public void processServerCertificate(Certificate serverCertificate) throws IOException {
    X509CertificateStructure x509Cert = serverCertificate.certs[0];
    SubjectPublicKeyInfo keyInfo = x509Cert.getSubjectPublicKeyInfo();

    try {
      this.serverPublicKey = PublicKeyFactory.createKey(keyInfo);
    } catch (RuntimeException e) {
      throw new TlsFatalAlert(AlertDescription.unsupported_certificate);
    }

    if (tlsSigner == null) {
      try {
        this.dhAgreeServerPublicKey =
            validateDHPublicKey((DHPublicKeyParameters) this.serverPublicKey);
      } catch (ClassCastException e) {
        throw new TlsFatalAlert(AlertDescription.certificate_unknown);
      }

      TlsUtils.validateKeyUsage(x509Cert, KeyUsage.keyAgreement);
    } else {
      if (!tlsSigner.isValidPublicKey(this.serverPublicKey)) {
        throw new TlsFatalAlert(AlertDescription.certificate_unknown);
      }

      TlsUtils.validateKeyUsage(x509Cert, KeyUsage.digitalSignature);
    }

    // TODO
    /*
     * Perform various checks per RFC2246 7.4.2: "Unless otherwise specified, the
     * signing algorithm for the certificate must be the same as the algorithm for the
     * certificate key."
     */
  }
  /**
   * Add a given extension field for the standard extensions tag (tag 3) copying the extension value
   * from another certificate.
   *
   * @param oid the OID defining the extension type.
   * @param isCritical true if the copied extension is to be marked as critical, false otherwise.
   * @param certHolder the holder for the certificate that the extension is to be copied from.
   * @return this builder object.
   */
  public X509v3CertificateBuilder copyAndAddExtension(
      ASN1ObjectIdentifier oid, boolean isCritical, X509CertificateHolder certHolder) {
    X509CertificateStructure cert = certHolder.toASN1Structure();

    X509Extension extension = cert.getTBSCertificate().getExtensions().getExtension(oid);

    if (extension == null) {
      throw new NullPointerException("extension " + oid + " not present");
    }

    extGenerator.addExtension(oid, isCritical, extension.getValue().getOctets());

    return this;
  }
 public static void checkOrCreateKeyStore(
     final String file, final String password, final String domainName)
     throws IllegalArgumentException, OperatorCreationException {
   final String hostname;
   if ("0.0.0.0".equals(domainName)) {
     hostname = "localhost";
   } else {
     hostname = domainName;
   }
   try {
     KeyStore ks = KeyStore.getInstance("JKS");
     File keyStoreFile = new File(file);
     if (!keyStoreFile.exists()) {
       keyStoreFile.createNewFile();
       ks.load(null, null);
       KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
       keyPairGenerator.initialize(1024);
       KeyPair KPair = keyPairGenerator.generateKeyPair();
       X509v3CertificateBuilder v3CertGen =
           new X509v3CertificateBuilder(
               new X500Name("CN=" + hostname + ", OU=None, O=None L=None, C=None"),
               BigInteger.valueOf(System.currentTimeMillis()),
               new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30),
               new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365 * 10)),
               new X500Name("CN=" + hostname + ", OU=None, O=None L=None, C=None"),
               SubjectPublicKeyInfo.getInstance(KPair.getPublic().getEncoded()));
       AlgorithmIdentifier sigAlgId =
           new DefaultSignatureAlgorithmIdentifierFinder().find("SHA512withRSA");
       AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
       AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(KPair.getPrivate().getEncoded());
       ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(foo);
       X509CertificateHolder PKCertificateHolder = v3CertGen.build(sigGen);
       X509CertificateStructure eeX509CertificateStructure = PKCertificateHolder.toASN1Structure();
       CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
       X509Certificate cert;
       try (InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded())) {
         cert = (X509Certificate) cf.generateCertificate(is1);
       }
       ks.setKeyEntry(
           "siesta",
           KPair.getPrivate(),
           password.toCharArray(),
           new java.security.cert.Certificate[] {cert});
       ks.store(new FileOutputStream(file), password.toCharArray());
     }
   } catch (GeneralSecurityException | IOException | IllegalStateException ex) {
     throw new IllegalArgumentException("Error creating keystore, please manually create one", ex);
   }
 }
 private static boolean certHasPolicy(X509Certificate cert, String sOid) {
   try {
     if (m_logger.isDebugEnabled())
       m_logger.debug("Read cert policies: " + cert.getSerialNumber().toString());
     ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded());
     ASN1InputStream aIn = new ASN1InputStream(bIn);
     ASN1Sequence seq = (ASN1Sequence) aIn.readObject();
     X509CertificateStructure obj = new X509CertificateStructure(seq);
     TBSCertificateStructure tbsCert = obj.getTBSCertificate();
     if (tbsCert.getVersion() == 3) {
       X509Extensions ext = tbsCert.getExtensions();
       if (ext != null) {
         Enumeration en = ext.oids();
         while (en.hasMoreElements()) {
           DERObjectIdentifier oid = (DERObjectIdentifier) en.nextElement();
           X509Extension extVal = ext.getExtension(oid);
           ASN1OctetString oct = extVal.getValue();
           ASN1InputStream extIn = new ASN1InputStream(new ByteArrayInputStream(oct.getOctets()));
           // if (oid.equals(X509Extensions.CertificatePolicies)) { // bc 146 ja jdk 1.6 puhul -
           // X509Extension.certificatePolicies
           if (oid.equals(X509Extension.certificatePolicies)) { // bc 146 ja jdk 1.6 puhul -
             // X509Extension.certificatePolicies
             ASN1Sequence cp = (ASN1Sequence) extIn.readObject();
             for (int i = 0; i != cp.size(); i++) {
               PolicyInformation pol = PolicyInformation.getInstance(cp.getObjectAt(i));
               DERObjectIdentifier dOid = pol.getPolicyIdentifier();
               String soid2 = dOid.getId();
               if (m_logger.isDebugEnabled()) m_logger.debug("Policy: " + soid2);
               if (soid2.startsWith(sOid)) return true;
             }
           }
         }
       }
     }
   } catch (Exception ex) {
     m_logger.error("Error reading cert policies: " + ex);
   }
   return false;
 }
  private CscaMasterList(ASN1Sequence seq) {
    if (seq == null || seq.size() == 0) {
      throw new IllegalArgumentException("null or empty sequence passed.");
    }
    if (seq.size() != 2) {
      throw new IllegalArgumentException("Incorrect sequence size: " + seq.size());
    }

    version = DERInteger.getInstance(seq.getObjectAt(0));
    ASN1Set certSet = ASN1Set.getInstance(seq.getObjectAt(1));
    certList = new X509CertificateStructure[certSet.size()];
    for (int i = 0; i < certList.length; i++) {
      certList[i] = X509CertificateStructure.getInstance(certSet.getObjectAt(i));
    }
  }
Beispiel #6
0
 /**
  * Parse the ServerCertificate message.
  *
  * @param is The stream where to parse from.
  * @return A Certificate object with the certs, the server has sended.
  * @throws IOException If something goes wrong during parsing.
  */
 public static Certificate parse(InputStream is) throws IOException {
   X509CertificateStructure[] certs;
   int left = TlsUtils.readUint24(is);
   Vector tmp = new Vector();
   while (left > 0) {
     int size = TlsUtils.readUint24(is);
     left -= 3 + size;
     byte[] buf = new byte[size];
     TlsUtils.readFully(buf, is);
     ByteArrayInputStream bis = new ByteArrayInputStream(buf);
     ASN1InputStream ais = new ASN1InputStream(bis);
     DERObject o = ais.readObject();
     tmp.addElement(X509CertificateStructure.getInstance(o));
     if (bis.available() > 0) {
       throw new IllegalArgumentException(
           "Sorry, there is garbage data left after the certificate");
     }
   }
   certs = new X509CertificateStructure[tmp.size()];
   for (int i = 0; i < tmp.size(); i++) {
     certs[i] = (X509CertificateStructure) tmp.elementAt(i);
   }
   return new Certificate(certs);
 }