Examples with X509CertImpl org.mozilla.jss.netscape.security.x509.X509CertImpl used on opensource projects

Example 91 with X509CertImpl

use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project j2objc by google.

the class PKIXCertPathValidator method validate.

private static PKIXCertPathValidatorResult validate(ValidatorParams params) throws CertPathValidatorException {
    if (debug != null)
        debug.println("PKIXCertPathValidator.engineValidate()...");
    // Retrieve the first certificate in the certpath
    // (to be used later in pre-screening)
    AdaptableX509CertSelector selector = null;
    List<X509Certificate> certList = params.certificates();
    if (!certList.isEmpty()) {
        selector = new AdaptableX509CertSelector();
        X509Certificate firstCert = certList.get(0);
        // check trusted certificate's subject
        selector.setSubject(firstCert.getIssuerX500Principal());
        // check the validity period
        selector.setValidityPeriod(firstCert.getNotBefore(), firstCert.getNotAfter());
        /*
             * Facilitate certification path construction with authority
             * key identifier and subject key identifier.
             */
        try {
            X509CertImpl firstCertImpl = X509CertImpl.toImpl(firstCert);
            selector.parseAuthorityKeyIdentifierExtension(firstCertImpl.getAuthorityKeyIdentifierExtension());
        } catch (CertificateException | IOException e) {
        // ignore
        }
    }
    CertPathValidatorException lastException = null;
    // one that works at which time we stop iterating
    for (TrustAnchor anchor : params.trustAnchors()) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            // we move on to the next one
            if (selector != null && !selector.match(trustedCert)) {
                if (debug != null) {
                    debug.println("NO - don't try this trustedCert");
                }
                continue;
            }
            if (debug != null) {
                debug.println("YES - try this trustedCert");
                debug.println("anchor.getTrustedCert()." + "getSubjectX500Principal() = " + trustedCert.getSubjectX500Principal());
            }
        } else {
            if (debug != null) {
                debug.println("PKIXCertPathValidator.engineValidate(): " + "anchor.getTrustedCert() == null");
            }
        }
        try {
            return validate(anchor, params);
        } catch (CertPathValidatorException cpe) {
            // remember this exception
            lastException = cpe;
        }
    }
    // (a) if we did a validation and it failed, use that exception
    if (lastException != null) {
        throw lastException;
    }
    // (b) otherwise, generate new exception
    throw new CertPathValidatorException("Path does not chain with any of the trust anchors", null, null, -1, PKIXReason.NO_TRUST_ANCHOR);
}

Example 92 with X509CertImpl

use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project j2objc by google.

the class Builder method targetDistance.

/**
 * Determine how close a given certificate gets you toward
 * a given target.
 *
 * @param constraints Current NameConstraints; if null,
 *        then caller must verify NameConstraints
 *        independently, realizing that this certificate
 *        may not actually lead to the target at all.
 * @param cert Candidate certificate for chain
 * @param target GeneralNameInterface name of target
 * @return distance from this certificate to target:
 * <ul>
 * <li>-1 means certificate could be CA for target, but
 *     there are no NameConstraints limiting how close
 * <li> 0 means certificate subject or subjectAltName
 *      matches target
 * <li> 1 means certificate is permitted to be CA for
 *      target.
 * <li> 2 means certificate is permitted to be CA for
 *      parent of target.
 * <li>&gt;0 in general, means certificate is permitted
 *     to be a CA for this distance higher in the naming
 *     hierarchy than the target, plus 1.
 * </ul>
 * <p>Note that the subject and/or subjectAltName of the
 * candidate cert does not have to be an ancestor of the
 * target in order to be a CA that can issue a certificate to
 * the target. In these cases, the target distance is calculated
 * by inspecting the NameConstraints extension in the candidate
 * certificate. For example, suppose the target is an X.500 DN with
 * a value of "CN=mullan,OU=ireland,O=sun,C=us" and the
 * NameConstraints extension in the candidate certificate
 * includes a permitted component of "O=sun,C=us", which implies
 * that the candidate certificate is allowed to issue certs in
 * the "O=sun,C=us" namespace. The target distance is 3
 * ((distance of permitted NC from target) + 1).
 * The (+1) is added to distinguish the result from the case
 * which returns (0).
 * @throws IOException if certificate does not get closer
 */
static int targetDistance(NameConstraintsExtension constraints, X509Certificate cert, GeneralNameInterface target) throws IOException {
    /* ensure that certificate satisfies existing name constraints */
    if (constraints != null && !constraints.verify(cert)) {
        throw new IOException("certificate does not satisfy existing name " + "constraints");
    }
    X509CertImpl certImpl;
    try {
        certImpl = X509CertImpl.toImpl(cert);
    } catch (CertificateException e) {
        throw new IOException("Invalid certificate", e);
    }
    /* see if certificate subject matches target */
    X500Name subject = X500Name.asX500Name(certImpl.getSubjectX500Principal());
    if (subject.equals(target)) {
        /* match! */
        return 0;
    }
    SubjectAlternativeNameExtension altNameExt = certImpl.getSubjectAlternativeNameExtension();
    if (altNameExt != null) {
        GeneralNames altNames = altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
        /* see if any alternative name matches target */
        if (altNames != null) {
            for (int j = 0, n = altNames.size(); j < n; j++) {
                GeneralNameInterface altName = altNames.get(j).getName();
                if (altName.equals(target)) {
                    return 0;
                }
            }
        }
    }
    /* no exact match; see if certificate can get us to target */
    /* first, get NameConstraints out of certificate */
    NameConstraintsExtension ncExt = certImpl.getNameConstraintsExtension();
    if (ncExt == null) {
        return -1;
    }
    /* merge certificate's NameConstraints with current NameConstraints */
    if (constraints != null) {
        constraints.merge(ncExt);
    } else {
        // Make sure we do a clone here, because we're probably
        // going to modify this object later and we don't want to
        // be sharing it with a Certificate object!
        constraints = (NameConstraintsExtension) ncExt.clone();
    }
    if (debug != null) {
        debug.println("Builder.targetDistance() merged constraints: " + String.valueOf(constraints));
    }
    /* reduce permitted by excluded */
    GeneralSubtrees permitted = constraints.get(NameConstraintsExtension.PERMITTED_SUBTREES);
    GeneralSubtrees excluded = constraints.get(NameConstraintsExtension.EXCLUDED_SUBTREES);
    if (permitted != null) {
        permitted.reduce(excluded);
    }
    if (debug != null) {
        debug.println("Builder.targetDistance() reduced constraints: " + permitted);
    }
    /* see if new merged constraints allow target */
    if (!constraints.verify(target)) {
        throw new IOException("New certificate not allowed to sign " + "certificate for target");
    }
    /* find distance to target, if any, in permitted */
    if (permitted == null) {
        /* certificate is unconstrained; could sign for anything */
        return -1;
    }
    for (int i = 0, n = permitted.size(); i < n; i++) {
        GeneralNameInterface perName = permitted.get(i).getName().getName();
        int distance = distance(perName, target, -1);
        if (distance >= 0) {
            return (distance + 1);
        }
    }
    /* no matching type in permitted; cert holder could certify target */
    return -1;
}

Example 93 with X509CertImpl

use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project j2objc by google.

the class Vertex method certToString.

/**
 * Return string representation of this vertex's
 * certificate information.
 *
 * @returns String representation of certificate info
 */
public String certToString() {
    StringBuilder sb = new StringBuilder();
    X509CertImpl x509Cert = null;
    try {
        x509Cert = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            ce.printStackTrace();
        }
        return sb.toString();
    }
    sb.append("Issuer:     ").append(x509Cert.getIssuerX500Principal()).append("\n");
    sb.append("Subject:    ").append(x509Cert.getSubjectX500Principal()).append("\n");
    sb.append("SerialNum:  ").append(x509Cert.getSerialNumber().toString(16)).append("\n");
    sb.append("Expires:    ").append(x509Cert.getNotAfter().toString()).append("\n");
    boolean[] iUID = x509Cert.getIssuerUniqueID();
    if (iUID != null) {
        sb.append("IssuerUID:  ");
        for (boolean b : iUID) {
            sb.append(b ? 1 : 0);
        }
        sb.append("\n");
    }
    boolean[] sUID = x509Cert.getSubjectUniqueID();
    if (sUID != null) {
        sb.append("SubjectUID: ");
        for (boolean b : sUID) {
            sb.append(b ? 1 : 0);
        }
        sb.append("\n");
    }
    try {
        SubjectKeyIdentifierExtension sKeyID = x509Cert.getSubjectKeyIdentifierExtension();
        if (sKeyID != null) {
            KeyIdentifier keyID = sKeyID.get(SubjectKeyIdentifierExtension.KEY_ID);
            sb.append("SubjKeyID:  ").append(keyID.toString());
        }
        AuthorityKeyIdentifierExtension aKeyID = x509Cert.getAuthorityKeyIdentifierExtension();
        if (aKeyID != null) {
            KeyIdentifier keyID = (KeyIdentifier) aKeyID.get(AuthorityKeyIdentifierExtension.KEY_ID);
            sb.append("AuthKeyID:  ").append(keyID.toString());
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            e.printStackTrace();
        }
    }
    return sb.toString();
}

Example 94 with X509CertImpl

use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project j2objc by google.

the class PKCS7 method parseNetscapeCertChain.

private void parseNetscapeCertChain(DerValue val) throws ParsingException, IOException {
    DerInputStream dis = new DerInputStream(val.toByteArray());
    DerValue[] contents = dis.getSequence(2, true);
    certificates = new X509Certificate[contents.length];
    CertificateFactory certfac = null;
    try {
        certfac = CertificateFactory.getInstance("X.509");
    } catch (CertificateException ce) {
    // do nothing
    }
    for (int i = 0; i < contents.length; i++) {
        ByteArrayInputStream bais = null;
        try {
            byte[] original = contents[i].getOriginalEncodedForm();
            if (certfac == null)
                certificates[i] = new X509CertImpl(contents[i], original);
            else {
                bais = new ByteArrayInputStream(original);
                certificates[i] = new VerbatimX509Certificate((X509Certificate) certfac.generateCertificate(bais), original);
                bais.close();
                bais = null;
            }
        } catch (CertificateException ce) {
            ParsingException pe = new ParsingException(ce.getMessage());
            pe.initCause(ce);
            throw pe;
        } catch (IOException ioe) {
            ParsingException pe = new ParsingException(ioe.getMessage());
            pe.initCause(ioe);
            throw pe;
        } finally {
            if (bais != null)
                bais.close();
        }
    }
}

Example 95 with X509CertImpl

use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project cloudstack by apache.

the class AprSocketWrapperImpl method upgradeToSsl.

@Override
public void upgradeToSsl() {
    try {
        long sslContext;
        try {
            sslContext = SSLContext.make(pool, SSL.SSL_PROTOCOL_TLSV1, SSL.SSL_MODE_CLIENT);
        } catch (Exception e) {
            throw new RuntimeException("Cannot create SSL context using Tomcat native library.", e);
        }
        SSLContext.setOptions(sslContext, SSL.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS | SSL.SSL_OP_TLS_BLOCK_PADDING_BUG | SSL.SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | SSL.SSL_OP_MSIE_SSLV2_RSA_PADDING);
        // FIXME: verify certificate by default
        SSLContext.setVerify(sslContext, SSL.SSL_CVERIFY_NONE, 0);
        int ret;
        try {
            ret = SSLSocket.attach(sslContext, socket);
        } catch (Exception e) {
            throw new RuntimeException("[" + this + "] ERROR: Cannot attach SSL context to socket: ", e);
        }
        if (ret != 0)
            throw new RuntimeException("[" + this + "] ERROR: Cannot attach SSL context to socket(" + ret + "): " + SSL.getLastError());
        try {
            ret = SSLSocket.handshake(socket);
        } catch (Exception e) {
            throw new RuntimeException("[" + this + "] ERROR: Cannot make SSL handshake with server: ", e);
        }
        if (// 20014: bad certificate signature FIXME: show prompt for self signed certificate
        ret != 0 && ret != 20014)
            throw new RuntimeException("[" + this + "] ERROR: Cannot make SSL handshake with server(" + ret + "): " + SSL.getLastError());
        try {
            byte[] key = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT);
            // *DEBUG*/System.out.println("DEBUG: Server cert:\n"+new ByteBuffer(key).dump());
            sslState.serverCertificateSubjectPublicKeyInfo = new X509CertImpl(key).getPublicKey().getEncoded();
        } catch (Exception e) {
            throw new RuntimeException("[" + this + "] ERROR: Cannot get server public key: ", e);
        }
    } catch (RuntimeException e) {
        shutdown();
        throw e;
    }
}