/** Test for X.509 Certificate provider */
  /**
   * Regression test for HARMONY-3384: {@code toString()} on an X.509 certificate whose
   * authorityKeyIdentifier (2.5.29.35) extension value is an empty SEQUENCE must not fail.
   */
  public void test_toString() throws Exception {

    // Regression for HARMONY-3384
    CertificateFactory factory = CertificateFactory.getInstance("X509");
    ByteArrayInputStream encoded = new ByteArrayInputStream(TestUtils.getX509Certificate_v3());
    X509Certificate cert = (X509Certificate) factory.generateCertificate(encoded);

    // DER: OCTET STRING (0x04) of length 2 wrapping an empty SEQUENCE (0x30 0x00).
    byte[] expectedExtnValue = {0x04, 0x02, 0x30, 0x00};
    byte[] actualExtnValue = cert.getExtensionValue("2.5.29.35");
    assertTrue(Arrays.equals(expectedExtnValue, actualExtnValue));
    assertNotNull(cert.toString());
    // End regression for HARMONY-3384
  }
 /**
  * Renders every recorded verification result of this signature as a multi-line report of
  * the form {@code Signature verification [\n key=value ... \n]}. Meant for logs and
  * diagnostics, not for machine parsing; optional entries that are absent print as "no".
  */
 @Override
 public String toString() {
   StringBuilder report = new StringBuilder("Signature verification [");
   appendField(report, "signName", signName);
   appendField(report, "name", name);
   appendField(report, "subject", subject);
   appendField(report, "date", date.getTime());
   appendField(report, "reason", reason);
   appendField(report, "location", location);
   appendField(report, "revision", revision);
   appendField(report, "wholeDocument", wholeDocument);
   appendField(report, "modified", modified);
   appendField(report, "certificationLevel", getCertificationLevel().name());
   appendField(report, "signCertTrustedAndValid", signCertTrustedAndValid);
   appendField(report, "ocspPresent", ocspPresent);
   appendField(report, "ocspValid", ocspValid);
   appendField(report, "crlPresent", crlPresent);
   appendField(report, "ocspInCertPresent", ocspInCertPresent);
   appendField(report, "ocspInCertValid", ocspInCertValid);
   appendField(report, "timeStampTokenPresent", tsTokenPresent);
   // The remaining entries are optional: "no" marks an absent value.
   appendField(report, "timeStampTokenValidationFail",
       tsTokenValidationResult == null ? "no" : tsTokenValidationResult.getMessage());
   appendField(report, "fails", fails == null ? "no" : Arrays.asList(fails));
   appendField(report, "certPath", certPath == null ? "no" : certPath.getCertificates());
   appendField(report, "signingCertificate",
       signingCertificate == null ? "no" : signingCertificate.toString());
   return report.append("\n]").toString();
 }

 /** Appends one {@code "\n key=value"} entry; {@code value} is rendered via String.valueOf. */
 private static void appendField(StringBuilder report, String key, Object value) {
   report.append("\n ").append(key).append('=').append(value);
 }
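 /**
  * Writes the certificate stored under {@code name} to {@code path}, creating missing parent
  * directories. Nothing is written when the key store holds no certificate under that name.
  *
  * <p>The file receives {@code cert.toString()} — the JDK's human-readable rendering, not DER
  * or PEM — so it cannot be re-imported through a certificate factory. {@code path} is used
  * as given and is not confined to a base directory; a caller that takes it from untrusted
  * input must validate it first. The content is written in the platform default charset
  * ({@link FileWriter}).
  *
  * @param name key store alias of the certificate to export
  * @param path destination file; parent directories are created as needed, an existing file
  *     is overwritten
  * @throws KeyStoreException propagated from {@code keystore.getCertificate}
  * @throws IOException if the file cannot be created or written
  * @throws ClassCastException if the entry under {@code name} is not an X.509 certificate
  */
 @Function(
     doc = "Export the certificate in the key store to another location.",
     parameters = {
       @Parameter(name = "name", type = "string", doc = "The name of the certificate"),
       @Parameter(name = "path", doc = "The export file path", type = "string")
     })
 public void exportCertificate(String name, String path) throws KeyStoreException, IOException {
   X509Certificate cert = (X509Certificate) keystore.getCertificate(name);
   if (cert == null) {
     return;
   }
   File output = new File(path);
   File parent = output.getParentFile();
   // getParentFile() is null for a bare file name; a failed mkdirs() surfaces as the
   // IOException thrown when the writer is opened below.
   if (parent != null && !parent.exists()) {
     parent.mkdirs();
   }
   // try-with-resources closes the writer on every path, including when write() throws;
   // FileWriter creates (or truncates) the file itself, so no separate createNewFile() is needed.
   try (FileWriter writer = new FileWriter(output)) {
     writer.write(cert.toString());
   }
 }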
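  /**
   * Completes a U2F registration: looks up the enrollment session named in the response,
   * decodes the raw registration data, checks the client data against the session, verifies
   * the attestation signature over the registration data, and stores the resulting key for
   * the session's account.
   *
   * <p>An attestation certificate that is not in the data store's trusted set is only logged
   * as a warning; registration still succeeds. A deployment that requires vendor attestation
   * has to turn that warning into a rejection.
   *
   * @param registrationResponse session id, base64 client data and base64 raw registration
   *     data as returned by the client
   * @param currentTimeInMillis enrollment time recorded on the stored {@link SecurityKeyData}
   * @return the newly stored key data, with its counter initialised to 0
   * @throws U2FException if the session is unknown, the attestation certificate cannot be
   *     encoded, the browser data does not match the session, or the signature is invalid
   */
  @Override
  public SecurityKeyData processRegistrationResponse(
      RegistrationResponse registrationResponse, long currentTimeInMillis) throws U2FException {
    Log.info(">> processRegistrationResponse");

    String sessionId = registrationResponse.getSessionId();
    String clientDataBase64 = registrationResponse.getClientData();
    String rawRegistrationDataBase64 = registrationResponse.getRegistrationData();

    Log.info(">> rawRegistrationDataBase64: " + rawRegistrationDataBase64);
    EnrollSessionData sessionData = dataStore.getEnrollSessionData(sessionId);

    if (sessionData == null) {
      throw new U2FException("Unknown session_id");
    }

    String appId = sessionData.getAppId();
    // Keep the decoded client-data bytes: the challenge parameter is the SHA-256 of the exact
    // bytes the client sent, not of a re-encoded copy. The String form is only for JSON
    // parsing and logging; UTF-8 is pinned so the result does not depend on the platform
    // default charset.
    byte[] clientDataBytes = Base64.decodeBase64(clientDataBase64);
    String clientData = new String(clientDataBytes, java.nio.charset.StandardCharsets.UTF_8);
    byte[] rawRegistrationData = Base64.decodeBase64(rawRegistrationDataBase64);
    Log.info("-- Input --");
    Log.info("  sessionId: " + sessionId);
    Log.info("  challenge: " + Hex.encodeHexString(sessionData.getChallenge()));
    Log.info("  accountName: " + sessionData.getAccountName());
    Log.info("  clientData: " + clientData);
    Log.info("  rawRegistrationData: " + Hex.encodeHexString(rawRegistrationData));

    RegisterResponse registerResponse = RawMessageCodec.decodeRegisterResponse(rawRegistrationData);

    byte[] userPublicKey = registerResponse.getUserPublicKey();
    byte[] keyHandle = registerResponse.getKeyHandle();
    X509Certificate attestationCertificate = registerResponse.getAttestationCertificate();
    byte[] signature = registerResponse.getSignature();
    // The transports extension is optional; stays null when the certificate does not carry a
    // parseable one, and is stored as such.
    List<Transports> transports = null;
    try {
      transports = U2fAttestation.Parse(attestationCertificate).getTransports();
    } catch (CertificateParsingException e) {
      Log.warning("Could not parse transports extension " + e.getMessage());
    }

    Log.info("-- Parsed rawRegistrationResponse --");
    Log.info("  userPublicKey: " + Hex.encodeHexString(userPublicKey));
    Log.info("  keyHandle: " + Hex.encodeHexString(keyHandle));
    Log.info("  attestationCertificate: " + attestationCertificate.toString());
    Log.info("  transports: " + transports);
    try {
      Log.info(
          "  attestationCertificate bytes: "
              + Hex.encodeHexString(attestationCertificate.getEncoded()));
    } catch (CertificateEncodingException e) {
      throw new U2FException("Cannot encode certificate", e);
    }
    Log.info("  signature: " + Hex.encodeHexString(signature));

    // Application parameter: SHA-256 of the appId as a UTF-8 string.
    byte[] appIdSha256 =
        cryto.computeSha256(appId.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    // Challenge parameter: SHA-256 of the client data bytes as received.
    byte[] clientDataSha256 = cryto.computeSha256(clientDataBytes);
    byte[] signedBytes =
        RawMessageCodec.encodeRegistrationSignedBytes(
            appIdSha256, clientDataSha256, keyHandle, userPublicKey);

    // NOTE: an untrusted attestation certificate is logged but does not abort registration;
    // the signature below then only proves possession of the key in that certificate.
    Set<X509Certificate> trustedCertificates = dataStore.getTrustedCertificates();
    if (!trustedCertificates.contains(attestationCertificate)) {
      Log.warning("attestion cert is not trusted");
    }

    // Presumably checks typ, challenge and origin of the client data against the session;
    // defined elsewhere in this class.
    verifyBrowserData(
        new JsonParser().parse(clientData), "navigator.id.finishEnrollment", sessionData);

    Log.info("Verifying signature of bytes " + Hex.encodeHexString(signedBytes));
    if (!cryto.verifySignature(attestationCertificate, signedBytes, signature)) {
      throw new U2FException("Signature is invalid");
    }

    // The first time we create the SecurityKeyData, we set the counter value to 0.
    // We don't actually know what the counter value of the real device is - but it will
    // be something bigger (or equal) to 0, so subsequent signatures will check out ok.
    SecurityKeyData securityKeyData =
        new SecurityKeyData(
            currentTimeInMillis,
            transports,
            keyHandle,
            userPublicKey,
            attestationCertificate, /* initial counter value */
            0);
    dataStore.addSecurityKeyData(sessionData.getAccountName(), securityKeyData);

    Log.info("<< processRegistrationResponse");
    return securityKeyData;
  }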