Example 51 with X509CertImpl
use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project ddf by codice.
the class SignerConditionTest method testIsSatisfied.
@Test
public void testIsSatisfied() throws CertificateException {
Bundle bundle = mock(Bundle.class);
Map<X509Certificate, List<X509Certificate>> trustedCerts = new HashMap<>();
X509Certificate key = new X509CertImpl(SignerConditionTest.class.getResourceAsStream("/asdf.der"));
trustedCerts.put(key, new ArrayList<>());
when(bundle.getSignerCertificates(Bundle.SIGNERS_TRUSTED)).thenReturn(trustedCerts);
SignerCondition principalCondition = new SignerCondition(bundle, new ConditionInfo(SignerCondition.class.getName(), new String[] { "asdf" }));
boolean satisfied = principalCondition.isSatisfied();
assertThat(satisfied, is(true));
}
Also used :
ConditionInfo(org.osgi.service.condpermadmin.ConditionInfo)
HashMap(java.util.HashMap)
Bundle(org.osgi.framework.Bundle)
X509CertImpl(sun.security.x509.X509CertImpl)
ArrayList(java.util.ArrayList)
List(java.util.List)
X509Certificate(java.security.cert.X509Certificate)
Test(org.junit.Test)
Example 52 with X509CertImpl
use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project alpha-wallet-android by AlphaWallet.
the class TestAttestation method testX509Comp.
@org.junit.Test
public void testX509Comp() throws Exception {
AttestationManager manager = new AttestationManager(OID_SHA256ECDSA, issuerKeys);
Attestation att = makeUnsignedx509Att();
byte[] signature = manager.sign(att);
byte[] signedAtt = manager.constructSignedAttestation(att, signature);
X509Certificate cert = new X509CertImpl(signedAtt);
try {
cert.checkValidity();
} catch (CertificateExpiredException | CertificateNotYetValidException e) {
Assert.fail();
}
cert.verify(issuerKeys.getPublic(), new BouncyCastleProvider());
}
Also used :
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
X509CertImpl(sun.security.x509.X509CertImpl)
X509Certificate(java.security.cert.X509Certificate)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
Example 53 with X509CertImpl
use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project OpenAM by OpenRock.
the class ApprovalCallback method approve.
/*
* Invoked by JSS protocol handler whenever ssl handshaking hits issue.
* It validates reported issue if it can be ignored.
*
* @return <code>true</code> if the reported issue can be ignored.
*/
public boolean approve(X509Certificate cert, SSLCertificateApprovalCallback.ValidityStatus status) {
ValidityItem item;
Enumeration errors = status.getReasons();
int reason;
if (trustAllServerCerts) {
return true;
}
if ((reqHost == null) && !errors.hasMoreElements()) {
return true;
}
boolean approve = true;
while (approve && errors.hasMoreElements()) {
item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement();
reason = item.getReason();
if (debug.messageEnabled()) {
debug.message("ApprovalCallback: reason " + reason);
}
// bad domain -12276
if (reason != ValidityStatus.BAD_CERT_DOMAIN) {
approve = false;
} else {
String cn = null;
try {
String subjectDN = cert.getSubjectDN().getName();
cn = new X500Name(subjectDN).getCommonName();
} catch (Exception ex) {
if (debug.messageEnabled()) {
debug.message("ApprovalCallback:", ex);
}
approve = false;
}
if (cn == null) {
return false;
}
if (!sslTrustHosts.isEmpty()) {
if (debug.messageEnabled()) {
debug.message("ApprovalCallback: server cert CN : " + cn);
}
if (sslTrustHosts.contains(cn.toLowerCase())) {
return true;
}
}
if (resolveIPAddress) {
try {
approve = InetAddress.getByName(cn).getHostAddress().equals(InetAddress.getByName(reqHost).getHostAddress());
} catch (UnknownHostException ex) {
if (debug.messageEnabled()) {
debug.message("ApprovalCallback:", ex);
}
approve = false;
}
} else
approve = false;
if (!approve && checkSubjectAltName) {
try {
X509CertImpl certImpl = new X509CertImpl(cert.getEncoded());
X509CertInfo cinfo = new X509CertInfo(certImpl.getTBSCertificate());
CertificateExtensions exts = (CertificateExtensions) cinfo.get(X509CertInfo.EXTENSIONS);
SubjectAlternativeNameExtension altNameExt = (SubjectAlternativeNameExtension) exts.get(SubjectAlternativeNameExtension.NAME);
if (altNameExt != null) {
GeneralNames names = (GeneralNames) altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
Method meth = getMethod();
GeneralName generalname = null;
if (meth.getName().equals(OLD_METHOD_NAME)) {
// pre 1.4.2 implementation
Enumeration e = (Enumeration) meth.invoke(names, params);
for (; !approve && e.hasMoreElements(); ) {
approve = compareHosts((GeneralName) e.nextElement());
}
} else {
// post 1.4.2 implementation
Iterator i = (Iterator) meth.invoke(names, params);
for (; !approve && i.hasNext(); ) {
approve = compareHosts((GeneralName) i.next());
}
}
}
} catch (Exception ex) {
return false;
}
}
}
}
return approve;
}
Also used :
Enumeration(java.util.Enumeration)
UnknownHostException(java.net.UnknownHostException)
X509CertInfo(sun.security.x509.X509CertInfo)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
CertificateExtensions(sun.security.x509.CertificateExtensions)
X500Name(sun.security.x509.X500Name)
Method(java.lang.reflect.Method)
UnknownHostException(java.net.UnknownHostException)
SSLCertificateApprovalCallback(org.mozilla.jss.ssl.SSLCertificateApprovalCallback)
GeneralNames(sun.security.x509.GeneralNames)
X509CertImpl(sun.security.x509.X509CertImpl)
Iterator(java.util.Iterator)
GeneralName(sun.security.x509.GeneralName)
Example 54 with X509CertImpl
use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project jdk8u_jdk by JetBrains.
the class AlgorithmChecker method check.
@Override
public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
if (!(cert instanceof X509Certificate) || constraints == null) {
// ignore the check for non-x.509 certificate or null constraints
return;
}
// check the key usage and key size
boolean[] keyUsage = ((X509Certificate) cert).getKeyUsage();
if (keyUsage != null && keyUsage.length < 9) {
throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
}
X509CertImpl x509Cert;
AlgorithmId algorithmId;
try {
x509Cert = X509CertImpl.toImpl((X509Certificate) cert);
algorithmId = (AlgorithmId) x509Cert.get(X509CertImpl.SIG_ALG);
} catch (CertificateException ce) {
throw new CertPathValidatorException(ce);
}
AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
PublicKey currPubKey = cert.getPublicKey();
String currSigAlg = ((X509Certificate) cert).getSigAlgName();
// Check the signature algorithm and parameters against constraints.
if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg, currSigAlgParams)) {
throw new CertPathValidatorException("Algorithm constraints check failed on signature " + "algorithm: " + currSigAlg, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
// Assume all key usage bits are set if key usage is not present
Set<CryptoPrimitive> primitives = KU_PRIMITIVE_SET;
if (keyUsage != null) {
primitives = EnumSet.noneOf(CryptoPrimitive.class);
if (keyUsage[0] || keyUsage[1] || keyUsage[5] || keyUsage[6]) {
// keyUsage[0]: KeyUsage.digitalSignature
// keyUsage[1]: KeyUsage.nonRepudiation
// keyUsage[5]: KeyUsage.keyCertSign
// keyUsage[6]: KeyUsage.cRLSign
primitives.add(CryptoPrimitive.SIGNATURE);
}
if (keyUsage[2]) {
// KeyUsage.keyEncipherment
primitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
}
if (keyUsage[3]) {
// KeyUsage.dataEncipherment
primitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
}
if (keyUsage[4]) {
// KeyUsage.keyAgreement
primitives.add(CryptoPrimitive.KEY_AGREEMENT);
}
if (primitives.isEmpty()) {
throw new CertPathValidatorException("incorrect KeyUsage extension bits", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
}
}
ConstraintsParameters cp = new ConstraintsParameters((X509Certificate) cert, trustedMatch, pkixdate, jarTimestamp, variant);
// Check against local constraints if it is DisabledAlgorithmConstraints
if (constraints instanceof DisabledAlgorithmConstraints) {
((DisabledAlgorithmConstraints) constraints).permits(currSigAlg, cp);
// DisabledAlgorithmsConstraints does not check primitives, so key
// additional key check.
} else {
// Perform the default constraints checking anyway.
certPathDefaultConstraints.permits(currSigAlg, cp);
// Call locally set constraints to check key with primitives.
if (!constraints.permits(primitives, currPubKey)) {
throw new CertPathValidatorException("Algorithm constraints check failed on key " + currPubKey.getAlgorithm() + " with size of " + sun.security.util.KeyUtil.getKeySize(currPubKey) + "bits", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
// If there is no previous key, set one and exit
if (prevPubKey == null) {
prevPubKey = currPubKey;
return;
}
// Check with previous cert for signature algorithm and public key
if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg, prevPubKey, currSigAlgParams)) {
throw new CertPathValidatorException("Algorithm constraints check failed on " + "signature algorithm: " + currSigAlg, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
// Inherit key parameters from previous key
if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) {
// Inherit DSA parameters from previous key
if (!(prevPubKey instanceof DSAPublicKey)) {
throw new CertPathValidatorException("Input key is not " + "of a appropriate type for inheriting parameters");
}
DSAParams params = ((DSAPublicKey) prevPubKey).getParams();
if (params == null) {
throw new CertPathValidatorException("Key parameters missing from public key.");
}
try {
BigInteger y = ((DSAPublicKey) currPubKey).getY();
KeyFactory kf = KeyFactory.getInstance("DSA");
DSAPublicKeySpec ks = new DSAPublicKeySpec(y, params.getP(), params.getQ(), params.getG());
currPubKey = kf.generatePublic(ks);
} catch (GeneralSecurityException e) {
throw new CertPathValidatorException("Unable to generate " + "key with inherited parameters: " + e.getMessage(), e);
}
}
// reset the previous public key
prevPubKey = currPubKey;
}
Also used :
DisabledAlgorithmConstraints(sun.security.util.DisabledAlgorithmConstraints)
CryptoPrimitive(java.security.CryptoPrimitive)
PublicKey(java.security.PublicKey)
DSAPublicKey(java.security.interfaces.DSAPublicKey)
GeneralSecurityException(java.security.GeneralSecurityException)
CertificateException(java.security.cert.CertificateException)
DSAParams(java.security.interfaces.DSAParams)
ConstraintsParameters(sun.security.util.ConstraintsParameters)
X509Certificate(java.security.cert.X509Certificate)
DSAPublicKey(java.security.interfaces.DSAPublicKey)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
AlgorithmId(sun.security.x509.AlgorithmId)
X509CertImpl(sun.security.x509.X509CertImpl)
BigInteger(java.math.BigInteger)
KeyFactory(java.security.KeyFactory)
AlgorithmParameters(java.security.AlgorithmParameters)
DSAPublicKeySpec(java.security.spec.DSAPublicKeySpec)
Example 55 with X509CertImpl
use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project jdk8u_jdk by JetBrains.
the class SimpleValidator method getNetscapeCertTypeBit.
/**
* Get the value of the specified bit in the Netscape certificate type
* extension. If the extension is not present at all, we return true.
*/
static boolean getNetscapeCertTypeBit(X509Certificate cert, String type) {
try {
NetscapeCertTypeExtension ext;
if (cert instanceof X509CertImpl) {
X509CertImpl certImpl = (X509CertImpl) cert;
ObjectIdentifier oid = OBJID_NETSCAPE_CERT_TYPE;
ext = (NetscapeCertTypeExtension) certImpl.getExtension(oid);
if (ext == null) {
return true;
}
} else {
byte[] extVal = cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
if (extVal == null) {
return true;
}
DerInputStream in = new DerInputStream(extVal);
byte[] encoded = in.getOctetString();
encoded = new DerValue(encoded).getUnalignedBitString().toByteArray();
ext = new NetscapeCertTypeExtension(encoded);
}
Boolean val = ext.get(type);
return val.booleanValue();
} catch (IOException e) {
return false;
}
}
Also used :
X509CertImpl(sun.security.x509.X509CertImpl)
DerValue(sun.security.util.DerValue)
DerInputStream(sun.security.util.DerInputStream)
IOException(java.io.IOException)
NetscapeCertTypeExtension(sun.security.x509.NetscapeCertTypeExtension)
ObjectIdentifier(sun.security.util.ObjectIdentifier)
Aggregations
X509CertImpl (sun.security.x509.X509CertImpl)92
CertificateException (java.security.cert.CertificateException)41
IOException (java.io.IOException)31
X509Certificate (java.security.cert.X509Certificate)23
CertPathValidatorException (java.security.cert.CertPathValidatorException)17
BigInteger (java.math.BigInteger)16
PublicKey (java.security.PublicKey)15
X500Name (sun.security.x509.X500Name)14
X509CertInfo (sun.security.x509.X509CertInfo)14
AlgorithmId (sun.security.x509.AlgorithmId)13
CertificateAlgorithmId (sun.security.x509.CertificateAlgorithmId)13
X509CertImpl (org.mozilla.jss.netscape.security.x509.X509CertImpl)12
CertificateSerialNumber (sun.security.x509.CertificateSerialNumber)11
CertificateValidity (sun.security.x509.CertificateValidity)11
CertificateX509Key (sun.security.x509.CertificateX509Key)11
CertificateFactory (java.security.cert.CertificateFactory)10
CertificateVersion (sun.security.x509.CertificateVersion)10
SubjectAlternativeNameExtension (sun.security.x509.SubjectAlternativeNameExtension)9
CertificateIssuerName (sun.security.x509.CertificateIssuerName)8
CertificateSubjectName (sun.security.x509.CertificateSubjectName)8
