use of org.mozilla.jss.netscape.security.x509.KeyIdentifier in project candlepin by candlepin.
Class JSSPKIUtility, method buildAuthorityKeyIdentifier.
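/**
 * Builds an AuthorityKeyIdentifier extension that points at {@code caCert}.
 *
 * The CA certificate's SubjectKeyIdentifier becomes the keyIdentifier of the new extension.
 * When the CA certificate carries no SubjectKeyIdentifier extension at all, the identifier is
 * derived from the CA's public key instead (the single-argument overload). Only the
 * keyIdentifier form is emitted; authorityCertIssuer and authorityCertSerialNumber are
 * deliberately left empty, see the comment below.
 *
 * @param caCert the issuing CA certificate
 * @return an AuthorityKeyIdentifierExtension carrying only a keyIdentifier
 * @throws InvalidBERException if the CA's SubjectKeyIdentifier extension value is not valid BER
 * @throws IOException if the extension cannot be built
 */
public static AuthorityKeyIdentifierExtension buildAuthorityKeyIdentifier(X509Certificate caCert)
    throws InvalidBERException, IOException {
    // The subject key identifier of the CA becomes the Authority Key Identifier of the CRL.
    byte[] extValue = caCert.getExtensionValue(PKIXExtensions.SubjectKey_Id.toString());
    if (extValue == null) {
        /* X509Extension.getExtensionValue() returns null when the certificate has no such
         * extension. Check before decoding: handing null to ASN1Util.decode would fail instead
         * of reaching a fallback. If the SubjectKeyIdentifier extension isn't available, we can
         * calculate the value ourselves from the certificate's public key. */
        return buildAuthorityKeyIdentifier(caCert.getPublicKey());
    }
    /* getExtensionValue returns the Extension extnValue element, which is an octet string. For
     * the SubjectKeyIdentifier extension the extnValue only contains a KeyIdentifier. The actual
     * KeyIdentifier is also an octet string. The extnValue for the SubjectKeyIdentifier
     * is therefore ultimately an octet string of an octet string. See Appendix A of RFC 5280. */
    OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extValue);
    OCTET_STRING ski = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extOctets.toByteArray());
    /* RFC 5280 section 4.2.1.1 is a bit odd. It states the AuthorityKeyIdentifier MAY contain
     * a KeyIdentifier or the issuer name and CertificateSerialNumber. The KeyIdentifier is mandatory for
     * non-self-signed certificates, but there is no additional guidance about when or why one should
     * provide the issuer name or CertificateSerialNumber. I've found at least one place,
     * https://www.v13.gr/blog/?p=293, that explicitly recommends against giving them. Also,
     * the semantics around the issuer field in this extension can be very confusing
     * (see https://www.openssl.org/docs/faq.html#USER14). Our old crypto code that used BouncyCastle
     * did include the issuer and serial number along with the key identifier, but I think it's best if
     * we leave it out.
     */
    KeyIdentifier ki = new KeyIdentifier(ski.toByteArray());
    return new AuthorityKeyIdentifierExtension(ki, null, null);
}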
use of org.mozilla.jss.netscape.security.x509.KeyIdentifier in project candlepin by candlepin.
Class DefaultSubjectKeyIdentifierWriter, method getSubjectKeyIdentifier.
/**
 * Computes the SubjectKeyIdentifier value for {@code clientKeyPair}: the SHA-1 digest of the
 * subjectPublicKey BIT STRING taken from the key's encoded SubjectPublicKeyInfo (the
 * AlgorithmIdentifier that precedes it in the SEQUENCE is skipped). SHA-1 here only derives an
 * identifier, as RFC 5280 section 4.2.1.2 method (1) describes; it is not used as a signature.
 *
 * @param clientKeyPair key pair whose public key is identified
 * @param extensions not consulted by this implementation
 * @return the DER encoding of an OCTET STRING holding the identifier bytes
 * @throws IOException if the public key cannot be parsed, or SHA-1 is unavailable
 *     (the NoSuchAlgorithmException is wrapped)
 */
@Override
public byte[] getSubjectKeyIdentifier(KeyPair clientKeyPair, Set<X509ExtensionWrapper> extensions)
    throws IOException {
    final MessageDigest sha1;
    try {
        sha1 = MessageDigest.getInstance("SHA-1");
    }
    catch (NoSuchAlgorithmException e) {
        throw new IOException("Could not create KeyIdentifier", e);
    }

    byte[] subjectPublicKeyInfo = clientKeyPair.getPublic().getEncoded();
    DerInputStream spki = new DerValue(subjectPublicKeyInfo).toDerInputStream();
    // First element of the SEQUENCE is the AlgorithmIdentifier; skipSequence requires a
    // startLen argument even though it does not use it.
    spki.skipSequence(0);
    // What remains is the subjectPublicKey BIT STRING.
    BitArray subjectPublicKey = spki.getUnalignedBitString();

    KeyIdentifier identifier = new KeyIdentifier(sha1.digest(subjectPublicKey.toByteArray()));
    return ASN1Util.encode(new OCTET_STRING(identifier.getIdentifier()));
}
use of org.mozilla.jss.netscape.security.x509.KeyIdentifier in project j2objc by google.
Class AdaptableX509CertSelector, method parseAuthorityKeyIdentifierExtension.
/**
 * Copies selection criteria out of an AuthorityKeyIdentifier extension.
 *
 * When the extension carries a keyIdentifier, it is DER-wrapped as an OCTET STRING and
 * installed as the subjectKeyIdentifier criterion; when it carries an
 * authorityCertSerialNumber, that becomes the serialNumber criterion. A criterion set
 * earlier by the caller for the initial selection is left alone unless this method has
 * already taken it over (tracked by isSKIDSensitive / isSNSensitive).
 *
 * The authorityCertIssuer field is ignored here; the caller MUST set the subject
 * criterion itself before calling match().
 *
 * @param akidext the authorityKeyIdentifier extension, may be null (then nothing is set)
 * @throws IOException if the extension fields cannot be read
 */
void parseAuthorityKeyIdentifierExtension(AuthorityKeyIdentifierExtension akidext) throws IOException {
    if (akidext == null) {
        return;
    }

    KeyIdentifier authorityKeyId = (KeyIdentifier) akidext.get(AuthorityKeyIdentifierExtension.KEY_ID);
    // Only replace a pre-existing subjectKeyIdentifier if we set it ourselves last time.
    if (authorityKeyId != null && (isSKIDSensitive || getSubjectKeyIdentifier() == null)) {
        DerOutputStream encoded = new DerOutputStream();
        encoded.putOctetString(authorityKeyId.getIdentifier());
        super.setSubjectKeyIdentifier(encoded.toByteArray());
        isSKIDSensitive = true;
    }

    SerialNumber authoritySerial = (SerialNumber) akidext.get(AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
    // Same rule for the serial number criterion.
    if (authoritySerial != null && (isSNSensitive || getSerialNumber() == null)) {
        super.setSerialNumber(authoritySerial.getNumber());
        isSNSensitive = true;
    }
    // The subject criterion is intentionally not derived from authorityCertIssuer.
}
use of org.mozilla.jss.netscape.security.x509.KeyIdentifier in project j2objc by google.
Class Vertex, method certToString.
/**
 * Returns a human-readable summary of this vertex's certificate: issuer, subject,
 * hexadecimal serial number, expiry, the issuer/subject unique IDs when present, and the
 * subject and authority key identifiers when the corresponding extensions are present.
 *
 * If the certificate cannot be converted to X509CertImpl an empty string is returned; if
 * reading the key identifier extensions fails, the text collected so far is returned.
 * Both failures are reported on {@code debug} when it is enabled.
 *
 * @return string representation of certificate info
 */
public String certToString() {
    StringBuilder out = new StringBuilder();
    X509CertImpl impl;
    try {
        impl = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            ce.printStackTrace();
        }
        return out.toString();
    }

    out.append("Issuer: ").append(impl.getIssuerX500Principal()).append("\n")
       .append("Subject: ").append(impl.getSubjectX500Principal()).append("\n")
       .append("SerialNum: ").append(impl.getSerialNumber().toString(16)).append("\n")
       .append("Expires: ").append(impl.getNotAfter().toString()).append("\n");

    appendUniqueId(out, "IssuerUID: ", impl.getIssuerUniqueID());
    appendUniqueId(out, "SubjectUID: ", impl.getSubjectUniqueID());

    try {
        SubjectKeyIdentifierExtension skiExt = impl.getSubjectKeyIdentifierExtension();
        if (skiExt != null) {
            KeyIdentifier subjectKeyId = skiExt.get(SubjectKeyIdentifierExtension.KEY_ID);
            out.append("SubjKeyID: ").append(subjectKeyId.toString());
        }
        AuthorityKeyIdentifierExtension akiExt = impl.getAuthorityKeyIdentifierExtension();
        if (akiExt != null) {
            KeyIdentifier authorityKeyId = (KeyIdentifier) akiExt.get(AuthorityKeyIdentifierExtension.KEY_ID);
            out.append("AuthKeyID: ").append(authorityKeyId.toString());
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            e.printStackTrace();
        }
    }
    return out.toString();
}

/**
 * Appends {@code label}, the unique ID bits rendered as a run of 1/0 digits, and a
 * newline to {@code out}; does nothing when {@code bits} is null.
 */
private static void appendUniqueId(StringBuilder out, String label, boolean[] bits) {
    if (bits == null) {
        return;
    }
    out.append(label);
    for (boolean bit : bits) {
        out.append(bit ? 1 : 0);
    }
    out.append("\n");
}
use of org.mozilla.jss.netscape.security.x509.KeyIdentifier in project mockserver by mock-server.
Class X509Generator, method updateWithCertificateExtensions.
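/**
 * Installs the certificate's extension set on {@code x509CertInfo}: a SubjectAlternativeName
 * extension (only when at least one usable name was supplied), a SubjectKeyIdentifier derived
 * from {@code publicKey}, and an AuthorityKeyIdentifier derived from {@code caPublicKey} in its
 * keyIdentifier-only form (authorityCertIssuer and authorityCertSerialNumber are left empty).
 *
 * @param x509CertInfo certificate template that receives the EXTENSIONS field
 * @param publicKey the subject's public key
 * @param caPublicKey the issuing CA's public key
 * @param subjectAlternativeNames candidate SAN strings; blank entries and entries for which
 *     {@code buildGeneralName} returns null are skipped
 * @throws IOException if an extension value cannot be encoded
 * @throws CertificateException if the certificate info rejects the extensions
 */
private void updateWithCertificateExtensions(final X509CertInfo x509CertInfo,
                                             final PublicKey publicKey,
                                             final PublicKey caPublicKey,
                                             final Set<String> subjectAlternativeNames)
    throws IOException, CertificateException {
    CertificateExtensions certificateExtensions = new CertificateExtensions();

    // GeneralNames has no Collector of its own, so the filtered names are added one at a time.
    // This replaces a Collector whose combiner returned null, which would have thrown an NPE
    // the moment the pipeline was ever evaluated in parallel.
    GeneralNames generalNames = new GeneralNames();
    subjectAlternativeNames.stream()
        .filter(StringUtils::isNotBlank)
        .map(this::buildGeneralName)
        .filter(Objects::nonNull)
        .forEachOrdered(generalNames::add);

    // Subject Alternative Name, RFC 5280 section 4.2.1.6; only emitted when non-empty.
    // Boolean.FALSE is the critical flag, so the extension is marked non-critical.
    if (!generalNames.isEmpty()) {
        certificateExtensions.set(SubjectAlternativeNameExtension.NAME,
            new SubjectAlternativeNameExtension(Boolean.FALSE, generalNames));
    }
    // Subject Key Identifier, RFC 5280 section 4.2.1.2.
    certificateExtensions.set(SubjectKeyIdentifierExtension.NAME,
        new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
    // Authority Key Identifier, RFC 5280 section 4.2.1.1: keyIdentifier only, no issuer/serial.
    certificateExtensions.set(AuthorityKeyIdentifierExtension.NAME,
        new AuthorityKeyIdentifierExtension(new KeyIdentifier(caPublicKey), null, null));

    x509CertInfo.set(X509CertInfo.EXTENSIONS, certificateExtensions);
}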