public static void main(String args[]) throws Exception {
// 参数
String cacert = args[0];
String lfcert = args[1];
// CA "Xu Yingxiao"的证书
CertificateFactory cf = CertificateFactory.getInstance("X.509");
FileInputStream in1 = new FileInputStream(cacert);
java.security.cert.Certificate cac = cf.generateCertificate(in1);
in1.close();
// 用户"Liu Fang"的签名证书
FileInputStream in2 = new FileInputStream(lfcert);
java.security.cert.Certificate lfc = cf.generateCertificate(in2);
in2.close();
PublicKey pbk = cac.getPublicKey();
boolean pass = false;
try {
lfc.verify(pbk);
pass = true;
} catch (Exception e) {
pass = false;
System.out.println(e);
}
if (pass) {
System.out.println("The Certificate is signed by the CA Xu Yingxiao");
} else {
System.out.println("!!!The Certificate is not signed by the CA Xu Yingxiao");
}
}
/**
* Callback method from _scanKeychain. If a trusted certificate is found, this method will be
* called.
*/
private void createTrustedCertEntry(
String alias, long keychainItemRef, long creationDate, byte[] derStream) {
TrustedCertEntry tce = new TrustedCertEntry();
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream input = new ByteArrayInputStream(derStream);
X509Certificate cert = (X509Certificate) cf.generateCertificate(input);
input.close();
tce.cert = cert;
tce.certRef = keychainItemRef;
// Make a creation date.
if (creationDate != 0) tce.date = new Date(creationDate);
else tce.date = new Date();
int uniqueVal = 1;
String originalAlias = alias;
while (entries.containsKey(alias.toLowerCase())) {
alias = originalAlias + " " + uniqueVal;
uniqueVal++;
}
entries.put(alias.toLowerCase(), tce);
} catch (Exception e) {
// The certificate will be skipped.
System.err.println("KeychainStore Ignored Exception: " + e);
}
}
/**
* Callback method from _scanKeychain. If an identity is found, this method will be called to
* create Java certificate and private key objects from the keychain data.
*/
private void createKeyEntry(
String alias,
long creationDate,
long secKeyRef,
long[] secCertificateRefs,
byte[][] rawCertData)
throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException {
KeyEntry ke = new KeyEntry();
// First, store off the private key information. This is the easy part.
ke.protectedPrivKey = null;
ke.keyRef = secKeyRef;
// Make a creation date.
if (creationDate != 0) ke.date = new Date(creationDate);
else ke.date = new Date();
// Next, create X.509 Certificate objects from the raw data. This is complicated
// because a certificate's public key may be too long for Java's default encryption strength.
List<CertKeychainItemPair> createdCerts = new ArrayList<>();
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
for (int i = 0; i < rawCertData.length; i++) {
try {
InputStream input = new ByteArrayInputStream(rawCertData[i]);
X509Certificate cert = (X509Certificate) cf.generateCertificate(input);
input.close();
// We successfully created the certificate, so track it and its corresponding
// SecCertificateRef.
createdCerts.add(new CertKeychainItemPair(secCertificateRefs[i], cert));
} catch (CertificateException e) {
// The certificate will be skipped.
System.err.println("KeychainStore Ignored Exception: " + e);
}
}
} catch (CertificateException e) {
e.printStackTrace();
} catch (IOException ioe) {
ioe.printStackTrace(); // How would this happen?
}
// We have our certificates in the List, so now extract them into an array of
// Certificates and SecCertificateRefs.
CertKeychainItemPair[] objArray = createdCerts.toArray(new CertKeychainItemPair[0]);
Certificate[] certArray = new Certificate[objArray.length];
long[] certRefArray = new long[objArray.length];
for (int i = 0; i < objArray.length; i++) {
CertKeychainItemPair addedItem = objArray[i];
certArray[i] = addedItem.mCert;
certRefArray[i] = addedItem.mCertificateRef;
}
ke.chain = certArray;
ke.chainRefs = certRefArray;
// If we don't have already have an item with this item's alias
// create a new one for it.
int uniqueVal = 1;
String originalAlias = alias;
while (entries.containsKey(alias.toLowerCase())) {
alias = originalAlias + " " + uniqueVal;
uniqueVal++;
}
entries.put(alias.toLowerCase(), ke);
}
// The X.509 certificate factory
public static CertificateFactory X509CertFactory() throws CertificateException {
return CertificateFactory.getInstance("X.509");
}
public static void main(String[] args) throws Exception {
// Get a CertificateFactory for various tests
CF = CertificateFactory.getInstance("X509");
ByteArrayInputStream bais = new ByteArrayInputStream(readFile("int.crt").getBytes());
X509Certificate intCA = (X509Certificate) CF.generateCertificate(bais);
System.out.println(
"Successfully instantiated CA cert \"" + intCA.getSubjectX500Principal() + "\"");
CertId cid0x1500 = new CertId(intCA, new SerialNumber(0x1500));
boolean noFailures = true;
OCSPResponse.SingleResponse sr = getSRByFilename("ocsp-good-nonext.resp", cid0x1500);
noFailures &= checkSingleExts(sr, 0);
if (sr.getRevocationTime() != null) {
throw new RuntimeException("Oops. revocationTime is non-null " + sr.getRevocationTime());
} else if (sr.getRevocationReason() != null) {
throw new RuntimeException("Oops. revocationReason is non-null " + sr.getRevocationReason());
}
sr = getSRByFilename("ocsp-good-withnext.resp", cid0x1500);
noFailures &= checkSingleExts(sr, 0);
sr = getSRByFilename("ocsp-good-witharchcut.resp", cid0x1500);
noFailures &= checkSingleExts(sr, 1);
sr = getSRByFilename("ocsp-rev-nocerts.resp", cid0x1500);
noFailures &= checkSingleExts(sr, 1);
sr = getSRByFilename("ocsp-rev-nonext-noinv.resp", cid0x1500);
noFailures &= checkSingleExts(sr, 0);
sr = getSRByFilename("ocsp-rev-withnext-noinv.resp", cid0x1500);
noFailures &= checkSingleExts(sr, 0);
sr = getSRByFilename("ocsp-rev-nonext-withinv.resp", cid0x1500);
noFailures &= checkSingleExts(sr, 1);
sr = getSRByFilename("ocsp-rev-withnext-withinv.resp", cid0x1500);
noFailures &= checkSingleExts(sr, 1);
try {
sr = getSRByFilename("ocsp-rev-twonext.resp", cid0x1500);
System.out.println("FAIL: Allowed two nextUpdate fields");
noFailures = false;
} catch (IOException ioe) {
System.out.println("Caught expected exception: " + ioe);
}
try {
sr = getSRByFilename("ocsp-rev-bad-sr-tag.resp", cid0x1500);
System.out.println("FAIL: Allowed invalid singleResponse item");
noFailures = false;
} catch (IOException ioe) {
System.out.println("Caught expected exception: " + ioe);
}
try {
sr = getSRByFilename("ocsp-rev-sr-cont-reverse.resp", cid0x1500);
System.out.println("FAIL: Allowed reversed " + "nextUpdate/singleExtensions");
noFailures = false;
} catch (IOException ioe) {
System.out.println("Caught expected exception: " + ioe);
}
if (!noFailures) {
throw new RuntimeException("One or more tests failed");
}
}
/**
* Uses the provided PKI method to find the corresponding public key and verify the provided
* signature. Returns null if no PKI method was specified in the {@link Protos.PaymentRequest}.
*/
public @Nullable PkiVerificationData verifyPki() throws PaymentRequestException {
try {
if (pkiVerificationData != null) return pkiVerificationData;
if (paymentRequest.getPkiType().equals("none"))
// Nothing to verify. Everything is fine. Move along.
return null;
String algorithm;
if (paymentRequest.getPkiType().equals("x509+sha256")) algorithm = "SHA256withRSA";
else if (paymentRequest.getPkiType().equals("x509+sha1")) algorithm = "SHA1withRSA";
else
throw new PaymentRequestException.InvalidPkiType(
"Unsupported PKI type: " + paymentRequest.getPkiType());
Protos.X509Certificates protoCerts =
Protos.X509Certificates.parseFrom(paymentRequest.getPkiData());
if (protoCerts.getCertificateCount() == 0)
throw new PaymentRequestException.InvalidPkiData(
"No certificates provided in message: server config error");
// Parse the certs and turn into a certificate chain object. Cert factories can parse both DER
// and base64.
// The ordering of certificates is defined by the payment protocol spec to be the same as what
// the Java
// crypto API requires - convenient!
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
List<X509Certificate> certs = Lists.newArrayList();
for (ByteString bytes : protoCerts.getCertificateList())
certs.add((X509Certificate) certificateFactory.generateCertificate(bytes.newInput()));
CertPath path = certificateFactory.generateCertPath(certs);
// Retrieves the most-trusted CAs from keystore.
PKIXParameters params = new PKIXParameters(createKeyStore(trustStorePath));
// Revocation not supported in the current version.
params.setRevocationEnabled(false);
// Now verify the certificate chain is correct and trusted. This let's us get an identity
// linked pubkey.
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
PKIXCertPathValidatorResult result =
(PKIXCertPathValidatorResult) validator.validate(path, params);
PublicKey publicKey = result.getPublicKey();
// OK, we got an identity, now check it was used to sign this message.
Signature signature = Signature.getInstance(algorithm);
// Note that we don't use signature.initVerify(certs.get(0)) here despite it being the most
// obvious
// way to set it up, because we don't care about the constraints specified on the
// certificates: any
// cert that links a key to a domain name or other identity will do for us.
signature.initVerify(publicKey);
Protos.PaymentRequest.Builder reqToCheck = paymentRequest.toBuilder();
reqToCheck.setSignature(ByteString.EMPTY);
signature.update(reqToCheck.build().toByteArray());
if (!signature.verify(paymentRequest.getSignature().toByteArray()))
throw new PaymentRequestException.PkiVerificationException(
"Invalid signature, this payment request is not valid.");
// Signature verifies, get the names from the identity we just verified for presentation to
// the user.
X500Principal principal = certs.get(0).getSubjectX500Principal();
// At this point the Java crypto API falls flat on its face and dies - there's no clean way to
// get the
// different parts of the certificate name except for parsing the string. That's hard because
// of various
// custom escaping rules and the usual crap. So, use Bouncy Castle to re-parse the string into
// binary form
// again and then look for the names we want. Fail!
org.spongycastle.asn1.x500.X500Name name = new X500Name(principal.getName());
String entityName = null, orgName = null;
for (RDN rdn : name.getRDNs()) {
AttributeTypeAndValue pair = rdn.getFirst();
if (pair.getType().equals(RFC4519Style.cn))
entityName = ((ASN1String) pair.getValue()).getString();
else if (pair.getType().equals(RFC4519Style.o))
orgName = ((ASN1String) pair.getValue()).getString();
}
if (entityName == null && orgName == null)
throw new PaymentRequestException.PkiVerificationException(
"Invalid certificate, no CN or O fields");
// Everything is peachy. Return some useful data to the caller.
PkiVerificationData data =
new PkiVerificationData(entityName, orgName, publicKey, result.getTrustAnchor());
// Cache the result so we don't have to re-verify if this method is called again.
pkiVerificationData = data;
return data;
} catch (InvalidProtocolBufferException e) {
// Data structures are malformed.
throw new PaymentRequestException.InvalidPkiData(e);
} catch (CertificateException e) {
// The X.509 certificate data didn't parse correctly.
throw new PaymentRequestException.PkiVerificationException(e);
} catch (NoSuchAlgorithmException e) {
// Should never happen so don't make users have to think about it. PKIX is always present.
throw new RuntimeException(e);
} catch (InvalidAlgorithmParameterException e) {
throw new RuntimeException(e);
} catch (CertPathValidatorException e) {
// The certificate chain isn't known or trusted, probably, the server is using an SSL root we
// don't
// know about and the user needs to upgrade to a new version of the software (or import a root
// cert).
throw new PaymentRequestException.PkiVerificationException(e);
} catch (InvalidKeyException e) {
// Shouldn't happen if the certs verified correctly.
throw new PaymentRequestException.PkiVerificationException(e);
} catch (SignatureException e) {
// Something went wrong during hashing (yes, despite the name, this does not mean the sig was
// invalid).
throw new PaymentRequestException.PkiVerificationException(e);
} catch (IOException e) {
throw new PaymentRequestException.PkiVerificationException(e);
} catch (KeyStoreException e) {
throw new RuntimeException(e);
}
}
