public void processServerCertificate(Certificate serverCertificate) throws IOException {
X509CertificateStructure x509Cert = serverCertificate.certs[0];
SubjectPublicKeyInfo keyInfo = x509Cert.getSubjectPublicKeyInfo();
try {
this.serverPublicKey = PublicKeyFactory.createKey(keyInfo);
} catch (RuntimeException e) {
throw new TlsFatalAlert(AlertDescription.unsupported_certificate);
}
if (tlsSigner == null) {
try {
this.dhAgreeServerPublicKey =
validateDHPublicKey((DHPublicKeyParameters) this.serverPublicKey);
} catch (ClassCastException e) {
throw new TlsFatalAlert(AlertDescription.certificate_unknown);
}
TlsUtils.validateKeyUsage(x509Cert, KeyUsage.keyAgreement);
} else {
if (!tlsSigner.isValidPublicKey(this.serverPublicKey)) {
throw new TlsFatalAlert(AlertDescription.certificate_unknown);
}
TlsUtils.validateKeyUsage(x509Cert, KeyUsage.digitalSignature);
}
// TODO
/*
* Perform various checks per RFC2246 7.4.2: "Unless otherwise specified, the
* signing algorithm for the certificate must be the same as the algorithm for the
* certificate key."
*/
}
/**
* Add a given extension field for the standard extensions tag (tag 3) copying the extension value
* from another certificate.
*
* @param oid the OID defining the extension type.
* @param isCritical true if the copied extension is to be marked as critical, false otherwise.
* @param certHolder the holder for the certificate that the extension is to be copied from.
* @return this builder object.
*/
public X509v3CertificateBuilder copyAndAddExtension(
ASN1ObjectIdentifier oid, boolean isCritical, X509CertificateHolder certHolder) {
X509CertificateStructure cert = certHolder.toASN1Structure();
X509Extension extension = cert.getTBSCertificate().getExtensions().getExtension(oid);
if (extension == null) {
throw new NullPointerException("extension " + oid + " not present");
}
extGenerator.addExtension(oid, isCritical, extension.getValue().getOctets());
return this;
}
public static void checkOrCreateKeyStore(
final String file, final String password, final String domainName)
throws IllegalArgumentException, OperatorCreationException {
final String hostname;
if ("0.0.0.0".equals(domainName)) {
hostname = "localhost";
} else {
hostname = domainName;
}
try {
KeyStore ks = KeyStore.getInstance("JKS");
File keyStoreFile = new File(file);
if (!keyStoreFile.exists()) {
keyStoreFile.createNewFile();
ks.load(null, null);
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
KeyPair KPair = keyPairGenerator.generateKeyPair();
X509v3CertificateBuilder v3CertGen =
new X509v3CertificateBuilder(
new X500Name("CN=" + hostname + ", OU=None, O=None L=None, C=None"),
BigInteger.valueOf(System.currentTimeMillis()),
new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30),
new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365 * 10)),
new X500Name("CN=" + hostname + ", OU=None, O=None L=None, C=None"),
SubjectPublicKeyInfo.getInstance(KPair.getPublic().getEncoded()));
AlgorithmIdentifier sigAlgId =
new DefaultSignatureAlgorithmIdentifierFinder().find("SHA512withRSA");
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(KPair.getPrivate().getEncoded());
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(foo);
X509CertificateHolder PKCertificateHolder = v3CertGen.build(sigGen);
X509CertificateStructure eeX509CertificateStructure = PKCertificateHolder.toASN1Structure();
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
X509Certificate cert;
try (InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded())) {
cert = (X509Certificate) cf.generateCertificate(is1);
}
ks.setKeyEntry(
"siesta",
KPair.getPrivate(),
password.toCharArray(),
new java.security.cert.Certificate[] {cert});
ks.store(new FileOutputStream(file), password.toCharArray());
}
} catch (GeneralSecurityException | IOException | IllegalStateException ex) {
throw new IllegalArgumentException("Error creating keystore, please manually create one", ex);
}
}
private static boolean certHasPolicy(X509Certificate cert, String sOid) {
try {
if (m_logger.isDebugEnabled())
m_logger.debug("Read cert policies: " + cert.getSerialNumber().toString());
ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded());
ASN1InputStream aIn = new ASN1InputStream(bIn);
ASN1Sequence seq = (ASN1Sequence) aIn.readObject();
X509CertificateStructure obj = new X509CertificateStructure(seq);
TBSCertificateStructure tbsCert = obj.getTBSCertificate();
if (tbsCert.getVersion() == 3) {
X509Extensions ext = tbsCert.getExtensions();
if (ext != null) {
Enumeration en = ext.oids();
while (en.hasMoreElements()) {
DERObjectIdentifier oid = (DERObjectIdentifier) en.nextElement();
X509Extension extVal = ext.getExtension(oid);
ASN1OctetString oct = extVal.getValue();
ASN1InputStream extIn = new ASN1InputStream(new ByteArrayInputStream(oct.getOctets()));
// if (oid.equals(X509Extensions.CertificatePolicies)) { // bc 146 ja jdk 1.6 puhul -
// X509Extension.certificatePolicies
if (oid.equals(X509Extension.certificatePolicies)) { // bc 146 ja jdk 1.6 puhul -
// X509Extension.certificatePolicies
ASN1Sequence cp = (ASN1Sequence) extIn.readObject();
for (int i = 0; i != cp.size(); i++) {
PolicyInformation pol = PolicyInformation.getInstance(cp.getObjectAt(i));
DERObjectIdentifier dOid = pol.getPolicyIdentifier();
String soid2 = dOid.getId();
if (m_logger.isDebugEnabled()) m_logger.debug("Policy: " + soid2);
if (soid2.startsWith(sOid)) return true;
}
}
}
}
}
} catch (Exception ex) {
m_logger.error("Error reading cert policies: " + ex);
}
return false;
}
private CscaMasterList(ASN1Sequence seq) {
if (seq == null || seq.size() == 0) {
throw new IllegalArgumentException("null or empty sequence passed.");
}
if (seq.size() != 2) {
throw new IllegalArgumentException("Incorrect sequence size: " + seq.size());
}
version = DERInteger.getInstance(seq.getObjectAt(0));
ASN1Set certSet = ASN1Set.getInstance(seq.getObjectAt(1));
certList = new X509CertificateStructure[certSet.size()];
for (int i = 0; i < certList.length; i++) {
certList[i] = X509CertificateStructure.getInstance(certSet.getObjectAt(i));
}
}
/**
* Parse the ServerCertificate message.
*
* @param is The stream where to parse from.
* @return A Certificate object with the certs, the server has sended.
* @throws IOException If something goes wrong during parsing.
*/
public static Certificate parse(InputStream is) throws IOException {
X509CertificateStructure[] certs;
int left = TlsUtils.readUint24(is);
Vector tmp = new Vector();
while (left > 0) {
int size = TlsUtils.readUint24(is);
left -= 3 + size;
byte[] buf = new byte[size];
TlsUtils.readFully(buf, is);
ByteArrayInputStream bis = new ByteArrayInputStream(buf);
ASN1InputStream ais = new ASN1InputStream(bis);
DERObject o = ais.readObject();
tmp.addElement(X509CertificateStructure.getInstance(o));
if (bis.available() > 0) {
throw new IllegalArgumentException(
"Sorry, there is garbage data left after the certificate");
}
}
certs = new X509CertificateStructure[tmp.size()];
for (int i = 0; i < tmp.size(); i++) {
certs[i] = (X509CertificateStructure) tmp.elementAt(i);
}
return new Certificate(certs);
}
