Example 1 with ContentInfo
use of sun.security.pkcs.ContentInfo in project jdk8u_jdk by JetBrains.
the class PKCS12KeyStore method engineStore.
/**
* Stores this keystore to the given output stream, and protects its
* integrity with the given password.
*
* @param stream the output stream to which this keystore is written.
* @param password the password to generate the keystore integrity check
*
* @exception IOException if there was an I/O problem with data
* @exception NoSuchAlgorithmException if the appropriate data integrity
* algorithm could not be found
* @exception CertificateException if any of the certificates included in
* the keystore data could not be stored
*/
public synchronized void engineStore(OutputStream stream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException {
// password is mandatory when storing
if (password == null) {
throw new IllegalArgumentException("password can't be null");
}
// -- Create PFX
DerOutputStream pfx = new DerOutputStream();
// PFX version (always write the latest version)
DerOutputStream version = new DerOutputStream();
version.putInteger(VERSION_3);
byte[] pfxVersion = version.toByteArray();
pfx.write(pfxVersion);
// -- Create AuthSafe
DerOutputStream authSafe = new DerOutputStream();
// -- Create ContentInfos
DerOutputStream authSafeContentInfo = new DerOutputStream();
// -- create safeContent Data ContentInfo
if (privateKeyCount > 0 || secretKeyCount > 0) {
if (debug != null) {
debug.println("Storing " + (privateKeyCount + secretKeyCount) + " protected key(s) in a PKCS#7 data content-type");
}
byte[] safeContentData = createSafeContent();
ContentInfo dataContentInfo = new ContentInfo(safeContentData);
dataContentInfo.encode(authSafeContentInfo);
}
// -- create EncryptedContentInfo
if (certificateCount > 0) {
if (debug != null) {
debug.println("Storing " + certificateCount + " certificate(s) in a PKCS#7 encryptedData content-type");
}
byte[] encrData = createEncryptedData(password);
ContentInfo encrContentInfo = new ContentInfo(ContentInfo.ENCRYPTED_DATA_OID, new DerValue(encrData));
encrContentInfo.encode(authSafeContentInfo);
}
// wrap as SequenceOf ContentInfos
DerOutputStream cInfo = new DerOutputStream();
cInfo.write(DerValue.tag_SequenceOf, authSafeContentInfo);
byte[] authenticatedSafe = cInfo.toByteArray();
// Create Encapsulated ContentInfo
ContentInfo contentInfo = new ContentInfo(authenticatedSafe);
contentInfo.encode(authSafe);
byte[] authSafeData = authSafe.toByteArray();
pfx.write(authSafeData);
// -- MAC
byte[] macData = calculateMac(password, authenticatedSafe);
pfx.write(macData);
// write PFX to output stream
DerOutputStream pfxout = new DerOutputStream();
pfxout.write(DerValue.tag_Sequence, pfx);
byte[] pfxData = pfxout.toByteArray();
stream.write(pfxData);
stream.flush();
}
Also used :
DerOutputStream(sun.security.util.DerOutputStream)
ContentInfo(sun.security.pkcs.ContentInfo)
DerValue(sun.security.util.DerValue)
Example 2 with ContentInfo
use of sun.security.pkcs.ContentInfo in project jdk8u_jdk by JetBrains.
the class PKCS12KeyStore method engineLoad.
/**
* Loads the keystore from the given input stream.
*
* <p>If a password is given, it is used to check the integrity of the
* keystore data. Otherwise, the integrity of the keystore is not checked.
*
* @param stream the input stream from which the keystore is loaded
* @param password the (optional) password used to check the integrity of
* the keystore.
*
* @exception IOException if there is an I/O or format problem with the
* keystore data
* @exception NoSuchAlgorithmException if the algorithm used to check
* the integrity of the keystore cannot be found
* @exception CertificateException if any of the certificates in the
* keystore could not be loaded
*/
public synchronized void engineLoad(InputStream stream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException {
DataInputStream dis;
CertificateFactory cf = null;
ByteArrayInputStream bais = null;
byte[] encoded = null;
if (stream == null)
return;
// reset the counter
counter = 0;
DerValue val = new DerValue(stream);
DerInputStream s = val.toDerInputStream();
int version = s.getInteger();
if (version != VERSION_3) {
throw new IOException("PKCS12 keystore not in version 3 format");
}
entries.clear();
/*
* Read the authSafe.
*/
byte[] authSafeData;
ContentInfo authSafe = new ContentInfo(s);
ObjectIdentifier contentType = authSafe.getContentType();
if (contentType.equals((Object) ContentInfo.DATA_OID)) {
authSafeData = authSafe.getData();
} else /* signed data */
{
throw new IOException("public key protected PKCS12 not supported");
}
DerInputStream as = new DerInputStream(authSafeData);
DerValue[] safeContentsArray = as.getSequence(2);
int count = safeContentsArray.length;
// reset the counters at the start
privateKeyCount = 0;
secretKeyCount = 0;
certificateCount = 0;
/*
* Spin over the ContentInfos.
*/
for (int i = 0; i < count; i++) {
byte[] safeContentsData;
ContentInfo safeContents;
DerInputStream sci;
byte[] eAlgId = null;
sci = new DerInputStream(safeContentsArray[i].toByteArray());
safeContents = new ContentInfo(sci);
contentType = safeContents.getContentType();
safeContentsData = null;
if (contentType.equals((Object) ContentInfo.DATA_OID)) {
if (debug != null) {
debug.println("Loading PKCS#7 data content-type");
}
safeContentsData = safeContents.getData();
} else if (contentType.equals((Object) ContentInfo.ENCRYPTED_DATA_OID)) {
if (password == null) {
if (debug != null) {
debug.println("Warning: skipping PKCS#7 encryptedData" + " content-type - no password was supplied");
}
continue;
}
if (debug != null) {
debug.println("Loading PKCS#7 encryptedData content-type");
}
DerInputStream edi = safeContents.getContent().toDerInputStream();
int edVersion = edi.getInteger();
DerValue[] seq = edi.getSequence(2);
ObjectIdentifier edContentType = seq[0].getOID();
eAlgId = seq[1].toByteArray();
if (!seq[2].isContextSpecific((byte) 0)) {
throw new IOException("encrypted content not present!");
}
byte newTag = DerValue.tag_OctetString;
if (seq[2].isConstructed())
newTag |= 0x20;
seq[2].resetTag(newTag);
safeContentsData = seq[2].getOctetString();
// parse Algorithm parameters
DerInputStream in = seq[1].toDerInputStream();
ObjectIdentifier algOid = in.getOID();
AlgorithmParameters algParams = parseAlgParameters(algOid, in);
while (true) {
try {
// Use JCE
SecretKey skey = getPBEKey(password);
Cipher cipher = Cipher.getInstance(algOid.toString());
cipher.init(Cipher.DECRYPT_MODE, skey, algParams);
safeContentsData = cipher.doFinal(safeContentsData);
break;
} catch (Exception e) {
if (password.length == 0) {
// Retry using an empty password
// without a NULL terminator.
password = new char[1];
continue;
}
throw new IOException("keystore password was incorrect", new UnrecoverableKeyException("failed to decrypt safe contents entry: " + e));
}
}
} else {
throw new IOException("public key protected PKCS12" + " not supported");
}
DerInputStream sc = new DerInputStream(safeContentsData);
loadSafeContents(sc, password);
}
// The MacData is optional.
if (password != null && s.available() > 0) {
MacData macData = new MacData(s);
try {
String algName = macData.getDigestAlgName().toUpperCase(Locale.ENGLISH);
// Change SHA-1 to SHA1
algName = algName.replace("-", "");
// generate MAC (MAC key is created within JCE)
Mac m = Mac.getInstance("HmacPBE" + algName);
PBEParameterSpec params = new PBEParameterSpec(macData.getSalt(), macData.getIterations());
SecretKey key = getPBEKey(password);
m.init(key, params);
m.update(authSafeData);
byte[] macResult = m.doFinal();
if (debug != null) {
debug.println("Checking keystore integrity " + "(MAC algorithm: " + m.getAlgorithm() + ")");
}
if (!MessageDigest.isEqual(macData.getDigest(), macResult)) {
throw new UnrecoverableKeyException("Failed PKCS12" + " integrity checking");
}
} catch (Exception e) {
throw new IOException("Integrity check failed: " + e, e);
}
}
/*
* Match up private keys with certificate chains.
*/
PrivateKeyEntry[] list = keyList.toArray(new PrivateKeyEntry[keyList.size()]);
for (int m = 0; m < list.length; m++) {
PrivateKeyEntry entry = list[m];
if (entry.keyId != null) {
ArrayList<X509Certificate> chain = new ArrayList<X509Certificate>();
X509Certificate cert = findMatchedCertificate(entry);
mainloop: while (cert != null) {
// Check for loops in the certificate chain
if (!chain.isEmpty()) {
for (X509Certificate chainCert : chain) {
if (cert.equals(chainCert)) {
if (debug != null) {
debug.println("Loop detected in " + "certificate chain. Skip adding " + "repeated cert to chain. Subject: " + cert.getSubjectX500Principal().toString());
}
break mainloop;
}
}
}
chain.add(cert);
X500Principal issuerDN = cert.getIssuerX500Principal();
if (issuerDN.equals(cert.getSubjectX500Principal())) {
break;
}
cert = certsMap.get(issuerDN);
}
/* Update existing KeyEntry in entries table */
if (chain.size() > 0)
entry.chain = chain.toArray(new Certificate[chain.size()]);
}
}
if (debug != null) {
if (privateKeyCount > 0) {
debug.println("Loaded " + privateKeyCount + " protected private key(s)");
}
if (secretKeyCount > 0) {
debug.println("Loaded " + secretKeyCount + " protected secret key(s)");
}
if (certificateCount > 0) {
debug.println("Loaded " + certificateCount + " certificate(s)");
}
}
certEntries.clear();
certsMap.clear();
keyList.clear();
}
Also used :
CertificateFactory(java.security.cert.CertificateFactory)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
ContentInfo(sun.security.pkcs.ContentInfo)
DerValue(sun.security.util.DerValue)
DerInputStream(sun.security.util.DerInputStream)
PBEParameterSpec(javax.crypto.spec.PBEParameterSpec)
ObjectIdentifier(sun.security.util.ObjectIdentifier)
KeyStoreException(java.security.KeyStoreException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
UnrecoverableEntryException(java.security.UnrecoverableEntryException)
DestroyFailedException(javax.security.auth.DestroyFailedException)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
Mac(javax.crypto.Mac)
X509Certificate(java.security.cert.X509Certificate)
SecretKey(javax.crypto.SecretKey)
X500Principal(javax.security.auth.x500.X500Principal)
Cipher(javax.crypto.Cipher)
AlgorithmParameters(java.security.AlgorithmParameters)
Example 3 with ContentInfo
use of sun.security.pkcs.ContentInfo in project jdk8u_jdk by JetBrains.
the class X509CertPath method encodePKCS7.
/**
* Encode the CertPath using PKCS#7 format.
*
* @return a byte array containing the binary encoding of the PKCS#7 object
* @exception CertificateEncodingException if an exception occurs
*/
private byte[] encodePKCS7() throws CertificateEncodingException {
PKCS7 p7 = new PKCS7(new AlgorithmId[0], new ContentInfo(ContentInfo.DATA_OID, null), certs.toArray(new X509Certificate[certs.size()]), new SignerInfo[0]);
DerOutputStream derout = new DerOutputStream();
try {
p7.encodeSignedData(derout);
} catch (IOException ioe) {
throw new CertificateEncodingException(ioe.getMessage());
}
return derout.toByteArray();
}
Also used :
ContentInfo(sun.security.pkcs.ContentInfo)
DerOutputStream(sun.security.util.DerOutputStream)
PKCS7(sun.security.pkcs.PKCS7)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
Example 4 with ContentInfo
use of sun.security.pkcs.ContentInfo in project portal by ixinportal.
the class SignTool method signP7.
/**
* 签名
*
* @param data
* 数据
* @return signature 签名结果
* @throws GeneralSecurityException
* @throws IOException
* @throws IllegalArgumentException
*/
public String signP7(byte[] data) throws Exception {
if (mode != SIGNER)
throw new IllegalStateException("call a PKCS7Tool instance not for signature.");
Signature signer = Signature.getInstance(signingAlgorithm);
signer.initSign(privateKey);
signer.update(data, 0, data.length);
byte[] signedAttributes = signer.sign();
ContentInfo contentInfo = null;
Field data_oidField = ContentInfo.class.getField("DATA_OID");
Object data_oid = data_oidField.get(null);
Constructor contentInfoConstructor = ContentInfo.class.getConstructor(new Class[] { data_oid.getClass(), derValue });
contentInfo = (ContentInfo) contentInfoConstructor.newInstance(new Object[] { data_oid, null });
// 根证书
X509Certificate x509 = certificates[0];
java.math.BigInteger serial = x509.getSerialNumber();
// X500Name
Constructor x500NameConstructor = x500Name.getConstructor(new Class[] { String.class });
Object x500NameObject = x500NameConstructor.newInstance(new Object[] { x509.getIssuerDN().getName() });
// AlgorithmId
Method algorithmIdGet = algorithmId.getMethod("get", new Class[] { String.class });
Object digestAlgorithmId = algorithmIdGet.invoke(null, new Object[] { digestAlgorithm });
Field algorithmIdfield = algorithmId.getField("RSAEncryption_oid");
Object rsaOid = algorithmIdfield.get(null);
Constructor algorithmConstructor = algorithmId.getConstructor(new Class[] { objectIdentifier });
Object algorithmRsaOid = algorithmConstructor.newInstance(new Object[] { rsaOid });
// SignerInfo
Constructor signerInfoConstructor = SignerInfo.class.getConstructor(new Class[] { x500Name, BigInteger.class, algorithmId, PKCS9Attributes.class, algorithmId, byte[].class, PKCS9Attributes.class });
// 签名信息
SignerInfo si = (SignerInfo) signerInfoConstructor.newInstance(new Object[] { // X500Name,
x500NameObject, // x509.getSerialNumber(), BigInteger serial,
serial, // AlgorithmId, digestAlgorithmId,
digestAlgorithmId, // PKCS9Attributes, authenticatedAttributes,
null, // AlgorithmId,
algorithmRsaOid, // byte[] encryptedDigest,
signedAttributes, // PKCS9Attributes unauthenticatedAttributes)
null });
SignerInfo[] signerInfos = { si };
// 构造PKCS7数据
Object digestAlgorithmIds = Array.newInstance(algorithmId, 1);
Array.set(digestAlgorithmIds, 0, digestAlgorithmId);
// PKCS7
Constructor pkcs7Constructor = PKCS7.class.getConstructor(new Class[] { digestAlgorithmIds.getClass(), ContentInfo.class, X509Certificate[].class, signerInfos.getClass() });
PKCS7 p7 = (PKCS7) pkcs7Constructor.newInstance(new Object[] { digestAlgorithmIds, contentInfo, certificates, signerInfos });
// PKCS7 p7 = new PKCS7(digestAlgorithmIds, contentInfo, certificates,
// signerInfos);
// public PKCS7(com.ibm.security.x509.AlgorithmId[] arg0,
// sun.security.pkcs.ContentInfo arg1,
// java.security.cert.X509Certificate[] arg2,
// sun.security.pkcs.SignerInfo[] arg3);
// public PKCS7(sun.security.x509.AlgorithmId[] arg0,
// sun.security.pkcs.ContentInfo arg1,
// java.security.cert.X509Certificate[] arg2,
// sun.security.pkcs.SignerInfo[] arg3);
ByteArrayOutputStream baout = new ByteArrayOutputStream();
p7.encodeSignedData(baout);
// Base64编码
return new BASE64Encoder().encode(baout.toByteArray());
}
Also used :
Constructor(java.lang.reflect.Constructor)
PKCS7(sun.security.pkcs.PKCS7)
BASE64Encoder(sun.misc.BASE64Encoder)
Method(java.lang.reflect.Method)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
X509Certificate(java.security.cert.X509Certificate)
Field(java.lang.reflect.Field)
SignerInfo(sun.security.pkcs.SignerInfo)
ContentInfo(sun.security.pkcs.ContentInfo)
Signature(java.security.Signature)
BigInteger(java.math.BigInteger)
Example 5 with ContentInfo
use of sun.security.pkcs.ContentInfo in project Bytecoder by mirkosertic.
the class X509CertPath method encodePKCS7.
/**
* Encode the CertPath using PKCS#7 format.
*
* @return a byte array containing the binary encoding of the PKCS#7 object
* @exception CertificateEncodingException if an exception occurs
*/
private byte[] encodePKCS7() throws CertificateEncodingException {
PKCS7 p7 = new PKCS7(new AlgorithmId[0], new ContentInfo(ContentInfo.DATA_OID, null), certs.toArray(new X509Certificate[certs.size()]), new SignerInfo[0]);
DerOutputStream derout = new DerOutputStream();
try {
p7.encodeSignedData(derout);
} catch (IOException ioe) {
throw new CertificateEncodingException(ioe.getMessage());
}
return derout.toByteArray();
}
Also used :
ContentInfo(sun.security.pkcs.ContentInfo)
DerOutputStream(sun.security.util.DerOutputStream)
PKCS7(sun.security.pkcs.PKCS7)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
Aggregations
ContentInfo (sun.security.pkcs.ContentInfo)14
PKCS7 (sun.security.pkcs.PKCS7)10
X509Certificate (java.security.cert.X509Certificate)9
SignerInfo (sun.security.pkcs.SignerInfo)7
DerOutputStream (sun.security.util.DerOutputStream)6
DerValue (sun.security.util.DerValue)4
X500Name (sun.security.x509.X500Name)4
IOException (java.io.IOException)3
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3
Signature (java.security.Signature)3
CertificateEncodingException (java.security.cert.CertificateEncodingException)3
ByteArrayOutputStream (java.io.ByteArrayOutputStream)2
AlgorithmParameters (java.security.AlgorithmParameters)2
KeyStoreException (java.security.KeyStoreException)2
UnrecoverableEntryException (java.security.UnrecoverableEntryException)2
UnrecoverableKeyException (java.security.UnrecoverableKeyException)2
CertificateException (java.security.cert.CertificateException)2
CertificateFactory (java.security.cert.CertificateFactory)2
Cipher (javax.crypto.Cipher)2
Mac (javax.crypto.Mac)2
