Examples with X509CertImpl org.mozilla.jss.netscape.security.x509.X509CertImpl used on opensource projects

Example 41 with X509CertImpl

use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project Bytecoder by mirkosertic.

the class Builder method targetDistance.

/**
 * Determine how close a given certificate gets you toward
 * a given target.
 *
 * @param constraints Current NameConstraints; if null,
 *        then caller must verify NameConstraints
 *        independently, realizing that this certificate
 *        may not actually lead to the target at all.
 * @param cert Candidate certificate for chain
 * @param target GeneralNameInterface name of target
 * @return distance from this certificate to target:
 * <ul>
 * <li>-1 means certificate could be CA for target, but
 *     there are no NameConstraints limiting how close
 * <li> 0 means certificate subject or subjectAltName
 *      matches target
 * <li> 1 means certificate is permitted to be CA for
 *      target.
 * <li> 2 means certificate is permitted to be CA for
 *      parent of target.
 * <li>&gt;0 in general, means certificate is permitted
 *     to be a CA for this distance higher in the naming
 *     hierarchy than the target, plus 1.
 * </ul>
 * <p>Note that the subject and/or subjectAltName of the
 * candidate cert does not have to be an ancestor of the
 * target in order to be a CA that can issue a certificate to
 * the target. In these cases, the target distance is calculated
 * by inspecting the NameConstraints extension in the candidate
 * certificate. For example, suppose the target is an X.500 DN with
 * a value of "CN=mullan,OU=ireland,O=sun,C=us" and the
 * NameConstraints extension in the candidate certificate
 * includes a permitted component of "O=sun,C=us", which implies
 * that the candidate certificate is allowed to issue certs in
 * the "O=sun,C=us" namespace. The target distance is 3
 * ((distance of permitted NC from target) + 1).
 * The (+1) is added to distinguish the result from the case
 * which returns (0).
 * @throws IOException if certificate does not get closer
 */
static int targetDistance(NameConstraintsExtension constraints, X509Certificate cert, GeneralNameInterface target) throws IOException {
    /* ensure that certificate satisfies existing name constraints */
    if (constraints != null && !constraints.verify(cert)) {
        throw new IOException("certificate does not satisfy existing name " + "constraints");
    }
    X509CertImpl certImpl;
    try {
        certImpl = X509CertImpl.toImpl(cert);
    } catch (CertificateException e) {
        throw new IOException("Invalid certificate", e);
    }
    /* see if certificate subject matches target */
    X500Name subject = X500Name.asX500Name(certImpl.getSubjectX500Principal());
    if (subject.equals(target)) {
        /* match! */
        return 0;
    }
    SubjectAlternativeNameExtension altNameExt = certImpl.getSubjectAlternativeNameExtension();
    if (altNameExt != null) {
        GeneralNames altNames = altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
        /* see if any alternative name matches target */
        if (altNames != null) {
            for (int j = 0, n = altNames.size(); j < n; j++) {
                GeneralNameInterface altName = altNames.get(j).getName();
                if (altName.equals(target)) {
                    return 0;
                }
            }
        }
    }
    /* no exact match; see if certificate can get us to target */
    /* first, get NameConstraints out of certificate */
    NameConstraintsExtension ncExt = certImpl.getNameConstraintsExtension();
    if (ncExt == null) {
        return -1;
    }
    /* merge certificate's NameConstraints with current NameConstraints */
    if (constraints != null) {
        constraints.merge(ncExt);
    } else {
        // Make sure we do a clone here, because we're probably
        // going to modify this object later and we don't want to
        // be sharing it with a Certificate object!
        constraints = (NameConstraintsExtension) ncExt.clone();
    }
    if (debug != null) {
        debug.println("Builder.targetDistance() merged constraints: " + String.valueOf(constraints));
    }
    /* reduce permitted by excluded */
    GeneralSubtrees permitted = constraints.get(NameConstraintsExtension.PERMITTED_SUBTREES);
    GeneralSubtrees excluded = constraints.get(NameConstraintsExtension.EXCLUDED_SUBTREES);
    if (permitted != null) {
        permitted.reduce(excluded);
    }
    if (debug != null) {
        debug.println("Builder.targetDistance() reduced constraints: " + permitted);
    }
    /* see if new merged constraints allow target */
    if (!constraints.verify(target)) {
        throw new IOException("New certificate not allowed to sign " + "certificate for target");
    }
    /* find distance to target, if any, in permitted */
    if (permitted == null) {
        /* certificate is unconstrained; could sign for anything */
        return -1;
    }
    for (int i = 0, n = permitted.size(); i < n; i++) {
        GeneralNameInterface perName = permitted.get(i).getName().getName();
        int distance = distance(perName, target, -1);
        if (distance >= 0) {
            return (distance + 1);
        }
    }
    /* no matching type in permitted; cert holder could certify target */
    return -1;
}

Example 42 with X509CertImpl

use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project Bytecoder by mirkosertic.

the class PKCS7 method parseOldSignedData.

/*
     * Parses an old-style SignedData encoding (for backwards
     * compatibility with JDK1.1.x).
     */
private void parseOldSignedData(DerValue val) throws ParsingException, IOException {
    DerInputStream dis = val.toDerInputStream();
    // Version
    version = dis.getBigInteger();
    // digestAlgorithmIds
    DerValue[] digestAlgorithmIdVals = dis.getSet(1);
    int len = digestAlgorithmIdVals.length;
    digestAlgorithmIds = new AlgorithmId[len];
    try {
        for (int i = 0; i < len; i++) {
            DerValue oid = digestAlgorithmIdVals[i];
            digestAlgorithmIds[i] = AlgorithmId.parse(oid);
        }
    } catch (IOException e) {
        throw new ParsingException("Error parsing digest AlgorithmId IDs");
    }
    // contentInfo
    contentInfo = new ContentInfo(dis, true);
    // certificates
    CertificateFactory certfac = null;
    try {
        certfac = CertificateFactory.getInstance("X.509");
    } catch (CertificateException ce) {
    // do nothing
    }
    DerValue[] certVals = dis.getSet(2);
    len = certVals.length;
    certificates = new X509Certificate[len];
    for (int i = 0; i < len; i++) {
        ByteArrayInputStream bais = null;
        try {
            if (certfac == null)
                certificates[i] = new X509CertImpl(certVals[i]);
            else {
                byte[] encoded = certVals[i].toByteArray();
                bais = new ByteArrayInputStream(encoded);
                certificates[i] = (X509Certificate) certfac.generateCertificate(bais);
                bais.close();
                bais = null;
            }
        } catch (CertificateException ce) {
            ParsingException pe = new ParsingException(ce.getMessage());
            pe.initCause(ce);
            throw pe;
        } catch (IOException ioe) {
            ParsingException pe = new ParsingException(ioe.getMessage());
            pe.initCause(ioe);
            throw pe;
        } finally {
            if (bais != null)
                bais.close();
        }
    }
    // crls are ignored.
    dis.getSet(0);
    // signerInfos
    DerValue[] signerInfoVals = dis.getSet(1);
    len = signerInfoVals.length;
    signerInfos = new SignerInfo[len];
    for (int i = 0; i < len; i++) {
        DerInputStream in = signerInfoVals[i].toDerInputStream();
        signerInfos[i] = new SignerInfo(in, true);
    }
}

Example 43 with X509CertImpl

use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project Bytecoder by mirkosertic.

the class PKCS7 method encodeSignedData.

/**
 * Encodes the signed data to a DerOutputStream.
 *
 * @param out the DerOutputStream to write the encoded data to.
 * @exception IOException on encoding errors.
 */
public void encodeSignedData(DerOutputStream out) throws IOException {
    DerOutputStream signedData = new DerOutputStream();
    // version
    signedData.putInteger(version);
    // digestAlgorithmIds
    signedData.putOrderedSetOf(DerValue.tag_Set, digestAlgorithmIds);
    // contentInfo
    contentInfo.encode(signedData);
    // certificates (optional)
    if (certificates != null && certificates.length != 0) {
        // cast to X509CertImpl[] since X509CertImpl implements DerEncoder
        X509CertImpl[] implCerts = new X509CertImpl[certificates.length];
        for (int i = 0; i < certificates.length; i++) {
            if (certificates[i] instanceof X509CertImpl)
                implCerts[i] = (X509CertImpl) certificates[i];
            else {
                try {
                    byte[] encoded = certificates[i].getEncoded();
                    implCerts[i] = new X509CertImpl(encoded);
                } catch (CertificateException ce) {
                    throw new IOException(ce);
                }
            }
        }
        // Add the certificate set (tagged with [0] IMPLICIT)
        // to the signed data
        signedData.putOrderedSetOf((byte) 0xA0, implCerts);
    }
    // CRLs (optional)
    if (crls != null && crls.length != 0) {
        // cast to X509CRLImpl[] since X509CRLImpl implements DerEncoder
        Set<X509CRLImpl> implCRLs = new HashSet<>(crls.length);
        for (X509CRL crl : crls) {
            if (crl instanceof X509CRLImpl)
                implCRLs.add((X509CRLImpl) crl);
            else {
                try {
                    byte[] encoded = crl.getEncoded();
                    implCRLs.add(new X509CRLImpl(encoded));
                } catch (CRLException ce) {
                    throw new IOException(ce);
                }
            }
        }
        // Add the CRL set (tagged with [1] IMPLICIT)
        // to the signed data
        signedData.putOrderedSetOf((byte) 0xA1, implCRLs.toArray(new X509CRLImpl[implCRLs.size()]));
    }
    // signerInfos
    signedData.putOrderedSetOf(DerValue.tag_Set, signerInfos);
    // making it a signed data block
    DerValue signedDataSeq = new DerValue(DerValue.tag_Sequence, signedData.toByteArray());
    // making it a content info sequence
    ContentInfo block = new ContentInfo(ContentInfo.SIGNED_DATA_OID, signedDataSeq);
    // writing out the contentInfo sequence
    block.encode(out);
}

Example 44 with X509CertImpl

use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project cdap by caskdata.

the class KeyStores method getCertificate.

/**
 * Generate an X.509 certificate
 *
 * @param dn Distinguished name for the owner of the certificate, it will also be the signer of the certificate.
 * @param pair Key pair used for signing the certificate.
 * @param days Validity of the certificate.
 * @param algorithm Name of the signature algorithm used.
 * @return A X.509 certificate
 */
private static X509Certificate getCertificate(String dn, KeyPair pair, int days, String algorithm) throws IOException, CertificateException, NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    // Calculate the validity interval of the certificate
    Date from = new Date();
    Date to = DateUtils.addDays(from, days);
    CertificateValidity interval = new CertificateValidity(from, to);
    // Generate a random number to use as the serial number for the certificate
    BigInteger sn = new BigInteger(64, new SecureRandom());
    // Create the name of the owner based on the provided distinguished name
    X500Name owner = new X500Name(dn);
    // Create an info objects with the provided information, which will be used to create the certificate
    X509CertInfo info = new X509CertInfo();
    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    // In java 7, subject is of type CertificateSubjectName and issuer is of type CertificateIssuerName.
    // These were changed to X500Name in Java8. So looking at the field type before setting them.
    // This certificate will be self signed, hence the subject and the issuer are same.
    Field subjectField = null;
    try {
        subjectField = info.getClass().getDeclaredField("subject");
        if (subjectField.getType().equals(X500Name.class)) {
            info.set(X509CertInfo.SUBJECT, owner);
            info.set(X509CertInfo.ISSUER, owner);
        } else {
            info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
            info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
        }
    } catch (NoSuchFieldException e) {
        // Trying to set it to Java 8 types. If one of the underlying fields has changed then this will throw a
        // CertificateException which is handled by the caller.
        info.set(X509CertInfo.SUBJECT, owner);
        info.set(X509CertInfo.ISSUER, owner);
    }
    info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    AlgorithmId algo = new AlgorithmId(AlgorithmId.sha1WithRSAEncryption_oid);
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
    // Create the certificate and sign it with the private key
    X509CertImpl cert = new X509CertImpl(info);
    PrivateKey privateKey = pair.getPrivate();
    cert.sign(privateKey, algorithm);
    return cert;
}

Example 45 with X509CertImpl

use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project ariADDna by StnetixDevTeam.

the class CertFactory method getNewCertificate.

public File getNewCertificate(String alias) throws KeyStoreException {
    KeyPairGenerator keyPairGenerator = null;
    try {
        keyPairGenerator = KeyPairGenerator.getInstance(CRYPTO_ALGORITHM_RSA);
        keyPairGenerator.initialize(CERTIFICATE_SIZE);
        KeyPair keyPair = keyPairGenerator.generateKeyPair();
        PrivateKey privateKey = keyPair.getPrivate();
        X509CertInfo certInfo = new X509CertInfo();
        CertificateValidity interval = new CertificateValidity(FROM, TO);
        BigInteger sn = new BigInteger(64, new SecureRandom());
        X500Name owner = new X500Name(SUBJECT_CN + alias + ", " + SUBJECT_L_C);
        certInfo.set(X509CertInfo.VALIDITY, interval);
        certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
        certInfo.set(X509CertInfo.SUBJECT, owner);
        certInfo.set(X509CertInfo.ISSUER, owner);
        certInfo.set(X509CertInfo.KEY, new CertificateX509Key(keyPair.getPublic()));
        certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
        AlgorithmId algorithm = new AlgorithmId(AlgorithmId.md2WithRSAEncryption_oid);
        certInfo.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algorithm));
        X509CertImpl cert = new X509CertImpl(certInfo);
        cert.sign(privateKey, CRYPTO_ALGORITHM_SHA1RSA);
        algorithm = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
        certInfo.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algorithm);
        cert = new X509CertImpl(certInfo);
        cert.sign(privateKey, CRYPTO_ALGORITHM_SHA1RSA);
        File certFile = new File(alias + ".cer");
        if (certFile.createNewFile()) {
            FileOutputStream fos = new FileOutputStream(certFile);
            fos.write(cert.getEncoded());
            fos.close();
        }
        LOGGER.info("Certificate generated with filename {}", certFile.getAbsolutePath());
        CertificateDTO storedCert = persistHelper.storeCertificete(new CertificateDTO(alias, true));
        LOGGER.info("Certificate stored id DB with id {}", storedCert.getId());
        return certFile;
    } catch (Exception e) {
        LOGGER.error("Exception: ", e);
        throw new KeyStoreException("Caused by: ", e);
    }
}