/** * Check if the certificate allows use of the given DNS name. * * <p>From RFC2818: If a subjectAltName extension of type dNSName is present, that MUST be used as * the identity. Otherwise, the (most specific) Common Name field in the Subject field of the * certificate MUST be used. Although the use of the Common Name is existing practice, it is * deprecated and Certification Authorities are encouraged to use the dNSName instead. * * <p>Matching is performed using the matching rules specified by [RFC2459]. If more than one * identity of a given type is present in the certificate (e.g., more than one dNSName name, a * match in any one of the set is considered acceptable.) */ private void matchDNS(String expectedName, X509Certificate cert) throws CertificateException { Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames(); if (subjAltNames != null) { boolean foundDNS = false; for (List<?> next : subjAltNames) { if (((Integer) next.get(0)).intValue() == ALTNAME_DNS) { foundDNS = true; String dnsName = (String) next.get(1); if (isMatched(expectedName, dnsName)) { return; } } } if (foundDNS) { // if certificate contains any subject alt names of type DNS // but none match, reject throw new CertificateException( "No subject alternative DNS " + "name matching " + expectedName + " found."); } } X500Name subjectName = getSubjectX500Name(cert); DerValue derValue = subjectName.findMostSpecificAttribute(X500Name.commonName_oid); if (derValue != null) { try { if (isMatched(expectedName, derValue.getAsString())) { return; } } catch (IOException e) { // ignore } } String msg = "No name matching " + expectedName + " found"; throw new CertificateException(msg); }
/** * Returns the encoded SPNEGO token Note: inserts the required CHOICE tags * * @return the encoded token * @exception GSSException */ byte[] getEncoded() throws IOException, GSSException { // get the token encoded value DerOutputStream token = new DerOutputStream(); token.write(encode()); // now insert the CHOICE switch (tokenType) { case NEG_TOKEN_INIT_ID: // Insert CHOICE of Negotiation Token DerOutputStream initToken = new DerOutputStream(); initToken.write( DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) NEG_TOKEN_INIT_ID), token); return initToken.toByteArray(); case NEG_TOKEN_TARG_ID: // Insert CHOICE of Negotiation Token DerOutputStream targToken = new DerOutputStream(); targToken.write( DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) NEG_TOKEN_TARG_ID), token); return targToken.toByteArray(); default: return token.toByteArray(); } }
@SuppressWarnings("deprecation") private byte[] extractKeyData(DerInputStream stream) throws IOException, NoSuchAlgorithmException, CertificateException { byte[] returnValue = null; DerValue[] safeBags = stream.getSequence(2); int count = safeBags.length; /* * Spin over the SafeBags. */ for (int i = 0; i < count; i++) { ObjectIdentifier bagId; DerInputStream sbi; DerValue bagValue; Object bagItem = null; sbi = safeBags[i].toDerInputStream(); bagId = sbi.getOID(); bagValue = sbi.getDerValue(); if (!bagValue.isContextSpecific((byte) 0)) { throw new IOException("unsupported PKCS12 bag value type " + bagValue.tag); } bagValue = bagValue.data.getDerValue(); if (bagId.equals(PKCS8ShroudedKeyBag_OID)) { // got what we were looking for. Return it. returnValue = bagValue.toByteArray(); } else { // log error message for "unsupported PKCS12 bag type" System.out.println("Unsupported bag type '" + bagId + "'"); } } return returnValue; }
@SuppressWarnings("deprecation") private byte[] fetchPrivateKeyFromBag(byte[] privateKeyInfo) throws IOException, NoSuchAlgorithmException, CertificateException { byte[] returnValue = null; DerValue val = new DerValue(new ByteArrayInputStream(privateKeyInfo)); DerInputStream s = val.toDerInputStream(); int version = s.getInteger(); if (version != 3) { throw new IOException("PKCS12 keystore not in version 3 format"); } /* * Read the authSafe. */ byte[] authSafeData; ContentInfo authSafe = new ContentInfo(s); ObjectIdentifier contentType = authSafe.getContentType(); if (contentType.equals(ContentInfo.DATA_OID)) { authSafeData = authSafe.getData(); } else /* signed data */ { throw new IOException("public key protected PKCS12 not supported"); } DerInputStream as = new DerInputStream(authSafeData); DerValue[] safeContentsArray = as.getSequence(2); int count = safeContentsArray.length; /* * Spin over the ContentInfos. */ for (int i = 0; i < count; i++) { byte[] safeContentsData; ContentInfo safeContents; DerInputStream sci; byte[] eAlgId = null; sci = new DerInputStream(safeContentsArray[i].toByteArray()); safeContents = new ContentInfo(sci); contentType = safeContents.getContentType(); safeContentsData = null; if (contentType.equals(ContentInfo.DATA_OID)) { safeContentsData = safeContents.getData(); } else if (contentType.equals(ContentInfo.ENCRYPTED_DATA_OID)) { // The password was used to export the private key from the keychain. // The Keychain won't export the key with encrypted data, so we don't need // to worry about it. continue; } else { throw new IOException("public key protected PKCS12" + " not supported"); } DerInputStream sc = new DerInputStream(safeContentsData); returnValue = extractKeyData(sc); } return returnValue; }
/** * Encodes an LastReqEntry object. * * @return the byte array of encoded LastReqEntry object. * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. * @exception IOException if an I/O error occurs while reading encoded data. */ public byte[] asn1Encode() throws Asn1Exception, IOException { DerOutputStream bytes = new DerOutputStream(); DerOutputStream temp = new DerOutputStream(); temp.putInteger(lrType); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), lrValue.asn1Encode()); temp = new DerOutputStream(); temp.write(DerValue.tag_Sequence, bytes); return temp.toByteArray(); }
/** * Parse (unmarshal) a realm from a DER input stream. This form parsing might be used when * expanding a value which is part of a constructed sequence and uses explicitly tagged type. * * @exception Asn1Exception on error. * @param data the Der input stream value, which contains one or more marshaled value. * @param explicitTag tag number. * @param optional indicate if this data field is optional * @return an instance of Realm. */ public static Realm parse(DerInputStream data, byte explicitTag, boolean optional) throws Asn1Exception, IOException, RealmException { if ((optional) && (((byte) data.peekByte() & (byte) 0x1F) != explicitTag)) { return null; } DerValue der = data.getDerValue(); if (explicitTag != (der.getTag() & (byte) 0x1F)) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } else { DerValue subDer = der.getData().getDerValue(); return new Realm(subDer); } }
/** * Encodes an APRep object. * * @return byte array of encoded APRep object. * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. * @exception IOException if an I/O error occurs while reading encoded data. */ public byte[] asn1Encode() throws Asn1Exception, IOException { DerOutputStream bytes = new DerOutputStream(); DerOutputStream temp = new DerOutputStream(); temp.putInteger(BigInteger.valueOf(pvno)); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp); temp = new DerOutputStream(); temp.putInteger(BigInteger.valueOf(msgType)); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), temp); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x02), encPart.asn1Encode()); temp = new DerOutputStream(); temp.write(DerValue.tag_Sequence, bytes); DerOutputStream aprep = new DerOutputStream(); aprep.write(DerValue.createTag(DerValue.TAG_APPLICATION, true, (byte) 0x0F), temp); return aprep.toByteArray(); }
/** * Encodes an MethodData object. * * @return the byte array of encoded MethodData object. * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. * @exception IOException if an I/O error occurs while reading encoded data. */ public byte[] asn1Encode() throws Asn1Exception, IOException { DerOutputStream bytes = new DerOutputStream(); DerOutputStream temp = new DerOutputStream(); temp.putInteger(BigInteger.valueOf(methodType)); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp); if (methodData != null) { temp = new DerOutputStream(); temp.putOctetString(methodData); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), temp); } temp = new DerOutputStream(); temp.write(DerValue.tag_Sequence, bytes); return temp.toByteArray(); }
/** * Parse (unmarshal) a <code>PrincipalName</code> from a DER input stream. This form parsing might * be used when expanding a value which is part of a constructed sequence and uses explicitly * tagged type. * * @exception Asn1Exception on error. * @param data the Der input stream value, which contains one or more marshaled value. * @param explicitTag tag number. * @param optional indicate if this data field is optional * @param realm the realm for the name * @return an instance of <code>PrincipalName</code>, or null if the field is optional and * missing. */ public static PrincipalName parse( DerInputStream data, byte explicitTag, boolean optional, Realm realm) throws Asn1Exception, IOException, RealmException { if ((optional) && (((byte) data.peekByte() & (byte) 0x1F) != explicitTag)) return null; DerValue der = data.getDerValue(); if (explicitTag != (der.getTag() & (byte) 0x1F)) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } else { DerValue subDer = der.getData().getDerValue(); if (realm == null) { realm = Realm.getDefault(); } return new PrincipalName(subDer, realm); } }
/** Creates the extension (also called by the subclass). */ protected CRLNumberExtension( ObjectIdentifier extensionId, Boolean critical, Object value, String extensionName, String extensionLabel) throws IOException { this.extensionId = extensionId; this.critical = critical.booleanValue(); this.extensionValue = (byte[]) value; DerValue val = new DerValue(this.extensionValue); this.crlNumber = val.getBigInteger(); this.extensionName = extensionName; this.extensionLabel = extensionLabel; }
/** Construct a key from its components. Used by the KeyFactory. */ ECPrivateKeyImpl(BigInteger s, ECParameterSpec params) throws InvalidKeyException { this.s = s; this.params = params; // generate the encoding algid = new AlgorithmId(AlgorithmId.EC_oid, ECParameters.getAlgorithmParameters(params)); try { DerOutputStream out = new DerOutputStream(); out.putInteger(1); // version 1 byte[] privBytes = ECUtil.trimZeroes(s.toByteArray()); out.putOctetString(privBytes); DerValue val = new DerValue(DerValue.tag_Sequence, out.toByteArray()); key = val.toByteArray(); } catch (IOException exc) { // should never occur throw new InvalidKeyException(exc); } }
/** * Encodes a <code>PrincipalName</code> object. Note that only the type and names are encoded. To * encode the realm, call getRealm().asn1Encode(). * * @return the byte array of the encoded PrncipalName object. * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. * @exception IOException if an I/O error occurs while reading encoded data. */ public byte[] asn1Encode() throws Asn1Exception, IOException { DerOutputStream bytes = new DerOutputStream(); DerOutputStream temp = new DerOutputStream(); BigInteger bint = BigInteger.valueOf(this.nameType); temp.putInteger(bint); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp); temp = new DerOutputStream(); DerValue der[] = new DerValue[nameStrings.length]; for (int i = 0; i < nameStrings.length; i++) { der[i] = new KerberosString(nameStrings[i]).toDerValue(); } temp.putSequence(der); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), temp); temp = new DerOutputStream(); temp.write(DerValue.tag_Sequence, bytes); return temp.toByteArray(); }
/* Verify that the DER object is correct */ private static void verifyDER(String type, DerValue der, byte tag, byte[] data) throws Exception { if (der.tag != tag) throw new Exception("Problem with tag for " + type); if (!equalBytes(der.data.toByteArray(), data)) throw new Exception("Problem with data for " + type); System.out.println(type + " checks out OK"); System.out.println("Calling toString on it: " + der.toString() + "\n"); }
/** * Constructs a MethodData object. * * @param encoding a Der-encoded data. * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. * @exception IOException if an I/O error occurs while reading encoded data. */ public MethodData(DerValue encoding) throws Asn1Exception, IOException { DerValue der; if (encoding.getTag() != DerValue.tag_Sequence) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } der = encoding.getData().getDerValue(); if ((der.getTag() & 0x1F) == 0x00) { BigInteger bint = der.getData().getBigInteger(); methodType = bint.intValue(); } else throw new Asn1Exception(Krb5.ASN1_BAD_ID); if (encoding.getData().available() > 0) { der = encoding.getData().getDerValue(); if ((der.getTag() & 0x1F) == 0x01) { methodData = der.getData().getOctetString(); } else throw new Asn1Exception(Krb5.ASN1_BAD_ID); } if (encoding.getData().available() > 0) throw new Asn1Exception(Krb5.ASN1_BAD_ID); }
/** * Constructs an instance of Checksum from an ASN.1 encoded representation. * * @param encoding a single DER-encoded value. * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. * @exception IOException if an I/O error occurs while reading encoded data. */ private Checksum(DerValue encoding) throws Asn1Exception, IOException { DerValue der; if (encoding.getTag() != DerValue.tag_Sequence) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } der = encoding.getData().getDerValue(); if ((der.getTag() & (byte) 0x1F) == (byte) 0x00) { cksumType = der.getData().getBigInteger().intValue(); } else throw new Asn1Exception(Krb5.ASN1_BAD_ID); der = encoding.getData().getDerValue(); if ((der.getTag() & (byte) 0x1F) == (byte) 0x01) { checksum = der.getData().getOctetString(); } else throw new Asn1Exception(Krb5.ASN1_BAD_ID); if (encoding.getData().available() > 0) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } }
/** Construct a key from its components. Used by the RSAKeyFactory and the RSAKeyPairGenerator. */ RSAPrivateCrtKeyImpl( BigInteger n, BigInteger e, BigInteger d, BigInteger p, BigInteger q, BigInteger pe, BigInteger qe, BigInteger coeff) throws InvalidKeyException { this.n = n; this.e = e; this.d = d; this.p = p; this.q = q; this.pe = pe; this.qe = qe; this.coeff = coeff; RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), e); // generate the encoding algid = rsaId; try { DerOutputStream out = new DerOutputStream(); out.putInteger(0); // version must be 0 out.putInteger(n); out.putInteger(e); out.putInteger(d); out.putInteger(p); out.putInteger(q); out.putInteger(pe); out.putInteger(qe); out.putInteger(coeff); DerValue val = new DerValue(DerValue.tag_Sequence, out.toByteArray()); key = val.toByteArray(); } catch (IOException exc) { // should never occur throw new InvalidKeyException(exc); } }
/* * parse Algorithm Parameters */ private AlgorithmParameters parseAlgParameters(DerInputStream in) throws IOException { AlgorithmParameters algParams = null; try { DerValue params; if (in.available() == 0) { params = null; } else { params = in.getDerValue(); if (params.tag == DerValue.tag_Null) { params = null; } } if (params != null) { algParams = AlgorithmParameters.getInstance("PBE"); algParams.init(params.toByteArray()); } } catch (Exception e) { IOException ioe = new IOException("parseAlgParameters failed: " + e.getMessage()); ioe.initCause(e); throw ioe; } return algParams; }
/** * Constructs a LastReqEntry object. * * @param encoding a Der-encoded data. * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. * @exception IOException if an I/O error occurs while reading encoded data. */ public LastReqEntry(DerValue encoding) throws Asn1Exception, IOException { if (encoding.getTag() != DerValue.tag_Sequence) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } DerValue der; der = encoding.getData().getDerValue(); if ((der.getTag() & 0x1F) == 0x00) { lrType = der.getData().getBigInteger().intValue(); } else throw new Asn1Exception(Krb5.ASN1_BAD_ID); lrValue = KerberosTime.parse(encoding.getData(), (byte) 0x01, false); if (encoding.getData().available() > 0) throw new Asn1Exception(Krb5.ASN1_BAD_ID); }
/** Parse the key. Called by PKCS8Key. */ protected void parseKeyBits() throws InvalidKeyException { try { DerInputStream in = new DerInputStream(key); DerValue derValue = in.getDerValue(); if (derValue.tag != DerValue.tag_Sequence) { throw new IOException("Not a SEQUENCE"); } DerInputStream data = derValue.data; int version = data.getInteger(); if (version != 1) { throw new IOException("Version must be 1"); } byte[] privData = data.getOctetString(); s = new BigInteger(1, privData); while (data.available() != 0) { DerValue value = data.getDerValue(); if (value.isContextSpecific((byte) 0)) { // ignore for now } else if (value.isContextSpecific((byte) 1)) { // ignore for now } else { throw new InvalidKeyException("Unexpected value: " + value); } } AlgorithmParameters algParams = this.algid.getParameters(); if (algParams == null) { throw new InvalidKeyException( "EC domain parameters must be " + "encoded in the algorithm identifier"); } params = algParams.getParameterSpec(ECParameterSpec.class); } catch (IOException e) { throw new InvalidKeyException("Invalid EC private key", e); } catch (InvalidParameterSpecException e) { throw new InvalidKeyException("Invalid EC private key", e); } }
private void init(DerValue encoding) throws Asn1Exception, IOException, RealmException { DerValue der, subDer; renewTill = null; caddr = null; authorizationData = null; if (((encoding.getTag() & (byte) 0x1F) != (byte) 0x03) || (encoding.isApplication() != true) || (encoding.isConstructed() != true)) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } der = encoding.getData().getDerValue(); if (der.getTag() != DerValue.tag_Sequence) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } flags = TicketFlags.parse(der.getData(), (byte) 0x00, false); key = EncryptionKey.parse(der.getData(), (byte) 0x01, false); Realm crealm = Realm.parse(der.getData(), (byte) 0x02, false); cname = PrincipalName.parse(der.getData(), (byte) 0x03, false, crealm); transited = TransitedEncoding.parse(der.getData(), (byte) 0x04, false); authtime = KerberosTime.parse(der.getData(), (byte) 0x05, false); starttime = KerberosTime.parse(der.getData(), (byte) 0x06, true); endtime = KerberosTime.parse(der.getData(), (byte) 0x07, false); if (der.getData().available() > 0) { renewTill = KerberosTime.parse(der.getData(), (byte) 0x08, true); } if (der.getData().available() > 0) { caddr = HostAddresses.parse(der.getData(), (byte) 0x09, true); } if (der.getData().available() > 0) { authorizationData = AuthorizationData.parse(der.getData(), (byte) 0x0A, true); } if (der.getData().available() > 0) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } }
/* * Create an OCSP response from its ASN.1 DER encoding. */ OCSPResponse(byte[] bytes) throws IOException { if (dump) { HexDumpEncoder hexEnc = new HexDumpEncoder(); System.out.println("OCSPResponse bytes are..."); System.out.println(hexEnc.encode(bytes)); } DerValue der = new DerValue(bytes); if (der.tag != DerValue.tag_Sequence) { throw new IOException("Bad encoding in OCSP response: " + "expected ASN.1 SEQUENCE tag."); } DerInputStream derIn = der.getData(); // responseStatus int status = derIn.getEnumerated(); if (status >= 0 && status < rsvalues.length) { responseStatus = rsvalues[status]; } else { // unspecified responseStatus throw new IOException("Unknown OCSPResponse status: " + status); } if (debug != null) { debug.println("OCSP response status: " + responseStatus); } if (responseStatus != ResponseStatus.SUCCESSFUL) { // no need to continue, responseBytes are not set. singleResponseMap = Collections.emptyMap(); certs = Collections.<X509CertImpl>emptyList(); sigAlgId = null; signature = null; tbsResponseData = null; responseNonce = null; return; } // responseBytes der = derIn.getDerValue(); if (!der.isContextSpecific((byte) 0)) { throw new IOException( "Bad encoding in responseBytes element " + "of OCSP response: expected ASN.1 context specific tag 0."); } DerValue tmp = der.data.getDerValue(); if (tmp.tag != DerValue.tag_Sequence) { throw new IOException( "Bad encoding in responseBytes element " + "of OCSP response: expected ASN.1 SEQUENCE tag."); } // responseType derIn = tmp.data; ObjectIdentifier responseType = derIn.getOID(); if (responseType.equals((Object) OCSP_BASIC_RESPONSE_OID)) { if (debug != null) { debug.println("OCSP response type: basic"); } } else { if (debug != null) { debug.println("OCSP response type: " + responseType); } throw new IOException("Unsupported OCSP response type: " + responseType); } // BasicOCSPResponse DerInputStream basicOCSPResponse = new DerInputStream(derIn.getOctetString()); DerValue[] seqTmp = basicOCSPResponse.getSequence(2); if (seqTmp.length < 3) { throw new IOException("Unexpected BasicOCSPResponse value"); } DerValue responseData = seqTmp[0]; // Need the DER encoded ResponseData to verify the signature later tbsResponseData = seqTmp[0].toByteArray(); // tbsResponseData if (responseData.tag != DerValue.tag_Sequence) { throw new IOException( "Bad encoding in tbsResponseData " + "element of OCSP response: expected ASN.1 SEQUENCE tag."); } DerInputStream seqDerIn = responseData.data; DerValue seq = seqDerIn.getDerValue(); // version if (seq.isContextSpecific((byte) 0)) { // seq[0] is version if (seq.isConstructed() && seq.isContextSpecific()) { // System.out.println ("version is available"); seq = seq.data.getDerValue(); int version = seq.getInteger(); if (seq.data.available() != 0) { throw new IOException( "Bad encoding in version " + " element of OCSP response: bad format"); } seq = seqDerIn.getDerValue(); } } // responderID short tag = (byte) (seq.tag & 0x1f); if (tag == NAME_TAG) { if (debug != null) { X500Principal responderName = new X500Principal(seq.getData().toByteArray()); debug.println("OCSP Responder name: " + responderName); } } else if (tag == KEY_TAG) { if (debug != null) { byte[] responderKey = seq.getData().getOctetString(); debug.println("OCSP Responder key: " + Debug.toString(responderKey)); } } else { throw new IOException( "Bad encoding in responderID element of " + "OCSP response: expected ASN.1 context specific tag 0 or 1"); } // producedAt seq = seqDerIn.getDerValue(); if (debug != null) { Date producedAtDate = seq.getGeneralizedTime(); debug.println("OCSP response produced at: " + producedAtDate); } // responses DerValue[] singleResponseDer = seqDerIn.getSequence(1); singleResponseMap = new HashMap<>(singleResponseDer.length); if (debug != null) { debug.println("OCSP number of SingleResponses: " + singleResponseDer.length); } for (int i = 0; i < singleResponseDer.length; i++) { SingleResponse singleResponse = new SingleResponse(singleResponseDer[i]); singleResponseMap.put(singleResponse.getCertId(), singleResponse); } // responseExtensions byte[] nonce = null; if (seqDerIn.available() > 0) { seq = seqDerIn.getDerValue(); if (seq.isContextSpecific((byte) 1)) { DerValue[] responseExtDer = seq.data.getSequence(3); for (int i = 0; i < responseExtDer.length; i++) { Extension ext = new Extension(responseExtDer[i]); if (debug != null) { debug.println("OCSP extension: " + ext); } // Only the NONCE extension is recognized if (ext.getExtensionId().equals((Object) OCSP.NONCE_EXTENSION_OID)) { nonce = ext.getExtensionValue(); } else if (ext.isCritical()) { throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId()); } } } } responseNonce = nonce; // signatureAlgorithmId sigAlgId = AlgorithmId.parse(seqTmp[1]); // signature signature = seqTmp[2].getBitString(); // if seq[3] is available , then it is a sequence of certificates if (seqTmp.length > 3) { // certs are available DerValue seqCert = seqTmp[3]; if (!seqCert.isContextSpecific((byte) 0)) { throw new IOException( "Bad encoding in certs element of " + "OCSP response: expected ASN.1 context specific tag 0."); } DerValue[] derCerts = seqCert.getData().getSequence(3); certs = new ArrayList<X509CertImpl>(derCerts.length); try { for (int i = 0; i < derCerts.length; i++) { certs.add(new X509CertImpl(derCerts[i].toByteArray())); } } catch (CertificateException ce) { throw new IOException("Bad encoding in X509 Certificate", ce); } } else { certs = Collections.<X509CertImpl>emptyList(); } }
/** * Encodes an EncTicketPart object. * * @return byte array of encoded EncTicketPart object. * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. * @exception IOException if an I/O error occurs while reading encoded data. */ public byte[] asn1Encode() throws Asn1Exception, IOException { DerOutputStream bytes = new DerOutputStream(); DerOutputStream temp = new DerOutputStream(); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), flags.asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), key.asn1Encode()); bytes.write( DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x02), cname.getRealm().asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x03), cname.asn1Encode()); bytes.write( DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x04), transited.asn1Encode()); bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x05), authtime.asn1Encode()); if (starttime != null) { bytes.write( DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x06), starttime.asn1Encode()); } bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x07), endtime.asn1Encode()); if (renewTill != null) { bytes.write( DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x08), renewTill.asn1Encode()); } if (caddr != null) { bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x09), caddr.asn1Encode()); } if (authorizationData != null) { bytes.write( DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x0A), authorizationData.asn1Encode()); } temp.write(DerValue.tag_Sequence, bytes); bytes = new DerOutputStream(); bytes.write(DerValue.createTag(DerValue.TAG_APPLICATION, true, (byte) 0x03), temp); return bytes.toByteArray(); }
/** * Initializes an APRep object. * * @param encoding a single DER-encoded value. * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. * @exception IOException if an I/O error occurs while reading encoded data. * @exception KrbApErrException if the value read from the DER-encoded data stream does not match * the pre-defined value. */ private void init(DerValue encoding) throws Asn1Exception, KrbApErrException, IOException { if (((encoding.getTag() & (byte) (0x1F)) != Krb5.KRB_AP_REP) || (encoding.isApplication() != true) || (encoding.isConstructed() != true)) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } DerValue der = encoding.getData().getDerValue(); if (der.getTag() != DerValue.tag_Sequence) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } DerValue subDer = der.getData().getDerValue(); if ((subDer.getTag() & (byte) 0x1F) != (byte) 0x00) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } pvno = subDer.getData().getBigInteger().intValue(); if (pvno != Krb5.PVNO) { throw new KrbApErrException(Krb5.KRB_AP_ERR_BADVERSION); } subDer = der.getData().getDerValue(); if ((subDer.getTag() & (byte) 0x1F) != (byte) 0x01) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } msgType = subDer.getData().getBigInteger().intValue(); if (msgType != Krb5.KRB_AP_REP) { throw new KrbApErrException(Krb5.KRB_AP_ERR_MSG_TYPE); } encPart = EncryptedData.parse(der.getData(), (byte) 0x02, false); if (der.getData().available() > 0) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } }
/** * Returns the ASN.1 encoding of the <xmp> PrincipalName ::= SEQUENCE { name-type [0] Int32, * name-string [1] SEQUENCE OF KerberosString } * * <p>KerberosString ::= GeneralString (IA5String) </xmp> * * <p>This definition reflects the Network Working Group RFC 4120 specification available at <a * href="http://www.ietf.org/rfc/rfc4120.txt">http://www.ietf.org/rfc/rfc4120.txt</a>. * * @param encoding a Der-encoded data. * @param realm the realm for this name * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data. * @exception Asn1Exception if there is an ASN1 encoding error * @exception IOException if an I/O error occurs * @exception IllegalArgumentException if encoding is null reading encoded data. */ public PrincipalName(DerValue encoding, Realm realm) throws Asn1Exception, IOException { if (realm == null) { throw new IllegalArgumentException("Null realm not allowed"); } nameRealm = realm; DerValue der; if (encoding == null) { throw new IllegalArgumentException("Null encoding not allowed"); } if (encoding.getTag() != DerValue.tag_Sequence) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } der = encoding.getData().getDerValue(); if ((der.getTag() & 0x1F) == 0x00) { BigInteger bint = der.getData().getBigInteger(); nameType = bint.intValue(); } else { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } der = encoding.getData().getDerValue(); if ((der.getTag() & 0x01F) == 0x01) { DerValue subDer = der.getData().getDerValue(); if (subDer.getTag() != DerValue.tag_SequenceOf) { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } Vector<String> v = new Vector<>(); DerValue subSubDer; while (subDer.getData().available() > 0) { subSubDer = subDer.getData().getDerValue(); String namePart = new KerberosString(subSubDer).toString(); v.addElement(namePart); } nameStrings = new String[v.size()]; v.copyInto(nameStrings); validateNameStrings(nameStrings); } else { throw new Asn1Exception(Krb5.ASN1_BAD_ID); } }
/** * Returns the key associated with the given alias, using the given password to recover it. * * @param alias the alias name * @param password the password for recovering the key. This password is used internally as the * key is exported in a PKCS12 format. * @return the requested key, or null if the given alias does not exist or does not identify a * <i>key entry</i>. * @exception NoSuchAlgorithmException if the algorithm for recovering the key cannot be found * @exception UnrecoverableKeyException if the key cannot be recovered (e.g., the given password * is wrong). */ public Key engineGetKey(String alias, char[] password) throws NoSuchAlgorithmException, UnrecoverableKeyException { permissionCheck(); // An empty password is rejected by MacOS API, no private key data // is exported. If no password is passed (as is the case when // this implementation is used as browser keystore in various // deployment scenarios like Webstart, JFX and applets), create // a dummy password so MacOS API is happy. if (password == null || password.length == 0) { // Must not be a char array with only a 0, as this is an empty // string. if (random == null) { random = new SecureRandom(); } password = Long.toString(random.nextLong()).toCharArray(); } Object entry = entries.get(alias.toLowerCase()); if (entry == null || !(entry instanceof KeyEntry)) { return null; } // This call gives us a PKCS12 bag, with the key inside it. byte[] exportedKeyInfo = _getEncodedKeyData(((KeyEntry) entry).keyRef, password); if (exportedKeyInfo == null) { return null; } PrivateKey returnValue = null; try { byte[] pkcs8KeyData = fetchPrivateKeyFromBag(exportedKeyInfo); byte[] encryptedKey; AlgorithmParameters algParams; ObjectIdentifier algOid; try { // get the encrypted private key EncryptedPrivateKeyInfo encrInfo = new EncryptedPrivateKeyInfo(pkcs8KeyData); encryptedKey = encrInfo.getEncryptedData(); // parse Algorithm parameters DerValue val = new DerValue(encrInfo.getAlgorithm().encode()); DerInputStream in = val.toDerInputStream(); algOid = in.getOID(); algParams = parseAlgParameters(in); } catch (IOException ioe) { UnrecoverableKeyException uke = new UnrecoverableKeyException( "Private key not stored as " + "PKCS#8 EncryptedPrivateKeyInfo: " + ioe); uke.initCause(ioe); throw uke; } // Use JCE to decrypt the data using the supplied password. SecretKey skey = getPBEKey(password); Cipher cipher = Cipher.getInstance(algOid.toString()); cipher.init(Cipher.DECRYPT_MODE, skey, algParams); byte[] decryptedPrivateKey = cipher.doFinal(encryptedKey); PKCS8EncodedKeySpec kspec = new PKCS8EncodedKeySpec(decryptedPrivateKey); // Parse the key algorithm and then use a JCA key factory to create the private key. DerValue val = new DerValue(decryptedPrivateKey); DerInputStream in = val.toDerInputStream(); // Ignore this -- version should be 0. int i = in.getInteger(); // Get the Algorithm ID next DerValue[] value = in.getSequence(2); AlgorithmId algId = new AlgorithmId(value[0].getOID()); String algName = algId.getName(); // Get a key factory for this algorithm. It's likely to be 'RSA'. KeyFactory kfac = KeyFactory.getInstance(algName); returnValue = kfac.generatePrivate(kspec); } catch (Exception e) { UnrecoverableKeyException uke = new UnrecoverableKeyException("Get Key failed: " + e.getMessage()); uke.initCause(e); throw uke; } return returnValue; }
/* */ public void putDerValue(DerValue paramDerValue) /* */ throws IOException /* */ { /* 125 */ paramDerValue.encode(this); /* */ }
private SingleResponse(DerValue der) throws IOException { if (der.tag != DerValue.tag_Sequence) { throw new IOException("Bad ASN.1 encoding in SingleResponse"); } DerInputStream tmp = der.data; certId = new CertId(tmp.getDerValue().data); DerValue derVal = tmp.getDerValue(); short tag = (byte) (derVal.tag & 0x1f); if (tag == CERT_STATUS_REVOKED) { certStatus = CertStatus.REVOKED; revocationTime = derVal.data.getGeneralizedTime(); if (derVal.data.available() != 0) { DerValue dv = derVal.data.getDerValue(); tag = (byte) (dv.tag & 0x1f); if (tag == 0) { int reason = dv.data.getEnumerated(); // if reason out-of-range just leave as UNSPECIFIED if (reason >= 0 && reason < values.length) { revocationReason = values[reason]; } else { revocationReason = CRLReason.UNSPECIFIED; } } else { revocationReason = CRLReason.UNSPECIFIED; } } else { revocationReason = CRLReason.UNSPECIFIED; } // RevokedInfo if (debug != null) { debug.println("Revocation time: " + revocationTime); debug.println("Revocation reason: " + revocationReason); } } else { revocationTime = null; revocationReason = CRLReason.UNSPECIFIED; if (tag == CERT_STATUS_GOOD) { certStatus = CertStatus.GOOD; } else if (tag == CERT_STATUS_UNKNOWN) { certStatus = CertStatus.UNKNOWN; } else { throw new IOException("Invalid certificate status"); } } thisUpdate = tmp.getGeneralizedTime(); if (tmp.available() == 0) { // we are done nextUpdate = null; } else { derVal = tmp.getDerValue(); tag = (byte) (derVal.tag & 0x1f); if (tag == 0) { // next update nextUpdate = derVal.data.getGeneralizedTime(); if (tmp.available() == 0) { // we are done } else { derVal = tmp.getDerValue(); tag = (byte) (derVal.tag & 0x1f); } } else { nextUpdate = null; } } // singleExtensions if (tmp.available() > 0) { derVal = tmp.getDerValue(); if (derVal.isContextSpecific((byte) 1)) { DerValue[] singleExtDer = derVal.data.getSequence(3); singleExtensions = new HashMap<String, java.security.cert.Extension>(singleExtDer.length); for (int i = 0; i < singleExtDer.length; i++) { Extension ext = new Extension(singleExtDer[i]); if (debug != null) { debug.println("OCSP single extension: " + ext); } // We don't support any extensions yet. Therefore, if it // is critical we must throw an exception because we // don't know how to process it. if (ext.isCritical()) { throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId()); } singleExtensions.put(ext.getId(), ext); } } else { singleExtensions = Collections.emptyMap(); } } else { singleExtensions = Collections.emptyMap(); } }
/** * Make a DH public key from its DER encoding (X.509). * * @param encodedKey the encoded key * @exception InvalidKeyException if the encoded key does not represent a Diffie-Hellman public * key */ DHPublicKey(byte[] encodedKey) throws InvalidKeyException { InputStream inStream = new ByteArrayInputStream(encodedKey); try { DerValue derKeyVal = new DerValue(inStream); if (derKeyVal.tag != DerValue.tag_Sequence) { throw new InvalidKeyException("Invalid key format"); } /* * Parse the algorithm identifier */ DerValue algid = derKeyVal.data.getDerValue(); if (algid.tag != DerValue.tag_Sequence) { throw new InvalidKeyException("AlgId is not a SEQUENCE"); } DerInputStream derInStream = algid.toDerInputStream(); ObjectIdentifier oid = derInStream.getOID(); if (oid == null) { throw new InvalidKeyException("Null OID"); } if (derInStream.available() == 0) { throw new InvalidKeyException("Parameters missing"); } /* * Parse the parameters */ DerValue params = derInStream.getDerValue(); if (params.tag == DerValue.tag_Null) { throw new InvalidKeyException("Null parameters"); } if (params.tag != DerValue.tag_Sequence) { throw new InvalidKeyException("Parameters not a SEQUENCE"); } params.data.reset(); this.p = params.data.getBigInteger(); this.g = params.data.getBigInteger(); // Private-value length is OPTIONAL if (params.data.available() != 0) { this.l = params.data.getInteger(); } if (params.data.available() != 0) { throw new InvalidKeyException("Extra parameter data"); } /* * Parse the key */ this.key = derKeyVal.data.getBitString(); parseKeyBits(); if (derKeyVal.data.available() != 0) { throw new InvalidKeyException("Excess key data"); } this.encodedKey = (byte[]) encodedKey.clone(); } catch (NumberFormatException e) { throw new InvalidKeyException("Private-value length too big"); } catch (IOException e) { throw new InvalidKeyException("Error parsing key encoding: " + e.toString()); } }