Search in sources :

Example 1 with CryptoStore

use of org.mozilla.jss.crypto.CryptoStore in project jss by dogtagpki.

the class pkcs12 method main.

public static void main(String[] args) {
    try {
        // Read arguments
        if (args.length != 3) {
            System.out.println("Usage: PFX <dbdir> <infile> <outfile>");
            System.exit(-1);
        }
        // open input file for reading
        FileInputStream infile = null;
        try {
            infile = new FileInputStream(args[1]);
        } catch (FileNotFoundException f) {
            System.out.println("Cannot open file " + args[1] + " for reading: " + f.getMessage());
            return;
        }
        int certfile = 0;
        // initialize CryptoManager. This is necessary because there is
        // crypto involved with decoding a PKCS #12 file
        CryptoManager.initialize(args[0]);
        CryptoManager manager = CryptoManager.getInstance();
        // Decode the P12 file
        PFX.Template pfxt = new PFX.Template();
        PFX pfx;
        try (BufferedInputStream is = new BufferedInputStream(infile, 2048)) {
            pfx = (PFX) pfxt.decode(is);
        }
        System.out.println("Decoded PFX");
        // print out information about the top-level PFX structure
        System.out.println("Version: " + pfx.getVersion());
        AuthenticatedSafes authSafes = pfx.getAuthSafes();
        SEQUENCE safeContentsSequence = authSafes.getSequence();
        System.out.println("AuthSafes has " + safeContentsSequence.size() + " SafeContents");
        // Get the password for the old file
        System.out.println("Enter password: ");
        Password pass = Password.readPasswordFromConsole();
        // get new password, which will be used for the new file we create
        // later
        System.out.println("Enter new password:");
        Password newPass = Password.readPasswordFromConsole();
        // Verify the MAC on the PFX.  This is important to be sure
        // it hasn't been tampered with.
        StringBuffer sb = new StringBuffer();
        if (pfx.verifyAuthSafes(pass, sb)) {
            System.out.println("AuthSafes verifies correctly.");
        } else {
            System.out.println("AuthSafes failed to verify because: " + sb);
        }
        // Create a new AuthenticatedSafes. As we read the contents of the
        // old authSafes, we will store them into the new one.  After we have
        // cycled through all the contents, they will all have been copied into
        // the new authSafes.
        AuthenticatedSafes newAuthSafes = new AuthenticatedSafes();
        // for(int i=0; i < asSeq.size(); i++) {
        for (int i = 0; i < safeContentsSequence.size(); i++) {
            // The safeContents may or may not be encrypted.  We always send
            // the password in.  It will get used if it is needed.  If the
            // decryption of the safeContents fails for some reason (like
            // a bad password), then this method will throw an exception
            SEQUENCE safeContents = authSafes.getSafeContentsAt(pass, i);
            System.out.println("\n\nSafeContents #" + i + " has " + safeContents.size() + " bags");
            // Go through all the bags in this SafeContents
            for (int j = 0; j < safeContents.size(); j++) {
                SafeBag safeBag = (SafeBag) safeContents.elementAt(j);
                // The type of the bag is an OID
                System.out.println("\nBag " + j + " has type " + safeBag.getBagType());
                // look for bag attributes
                SET attribs = safeBag.getBagAttributes();
                if (attribs == null) {
                    System.out.println("Bag has no attributes");
                } else {
                    for (int b = 0; b < attribs.size(); b++) {
                        Attribute a = (Attribute) attribs.elementAt(b);
                        if (a.getType().equals(SafeBag.FRIENDLY_NAME)) {
                            // the friendly name attribute is a nickname
                            BMPString bs = (BMPString) ((ANY) a.getValues().elementAt(0)).decodeWith(BMPString.getTemplate());
                            System.out.println("Friendly Name: " + bs);
                        } else if (a.getType().equals(SafeBag.LOCAL_KEY_ID)) {
                            // the local key id is used to match a key
                            // to its cert.  The key id is the SHA-1 hash of
                            // the DER-encoded cert.
                            OCTET_STRING os = (OCTET_STRING) ((ANY) a.getValues().elementAt(0)).decodeWith(OCTET_STRING.getTemplate());
                            System.out.println("LocalKeyID:");
                        /*
                            AuthenticatedSafes.
                                print_byte_array(os.toByteArray());
							*/
                        } else {
                            System.out.println("Unknown attribute type: " + a.getType().toString());
                        }
                    }
                }
                // now look at the contents of the bag
                ASN1Value val = safeBag.getInterpretedBagContent();
                if (val instanceof PrivateKeyInfo) {
                    // A PrivateKeyInfo contains an unencrypted private key
                    System.out.println("content is PrivateKeyInfo");
                } else if (val instanceof EncryptedPrivateKeyInfo) {
                    // An EncryptedPrivateKeyInfo is, well, an encrypted
                    // PrivateKeyInfo. Usually, strong crypto is used in
                    // an EncryptedPrivateKeyInfo.
                    EncryptedPrivateKeyInfo epki = ((EncryptedPrivateKeyInfo) val);
                    System.out.println("content is EncryptedPrivateKeyInfo, algoid:" + epki.getEncryptionAlgorithm().getOID());
                    // Because we are in a PKCS #12 file, the passwords are
                    // char-to-byte converted in a special way.  We have to
                    // use the special converter class instead of the default.
                    PrivateKeyInfo pki = epki.decrypt(pass, new org.mozilla.jss.pkcs12.PasswordConverter());
                    // import the key into the key3.db
                    CryptoToken tok = manager.getTokenByName("Internal Key Storage Token");
                    CryptoStore store = tok.getCryptoStore();
                    tok.login(new ConsolePasswordCallback());
                    ByteArrayOutputStream baos = new ByteArrayOutputStream();
                    pki.encode(baos);
                    store.importPrivateKey(baos.toByteArray(), PrivateKey.RSA);
                    // re-encrypt the PrivateKeyInfo with the new password
                    // and random salt
                    byte[] salt = new byte[PBEAlgorithm.PBE_SHA1_DES3_CBC.getSaltLength()];
                    JSSSecureRandom rand = CryptoManager.getInstance().getSecureRNG();
                    rand.nextBytes(salt);
                    epki = EncryptedPrivateKeyInfo.createPBE(PBEAlgorithm.PBE_SHA1_DES3_CBC, newPass, salt, 1, new PasswordConverter(), pki);
                    // Overwrite the previous EncryptedPrivateKeyInfo with
                    // this new one we just created using the new password.
                    // This is what will get put in the new PKCS #12 file
                    // we are creating.
                    safeContents.insertElementAt(new SafeBag(safeBag.getBagType(), epki, safeBag.getBagAttributes()), i);
                    safeContents.removeElementAt(i + 1);
                } else if (val instanceof CertBag) {
                    System.out.println("content is CertBag");
                    CertBag cb = (CertBag) val;
                    if (cb.getCertType().equals(CertBag.X509_CERT_TYPE)) {
                        // this is an X.509 certificate
                        OCTET_STRING os = (OCTET_STRING) cb.getInterpretedCert();
                        Certificate cert = (Certificate) ASN1Util.decode(Certificate.getTemplate(), os.toByteArray());
                        cert.getInfo().print(System.out);
                    } else {
                        System.out.println("Unrecognized cert type");
                    }
                } else {
                    System.out.println("content is ANY");
                }
            }
            // Add the new safe contents to the new authsafes
            if (authSafes.safeContentsIsEncrypted(i)) {
                newAuthSafes.addEncryptedSafeContents(AuthenticatedSafes.DEFAULT_KEY_GEN_ALG, newPass, null, AuthenticatedSafes.DEFAULT_ITERATIONS, safeContents);
            } else {
                newAuthSafes.addSafeContents(safeContents);
            }
        }
        // Create new PFX from the new authsafes
        PFX newPfx = new PFX(newAuthSafes);
        // Add a MAC to the new PFX
        newPfx.computeMacData(newPass, null, PFX.DEFAULT_ITERATIONS);
        // write the new PFX out to a file
        FileOutputStream fos = new FileOutputStream(args[2]);
        newPfx.encode(fos);
        fos.close();
    } catch (Exception e) {
        e.printStackTrace();
    }
}
Also used : SET(org.mozilla.jss.asn1.SET) Attribute(org.mozilla.jss.pkix.primitive.Attribute) JSSSecureRandom(org.mozilla.jss.crypto.JSSSecureRandom) FileNotFoundException(java.io.FileNotFoundException) CryptoManager(org.mozilla.jss.CryptoManager) ANY(org.mozilla.jss.asn1.ANY) ASN1Value(org.mozilla.jss.asn1.ASN1Value) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) BufferedInputStream(java.io.BufferedInputStream) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) ConsolePasswordCallback(org.mozilla.jss.util.ConsolePasswordCallback) BMPString(org.mozilla.jss.asn1.BMPString) Password(org.mozilla.jss.util.Password) PFX(org.mozilla.jss.pkcs12.PFX) CryptoToken(org.mozilla.jss.crypto.CryptoToken) ByteArrayOutputStream(java.io.ByteArrayOutputStream) SafeBag(org.mozilla.jss.pkcs12.SafeBag) FileInputStream(java.io.FileInputStream) FileNotFoundException(java.io.FileNotFoundException) AuthenticatedSafes(org.mozilla.jss.pkcs12.AuthenticatedSafes) CryptoStore(org.mozilla.jss.crypto.CryptoStore) CertBag(org.mozilla.jss.pkcs12.CertBag) FileOutputStream(java.io.FileOutputStream) EncryptedPrivateKeyInfo(org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo) PasswordConverter(org.mozilla.jss.pkcs12.PasswordConverter) EncryptedPrivateKeyInfo(org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo) PrivateKeyInfo(org.mozilla.jss.pkix.primitive.PrivateKeyInfo) Certificate(org.mozilla.jss.pkix.cert.Certificate)

Example 2 with CryptoStore

use of org.mozilla.jss.crypto.CryptoStore in project jss by dogtagpki.

the class CloseDBs method main.

public static void main(String[] args) {
    int i;
    try {
        if (args.length != 1) {
            System.err.println("Usage: CloseDBs <dbdir>");
            System.exit(0);
        }
        CryptoManager manager = CryptoManager.getInstance();
        Enumeration<CryptoToken> tokens = manager.getAllTokens();
        CryptoStore store;
        X509Certificate[] certs;
        java.security.PrivateKey[] keys;
        while (tokens.hasMoreElements()) {
            CryptoToken token = tokens.nextElement();
            store = token.getCryptoStore();
            System.out.println("Token: " + token.getName());
            certs = store.getCertificates();
            System.out.println("Certs:");
            for (i = 0; i < certs.length; i++) {
                System.out.println(certs[i].getNickname());
            }
            keys = store.getPrivateKeys();
            System.out.println("Keys:");
            try {
                for (i = 0; i < keys.length; i++) {
                    System.out.println(new BigInteger(1, keys[i].getEncoded()));
                }
            } catch (Exception ex) {
                System.out.println(ex.getMessage());
            }
        }
        System.out.println("Closing databases...");
        try {
            (new CloseDBs()).closeDatabases();
        } catch (Exception ex) {
            System.out.println(ex.getMessage());
            System.exit(1);
        }
        System.out.println("Databases are closed.");
        System.exit(0);
    } catch (Exception e) {
        e.printStackTrace();
        System.exit(1);
    }
}
Also used : CryptoToken(org.mozilla.jss.crypto.CryptoToken) CryptoManager(org.mozilla.jss.CryptoManager) X509Certificate(org.mozilla.jss.crypto.X509Certificate) CryptoStore(org.mozilla.jss.crypto.CryptoStore) BigInteger(java.math.BigInteger)

Example 3 with CryptoStore

use of org.mozilla.jss.crypto.CryptoStore in project jss by dogtagpki.

the class JSSKeyStoreSpi method engineGetKey.

@Override
public Key engineGetKey(String alias, char[] password) {
    logger.debug("JSSKeyStoreSpi: engineGetKey(" + alias + ")");
    try {
        CryptoManager cm = CryptoManager.getInstance();
        logger.debug("JSSKeyStoreSpi: searching for cert");
        try {
            X509Certificate cert = cm.findCertByNickname(alias);
            logger.debug("JSSKeyStoreSpi: found cert: " + alias);
            PrivateKey privateKey = cm.findPrivKeyByCert(cert);
            logger.debug("JSSKeyStoreSpi: found private key: " + alias);
            return privateKey;
        } catch (ObjectNotFoundException e) {
            logger.debug("JSSKeyStoreSpi: cert/key not found, searching for key");
        }
        String[] parts = parseAlias(alias);
        String tokenName = parts[0];
        String nickname = parts[1];
        CryptoToken token;
        if (tokenName == null) {
            token = cm.getInternalKeyStorageToken();
        } else {
            token = cm.getTokenByName(tokenName);
        }
        CryptoStore store = token.getCryptoStore();
        logger.debug("JSSKeyStoreSpi: searching for private key");
        for (PrivateKey privateKey : store.getPrivateKeys()) {
            // convert key ID into hexadecimal
            String keyID = Utils.HexEncode(privateKey.getUniqueID());
            logger.debug("JSSKeyStoreSpi: - " + keyID);
            if (nickname.equals(keyID)) {
                logger.debug("JSSKeyStoreSpi: found private key: " + nickname);
                return privateKey;
            }
        }
        logger.debug("JSSKeyStoreSpi: searching for symmetric key");
        for (SymmetricKey symmetricKey : store.getSymmetricKeys()) {
            logger.debug("JSSKeyStoreSpi: - " + symmetricKey.getNickName());
            if (nickname.equals(symmetricKey.getNickName())) {
                logger.debug("JSSKeyStoreSpi: found symmetric key: " + nickname);
                return new SecretKeyFacade(symmetricKey);
            }
        }
        logger.debug("JSSKeyStoreSpi: key not found: " + nickname);
        return null;
    } catch (NoSuchTokenException e) {
        throw new RuntimeException(e);
    } catch (NotInitializedException e) {
        throw new RuntimeException(e);
    } catch (TokenException e) {
        throw new RuntimeException(e);
    }
}
Also used : PrivateKey(org.mozilla.jss.crypto.PrivateKey) CryptoToken(org.mozilla.jss.crypto.CryptoToken) NotInitializedException(org.mozilla.jss.NotInitializedException) SymmetricKey(org.mozilla.jss.crypto.SymmetricKey) CryptoManager(org.mozilla.jss.CryptoManager) X509Certificate(org.mozilla.jss.crypto.X509Certificate) CryptoStore(org.mozilla.jss.crypto.CryptoStore) SecretKeyFacade(org.mozilla.jss.crypto.SecretKeyFacade) NoSuchTokenException(org.mozilla.jss.NoSuchTokenException) ObjectNotFoundException(org.mozilla.jss.crypto.ObjectNotFoundException) NoSuchTokenException(org.mozilla.jss.NoSuchTokenException) NoSuchItemOnTokenException(org.mozilla.jss.crypto.NoSuchItemOnTokenException) TokenException(org.mozilla.jss.crypto.TokenException)

Example 4 with CryptoStore

use of org.mozilla.jss.crypto.CryptoStore in project jss by dogtagpki.

the class JSSKeyStoreSpi method getAliases.

public Collection<String> getAliases() {
    logger.debug("JSSKeyStoreSpi: getAliases()");
    Set<String> aliases = new LinkedHashSet<>();
    try {
        List<CryptoToken> tokens = new ArrayList<>();
        CryptoManager cm = CryptoManager.getInstance();
        if (token == null) {
            logger.debug("JSSKeyStoreSpi: getting aliases from all tokens");
            Enumeration<CryptoToken> e = cm.getAllTokens();
            while (e.hasMoreElements()) {
                CryptoToken t = e.nextElement();
                if (t == cm.getInternalCryptoToken()) {
                    // exclude crypto token
                    continue;
                }
                tokens.add(t);
            }
        } else {
            logger.debug("JSSKeyStoreSpi: getting aliases from keystore token");
            tokens.add(token);
        }
        for (CryptoToken token : tokens) {
            String tokenName;
            if (token == cm.getInternalKeyStorageToken()) {
                tokenName = null;
                logger.debug("JSSKeyStoreSpi: token: internal");
            } else {
                tokenName = token.getName();
                logger.debug("JSSKeyStoreSpi: token: " + tokenName);
            }
            CryptoStore store = token.getCryptoStore();
            logger.debug("JSSKeyStoreSpi: - certificates:");
            for (X509Certificate cert : store.getCertificates()) {
                String nickname = cert.getNickname();
                logger.debug("JSSKeyStoreSpi:   - " + nickname);
                aliases.add(nickname);
            }
            logger.debug("JSSKeyStoreSpi: - private keys:");
            for (PrivateKey privateKey : store.getPrivateKeys()) {
                // convert key ID into hexadecimal
                String keyID = Utils.HexEncode(privateKey.getUniqueID());
                String nickname;
                if (tokenName == null) {
                    nickname = keyID;
                } else {
                    nickname = tokenName + ":" + keyID;
                }
                logger.debug("JSSKeyStoreSpi:   - " + nickname);
                aliases.add(nickname);
            }
        }
        return aliases;
    } catch (NotInitializedException e) {
        throw new RuntimeException(e);
    } catch (TokenException e) {
        throw new RuntimeException(e);
    }
}
Also used : LinkedHashSet(java.util.LinkedHashSet) CryptoToken(org.mozilla.jss.crypto.CryptoToken) PrivateKey(org.mozilla.jss.crypto.PrivateKey) NotInitializedException(org.mozilla.jss.NotInitializedException) ArrayList(java.util.ArrayList) CryptoManager(org.mozilla.jss.CryptoManager) X509Certificate(org.mozilla.jss.crypto.X509Certificate) CryptoStore(org.mozilla.jss.crypto.CryptoStore) NoSuchTokenException(org.mozilla.jss.NoSuchTokenException) NoSuchItemOnTokenException(org.mozilla.jss.crypto.NoSuchItemOnTokenException) TokenException(org.mozilla.jss.crypto.TokenException)

Example 5 with CryptoStore

use of org.mozilla.jss.crypto.CryptoStore in project jss by dogtagpki.

the class PKCS12Util method create_EPKI_with_PBE_PKCS5_PBES2.

public ASN1Value create_EPKI_with_PBE_PKCS5_PBES2(CryptoToken token, PrivateKey privateKey, Password password) throws Exception {
    CryptoStore store = token.getCryptoStore();
    byte[] bytes = store.getEncryptedPrivateKeyInfo(// password converter
    null, password, // alg.  To avoid mismatch, use AES_256_CBC.
    EncryptionAlgorithm.AES_256_CBC, // iterations (default)
    0, privateKey);
    return new ANY(bytes);
}
Also used : CryptoStore(org.mozilla.jss.crypto.CryptoStore) ANY(org.mozilla.jss.asn1.ANY)

Aggregations

CryptoStore (org.mozilla.jss.crypto.CryptoStore)8 CryptoManager (org.mozilla.jss.CryptoManager)7 CryptoToken (org.mozilla.jss.crypto.CryptoToken)7 X509Certificate (org.mozilla.jss.crypto.X509Certificate)6 NoSuchTokenException (org.mozilla.jss.NoSuchTokenException)3 NotInitializedException (org.mozilla.jss.NotInitializedException)3 NoSuchItemOnTokenException (org.mozilla.jss.crypto.NoSuchItemOnTokenException)3 PrivateKey (org.mozilla.jss.crypto.PrivateKey)3 TokenException (org.mozilla.jss.crypto.TokenException)3 ANY (org.mozilla.jss.asn1.ANY)2 BMPString (org.mozilla.jss.asn1.BMPString)2 ObjectNotFoundException (org.mozilla.jss.crypto.ObjectNotFoundException)2 BufferedInputStream (java.io.BufferedInputStream)1 ByteArrayOutputStream (java.io.ByteArrayOutputStream)1 FileInputStream (java.io.FileInputStream)1 FileNotFoundException (java.io.FileNotFoundException)1 FileOutputStream (java.io.FileOutputStream)1 BigInteger (java.math.BigInteger)1 KeyStoreException (java.security.KeyStoreException)1 PublicKey (java.security.PublicKey)1