Beispiel #1
0
  /**
   * Returns the encoded SPNEGO token Note: inserts the required CHOICE tags
   *
   * @return the encoded token
   * @exception GSSException
   */
  byte[] getEncoded() throws IOException, GSSException {

    // get the token encoded value
    DerOutputStream token = new DerOutputStream();
    token.write(encode());

    // now insert the CHOICE
    switch (tokenType) {
      case NEG_TOKEN_INIT_ID:
        // Insert CHOICE of Negotiation Token
        DerOutputStream initToken = new DerOutputStream();
        initToken.write(
            DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) NEG_TOKEN_INIT_ID), token);
        return initToken.toByteArray();

      case NEG_TOKEN_TARG_ID:
        // Insert CHOICE of Negotiation Token
        DerOutputStream targToken = new DerOutputStream();
        targToken.write(
            DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) NEG_TOKEN_TARG_ID), token);
        return targToken.toByteArray();
      default:
        return token.toByteArray();
    }
  }
Beispiel #2
0
  @SuppressWarnings("deprecation")
  private byte[] extractKeyData(DerInputStream stream)
      throws IOException, NoSuchAlgorithmException, CertificateException {
    byte[] returnValue = null;
    DerValue[] safeBags = stream.getSequence(2);
    int count = safeBags.length;

    /*
     * Spin over the SafeBags.
     */
    for (int i = 0; i < count; i++) {
      ObjectIdentifier bagId;
      DerInputStream sbi;
      DerValue bagValue;
      Object bagItem = null;

      sbi = safeBags[i].toDerInputStream();
      bagId = sbi.getOID();
      bagValue = sbi.getDerValue();
      if (!bagValue.isContextSpecific((byte) 0)) {
        throw new IOException("unsupported PKCS12 bag value type " + bagValue.tag);
      }
      bagValue = bagValue.data.getDerValue();
      if (bagId.equals(PKCS8ShroudedKeyBag_OID)) {
        // got what we were looking for.  Return it.
        returnValue = bagValue.toByteArray();
      } else {
        // log error message for "unsupported PKCS12 bag type"
        System.out.println("Unsupported bag type '" + bagId + "'");
      }
    }

    return returnValue;
  }
Beispiel #3
0
  @SuppressWarnings("deprecation")
  private byte[] fetchPrivateKeyFromBag(byte[] privateKeyInfo)
      throws IOException, NoSuchAlgorithmException, CertificateException {
    byte[] returnValue = null;
    DerValue val = new DerValue(new ByteArrayInputStream(privateKeyInfo));
    DerInputStream s = val.toDerInputStream();
    int version = s.getInteger();

    if (version != 3) {
      throw new IOException("PKCS12 keystore not in version 3 format");
    }

    /*
     * Read the authSafe.
     */
    byte[] authSafeData;
    ContentInfo authSafe = new ContentInfo(s);
    ObjectIdentifier contentType = authSafe.getContentType();

    if (contentType.equals(ContentInfo.DATA_OID)) {
      authSafeData = authSafe.getData();
    } else /* signed data */ {
      throw new IOException("public key protected PKCS12 not supported");
    }

    DerInputStream as = new DerInputStream(authSafeData);
    DerValue[] safeContentsArray = as.getSequence(2);
    int count = safeContentsArray.length;

    /*
     * Spin over the ContentInfos.
     */
    for (int i = 0; i < count; i++) {
      byte[] safeContentsData;
      ContentInfo safeContents;
      DerInputStream sci;
      byte[] eAlgId = null;

      sci = new DerInputStream(safeContentsArray[i].toByteArray());
      safeContents = new ContentInfo(sci);
      contentType = safeContents.getContentType();
      safeContentsData = null;

      if (contentType.equals(ContentInfo.DATA_OID)) {
        safeContentsData = safeContents.getData();
      } else if (contentType.equals(ContentInfo.ENCRYPTED_DATA_OID)) {
        // The password was used to export the private key from the keychain.
        // The Keychain won't export the key with encrypted data, so we don't need
        // to worry about it.
        continue;
      } else {
        throw new IOException("public key protected PKCS12" + " not supported");
      }
      DerInputStream sc = new DerInputStream(safeContentsData);
      returnValue = extractKeyData(sc);
    }

    return returnValue;
  }
Beispiel #4
0
 /**
  * Parse (unmarshal) a realm from a DER input stream. This form parsing might be used when
  * expanding a value which is part of a constructed sequence and uses explicitly tagged type.
  *
  * @exception Asn1Exception on error.
  * @param data the Der input stream value, which contains one or more marshaled value.
  * @param explicitTag tag number.
  * @param optional indicate if this data field is optional
  * @return an instance of Realm.
  */
 public static Realm parse(DerInputStream data, byte explicitTag, boolean optional)
     throws Asn1Exception, IOException, RealmException {
   if ((optional) && (((byte) data.peekByte() & (byte) 0x1F) != explicitTag)) {
     return null;
   }
   DerValue der = data.getDerValue();
   if (explicitTag != (der.getTag() & (byte) 0x1F)) {
     throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   } else {
     DerValue subDer = der.getData().getDerValue();
     return new Realm(subDer);
   }
 }
Beispiel #5
0
 /*     */ public static TicketFlags parse(
     DerInputStream paramDerInputStream, byte paramByte, boolean paramBoolean)
     /*     */ throws Asn1Exception, IOException
       /*     */ {
   /*  92 */ if ((paramBoolean) && (((byte) paramDerInputStream.peekByte() & 0x1F) != paramByte))
     /*  93 */ return null;
   /*  94 */ DerValue localDerValue1 = paramDerInputStream.getDerValue();
   /*  95 */ if (paramByte != (localDerValue1.getTag() & 0x1F)) {
     /*  96 */ throw new Asn1Exception(906);
     /*     */ }
   /*     */
   /*  99 */ DerValue localDerValue2 = localDerValue1.getData().getDerValue();
   /* 100 */ return new TicketFlags(localDerValue2);
   /*     */ }
Beispiel #6
0
  /**
   * Encodes an MethodData object.
   *
   * @return the byte array of encoded MethodData object.
   * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
   * @exception IOException if an I/O error occurs while reading encoded data.
   */
  public byte[] asn1Encode() throws Asn1Exception, IOException {
    DerOutputStream bytes = new DerOutputStream();
    DerOutputStream temp = new DerOutputStream();
    temp.putInteger(BigInteger.valueOf(methodType));
    bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp);
    if (methodData != null) {
      temp = new DerOutputStream();
      temp.putOctetString(methodData);
      bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), temp);
    }

    temp = new DerOutputStream();
    temp.write(DerValue.tag_Sequence, bytes);
    return temp.toByteArray();
  }
 /*     */ public byte[] asn1Encode() /*     */ throws Asn1Exception, IOException /*     */ {
   /* 104 */ DerOutputStream localDerOutputStream1 = new DerOutputStream();
   /* 105 */ DerOutputStream localDerOutputStream2 = new DerOutputStream();
   /* 106 */ localDerOutputStream1.write(
       DerValue.createTag((byte) -128, true, (byte) 0), this.pATimeStamp.asn1Encode());
   /* 107 */ if (this.pAUSec != null) {
     /* 108 */ localDerOutputStream2 = new DerOutputStream();
     /* 109 */ localDerOutputStream2.putInteger(BigInteger.valueOf(this.pAUSec.intValue()));
     /* 110 */ localDerOutputStream1.write(
         DerValue.createTag((byte) -128, true, (byte) 1), localDerOutputStream2);
     /*     */ }
   /* 112 */ localDerOutputStream2 = new DerOutputStream();
   /* 113 */ localDerOutputStream2.write((byte) 48, localDerOutputStream1);
   /* 114 */ return localDerOutputStream2.toByteArray();
   /*     */ }
 /*     */ private void construct(DerValue paramDerValue) throws IOException /*     */ {
   /*  72 */ if (paramDerValue.tag != 48) {
     /*  73 */ throw new IOException(
         "Invalid encoded CertificateValidity, starting sequence tag missing.");
     /*     */ }
   /*     */
   /*  77 */ if (paramDerValue.data.available() == 0) {
     /*  78 */ throw new IOException("No data encoded for CertificateValidity");
     /*     */ }
   /*  80 */ DerInputStream localDerInputStream = new DerInputStream(paramDerValue.toByteArray());
   /*  81 */ DerValue[] arrayOfDerValue = localDerInputStream.getSequence(2);
   /*  82 */ if (arrayOfDerValue.length != 2) {
     /*  83 */ throw new IOException("Invalid encoding for CertificateValidity");
     /*     */ }
   /*  85 */ if (arrayOfDerValue[0].tag == 23)
     /*  86 */ this.notBefore = paramDerValue.data.getUTCTime();
   /*  87 */ else if (arrayOfDerValue[0].tag == 24)
     /*  88 */ this.notBefore = paramDerValue.data.getGeneralizedTime();
   /*     */ else {
     /*  90 */ throw new IOException("Invalid encoding for CertificateValidity");
     /*     */ }
   /*     */
   /*  93 */ if (arrayOfDerValue[1].tag == 23)
     /*  94 */ this.notAfter = paramDerValue.data.getUTCTime();
   /*  95 */ else if (arrayOfDerValue[1].tag == 24)
     /*  96 */ this.notAfter = paramDerValue.data.getGeneralizedTime();
   /*     */ else /*  98 */ throw new IOException("Invalid encoding for CertificateValidity");
   /*     */ }
  /** Creates the extension (also called by the subclass). */
  protected CRLNumberExtension(
      ObjectIdentifier extensionId,
      Boolean critical,
      Object value,
      String extensionName,
      String extensionLabel)
      throws IOException {

    this.extensionId = extensionId;
    this.critical = critical.booleanValue();
    this.extensionValue = (byte[]) value;
    DerValue val = new DerValue(this.extensionValue);
    this.crlNumber = val.getBigInteger();
    this.extensionName = extensionName;
    this.extensionLabel = extensionLabel;
  }
  /**
   * Parse (unmarshal) a <code>PrincipalName</code> from a DER input stream. This form parsing might
   * be used when expanding a value which is part of a constructed sequence and uses explicitly
   * tagged type.
   *
   * @exception Asn1Exception on error.
   * @param data the Der input stream value, which contains one or more marshaled value.
   * @param explicitTag tag number.
   * @param optional indicate if this data field is optional
   * @param realm the realm for the name
   * @return an instance of <code>PrincipalName</code>, or null if the field is optional and
   *     missing.
   */
  public static PrincipalName parse(
      DerInputStream data, byte explicitTag, boolean optional, Realm realm)
      throws Asn1Exception, IOException, RealmException {

    if ((optional) && (((byte) data.peekByte() & (byte) 0x1F) != explicitTag)) return null;
    DerValue der = data.getDerValue();
    if (explicitTag != (der.getTag() & (byte) 0x1F)) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    } else {
      DerValue subDer = der.getData().getDerValue();
      if (realm == null) {
        realm = Realm.getDefault();
      }
      return new PrincipalName(subDer, realm);
    }
  }
 /**
  * Encodes a <code>PrincipalName</code> object. Note that only the type and names are encoded. To
  * encode the realm, call getRealm().asn1Encode().
  *
  * @return the byte array of the encoded PrncipalName object.
  * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
  * @exception IOException if an I/O error occurs while reading encoded data.
  */
 public byte[] asn1Encode() throws Asn1Exception, IOException {
   DerOutputStream bytes = new DerOutputStream();
   DerOutputStream temp = new DerOutputStream();
   BigInteger bint = BigInteger.valueOf(this.nameType);
   temp.putInteger(bint);
   bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp);
   temp = new DerOutputStream();
   DerValue der[] = new DerValue[nameStrings.length];
   for (int i = 0; i < nameStrings.length; i++) {
     der[i] = new KerberosString(nameStrings[i]).toDerValue();
   }
   temp.putSequence(der);
   bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), temp);
   temp = new DerOutputStream();
   temp.write(DerValue.tag_Sequence, bytes);
   return temp.toByteArray();
 }
  /* Translate to encoded bytes */
  private void emit(DerOutputStream out) throws IOException, CertificateEncodingException {
    DerOutputStream tagged = new DerOutputStream();

    if (forward != null) {
      DerOutputStream tmp = new DerOutputStream();
      tmp.putDerValue(new DerValue(forward.getEncoded()));
      tagged.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, TAG_FORWARD), tmp);
    }

    if (reverse != null) {
      DerOutputStream tmp = new DerOutputStream();
      tmp.putDerValue(new DerValue(reverse.getEncoded()));
      tagged.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, TAG_REVERSE), tmp);
    }

    out.write(DerValue.tag_Sequence, tagged);
  }
  /* Parse the encoded bytes */
  private void parse(DerValue val) throws IOException, CertificateException {
    if (val.tag != DerValue.tag_Sequence) {
      throw new IOException("Sequence tag missing for X509CertificatePair");
    }

    while (val.data != null && val.data.available() != 0) {
      DerValue opt = val.data.getDerValue();
      short tag = (byte) (opt.tag & 0x01f);
      switch (tag) {
        case TAG_FORWARD:
          if (opt.isContextSpecific() && opt.isConstructed()) {
            if (forward != null) {
              throw new IOException("Duplicate forward " + "certificate in X509CertificatePair");
            }
            opt = opt.data.getDerValue();
            forward = X509Factory.intern(new X509CertImpl(opt.toByteArray()));
          }
          break;
        case TAG_REVERSE:
          if (opt.isContextSpecific() && opt.isConstructed()) {
            if (reverse != null) {
              throw new IOException("Duplicate reverse " + "certificate in X509CertificatePair");
            }
            opt = opt.data.getDerValue();
            reverse = X509Factory.intern(new X509CertImpl(opt.toByteArray()));
          }
          break;
        default:
          throw new IOException("Invalid encoding of " + "X509CertificatePair");
      }
    }
    if (forward == null && reverse == null) {
      throw new CertificateException("at least one of certificate pair " + "must be non-null");
    }
  }
Beispiel #14
0
  /* Verify that the DER object is correct */
  private static void verifyDER(String type, DerValue der, byte tag, byte[] data) throws Exception {
    if (der.tag != tag) throw new Exception("Problem with tag for " + type);

    if (!equalBytes(der.data.toByteArray(), data))
      throw new Exception("Problem with data for " + type);

    System.out.println(type + " checks out OK");
    System.out.println("Calling toString on it: " + der.toString() + "\n");
  }
Beispiel #15
0
 /**
  * Constructs a MethodData object.
  *
  * @param encoding a Der-encoded data.
  * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
  * @exception IOException if an I/O error occurs while reading encoded data.
  */
 public MethodData(DerValue encoding) throws Asn1Exception, IOException {
   DerValue der;
   if (encoding.getTag() != DerValue.tag_Sequence) {
     throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   }
   der = encoding.getData().getDerValue();
   if ((der.getTag() & 0x1F) == 0x00) {
     BigInteger bint = der.getData().getBigInteger();
     methodType = bint.intValue();
   } else throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   if (encoding.getData().available() > 0) {
     der = encoding.getData().getDerValue();
     if ((der.getTag() & 0x1F) == 0x01) {
       methodData = der.getData().getOctetString();
     } else throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   }
   if (encoding.getData().available() > 0) throw new Asn1Exception(Krb5.ASN1_BAD_ID);
 }
 /*     */ public PAEncTSEnc(DerValue paramDerValue) /*     */ throws Asn1Exception, IOException
       /*     */ {
   /*  81 */ if (paramDerValue.getTag() != 48) {
     /*  82 */ throw new Asn1Exception(906);
     /*     */ }
   /*  84 */ this.pATimeStamp = KerberosTime.parse(paramDerValue.getData(), (byte) 0, false);
   /*  85 */ if (paramDerValue.getData().available() > 0) {
     /*  86 */ DerValue localDerValue = paramDerValue.getData().getDerValue();
     /*  87 */ if ((localDerValue.getTag() & 0x1F) == 1)
       /*  88 */ this.pAUSec = new Integer(localDerValue.getData().getBigInteger().intValue());
     /*     */ else /*  90 */ throw new Asn1Exception(906);
     /*     */ }
   /*  92 */ if (paramDerValue.getData().available() > 0) /*  93 */ throw new Asn1Exception(906);
   /*     */ }
Beispiel #17
0
 /** Construct a key from its components. Used by the RSAKeyFactory and the RSAKeyPairGenerator. */
 RSAPrivateCrtKeyImpl(
     BigInteger n,
     BigInteger e,
     BigInteger d,
     BigInteger p,
     BigInteger q,
     BigInteger pe,
     BigInteger qe,
     BigInteger coeff)
     throws InvalidKeyException {
   this.n = n;
   this.e = e;
   this.d = d;
   this.p = p;
   this.q = q;
   this.pe = pe;
   this.qe = qe;
   this.coeff = coeff;
   RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), e);
   // generate the encoding
   algid = rsaId;
   try {
     DerOutputStream out = new DerOutputStream();
     out.putInteger(0); // version must be 0
     out.putInteger(n);
     out.putInteger(e);
     out.putInteger(d);
     out.putInteger(p);
     out.putInteger(q);
     out.putInteger(pe);
     out.putInteger(qe);
     out.putInteger(coeff);
     DerValue val = new DerValue(DerValue.tag_Sequence, out.toByteArray());
     key = val.toByteArray();
   } catch (IOException exc) {
     // should never occur
     throw new InvalidKeyException(exc);
   }
 }
Beispiel #18
0
 /*
  * parse Algorithm Parameters
  */
 private AlgorithmParameters parseAlgParameters(DerInputStream in) throws IOException {
   AlgorithmParameters algParams = null;
   try {
     DerValue params;
     if (in.available() == 0) {
       params = null;
     } else {
       params = in.getDerValue();
       if (params.tag == DerValue.tag_Null) {
         params = null;
       }
     }
     if (params != null) {
       algParams = AlgorithmParameters.getInstance("PBE");
       algParams.init(params.toByteArray());
     }
   } catch (Exception e) {
     IOException ioe = new IOException("parseAlgParameters failed: " + e.getMessage());
     ioe.initCause(e);
     throw ioe;
   }
   return algParams;
 }
  /**
   * Encodes an EncTicketPart object.
   *
   * @return byte array of encoded EncTicketPart object.
   * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
   * @exception IOException if an I/O error occurs while reading encoded data.
   */
  public byte[] asn1Encode() throws Asn1Exception, IOException {
    DerOutputStream bytes = new DerOutputStream();
    DerOutputStream temp = new DerOutputStream();
    bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), flags.asn1Encode());
    bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), key.asn1Encode());
    bytes.write(
        DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x02), cname.getRealm().asn1Encode());
    bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x03), cname.asn1Encode());
    bytes.write(
        DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x04), transited.asn1Encode());
    bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x05), authtime.asn1Encode());
    if (starttime != null) {
      bytes.write(
          DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x06), starttime.asn1Encode());
    }
    bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x07), endtime.asn1Encode());

    if (renewTill != null) {
      bytes.write(
          DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x08), renewTill.asn1Encode());
    }

    if (caddr != null) {
      bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x09), caddr.asn1Encode());
    }

    if (authorizationData != null) {
      bytes.write(
          DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x0A),
          authorizationData.asn1Encode());
    }
    temp.write(DerValue.tag_Sequence, bytes);
    bytes = new DerOutputStream();
    bytes.write(DerValue.createTag(DerValue.TAG_APPLICATION, true, (byte) 0x03), temp);
    return bytes.toByteArray();
  }
Beispiel #20
0
 /*     */ public TicketFlags(DerValue paramDerValue) throws IOException, Asn1Exception {
   /*  76 */ this(paramDerValue.getUnalignedBitString(true).toBooleanArray());
   /*     */ }
Beispiel #21
0
  /**
   * Make a DH public key from its DER encoding (X.509).
   *
   * @param encodedKey the encoded key
   * @exception InvalidKeyException if the encoded key does not represent a Diffie-Hellman public
   *     key
   */
  DHPublicKey(byte[] encodedKey) throws InvalidKeyException {
    InputStream inStream = new ByteArrayInputStream(encodedKey);
    try {
      DerValue derKeyVal = new DerValue(inStream);
      if (derKeyVal.tag != DerValue.tag_Sequence) {
        throw new InvalidKeyException("Invalid key format");
      }

      /*
       * Parse the algorithm identifier
       */
      DerValue algid = derKeyVal.data.getDerValue();
      if (algid.tag != DerValue.tag_Sequence) {
        throw new InvalidKeyException("AlgId is not a SEQUENCE");
      }
      DerInputStream derInStream = algid.toDerInputStream();
      ObjectIdentifier oid = derInStream.getOID();
      if (oid == null) {
        throw new InvalidKeyException("Null OID");
      }
      if (derInStream.available() == 0) {
        throw new InvalidKeyException("Parameters missing");
      }

      /*
       * Parse the parameters
       */
      DerValue params = derInStream.getDerValue();
      if (params.tag == DerValue.tag_Null) {
        throw new InvalidKeyException("Null parameters");
      }
      if (params.tag != DerValue.tag_Sequence) {
        throw new InvalidKeyException("Parameters not a SEQUENCE");
      }
      params.data.reset();
      this.p = params.data.getBigInteger();
      this.g = params.data.getBigInteger();
      // Private-value length is OPTIONAL
      if (params.data.available() != 0) {
        this.l = params.data.getInteger();
      }
      if (params.data.available() != 0) {
        throw new InvalidKeyException("Extra parameter data");
      }

      /*
       * Parse the key
       */
      this.key = derKeyVal.data.getBitString();
      parseKeyBits();
      if (derKeyVal.data.available() != 0) {
        throw new InvalidKeyException("Excess key data");
      }

      this.encodedKey = (byte[]) encodedKey.clone();

    } catch (NumberFormatException e) {
      throw new InvalidKeyException("Private-value length too big");

    } catch (IOException e) {
      throw new InvalidKeyException("Error parsing key encoding: " + e.toString());
    }
  }
  private void init(DerValue encoding) throws Asn1Exception, IOException, RealmException {
    DerValue der, subDer;

    renewTill = null;
    caddr = null;
    authorizationData = null;
    if (((encoding.getTag() & (byte) 0x1F) != (byte) 0x03)
        || (encoding.isApplication() != true)
        || (encoding.isConstructed() != true)) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    }
    der = encoding.getData().getDerValue();
    if (der.getTag() != DerValue.tag_Sequence) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    }
    flags = TicketFlags.parse(der.getData(), (byte) 0x00, false);
    key = EncryptionKey.parse(der.getData(), (byte) 0x01, false);
    Realm crealm = Realm.parse(der.getData(), (byte) 0x02, false);
    cname = PrincipalName.parse(der.getData(), (byte) 0x03, false, crealm);
    transited = TransitedEncoding.parse(der.getData(), (byte) 0x04, false);
    authtime = KerberosTime.parse(der.getData(), (byte) 0x05, false);
    starttime = KerberosTime.parse(der.getData(), (byte) 0x06, true);
    endtime = KerberosTime.parse(der.getData(), (byte) 0x07, false);
    if (der.getData().available() > 0) {
      renewTill = KerberosTime.parse(der.getData(), (byte) 0x08, true);
    }
    if (der.getData().available() > 0) {
      caddr = HostAddresses.parse(der.getData(), (byte) 0x09, true);
    }
    if (der.getData().available() > 0) {
      authorizationData = AuthorizationData.parse(der.getData(), (byte) 0x0A, true);
    }
    if (der.getData().available() > 0) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    }
  }
 /*     */ private void init(DerValue paramDerValue)
     /*     */ throws Asn1Exception, IOException, RealmException
       /*     */ {
   /* 140 */ this.renewTill = null;
   /* 141 */ this.caddr = null;
   /* 142 */ this.authorizationData = null;
   /* 143 */ if (((paramDerValue.getTag() & 0x1F) != 3)
       || (paramDerValue.isApplication() != true)
       || (paramDerValue.isConstructed() != true))
   /*     */ {
     /* 146 */ throw new Asn1Exception(906);
     /*     */ }
   /* 148 */ DerValue localDerValue = paramDerValue.getData().getDerValue();
   /* 149 */ if (localDerValue.getTag() != 48) {
     /* 150 */ throw new Asn1Exception(906);
     /*     */ }
   /* 152 */ this.flags = TicketFlags.parse(localDerValue.getData(), (byte) 0, false);
   /* 153 */ this.key = EncryptionKey.parse(localDerValue.getData(), (byte) 1, false);
   /* 154 */ this.crealm = Realm.parse(localDerValue.getData(), (byte) 2, false);
   /* 155 */ this.cname = PrincipalName.parse(localDerValue.getData(), (byte) 3, false);
   /* 156 */ this.transited = TransitedEncoding.parse(localDerValue.getData(), (byte) 4, false);
   /* 157 */ this.authtime = KerberosTime.parse(localDerValue.getData(), (byte) 5, false);
   /* 158 */ this.starttime = KerberosTime.parse(localDerValue.getData(), (byte) 6, true);
   /* 159 */ this.endtime = KerberosTime.parse(localDerValue.getData(), (byte) 7, false);
   /* 160 */ if (localDerValue.getData().available() > 0) {
     /* 161 */ this.renewTill = KerberosTime.parse(localDerValue.getData(), (byte) 8, true);
     /*     */ }
   /* 163 */ if (localDerValue.getData().available() > 0) {
     /* 164 */ this.caddr = HostAddresses.parse(localDerValue.getData(), (byte) 9, true);
     /*     */ }
   /* 166 */ if (localDerValue.getData().available() > 0) {
     /* 167 */ this.authorizationData =
         AuthorizationData.parse(localDerValue.getData(), (byte) 10, true);
     /*     */ }
   /* 169 */ if (localDerValue.getData().available() > 0) /* 170 */ throw new Asn1Exception(906);
   /*     */ }
 /*     */ public byte[] asn1Encode() /*     */ throws Asn1Exception, IOException /*     */ {
   /* 182 */ DerOutputStream localDerOutputStream1 = new DerOutputStream();
   /* 183 */ DerOutputStream localDerOutputStream2 = new DerOutputStream();
   /* 184 */ localDerOutputStream1.write(
       DerValue.createTag((byte) -128, true, (byte) 0), this.flags.asn1Encode());
   /*     */
   /* 186 */ localDerOutputStream1.write(
       DerValue.createTag((byte) -128, true, (byte) 1), this.key.asn1Encode());
   /*     */
   /* 188 */ localDerOutputStream1.write(
       DerValue.createTag((byte) -128, true, (byte) 2), this.crealm.asn1Encode());
   /*     */
   /* 190 */ localDerOutputStream1.write(
       DerValue.createTag((byte) -128, true, (byte) 3), this.cname.asn1Encode());
   /*     */
   /* 192 */ localDerOutputStream1.write(
       DerValue.createTag((byte) -128, true, (byte) 4), this.transited.asn1Encode());
   /*     */
   /* 194 */ localDerOutputStream1.write(
       DerValue.createTag((byte) -128, true, (byte) 5), this.authtime.asn1Encode());
   /*     */
   /* 196 */ if (this.starttime != null) {
     /* 197 */ localDerOutputStream1.write(
         DerValue.createTag((byte) -128, true, (byte) 6), this.starttime.asn1Encode());
     /*     */ }
   /*     */
   /* 200 */ localDerOutputStream1.write(
       DerValue.createTag((byte) -128, true, (byte) 7), this.endtime.asn1Encode());
   /*     */
   /* 203 */ if (this.renewTill != null) {
     /* 204 */ localDerOutputStream1.write(
         DerValue.createTag((byte) -128, true, (byte) 8), this.renewTill.asn1Encode());
     /*     */ }
   /*     */
   /* 208 */ if (this.caddr != null) {
     /* 209 */ localDerOutputStream1.write(
         DerValue.createTag((byte) -128, true, (byte) 9), this.caddr.asn1Encode());
     /*     */ }
   /*     */
   /* 213 */ if (this.authorizationData != null) {
     /* 214 */ localDerOutputStream1.write(
         DerValue.createTag((byte) -128, true, (byte) 10), this.authorizationData.asn1Encode());
     /*     */ }
   /*     */
   /* 217 */ localDerOutputStream2.write((byte) 48, localDerOutputStream1);
   /* 218 */ localDerOutputStream1 = new DerOutputStream();
   /* 219 */ localDerOutputStream1.write(
       DerValue.createTag((byte) 64, true, (byte) 3), localDerOutputStream2);
   /*     */
   /* 221 */ return localDerOutputStream1.toByteArray();
   /*     */ }
Beispiel #25
0
  /**
   * Returns the key associated with the given alias, using the given password to recover it.
   *
   * @param alias the alias name
   * @param password the password for recovering the key. This password is used internally as the
   *     key is exported in a PKCS12 format.
   * @return the requested key, or null if the given alias does not exist or does not identify a
   *     <i>key entry</i>.
   * @exception NoSuchAlgorithmException if the algorithm for recovering the key cannot be found
   * @exception UnrecoverableKeyException if the key cannot be recovered (e.g., the given password
   *     is wrong).
   */
  public Key engineGetKey(String alias, char[] password)
      throws NoSuchAlgorithmException, UnrecoverableKeyException {
    permissionCheck();

    // An empty password is rejected by MacOS API, no private key data
    // is exported. If no password is passed (as is the case when
    // this implementation is used as browser keystore in various
    // deployment scenarios like Webstart, JFX and applets), create
    // a dummy password so MacOS API is happy.
    if (password == null || password.length == 0) {
      // Must not be a char array with only a 0, as this is an empty
      // string.
      if (random == null) {
        random = new SecureRandom();
      }
      password = Long.toString(random.nextLong()).toCharArray();
    }

    Object entry = entries.get(alias.toLowerCase());

    if (entry == null || !(entry instanceof KeyEntry)) {
      return null;
    }

    // This call gives us a PKCS12 bag, with the key inside it.
    byte[] exportedKeyInfo = _getEncodedKeyData(((KeyEntry) entry).keyRef, password);
    if (exportedKeyInfo == null) {
      return null;
    }

    PrivateKey returnValue = null;

    try {
      byte[] pkcs8KeyData = fetchPrivateKeyFromBag(exportedKeyInfo);
      byte[] encryptedKey;
      AlgorithmParameters algParams;
      ObjectIdentifier algOid;
      try {
        // get the encrypted private key
        EncryptedPrivateKeyInfo encrInfo = new EncryptedPrivateKeyInfo(pkcs8KeyData);
        encryptedKey = encrInfo.getEncryptedData();

        // parse Algorithm parameters
        DerValue val = new DerValue(encrInfo.getAlgorithm().encode());
        DerInputStream in = val.toDerInputStream();
        algOid = in.getOID();
        algParams = parseAlgParameters(in);

      } catch (IOException ioe) {
        UnrecoverableKeyException uke =
            new UnrecoverableKeyException(
                "Private key not stored as " + "PKCS#8 EncryptedPrivateKeyInfo: " + ioe);
        uke.initCause(ioe);
        throw uke;
      }

      // Use JCE to decrypt the data using the supplied password.
      SecretKey skey = getPBEKey(password);
      Cipher cipher = Cipher.getInstance(algOid.toString());
      cipher.init(Cipher.DECRYPT_MODE, skey, algParams);
      byte[] decryptedPrivateKey = cipher.doFinal(encryptedKey);
      PKCS8EncodedKeySpec kspec = new PKCS8EncodedKeySpec(decryptedPrivateKey);

      // Parse the key algorithm and then use a JCA key factory to create the private key.
      DerValue val = new DerValue(decryptedPrivateKey);
      DerInputStream in = val.toDerInputStream();

      // Ignore this -- version should be 0.
      int i = in.getInteger();

      // Get the Algorithm ID next
      DerValue[] value = in.getSequence(2);
      AlgorithmId algId = new AlgorithmId(value[0].getOID());
      String algName = algId.getName();

      // Get a key factory for this algorithm.  It's likely to be 'RSA'.
      KeyFactory kfac = KeyFactory.getInstance(algName);
      returnValue = kfac.generatePrivate(kspec);
    } catch (Exception e) {
      UnrecoverableKeyException uke =
          new UnrecoverableKeyException("Get Key failed: " + e.getMessage());
      uke.initCause(e);
      throw uke;
    }

    return returnValue;
  }
    private SingleResponse(DerValue der) throws IOException {
      if (der.tag != DerValue.tag_Sequence) {
        throw new IOException("Bad ASN.1 encoding in SingleResponse");
      }
      DerInputStream tmp = der.data;

      certId = new CertId(tmp.getDerValue().data);
      DerValue derVal = tmp.getDerValue();
      short tag = (byte) (derVal.tag & 0x1f);
      if (tag == CERT_STATUS_REVOKED) {
        certStatus = CertStatus.REVOKED;
        revocationTime = derVal.data.getGeneralizedTime();
        if (derVal.data.available() != 0) {
          DerValue dv = derVal.data.getDerValue();
          tag = (byte) (dv.tag & 0x1f);
          if (tag == 0) {
            int reason = dv.data.getEnumerated();
            // if reason out-of-range just leave as UNSPECIFIED
            if (reason >= 0 && reason < values.length) {
              revocationReason = values[reason];
            } else {
              revocationReason = CRLReason.UNSPECIFIED;
            }
          } else {
            revocationReason = CRLReason.UNSPECIFIED;
          }
        } else {
          revocationReason = CRLReason.UNSPECIFIED;
        }
        // RevokedInfo
        if (debug != null) {
          debug.println("Revocation time: " + revocationTime);
          debug.println("Revocation reason: " + revocationReason);
        }
      } else {
        revocationTime = null;
        revocationReason = CRLReason.UNSPECIFIED;
        if (tag == CERT_STATUS_GOOD) {
          certStatus = CertStatus.GOOD;
        } else if (tag == CERT_STATUS_UNKNOWN) {
          certStatus = CertStatus.UNKNOWN;
        } else {
          throw new IOException("Invalid certificate status");
        }
      }

      thisUpdate = tmp.getGeneralizedTime();

      if (tmp.available() == 0) {
        // we are done
        nextUpdate = null;
      } else {
        derVal = tmp.getDerValue();
        tag = (byte) (derVal.tag & 0x1f);
        if (tag == 0) {
          // next update
          nextUpdate = derVal.data.getGeneralizedTime();

          if (tmp.available() == 0) {
            // we are done
          } else {
            derVal = tmp.getDerValue();
            tag = (byte) (derVal.tag & 0x1f);
          }
        } else {
          nextUpdate = null;
        }
      }
      // singleExtensions
      if (tmp.available() > 0) {
        derVal = tmp.getDerValue();
        if (derVal.isContextSpecific((byte) 1)) {
          DerValue[] singleExtDer = derVal.data.getSequence(3);
          singleExtensions = new HashMap<String, java.security.cert.Extension>(singleExtDer.length);
          for (int i = 0; i < singleExtDer.length; i++) {
            Extension ext = new Extension(singleExtDer[i]);
            if (debug != null) {
              debug.println("OCSP single extension: " + ext);
            }
            // We don't support any extensions yet. Therefore, if it
            // is critical we must throw an exception because we
            // don't know how to process it.
            if (ext.isCritical()) {
              throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId());
            }
            singleExtensions.put(ext.getId(), ext);
          }
        } else {
          singleExtensions = Collections.emptyMap();
        }
      } else {
        singleExtensions = Collections.emptyMap();
      }
    }
 /**
  * Returns the ASN.1 encoding of the <xmp> PrincipalName ::= SEQUENCE { name-type [0] Int32,
  * name-string [1] SEQUENCE OF KerberosString }
  *
  * <p>KerberosString ::= GeneralString (IA5String) </xmp>
  *
  * <p>This definition reflects the Network Working Group RFC 4120 specification available at <a
  * href="http://www.ietf.org/rfc/rfc4120.txt">http://www.ietf.org/rfc/rfc4120.txt</a>.
  *
  * @param encoding a Der-encoded data.
  * @param realm the realm for this name
  * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
  * @exception Asn1Exception if there is an ASN1 encoding error
  * @exception IOException if an I/O error occurs
  * @exception IllegalArgumentException if encoding is null reading encoded data.
  */
 public PrincipalName(DerValue encoding, Realm realm) throws Asn1Exception, IOException {
   if (realm == null) {
     throw new IllegalArgumentException("Null realm not allowed");
   }
   nameRealm = realm;
   DerValue der;
   if (encoding == null) {
     throw new IllegalArgumentException("Null encoding not allowed");
   }
   if (encoding.getTag() != DerValue.tag_Sequence) {
     throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   }
   der = encoding.getData().getDerValue();
   if ((der.getTag() & 0x1F) == 0x00) {
     BigInteger bint = der.getData().getBigInteger();
     nameType = bint.intValue();
   } else {
     throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   }
   der = encoding.getData().getDerValue();
   if ((der.getTag() & 0x01F) == 0x01) {
     DerValue subDer = der.getData().getDerValue();
     if (subDer.getTag() != DerValue.tag_SequenceOf) {
       throw new Asn1Exception(Krb5.ASN1_BAD_ID);
     }
     Vector<String> v = new Vector<>();
     DerValue subSubDer;
     while (subDer.getData().available() > 0) {
       subSubDer = subDer.getData().getDerValue();
       String namePart = new KerberosString(subSubDer).toString();
       v.addElement(namePart);
     }
     nameStrings = new String[v.size()];
     v.copyInto(nameStrings);
     validateNameStrings(nameStrings);
   } else {
     throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   }
 }
  /*
   * Create an OCSP response from its ASN.1 DER encoding.
   */
  OCSPResponse(byte[] bytes) throws IOException {
    if (dump) {
      HexDumpEncoder hexEnc = new HexDumpEncoder();
      System.out.println("OCSPResponse bytes are...");
      System.out.println(hexEnc.encode(bytes));
    }
    DerValue der = new DerValue(bytes);
    if (der.tag != DerValue.tag_Sequence) {
      throw new IOException("Bad encoding in OCSP response: " + "expected ASN.1 SEQUENCE tag.");
    }
    DerInputStream derIn = der.getData();

    // responseStatus
    int status = derIn.getEnumerated();
    if (status >= 0 && status < rsvalues.length) {
      responseStatus = rsvalues[status];
    } else {
      // unspecified responseStatus
      throw new IOException("Unknown OCSPResponse status: " + status);
    }
    if (debug != null) {
      debug.println("OCSP response status: " + responseStatus);
    }
    if (responseStatus != ResponseStatus.SUCCESSFUL) {
      // no need to continue, responseBytes are not set.
      singleResponseMap = Collections.emptyMap();
      certs = Collections.<X509CertImpl>emptyList();
      sigAlgId = null;
      signature = null;
      tbsResponseData = null;
      responseNonce = null;
      return;
    }

    // responseBytes
    der = derIn.getDerValue();
    if (!der.isContextSpecific((byte) 0)) {
      throw new IOException(
          "Bad encoding in responseBytes element "
              + "of OCSP response: expected ASN.1 context specific tag 0.");
    }
    DerValue tmp = der.data.getDerValue();
    if (tmp.tag != DerValue.tag_Sequence) {
      throw new IOException(
          "Bad encoding in responseBytes element "
              + "of OCSP response: expected ASN.1 SEQUENCE tag.");
    }

    // responseType
    derIn = tmp.data;
    ObjectIdentifier responseType = derIn.getOID();
    if (responseType.equals((Object) OCSP_BASIC_RESPONSE_OID)) {
      if (debug != null) {
        debug.println("OCSP response type: basic");
      }
    } else {
      if (debug != null) {
        debug.println("OCSP response type: " + responseType);
      }
      throw new IOException("Unsupported OCSP response type: " + responseType);
    }

    // BasicOCSPResponse
    DerInputStream basicOCSPResponse = new DerInputStream(derIn.getOctetString());

    DerValue[] seqTmp = basicOCSPResponse.getSequence(2);
    if (seqTmp.length < 3) {
      throw new IOException("Unexpected BasicOCSPResponse value");
    }

    DerValue responseData = seqTmp[0];

    // Need the DER encoded ResponseData to verify the signature later
    tbsResponseData = seqTmp[0].toByteArray();

    // tbsResponseData
    if (responseData.tag != DerValue.tag_Sequence) {
      throw new IOException(
          "Bad encoding in tbsResponseData "
              + "element of OCSP response: expected ASN.1 SEQUENCE tag.");
    }
    DerInputStream seqDerIn = responseData.data;
    DerValue seq = seqDerIn.getDerValue();

    // version
    if (seq.isContextSpecific((byte) 0)) {
      // seq[0] is version
      if (seq.isConstructed() && seq.isContextSpecific()) {
        // System.out.println ("version is available");
        seq = seq.data.getDerValue();
        int version = seq.getInteger();
        if (seq.data.available() != 0) {
          throw new IOException(
              "Bad encoding in version " + " element of OCSP response: bad format");
        }
        seq = seqDerIn.getDerValue();
      }
    }

    // responderID
    short tag = (byte) (seq.tag & 0x1f);
    if (tag == NAME_TAG) {
      if (debug != null) {
        X500Principal responderName = new X500Principal(seq.getData().toByteArray());
        debug.println("OCSP Responder name: " + responderName);
      }
    } else if (tag == KEY_TAG) {
      if (debug != null) {
        byte[] responderKey = seq.getData().getOctetString();
        debug.println("OCSP Responder key: " + Debug.toString(responderKey));
      }
    } else {
      throw new IOException(
          "Bad encoding in responderID element of "
              + "OCSP response: expected ASN.1 context specific tag 0 or 1");
    }

    // producedAt
    seq = seqDerIn.getDerValue();
    if (debug != null) {
      Date producedAtDate = seq.getGeneralizedTime();
      debug.println("OCSP response produced at: " + producedAtDate);
    }

    // responses
    DerValue[] singleResponseDer = seqDerIn.getSequence(1);
    singleResponseMap = new HashMap<>(singleResponseDer.length);
    if (debug != null) {
      debug.println("OCSP number of SingleResponses: " + singleResponseDer.length);
    }
    for (int i = 0; i < singleResponseDer.length; i++) {
      SingleResponse singleResponse = new SingleResponse(singleResponseDer[i]);
      singleResponseMap.put(singleResponse.getCertId(), singleResponse);
    }

    // responseExtensions
    byte[] nonce = null;
    if (seqDerIn.available() > 0) {
      seq = seqDerIn.getDerValue();
      if (seq.isContextSpecific((byte) 1)) {
        DerValue[] responseExtDer = seq.data.getSequence(3);
        for (int i = 0; i < responseExtDer.length; i++) {
          Extension ext = new Extension(responseExtDer[i]);
          if (debug != null) {
            debug.println("OCSP extension: " + ext);
          }
          // Only the NONCE extension is recognized
          if (ext.getExtensionId().equals((Object) OCSP.NONCE_EXTENSION_OID)) {
            nonce = ext.getExtensionValue();
          } else if (ext.isCritical()) {
            throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId());
          }
        }
      }
    }
    responseNonce = nonce;

    // signatureAlgorithmId
    sigAlgId = AlgorithmId.parse(seqTmp[1]);

    // signature
    signature = seqTmp[2].getBitString();

    // if seq[3] is available , then it is a sequence of certificates
    if (seqTmp.length > 3) {
      // certs are available
      DerValue seqCert = seqTmp[3];
      if (!seqCert.isContextSpecific((byte) 0)) {
        throw new IOException(
            "Bad encoding in certs element of "
                + "OCSP response: expected ASN.1 context specific tag 0.");
      }
      DerValue[] derCerts = seqCert.getData().getSequence(3);
      certs = new ArrayList<X509CertImpl>(derCerts.length);
      try {
        for (int i = 0; i < derCerts.length; i++) {
          certs.add(new X509CertImpl(derCerts[i].toByteArray()));
        }
      } catch (CertificateException ce) {
        throw new IOException("Bad encoding in X509 Certificate", ce);
      }
    } else {
      certs = Collections.<X509CertImpl>emptyList();
    }
  }