public X509Certificate[] getCertificateChain(String alias) {
X509Certificate[] certArray = keyManager.getCertificateChain(alias);
if (Debug.verboseOn())
Debug.logVerbose(
"getCertificateChain for alias [" + alias + "] got " + certArray.length + " results",
module);
return certArray;
}
public PrivateKey getPrivateKey(String alias) {
PrivateKey pk = keyManager.getPrivateKey(alias);
if (Debug.verboseOn())
Debug.logVerbose(
"getPrivateKey for alias ["
+ alias
+ "] got "
+ (pk == null
? "[Not Found!]"
: "[alg:" + pk.getAlgorithm() + ";format:" + pk.getFormat() + "]"),
module);
// Debug.logInfo(new Exception(), "Location where getPrivateKey is called", module);
return pk;
}
// this is where the customization comes in
public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
for (String keyType : keyTypes) {
String[] aliases = keyManager.getClientAliases(keyType, null); // ignoring the issuers
if (aliases != null && aliases.length > 0) {
for (String alias : aliases) {
if (this.alias.equals(alias)) {
if (Debug.verboseOn())
Debug.logVerbose(
"chooseClientAlias for keyType [" + keyType + "] got alias " + this.alias,
module);
// Debug.logInfo(new Exception(), "Location where chooseClientAlias is called", module);
return this.alias;
}
}
}
}
return null;
}
/**
* Choose an alias to authenticate the client side of a secure socket, given the public key type
* and the list of certificate issuer authorities recognized by the peer (if any).
*
* @param keyType The key algorithm type name(s), ordered with the most-preferred key type first
* @param issuers The list of acceptable CA issuer subject names, or null if it does not matter
* which issuers are used
* @param socket The socket to be used for this connection. This parameter can be null, in which
* case this method will return the most generic alias to use
* @return The alias name for the desired key, or null if there are no matches
*/
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
return delegate.chooseClientAlias(keyType, issuers, socket);
}
public PrivateKey getPrivateKey(String s) {
return wrapped.getPrivateKey(s);
}
/**
* Processes ServerHelloDone: makes verification of the server messages; sends client messages,
* computers masterSecret, sends ChangeCipherSpec
*/
@DSComment("Package priviledge")
@DSBan(DSCat.DEFAULT_MODIFIER)
@DSGenerator(
tool_name = "Doppelganger",
tool_version = "2.0",
generated_on = "2013-12-30 13:01:10.434 -0500",
hash_original_method = "2DDF37E22088D1FE8BC73EB3CA83F3A0",
hash_generated_method = "D2F899ECF0C8F0AF7307958FBF03F0A2")
void processServerHelloDone() {
PrivateKey clientKey = null;
if (serverCert != null) {
if (session.cipherSuite.isAnonymous()) {
unexpectedMessage();
return;
}
verifyServerCert();
} else {
if (!session.cipherSuite.isAnonymous()) {
unexpectedMessage();
return;
}
}
// Client certificate
if (certificateRequest != null) {
X509Certificate[] certs = null;
// obtain certificates from key manager
String alias = null;
String[] certTypes = certificateRequest.getTypesAsString();
X500Principal[] issuers = certificateRequest.certificate_authorities;
X509KeyManager km = parameters.getKeyManager();
if (km instanceof X509ExtendedKeyManager) {
X509ExtendedKeyManager ekm = (X509ExtendedKeyManager) km;
if (this.socketOwner != null) {
alias = ekm.chooseClientAlias(certTypes, issuers, this.socketOwner);
} else {
alias = ekm.chooseEngineClientAlias(certTypes, issuers, this.engineOwner);
}
if (alias != null) {
certs = ekm.getCertificateChain(alias);
}
} else {
alias = km.chooseClientAlias(certTypes, issuers, this.socketOwner);
if (alias != null) {
certs = km.getCertificateChain(alias);
}
}
session.localCertificates = certs;
clientCert = new CertificateMessage(certs);
clientKey = km.getPrivateKey(alias);
send(clientCert);
}
// Client key exchange
if (session.cipherSuite.keyExchange == CipherSuite.KEY_EXCHANGE_RSA
|| session.cipherSuite.keyExchange == CipherSuite.KEY_EXCHANGE_RSA_EXPORT) {
// RSA encrypted premaster secret message
Cipher c;
try {
c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
if (serverKeyExchange != null) {
c.init(Cipher.ENCRYPT_MODE, serverKeyExchange.getRSAPublicKey());
} else {
c.init(Cipher.ENCRYPT_MODE, serverCert.certs[0]);
}
} catch (Exception e) {
fatalAlert(AlertProtocol.INTERNAL_ERROR, "Unexpected exception", e);
return;
}
preMasterSecret = new byte[48];
parameters.getSecureRandom().nextBytes(preMasterSecret);
System.arraycopy(clientHello.client_version, 0, preMasterSecret, 0, 2);
try {
clientKeyExchange =
new ClientKeyExchange(c.doFinal(preMasterSecret), serverHello.server_version[1] == 1);
} catch (Exception e) {
fatalAlert(AlertProtocol.INTERNAL_ERROR, "Unexpected exception", e);
return;
}
} else {
try {
KeyFactory kf = KeyFactory.getInstance("DH");
KeyAgreement agreement = KeyAgreement.getInstance("DH");
KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
PublicKey serverPublic;
DHParameterSpec spec;
if (serverKeyExchange != null) {
serverPublic =
kf.generatePublic(
new DHPublicKeySpec(
serverKeyExchange.par3, serverKeyExchange.par1, serverKeyExchange.par2));
spec = new DHParameterSpec(serverKeyExchange.par1, serverKeyExchange.par2);
} else {
serverPublic = serverCert.certs[0].getPublicKey();
spec = ((DHPublicKey) serverPublic).getParams();
}
kpg.initialize(spec);
KeyPair kp = kpg.generateKeyPair();
Key key = kp.getPublic();
if (clientCert != null
&& serverCert != null
&& (session.cipherSuite.keyExchange == CipherSuite.KEY_EXCHANGE_DHE_RSA
|| session.cipherSuite.keyExchange == CipherSuite.KEY_EXCHANGE_DHE_DSS)) {
PublicKey client_pk = clientCert.certs[0].getPublicKey();
PublicKey server_pk = serverCert.certs[0].getPublicKey();
if (client_pk instanceof DHKey && server_pk instanceof DHKey) {
if (((DHKey) client_pk)
.getParams()
.getG()
.equals(((DHKey) server_pk).getParams().getG())
&& ((DHKey) client_pk)
.getParams()
.getP()
.equals(((DHKey) server_pk).getParams().getG())) {
// client cert message DH public key parameters
// matched those specified by the
// server in its certificate,
clientKeyExchange = new ClientKeyExchange(); // empty
}
}
} else {
clientKeyExchange = new ClientKeyExchange(((DHPublicKey) key).getY());
}
key = kp.getPrivate();
agreement.init(key);
agreement.doPhase(serverPublic, true);
preMasterSecret = agreement.generateSecret();
} catch (Exception e) {
fatalAlert(AlertProtocol.INTERNAL_ERROR, "Unexpected exception", e);
return;
}
}
if (clientKeyExchange != null) {
send(clientKeyExchange);
}
computerMasterSecret();
// send certificate verify for all certificates except those containing
// fixed DH parameters
if (clientCert != null && !clientKeyExchange.isEmpty()) {
// Certificate verify
String authType = clientKey.getAlgorithm();
DigitalSignature ds = new DigitalSignature(authType);
ds.init(clientKey);
if ("RSA".equals(authType)) {
ds.setMD5(io_stream.getDigestMD5());
ds.setSHA(io_stream.getDigestSHA());
} else if ("DSA".equals(authType)) {
ds.setSHA(io_stream.getDigestSHA());
// The Signature should be empty in case of anonymous signature algorithm:
// } else if ("DH".equals(authType)) {
}
certificateVerify = new CertificateVerify(ds.sign());
send(certificateVerify);
}
sendChangeCipherSpec();
}
public String[] getServerAliases(String s, Principal[] principals) {
return wrapped.getServerAliases(s, principals);
}
public X509Certificate[] getCertificateChain(String s) {
return wrapped.getCertificateChain(s);
}
/**
* Returns the key associated with the given alias.
*
* @param alias The alias name
* @return The requested key, or null if the alias can't be found
*/
public PrivateKey getPrivateKey(String alias) {
return delegate.getPrivateKey(alias);
}
public String[] getServerAliases(String keyType, Principal[] issuers) {
System.out.println("Calling from X509KeyManager");
return km.getServerAliases(keyType, issuers);
}
/** @see javax.net.ssl.X509KeyManager#getCertificateChain(java.lang.String) */
public X509Certificate[] getCertificateChain(String alias) {
return _keyManager.getCertificateChain(alias);
}
// these just pass through the keyManager
public String chooseServerAlias(String keyType, Socket socket, Principal... issuers) {
return keyManager.chooseServerAlias(keyType, issuers, socket);
}
/**
* @see javax.net.ssl.X509KeyManager#chooseServerAlias(java.lang.String,
* java.security.Principal[], java.net.Socket)
*/
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
return _keyAlias == null ? _keyManager.chooseServerAlias(keyType, issuers, socket) : _keyAlias;
}
/**
* @see javax.net.ssl.X509KeyManager#getClientAliases(java.lang.String, java.security.Principal[])
*/
public String[] getClientAliases(String keyType, Principal[] issuers) {
return _keyManager.getClientAliases(keyType, issuers);
}
public PrivateKey getPrivateKey(String alias) {
System.out.println("Calling from X509KeyManager");
return km.getPrivateKey(alias);
}
public X509Certificate[] getCertificateChain(String alias) {
System.out.println("Calling from X509KeyManager");
return km.getCertificateChain(alias);
}
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
System.out.println("Calling from X509KeyManager");
return km.chooseServerAlias(keyType, issuers, socket);
}
/**
* Returns the certificate chain associated with the given alias.
*
* @param alias The alias name
* @return Certificate chain (ordered with the user's certificate first and the root certificate
* authority last), or null if the alias can't be found
*/
public X509Certificate[] getCertificateChain(String alias) {
return delegate.getCertificateChain(alias);
}
public String[] getServerAliases(String arg0, Principal[] arg1) {
return pkixKeyManager.getServerAliases(arg0, arg1);
}
/**
* Get the matching aliases for authenticating the server side of a secure socket, given the
* public key type and the list of certificate issuer authorities recognized by the peer (if any).
*
* @param keyType The key algorithm type name
* @param issuers The list of acceptable CA issuer subject names, or null if it does not matter
* which issuers are used
* @return Array of the matching alias names, or null if there were no matches
*/
public String[] getServerAliases(String keyType, Principal[] issuers) {
return delegate.getServerAliases(keyType, issuers);
}
public X509Certificate[] getCertificateChain(String arg0) {
return pkixKeyManager.getCertificateChain(arg0);
}
/** @see javax.net.ssl.X509KeyManager#getPrivateKey(java.lang.String) */
public PrivateKey getPrivateKey(String alias) {
return _keyManager.getPrivateKey(alias);
}
public String chooseServerAlias(String arg0, Principal[] arg1, Socket arg2) {
return pkixKeyManager.chooseServerAlias(arg0, arg1, arg2);
}
public String[] getClientAliases(String s, Principal[] principals) {
return wrapped.getClientAliases(s, principals);
}
public String chooseClientAlias(String[] strings, Principal[] principals, Socket socket) {
return wrapped.chooseClientAlias(strings, principals, socket);
}
public String[] getServerAliases(String keyType, Principal[] issuers) {
return keyManager.getServerAliases(keyType, issuers);
}
public PrivateKey getPrivateKey(String arg0) {
return pkixKeyManager.getPrivateKey(arg0);
}