  * Check if the certificate allows use of the given DNS name.
  * <p>From RFC2818: If a subjectAltName extension of type dNSName is present, that MUST be used as
  * the identity. Otherwise, the (most specific) Common Name field in the Subject field of the
  * certificate MUST be used. Although the use of the Common Name is existing practice, it is
  * deprecated and Certification Authorities are encouraged to use the dNSName instead.
  * <p>Matching is performed using the matching rules specified by [RFC2459]. If more than one
  * identity of a given type is present in the certificate (e.g., more than one dNSName name, a
  * match in any one of the set is considered acceptable.)
 private void matchDNS(String expectedName, X509Certificate cert) throws CertificateException {
   Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
   if (subjAltNames != null) {
     boolean foundDNS = false;
     for (List<?> next : subjAltNames) {
       if (((Integer) next.get(0)).intValue() == ALTNAME_DNS) {
         foundDNS = true;
         String dnsName = (String) next.get(1);
         if (isMatched(expectedName, dnsName)) {
     if (foundDNS) {
       // if certificate contains any subject alt names of type DNS
       // but none match, reject
       throw new CertificateException(
           "No subject alternative DNS " + "name matching " + expectedName + " found.");
   X500Name subjectName = getSubjectX500Name(cert);
   DerValue derValue = subjectName.findMostSpecificAttribute(X500Name.commonName_oid);
   if (derValue != null) {
     try {
       if (isMatched(expectedName, derValue.getAsString())) {
     } catch (IOException e) {
       // ignore
   String msg = "No name matching " + expectedName + " found";
   throw new CertificateException(msg);
Esempio n. 2
   * Returns the encoded SPNEGO token Note: inserts the required CHOICE tags
   * @return the encoded token
   * @exception GSSException
  byte[] getEncoded() throws IOException, GSSException {

    // get the token encoded value
    DerOutputStream token = new DerOutputStream();

    // now insert the CHOICE
    switch (tokenType) {
      case NEG_TOKEN_INIT_ID:
        // Insert CHOICE of Negotiation Token
        DerOutputStream initToken = new DerOutputStream();
            DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) NEG_TOKEN_INIT_ID), token);
        return initToken.toByteArray();

      case NEG_TOKEN_TARG_ID:
        // Insert CHOICE of Negotiation Token
        DerOutputStream targToken = new DerOutputStream();
            DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) NEG_TOKEN_TARG_ID), token);
        return targToken.toByteArray();
        return token.toByteArray();
Esempio n. 3
  private byte[] extractKeyData(DerInputStream stream)
      throws IOException, NoSuchAlgorithmException, CertificateException {
    byte[] returnValue = null;
    DerValue[] safeBags = stream.getSequence(2);
    int count = safeBags.length;

     * Spin over the SafeBags.
    for (int i = 0; i < count; i++) {
      ObjectIdentifier bagId;
      DerInputStream sbi;
      DerValue bagValue;
      Object bagItem = null;

      sbi = safeBags[i].toDerInputStream();
      bagId = sbi.getOID();
      bagValue = sbi.getDerValue();
      if (!bagValue.isContextSpecific((byte) 0)) {
        throw new IOException("unsupported PKCS12 bag value type " + bagValue.tag);
      bagValue = bagValue.data.getDerValue();
      if (bagId.equals(PKCS8ShroudedKeyBag_OID)) {
        // got what we were looking for.  Return it.
        returnValue = bagValue.toByteArray();
      } else {
        // log error message for "unsupported PKCS12 bag type"
        System.out.println("Unsupported bag type '" + bagId + "'");

    return returnValue;
Esempio n. 4
  private byte[] fetchPrivateKeyFromBag(byte[] privateKeyInfo)
      throws IOException, NoSuchAlgorithmException, CertificateException {
    byte[] returnValue = null;
    DerValue val = new DerValue(new ByteArrayInputStream(privateKeyInfo));
    DerInputStream s = val.toDerInputStream();
    int version = s.getInteger();

    if (version != 3) {
      throw new IOException("PKCS12 keystore not in version 3 format");

     * Read the authSafe.
    byte[] authSafeData;
    ContentInfo authSafe = new ContentInfo(s);
    ObjectIdentifier contentType = authSafe.getContentType();

    if (contentType.equals(ContentInfo.DATA_OID)) {
      authSafeData = authSafe.getData();
    } else /* signed data */ {
      throw new IOException("public key protected PKCS12 not supported");

    DerInputStream as = new DerInputStream(authSafeData);
    DerValue[] safeContentsArray = as.getSequence(2);
    int count = safeContentsArray.length;

     * Spin over the ContentInfos.
    for (int i = 0; i < count; i++) {
      byte[] safeContentsData;
      ContentInfo safeContents;
      DerInputStream sci;
      byte[] eAlgId = null;

      sci = new DerInputStream(safeContentsArray[i].toByteArray());
      safeContents = new ContentInfo(sci);
      contentType = safeContents.getContentType();
      safeContentsData = null;

      if (contentType.equals(ContentInfo.DATA_OID)) {
        safeContentsData = safeContents.getData();
      } else if (contentType.equals(ContentInfo.ENCRYPTED_DATA_OID)) {
        // The password was used to export the private key from the keychain.
        // The Keychain won't export the key with encrypted data, so we don't need
        // to worry about it.
      } else {
        throw new IOException("public key protected PKCS12" + " not supported");
      DerInputStream sc = new DerInputStream(safeContentsData);
      returnValue = extractKeyData(sc);

    return returnValue;
Esempio n. 5
  * Encodes an LastReqEntry object.
  * @return the byte array of encoded LastReqEntry object.
  * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
  * @exception IOException if an I/O error occurs while reading encoded data.
 public byte[] asn1Encode() throws Asn1Exception, IOException {
   DerOutputStream bytes = new DerOutputStream();
   DerOutputStream temp = new DerOutputStream();
   bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp);
   bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), lrValue.asn1Encode());
   temp = new DerOutputStream();
   temp.write(DerValue.tag_Sequence, bytes);
   return temp.toByteArray();
Esempio n. 6
  * Parse (unmarshal) a realm from a DER input stream. This form parsing might be used when
  * expanding a value which is part of a constructed sequence and uses explicitly tagged type.
  * @exception Asn1Exception on error.
  * @param data the Der input stream value, which contains one or more marshaled value.
  * @param explicitTag tag number.
  * @param optional indicate if this data field is optional
  * @return an instance of Realm.
 public static Realm parse(DerInputStream data, byte explicitTag, boolean optional)
     throws Asn1Exception, IOException, RealmException {
   if ((optional) && (((byte) data.peekByte() & (byte) 0x1F) != explicitTag)) {
     return null;
   DerValue der = data.getDerValue();
   if (explicitTag != (der.getTag() & (byte) 0x1F)) {
     throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   } else {
     DerValue subDer = der.getData().getDerValue();
     return new Realm(subDer);
Esempio n. 7
  * Encodes an APRep object.
  * @return byte array of encoded APRep object.
  * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
  * @exception IOException if an I/O error occurs while reading encoded data.
 public byte[] asn1Encode() throws Asn1Exception, IOException {
   DerOutputStream bytes = new DerOutputStream();
   DerOutputStream temp = new DerOutputStream();
   bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp);
   temp = new DerOutputStream();
   bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), temp);
   bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x02), encPart.asn1Encode());
   temp = new DerOutputStream();
   temp.write(DerValue.tag_Sequence, bytes);
   DerOutputStream aprep = new DerOutputStream();
   aprep.write(DerValue.createTag(DerValue.TAG_APPLICATION, true, (byte) 0x0F), temp);
   return aprep.toByteArray();
Esempio n. 8
   * Encodes an MethodData object.
   * @return the byte array of encoded MethodData object.
   * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
   * @exception IOException if an I/O error occurs while reading encoded data.
  public byte[] asn1Encode() throws Asn1Exception, IOException {
    DerOutputStream bytes = new DerOutputStream();
    DerOutputStream temp = new DerOutputStream();
    bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp);
    if (methodData != null) {
      temp = new DerOutputStream();
      bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), temp);

    temp = new DerOutputStream();
    temp.write(DerValue.tag_Sequence, bytes);
    return temp.toByteArray();
   * Parse (unmarshal) a <code>PrincipalName</code> from a DER input stream. This form parsing might
   * be used when expanding a value which is part of a constructed sequence and uses explicitly
   * tagged type.
   * @exception Asn1Exception on error.
   * @param data the Der input stream value, which contains one or more marshaled value.
   * @param explicitTag tag number.
   * @param optional indicate if this data field is optional
   * @param realm the realm for the name
   * @return an instance of <code>PrincipalName</code>, or null if the field is optional and
   *     missing.
  public static PrincipalName parse(
      DerInputStream data, byte explicitTag, boolean optional, Realm realm)
      throws Asn1Exception, IOException, RealmException {

    if ((optional) && (((byte) data.peekByte() & (byte) 0x1F) != explicitTag)) return null;
    DerValue der = data.getDerValue();
    if (explicitTag != (der.getTag() & (byte) 0x1F)) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    } else {
      DerValue subDer = der.getData().getDerValue();
      if (realm == null) {
        realm = Realm.getDefault();
      return new PrincipalName(subDer, realm);
Esempio n. 10
  /** Creates the extension (also called by the subclass). */
  protected CRLNumberExtension(
      ObjectIdentifier extensionId,
      Boolean critical,
      Object value,
      String extensionName,
      String extensionLabel)
      throws IOException {

    this.extensionId = extensionId;
    this.critical = critical.booleanValue();
    this.extensionValue = (byte[]) value;
    DerValue val = new DerValue(this.extensionValue);
    this.crlNumber = val.getBigInteger();
    this.extensionName = extensionName;
    this.extensionLabel = extensionLabel;
Esempio n. 11
 /** Construct a key from its components. Used by the KeyFactory. */
 ECPrivateKeyImpl(BigInteger s, ECParameterSpec params) throws InvalidKeyException {
   this.s = s;
   this.params = params;
   // generate the encoding
   algid = new AlgorithmId(AlgorithmId.EC_oid, ECParameters.getAlgorithmParameters(params));
   try {
     DerOutputStream out = new DerOutputStream();
     out.putInteger(1); // version 1
     byte[] privBytes = ECUtil.trimZeroes(s.toByteArray());
     DerValue val = new DerValue(DerValue.tag_Sequence, out.toByteArray());
     key = val.toByteArray();
   } catch (IOException exc) {
     // should never occur
     throw new InvalidKeyException(exc);
Esempio n. 12
  * Encodes a <code>PrincipalName</code> object. Note that only the type and names are encoded. To
  * encode the realm, call getRealm().asn1Encode().
  * @return the byte array of the encoded PrncipalName object.
  * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
  * @exception IOException if an I/O error occurs while reading encoded data.
 public byte[] asn1Encode() throws Asn1Exception, IOException {
   DerOutputStream bytes = new DerOutputStream();
   DerOutputStream temp = new DerOutputStream();
   BigInteger bint = BigInteger.valueOf(this.nameType);
   bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp);
   temp = new DerOutputStream();
   DerValue der[] = new DerValue[nameStrings.length];
   for (int i = 0; i < nameStrings.length; i++) {
     der[i] = new KerberosString(nameStrings[i]).toDerValue();
   bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), temp);
   temp = new DerOutputStream();
   temp.write(DerValue.tag_Sequence, bytes);
   return temp.toByteArray();
Esempio n. 13
  /* Verify that the DER object is correct */
  private static void verifyDER(String type, DerValue der, byte tag, byte[] data) throws Exception {
    if (der.tag != tag) throw new Exception("Problem with tag for " + type);

    if (!equalBytes(der.data.toByteArray(), data))
      throw new Exception("Problem with data for " + type);

    System.out.println(type + " checks out OK");
    System.out.println("Calling toString on it: " + der.toString() + "\n");
Esempio n. 14
  * Constructs a MethodData object.
  * @param encoding a Der-encoded data.
  * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
  * @exception IOException if an I/O error occurs while reading encoded data.
 public MethodData(DerValue encoding) throws Asn1Exception, IOException {
   DerValue der;
   if (encoding.getTag() != DerValue.tag_Sequence) {
     throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   der = encoding.getData().getDerValue();
   if ((der.getTag() & 0x1F) == 0x00) {
     BigInteger bint = der.getData().getBigInteger();
     methodType = bint.intValue();
   } else throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   if (encoding.getData().available() > 0) {
     der = encoding.getData().getDerValue();
     if ((der.getTag() & 0x1F) == 0x01) {
       methodData = der.getData().getOctetString();
     } else throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   if (encoding.getData().available() > 0) throw new Asn1Exception(Krb5.ASN1_BAD_ID);
Esempio n. 15
  * Constructs an instance of Checksum from an ASN.1 encoded representation.
  * @param encoding a single DER-encoded value.
  * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
  * @exception IOException if an I/O error occurs while reading encoded data.
 private Checksum(DerValue encoding) throws Asn1Exception, IOException {
   DerValue der;
   if (encoding.getTag() != DerValue.tag_Sequence) {
     throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   der = encoding.getData().getDerValue();
   if ((der.getTag() & (byte) 0x1F) == (byte) 0x00) {
     cksumType = der.getData().getBigInteger().intValue();
   } else throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   der = encoding.getData().getDerValue();
   if ((der.getTag() & (byte) 0x1F) == (byte) 0x01) {
     checksum = der.getData().getOctetString();
   } else throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   if (encoding.getData().available() > 0) {
     throw new Asn1Exception(Krb5.ASN1_BAD_ID);
Esempio n. 16
 /** Construct a key from its components. Used by the RSAKeyFactory and the RSAKeyPairGenerator. */
     BigInteger n,
     BigInteger e,
     BigInteger d,
     BigInteger p,
     BigInteger q,
     BigInteger pe,
     BigInteger qe,
     BigInteger coeff)
     throws InvalidKeyException {
   this.n = n;
   this.e = e;
   this.d = d;
   this.p = p;
   this.q = q;
   this.pe = pe;
   this.qe = qe;
   this.coeff = coeff;
   RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), e);
   // generate the encoding
   algid = rsaId;
   try {
     DerOutputStream out = new DerOutputStream();
     out.putInteger(0); // version must be 0
     DerValue val = new DerValue(DerValue.tag_Sequence, out.toByteArray());
     key = val.toByteArray();
   } catch (IOException exc) {
     // should never occur
     throw new InvalidKeyException(exc);
Esempio n. 17
  * parse Algorithm Parameters
 private AlgorithmParameters parseAlgParameters(DerInputStream in) throws IOException {
   AlgorithmParameters algParams = null;
   try {
     DerValue params;
     if (in.available() == 0) {
       params = null;
     } else {
       params = in.getDerValue();
       if (params.tag == DerValue.tag_Null) {
         params = null;
     if (params != null) {
       algParams = AlgorithmParameters.getInstance("PBE");
   } catch (Exception e) {
     IOException ioe = new IOException("parseAlgParameters failed: " + e.getMessage());
     throw ioe;
   return algParams;
Esempio n. 18
   * Constructs a LastReqEntry object.
   * @param encoding a Der-encoded data.
   * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
   * @exception IOException if an I/O error occurs while reading encoded data.
  public LastReqEntry(DerValue encoding) throws Asn1Exception, IOException {
    if (encoding.getTag() != DerValue.tag_Sequence) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    DerValue der;
    der = encoding.getData().getDerValue();
    if ((der.getTag() & 0x1F) == 0x00) {
      lrType = der.getData().getBigInteger().intValue();
    } else throw new Asn1Exception(Krb5.ASN1_BAD_ID);

    lrValue = KerberosTime.parse(encoding.getData(), (byte) 0x01, false);
    if (encoding.getData().available() > 0) throw new Asn1Exception(Krb5.ASN1_BAD_ID);
Esempio n. 19
 /** Parse the key. Called by PKCS8Key. */
 protected void parseKeyBits() throws InvalidKeyException {
   try {
     DerInputStream in = new DerInputStream(key);
     DerValue derValue = in.getDerValue();
     if (derValue.tag != DerValue.tag_Sequence) {
       throw new IOException("Not a SEQUENCE");
     DerInputStream data = derValue.data;
     int version = data.getInteger();
     if (version != 1) {
       throw new IOException("Version must be 1");
     byte[] privData = data.getOctetString();
     s = new BigInteger(1, privData);
     while (data.available() != 0) {
       DerValue value = data.getDerValue();
       if (value.isContextSpecific((byte) 0)) {
         // ignore for now
       } else if (value.isContextSpecific((byte) 1)) {
         // ignore for now
       } else {
         throw new InvalidKeyException("Unexpected value: " + value);
     AlgorithmParameters algParams = this.algid.getParameters();
     if (algParams == null) {
       throw new InvalidKeyException(
           "EC domain parameters must be " + "encoded in the algorithm identifier");
     params = algParams.getParameterSpec(ECParameterSpec.class);
   } catch (IOException e) {
     throw new InvalidKeyException("Invalid EC private key", e);
   } catch (InvalidParameterSpecException e) {
     throw new InvalidKeyException("Invalid EC private key", e);
Esempio n. 20
  private void init(DerValue encoding) throws Asn1Exception, IOException, RealmException {
    DerValue der, subDer;

    renewTill = null;
    caddr = null;
    authorizationData = null;
    if (((encoding.getTag() & (byte) 0x1F) != (byte) 0x03)
        || (encoding.isApplication() != true)
        || (encoding.isConstructed() != true)) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    der = encoding.getData().getDerValue();
    if (der.getTag() != DerValue.tag_Sequence) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    flags = TicketFlags.parse(der.getData(), (byte) 0x00, false);
    key = EncryptionKey.parse(der.getData(), (byte) 0x01, false);
    Realm crealm = Realm.parse(der.getData(), (byte) 0x02, false);
    cname = PrincipalName.parse(der.getData(), (byte) 0x03, false, crealm);
    transited = TransitedEncoding.parse(der.getData(), (byte) 0x04, false);
    authtime = KerberosTime.parse(der.getData(), (byte) 0x05, false);
    starttime = KerberosTime.parse(der.getData(), (byte) 0x06, true);
    endtime = KerberosTime.parse(der.getData(), (byte) 0x07, false);
    if (der.getData().available() > 0) {
      renewTill = KerberosTime.parse(der.getData(), (byte) 0x08, true);
    if (der.getData().available() > 0) {
      caddr = HostAddresses.parse(der.getData(), (byte) 0x09, true);
    if (der.getData().available() > 0) {
      authorizationData = AuthorizationData.parse(der.getData(), (byte) 0x0A, true);
    if (der.getData().available() > 0) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
Esempio n. 21
   * Create an OCSP response from its ASN.1 DER encoding.
  OCSPResponse(byte[] bytes) throws IOException {
    if (dump) {
      HexDumpEncoder hexEnc = new HexDumpEncoder();
      System.out.println("OCSPResponse bytes are...");
    DerValue der = new DerValue(bytes);
    if (der.tag != DerValue.tag_Sequence) {
      throw new IOException("Bad encoding in OCSP response: " + "expected ASN.1 SEQUENCE tag.");
    DerInputStream derIn = der.getData();

    // responseStatus
    int status = derIn.getEnumerated();
    if (status >= 0 && status < rsvalues.length) {
      responseStatus = rsvalues[status];
    } else {
      // unspecified responseStatus
      throw new IOException("Unknown OCSPResponse status: " + status);
    if (debug != null) {
      debug.println("OCSP response status: " + responseStatus);
    if (responseStatus != ResponseStatus.SUCCESSFUL) {
      // no need to continue, responseBytes are not set.
      singleResponseMap = Collections.emptyMap();
      certs = Collections.<X509CertImpl>emptyList();
      sigAlgId = null;
      signature = null;
      tbsResponseData = null;
      responseNonce = null;

    // responseBytes
    der = derIn.getDerValue();
    if (!der.isContextSpecific((byte) 0)) {
      throw new IOException(
          "Bad encoding in responseBytes element "
              + "of OCSP response: expected ASN.1 context specific tag 0.");
    DerValue tmp = der.data.getDerValue();
    if (tmp.tag != DerValue.tag_Sequence) {
      throw new IOException(
          "Bad encoding in responseBytes element "
              + "of OCSP response: expected ASN.1 SEQUENCE tag.");

    // responseType
    derIn = tmp.data;
    ObjectIdentifier responseType = derIn.getOID();
    if (responseType.equals((Object) OCSP_BASIC_RESPONSE_OID)) {
      if (debug != null) {
        debug.println("OCSP response type: basic");
    } else {
      if (debug != null) {
        debug.println("OCSP response type: " + responseType);
      throw new IOException("Unsupported OCSP response type: " + responseType);

    // BasicOCSPResponse
    DerInputStream basicOCSPResponse = new DerInputStream(derIn.getOctetString());

    DerValue[] seqTmp = basicOCSPResponse.getSequence(2);
    if (seqTmp.length < 3) {
      throw new IOException("Unexpected BasicOCSPResponse value");

    DerValue responseData = seqTmp[0];

    // Need the DER encoded ResponseData to verify the signature later
    tbsResponseData = seqTmp[0].toByteArray();

    // tbsResponseData
    if (responseData.tag != DerValue.tag_Sequence) {
      throw new IOException(
          "Bad encoding in tbsResponseData "
              + "element of OCSP response: expected ASN.1 SEQUENCE tag.");
    DerInputStream seqDerIn = responseData.data;
    DerValue seq = seqDerIn.getDerValue();

    // version
    if (seq.isContextSpecific((byte) 0)) {
      // seq[0] is version
      if (seq.isConstructed() && seq.isContextSpecific()) {
        // System.out.println ("version is available");
        seq = seq.data.getDerValue();
        int version = seq.getInteger();
        if (seq.data.available() != 0) {
          throw new IOException(
              "Bad encoding in version " + " element of OCSP response: bad format");
        seq = seqDerIn.getDerValue();

    // responderID
    short tag = (byte) (seq.tag & 0x1f);
    if (tag == NAME_TAG) {
      if (debug != null) {
        X500Principal responderName = new X500Principal(seq.getData().toByteArray());
        debug.println("OCSP Responder name: " + responderName);
    } else if (tag == KEY_TAG) {
      if (debug != null) {
        byte[] responderKey = seq.getData().getOctetString();
        debug.println("OCSP Responder key: " + Debug.toString(responderKey));
    } else {
      throw new IOException(
          "Bad encoding in responderID element of "
              + "OCSP response: expected ASN.1 context specific tag 0 or 1");

    // producedAt
    seq = seqDerIn.getDerValue();
    if (debug != null) {
      Date producedAtDate = seq.getGeneralizedTime();
      debug.println("OCSP response produced at: " + producedAtDate);

    // responses
    DerValue[] singleResponseDer = seqDerIn.getSequence(1);
    singleResponseMap = new HashMap<>(singleResponseDer.length);
    if (debug != null) {
      debug.println("OCSP number of SingleResponses: " + singleResponseDer.length);
    for (int i = 0; i < singleResponseDer.length; i++) {
      SingleResponse singleResponse = new SingleResponse(singleResponseDer[i]);
      singleResponseMap.put(singleResponse.getCertId(), singleResponse);

    // responseExtensions
    byte[] nonce = null;
    if (seqDerIn.available() > 0) {
      seq = seqDerIn.getDerValue();
      if (seq.isContextSpecific((byte) 1)) {
        DerValue[] responseExtDer = seq.data.getSequence(3);
        for (int i = 0; i < responseExtDer.length; i++) {
          Extension ext = new Extension(responseExtDer[i]);
          if (debug != null) {
            debug.println("OCSP extension: " + ext);
          // Only the NONCE extension is recognized
          if (ext.getExtensionId().equals((Object) OCSP.NONCE_EXTENSION_OID)) {
            nonce = ext.getExtensionValue();
          } else if (ext.isCritical()) {
            throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId());
    responseNonce = nonce;

    // signatureAlgorithmId
    sigAlgId = AlgorithmId.parse(seqTmp[1]);

    // signature
    signature = seqTmp[2].getBitString();

    // if seq[3] is available , then it is a sequence of certificates
    if (seqTmp.length > 3) {
      // certs are available
      DerValue seqCert = seqTmp[3];
      if (!seqCert.isContextSpecific((byte) 0)) {
        throw new IOException(
            "Bad encoding in certs element of "
                + "OCSP response: expected ASN.1 context specific tag 0.");
      DerValue[] derCerts = seqCert.getData().getSequence(3);
      certs = new ArrayList<X509CertImpl>(derCerts.length);
      try {
        for (int i = 0; i < derCerts.length; i++) {
          certs.add(new X509CertImpl(derCerts[i].toByteArray()));
      } catch (CertificateException ce) {
        throw new IOException("Bad encoding in X509 Certificate", ce);
    } else {
      certs = Collections.<X509CertImpl>emptyList();
Esempio n. 22
   * Encodes an EncTicketPart object.
   * @return byte array of encoded EncTicketPart object.
   * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
   * @exception IOException if an I/O error occurs while reading encoded data.
  public byte[] asn1Encode() throws Asn1Exception, IOException {
    DerOutputStream bytes = new DerOutputStream();
    DerOutputStream temp = new DerOutputStream();
    bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), flags.asn1Encode());
    bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), key.asn1Encode());
        DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x02), cname.getRealm().asn1Encode());
    bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x03), cname.asn1Encode());
        DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x04), transited.asn1Encode());
    bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x05), authtime.asn1Encode());
    if (starttime != null) {
          DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x06), starttime.asn1Encode());
    bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x07), endtime.asn1Encode());

    if (renewTill != null) {
          DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x08), renewTill.asn1Encode());

    if (caddr != null) {
      bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x09), caddr.asn1Encode());

    if (authorizationData != null) {
          DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x0A),
    temp.write(DerValue.tag_Sequence, bytes);
    bytes = new DerOutputStream();
    bytes.write(DerValue.createTag(DerValue.TAG_APPLICATION, true, (byte) 0x03), temp);
    return bytes.toByteArray();
Esempio n. 23
   * Initializes an APRep object.
   * @param encoding a single DER-encoded value.
   * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
   * @exception IOException if an I/O error occurs while reading encoded data.
   * @exception KrbApErrException if the value read from the DER-encoded data stream does not match
   *     the pre-defined value.
  private void init(DerValue encoding) throws Asn1Exception, KrbApErrException, IOException {

    if (((encoding.getTag() & (byte) (0x1F)) != Krb5.KRB_AP_REP)
        || (encoding.isApplication() != true)
        || (encoding.isConstructed() != true)) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    DerValue der = encoding.getData().getDerValue();
    if (der.getTag() != DerValue.tag_Sequence) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    DerValue subDer = der.getData().getDerValue();
    if ((subDer.getTag() & (byte) 0x1F) != (byte) 0x00) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    pvno = subDer.getData().getBigInteger().intValue();
    if (pvno != Krb5.PVNO) {
      throw new KrbApErrException(Krb5.KRB_AP_ERR_BADVERSION);
    subDer = der.getData().getDerValue();
    if ((subDer.getTag() & (byte) 0x1F) != (byte) 0x01) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    msgType = subDer.getData().getBigInteger().intValue();
    if (msgType != Krb5.KRB_AP_REP) {
      throw new KrbApErrException(Krb5.KRB_AP_ERR_MSG_TYPE);
    encPart = EncryptedData.parse(der.getData(), (byte) 0x02, false);
    if (der.getData().available() > 0) {
      throw new Asn1Exception(Krb5.ASN1_BAD_ID);
Esempio n. 24
  * Returns the ASN.1 encoding of the <xmp> PrincipalName ::= SEQUENCE { name-type [0] Int32,
  * name-string [1] SEQUENCE OF KerberosString }
  * <p>KerberosString ::= GeneralString (IA5String) </xmp>
  * <p>This definition reflects the Network Working Group RFC 4120 specification available at <a
  * href="http://www.ietf.org/rfc/rfc4120.txt">http://www.ietf.org/rfc/rfc4120.txt</a>.
  * @param encoding a Der-encoded data.
  * @param realm the realm for this name
  * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
  * @exception Asn1Exception if there is an ASN1 encoding error
  * @exception IOException if an I/O error occurs
  * @exception IllegalArgumentException if encoding is null reading encoded data.
 public PrincipalName(DerValue encoding, Realm realm) throws Asn1Exception, IOException {
   if (realm == null) {
     throw new IllegalArgumentException("Null realm not allowed");
   nameRealm = realm;
   DerValue der;
   if (encoding == null) {
     throw new IllegalArgumentException("Null encoding not allowed");
   if (encoding.getTag() != DerValue.tag_Sequence) {
     throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   der = encoding.getData().getDerValue();
   if ((der.getTag() & 0x1F) == 0x00) {
     BigInteger bint = der.getData().getBigInteger();
     nameType = bint.intValue();
   } else {
     throw new Asn1Exception(Krb5.ASN1_BAD_ID);
   der = encoding.getData().getDerValue();
   if ((der.getTag() & 0x01F) == 0x01) {
     DerValue subDer = der.getData().getDerValue();
     if (subDer.getTag() != DerValue.tag_SequenceOf) {
       throw new Asn1Exception(Krb5.ASN1_BAD_ID);
     Vector<String> v = new Vector<>();
     DerValue subSubDer;
     while (subDer.getData().available() > 0) {
       subSubDer = subDer.getData().getDerValue();
       String namePart = new KerberosString(subSubDer).toString();
     nameStrings = new String[v.size()];
   } else {
     throw new Asn1Exception(Krb5.ASN1_BAD_ID);
Esempio n. 25
   * Returns the key associated with the given alias, using the given password to recover it.
   * @param alias the alias name
   * @param password the password for recovering the key. This password is used internally as the
   *     key is exported in a PKCS12 format.
   * @return the requested key, or null if the given alias does not exist or does not identify a
   *     <i>key entry</i>.
   * @exception NoSuchAlgorithmException if the algorithm for recovering the key cannot be found
   * @exception UnrecoverableKeyException if the key cannot be recovered (e.g., the given password
   *     is wrong).
  public Key engineGetKey(String alias, char[] password)
      throws NoSuchAlgorithmException, UnrecoverableKeyException {

    // An empty password is rejected by MacOS API, no private key data
    // is exported. If no password is passed (as is the case when
    // this implementation is used as browser keystore in various
    // deployment scenarios like Webstart, JFX and applets), create
    // a dummy password so MacOS API is happy.
    if (password == null || password.length == 0) {
      // Must not be a char array with only a 0, as this is an empty
      // string.
      if (random == null) {
        random = new SecureRandom();
      password = Long.toString(random.nextLong()).toCharArray();

    Object entry = entries.get(alias.toLowerCase());

    if (entry == null || !(entry instanceof KeyEntry)) {
      return null;

    // This call gives us a PKCS12 bag, with the key inside it.
    byte[] exportedKeyInfo = _getEncodedKeyData(((KeyEntry) entry).keyRef, password);
    if (exportedKeyInfo == null) {
      return null;

    PrivateKey returnValue = null;

    try {
      byte[] pkcs8KeyData = fetchPrivateKeyFromBag(exportedKeyInfo);
      byte[] encryptedKey;
      AlgorithmParameters algParams;
      ObjectIdentifier algOid;
      try {
        // get the encrypted private key
        EncryptedPrivateKeyInfo encrInfo = new EncryptedPrivateKeyInfo(pkcs8KeyData);
        encryptedKey = encrInfo.getEncryptedData();

        // parse Algorithm parameters
        DerValue val = new DerValue(encrInfo.getAlgorithm().encode());
        DerInputStream in = val.toDerInputStream();
        algOid = in.getOID();
        algParams = parseAlgParameters(in);

      } catch (IOException ioe) {
        UnrecoverableKeyException uke =
            new UnrecoverableKeyException(
                "Private key not stored as " + "PKCS#8 EncryptedPrivateKeyInfo: " + ioe);
        throw uke;

      // Use JCE to decrypt the data using the supplied password.
      SecretKey skey = getPBEKey(password);
      Cipher cipher = Cipher.getInstance(algOid.toString());
      cipher.init(Cipher.DECRYPT_MODE, skey, algParams);
      byte[] decryptedPrivateKey = cipher.doFinal(encryptedKey);
      PKCS8EncodedKeySpec kspec = new PKCS8EncodedKeySpec(decryptedPrivateKey);

      // Parse the key algorithm and then use a JCA key factory to create the private key.
      DerValue val = new DerValue(decryptedPrivateKey);
      DerInputStream in = val.toDerInputStream();

      // Ignore this -- version should be 0.
      int i = in.getInteger();

      // Get the Algorithm ID next
      DerValue[] value = in.getSequence(2);
      AlgorithmId algId = new AlgorithmId(value[0].getOID());
      String algName = algId.getName();

      // Get a key factory for this algorithm.  It's likely to be 'RSA'.
      KeyFactory kfac = KeyFactory.getInstance(algName);
      returnValue = kfac.generatePrivate(kspec);
    } catch (Exception e) {
      UnrecoverableKeyException uke =
          new UnrecoverableKeyException("Get Key failed: " + e.getMessage());
      throw uke;

    return returnValue;
 /*     */ public void putDerValue(DerValue paramDerValue) /*     */ throws IOException /*     */ {
   /* 125 */ paramDerValue.encode(this);
   /*     */ }
Esempio n. 27
    private SingleResponse(DerValue der) throws IOException {
      if (der.tag != DerValue.tag_Sequence) {
        throw new IOException("Bad ASN.1 encoding in SingleResponse");
      DerInputStream tmp = der.data;

      certId = new CertId(tmp.getDerValue().data);
      DerValue derVal = tmp.getDerValue();
      short tag = (byte) (derVal.tag & 0x1f);
      if (tag == CERT_STATUS_REVOKED) {
        certStatus = CertStatus.REVOKED;
        revocationTime = derVal.data.getGeneralizedTime();
        if (derVal.data.available() != 0) {
          DerValue dv = derVal.data.getDerValue();
          tag = (byte) (dv.tag & 0x1f);
          if (tag == 0) {
            int reason = dv.data.getEnumerated();
            // if reason out-of-range just leave as UNSPECIFIED
            if (reason >= 0 && reason < values.length) {
              revocationReason = values[reason];
            } else {
              revocationReason = CRLReason.UNSPECIFIED;
          } else {
            revocationReason = CRLReason.UNSPECIFIED;
        } else {
          revocationReason = CRLReason.UNSPECIFIED;
        // RevokedInfo
        if (debug != null) {
          debug.println("Revocation time: " + revocationTime);
          debug.println("Revocation reason: " + revocationReason);
      } else {
        revocationTime = null;
        revocationReason = CRLReason.UNSPECIFIED;
        if (tag == CERT_STATUS_GOOD) {
          certStatus = CertStatus.GOOD;
        } else if (tag == CERT_STATUS_UNKNOWN) {
          certStatus = CertStatus.UNKNOWN;
        } else {
          throw new IOException("Invalid certificate status");

      thisUpdate = tmp.getGeneralizedTime();

      if (tmp.available() == 0) {
        // we are done
        nextUpdate = null;
      } else {
        derVal = tmp.getDerValue();
        tag = (byte) (derVal.tag & 0x1f);
        if (tag == 0) {
          // next update
          nextUpdate = derVal.data.getGeneralizedTime();

          if (tmp.available() == 0) {
            // we are done
          } else {
            derVal = tmp.getDerValue();
            tag = (byte) (derVal.tag & 0x1f);
        } else {
          nextUpdate = null;
      // singleExtensions
      if (tmp.available() > 0) {
        derVal = tmp.getDerValue();
        if (derVal.isContextSpecific((byte) 1)) {
          DerValue[] singleExtDer = derVal.data.getSequence(3);
          singleExtensions = new HashMap<String, java.security.cert.Extension>(singleExtDer.length);
          for (int i = 0; i < singleExtDer.length; i++) {
            Extension ext = new Extension(singleExtDer[i]);
            if (debug != null) {
              debug.println("OCSP single extension: " + ext);
            // We don't support any extensions yet. Therefore, if it
            // is critical we must throw an exception because we
            // don't know how to process it.
            if (ext.isCritical()) {
              throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId());
            singleExtensions.put(ext.getId(), ext);
        } else {
          singleExtensions = Collections.emptyMap();
      } else {
        singleExtensions = Collections.emptyMap();
Esempio n. 28
   * Make a DH public key from its DER encoding (X.509).
   * @param encodedKey the encoded key
   * @exception InvalidKeyException if the encoded key does not represent a Diffie-Hellman public
   *     key
  DHPublicKey(byte[] encodedKey) throws InvalidKeyException {
    InputStream inStream = new ByteArrayInputStream(encodedKey);
    try {
      DerValue derKeyVal = new DerValue(inStream);
      if (derKeyVal.tag != DerValue.tag_Sequence) {
        throw new InvalidKeyException("Invalid key format");

       * Parse the algorithm identifier
      DerValue algid = derKeyVal.data.getDerValue();
      if (algid.tag != DerValue.tag_Sequence) {
        throw new InvalidKeyException("AlgId is not a SEQUENCE");
      DerInputStream derInStream = algid.toDerInputStream();
      ObjectIdentifier oid = derInStream.getOID();
      if (oid == null) {
        throw new InvalidKeyException("Null OID");
      if (derInStream.available() == 0) {
        throw new InvalidKeyException("Parameters missing");

       * Parse the parameters
      DerValue params = derInStream.getDerValue();
      if (params.tag == DerValue.tag_Null) {
        throw new InvalidKeyException("Null parameters");
      if (params.tag != DerValue.tag_Sequence) {
        throw new InvalidKeyException("Parameters not a SEQUENCE");
      this.p = params.data.getBigInteger();
      this.g = params.data.getBigInteger();
      // Private-value length is OPTIONAL
      if (params.data.available() != 0) {
        this.l = params.data.getInteger();
      if (params.data.available() != 0) {
        throw new InvalidKeyException("Extra parameter data");

       * Parse the key
      this.key = derKeyVal.data.getBitString();
      if (derKeyVal.data.available() != 0) {
        throw new InvalidKeyException("Excess key data");

      this.encodedKey = (byte[]) encodedKey.clone();

    } catch (NumberFormatException e) {
      throw new InvalidKeyException("Private-value length too big");

    } catch (IOException e) {
      throw new InvalidKeyException("Error parsing key encoding: " + e.toString());