Search in sources :

Example 6 with KeyUsageExtension

use of sun.security.x509.KeyUsageExtension in project Bytecoder by mirkosertic.

the class SignerInfo method verify.

/* Returns null if verify fails, this signerInfo if
       verify succeeds. */
SignerInfo verify(PKCS7 block, byte[] data) throws NoSuchAlgorithmException, SignatureException {
    try {
        ContentInfo content = block.getContentInfo();
        if (data == null) {
            data = content.getContentBytes();
        }
        Timestamp timestamp = null;
        try {
            timestamp = getTimestamp();
        } catch (Exception ignore) {
        }
        ConstraintsParameters cparams = new ConstraintsParameters(timestamp);
        String digestAlgname = getDigestAlgorithmId().getName();
        byte[] dataSigned;
        // digest and compare it with the digest of data
        if (authenticatedAttributes == null) {
            dataSigned = data;
        } else {
            // first, check content type
            ObjectIdentifier contentType = (ObjectIdentifier) authenticatedAttributes.getAttributeValue(PKCS9Attribute.CONTENT_TYPE_OID);
            if (contentType == null || !contentType.equals(content.contentType))
                // contentType does not match, bad SignerInfo
                return null;
            // now, check message digest
            byte[] messageDigest = (byte[]) authenticatedAttributes.getAttributeValue(PKCS9Attribute.MESSAGE_DIGEST_OID);
            if (// fail if there is no message digest
            messageDigest == null)
                return null;
            // check that digest algorithm is not restricted
            try {
                JAR_DISABLED_CHECK.permits(digestAlgname, cparams);
            } catch (CertPathValidatorException e) {
                throw new SignatureException(e.getMessage(), e);
            }
            MessageDigest md = MessageDigest.getInstance(digestAlgname);
            byte[] computedMessageDigest = md.digest(data);
            if (messageDigest.length != computedMessageDigest.length)
                return null;
            for (int i = 0; i < messageDigest.length; i++) {
                if (messageDigest[i] != computedMessageDigest[i])
                    return null;
            }
            // message digest attribute matched
            // digest of original data
            // the data actually signed is the DER encoding of
            // the authenticated attributes (tagged with
            // the "SET OF" tag, not 0xA0).
            dataSigned = authenticatedAttributes.getDerEncoding();
        }
        // put together digest algorithm and encryption algorithm
        // to form signing algorithm
        String encryptionAlgname = getDigestEncryptionAlgorithmId().getName();
        // Workaround: sometimes the encryptionAlgname is actually
        // a signature name
        String tmp = AlgorithmId.getEncAlgFromSigAlg(encryptionAlgname);
        if (tmp != null)
            encryptionAlgname = tmp;
        String algname = AlgorithmId.makeSigAlg(digestAlgname, encryptionAlgname);
        // check that jar signature algorithm is not restricted
        try {
            JAR_DISABLED_CHECK.permits(algname, cparams);
        } catch (CertPathValidatorException e) {
            throw new SignatureException(e.getMessage(), e);
        }
        X509Certificate cert = getCertificate(block);
        if (cert == null) {
            return null;
        }
        PublicKey key = cert.getPublicKey();
        // check if the public key is restricted
        if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
            throw new SignatureException("Public key check failed. " + "Disabled key used: " + KeyUtil.getKeySize(key) + " bit " + key.getAlgorithm());
        }
        if (cert.hasUnsupportedCriticalExtension()) {
            throw new SignatureException("Certificate has unsupported " + "critical extension(s)");
        }
        // Make sure that if the usage of the key in the certificate is
        // restricted, it can be used for digital signatures.
        // XXX We may want to check for additional extensions in the
        // future.
        boolean[] keyUsageBits = cert.getKeyUsage();
        if (keyUsageBits != null) {
            KeyUsageExtension keyUsage;
            try {
                // We don't care whether or not this extension was marked
                // critical in the certificate.
                // We're interested only in its value (i.e., the bits set)
                // and treat the extension as critical.
                keyUsage = new KeyUsageExtension(keyUsageBits);
            } catch (IOException ioe) {
                throw new SignatureException("Failed to parse keyUsage " + "extension");
            }
            boolean digSigAllowed = keyUsage.get(KeyUsageExtension.DIGITAL_SIGNATURE).booleanValue();
            boolean nonRepuAllowed = keyUsage.get(KeyUsageExtension.NON_REPUDIATION).booleanValue();
            if (!digSigAllowed && !nonRepuAllowed) {
                throw new SignatureException("Key usage restricted: " + "cannot be used for " + "digital signatures");
            }
        }
        Signature sig = Signature.getInstance(algname);
        sig.initVerify(key);
        sig.update(dataSigned);
        if (sig.verify(encryptedDigest)) {
            return this;
        }
    } catch (IOException e) {
        throw new SignatureException("IO error verifying signature:\n" + e.getMessage());
    } catch (InvalidKeyException e) {
        throw new SignatureException("InvalidKey: " + e.getMessage());
    }
    return null;
}
Also used : PublicKey(java.security.PublicKey) SignatureException(java.security.SignatureException) IOException(java.io.IOException) ConstraintsParameters(sun.security.util.ConstraintsParameters) InvalidKeyException(java.security.InvalidKeyException) Timestamp(java.security.Timestamp) CertPathValidatorException(java.security.cert.CertPathValidatorException) SignatureException(java.security.SignatureException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) X509Certificate(java.security.cert.X509Certificate) CertPathValidatorException(java.security.cert.CertPathValidatorException) Signature(java.security.Signature) MessageDigest(java.security.MessageDigest) ObjectIdentifier(sun.security.util.ObjectIdentifier) KeyUsageExtension(sun.security.x509.KeyUsageExtension)

Example 7 with KeyUsageExtension

use of sun.security.x509.KeyUsageExtension in project OpenAttestation by OpenAttestation.

the class X509Builder method keyUsageKeyEncipherment.

public X509Builder keyUsageKeyEncipherment() {
    // for encrypting and transporting other keys
    try {
        v3();
        if (keyUsageExtension == null) {
            keyUsageExtension = new KeyUsageExtension();
        }
        keyUsageExtension.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
        if (certificateExtensions == null) {
            certificateExtensions = new CertificateExtensions();
        }
        certificateExtensions.set(keyUsageExtension.getExtensionId().toString(), keyUsageExtension);
        info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
    } catch (Exception e) {
        fault(e, "keyUsageKeyEncipherment");
    }
    return this;
}
Also used : CertificateExtensions(sun.security.x509.CertificateExtensions) KeyUsageExtension(sun.security.x509.KeyUsageExtension) ExtendedKeyUsageExtension(sun.security.x509.ExtendedKeyUsageExtension)

Example 8 with KeyUsageExtension

use of sun.security.x509.KeyUsageExtension in project OpenAttestation by OpenAttestation.

the class X509Builder method keyUsageNonRepudiation.

public X509Builder keyUsageNonRepudiation() {
    // other than CA or CRL; this applies to API clients
    try {
        v3();
        if (keyUsageExtension == null) {
            keyUsageExtension = new KeyUsageExtension();
        }
        keyUsageExtension.set(KeyUsageExtension.NON_REPUDIATION, true);
        if (certificateExtensions == null) {
            certificateExtensions = new CertificateExtensions();
        }
        certificateExtensions.set(keyUsageExtension.getExtensionId().toString(), keyUsageExtension);
        info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
    } catch (Exception e) {
        fault(e, "keyUsageNonRepudiation");
    }
    return this;
}
Also used : CertificateExtensions(sun.security.x509.CertificateExtensions) KeyUsageExtension(sun.security.x509.KeyUsageExtension) ExtendedKeyUsageExtension(sun.security.x509.ExtendedKeyUsageExtension)

Example 9 with KeyUsageExtension

use of sun.security.x509.KeyUsageExtension in project OpenAttestation by OpenAttestation.

the class X509Builder method keyUsageCertificateAuthority.

public X509Builder keyUsageCertificateAuthority() {
    try {
        v3();
        // certificate authority basic constraint
        // true indicates this is a CA;  -1 means no restriction on path length;  0 or more to set a restriction on max number of certs under this one in the chain
        BasicConstraintsExtension constraintsExtension = new BasicConstraintsExtension(true, -1);
        // certificate signing extension
        if (keyUsageExtension == null) {
            keyUsageExtension = new KeyUsageExtension();
        }
        keyUsageExtension.set(KeyUsageExtension.KEY_CERTSIGN, true);
        // add both
        if (certificateExtensions == null) {
            certificateExtensions = new CertificateExtensions();
        }
        certificateExtensions.set(keyUsageExtension.getExtensionId().toString(), keyUsageExtension);
        certificateExtensions.set(constraintsExtension.getExtensionId().toString(), constraintsExtension);
        info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
    } catch (Exception e) {
        fault(e, "keyUsageCertificateAuthority");
    }
    return this;
}
Also used : BasicConstraintsExtension(sun.security.x509.BasicConstraintsExtension) CertificateExtensions(sun.security.x509.CertificateExtensions) KeyUsageExtension(sun.security.x509.KeyUsageExtension) ExtendedKeyUsageExtension(sun.security.x509.ExtendedKeyUsageExtension)

Example 10 with KeyUsageExtension

use of sun.security.x509.KeyUsageExtension in project jdk8u_jdk by JetBrains.

the class NamedBitList method main.

public static void main(String[] args) throws Exception {
    boolean[] bb = (new boolean[] { true, false, true, false, false, false });
    GeneralNames gns = new GeneralNames();
    gns.add(new GeneralName(new DNSName("dns")));
    DerOutputStream out;
    // length should be 5 since only {T,F,T} should be encoded
    KeyUsageExtension x1 = new KeyUsageExtension(bb);
    check(new DerValue(x1.getExtensionValue()).getUnalignedBitString().length(), 3);
    NetscapeCertTypeExtension x2 = new NetscapeCertTypeExtension(bb);
    check(new DerValue(x2.getExtensionValue()).getUnalignedBitString().length(), 3);
    ReasonFlags r = new ReasonFlags(bb);
    out = new DerOutputStream();
    r.encode(out);
    check(new DerValue(out.toByteArray()).getUnalignedBitString().length(), 3);
    // Read sun.security.x509.DistributionPoint for ASN.1 definition
    DistributionPoint dp = new DistributionPoint(gns, bb, gns);
    out = new DerOutputStream();
    dp.encode(out);
    DerValue v = new DerValue(out.toByteArray());
    // skip distributionPoint
    v.data.getDerValue();
    // read reasons
    DerValue v2 = v.data.getDerValue();
    // reset to BitString since it's context-specfic[1] encoded
    v2.resetTag(DerValue.tag_BitString);
    // length should be 5 since only {T,F,T} should be encoded
    check(v2.getUnalignedBitString().length(), 3);
    BitArray ba;
    ba = new BitArray(new boolean[] { false, false, false });
    check(ba.length(), 3);
    ba = ba.truncate();
    check(ba.length(), 1);
    ba = new BitArray(new boolean[] { true, true, true, true, true, true, true, true, false, false });
    check(ba.length(), 10);
    check(ba.toByteArray().length, 2);
    ba = ba.truncate();
    check(ba.length(), 8);
    check(ba.toByteArray().length, 1);
    ba = new BitArray(new boolean[] { true, true, true, true, true, true, true, true, true, false });
    check(ba.length(), 10);
    check(ba.toByteArray().length, 2);
    ba = ba.truncate();
    check(ba.length(), 9);
    check(ba.toByteArray().length, 2);
}
Also used : GeneralNames(sun.security.x509.GeneralNames) DerOutputStream(sun.security.util.DerOutputStream) ReasonFlags(sun.security.x509.ReasonFlags) DerValue(sun.security.util.DerValue) GeneralName(sun.security.x509.GeneralName) DistributionPoint(sun.security.x509.DistributionPoint) BitArray(sun.security.util.BitArray) DNSName(sun.security.x509.DNSName) NetscapeCertTypeExtension(sun.security.x509.NetscapeCertTypeExtension) KeyUsageExtension(sun.security.x509.KeyUsageExtension)

Aggregations

KeyUsageExtension (sun.security.x509.KeyUsageExtension)10 CertificateExtensions (sun.security.x509.CertificateExtensions)6 ExtendedKeyUsageExtension (sun.security.x509.ExtendedKeyUsageExtension)6 IOException (java.io.IOException)3 X509Certificate (java.security.cert.X509Certificate)3 ObjectIdentifier (sun.security.util.ObjectIdentifier)3 InvalidKeyException (java.security.InvalidKeyException)2 MessageDigest (java.security.MessageDigest)2 PublicKey (java.security.PublicKey)2 Signature (java.security.Signature)2 SignatureException (java.security.SignatureException)2 CertPathValidatorException (java.security.cert.CertPathValidatorException)2 CertificateException (java.security.cert.CertificateException)2 ConstraintsParameters (sun.security.util.ConstraintsParameters)2 DerValue (sun.security.util.DerValue)2 ByteArrayInputStream (java.io.ByteArrayInputStream)1 InputStream (java.io.InputStream)1 KeyStoreException (java.security.KeyStoreException)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 Timestamp (java.security.Timestamp)1