use of org.mozilla.jss.netscape.security.x509.KeyUsageExtension in project OpenAttestation by OpenAttestation.
the class X509Builder method keyUsageCertificateAuthority.
public X509Builder keyUsageCertificateAuthority() {
try {
v3();
// certificate authority basic constraint
// true indicates this is a CA; -1 means no restriction on path length; 0 or more to set a restriction on max number of certs under this one in the chain
BasicConstraintsExtension constraintsExtension = new BasicConstraintsExtension(true, -1);
// certificate signing extension
if (keyUsageExtension == null) {
keyUsageExtension = new KeyUsageExtension();
}
keyUsageExtension.set(KeyUsageExtension.KEY_CERTSIGN, true);
// add both
if (certificateExtensions == null) {
certificateExtensions = new CertificateExtensions();
}
certificateExtensions.set(keyUsageExtension.getExtensionId().toString(), keyUsageExtension);
certificateExtensions.set(constraintsExtension.getExtensionId().toString(), constraintsExtension);
info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
} catch (Exception e) {
fault(e, "keyUsageCertificateAuthority");
}
return this;
}
use of org.mozilla.jss.netscape.security.x509.KeyUsageExtension in project jdk8u_jdk by JetBrains.
the class NamedBitList method main.
public static void main(String[] args) throws Exception {
boolean[] bb = (new boolean[] { true, false, true, false, false, false });
GeneralNames gns = new GeneralNames();
gns.add(new GeneralName(new DNSName("dns")));
DerOutputStream out;
// length should be 5 since only {T,F,T} should be encoded
KeyUsageExtension x1 = new KeyUsageExtension(bb);
check(new DerValue(x1.getExtensionValue()).getUnalignedBitString().length(), 3);
NetscapeCertTypeExtension x2 = new NetscapeCertTypeExtension(bb);
check(new DerValue(x2.getExtensionValue()).getUnalignedBitString().length(), 3);
ReasonFlags r = new ReasonFlags(bb);
out = new DerOutputStream();
r.encode(out);
check(new DerValue(out.toByteArray()).getUnalignedBitString().length(), 3);
// Read sun.security.x509.DistributionPoint for ASN.1 definition
DistributionPoint dp = new DistributionPoint(gns, bb, gns);
out = new DerOutputStream();
dp.encode(out);
DerValue v = new DerValue(out.toByteArray());
// skip distributionPoint
v.data.getDerValue();
// read reasons
DerValue v2 = v.data.getDerValue();
// reset to BitString since it's context-specfic[1] encoded
v2.resetTag(DerValue.tag_BitString);
// length should be 5 since only {T,F,T} should be encoded
check(v2.getUnalignedBitString().length(), 3);
BitArray ba;
ba = new BitArray(new boolean[] { false, false, false });
check(ba.length(), 3);
ba = ba.truncate();
check(ba.length(), 1);
ba = new BitArray(new boolean[] { true, true, true, true, true, true, true, true, false, false });
check(ba.length(), 10);
check(ba.toByteArray().length, 2);
ba = ba.truncate();
check(ba.length(), 8);
check(ba.toByteArray().length, 1);
ba = new BitArray(new boolean[] { true, true, true, true, true, true, true, true, true, false });
check(ba.length(), 10);
check(ba.toByteArray().length, 2);
ba = ba.truncate();
check(ba.length(), 9);
check(ba.toByteArray().length, 2);
}
use of org.mozilla.jss.netscape.security.x509.KeyUsageExtension in project j2objc by google.
the class SignerInfo method verify.
/* Returns null if verify fails, this signerInfo if
verify succeeds. */
SignerInfo verify(PKCS7 block, InputStream inputStream) throws NoSuchAlgorithmException, SignatureException, IOException {
try {
ContentInfo content = block.getContentInfo();
if (inputStream == null) {
inputStream = new ByteArrayInputStream(content.getContentBytes());
}
String digestAlgname = getDigestAlgorithmId().getName();
InputStream dataSigned;
// digest and compare it with the digest of data
if (authenticatedAttributes == null) {
dataSigned = inputStream;
} else {
// first, check content type
ObjectIdentifier contentType = (ObjectIdentifier) authenticatedAttributes.getAttributeValue(PKCS9Attribute.CONTENT_TYPE_OID);
if (contentType == null || !contentType.equals(content.contentType))
// contentType does not match, bad SignerInfo
return null;
// now, check message digest
byte[] messageDigest = (byte[]) authenticatedAttributes.getAttributeValue(PKCS9Attribute.MESSAGE_DIGEST_OID);
if (// fail if there is no message digest
messageDigest == null)
return null;
MessageDigest md = MessageDigest.getInstance(convertToStandardName(digestAlgname));
byte[] buffer = new byte[4096];
int read = 0;
while ((read = inputStream.read(buffer)) != -1) {
md.update(buffer, 0, read);
}
byte[] computedMessageDigest = md.digest();
if (messageDigest.length != computedMessageDigest.length)
return null;
for (int i = 0; i < messageDigest.length; i++) {
if (messageDigest[i] != computedMessageDigest[i])
return null;
}
// message digest attribute matched
// digest of original data
// the data actually signed is the DER encoding of
// the authenticated attributes (tagged with
// the "SET OF" tag, not 0xA0).
dataSigned = new ByteArrayInputStream(authenticatedAttributes.getDerEncoding());
}
// put together digest algorithm and encryption algorithm
// to form signing algorithm
String encryptionAlgname = getDigestEncryptionAlgorithmId().getName();
// Workaround: sometimes the encryptionAlgname is actually
// a signature name
String tmp = AlgorithmId.getEncAlgFromSigAlg(encryptionAlgname);
if (tmp != null)
encryptionAlgname = tmp;
String algname = AlgorithmId.makeSigAlg(digestAlgname, encryptionAlgname);
Signature sig = Signature.getInstance(algname);
X509Certificate cert = getCertificate(block);
if (cert == null) {
return null;
}
if (cert.hasUnsupportedCriticalExtension()) {
throw new SignatureException("Certificate has unsupported " + "critical extension(s)");
}
// Make sure that if the usage of the key in the certificate is
// restricted, it can be used for digital signatures.
// XXX We may want to check for additional extensions in the
// future.
boolean[] keyUsageBits = cert.getKeyUsage();
if (keyUsageBits != null) {
KeyUsageExtension keyUsage;
try {
// We don't care whether or not this extension was marked
// critical in the certificate.
// We're interested only in its value (i.e., the bits set)
// and treat the extension as critical.
keyUsage = new KeyUsageExtension(keyUsageBits);
} catch (IOException ioe) {
throw new SignatureException("Failed to parse keyUsage " + "extension");
}
boolean digSigAllowed = ((Boolean) keyUsage.get(KeyUsageExtension.DIGITAL_SIGNATURE)).booleanValue();
boolean nonRepuAllowed = ((Boolean) keyUsage.get(KeyUsageExtension.NON_REPUDIATION)).booleanValue();
if (!digSigAllowed && !nonRepuAllowed) {
throw new SignatureException("Key usage restricted: " + "cannot be used for " + "digital signatures");
}
}
PublicKey key = cert.getPublicKey();
sig.initVerify(key);
byte[] buffer = new byte[4096];
int read = 0;
while ((read = dataSigned.read(buffer)) != -1) {
sig.update(buffer, 0, read);
}
if (sig.verify(encryptedDigest)) {
return this;
}
} catch (IOException e) {
throw new SignatureException("IO error verifying signature:\n" + e.getMessage());
} catch (InvalidKeyException e) {
throw new SignatureException("InvalidKey: " + e.getMessage());
}
return null;
}
use of org.mozilla.jss.netscape.security.x509.KeyUsageExtension in project mockserver by mock-server.
the class X509Generator method updateWithRootCertificateExtensions.
private void updateWithRootCertificateExtensions(final X509CertInfo x509CertInfo, final PublicKey publicKey) throws IOException, CertificateException {
CertificateExtensions certificateExtensions = new CertificateExtensions();
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.9
certificateExtensions.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(// is critical
true, // is CA
true, // path length
-1));
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
boolean[] keyUsage = new boolean[9];
// keyCertSign
keyUsage[5] = true;
certificateExtensions.set(KeyUsageExtension.NAME, new KeyUsageExtension(keyUsage));
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.2
certificateExtensions.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
x509CertInfo.set(X509CertInfo.EXTENSIONS, certificateExtensions);
}
Aggregations