/** * Used during setup to get the certification from the keystore and encrypt the auth_value with * the private key * * @return true if the certificate was found and the string encypted correctly otherwise returns * false */ public void setCertificate() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, UnrecoverableEntryException { KeyStore store = KeyStore.getInstance(this.keystore_type); java.io.FileInputStream fis = new java.io.FileInputStream(this.keystore_path); store.load(fis, this.keystore_password); this.cipher = Cipher.getInstance(this.cipher_type); this.certificate = (X509Certificate) store.getCertificate(this.cert_alias); if (log.isDebugEnabled()) { log.debug("certificate = " + this.certificate.toString()); } this.cipher.init(Cipher.ENCRYPT_MODE, this.certificate); this.encryptedToken = this.cipher.doFinal(this.auth_value.getBytes()); if (log.isDebugEnabled()) { log.debug("encryptedToken = " + this.encryptedToken); } KeyStore.PrivateKeyEntry privateKey = (KeyStore.PrivateKeyEntry) store.getEntry(this.cert_alias, new KeyStore.PasswordProtection(this.cert_password)); this.certPrivateKey = privateKey.getPrivateKey(); this.valueSet = true; if (log.isDebugEnabled()) { log.debug("certPrivateKey = " + this.certPrivateKey.toString()); } }
public void signJar(Jar jar) { if (digestNames == null || digestNames.length == 0) error("Need at least one digest algorithm name, none are specified"); if (keystoreFile == null || !keystoreFile.getAbsoluteFile().exists()) { error("No such keystore file: " + keystoreFile); return; } if (alias == null) { error("Private key alias not set for signing"); return; } MessageDigest digestAlgorithms[] = new MessageDigest[digestNames.length]; getAlgorithms(digestNames, digestAlgorithms); try { Manifest manifest = jar.getManifest(); manifest.getMainAttributes().putValue("Signed-By", "Bnd"); // Create a new manifest that contains the // Name parts with the specified digests ByteArrayOutputStream o = new ByteArrayOutputStream(); manifest.write(o); doManifest(jar, digestNames, digestAlgorithms, o); o.flush(); byte newManifestBytes[] = o.toByteArray(); jar.putResource("META-INF/MANIFEST.MF", new EmbeddedResource(newManifestBytes, 0)); // Use the bytes from the new manifest to create // a signature file byte[] signatureFileBytes = doSignatureFile(digestNames, digestAlgorithms, newManifestBytes); jar.putResource("META-INF/BND.SF", new EmbeddedResource(signatureFileBytes, 0)); // Now we must create an RSA signature // this requires the private key from the keystore KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); KeyStore.PrivateKeyEntry privateKeyEntry = null; java.io.FileInputStream keystoreInputStream = null; try { keystoreInputStream = new java.io.FileInputStream(keystoreFile); char[] pw = password == null ? new char[0] : password.toCharArray(); keystore.load(keystoreInputStream, pw); keystoreInputStream.close(); privateKeyEntry = (PrivateKeyEntry) keystore.getEntry(alias, new KeyStore.PasswordProtection(pw)); } catch (Exception e) { error( "No able to load the private key from the give keystore(" + keystoreFile.getAbsolutePath() + ") with alias " + alias + " : " + e); return; } finally { IO.close(keystoreInputStream); } PrivateKey privateKey = privateKeyEntry.getPrivateKey(); Signature signature = Signature.getInstance("MD5withRSA"); signature.initSign(privateKey); signature.update(signatureFileBytes); signature.sign(); // TODO, place the SF in a PCKS#7 structure ... // no standard class for this? The following // is an idea but we will to have do ASN.1 BER // encoding ... ByteArrayOutputStream tmpStream = new ByteArrayOutputStream(); jar.putResource("META-INF/BND.RSA", new EmbeddedResource(tmpStream.toByteArray(), 0)); } catch (Exception e) { error("During signing: " + e); } }
/** * Sets up a bunch of objects that we need to run tests * * @param tdhDirectHost * @param tdhDirectPort * @param tdhOnionHost * @param tdhOnionPort * @param passPhrase * @param createClientBuilder * @param context * @param directProxy Normally null but sometimes not for some odder tests, this is used for what * are supposed to be local calls. * @param onionProxy This is the proxy that should be used with values like tdhOnionHost and * tdhOnionPort * @throws NoSuchAlgorithmException * @throws IOException * @throws UnrecoverableEntryException * @throws KeyStoreException * @throws KeyManagementException */ public ConfigureRequestObjects( String tdhDirectHost, int tdhDirectPort, String tdhOnionHost, int tdhOnionPort, char[] passPhrase, CreateClientBuilder createClientBuilder, Context context, Proxy directProxy, Proxy onionProxy) throws NoSuchAlgorithmException, IOException, UnrecoverableEntryException, KeyStoreException, KeyManagementException { File clientFilesDir = new File(context.getFilesDir(), clientSubDirectory); // We want to start with a new identity if (clientFilesDir.exists()) { FileUtils.deleteDirectory(clientFilesDir); } if (clientFilesDir.mkdirs() == false) { throw new RuntimeException(); } thaliCouchDbInstance = ThaliClientToDeviceHubUtilities.GetLocalCouchDbInstance( clientFilesDir, createClientBuilder, tdhDirectHost, tdhDirectPort, passPhrase, directProxy); thaliCouchDbInstance.deleteDatabase(ThaliTestUtilities.TestDatabaseName); thaliCouchDbInstance.deleteDatabase(ThaliTestEktorpClient.ReplicationTestDatabaseName); testDatabaseConnector = thaliCouchDbInstance.createConnector(ThaliTestUtilities.TestDatabaseName, false); clientKeyStore = ThaliCryptoUtilities.validateThaliKeyStore(clientFilesDir); org.apache.http.client.HttpClient httpClientNoServerValidation = createClientBuilder.CreateApacheClient( tdhDirectHost, tdhDirectPort, null, clientKeyStore, passPhrase, directProxy); serverPublicKey = ThaliClientToDeviceHubUtilities.getServersRootPublicKey(httpClientNoServerValidation); KeyStore.PrivateKeyEntry clientPrivateKeyEntry = ThaliCryptoUtilities.getThaliListenerKeyStoreEntry(clientKeyStore, passPhrase); clientPublicKey = clientPrivateKeyEntry.getCertificate().getPublicKey(); replicationDatabaseConnector = thaliCouchDbInstance.createConnector( ThaliTestEktorpClient.ReplicationTestDatabaseName, false); if (tdhOnionHost != null && tdhOnionHost.isEmpty() == false) { HttpClient torHttpClient = createClientBuilder.CreateEktorpClient( tdhOnionHost, tdhOnionPort, serverPublicKey, clientKeyStore, passPhrase, onionProxy); torThaliCouchDbInstance = new ThaliCouchDbInstance(torHttpClient); torTestDatabaseConnector = torThaliCouchDbInstance.createConnector(ThaliTestUtilities.TestDatabaseName, false); torReplicationDatabaseConnector = torThaliCouchDbInstance.createConnector( ThaliTestEktorpClient.ReplicationTestDatabaseName, false); } else { torThaliCouchDbInstance = null; torTestDatabaseConnector = null; torReplicationDatabaseConnector = null; } }