Search in sources :

Example 1 with AuthenticatedSafes

use of org.mozilla.jss.pkcs12.AuthenticatedSafes in project OpenAM by OpenRock.

the class SecureLogHelperJSSImpl method readFromSecretStore.

/**
     * Returns matched secret data from from the secret Storage. 
     * At a time there are only 3 things in logger's secure store file 
     *    - initialkey, currentkey and current signature
     * In the verifier secure store file there is just the initial key of the
     * logger and the currentKey
     * @param filename file for secret storage
     * @param dataType The kind of data to be read, whether it is a
     *                 signature or a key
     * @param password password for the file
     * @return secure data that is matched with dataType
     * @throws Exception if it fails to read secret data from secret store
     */
byte[] readFromSecretStore(String filename, String dataType, AMPassword password) throws Exception {
    // open input file for reading
    FileInputStream infile = null;
    infile = new FileInputStream(filename);
    // Decode the P12 file
    PFX.Template pfxt = new PFX.Template();
    PFX pfx = (PFX) pfxt.decode(new BufferedInputStream(infile, 2048));
    // Verify the MAC on the PFX.  This is important to be sure
    // it hasn't been tampered with.
    StringBuffer reason = new StringBuffer();
    MessageDigest md = MessageDigest.getInstance("SHA");
    Password jssPasswd = new Password(new String(md.digest(password.getByteCopy()), "UTF-8").toCharArray());
    md.reset();
    if (!pfx.verifyAuthSafes(jssPasswd, reason)) {
        throw new Exception("AuthSafes failed to verify because: " + reason.toString());
    }
    AuthenticatedSafes authSafes = pfx.getAuthSafes();
    SEQUENCE safeContentsSequence = authSafes.getSequence();
    byte[] cryptoData = null;
    // Loop over contents of the authenticated safes
    for (int i = 0; i < safeContentsSequence.size(); i++) {
        // The safeContents may or may not be encrypted.  We always send
        // the password in.  It will get used if it is needed.  If the
        // decryption of the safeContents fails for some reason (like
        // a bad password), then this method will throw an exception
        SEQUENCE safeContents = authSafes.getSafeContentsAt(jssPasswd, i);
        SafeBag safeBag = null;
        ASN1Value val = null;
        // Go through all the bags in this SafeContents
        for (int j = 0; j < safeContents.size(); j++) {
            safeBag = (SafeBag) safeContents.elementAt(j);
            // look for bag attributes and then choose the key
            SET attribs = safeBag.getBagAttributes();
            if (attribs == null) {
                Debug.error("Bag has no attributes");
            } else {
                for (int b = 0; b < attribs.size(); b++) {
                    Attribute a = (Attribute) attribs.elementAt(b);
                    if (a.getType().equals(SafeBag.FRIENDLY_NAME)) {
                        // the friendly name attribute is a nickname
                        BMPString bs = (BMPString) ((ANY) a.getValues().elementAt(0)).decodeWith(BMPString.getTemplate());
                        if (dataType.equals(bs.toString())) {
                            // look at the contents of the bag
                            val = safeBag.getInterpretedBagContent();
                            break;
                        }
                    }
                }
            }
        }
        if (val instanceof ANY)
            cryptoData = ((ANY) val).getContents();
    }
    // Close the file
    infile.close();
    return cryptoData;
}
Also used : PFX(org.mozilla.jss.pkcs12.PFX) SET(org.mozilla.jss.asn1.SET) Attribute(org.mozilla.jss.pkix.primitive.Attribute) BMPString(org.mozilla.jss.asn1.BMPString) SafeBag(org.mozilla.jss.pkcs12.SafeBag) ANY(org.mozilla.jss.asn1.ANY) FileInputStream(java.io.FileInputStream) AuthenticatedSafes(org.mozilla.jss.pkcs12.AuthenticatedSafes) ASN1Value(org.mozilla.jss.asn1.ASN1Value) BufferedInputStream(java.io.BufferedInputStream) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) MessageDigest(java.security.MessageDigest) BMPString(org.mozilla.jss.asn1.BMPString) AMPassword(com.sun.identity.security.keystore.AMPassword) Password(org.mozilla.jss.util.Password)

Example 2 with AuthenticatedSafes

use of org.mozilla.jss.pkcs12.AuthenticatedSafes in project OpenAM by OpenRock.

the class SecureLogHelperJSSImpl method writeToSecretStore.

/**
     * Writes to the secret Storage. If the data to be written is a key, then
     * writes the older signature also. If it is a signature then writes the
     * older key also
     * @param cryptoMaterial The data to be written to the secret storage
     * @param filename The file for secret storage
     * @param password The password for the file
     * @param dataType The kind of cryptoMaterial, whether it is a signature
     * or a key
     * @throws Exception if it fails to write secret data from secret store
     */
void writeToSecretStore(byte[] cryptoMaterial, String filename, AMPassword password, String dataType) throws Exception {
    byte[] oldDataFromSecretStorage = null;
    String oldDataType = null;
    MessageDigest md = MessageDigest.getInstance("SHA");
    Password jssPasswd = new Password(new String(md.digest(password.getByteCopy()), "UTF-8").toCharArray());
    md.reset();
    // Do this only when the logger's file is being used
    if (filename.equals(logFileName) && loggerInitialized) {
        // current signature in the PKCS12 file
        if (dataType.equals(currentSignature)) {
            oldDataFromSecretStorage = readFromSecretStore(logFileName, currentKey, password);
            oldDataType = currentKey;
        } else if (dataType.equals(currentKey)) {
            // need to read the currentSignature 
            // for the same reason as above
            oldDataFromSecretStorage = readFromSecretStore(logFileName, currentSignature, password);
            oldDataType = currentSignature;
        }
    }
    // Start building the new contents by adding the older content first
    AuthenticatedSafes newAuthSafes = new AuthenticatedSafes();
    if (oldDataFromSecretStorage != null) {
        SEQUENCE oldSafeContents = AddToSecretStore(oldDataFromSecretStorage, oldDataType);
        // Add the old contents to the existing safe
        newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, oldSafeContents);
    }
    // not being added for the first time
    if ((filename.equals(logFileName)) && !dataType.equals(initialKey) && loggerInitialized) {
        byte[] key = readFromSecretStore(filename, initialKey, password);
        if (key != null) {
            SEQUENCE initialKeySafeContents = AddToSecretStore(key, initialKey);
            newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, initialKeySafeContents);
        }
    }
    if ((filename.equals(verifierFileName)) && !dataType.equals(initialKey) && verifierInitialized) {
        byte[] key = readFromSecretStore(filename, initialKey, password);
        if (key != null) {
            SEQUENCE initialKeySafeContents = AddToSecretStore(key, initialKey);
            newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, initialKeySafeContents);
        }
    }
    // Add the new contents
    SEQUENCE encSafeContents = AddToSecretStore(cryptoMaterial, dataType);
    // Add the new contents to the existing safe
    newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, encSafeContents);
    PFX newpfx = new PFX(newAuthSafes);
    newpfx.computeMacData(jssPasswd, null, 5);
    // write the new PFX out to the logger
    FileOutputStream fos = new FileOutputStream(filename);
    newpfx.encode(fos);
    fos.close();
}
Also used : PFX(org.mozilla.jss.pkcs12.PFX) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) FileOutputStream(java.io.FileOutputStream) BMPString(org.mozilla.jss.asn1.BMPString) MessageDigest(java.security.MessageDigest) AMPassword(com.sun.identity.security.keystore.AMPassword) Password(org.mozilla.jss.util.Password) AuthenticatedSafes(org.mozilla.jss.pkcs12.AuthenticatedSafes)

Aggregations

AMPassword (com.sun.identity.security.keystore.AMPassword)2 MessageDigest (java.security.MessageDigest)2 BMPString (org.mozilla.jss.asn1.BMPString)2 SEQUENCE (org.mozilla.jss.asn1.SEQUENCE)2 AuthenticatedSafes (org.mozilla.jss.pkcs12.AuthenticatedSafes)2 PFX (org.mozilla.jss.pkcs12.PFX)2 Password (org.mozilla.jss.util.Password)2 BufferedInputStream (java.io.BufferedInputStream)1 FileInputStream (java.io.FileInputStream)1 FileOutputStream (java.io.FileOutputStream)1 ANY (org.mozilla.jss.asn1.ANY)1 ASN1Value (org.mozilla.jss.asn1.ASN1Value)1 SET (org.mozilla.jss.asn1.SET)1 SafeBag (org.mozilla.jss.pkcs12.SafeBag)1 Attribute (org.mozilla.jss.pkix.primitive.Attribute)1