Example 21 with AlgorithmId
use of sun.security.x509.AlgorithmId in project jdk8u_jdk by JetBrains.
the class AlgorithmChecker method check.
@Override
public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
if (!(cert instanceof X509Certificate) || constraints == null) {
// ignore the check for non-x.509 certificate or null constraints
return;
}
// check the key usage and key size
boolean[] keyUsage = ((X509Certificate) cert).getKeyUsage();
if (keyUsage != null && keyUsage.length < 9) {
throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
}
X509CertImpl x509Cert;
AlgorithmId algorithmId;
try {
x509Cert = X509CertImpl.toImpl((X509Certificate) cert);
algorithmId = (AlgorithmId) x509Cert.get(X509CertImpl.SIG_ALG);
} catch (CertificateException ce) {
throw new CertPathValidatorException(ce);
}
AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
PublicKey currPubKey = cert.getPublicKey();
String currSigAlg = ((X509Certificate) cert).getSigAlgName();
// Check the signature algorithm and parameters against constraints.
if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg, currSigAlgParams)) {
throw new CertPathValidatorException("Algorithm constraints check failed on signature " + "algorithm: " + currSigAlg, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
// Assume all key usage bits are set if key usage is not present
Set<CryptoPrimitive> primitives = KU_PRIMITIVE_SET;
if (keyUsage != null) {
primitives = EnumSet.noneOf(CryptoPrimitive.class);
if (keyUsage[0] || keyUsage[1] || keyUsage[5] || keyUsage[6]) {
// keyUsage[0]: KeyUsage.digitalSignature
// keyUsage[1]: KeyUsage.nonRepudiation
// keyUsage[5]: KeyUsage.keyCertSign
// keyUsage[6]: KeyUsage.cRLSign
primitives.add(CryptoPrimitive.SIGNATURE);
}
if (keyUsage[2]) {
// KeyUsage.keyEncipherment
primitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
}
if (keyUsage[3]) {
// KeyUsage.dataEncipherment
primitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
}
if (keyUsage[4]) {
// KeyUsage.keyAgreement
primitives.add(CryptoPrimitive.KEY_AGREEMENT);
}
if (primitives.isEmpty()) {
throw new CertPathValidatorException("incorrect KeyUsage extension bits", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
}
}
ConstraintsParameters cp = new ConstraintsParameters((X509Certificate) cert, trustedMatch, pkixdate, jarTimestamp, variant);
// Check against local constraints if it is DisabledAlgorithmConstraints
if (constraints instanceof DisabledAlgorithmConstraints) {
((DisabledAlgorithmConstraints) constraints).permits(currSigAlg, cp);
// DisabledAlgorithmsConstraints does not check primitives, so key
// additional key check.
} else {
// Perform the default constraints checking anyway.
certPathDefaultConstraints.permits(currSigAlg, cp);
// Call locally set constraints to check key with primitives.
if (!constraints.permits(primitives, currPubKey)) {
throw new CertPathValidatorException("Algorithm constraints check failed on key " + currPubKey.getAlgorithm() + " with size of " + sun.security.util.KeyUtil.getKeySize(currPubKey) + "bits", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
// If there is no previous key, set one and exit
if (prevPubKey == null) {
prevPubKey = currPubKey;
return;
}
// Check with previous cert for signature algorithm and public key
if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg, prevPubKey, currSigAlgParams)) {
throw new CertPathValidatorException("Algorithm constraints check failed on " + "signature algorithm: " + currSigAlg, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
// Inherit key parameters from previous key
if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) {
// Inherit DSA parameters from previous key
if (!(prevPubKey instanceof DSAPublicKey)) {
throw new CertPathValidatorException("Input key is not " + "of a appropriate type for inheriting parameters");
}
DSAParams params = ((DSAPublicKey) prevPubKey).getParams();
if (params == null) {
throw new CertPathValidatorException("Key parameters missing from public key.");
}
try {
BigInteger y = ((DSAPublicKey) currPubKey).getY();
KeyFactory kf = KeyFactory.getInstance("DSA");
DSAPublicKeySpec ks = new DSAPublicKeySpec(y, params.getP(), params.getQ(), params.getG());
currPubKey = kf.generatePublic(ks);
} catch (GeneralSecurityException e) {
throw new CertPathValidatorException("Unable to generate " + "key with inherited parameters: " + e.getMessage(), e);
}
}
// reset the previous public key
prevPubKey = currPubKey;
}
Also used :
DisabledAlgorithmConstraints(sun.security.util.DisabledAlgorithmConstraints)
CryptoPrimitive(java.security.CryptoPrimitive)
PublicKey(java.security.PublicKey)
DSAPublicKey(java.security.interfaces.DSAPublicKey)
GeneralSecurityException(java.security.GeneralSecurityException)
CertificateException(java.security.cert.CertificateException)
DSAParams(java.security.interfaces.DSAParams)
ConstraintsParameters(sun.security.util.ConstraintsParameters)
X509Certificate(java.security.cert.X509Certificate)
DSAPublicKey(java.security.interfaces.DSAPublicKey)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
AlgorithmId(sun.security.x509.AlgorithmId)
X509CertImpl(sun.security.x509.X509CertImpl)
BigInteger(java.math.BigInteger)
KeyFactory(java.security.KeyFactory)
AlgorithmParameters(java.security.AlgorithmParameters)
DSAPublicKeySpec(java.security.spec.DSAPublicKeySpec)
Example 22 with AlgorithmId
use of sun.security.x509.AlgorithmId in project jdk8u_jdk by JetBrains.
the class AlgorithmChecker method check.
/**
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
static void check(PublicKey key, X509CRL crl, String variant) throws CertPathValidatorException {
X509CRLImpl x509CRLImpl = null;
try {
x509CRLImpl = X509CRLImpl.toImpl(crl);
} catch (CRLException ce) {
throw new CertPathValidatorException(ce);
}
AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
check(key, algorithmId, variant);
}
Also used :
CertPathValidatorException(java.security.cert.CertPathValidatorException)
AlgorithmId(sun.security.x509.AlgorithmId)
X509CRLImpl(sun.security.x509.X509CRLImpl)
CRLException(java.security.cert.CRLException)
Example 23 with AlgorithmId
use of sun.security.x509.AlgorithmId in project jdk8u_jdk by JetBrains.
the class PKCS7 method parseOldSignedData.
/*
* Parses an old-style SignedData encoding (for backwards
* compatibility with JDK1.1.x).
*/
private void parseOldSignedData(DerValue val) throws ParsingException, IOException {
DerInputStream dis = val.toDerInputStream();
// Version
version = dis.getBigInteger();
// digestAlgorithmIds
DerValue[] digestAlgorithmIdVals = dis.getSet(1);
int len = digestAlgorithmIdVals.length;
digestAlgorithmIds = new AlgorithmId[len];
try {
for (int i = 0; i < len; i++) {
DerValue oid = digestAlgorithmIdVals[i];
digestAlgorithmIds[i] = AlgorithmId.parse(oid);
}
} catch (IOException e) {
throw new ParsingException("Error parsing digest AlgorithmId IDs");
}
// contentInfo
contentInfo = new ContentInfo(dis, true);
// certificates
CertificateFactory certfac = null;
try {
certfac = CertificateFactory.getInstance("X.509");
} catch (CertificateException ce) {
// do nothing
}
DerValue[] certVals = dis.getSet(2);
len = certVals.length;
certificates = new X509Certificate[len];
for (int i = 0; i < len; i++) {
ByteArrayInputStream bais = null;
try {
if (certfac == null)
certificates[i] = new X509CertImpl(certVals[i]);
else {
byte[] encoded = certVals[i].toByteArray();
bais = new ByteArrayInputStream(encoded);
certificates[i] = (X509Certificate) certfac.generateCertificate(bais);
bais.close();
bais = null;
}
} catch (CertificateException ce) {
ParsingException pe = new ParsingException(ce.getMessage());
pe.initCause(ce);
throw pe;
} catch (IOException ioe) {
ParsingException pe = new ParsingException(ioe.getMessage());
pe.initCause(ioe);
throw pe;
} finally {
if (bais != null)
bais.close();
}
}
// crls are ignored.
dis.getSet(0);
// signerInfos
DerValue[] signerInfoVals = dis.getSet(1);
len = signerInfoVals.length;
signerInfos = new SignerInfo[len];
for (int i = 0; i < len; i++) {
DerInputStream in = signerInfoVals[i].toDerInputStream();
signerInfos[i] = new SignerInfo(in, true);
}
}
Also used :
CertificateException(java.security.cert.CertificateException)
CertificateFactory(java.security.cert.CertificateFactory)
X509CertImpl(sun.security.x509.X509CertImpl)
Example 24 with AlgorithmId
use of sun.security.x509.AlgorithmId in project jdk8u_jdk by JetBrains.
the class PKCS7 method parseSignedData.
private void parseSignedData(DerValue val) throws ParsingException, IOException {
DerInputStream dis = val.toDerInputStream();
// Version
version = dis.getBigInteger();
// digestAlgorithmIds
DerValue[] digestAlgorithmIdVals = dis.getSet(1);
int len = digestAlgorithmIdVals.length;
digestAlgorithmIds = new AlgorithmId[len];
try {
for (int i = 0; i < len; i++) {
DerValue oid = digestAlgorithmIdVals[i];
digestAlgorithmIds[i] = AlgorithmId.parse(oid);
}
} catch (IOException e) {
ParsingException pe = new ParsingException("Error parsing digest AlgorithmId IDs: " + e.getMessage());
pe.initCause(e);
throw pe;
}
// contentInfo
contentInfo = new ContentInfo(dis);
CertificateFactory certfac = null;
try {
certfac = CertificateFactory.getInstance("X.509");
} catch (CertificateException ce) {
// do nothing
}
/*
* check if certificates (implicit tag) are provided
* (certificates are OPTIONAL)
*/
if ((byte) (dis.peekByte()) == (byte) 0xA0) {
DerValue[] certVals = dis.getSet(2, true);
len = certVals.length;
certificates = new X509Certificate[len];
int count = 0;
for (int i = 0; i < len; i++) {
ByteArrayInputStream bais = null;
try {
byte tag = certVals[i].getTag();
// CertificateChoices ignored.
if (tag == DerValue.tag_Sequence) {
if (certfac == null) {
certificates[count] = new X509CertImpl(certVals[i]);
} else {
byte[] encoded = certVals[i].toByteArray();
bais = new ByteArrayInputStream(encoded);
certificates[count] = (X509Certificate) certfac.generateCertificate(bais);
bais.close();
bais = null;
}
count++;
}
} catch (CertificateException ce) {
ParsingException pe = new ParsingException(ce.getMessage());
pe.initCause(ce);
throw pe;
} catch (IOException ioe) {
ParsingException pe = new ParsingException(ioe.getMessage());
pe.initCause(ioe);
throw pe;
} finally {
if (bais != null)
bais.close();
}
}
if (count != len) {
certificates = Arrays.copyOf(certificates, count);
}
}
// check if crls (implicit tag) are provided (crls are OPTIONAL)
if ((byte) (dis.peekByte()) == (byte) 0xA1) {
DerValue[] crlVals = dis.getSet(1, true);
len = crlVals.length;
crls = new X509CRL[len];
for (int i = 0; i < len; i++) {
ByteArrayInputStream bais = null;
try {
if (certfac == null)
crls[i] = new X509CRLImpl(crlVals[i]);
else {
byte[] encoded = crlVals[i].toByteArray();
bais = new ByteArrayInputStream(encoded);
crls[i] = (X509CRL) certfac.generateCRL(bais);
bais.close();
bais = null;
}
} catch (CRLException e) {
ParsingException pe = new ParsingException(e.getMessage());
pe.initCause(e);
throw pe;
} finally {
if (bais != null)
bais.close();
}
}
}
// signerInfos
DerValue[] signerInfoVals = dis.getSet(1);
len = signerInfoVals.length;
signerInfos = new SignerInfo[len];
for (int i = 0; i < len; i++) {
DerInputStream in = signerInfoVals[i].toDerInputStream();
signerInfos[i] = new SignerInfo(in);
}
}
Also used :
CertificateException(java.security.cert.CertificateException)
CertificateFactory(java.security.cert.CertificateFactory)
X509CertImpl(sun.security.x509.X509CertImpl)
X509CRLImpl(sun.security.x509.X509CRLImpl)
CRLException(java.security.cert.CRLException)
Example 25 with AlgorithmId
use of sun.security.x509.AlgorithmId in project jdk8u_jdk by JetBrains.
the class KeyProtector method recover.
/*
* Recovers the plaintext version of the given key (in protected format),
* using the password provided at construction time.
*/
public Key recover(EncryptedPrivateKeyInfo encrInfo) throws UnrecoverableKeyException {
int i;
byte[] digest;
int numRounds;
// offset in xorKey where next digest will be stored
int xorOffset;
// the length of the encrpyted key
int encrKeyLen;
// do we support the algorithm?
AlgorithmId encrAlg = encrInfo.getAlgorithm();
if (!(encrAlg.getOID().toString().equals(KEY_PROTECTOR_OID))) {
throw new UnrecoverableKeyException("Unsupported key protection " + "algorithm");
}
byte[] protectedKey = encrInfo.getEncryptedData();
/*
* Get the salt associated with this key (the first SALT_LEN bytes of
* <code>protectedKey</code>)
*/
byte[] salt = new byte[SALT_LEN];
System.arraycopy(protectedKey, 0, salt, 0, SALT_LEN);
// Determine the number of digest rounds
encrKeyLen = protectedKey.length - SALT_LEN - DIGEST_LEN;
numRounds = encrKeyLen / DIGEST_LEN;
if ((encrKeyLen % DIGEST_LEN) != 0)
numRounds++;
// Get the encrypted key portion and store it in "encrKey"
byte[] encrKey = new byte[encrKeyLen];
System.arraycopy(protectedKey, SALT_LEN, encrKey, 0, encrKeyLen);
// Set up the byte array which will be XORed with "encrKey"
byte[] xorKey = new byte[encrKey.length];
// Compute the digests, and store them in "xorKey"
for (i = 0, xorOffset = 0, digest = salt; i < numRounds; i++, xorOffset += DIGEST_LEN) {
md.update(passwdBytes);
md.update(digest);
digest = md.digest();
md.reset();
// Copy the digest into "xorKey"
if (i < numRounds - 1) {
System.arraycopy(digest, 0, xorKey, xorOffset, digest.length);
} else {
System.arraycopy(digest, 0, xorKey, xorOffset, xorKey.length - xorOffset);
}
}
// XOR "encrKey" with "xorKey", and store the result in "plainKey"
byte[] plainKey = new byte[encrKey.length];
for (i = 0; i < plainKey.length; i++) {
plainKey[i] = (byte) (encrKey[i] ^ xorKey[i]);
}
/*
* Check the integrity of the recovered key by concatenating it with
* the password, digesting the concatenation, and comparing the
* result of the digest operation with the digest provided at the end
* of <code>protectedKey</code>. If the two digest values are
* different, throw an exception.
*/
md.update(passwdBytes);
Arrays.fill(passwdBytes, (byte) 0x00);
passwdBytes = null;
md.update(plainKey);
digest = md.digest();
md.reset();
for (i = 0; i < digest.length; i++) {
if (digest[i] != protectedKey[SALT_LEN + encrKeyLen + i]) {
throw new UnrecoverableKeyException("Cannot recover key");
}
}
// which in turn parses the key material.
try {
return PKCS8Key.parseKey(new DerValue(plainKey));
} catch (IOException ioe) {
throw new UnrecoverableKeyException(ioe.getMessage());
}
}
Also used :
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
AlgorithmId(sun.security.x509.AlgorithmId)
DerValue(sun.security.util.DerValue)
IOException(java.io.IOException)
Aggregations
AlgorithmId (sun.security.x509.AlgorithmId)24
CertificateException (java.security.cert.CertificateException)10
X500Name (sun.security.x509.X500Name)10
X509CertImpl (sun.security.x509.X509CertImpl)9
AlgorithmParameters (java.security.AlgorithmParameters)7
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)7
X509Certificate (java.security.cert.X509Certificate)7
SecretKey (javax.crypto.SecretKey)7
IOException (java.io.IOException)6
BigInteger (java.math.BigInteger)6
UnrecoverableKeyException (java.security.UnrecoverableKeyException)6
ObjectIdentifier (sun.security.util.ObjectIdentifier)6
CertificateAlgorithmId (sun.security.x509.CertificateAlgorithmId)6
KeyStoreException (java.security.KeyStoreException)5
CertificateFactory (java.security.cert.CertificateFactory)5
ContentInfo (sun.security.pkcs.ContentInfo)5
PKCS7 (sun.security.pkcs.PKCS7)5
SignerInfo (sun.security.pkcs.SignerInfo)5
PrivateKey (java.security.PrivateKey)4
UnrecoverableEntryException (java.security.UnrecoverableEntryException)4
