go/here");
        GeneralNames generalNames = new GeneralNames();
        generalNames.addElement(uri);
        cdp.setFullName(generalNames);
        cdps.addElement(cdp);
        // DN only
        cdp = new CRLDistributionPoint();
        X500Name dn = new X500Name("CN=Otis Smith,E=otis@fedoraproject.org" + ",OU=Certificate Server,O=Fedora,C=US");
        generalNames = new GeneralNames();
        generalNames.addElement(dn);
        cdp.setFullName(generalNames);
        cdps.addElement(cdp);
        // DN + reason
        BitArray ba = new BitArray(5, new byte[] { (byte) 0x28 });
        cdp = new CRLDistributionPoint();
        cdp.setFullName(generalNames);
        cdp.setReasons(ba);
        cdps.addElement(cdp);
        // relative DN + reason + crlIssuer
        cdp = new CRLDistributionPoint();
        RDN rdn = new RDN("OU=foobar dept");
        cdp.setRelativeName(rdn);
        cdp.setReasons(ba);
        cdp.setCRLIssuer(generalNames);
        cdps.addElement(cdp);
        cdps.encode(bos);
        byte[] encoded = bos.toByteArray();
        fos.write(encoded);
        SEQUENCE.OF_Template seqt = new SEQUENCE.OF_Template(getTemplate());
        cdps = (SEQUENCE) ASN1Util.decode(seqt, encoded);
        int size = cdps.size();
        System.out.println("Total number of CDPs: " + size);
        for (int i = 0; i < size; i++) {
            System.out.println("\nCDP " + i);
            cdp = (CRLDistributionPoint) cdps.elementAt(i);
            GeneralNames gn = cdp.getFullName();
            if (gn == null) {
                System.out.println("No full name");
            } else {
                System.out.println(gn);
            }
            rdn = cdp.getRelativeName();
            if (rdn == null) {
                System.out.println("No relative name");
            } else {
                System.out.println(rdn);
            }
            if (cdp.getReasons() == null) {
                System.out.println("No reasons");
            } else {
                System.out.println(cdp.getReasons());
            }
            gn = cdp.getCRLIssuer();
            if (gn == null) {
                System.out.println("No cRLIssuer");
            } else {
                System.out.println(gn);
            }
        }
        System.out.println("Done");
    }
}

Example 39 with NULL

use of org.mozilla.jss.asn1.NULL in project jss by dogtagpki.

the class CRLDistributionPoint method setCRLIssuer.

/**
 * Sets the CRLIssuer for the CRL at this distribution point.
 * May be set to <code>null</code>.
 *
 * @exception GeneralNamesException If an error occurs encoding the name.
 */
public void setCRLIssuer(GeneralNames CRLIssuer) throws GeneralNamesException, IOException {
    this.CRLIssuer = CRLIssuer;
    if (CRLIssuer != null) {
        // encode the name to catch any problems with it
        DerOutputStream derOut = new DerOutputStream();
        CRLIssuer.encode(derOut);
        try {
            ANY raw = new ANY(derOut.toByteArray());
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            raw.encodeWithAlternateTag(Tag.get(2), bos);
            CRLIssuerEncoding = new ANY(bos.toByteArray());
        } catch (InvalidBERException e) {
            throw new GeneralNamesException(e.toString());
        }
    }
}

Example 40 with NULL

use of org.mozilla.jss.asn1.NULL in project jss by dogtagpki.

the class CRLDistributionPoint method encode.

@Override
public void encode(Tag implicitTag, OutputStream ostream) throws IOException {
    SEQUENCE seq = new SEQUENCE();
    DerOutputStream derOut;
    try {
        // is a CHOICE, the [0] tag is forced to be EXPLICIT.
        if (fullName != null) {
            EXPLICIT distPoint = new EXPLICIT(Tag.get(0), fullNameEncoding);
            seq.addElement(distPoint);
        } else if (relativeName != null) {
            derOut = new DerOutputStream();
            relativeName.encode(derOut);
            ANY rn = new ANY(derOut.toByteArray());
            EXPLICIT raw = new EXPLICIT(Tag.get(1), rn);
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            raw.encode(bos);
            ANY distPointName = new ANY(bos.toByteArray());
            EXPLICIT distPoint = new EXPLICIT(Tag.get(0), distPointName);
            seq.addElement(distPoint);
        }
        // Encodes the ReasonFlags.
        if (reasons != null) {
            derOut = new DerOutputStream();
            derOut.putUnalignedBitString(reasons);
            ANY raw = new ANY(derOut.toByteArray());
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            raw.encodeWithAlternateTag(Tag.get(1), bos);
            ANY reasonEncoding = new ANY(bos.toByteArray());
            seq.addElement(Tag.get(1), reasonEncoding);
        }
        // Encodes the CRLIssuer
        if (CRLIssuer != null) {
            seq.addElement(Tag.get(2), CRLIssuerEncoding);
        }
        seq.encode(implicitTag, ostream);
    } catch (InvalidBERException e) {
        // the Sun encoding classes
        throw new IOException(e.toString());
    }
}