Example 11 with DerValue
use of sun.security.util.DerValue in project jdk8u_jdk by JetBrains.
the class PKCS12KeyStore method engineLoad.
/**
* Loads the keystore from the given input stream.
*
* <p>If a password is given, it is used to check the integrity of the
* keystore data. Otherwise, the integrity of the keystore is not checked.
*
* @param stream the input stream from which the keystore is loaded
* @param password the (optional) password used to check the integrity of
* the keystore.
*
* @exception IOException if there is an I/O or format problem with the
* keystore data
* @exception NoSuchAlgorithmException if the algorithm used to check
* the integrity of the keystore cannot be found
* @exception CertificateException if any of the certificates in the
* keystore could not be loaded
*/
public synchronized void engineLoad(InputStream stream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException {
DataInputStream dis;
CertificateFactory cf = null;
ByteArrayInputStream bais = null;
byte[] encoded = null;
if (stream == null)
return;
// reset the counter
counter = 0;
DerValue val = new DerValue(stream);
DerInputStream s = val.toDerInputStream();
int version = s.getInteger();
if (version != VERSION_3) {
throw new IOException("PKCS12 keystore not in version 3 format");
}
entries.clear();
/*
* Read the authSafe.
*/
byte[] authSafeData;
ContentInfo authSafe = new ContentInfo(s);
ObjectIdentifier contentType = authSafe.getContentType();
if (contentType.equals((Object) ContentInfo.DATA_OID)) {
authSafeData = authSafe.getData();
} else /* signed data */
{
throw new IOException("public key protected PKCS12 not supported");
}
DerInputStream as = new DerInputStream(authSafeData);
DerValue[] safeContentsArray = as.getSequence(2);
int count = safeContentsArray.length;
// reset the counters at the start
privateKeyCount = 0;
secretKeyCount = 0;
certificateCount = 0;
/*
* Spin over the ContentInfos.
*/
for (int i = 0; i < count; i++) {
byte[] safeContentsData;
ContentInfo safeContents;
DerInputStream sci;
byte[] eAlgId = null;
sci = new DerInputStream(safeContentsArray[i].toByteArray());
safeContents = new ContentInfo(sci);
contentType = safeContents.getContentType();
safeContentsData = null;
if (contentType.equals((Object) ContentInfo.DATA_OID)) {
if (debug != null) {
debug.println("Loading PKCS#7 data content-type");
}
safeContentsData = safeContents.getData();
} else if (contentType.equals((Object) ContentInfo.ENCRYPTED_DATA_OID)) {
if (password == null) {
if (debug != null) {
debug.println("Warning: skipping PKCS#7 encryptedData" + " content-type - no password was supplied");
}
continue;
}
if (debug != null) {
debug.println("Loading PKCS#7 encryptedData content-type");
}
DerInputStream edi = safeContents.getContent().toDerInputStream();
int edVersion = edi.getInteger();
DerValue[] seq = edi.getSequence(2);
ObjectIdentifier edContentType = seq[0].getOID();
eAlgId = seq[1].toByteArray();
if (!seq[2].isContextSpecific((byte) 0)) {
throw new IOException("encrypted content not present!");
}
byte newTag = DerValue.tag_OctetString;
if (seq[2].isConstructed())
newTag |= 0x20;
seq[2].resetTag(newTag);
safeContentsData = seq[2].getOctetString();
// parse Algorithm parameters
DerInputStream in = seq[1].toDerInputStream();
ObjectIdentifier algOid = in.getOID();
AlgorithmParameters algParams = parseAlgParameters(algOid, in);
while (true) {
try {
// Use JCE
SecretKey skey = getPBEKey(password);
Cipher cipher = Cipher.getInstance(algOid.toString());
cipher.init(Cipher.DECRYPT_MODE, skey, algParams);
safeContentsData = cipher.doFinal(safeContentsData);
break;
} catch (Exception e) {
if (password.length == 0) {
// Retry using an empty password
// without a NULL terminator.
password = new char[1];
continue;
}
throw new IOException("keystore password was incorrect", new UnrecoverableKeyException("failed to decrypt safe contents entry: " + e));
}
}
} else {
throw new IOException("public key protected PKCS12" + " not supported");
}
DerInputStream sc = new DerInputStream(safeContentsData);
loadSafeContents(sc, password);
}
// The MacData is optional.
if (password != null && s.available() > 0) {
MacData macData = new MacData(s);
try {
String algName = macData.getDigestAlgName().toUpperCase(Locale.ENGLISH);
// Change SHA-1 to SHA1
algName = algName.replace("-", "");
// generate MAC (MAC key is created within JCE)
Mac m = Mac.getInstance("HmacPBE" + algName);
PBEParameterSpec params = new PBEParameterSpec(macData.getSalt(), macData.getIterations());
SecretKey key = getPBEKey(password);
m.init(key, params);
m.update(authSafeData);
byte[] macResult = m.doFinal();
if (debug != null) {
debug.println("Checking keystore integrity " + "(MAC algorithm: " + m.getAlgorithm() + ")");
}
if (!MessageDigest.isEqual(macData.getDigest(), macResult)) {
throw new UnrecoverableKeyException("Failed PKCS12" + " integrity checking");
}
} catch (Exception e) {
throw new IOException("Integrity check failed: " + e, e);
}
}
/*
* Match up private keys with certificate chains.
*/
PrivateKeyEntry[] list = keyList.toArray(new PrivateKeyEntry[keyList.size()]);
for (int m = 0; m < list.length; m++) {
PrivateKeyEntry entry = list[m];
if (entry.keyId != null) {
ArrayList<X509Certificate> chain = new ArrayList<X509Certificate>();
X509Certificate cert = findMatchedCertificate(entry);
mainloop: while (cert != null) {
// Check for loops in the certificate chain
if (!chain.isEmpty()) {
for (X509Certificate chainCert : chain) {
if (cert.equals(chainCert)) {
if (debug != null) {
debug.println("Loop detected in " + "certificate chain. Skip adding " + "repeated cert to chain. Subject: " + cert.getSubjectX500Principal().toString());
}
break mainloop;
}
}
}
chain.add(cert);
X500Principal issuerDN = cert.getIssuerX500Principal();
if (issuerDN.equals(cert.getSubjectX500Principal())) {
break;
}
cert = certsMap.get(issuerDN);
}
/* Update existing KeyEntry in entries table */
if (chain.size() > 0)
entry.chain = chain.toArray(new Certificate[chain.size()]);
}
}
if (debug != null) {
if (privateKeyCount > 0) {
debug.println("Loaded " + privateKeyCount + " protected private key(s)");
}
if (secretKeyCount > 0) {
debug.println("Loaded " + secretKeyCount + " protected secret key(s)");
}
if (certificateCount > 0) {
debug.println("Loaded " + certificateCount + " certificate(s)");
}
}
certEntries.clear();
certsMap.clear();
keyList.clear();
}
Also used :
CertificateFactory(java.security.cert.CertificateFactory)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
ContentInfo(sun.security.pkcs.ContentInfo)
DerValue(sun.security.util.DerValue)
DerInputStream(sun.security.util.DerInputStream)
PBEParameterSpec(javax.crypto.spec.PBEParameterSpec)
ObjectIdentifier(sun.security.util.ObjectIdentifier)
KeyStoreException(java.security.KeyStoreException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
UnrecoverableEntryException(java.security.UnrecoverableEntryException)
DestroyFailedException(javax.security.auth.DestroyFailedException)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
Mac(javax.crypto.Mac)
X509Certificate(java.security.cert.X509Certificate)
SecretKey(javax.crypto.SecretKey)
X500Principal(javax.security.auth.x500.X500Principal)
Cipher(javax.crypto.Cipher)
AlgorithmParameters(java.security.AlgorithmParameters)
Example 12 with DerValue
use of sun.security.util.DerValue in project jdk8u_jdk by JetBrains.
the class DSA method engineSign.
/**
* Sign all the data thus far updated. The signature is formatted
* according to the Canonical Encoding Rules, returned as a DER
* sequence of Integer, r and s.
*
* @return a signature block formatted according to the Canonical
* Encoding Rules.
*
* @exception SignatureException if the signature object was not
* properly initialized, or if another exception occurs.
*
* @see sun.security.DSA#engineUpdate
* @see sun.security.DSA#engineVerify
*/
protected byte[] engineSign() throws SignatureException {
BigInteger k = generateK(presetQ);
BigInteger r = generateR(presetP, presetQ, presetG, k);
BigInteger s = generateS(presetX, presetQ, r, k);
try {
DerOutputStream outseq = new DerOutputStream(100);
outseq.putInteger(r);
outseq.putInteger(s);
DerValue result = new DerValue(DerValue.tag_Sequence, outseq.toByteArray());
return result.toByteArray();
} catch (IOException e) {
throw new SignatureException("error encoding signature");
}
}
Also used :
DerOutputStream(sun.security.util.DerOutputStream)
DerValue(sun.security.util.DerValue)
BigInteger(java.math.BigInteger)
Example 13 with DerValue
use of sun.security.util.DerValue in project jdk8u_jdk by JetBrains.
the class DSA method engineVerify.
/**
* Verify all the data thus far updated.
*
* @param signature the alledged signature, encoded using the
* Canonical Encoding Rules, as a sequence of integers, r and s.
*
* @param offset the offset to start from in the array of bytes.
*
* @param length the number of bytes to use, starting at offset.
*
* @exception SignatureException if the signature object was not
* properly initialized, or if another exception occurs.
*
* @see sun.security.DSA#engineUpdate
* @see sun.security.DSA#engineSign
*/
protected boolean engineVerify(byte[] signature, int offset, int length) throws SignatureException {
BigInteger r = null;
BigInteger s = null;
// first decode the signature.
try {
// Enforce strict DER checking for signatures
DerInputStream in = new DerInputStream(signature, offset, length, false);
DerValue[] values = in.getSequence(2);
// and trailing data
if ((values.length != 2) || (in.available() != 0)) {
throw new IOException("Invalid encoding for signature");
}
r = values[0].getBigInteger();
s = values[1].getBigInteger();
} catch (IOException e) {
throw new SignatureException("Invalid encoding for signature", e);
}
// to validate those signatures
if (r.signum() < 0) {
r = new BigInteger(1, r.toByteArray());
}
if (s.signum() < 0) {
s = new BigInteger(1, s.toByteArray());
}
if ((r.compareTo(presetQ) == -1) && (s.compareTo(presetQ) == -1)) {
BigInteger w = generateW(presetP, presetQ, presetG, s);
BigInteger v = generateV(presetY, presetP, presetQ, presetG, w, r);
return v.equals(r);
} else {
throw new SignatureException("invalid signature: out of range values");
}
}
Also used :
DerValue(sun.security.util.DerValue)
BigInteger(java.math.BigInteger)
DerInputStream(sun.security.util.DerInputStream)
Example 14 with DerValue
use of sun.security.util.DerValue in project jdk8u_jdk by JetBrains.
the class X509CertificatePair method parse.
/* Parse the encoded bytes */
private void parse(DerValue val) throws IOException, CertificateException {
if (val.tag != DerValue.tag_Sequence) {
throw new IOException("Sequence tag missing for X509CertificatePair");
}
while (val.data != null && val.data.available() != 0) {
DerValue opt = val.data.getDerValue();
short tag = (byte) (opt.tag & 0x01f);
switch(tag) {
case TAG_FORWARD:
if (opt.isContextSpecific() && opt.isConstructed()) {
if (forward != null) {
throw new IOException("Duplicate forward " + "certificate in X509CertificatePair");
}
opt = opt.data.getDerValue();
forward = X509Factory.intern(new X509CertImpl(opt.toByteArray()));
}
break;
case TAG_REVERSE:
if (opt.isContextSpecific() && opt.isConstructed()) {
if (reverse != null) {
throw new IOException("Duplicate reverse " + "certificate in X509CertificatePair");
}
opt = opt.data.getDerValue();
reverse = X509Factory.intern(new X509CertImpl(opt.toByteArray()));
}
break;
default:
throw new IOException("Invalid encoding of " + "X509CertificatePair");
}
}
if (forward == null && reverse == null) {
throw new CertificateException("at least one of certificate pair " + "must be non-null");
}
}
Also used :
DerValue(sun.security.util.DerValue)
X509CertImpl(sun.security.x509.X509CertImpl)
CertificateException(java.security.cert.CertificateException)
IOException(java.io.IOException)
Example 15 with DerValue
use of sun.security.util.DerValue in project jdk8u_jdk by JetBrains.
the class X509CertPath method parsePKIPATH.
/**
* Parse a PKIPATH format CertPath from an InputStream. Return an
* unmodifiable List of the certificates.
*
* @param is the <code>InputStream</code> to read the data from
* @return an unmodifiable List of the certificates
* @exception CertificateException if an exception occurs
*/
private static List<X509Certificate> parsePKIPATH(InputStream is) throws CertificateException {
List<X509Certificate> certList = null;
CertificateFactory certFac = null;
if (is == null) {
throw new CertificateException("input stream is null");
}
try {
DerInputStream dis = new DerInputStream(readAllBytes(is));
DerValue[] seq = dis.getSequence(3);
if (seq.length == 0) {
return Collections.<X509Certificate>emptyList();
}
certFac = CertificateFactory.getInstance("X.509");
certList = new ArrayList<X509Certificate>(seq.length);
// append certs in reverse order (target to trust anchor)
for (int i = seq.length - 1; i >= 0; i--) {
certList.add((X509Certificate) certFac.generateCertificate(new ByteArrayInputStream(seq[i].toByteArray())));
}
return Collections.unmodifiableList(certList);
} catch (IOException ioe) {
throw new CertificateException("IOException parsing PkiPath data: " + ioe, ioe);
}
}
Also used :
ByteArrayInputStream(java.io.ByteArrayInputStream)
DerValue(sun.security.util.DerValue)
CertificateException(java.security.cert.CertificateException)
DerInputStream(sun.security.util.DerInputStream)
IOException(java.io.IOException)
CertificateFactory(java.security.cert.CertificateFactory)
X509Certificate(java.security.cert.X509Certificate)
Aggregations
DerValue (sun.security.util.DerValue)72
DerInputStream (sun.security.util.DerInputStream)26
IOException (java.io.IOException)25
ObjectIdentifier (sun.security.util.ObjectIdentifier)17
CertificateException (java.security.cert.CertificateException)12
DerOutputStream (sun.security.util.DerOutputStream)11
UnrecoverableKeyException (java.security.UnrecoverableKeyException)10
BigInteger (java.math.BigInteger)9
KeyStoreException (java.security.KeyStoreException)9
X509Certificate (java.security.cert.X509Certificate)9
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)8
UnrecoverableEntryException (java.security.UnrecoverableEntryException)8
CertificateFactory (java.security.cert.CertificateFactory)7
DestroyFailedException (javax.security.auth.DestroyFailedException)6
X500Principal (javax.security.auth.x500.X500Principal)6
X509CertImpl (sun.security.x509.X509CertImpl)6
AlgorithmId (sun.security.x509.AlgorithmId)5
AlgorithmParameters (java.security.AlgorithmParameters)4
InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)4
KeyFactory (java.security.KeyFactory)4
