Search in sources :

Example 11 with KeyUsageExtension

use of org.mozilla.jss.netscape.security.x509.KeyUsageExtension in project OpenAttestation by OpenAttestation.

the class X509Builder method keyUsageCertificateAuthority.

public X509Builder keyUsageCertificateAuthority() {
    try {
        v3();
        // certificate authority basic constraint
        // true indicates this is a CA;  -1 means no restriction on path length;  0 or more to set a restriction on max number of certs under this one in the chain
        BasicConstraintsExtension constraintsExtension = new BasicConstraintsExtension(true, -1);
        // certificate signing extension
        if (keyUsageExtension == null) {
            keyUsageExtension = new KeyUsageExtension();
        }
        keyUsageExtension.set(KeyUsageExtension.KEY_CERTSIGN, true);
        // add both
        if (certificateExtensions == null) {
            certificateExtensions = new CertificateExtensions();
        }
        certificateExtensions.set(keyUsageExtension.getExtensionId().toString(), keyUsageExtension);
        certificateExtensions.set(constraintsExtension.getExtensionId().toString(), constraintsExtension);
        info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
    } catch (Exception e) {
        fault(e, "keyUsageCertificateAuthority");
    }
    return this;
}
Also used : BasicConstraintsExtension(sun.security.x509.BasicConstraintsExtension) CertificateExtensions(sun.security.x509.CertificateExtensions) KeyUsageExtension(sun.security.x509.KeyUsageExtension) ExtendedKeyUsageExtension(sun.security.x509.ExtendedKeyUsageExtension)

Example 12 with KeyUsageExtension

use of org.mozilla.jss.netscape.security.x509.KeyUsageExtension in project jdk8u_jdk by JetBrains.

the class NamedBitList method main.

public static void main(String[] args) throws Exception {
    boolean[] bb = (new boolean[] { true, false, true, false, false, false });
    GeneralNames gns = new GeneralNames();
    gns.add(new GeneralName(new DNSName("dns")));
    DerOutputStream out;
    // length should be 5 since only {T,F,T} should be encoded
    KeyUsageExtension x1 = new KeyUsageExtension(bb);
    check(new DerValue(x1.getExtensionValue()).getUnalignedBitString().length(), 3);
    NetscapeCertTypeExtension x2 = new NetscapeCertTypeExtension(bb);
    check(new DerValue(x2.getExtensionValue()).getUnalignedBitString().length(), 3);
    ReasonFlags r = new ReasonFlags(bb);
    out = new DerOutputStream();
    r.encode(out);
    check(new DerValue(out.toByteArray()).getUnalignedBitString().length(), 3);
    // Read sun.security.x509.DistributionPoint for ASN.1 definition
    DistributionPoint dp = new DistributionPoint(gns, bb, gns);
    out = new DerOutputStream();
    dp.encode(out);
    DerValue v = new DerValue(out.toByteArray());
    // skip distributionPoint
    v.data.getDerValue();
    // read reasons
    DerValue v2 = v.data.getDerValue();
    // reset to BitString since it's context-specfic[1] encoded
    v2.resetTag(DerValue.tag_BitString);
    // length should be 5 since only {T,F,T} should be encoded
    check(v2.getUnalignedBitString().length(), 3);
    BitArray ba;
    ba = new BitArray(new boolean[] { false, false, false });
    check(ba.length(), 3);
    ba = ba.truncate();
    check(ba.length(), 1);
    ba = new BitArray(new boolean[] { true, true, true, true, true, true, true, true, false, false });
    check(ba.length(), 10);
    check(ba.toByteArray().length, 2);
    ba = ba.truncate();
    check(ba.length(), 8);
    check(ba.toByteArray().length, 1);
    ba = new BitArray(new boolean[] { true, true, true, true, true, true, true, true, true, false });
    check(ba.length(), 10);
    check(ba.toByteArray().length, 2);
    ba = ba.truncate();
    check(ba.length(), 9);
    check(ba.toByteArray().length, 2);
}
Also used : GeneralNames(sun.security.x509.GeneralNames) DerOutputStream(sun.security.util.DerOutputStream) ReasonFlags(sun.security.x509.ReasonFlags) DerValue(sun.security.util.DerValue) GeneralName(sun.security.x509.GeneralName) DistributionPoint(sun.security.x509.DistributionPoint) BitArray(sun.security.util.BitArray) DNSName(sun.security.x509.DNSName) NetscapeCertTypeExtension(sun.security.x509.NetscapeCertTypeExtension) KeyUsageExtension(sun.security.x509.KeyUsageExtension)

Example 13 with KeyUsageExtension

use of org.mozilla.jss.netscape.security.x509.KeyUsageExtension in project j2objc by google.

the class SignerInfo method verify.

/* Returns null if verify fails, this signerInfo if
       verify succeeds. */
SignerInfo verify(PKCS7 block, InputStream inputStream) throws NoSuchAlgorithmException, SignatureException, IOException {
    try {
        ContentInfo content = block.getContentInfo();
        if (inputStream == null) {
            inputStream = new ByteArrayInputStream(content.getContentBytes());
        }
        String digestAlgname = getDigestAlgorithmId().getName();
        InputStream dataSigned;
        // digest and compare it with the digest of data
        if (authenticatedAttributes == null) {
            dataSigned = inputStream;
        } else {
            // first, check content type
            ObjectIdentifier contentType = (ObjectIdentifier) authenticatedAttributes.getAttributeValue(PKCS9Attribute.CONTENT_TYPE_OID);
            if (contentType == null || !contentType.equals(content.contentType))
                // contentType does not match, bad SignerInfo
                return null;
            // now, check message digest
            byte[] messageDigest = (byte[]) authenticatedAttributes.getAttributeValue(PKCS9Attribute.MESSAGE_DIGEST_OID);
            if (// fail if there is no message digest
            messageDigest == null)
                return null;
            MessageDigest md = MessageDigest.getInstance(convertToStandardName(digestAlgname));
            byte[] buffer = new byte[4096];
            int read = 0;
            while ((read = inputStream.read(buffer)) != -1) {
                md.update(buffer, 0, read);
            }
            byte[] computedMessageDigest = md.digest();
            if (messageDigest.length != computedMessageDigest.length)
                return null;
            for (int i = 0; i < messageDigest.length; i++) {
                if (messageDigest[i] != computedMessageDigest[i])
                    return null;
            }
            // message digest attribute matched
            // digest of original data
            // the data actually signed is the DER encoding of
            // the authenticated attributes (tagged with
            // the "SET OF" tag, not 0xA0).
            dataSigned = new ByteArrayInputStream(authenticatedAttributes.getDerEncoding());
        }
        // put together digest algorithm and encryption algorithm
        // to form signing algorithm
        String encryptionAlgname = getDigestEncryptionAlgorithmId().getName();
        // Workaround: sometimes the encryptionAlgname is actually
        // a signature name
        String tmp = AlgorithmId.getEncAlgFromSigAlg(encryptionAlgname);
        if (tmp != null)
            encryptionAlgname = tmp;
        String algname = AlgorithmId.makeSigAlg(digestAlgname, encryptionAlgname);
        Signature sig = Signature.getInstance(algname);
        X509Certificate cert = getCertificate(block);
        if (cert == null) {
            return null;
        }
        if (cert.hasUnsupportedCriticalExtension()) {
            throw new SignatureException("Certificate has unsupported " + "critical extension(s)");
        }
        // Make sure that if the usage of the key in the certificate is
        // restricted, it can be used for digital signatures.
        // XXX We may want to check for additional extensions in the
        // future.
        boolean[] keyUsageBits = cert.getKeyUsage();
        if (keyUsageBits != null) {
            KeyUsageExtension keyUsage;
            try {
                // We don't care whether or not this extension was marked
                // critical in the certificate.
                // We're interested only in its value (i.e., the bits set)
                // and treat the extension as critical.
                keyUsage = new KeyUsageExtension(keyUsageBits);
            } catch (IOException ioe) {
                throw new SignatureException("Failed to parse keyUsage " + "extension");
            }
            boolean digSigAllowed = ((Boolean) keyUsage.get(KeyUsageExtension.DIGITAL_SIGNATURE)).booleanValue();
            boolean nonRepuAllowed = ((Boolean) keyUsage.get(KeyUsageExtension.NON_REPUDIATION)).booleanValue();
            if (!digSigAllowed && !nonRepuAllowed) {
                throw new SignatureException("Key usage restricted: " + "cannot be used for " + "digital signatures");
            }
        }
        PublicKey key = cert.getPublicKey();
        sig.initVerify(key);
        byte[] buffer = new byte[4096];
        int read = 0;
        while ((read = dataSigned.read(buffer)) != -1) {
            sig.update(buffer, 0, read);
        }
        if (sig.verify(encryptedDigest)) {
            return this;
        }
    } catch (IOException e) {
        throw new SignatureException("IO error verifying signature:\n" + e.getMessage());
    } catch (InvalidKeyException e) {
        throw new SignatureException("InvalidKey: " + e.getMessage());
    }
    return null;
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) ByteArrayInputStream(java.io.ByteArrayInputStream) KeyUsageExtension(sun.security.x509.KeyUsageExtension)

Example 14 with KeyUsageExtension

use of org.mozilla.jss.netscape.security.x509.KeyUsageExtension in project mockserver by mock-server.

the class X509Generator method updateWithRootCertificateExtensions.

private void updateWithRootCertificateExtensions(final X509CertInfo x509CertInfo, final PublicKey publicKey) throws IOException, CertificateException {
    CertificateExtensions certificateExtensions = new CertificateExtensions();
    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.9
    certificateExtensions.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(// is critical
    true, // is CA
    true, // path length
    -1));
    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
    boolean[] keyUsage = new boolean[9];
    // keyCertSign
    keyUsage[5] = true;
    certificateExtensions.set(KeyUsageExtension.NAME, new KeyUsageExtension(keyUsage));
    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.2
    certificateExtensions.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
    x509CertInfo.set(X509CertInfo.EXTENSIONS, certificateExtensions);
}
Also used : SubjectKeyIdentifierExtension(sun.security.x509.SubjectKeyIdentifierExtension) BasicConstraintsExtension(sun.security.x509.BasicConstraintsExtension) KeyIdentifier(sun.security.x509.KeyIdentifier) CertificateExtensions(sun.security.x509.CertificateExtensions) KeyUsageExtension(sun.security.x509.KeyUsageExtension)

Aggregations

KeyUsageExtension (sun.security.x509.KeyUsageExtension)12 CertificateExtensions (sun.security.x509.CertificateExtensions)8 ExtendedKeyUsageExtension (sun.security.x509.ExtendedKeyUsageExtension)6 IOException (java.io.IOException)5 X509Certificate (java.security.cert.X509Certificate)3 InvalidKeyException (java.security.InvalidKeyException)2 MessageDigest (java.security.MessageDigest)2 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)2 PublicKey (java.security.PublicKey)2 Signature (java.security.Signature)2 SignatureException (java.security.SignatureException)2 CertPathValidatorException (java.security.cert.CertPathValidatorException)2 CertificateException (java.security.cert.CertificateException)2 ExtendedKeyUsageExtension (org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension)2 KeyUsageExtension (org.mozilla.jss.netscape.security.x509.KeyUsageExtension)2 ConstraintsParameters (sun.security.util.ConstraintsParameters)2 ObjectIdentifier (sun.security.util.ObjectIdentifier)2 BasicConstraintsExtension (sun.security.x509.BasicConstraintsExtension)2 NAEException (com.ingrian.security.nae.NAEException)1 ByteArrayInputStream (java.io.ByteArrayInputStream)1