Example 6 with KeyUsageExtension
use of sun.security.x509.KeyUsageExtension in project Bytecoder by mirkosertic.
the class SignerInfo method verify.
/* Returns null if verify fails, this signerInfo if
verify succeeds. */
SignerInfo verify(PKCS7 block, byte[] data) throws NoSuchAlgorithmException, SignatureException {
try {
ContentInfo content = block.getContentInfo();
if (data == null) {
data = content.getContentBytes();
}
Timestamp timestamp = null;
try {
timestamp = getTimestamp();
} catch (Exception ignore) {
}
ConstraintsParameters cparams = new ConstraintsParameters(timestamp);
String digestAlgname = getDigestAlgorithmId().getName();
byte[] dataSigned;
// digest and compare it with the digest of data
if (authenticatedAttributes == null) {
dataSigned = data;
} else {
// first, check content type
ObjectIdentifier contentType = (ObjectIdentifier) authenticatedAttributes.getAttributeValue(PKCS9Attribute.CONTENT_TYPE_OID);
if (contentType == null || !contentType.equals(content.contentType))
// contentType does not match, bad SignerInfo
return null;
// now, check message digest
byte[] messageDigest = (byte[]) authenticatedAttributes.getAttributeValue(PKCS9Attribute.MESSAGE_DIGEST_OID);
if (// fail if there is no message digest
messageDigest == null)
return null;
// check that digest algorithm is not restricted
try {
JAR_DISABLED_CHECK.permits(digestAlgname, cparams);
} catch (CertPathValidatorException e) {
throw new SignatureException(e.getMessage(), e);
}
MessageDigest md = MessageDigest.getInstance(digestAlgname);
byte[] computedMessageDigest = md.digest(data);
if (messageDigest.length != computedMessageDigest.length)
return null;
for (int i = 0; i < messageDigest.length; i++) {
if (messageDigest[i] != computedMessageDigest[i])
return null;
}
// message digest attribute matched
// digest of original data
// the data actually signed is the DER encoding of
// the authenticated attributes (tagged with
// the "SET OF" tag, not 0xA0).
dataSigned = authenticatedAttributes.getDerEncoding();
}
// put together digest algorithm and encryption algorithm
// to form signing algorithm
String encryptionAlgname = getDigestEncryptionAlgorithmId().getName();
// Workaround: sometimes the encryptionAlgname is actually
// a signature name
String tmp = AlgorithmId.getEncAlgFromSigAlg(encryptionAlgname);
if (tmp != null)
encryptionAlgname = tmp;
String algname = AlgorithmId.makeSigAlg(digestAlgname, encryptionAlgname);
// check that jar signature algorithm is not restricted
try {
JAR_DISABLED_CHECK.permits(algname, cparams);
} catch (CertPathValidatorException e) {
throw new SignatureException(e.getMessage(), e);
}
X509Certificate cert = getCertificate(block);
if (cert == null) {
return null;
}
PublicKey key = cert.getPublicKey();
// check if the public key is restricted
if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
throw new SignatureException("Public key check failed. " + "Disabled key used: " + KeyUtil.getKeySize(key) + " bit " + key.getAlgorithm());
}
if (cert.hasUnsupportedCriticalExtension()) {
throw new SignatureException("Certificate has unsupported " + "critical extension(s)");
}
// Make sure that if the usage of the key in the certificate is
// restricted, it can be used for digital signatures.
// XXX We may want to check for additional extensions in the
// future.
boolean[] keyUsageBits = cert.getKeyUsage();
if (keyUsageBits != null) {
KeyUsageExtension keyUsage;
try {
// We don't care whether or not this extension was marked
// critical in the certificate.
// We're interested only in its value (i.e., the bits set)
// and treat the extension as critical.
keyUsage = new KeyUsageExtension(keyUsageBits);
} catch (IOException ioe) {
throw new SignatureException("Failed to parse keyUsage " + "extension");
}
boolean digSigAllowed = keyUsage.get(KeyUsageExtension.DIGITAL_SIGNATURE).booleanValue();
boolean nonRepuAllowed = keyUsage.get(KeyUsageExtension.NON_REPUDIATION).booleanValue();
if (!digSigAllowed && !nonRepuAllowed) {
throw new SignatureException("Key usage restricted: " + "cannot be used for " + "digital signatures");
}
}
Signature sig = Signature.getInstance(algname);
sig.initVerify(key);
sig.update(dataSigned);
if (sig.verify(encryptedDigest)) {
return this;
}
} catch (IOException e) {
throw new SignatureException("IO error verifying signature:\n" + e.getMessage());
} catch (InvalidKeyException e) {
throw new SignatureException("InvalidKey: " + e.getMessage());
}
return null;
}
Also used :
PublicKey(java.security.PublicKey)
SignatureException(java.security.SignatureException)
IOException(java.io.IOException)
ConstraintsParameters(sun.security.util.ConstraintsParameters)
InvalidKeyException(java.security.InvalidKeyException)
Timestamp(java.security.Timestamp)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
SignatureException(java.security.SignatureException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
X509Certificate(java.security.cert.X509Certificate)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
Signature(java.security.Signature)
MessageDigest(java.security.MessageDigest)
ObjectIdentifier(sun.security.util.ObjectIdentifier)
KeyUsageExtension(sun.security.x509.KeyUsageExtension)
Example 7 with KeyUsageExtension
use of sun.security.x509.KeyUsageExtension in project OpenAttestation by OpenAttestation.
the class X509Builder method keyUsageKeyEncipherment.
public X509Builder keyUsageKeyEncipherment() {
// for encrypting and transporting other keys
try {
v3();
if (keyUsageExtension == null) {
keyUsageExtension = new KeyUsageExtension();
}
keyUsageExtension.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
if (certificateExtensions == null) {
certificateExtensions = new CertificateExtensions();
}
certificateExtensions.set(keyUsageExtension.getExtensionId().toString(), keyUsageExtension);
info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
} catch (Exception e) {
fault(e, "keyUsageKeyEncipherment");
}
return this;
}
Also used :
CertificateExtensions(sun.security.x509.CertificateExtensions)
KeyUsageExtension(sun.security.x509.KeyUsageExtension)
ExtendedKeyUsageExtension(sun.security.x509.ExtendedKeyUsageExtension)
Example 8 with KeyUsageExtension
use of sun.security.x509.KeyUsageExtension in project OpenAttestation by OpenAttestation.
the class X509Builder method keyUsageNonRepudiation.
public X509Builder keyUsageNonRepudiation() {
// other than CA or CRL; this applies to API clients
try {
v3();
if (keyUsageExtension == null) {
keyUsageExtension = new KeyUsageExtension();
}
keyUsageExtension.set(KeyUsageExtension.NON_REPUDIATION, true);
if (certificateExtensions == null) {
certificateExtensions = new CertificateExtensions();
}
certificateExtensions.set(keyUsageExtension.getExtensionId().toString(), keyUsageExtension);
info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
} catch (Exception e) {
fault(e, "keyUsageNonRepudiation");
}
return this;
}
Also used :
CertificateExtensions(sun.security.x509.CertificateExtensions)
KeyUsageExtension(sun.security.x509.KeyUsageExtension)
ExtendedKeyUsageExtension(sun.security.x509.ExtendedKeyUsageExtension)
Example 9 with KeyUsageExtension
use of sun.security.x509.KeyUsageExtension in project OpenAttestation by OpenAttestation.
the class X509Builder method keyUsageCertificateAuthority.
public X509Builder keyUsageCertificateAuthority() {
try {
v3();
// certificate authority basic constraint
// true indicates this is a CA; -1 means no restriction on path length; 0 or more to set a restriction on max number of certs under this one in the chain
BasicConstraintsExtension constraintsExtension = new BasicConstraintsExtension(true, -1);
// certificate signing extension
if (keyUsageExtension == null) {
keyUsageExtension = new KeyUsageExtension();
}
keyUsageExtension.set(KeyUsageExtension.KEY_CERTSIGN, true);
// add both
if (certificateExtensions == null) {
certificateExtensions = new CertificateExtensions();
}
certificateExtensions.set(keyUsageExtension.getExtensionId().toString(), keyUsageExtension);
certificateExtensions.set(constraintsExtension.getExtensionId().toString(), constraintsExtension);
info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
} catch (Exception e) {
fault(e, "keyUsageCertificateAuthority");
}
return this;
}
Also used :
BasicConstraintsExtension(sun.security.x509.BasicConstraintsExtension)
CertificateExtensions(sun.security.x509.CertificateExtensions)
KeyUsageExtension(sun.security.x509.KeyUsageExtension)
ExtendedKeyUsageExtension(sun.security.x509.ExtendedKeyUsageExtension)
Example 10 with KeyUsageExtension
use of sun.security.x509.KeyUsageExtension in project jdk8u_jdk by JetBrains.
the class NamedBitList method main.
public static void main(String[] args) throws Exception {
boolean[] bb = (new boolean[] { true, false, true, false, false, false });
GeneralNames gns = new GeneralNames();
gns.add(new GeneralName(new DNSName("dns")));
DerOutputStream out;
// length should be 5 since only {T,F,T} should be encoded
KeyUsageExtension x1 = new KeyUsageExtension(bb);
check(new DerValue(x1.getExtensionValue()).getUnalignedBitString().length(), 3);
NetscapeCertTypeExtension x2 = new NetscapeCertTypeExtension(bb);
check(new DerValue(x2.getExtensionValue()).getUnalignedBitString().length(), 3);
ReasonFlags r = new ReasonFlags(bb);
out = new DerOutputStream();
r.encode(out);
check(new DerValue(out.toByteArray()).getUnalignedBitString().length(), 3);
// Read sun.security.x509.DistributionPoint for ASN.1 definition
DistributionPoint dp = new DistributionPoint(gns, bb, gns);
out = new DerOutputStream();
dp.encode(out);
DerValue v = new DerValue(out.toByteArray());
// skip distributionPoint
v.data.getDerValue();
// read reasons
DerValue v2 = v.data.getDerValue();
// reset to BitString since it's context-specfic[1] encoded
v2.resetTag(DerValue.tag_BitString);
// length should be 5 since only {T,F,T} should be encoded
check(v2.getUnalignedBitString().length(), 3);
BitArray ba;
ba = new BitArray(new boolean[] { false, false, false });
check(ba.length(), 3);
ba = ba.truncate();
check(ba.length(), 1);
ba = new BitArray(new boolean[] { true, true, true, true, true, true, true, true, false, false });
check(ba.length(), 10);
check(ba.toByteArray().length, 2);
ba = ba.truncate();
check(ba.length(), 8);
check(ba.toByteArray().length, 1);
ba = new BitArray(new boolean[] { true, true, true, true, true, true, true, true, true, false });
check(ba.length(), 10);
check(ba.toByteArray().length, 2);
ba = ba.truncate();
check(ba.length(), 9);
check(ba.toByteArray().length, 2);
}
Also used :
GeneralNames(sun.security.x509.GeneralNames)
DerOutputStream(sun.security.util.DerOutputStream)
ReasonFlags(sun.security.x509.ReasonFlags)
DerValue(sun.security.util.DerValue)
GeneralName(sun.security.x509.GeneralName)
DistributionPoint(sun.security.x509.DistributionPoint)
BitArray(sun.security.util.BitArray)
DNSName(sun.security.x509.DNSName)
NetscapeCertTypeExtension(sun.security.x509.NetscapeCertTypeExtension)
KeyUsageExtension(sun.security.x509.KeyUsageExtension)
Aggregations
KeyUsageExtension (sun.security.x509.KeyUsageExtension)10
CertificateExtensions (sun.security.x509.CertificateExtensions)6
ExtendedKeyUsageExtension (sun.security.x509.ExtendedKeyUsageExtension)6
IOException (java.io.IOException)3
X509Certificate (java.security.cert.X509Certificate)3
ObjectIdentifier (sun.security.util.ObjectIdentifier)3
InvalidKeyException (java.security.InvalidKeyException)2
MessageDigest (java.security.MessageDigest)2
PublicKey (java.security.PublicKey)2
Signature (java.security.Signature)2
SignatureException (java.security.SignatureException)2
CertPathValidatorException (java.security.cert.CertPathValidatorException)2
CertificateException (java.security.cert.CertificateException)2
ConstraintsParameters (sun.security.util.ConstraintsParameters)2
DerValue (sun.security.util.DerValue)2
ByteArrayInputStream (java.io.ByteArrayInputStream)1
InputStream (java.io.InputStream)1
KeyStoreException (java.security.KeyStoreException)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
Timestamp (java.security.Timestamp)1
