Search in sources :

Example 21 with DerInputStream

use of sun.security.util.DerInputStream in project otertool by wuntee.

the class JarSigner method checkCertUsage.

/**
     * Check if userCert is designed to be a code signer
     * @param userCert the certificate to be examined
     * @param bad 3 booleans to show if the KeyUsage, ExtendedKeyUsage,
     *            NetscapeCertType has codeSigning flag turned on.
     *            If null, the class field badKeyUsage, badExtendedKeyUsage,
     *            badNetscapeCertType will be set.
     */
void checkCertUsage(X509Certificate userCert, boolean[] bad) {
    if (bad != null) {
        bad[0] = bad[1] = bad[2] = false;
    }
    boolean[] keyUsage = userCert.getKeyUsage();
    if (keyUsage != null) {
        if (keyUsage.length < 1 || !keyUsage[0]) {
            if (bad != null) {
                bad[0] = true;
            } else {
                badKeyUsage = true;
            }
        }
    }
    try {
        List<String> xKeyUsage = userCert.getExtendedKeyUsage();
        if (xKeyUsage != null) {
            if (// anyExtendedKeyUsage
            !xKeyUsage.contains("2.5.29.37.0") && !xKeyUsage.contains("1.3.6.1.5.5.7.3.3")) {
                // codeSigning
                if (bad != null) {
                    bad[1] = true;
                } else {
                    badExtendedKeyUsage = true;
                }
            }
        }
    } catch (java.security.cert.CertificateParsingException e) {
    // shouldn't happen
    }
    try {
        // OID_NETSCAPE_CERT_TYPE
        byte[] netscapeEx = userCert.getExtensionValue("2.16.840.1.113730.1.1");
        if (netscapeEx != null) {
            DerInputStream in = new DerInputStream(netscapeEx);
            byte[] encoded = in.getOctetString();
            encoded = new DerValue(encoded).getUnalignedBitString().toByteArray();
            NetscapeCertTypeExtension extn = new NetscapeCertTypeExtension(encoded);
            Boolean val = (Boolean) extn.get(NetscapeCertTypeExtension.OBJECT_SIGNING);
            if (!val) {
                if (bad != null) {
                    bad[2] = true;
                } else {
                    badNetscapeCertType = true;
                }
            }
        }
    } catch (IOException e) {
    // 
    }
}
Also used : DerValue(sun.security.util.DerValue) DerInputStream(sun.security.util.DerInputStream) IOException(java.io.IOException) NetscapeCertTypeExtension(sun.security.x509.NetscapeCertTypeExtension)

Example 22 with DerInputStream

use of sun.security.util.DerInputStream in project jdk8u_jdk by JetBrains.

the class PKCS12KeyStore method engineGetKey.

/**
     * Returns the key associated with the given alias, using the given
     * password to recover it.
     *
     * @param alias the alias name
     * @param password the password for recovering the key
     *
     * @return the requested key, or null if the given alias does not exist
     * or does not identify a <i>key entry</i>.
     *
     * @exception NoSuchAlgorithmException if the algorithm for recovering the
     * key cannot be found
     * @exception UnrecoverableKeyException if the key cannot be recovered
     * (e.g., the given password is wrong).
     */
public Key engineGetKey(String alias, char[] password) throws NoSuchAlgorithmException, UnrecoverableKeyException {
    Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH));
    Key key = null;
    if (entry == null || (!(entry instanceof KeyEntry))) {
        return null;
    }
    // get the encoded private key or secret key
    byte[] encrBytes = null;
    if (entry instanceof PrivateKeyEntry) {
        encrBytes = ((PrivateKeyEntry) entry).protectedPrivKey;
    } else if (entry instanceof SecretKeyEntry) {
        encrBytes = ((SecretKeyEntry) entry).protectedSecretKey;
    } else {
        throw new UnrecoverableKeyException("Error locating key");
    }
    byte[] encryptedKey;
    AlgorithmParameters algParams;
    ObjectIdentifier algOid;
    try {
        // get the encrypted private key
        EncryptedPrivateKeyInfo encrInfo = new EncryptedPrivateKeyInfo(encrBytes);
        encryptedKey = encrInfo.getEncryptedData();
        // parse Algorithm parameters
        DerValue val = new DerValue(encrInfo.getAlgorithm().encode());
        DerInputStream in = val.toDerInputStream();
        algOid = in.getOID();
        algParams = parseAlgParameters(algOid, in);
    } catch (IOException ioe) {
        UnrecoverableKeyException uke = new UnrecoverableKeyException("Private key not stored as " + "PKCS#8 EncryptedPrivateKeyInfo: " + ioe);
        uke.initCause(ioe);
        throw uke;
    }
    try {
        byte[] keyInfo;
        while (true) {
            try {
                // Use JCE
                SecretKey skey = getPBEKey(password);
                Cipher cipher = Cipher.getInstance(mapPBEParamsToAlgorithm(algOid, algParams));
                cipher.init(Cipher.DECRYPT_MODE, skey, algParams);
                keyInfo = cipher.doFinal(encryptedKey);
                break;
            } catch (Exception e) {
                if (password.length == 0) {
                    // Retry using an empty password
                    // without a NULL terminator.
                    password = new char[1];
                    continue;
                }
                throw e;
            }
        }
        /*
             * Parse the key algorithm and then use a JCA key factory
             * to re-create the key.
             */
        DerValue val = new DerValue(keyInfo);
        DerInputStream in = val.toDerInputStream();
        int i = in.getInteger();
        DerValue[] value = in.getSequence(2);
        AlgorithmId algId = new AlgorithmId(value[0].getOID());
        String keyAlgo = algId.getName();
        // decode private key
        if (entry instanceof PrivateKeyEntry) {
            KeyFactory kfac = KeyFactory.getInstance(keyAlgo);
            PKCS8EncodedKeySpec kspec = new PKCS8EncodedKeySpec(keyInfo);
            key = kfac.generatePrivate(kspec);
            if (debug != null) {
                debug.println("Retrieved a protected private key (" + key.getClass().getName() + ") at alias '" + alias + "'");
            }
        // decode secret key
        } else {
            byte[] keyBytes = in.getOctetString();
            SecretKeySpec secretKeySpec = new SecretKeySpec(keyBytes, keyAlgo);
            // Special handling required for PBE: needs a PBEKeySpec
            if (keyAlgo.startsWith("PBE")) {
                SecretKeyFactory sKeyFactory = SecretKeyFactory.getInstance(keyAlgo);
                KeySpec pbeKeySpec = sKeyFactory.getKeySpec(secretKeySpec, PBEKeySpec.class);
                key = sKeyFactory.generateSecret(pbeKeySpec);
            } else {
                key = secretKeySpec;
            }
            if (debug != null) {
                debug.println("Retrieved a protected secret key (" + key.getClass().getName() + ") at alias '" + alias + "'");
            }
        }
    } catch (Exception e) {
        UnrecoverableKeyException uke = new UnrecoverableKeyException("Get Key failed: " + e.getMessage());
        uke.initCause(e);
        throw uke;
    }
    return key;
}
Also used : SecretKeySpec(javax.crypto.spec.SecretKeySpec) KeySpec(java.security.spec.KeySpec) PBEKeySpec(javax.crypto.spec.PBEKeySpec) PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec) UnrecoverableKeyException(java.security.UnrecoverableKeyException) SecretKeySpec(javax.crypto.spec.SecretKeySpec) DerValue(sun.security.util.DerValue) DerInputStream(sun.security.util.DerInputStream) SecretKeyFactory(javax.crypto.SecretKeyFactory) SecretKeyFactory(javax.crypto.SecretKeyFactory) KeyFactory(java.security.KeyFactory) ObjectIdentifier(sun.security.util.ObjectIdentifier) KeyStoreException(java.security.KeyStoreException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) UnrecoverableEntryException(java.security.UnrecoverableEntryException) DestroyFailedException(javax.security.auth.DestroyFailedException) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SecretKey(javax.crypto.SecretKey) AlgorithmId(sun.security.x509.AlgorithmId) PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec) EncryptedPrivateKeyInfo(sun.security.pkcs.EncryptedPrivateKeyInfo) Cipher(javax.crypto.Cipher) Key(java.security.Key) PrivateKey(java.security.PrivateKey) SecretKey(javax.crypto.SecretKey) AlgorithmParameters(java.security.AlgorithmParameters)

Example 23 with DerInputStream

use of sun.security.util.DerInputStream in project jdk8u_jdk by JetBrains.

the class PKCS12KeyStore method loadSafeContents.

private void loadSafeContents(DerInputStream stream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException {
    DerValue[] safeBags = stream.getSequence(2);
    int count = safeBags.length;
    /*
         * Spin over the SafeBags.
         */
    for (int i = 0; i < count; i++) {
        ObjectIdentifier bagId;
        DerInputStream sbi;
        DerValue bagValue;
        Object bagItem = null;
        sbi = safeBags[i].toDerInputStream();
        bagId = sbi.getOID();
        bagValue = sbi.getDerValue();
        if (!bagValue.isContextSpecific((byte) 0)) {
            throw new IOException("unsupported PKCS12 bag value type " + bagValue.tag);
        }
        bagValue = bagValue.data.getDerValue();
        if (bagId.equals((Object) PKCS8ShroudedKeyBag_OID)) {
            PrivateKeyEntry kEntry = new PrivateKeyEntry();
            kEntry.protectedPrivKey = bagValue.toByteArray();
            bagItem = kEntry;
            privateKeyCount++;
        } else if (bagId.equals((Object) CertBag_OID)) {
            DerInputStream cs = new DerInputStream(bagValue.toByteArray());
            DerValue[] certValues = cs.getSequence(2);
            ObjectIdentifier certId = certValues[0].getOID();
            if (!certValues[1].isContextSpecific((byte) 0)) {
                throw new IOException("unsupported PKCS12 cert value type " + certValues[1].tag);
            }
            DerValue certValue = certValues[1].data.getDerValue();
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            X509Certificate cert;
            cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certValue.getOctetString()));
            bagItem = cert;
            certificateCount++;
        } else if (bagId.equals((Object) SecretBag_OID)) {
            DerInputStream ss = new DerInputStream(bagValue.toByteArray());
            DerValue[] secretValues = ss.getSequence(2);
            ObjectIdentifier secretId = secretValues[0].getOID();
            if (!secretValues[1].isContextSpecific((byte) 0)) {
                throw new IOException("unsupported PKCS12 secret value type " + secretValues[1].tag);
            }
            DerValue secretValue = secretValues[1].data.getDerValue();
            SecretKeyEntry kEntry = new SecretKeyEntry();
            kEntry.protectedSecretKey = secretValue.getOctetString();
            bagItem = kEntry;
            secretKeyCount++;
        } else {
            if (debug != null) {
                debug.println("Unsupported PKCS12 bag type: " + bagId);
            }
        }
        DerValue[] attrSet;
        try {
            attrSet = sbi.getSet(3);
        } catch (IOException e) {
            // entry does not have attributes
            // Note: CA certs can have no attributes
            // OpenSSL generates pkcs12 with no attr for CA certs.
            attrSet = null;
        }
        String alias = null;
        byte[] keyId = null;
        ObjectIdentifier[] trustedKeyUsage = null;
        Set<PKCS12Attribute> attributes = new HashSet<>();
        if (attrSet != null) {
            for (int j = 0; j < attrSet.length; j++) {
                byte[] encoded = attrSet[j].toByteArray();
                DerInputStream as = new DerInputStream(encoded);
                DerValue[] attrSeq = as.getSequence(2);
                ObjectIdentifier attrId = attrSeq[0].getOID();
                DerInputStream vs = new DerInputStream(attrSeq[1].toByteArray());
                DerValue[] valSet;
                try {
                    valSet = vs.getSet(1);
                } catch (IOException e) {
                    throw new IOException("Attribute " + attrId + " should have a value " + e.getMessage());
                }
                if (attrId.equals((Object) PKCS9FriendlyName_OID)) {
                    alias = valSet[0].getBMPString();
                } else if (attrId.equals((Object) PKCS9LocalKeyId_OID)) {
                    keyId = valSet[0].getOctetString();
                } else if (attrId.equals((Object) TrustedKeyUsage_OID)) {
                    trustedKeyUsage = new ObjectIdentifier[valSet.length];
                    for (int k = 0; k < valSet.length; k++) {
                        trustedKeyUsage[k] = valSet[k].getOID();
                    }
                } else {
                    attributes.add(new PKCS12Attribute(encoded));
                }
            }
        }
        /*
             * As per PKCS12 v1.0 friendlyname (alias) and localKeyId (keyId)
             * are optional PKCS12 bagAttributes. But entries in the keyStore
             * are identified by their alias. Hence we need to have an
             * Unfriendlyname in the alias, if alias is null. The keyId
             * attribute is required to match the private key with the
             * certificate. If we get a bagItem of type KeyEntry with a
             * null keyId, we should skip it entirely.
             */
        if (bagItem instanceof KeyEntry) {
            KeyEntry entry = (KeyEntry) bagItem;
            if (bagItem instanceof PrivateKeyEntry) {
                if (keyId == null) {
                    // associated cert-chain
                    if (privateKeyCount == 1) {
                        keyId = "01".getBytes("UTF8");
                    } else {
                        continue;
                    }
                }
            }
            entry.keyId = keyId;
            // restore date if it exists
            String keyIdStr = new String(keyId, "UTF8");
            Date date = null;
            if (keyIdStr.startsWith("Time ")) {
                try {
                    date = new Date(Long.parseLong(keyIdStr.substring(5)));
                } catch (Exception e) {
                    date = null;
                }
            }
            if (date == null) {
                date = new Date();
            }
            entry.date = date;
            if (bagItem instanceof PrivateKeyEntry) {
                keyList.add((PrivateKeyEntry) entry);
            }
            if (entry.attributes == null) {
                entry.attributes = new HashSet<>();
            }
            entry.attributes.addAll(attributes);
            if (alias == null) {
                alias = getUnfriendlyName();
            }
            entry.alias = alias;
            entries.put(alias.toLowerCase(Locale.ENGLISH), entry);
        } else if (bagItem instanceof X509Certificate) {
            X509Certificate cert = (X509Certificate) bagItem;
            // associated cert-chain
            if ((keyId == null) && (privateKeyCount == 1)) {
                // insert localKeyID only for EE cert or self-signed cert
                if (i == 0) {
                    keyId = "01".getBytes("UTF8");
                }
            }
            // Trusted certificate
            if (trustedKeyUsage != null) {
                if (alias == null) {
                    alias = getUnfriendlyName();
                }
                CertEntry certEntry = new CertEntry(cert, keyId, alias, trustedKeyUsage, attributes);
                entries.put(alias.toLowerCase(Locale.ENGLISH), certEntry);
            } else {
                certEntries.add(new CertEntry(cert, keyId, alias));
            }
            X500Principal subjectDN = cert.getSubjectX500Principal();
            if (subjectDN != null) {
                if (!certsMap.containsKey(subjectDN)) {
                    certsMap.put(subjectDN, cert);
                }
            }
        }
    }
}
Also used : CertificateFactory(java.security.cert.CertificateFactory) X509Certificate(java.security.cert.X509Certificate) KeyStoreException(java.security.KeyStoreException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) UnrecoverableEntryException(java.security.UnrecoverableEntryException) DestroyFailedException(javax.security.auth.DestroyFailedException) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) PKCS12Attribute(java.security.PKCS12Attribute) DerValue(sun.security.util.DerValue) X500Principal(javax.security.auth.x500.X500Principal) DerInputStream(sun.security.util.DerInputStream) ObjectIdentifier(sun.security.util.ObjectIdentifier)

Example 24 with DerInputStream

use of sun.security.util.DerInputStream in project jdk8u_jdk by JetBrains.

the class AdaptableX509CertSelector method matchSubjectKeyID.

/*
     * Match on subject key identifier extension value. These matching rules
     * are identical to X509CertSelector except that if the certificate does
     * not have a subject key identifier extension, it returns true.
     */
private boolean matchSubjectKeyID(X509Certificate xcert) {
    if (ski == null) {
        return true;
    }
    try {
        byte[] extVal = xcert.getExtensionValue("2.5.29.14");
        if (extVal == null) {
            if (debug != null) {
                debug.println("AdaptableX509CertSelector.match: " + "no subject key ID extension. Subject: " + xcert.getSubjectX500Principal());
            }
            return true;
        }
        DerInputStream in = new DerInputStream(extVal);
        byte[] certSubjectKeyID = in.getOctetString();
        if (certSubjectKeyID == null || !Arrays.equals(ski, certSubjectKeyID)) {
            if (debug != null) {
                debug.println("AdaptableX509CertSelector.match: " + "subject key IDs don't match. " + "Expected: " + Arrays.toString(ski) + " " + "Cert's: " + Arrays.toString(certSubjectKeyID));
            }
            return false;
        }
    } catch (IOException ex) {
        if (debug != null) {
            debug.println("AdaptableX509CertSelector.match: " + "exception in subject key ID check");
        }
        return false;
    }
    return true;
}
Also used : DerInputStream(sun.security.util.DerInputStream) IOException(java.io.IOException)

Example 25 with DerInputStream

use of sun.security.util.DerInputStream in project jdk8u_jdk by JetBrains.

the class SimpleValidator method getNetscapeCertTypeBit.

/**
     * Get the value of the specified bit in the Netscape certificate type
     * extension. If the extension is not present at all, we return true.
     */
static boolean getNetscapeCertTypeBit(X509Certificate cert, String type) {
    try {
        NetscapeCertTypeExtension ext;
        if (cert instanceof X509CertImpl) {
            X509CertImpl certImpl = (X509CertImpl) cert;
            ObjectIdentifier oid = OBJID_NETSCAPE_CERT_TYPE;
            ext = (NetscapeCertTypeExtension) certImpl.getExtension(oid);
            if (ext == null) {
                return true;
            }
        } else {
            byte[] extVal = cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
            if (extVal == null) {
                return true;
            }
            DerInputStream in = new DerInputStream(extVal);
            byte[] encoded = in.getOctetString();
            encoded = new DerValue(encoded).getUnalignedBitString().toByteArray();
            ext = new NetscapeCertTypeExtension(encoded);
        }
        Boolean val = ext.get(type);
        return val.booleanValue();
    } catch (IOException e) {
        return false;
    }
}
Also used : X509CertImpl(sun.security.x509.X509CertImpl) DerValue(sun.security.util.DerValue) DerInputStream(sun.security.util.DerInputStream) IOException(java.io.IOException) NetscapeCertTypeExtension(sun.security.x509.NetscapeCertTypeExtension) ObjectIdentifier(sun.security.util.ObjectIdentifier)

Aggregations

DerInputStream (sun.security.util.DerInputStream)40 DerValue (sun.security.util.DerValue)17 IOException (java.io.IOException)12 ObjectIdentifier (sun.security.util.ObjectIdentifier)11 X509CertSelector (java.security.cert.X509CertSelector)6 BigInteger (java.math.BigInteger)5 X509Certificate (java.security.cert.X509Certificate)5 CertificateException (java.security.cert.CertificateException)4 CertificateFactory (java.security.cert.CertificateFactory)4 X500Principal (javax.security.auth.x500.X500Principal)4 SocketException (java.net.SocketException)3 KeyStoreException (java.security.KeyStoreException)3 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3 UnrecoverableEntryException (java.security.UnrecoverableEntryException)3 UnrecoverableKeyException (java.security.UnrecoverableKeyException)3 DestroyFailedException (javax.security.auth.DestroyFailedException)3 AlgorithmParameters (java.security.AlgorithmParameters)2 InvalidKeyException (java.security.InvalidKeyException)2 KeyFactory (java.security.KeyFactory)2 Date (java.util.Date)2