Beispiel #1
0
  private CipherTest(PeerFactory peerFactory) throws IOException {
    THREADS = Integer.parseInt(System.getProperty("numThreads", "4"));
    factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket socket = (SSLSocket) factory.createSocket();
    String[] cipherSuites = socket.getSupportedCipherSuites();
    String[] protocols = socket.getSupportedProtocols();
    //      String[] clientAuths = {null, "RSA", "DSA"};
    String[] clientAuths = {null};
    tests =
        new ArrayList<TestParameters>(cipherSuites.length * protocols.length * clientAuths.length);
    for (int i = 0; i < cipherSuites.length; i++) {
      String cipherSuite = cipherSuites[i];

      for (int j = 0; j < protocols.length; j++) {
        String protocol = protocols[j];

        if (!peerFactory.isSupported(cipherSuite, protocol)) {
          continue;
        }

        for (int k = 0; k < clientAuths.length; k++) {
          String clientAuth = clientAuths[k];
          if ((clientAuth != null) && (cipherSuite.indexOf("DH_anon") != -1)) {
            // no client with anonymous ciphersuites
            continue;
          }
          tests.add(new TestParameters(cipherSuite, protocol, clientAuth));
        }
      }
    }
    testIterator = tests.iterator();
  }
 /**
  * Check if the certificate allows use of the given DNS name.
  *
  * <p>From RFC2818: If a subjectAltName extension of type dNSName is present, that MUST be used as
  * the identity. Otherwise, the (most specific) Common Name field in the Subject field of the
  * certificate MUST be used. Although the use of the Common Name is existing practice, it is
  * deprecated and Certification Authorities are encouraged to use the dNSName instead.
  *
  * <p>Matching is performed using the matching rules specified by [RFC2459]. If more than one
  * identity of a given type is present in the certificate (e.g., more than one dNSName name, a
  * match in any one of the set is considered acceptable.)
  */
 private void matchDNS(String expectedName, X509Certificate cert) throws CertificateException {
   Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
   if (subjAltNames != null) {
     boolean foundDNS = false;
     for (List<?> next : subjAltNames) {
       if (((Integer) next.get(0)).intValue() == ALTNAME_DNS) {
         foundDNS = true;
         String dnsName = (String) next.get(1);
         if (isMatched(expectedName, dnsName)) {
           return;
         }
       }
     }
     if (foundDNS) {
       // if certificate contains any subject alt names of type DNS
       // but none match, reject
       throw new CertificateException(
           "No subject alternative DNS " + "name matching " + expectedName + " found.");
     }
   }
   X500Name subjectName = getSubjectX500Name(cert);
   DerValue derValue = subjectName.findMostSpecificAttribute(X500Name.commonName_oid);
   if (derValue != null) {
     try {
       if (isMatched(expectedName, derValue.getAsString())) {
         return;
       }
     } catch (IOException e) {
       // ignore
     }
   }
   String msg = "No name matching " + expectedName + " found";
   throw new CertificateException(msg);
 }
Beispiel #3
0
 private ConditionalPermissionInfo setConditionalPermissionInfo(
     String name, ConditionInfo[] conds, PermissionInfo[] perms, boolean firstTry) {
   ConditionalPermissionUpdate update = newConditionalPermissionUpdate();
   List rows = update.getConditionalPermissionInfos();
   ConditionalPermissionInfo newInfo =
       newConditionalPermissionInfo(name, conds, perms, ConditionalPermissionInfo.ALLOW);
   int index = -1;
   if (name != null) {
     for (int i = 0; i < rows.size() && index < 0; i++) {
       ConditionalPermissionInfo info = (ConditionalPermissionInfo) rows.get(i);
       if (name.equals(info.getName())) {
         index = i;
       }
     }
   }
   if (index < 0) {
     // must always add to the beginning (bug 303930)
     rows.add(0, newInfo);
     index = 0;
   } else {
     rows.set(index, newInfo);
   }
   synchronized (lock) {
     if (!update.commit()) {
       if (firstTry)
         // try again
         setConditionalPermissionInfo(name, conds, perms, false);
     }
     return condAdminTable.getRow(index);
   }
 }
Beispiel #4
0
 private static X509Certificate[] toArray(CertPath path, TrustAnchor anchor)
     throws CertificateException {
   List list = path.getCertificates();
   X509Certificate[] chain = new X509Certificate[list.size() + 1];
   list.toArray(chain);
   X509Certificate trustedCert = anchor.getTrustedCert();
   if (trustedCert == null) {
     throw new ValidatorException("TrustAnchor must be specified as certificate");
   }
   chain[chain.length - 1] = trustedCert;
   return chain;
 }
 /**
  * Check if the certificate allows use of the given IP address.
  *
  * <p>From RFC2818: In some cases, the URI is specified as an IP address rather than a hostname.
  * In this case, the iPAddress subjectAltName must be present in the certificate and must exactly
  * match the IP in the URI.
  */
 private static void matchIP(String expectedIP, X509Certificate cert) throws CertificateException {
   Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
   if (subjAltNames == null) {
     throw new CertificateException("No subject alternative names present");
   }
   for (List<?> next : subjAltNames) {
     // For IP address, it needs to be exact match
     if (((Integer) next.get(0)).intValue() == ALTNAME_IP) {
       String ipAddress = (String) next.get(1);
       if (expectedIP.equalsIgnoreCase(ipAddress)) {
         return;
       }
     }
   }
   throw new CertificateException(
       "No subject alternative " + "names matching " + "IP address " + expectedIP + " found");
 }
Beispiel #6
0
 void delete(SecurityRow securityRow, boolean firstTry) {
   ConditionalPermissionUpdate update = newConditionalPermissionUpdate();
   List rows = update.getConditionalPermissionInfos();
   for (Iterator iRows = rows.iterator(); iRows.hasNext(); ) {
     ConditionalPermissionInfo info = (ConditionalPermissionInfo) iRows.next();
     if (securityRow.getName().equals(info.getName())) {
       iRows.remove();
       synchronized (lock) {
         if (!update.commit()) {
           if (firstTry)
             // try again
             delete(securityRow, false);
         }
       }
       break;
     }
   }
 }
Beispiel #7
0
 private static Bundle createMockBundle(String[] signers) {
   Map /* <X509Certificate, List<X509Certificate>> */ signersMap = new HashMap();
   for (int i = 0; i < signers.length; i++) {
     List chain = parseDNchain(signers[i]);
     List /* <X509Certificate> */ signersList = new ArrayList();
     Principal subject = null, issuer = null;
     X509Certificate first = null;
     for (Iterator iChain = chain.iterator(); iChain.hasNext(); ) {
       subject = issuer == null ? new MockPrincipal((String) iChain.next()) : issuer;
       issuer = iChain.hasNext() ? new MockPrincipal((String) iChain.next()) : subject;
       X509Certificate cert = new MockX509Certificate(subject, issuer);
       if (first == null) first = cert;
       signersList.add(cert);
     }
     if (subject != issuer) signersList.add(new MockX509Certificate(issuer, issuer));
     signersMap.put(first, signersList);
   }
   return new MockBundle(signersMap);
 }
Beispiel #8
0
 boolean commit(List rows, long updateStamp) {
   checkAllPermission();
   synchronized (lock) {
     if (updateStamp != timeStamp) return false;
     SecurityRow[] newRows = new SecurityRow[rows.size()];
     Collection names = new ArrayList();
     for (int i = 0; i < newRows.length; i++) {
       Object rowObj = rows.get(i);
       if (!(rowObj instanceof ConditionalPermissionInfo))
         throw new IllegalStateException(
             "Invalid type \""
                 + rowObj.getClass().getName()
                 + "\" at row: "
                 + i); //$NON-NLS-1$//$NON-NLS-2$
       ConditionalPermissionInfo infoBaseRow = (ConditionalPermissionInfo) rowObj;
       String name = infoBaseRow.getName();
       if (name == null) name = generateName();
       if (names.contains(name))
         throw new IllegalStateException(
             "Duplicate name \"" + name + "\" at row: " + i); // $NON-NLS-1$//$NON-NLS-2$
       newRows[i] =
           new SecurityRow(
               this,
               name,
               infoBaseRow.getConditionInfos(),
               infoBaseRow.getPermissionInfos(),
               infoBaseRow.getAccessDecision());
     }
     condAdminTable = new SecurityTable(this, newRows);
     try {
       permissionStorage.saveConditionalPermissionInfos(condAdminTable.getEncodedRows());
     } catch (IOException e) {
       // TODO log
       e.printStackTrace();
     }
     timeStamp += 1;
     return true;
   }
 }
Beispiel #9
0
 private void initCommon() {
   if (TRY_VALIDATOR == false) {
     return;
   }
   trustedSubjects = new HashMap<X500Principal, List<PublicKey>>();
   for (Iterator t = trustedCerts.iterator(); t.hasNext(); ) {
     X509Certificate cert = (X509Certificate) t.next();
     X500Principal dn = cert.getSubjectX500Principal();
     List<PublicKey> keys;
     if (trustedSubjects.containsKey(dn)) {
       keys = trustedSubjects.get(dn);
     } else {
       keys = new ArrayList<PublicKey>();
       trustedSubjects.put(dn, keys);
     }
     keys.add(cert.getPublicKey());
   }
   try {
     factory = CertificateFactory.getInstance("X.509");
   } catch (CertificateException e) {
     throw new RuntimeException("Internal error", e);
   }
   plugin = variant.equals(VAR_PLUGIN_CODE_SIGNING);
 }
Beispiel #10
0
  /**
   * Callback method from _scanKeychain. If an identity is found, this method will be called to
   * create Java certificate and private key objects from the keychain data.
   */
  private void createKeyEntry(
      String alias,
      long creationDate,
      long secKeyRef,
      long[] secCertificateRefs,
      byte[][] rawCertData)
      throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException {
    KeyEntry ke = new KeyEntry();

    // First, store off the private key information.  This is the easy part.
    ke.protectedPrivKey = null;
    ke.keyRef = secKeyRef;

    // Make a creation date.
    if (creationDate != 0) ke.date = new Date(creationDate);
    else ke.date = new Date();

    // Next, create X.509 Certificate objects from the raw data.  This is complicated
    // because a certificate's public key may be too long for Java's default encryption strength.
    List<CertKeychainItemPair> createdCerts = new ArrayList<>();

    try {
      CertificateFactory cf = CertificateFactory.getInstance("X.509");

      for (int i = 0; i < rawCertData.length; i++) {
        try {
          InputStream input = new ByteArrayInputStream(rawCertData[i]);
          X509Certificate cert = (X509Certificate) cf.generateCertificate(input);
          input.close();

          // We successfully created the certificate, so track it and its corresponding
          // SecCertificateRef.
          createdCerts.add(new CertKeychainItemPair(secCertificateRefs[i], cert));
        } catch (CertificateException e) {
          // The certificate will be skipped.
          System.err.println("KeychainStore Ignored Exception: " + e);
        }
      }
    } catch (CertificateException e) {
      e.printStackTrace();
    } catch (IOException ioe) {
      ioe.printStackTrace(); // How would this happen?
    }

    // We have our certificates in the List, so now extract them into an array of
    // Certificates and SecCertificateRefs.
    CertKeychainItemPair[] objArray = createdCerts.toArray(new CertKeychainItemPair[0]);
    Certificate[] certArray = new Certificate[objArray.length];
    long[] certRefArray = new long[objArray.length];

    for (int i = 0; i < objArray.length; i++) {
      CertKeychainItemPair addedItem = objArray[i];
      certArray[i] = addedItem.mCert;
      certRefArray[i] = addedItem.mCertificateRef;
    }

    ke.chain = certArray;
    ke.chainRefs = certRefArray;

    // If we don't have already have an item with this item's alias
    // create a new one for it.
    int uniqueVal = 1;
    String originalAlias = alias;

    while (entries.containsKey(alias.toLowerCase())) {
      alias = originalAlias + " " + uniqueVal;
      uniqueVal++;
    }

    entries.put(alias.toLowerCase(), ke);
  }