Example 31 with DerValue
use of org.mozilla.jss.netscape.security.util.DerValue in project candlepin by candlepin.
the class JSSPKIUtility method buildAuthorityKeyIdentifier.
/**
* Calculate the KeyIdentifier for a public key and place it in an AuthorityKeyIdentifier extension.
*
* Java encodes RSA public keys using the SubjectPublicKeyInfo type described in RFC 5280.
* <pre>
* SubjectPublicKeyInfo ::= SEQUENCE {
* algorithm AlgorithmIdentifier,
* subjectPublicKey BIT STRING }
*
* AlgorithmIdentifier ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
* parameters ANY DEFINED BY algorithm OPTIONAL }
* </pre>
*
* A KeyIdentifier is a SHA-1 digest of the subjectPublicKey bit string from the ASN.1 above.
*
* @param key the public key to use
* @return an AuthorityKeyIdentifierExtension based on the key
* @throws IOException if we can't construct a MessageDigest object.
*/
public static AuthorityKeyIdentifierExtension buildAuthorityKeyIdentifier(PublicKey key) throws IOException {
try {
Provider provider = JSSProviderLoader.getProvider(true);
MessageDigest d = MessageDigest.getInstance("SHA-1", provider);
byte[] encodedKey = key.getEncoded();
DerInputStream s = new DerValue(encodedKey).toDerInputStream();
// Skip the first item in the sequence, AlgorithmIdentifier.
// The parameter, startLen, is required for skipSequence although it's unused.
s.skipSequence(0);
// Get the key's bit string
BitArray b = s.getUnalignedBitString();
byte[] digest = d.digest(b.toByteArray());
KeyIdentifier ki = new KeyIdentifier(digest);
return new AuthorityKeyIdentifierExtension(ki, null, null);
} catch (NoSuchAlgorithmException e) {
throw new IOException("Could not find SHA1 implementation", e);
}
}
Also used :
KeyIdentifier(org.mozilla.jss.netscape.security.x509.KeyIdentifier)
DerValue(org.mozilla.jss.netscape.security.util.DerValue)
AuthorityKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension)
DerInputStream(org.mozilla.jss.netscape.security.util.DerInputStream)
BitArray(org.mozilla.jss.netscape.security.util.BitArray)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IOException(java.io.IOException)
MessageDigest(java.security.MessageDigest)
Provider(java.security.Provider)
Example 32 with DerValue
use of org.mozilla.jss.netscape.security.util.DerValue in project candlepin by candlepin.
the class JSSPKIUtility method buildAuthorityKeyIdentifier.
/**
* Calculate the KeyIdentifier for an RSAPublicKey and place it in an AuthorityKeyIdentifier extension.
*
* Java encodes RSA public keys using the SubjectPublicKeyInfo type described in RFC 5280.
* <pre>
* SubjectPublicKeyInfo ::= SEQUENCE {
* algorithm AlgorithmIdentifier,
* subjectPublicKey BIT STRING }
*
* AlgorithmIdentifier ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
* parameters ANY DEFINED BY algorithm OPTIONAL }
* </pre>
*
* A KeyIdentifier is a SHA-1 digest of the subjectPublicKey bit string from the ASN.1 above.
*
* @param key the RSAPublicKey to use
* @return an AuthorityKeyIdentifierExtension based on the key
* @throws IOException if we can't construct a MessageDigest object.
*/
public static AuthorityKeyIdentifierExtension buildAuthorityKeyIdentifier(RSAPublicKey key) throws IOException {
try {
MessageDigest d = MessageDigest.getInstance("SHA-1");
byte[] encodedKey = key.getEncoded();
DerInputStream s = new DerValue(encodedKey).toDerInputStream();
// Skip the first item in the sequence, AlgorithmIdentifier.
// The parameter, startLen, is required for skipSequence although it's unused.
s.skipSequence(0);
// Get the key's bit string
BitArray b = s.getUnalignedBitString();
byte[] digest = d.digest(b.toByteArray());
KeyIdentifier ki = new KeyIdentifier(digest);
return new AuthorityKeyIdentifierExtension(ki, null, null);
} catch (NoSuchAlgorithmException e) {
throw new IOException("Could not find SHA1 implementation", e);
}
}
Also used :
KeyIdentifier(org.mozilla.jss.netscape.security.x509.KeyIdentifier)
DerValue(org.mozilla.jss.netscape.security.util.DerValue)
AuthorityKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension)
DerInputStream(org.mozilla.jss.netscape.security.util.DerInputStream)
BitArray(org.mozilla.jss.netscape.security.util.BitArray)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IOException(java.io.IOException)
MessageDigest(java.security.MessageDigest)
Example 33 with DerValue
use of org.mozilla.jss.netscape.security.util.DerValue in project candlepin by candlepin.
the class JSSPKIUtility method createX509Certificate.
@Override
public X509Certificate createX509Certificate(String dn, Set<X509ExtensionWrapper> extensions, Set<X509ByteExtensionWrapper> byteExtensions, Date startDate, Date endDate, KeyPair clientKeyPair, BigInteger serialNumber, String alternateName) throws IOException {
// Ensure JSS is properly initialized before attempting any operations with it
JSSProviderLoader.initialize();
X509CertInfo certInfo = new X509CertInfo();
try {
X509Certificate caCert = reader.getCACert();
byte[] publicKeyEncoded = clientKeyPair.getPublic().getEncoded();
certInfo.set(X509CertInfo.ISSUER, new CertificateIssuerName(new X500Name(caCert.getSubjectX500Principal().getEncoded())));
certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serialNumber));
certInfo.set(X509CertInfo.VALIDITY, new CertificateValidity(startDate, endDate));
certInfo.set(X509CertInfo.SUBJECT, new CertificateSubjectName(new X500Name(dn)));
certInfo.set(X509CertInfo.KEY, new CertificateX509Key(X509Key.parse(new DerValue(publicKeyEncoded))));
certInfo.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get(SIGNING_ALG_ID)));
certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
CertificateExtensions certExtensions = buildStandardExtensions(new CertificateExtensions(), dn, clientKeyPair, extensions, caCert, alternateName);
certInfo.set(X509CertInfo.EXTENSIONS, certExtensions);
if (extensions != null) {
for (X509ExtensionWrapper wrapper : extensions) {
// Avoid null values. Set them to blank if they are null
String value = wrapper.getValue() == null ? "" : wrapper.getValue();
UTF8String der = new UTF8String(value);
certExtensions.add(buildCustomExtension(wrapper.getOid(), wrapper.isCritical(), der));
}
}
if (byteExtensions != null) {
for (X509ByteExtensionWrapper wrapper : byteExtensions) {
// Avoid null values. Set them to blank if they are null
byte[] value = wrapper.getValue() == null ? new byte[0] : wrapper.getValue();
OCTET_STRING der = new OCTET_STRING(value);
certExtensions.add(buildCustomExtension(wrapper.getOid(), wrapper.isCritical(), der));
}
}
X509CertImpl certImpl = new X509CertImpl(certInfo);
certImpl.sign(reader.getCaKey(), SIGNING_ALG_ID);
// valid, it just won't have any extensions present in the object.
return new X509CertImpl(certImpl.getEncoded());
} catch (GeneralSecurityException e) {
throw new RuntimeException("Could not create X.509 certificate", e);
}
}
Also used :
CertificateSubjectName(org.mozilla.jss.netscape.security.x509.CertificateSubjectName)
UTF8String(org.mozilla.jss.asn1.UTF8String)
X509CertInfo(org.mozilla.jss.netscape.security.x509.X509CertInfo)
CertificateIssuerName(org.mozilla.jss.netscape.security.x509.CertificateIssuerName)
GeneralSecurityException(java.security.GeneralSecurityException)
CertificateVersion(org.mozilla.jss.netscape.security.x509.CertificateVersion)
CertificateValidity(org.mozilla.jss.netscape.security.x509.CertificateValidity)
CertificateExtensions(org.mozilla.jss.netscape.security.x509.CertificateExtensions)
X500Name(org.mozilla.jss.netscape.security.x509.X500Name)
UTF8String(org.mozilla.jss.asn1.UTF8String)
CertificateX509Key(org.mozilla.jss.netscape.security.x509.CertificateX509Key)
X509Certificate(java.security.cert.X509Certificate)
CertificateSerialNumber(org.mozilla.jss.netscape.security.x509.CertificateSerialNumber)
OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING)
TokenRuntimeException(org.mozilla.jss.crypto.TokenRuntimeException)
DerValue(org.mozilla.jss.netscape.security.util.DerValue)
X509CertImpl(org.mozilla.jss.netscape.security.x509.X509CertImpl)
X509ByteExtensionWrapper(org.candlepin.pki.X509ByteExtensionWrapper)
X509ExtensionWrapper(org.candlepin.pki.X509ExtensionWrapper)
CertificateAlgorithmId(org.mozilla.jss.netscape.security.x509.CertificateAlgorithmId)
Example 34 with DerValue
use of org.mozilla.jss.netscape.security.util.DerValue in project candlepin by candlepin.
the class DefaultSubjectKeyIdentifierWriter method getSubjectKeyIdentifier.
@Override
public byte[] getSubjectKeyIdentifier(KeyPair clientKeyPair, Set<X509ExtensionWrapper> extensions) throws IOException {
try {
MessageDigest d = MessageDigest.getInstance("SHA-1");
byte[] encodedKey = clientKeyPair.getPublic().getEncoded();
DerInputStream s = new DerValue(encodedKey).toDerInputStream();
// Skip the first item in the sequence, AlgorithmIdentifier.
// The parameter, startLen, is required for skipSequence although it's unused.
s.skipSequence(0);
// Get the key's bit string
BitArray b = s.getUnalignedBitString();
byte[] digest = d.digest(b.toByteArray());
KeyIdentifier ki = new KeyIdentifier(digest);
return ASN1Util.encode(new OCTET_STRING(ki.getIdentifier()));
} catch (NoSuchAlgorithmException e) {
throw new IOException("Could not create KeyIdentifier", e);
}
}
Also used :
OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING)
KeyIdentifier(org.mozilla.jss.netscape.security.x509.KeyIdentifier)
DerValue(org.mozilla.jss.netscape.security.util.DerValue)
DerInputStream(org.mozilla.jss.netscape.security.util.DerInputStream)
BitArray(org.mozilla.jss.netscape.security.util.BitArray)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IOException(java.io.IOException)
MessageDigest(java.security.MessageDigest)
Example 35 with DerValue
use of org.mozilla.jss.netscape.security.util.DerValue in project jss by dogtagpki.
the class CertificateValidity method decode.
/**
* Decode the CertificateValidity period from the InputStream.
*
* @param in the InputStream to unmarshal the contents from.
* @exception IOException on errors.
*/
@Override
public void decode(InputStream in) throws IOException {
DerValue derVal = new DerValue(in);
construct(derVal);
}
Also used :
DerValue(org.mozilla.jss.netscape.security.util.DerValue)
Aggregations
DerValue (org.mozilla.jss.netscape.security.util.DerValue)70
IOException (java.io.IOException)31
DerInputStream (org.mozilla.jss.netscape.security.util.DerInputStream)20
DerOutputStream (org.mozilla.jss.netscape.security.util.DerOutputStream)8
ObjectIdentifier (org.mozilla.jss.netscape.security.util.ObjectIdentifier)8
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)5
ByteBuffer (java.nio.ByteBuffer)4
CharBuffer (java.nio.CharBuffer)4
CharacterCodingException (java.nio.charset.CharacterCodingException)4
CharsetEncoder (java.nio.charset.CharsetEncoder)4
MessageDigest (java.security.MessageDigest)4
CRLException (java.security.cert.CRLException)4
BitArray (org.mozilla.jss.netscape.security.util.BitArray)4
AuthorityKeyIdentifierExtension (org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension)4
KeyIdentifier (org.mozilla.jss.netscape.security.x509.KeyIdentifier)4
ByteArrayOutputStream (java.io.ByteArrayOutputStream)3
InvalidKeyException (java.security.InvalidKeyException)3
BigInt (org.mozilla.jss.netscape.security.util.BigInt)3
GeneralName (org.mozilla.jss.netscape.security.x509.GeneralName)3
CertificateException (java.security.cert.CertificateException)2
