Example 36 with DerValue
use of sun.security.util.DerValue in project j2objc by google.
the class ESSCertId method parse.
public void parse(byte[] bytes) throws IOException {
// Parse signingCertificate
DerValue derValue = new DerValue(bytes);
if (derValue.tag != DerValue.tag_Sequence) {
throw new IOException("Bad encoding for signingCertificate");
}
// Parse certs
DerValue[] certs = derValue.data.getSequence(1);
certId = new ESSCertId[certs.length];
for (int i = 0; i < certs.length; i++) {
certId[i] = new ESSCertId(certs[i]);
}
// Parse policies, if present
if (derValue.data.available() > 0) {
DerValue[] policies = derValue.data.getSequence(1);
for (int i = 0; i < policies.length; i++) {
// parse PolicyInformation
}
}
}
Also used :
DerValue(sun.security.util.DerValue)
IOException(java.io.IOException)
Example 37 with DerValue
use of sun.security.util.DerValue in project otertool by wuntee.
the class JarSigner method checkCertUsage.
/**
* Check if userCert is designed to be a code signer
* @param userCert the certificate to be examined
* @param bad 3 booleans to show if the KeyUsage, ExtendedKeyUsage,
* NetscapeCertType has codeSigning flag turned on.
* If null, the class field badKeyUsage, badExtendedKeyUsage,
* badNetscapeCertType will be set.
*/
void checkCertUsage(X509Certificate userCert, boolean[] bad) {
if (bad != null) {
bad[0] = bad[1] = bad[2] = false;
}
boolean[] keyUsage = userCert.getKeyUsage();
if (keyUsage != null) {
if (keyUsage.length < 1 || !keyUsage[0]) {
if (bad != null) {
bad[0] = true;
} else {
badKeyUsage = true;
}
}
}
try {
List<String> xKeyUsage = userCert.getExtendedKeyUsage();
if (xKeyUsage != null) {
if (// anyExtendedKeyUsage
!xKeyUsage.contains("2.5.29.37.0") && !xKeyUsage.contains("1.3.6.1.5.5.7.3.3")) {
// codeSigning
if (bad != null) {
bad[1] = true;
} else {
badExtendedKeyUsage = true;
}
}
}
} catch (java.security.cert.CertificateParsingException e) {
// shouldn't happen
}
try {
// OID_NETSCAPE_CERT_TYPE
byte[] netscapeEx = userCert.getExtensionValue("2.16.840.1.113730.1.1");
if (netscapeEx != null) {
DerInputStream in = new DerInputStream(netscapeEx);
byte[] encoded = in.getOctetString();
encoded = new DerValue(encoded).getUnalignedBitString().toByteArray();
NetscapeCertTypeExtension extn = new NetscapeCertTypeExtension(encoded);
Boolean val = (Boolean) extn.get(NetscapeCertTypeExtension.OBJECT_SIGNING);
if (!val) {
if (bad != null) {
bad[2] = true;
} else {
badNetscapeCertType = true;
}
}
}
} catch (IOException e) {
//
}
}
Also used :
DerValue(sun.security.util.DerValue)
DerInputStream(sun.security.util.DerInputStream)
IOException(java.io.IOException)
NetscapeCertTypeExtension(sun.security.x509.NetscapeCertTypeExtension)
Example 38 with DerValue
use of sun.security.util.DerValue in project jdk8u_jdk by JetBrains.
the class NativeGSSContext method retrieveToken.
private byte[] retrieveToken(InputStream is, int mechTokenLen) throws GSSException {
try {
byte[] result = null;
if (mechTokenLen != -1) {
// Need to add back the GSS header for a complete GSS token
SunNativeProvider.debug("Precomputed mechToken length: " + mechTokenLen);
GSSHeader gssHeader = new GSSHeader(new ObjectIdentifier(cStub.getMech().toString()), mechTokenLen);
ByteArrayOutputStream baos = new ByteArrayOutputStream(600);
byte[] mechToken = new byte[mechTokenLen];
int len = is.read(mechToken);
assert (mechTokenLen == len);
gssHeader.encode(baos);
baos.write(mechToken);
result = baos.toByteArray();
} else {
// Must be unparsed GSS token or SPNEGO's NegTokenTarg token
assert (mechTokenLen == -1);
DerValue dv = new DerValue(is);
result = dv.toByteArray();
}
SunNativeProvider.debug("Complete Token length: " + result.length);
return result;
} catch (IOException ioe) {
throw new GSSExceptionImpl(GSSException.FAILURE, ioe);
}
}
Also used :
DerValue(sun.security.util.DerValue)
GSSExceptionImpl(sun.security.jgss.GSSExceptionImpl)
GSSHeader(sun.security.jgss.GSSHeader)
ObjectIdentifier(sun.security.util.ObjectIdentifier)
Example 39 with DerValue
use of sun.security.util.DerValue in project jdk8u_jdk by JetBrains.
the class PKCS12KeyStore method engineGetKey.
/**
* Returns the key associated with the given alias, using the given
* password to recover it.
*
* @param alias the alias name
* @param password the password for recovering the key
*
* @return the requested key, or null if the given alias does not exist
* or does not identify a <i>key entry</i>.
*
* @exception NoSuchAlgorithmException if the algorithm for recovering the
* key cannot be found
* @exception UnrecoverableKeyException if the key cannot be recovered
* (e.g., the given password is wrong).
*/
public Key engineGetKey(String alias, char[] password) throws NoSuchAlgorithmException, UnrecoverableKeyException {
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH));
Key key = null;
if (entry == null || (!(entry instanceof KeyEntry))) {
return null;
}
// get the encoded private key or secret key
byte[] encrBytes = null;
if (entry instanceof PrivateKeyEntry) {
encrBytes = ((PrivateKeyEntry) entry).protectedPrivKey;
} else if (entry instanceof SecretKeyEntry) {
encrBytes = ((SecretKeyEntry) entry).protectedSecretKey;
} else {
throw new UnrecoverableKeyException("Error locating key");
}
byte[] encryptedKey;
AlgorithmParameters algParams;
ObjectIdentifier algOid;
try {
// get the encrypted private key
EncryptedPrivateKeyInfo encrInfo = new EncryptedPrivateKeyInfo(encrBytes);
encryptedKey = encrInfo.getEncryptedData();
// parse Algorithm parameters
DerValue val = new DerValue(encrInfo.getAlgorithm().encode());
DerInputStream in = val.toDerInputStream();
algOid = in.getOID();
algParams = parseAlgParameters(algOid, in);
} catch (IOException ioe) {
UnrecoverableKeyException uke = new UnrecoverableKeyException("Private key not stored as " + "PKCS#8 EncryptedPrivateKeyInfo: " + ioe);
uke.initCause(ioe);
throw uke;
}
try {
byte[] keyInfo;
while (true) {
try {
// Use JCE
SecretKey skey = getPBEKey(password);
Cipher cipher = Cipher.getInstance(mapPBEParamsToAlgorithm(algOid, algParams));
cipher.init(Cipher.DECRYPT_MODE, skey, algParams);
keyInfo = cipher.doFinal(encryptedKey);
break;
} catch (Exception e) {
if (password.length == 0) {
// Retry using an empty password
// without a NULL terminator.
password = new char[1];
continue;
}
throw e;
}
}
/*
* Parse the key algorithm and then use a JCA key factory
* to re-create the key.
*/
DerValue val = new DerValue(keyInfo);
DerInputStream in = val.toDerInputStream();
int i = in.getInteger();
DerValue[] value = in.getSequence(2);
AlgorithmId algId = new AlgorithmId(value[0].getOID());
String keyAlgo = algId.getName();
// decode private key
if (entry instanceof PrivateKeyEntry) {
KeyFactory kfac = KeyFactory.getInstance(keyAlgo);
PKCS8EncodedKeySpec kspec = new PKCS8EncodedKeySpec(keyInfo);
key = kfac.generatePrivate(kspec);
if (debug != null) {
debug.println("Retrieved a protected private key (" + key.getClass().getName() + ") at alias '" + alias + "'");
}
// decode secret key
} else {
byte[] keyBytes = in.getOctetString();
SecretKeySpec secretKeySpec = new SecretKeySpec(keyBytes, keyAlgo);
// Special handling required for PBE: needs a PBEKeySpec
if (keyAlgo.startsWith("PBE")) {
SecretKeyFactory sKeyFactory = SecretKeyFactory.getInstance(keyAlgo);
KeySpec pbeKeySpec = sKeyFactory.getKeySpec(secretKeySpec, PBEKeySpec.class);
key = sKeyFactory.generateSecret(pbeKeySpec);
} else {
key = secretKeySpec;
}
if (debug != null) {
debug.println("Retrieved a protected secret key (" + key.getClass().getName() + ") at alias '" + alias + "'");
}
}
} catch (Exception e) {
UnrecoverableKeyException uke = new UnrecoverableKeyException("Get Key failed: " + e.getMessage());
uke.initCause(e);
throw uke;
}
return key;
}
Also used :
SecretKeySpec(javax.crypto.spec.SecretKeySpec)
KeySpec(java.security.spec.KeySpec)
PBEKeySpec(javax.crypto.spec.PBEKeySpec)
PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
SecretKeySpec(javax.crypto.spec.SecretKeySpec)
DerValue(sun.security.util.DerValue)
DerInputStream(sun.security.util.DerInputStream)
SecretKeyFactory(javax.crypto.SecretKeyFactory)
SecretKeyFactory(javax.crypto.SecretKeyFactory)
KeyFactory(java.security.KeyFactory)
ObjectIdentifier(sun.security.util.ObjectIdentifier)
KeyStoreException(java.security.KeyStoreException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
UnrecoverableEntryException(java.security.UnrecoverableEntryException)
DestroyFailedException(javax.security.auth.DestroyFailedException)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
SecretKey(javax.crypto.SecretKey)
AlgorithmId(sun.security.x509.AlgorithmId)
PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec)
EncryptedPrivateKeyInfo(sun.security.pkcs.EncryptedPrivateKeyInfo)
Cipher(javax.crypto.Cipher)
Key(java.security.Key)
PrivateKey(java.security.PrivateKey)
SecretKey(javax.crypto.SecretKey)
AlgorithmParameters(java.security.AlgorithmParameters)
Example 40 with DerValue
use of sun.security.util.DerValue in project jdk8u_jdk by JetBrains.
the class PKCS12KeyStore method loadSafeContents.
private void loadSafeContents(DerInputStream stream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException {
DerValue[] safeBags = stream.getSequence(2);
int count = safeBags.length;
/*
* Spin over the SafeBags.
*/
for (int i = 0; i < count; i++) {
ObjectIdentifier bagId;
DerInputStream sbi;
DerValue bagValue;
Object bagItem = null;
sbi = safeBags[i].toDerInputStream();
bagId = sbi.getOID();
bagValue = sbi.getDerValue();
if (!bagValue.isContextSpecific((byte) 0)) {
throw new IOException("unsupported PKCS12 bag value type " + bagValue.tag);
}
bagValue = bagValue.data.getDerValue();
if (bagId.equals((Object) PKCS8ShroudedKeyBag_OID)) {
PrivateKeyEntry kEntry = new PrivateKeyEntry();
kEntry.protectedPrivKey = bagValue.toByteArray();
bagItem = kEntry;
privateKeyCount++;
} else if (bagId.equals((Object) CertBag_OID)) {
DerInputStream cs = new DerInputStream(bagValue.toByteArray());
DerValue[] certValues = cs.getSequence(2);
ObjectIdentifier certId = certValues[0].getOID();
if (!certValues[1].isContextSpecific((byte) 0)) {
throw new IOException("unsupported PKCS12 cert value type " + certValues[1].tag);
}
DerValue certValue = certValues[1].data.getDerValue();
CertificateFactory cf = CertificateFactory.getInstance("X509");
X509Certificate cert;
cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certValue.getOctetString()));
bagItem = cert;
certificateCount++;
} else if (bagId.equals((Object) SecretBag_OID)) {
DerInputStream ss = new DerInputStream(bagValue.toByteArray());
DerValue[] secretValues = ss.getSequence(2);
ObjectIdentifier secretId = secretValues[0].getOID();
if (!secretValues[1].isContextSpecific((byte) 0)) {
throw new IOException("unsupported PKCS12 secret value type " + secretValues[1].tag);
}
DerValue secretValue = secretValues[1].data.getDerValue();
SecretKeyEntry kEntry = new SecretKeyEntry();
kEntry.protectedSecretKey = secretValue.getOctetString();
bagItem = kEntry;
secretKeyCount++;
} else {
if (debug != null) {
debug.println("Unsupported PKCS12 bag type: " + bagId);
}
}
DerValue[] attrSet;
try {
attrSet = sbi.getSet(3);
} catch (IOException e) {
// entry does not have attributes
// Note: CA certs can have no attributes
// OpenSSL generates pkcs12 with no attr for CA certs.
attrSet = null;
}
String alias = null;
byte[] keyId = null;
ObjectIdentifier[] trustedKeyUsage = null;
Set<PKCS12Attribute> attributes = new HashSet<>();
if (attrSet != null) {
for (int j = 0; j < attrSet.length; j++) {
byte[] encoded = attrSet[j].toByteArray();
DerInputStream as = new DerInputStream(encoded);
DerValue[] attrSeq = as.getSequence(2);
ObjectIdentifier attrId = attrSeq[0].getOID();
DerInputStream vs = new DerInputStream(attrSeq[1].toByteArray());
DerValue[] valSet;
try {
valSet = vs.getSet(1);
} catch (IOException e) {
throw new IOException("Attribute " + attrId + " should have a value " + e.getMessage());
}
if (attrId.equals((Object) PKCS9FriendlyName_OID)) {
alias = valSet[0].getBMPString();
} else if (attrId.equals((Object) PKCS9LocalKeyId_OID)) {
keyId = valSet[0].getOctetString();
} else if (attrId.equals((Object) TrustedKeyUsage_OID)) {
trustedKeyUsage = new ObjectIdentifier[valSet.length];
for (int k = 0; k < valSet.length; k++) {
trustedKeyUsage[k] = valSet[k].getOID();
}
} else {
attributes.add(new PKCS12Attribute(encoded));
}
}
}
/*
* As per PKCS12 v1.0 friendlyname (alias) and localKeyId (keyId)
* are optional PKCS12 bagAttributes. But entries in the keyStore
* are identified by their alias. Hence we need to have an
* Unfriendlyname in the alias, if alias is null. The keyId
* attribute is required to match the private key with the
* certificate. If we get a bagItem of type KeyEntry with a
* null keyId, we should skip it entirely.
*/
if (bagItem instanceof KeyEntry) {
KeyEntry entry = (KeyEntry) bagItem;
if (bagItem instanceof PrivateKeyEntry) {
if (keyId == null) {
// associated cert-chain
if (privateKeyCount == 1) {
keyId = "01".getBytes("UTF8");
} else {
continue;
}
}
}
entry.keyId = keyId;
// restore date if it exists
String keyIdStr = new String(keyId, "UTF8");
Date date = null;
if (keyIdStr.startsWith("Time ")) {
try {
date = new Date(Long.parseLong(keyIdStr.substring(5)));
} catch (Exception e) {
date = null;
}
}
if (date == null) {
date = new Date();
}
entry.date = date;
if (bagItem instanceof PrivateKeyEntry) {
keyList.add((PrivateKeyEntry) entry);
}
if (entry.attributes == null) {
entry.attributes = new HashSet<>();
}
entry.attributes.addAll(attributes);
if (alias == null) {
alias = getUnfriendlyName();
}
entry.alias = alias;
entries.put(alias.toLowerCase(Locale.ENGLISH), entry);
} else if (bagItem instanceof X509Certificate) {
X509Certificate cert = (X509Certificate) bagItem;
// associated cert-chain
if ((keyId == null) && (privateKeyCount == 1)) {
// insert localKeyID only for EE cert or self-signed cert
if (i == 0) {
keyId = "01".getBytes("UTF8");
}
}
// Trusted certificate
if (trustedKeyUsage != null) {
if (alias == null) {
alias = getUnfriendlyName();
}
CertEntry certEntry = new CertEntry(cert, keyId, alias, trustedKeyUsage, attributes);
entries.put(alias.toLowerCase(Locale.ENGLISH), certEntry);
} else {
certEntries.add(new CertEntry(cert, keyId, alias));
}
X500Principal subjectDN = cert.getSubjectX500Principal();
if (subjectDN != null) {
if (!certsMap.containsKey(subjectDN)) {
certsMap.put(subjectDN, cert);
}
}
}
}
}
Also used :
CertificateFactory(java.security.cert.CertificateFactory)
X509Certificate(java.security.cert.X509Certificate)
KeyStoreException(java.security.KeyStoreException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
UnrecoverableEntryException(java.security.UnrecoverableEntryException)
DestroyFailedException(javax.security.auth.DestroyFailedException)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
PKCS12Attribute(java.security.PKCS12Attribute)
DerValue(sun.security.util.DerValue)
X500Principal(javax.security.auth.x500.X500Principal)
DerInputStream(sun.security.util.DerInputStream)
ObjectIdentifier(sun.security.util.ObjectIdentifier)
Aggregations
DerValue (sun.security.util.DerValue)72
DerInputStream (sun.security.util.DerInputStream)26
IOException (java.io.IOException)25
ObjectIdentifier (sun.security.util.ObjectIdentifier)17
CertificateException (java.security.cert.CertificateException)12
DerOutputStream (sun.security.util.DerOutputStream)11
UnrecoverableKeyException (java.security.UnrecoverableKeyException)10
BigInteger (java.math.BigInteger)9
KeyStoreException (java.security.KeyStoreException)9
X509Certificate (java.security.cert.X509Certificate)9
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)8
UnrecoverableEntryException (java.security.UnrecoverableEntryException)8
CertificateFactory (java.security.cert.CertificateFactory)7
DestroyFailedException (javax.security.auth.DestroyFailedException)6
X500Principal (javax.security.auth.x500.X500Principal)6
X509CertImpl (sun.security.x509.X509CertImpl)6
AlgorithmId (sun.security.x509.AlgorithmId)5
AlgorithmParameters (java.security.AlgorithmParameters)4
InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)4
KeyFactory (java.security.KeyFactory)4
