Examples with X509CertImpl sun.security.x509.X509CertImpl used on opensource projects

Example 26 with X509CertImpl

use of sun.security.x509.X509CertImpl in project cloudstack by apache.

the class AprSocketWrapperImpl method upgradeToSsl.

@Override
public void upgradeToSsl() {
    try {
        long sslContext;
        try {
            sslContext = SSLContext.make(pool, SSL.SSL_PROTOCOL_TLSV1, SSL.SSL_MODE_CLIENT);
        } catch (Exception e) {
            throw new RuntimeException("Cannot create SSL context using Tomcat native library.", e);
        }
        SSLContext.setOptions(sslContext, SSL.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS | SSL.SSL_OP_TLS_BLOCK_PADDING_BUG | SSL.SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | SSL.SSL_OP_MSIE_SSLV2_RSA_PADDING);
        // FIXME: verify certificate by default
        SSLContext.setVerify(sslContext, SSL.SSL_CVERIFY_NONE, 0);
        int ret;
        try {
            ret = SSLSocket.attach(sslContext, socket);
        } catch (Exception e) {
            throw new RuntimeException("[" + this + "] ERROR: Cannot attach SSL context to socket: ", e);
        }
        if (ret != 0)
            throw new RuntimeException("[" + this + "] ERROR: Cannot attach SSL context to socket(" + ret + "): " + SSL.getLastError());
        try {
            ret = SSLSocket.handshake(socket);
        } catch (Exception e) {
            throw new RuntimeException("[" + this + "] ERROR: Cannot make SSL handshake with server: ", e);
        }
        if (// 20014: bad certificate signature FIXME: show prompt for self signed certificate
        ret != 0 && ret != 20014)
            throw new RuntimeException("[" + this + "] ERROR: Cannot make SSL handshake with server(" + ret + "): " + SSL.getLastError());
        try {
            byte[] key = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT);
            //*DEBUG*/System.out.println("DEBUG: Server cert:\n"+new ByteBuffer(key).dump());
            sslState.serverCertificateSubjectPublicKeyInfo = new X509CertImpl(key).getPublicKey().getEncoded();
        } catch (Exception e) {
            throw new RuntimeException("[" + this + "] ERROR: Cannot get server public key: ", e);
        }
    } catch (RuntimeException e) {
        shutdown();
        throw e;
    }
}

Example 27 with X509CertImpl

use of sun.security.x509.X509CertImpl in project jdk8u_jdk by JetBrains.

the class AlgorithmChecker method check.

@Override
public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
    if (!(cert instanceof X509Certificate) || constraints == null) {
        // ignore the check for non-x.509 certificate or null constraints
        return;
    }
    // check the key usage and key size
    boolean[] keyUsage = ((X509Certificate) cert).getKeyUsage();
    if (keyUsage != null && keyUsage.length < 9) {
        throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
    }
    X509CertImpl x509Cert;
    AlgorithmId algorithmId;
    try {
        x509Cert = X509CertImpl.toImpl((X509Certificate) cert);
        algorithmId = (AlgorithmId) x509Cert.get(X509CertImpl.SIG_ALG);
    } catch (CertificateException ce) {
        throw new CertPathValidatorException(ce);
    }
    AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
    PublicKey currPubKey = cert.getPublicKey();
    String currSigAlg = ((X509Certificate) cert).getSigAlgName();
    // Check the signature algorithm and parameters against constraints.
    if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg, currSigAlgParams)) {
        throw new CertPathValidatorException("Algorithm constraints check failed on signature " + "algorithm: " + currSigAlg, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }
    // Assume all key usage bits are set if key usage is not present
    Set<CryptoPrimitive> primitives = KU_PRIMITIVE_SET;
    if (keyUsage != null) {
        primitives = EnumSet.noneOf(CryptoPrimitive.class);
        if (keyUsage[0] || keyUsage[1] || keyUsage[5] || keyUsage[6]) {
            // keyUsage[0]: KeyUsage.digitalSignature
            // keyUsage[1]: KeyUsage.nonRepudiation
            // keyUsage[5]: KeyUsage.keyCertSign
            // keyUsage[6]: KeyUsage.cRLSign
            primitives.add(CryptoPrimitive.SIGNATURE);
        }
        if (keyUsage[2]) {
            // KeyUsage.keyEncipherment
            primitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
        }
        if (keyUsage[3]) {
            // KeyUsage.dataEncipherment
            primitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
        }
        if (keyUsage[4]) {
            // KeyUsage.keyAgreement
            primitives.add(CryptoPrimitive.KEY_AGREEMENT);
        }
        if (primitives.isEmpty()) {
            throw new CertPathValidatorException("incorrect KeyUsage extension bits", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }
    }
    ConstraintsParameters cp = new ConstraintsParameters((X509Certificate) cert, trustedMatch, pkixdate, jarTimestamp, variant);
    // Check against local constraints if it is DisabledAlgorithmConstraints
    if (constraints instanceof DisabledAlgorithmConstraints) {
        ((DisabledAlgorithmConstraints) constraints).permits(currSigAlg, cp);
    // DisabledAlgorithmsConstraints does not check primitives, so key
    // additional key check.
    } else {
        // Perform the default constraints checking anyway.
        certPathDefaultConstraints.permits(currSigAlg, cp);
        // Call locally set constraints to check key with primitives.
        if (!constraints.permits(primitives, currPubKey)) {
            throw new CertPathValidatorException("Algorithm constraints check failed on key " + currPubKey.getAlgorithm() + " with size of " + sun.security.util.KeyUtil.getKeySize(currPubKey) + "bits", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
        }
    }
    // If there is no previous key, set one and exit
    if (prevPubKey == null) {
        prevPubKey = currPubKey;
        return;
    }
    // Check with previous cert for signature algorithm and public key
    if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg, prevPubKey, currSigAlgParams)) {
        throw new CertPathValidatorException("Algorithm constraints check failed on " + "signature algorithm: " + currSigAlg, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }
    // Inherit key parameters from previous key
    if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) {
        // Inherit DSA parameters from previous key
        if (!(prevPubKey instanceof DSAPublicKey)) {
            throw new CertPathValidatorException("Input key is not " + "of a appropriate type for inheriting parameters");
        }
        DSAParams params = ((DSAPublicKey) prevPubKey).getParams();
        if (params == null) {
            throw new CertPathValidatorException("Key parameters missing from public key.");
        }
        try {
            BigInteger y = ((DSAPublicKey) currPubKey).getY();
            KeyFactory kf = KeyFactory.getInstance("DSA");
            DSAPublicKeySpec ks = new DSAPublicKeySpec(y, params.getP(), params.getQ(), params.getG());
            currPubKey = kf.generatePublic(ks);
        } catch (GeneralSecurityException e) {
            throw new CertPathValidatorException("Unable to generate " + "key with inherited parameters: " + e.getMessage(), e);
        }
    }
    // reset the previous public key
    prevPubKey = currPubKey;
}

Example 28 with X509CertImpl

use of sun.security.x509.X509CertImpl in project jdk8u_jdk by JetBrains.

the class OCSP method getResponderURI.

static URI getResponderURI(X509CertImpl certImpl) {
    // Examine the certificate's AuthorityInfoAccess extension
    AuthorityInfoAccessExtension aia = certImpl.getAuthorityInfoAccessExtension();
    if (aia == null) {
        return null;
    }
    List<AccessDescription> descriptions = aia.getAccessDescriptions();
    for (AccessDescription description : descriptions) {
        if (description.getAccessMethod().equals(AccessDescription.Ad_OCSP_Id)) {
            GeneralName generalName = description.getAccessLocation();
            if (generalName.getType() == GeneralNameInterface.NAME_URI) {
                URIName uri = (URIName) generalName.getName();
                return uri.getURI();
            }
        }
    }
    return null;
}

Example 29 with X509CertImpl

use of sun.security.x509.X509CertImpl in project jdk8u_jdk by JetBrains.

the class SimpleValidator method getNetscapeCertTypeBit.

/**
     * Get the value of the specified bit in the Netscape certificate type
     * extension. If the extension is not present at all, we return true.
     */
static boolean getNetscapeCertTypeBit(X509Certificate cert, String type) {
    try {
        NetscapeCertTypeExtension ext;
        if (cert instanceof X509CertImpl) {
            X509CertImpl certImpl = (X509CertImpl) cert;
            ObjectIdentifier oid = OBJID_NETSCAPE_CERT_TYPE;
            ext = (NetscapeCertTypeExtension) certImpl.getExtension(oid);
            if (ext == null) {
                return true;
            }
        } else {
            byte[] extVal = cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
            if (extVal == null) {
                return true;
            }
            DerInputStream in = new DerInputStream(extVal);
            byte[] encoded = in.getOctetString();
            encoded = new DerValue(encoded).getUnalignedBitString().toByteArray();
            ext = new NetscapeCertTypeExtension(encoded);
        }
        Boolean val = ext.get(type);
        return val.booleanValue();
    } catch (IOException e) {
        return false;
    }
}

Example 30 with X509CertImpl

use of sun.security.x509.X509CertImpl in project jdk8u_jdk by JetBrains.

the class PKCS7 method parseOldSignedData.

/*
     * Parses an old-style SignedData encoding (for backwards
     * compatibility with JDK1.1.x).
     */
private void parseOldSignedData(DerValue val) throws ParsingException, IOException {
    DerInputStream dis = val.toDerInputStream();
    // Version
    version = dis.getBigInteger();
    // digestAlgorithmIds
    DerValue[] digestAlgorithmIdVals = dis.getSet(1);
    int len = digestAlgorithmIdVals.length;
    digestAlgorithmIds = new AlgorithmId[len];
    try {
        for (int i = 0; i < len; i++) {
            DerValue oid = digestAlgorithmIdVals[i];
            digestAlgorithmIds[i] = AlgorithmId.parse(oid);
        }
    } catch (IOException e) {
        throw new ParsingException("Error parsing digest AlgorithmId IDs");
    }
    // contentInfo
    contentInfo = new ContentInfo(dis, true);
    // certificates
    CertificateFactory certfac = null;
    try {
        certfac = CertificateFactory.getInstance("X.509");
    } catch (CertificateException ce) {
    // do nothing
    }
    DerValue[] certVals = dis.getSet(2);
    len = certVals.length;
    certificates = new X509Certificate[len];
    for (int i = 0; i < len; i++) {
        ByteArrayInputStream bais = null;
        try {
            if (certfac == null)
                certificates[i] = new X509CertImpl(certVals[i]);
            else {
                byte[] encoded = certVals[i].toByteArray();
                bais = new ByteArrayInputStream(encoded);
                certificates[i] = (X509Certificate) certfac.generateCertificate(bais);
                bais.close();
                bais = null;
            }
        } catch (CertificateException ce) {
            ParsingException pe = new ParsingException(ce.getMessage());
            pe.initCause(ce);
            throw pe;
        } catch (IOException ioe) {
            ParsingException pe = new ParsingException(ioe.getMessage());
            pe.initCause(ioe);
            throw pe;
        } finally {
            if (bais != null)
                bais.close();
        }
    }
    // crls are ignored.
    dis.getSet(0);
    // signerInfos
    DerValue[] signerInfoVals = dis.getSet(1);
    len = signerInfoVals.length;
    signerInfos = new SignerInfo[len];
    for (int i = 0; i < len; i++) {
        DerInputStream in = signerInfoVals[i].toDerInputStream();
        signerInfos[i] = new SignerInfo(in, true);
    }
}