/** * Construct a new X.509 asymmetric keys authentication data instance from the provided JSON * object. * * @param x509AuthJO the authentication data JSON object. * @throws MslCryptoException if the X.509 certificate data cannot be parsed. * @throws MslEncodingException if the X.509 certificate cannot be found. */ X509AuthenticationData(final JSONObject x509AuthJO) throws MslCryptoException, MslEncodingException { super(EntityAuthenticationScheme.X509); // Extract X.509 certificate representation. final String x509; try { x509 = x509AuthJO.getString(KEY_X509_CERT); } catch (final JSONException e) { throw new MslEncodingException( MslError.JSON_PARSE_ERROR, "X.509 authdata " + x509AuthJO.toString(), e); } // Get the X.509 certificate factory. final CertificateFactory factory; try { factory = CertificateFactory.getInstance("X.509"); } catch (final CertificateException e) { throw new MslInternalException("No certificate X.509 certificate factory.", e); } // Create X.509 cert. final byte[] x509bytes; try { x509bytes = Base64.decode(x509); } catch (final IllegalArgumentException e) { throw new MslCryptoException(MslError.X509CERT_INVALID, x509, e); } try { final ByteArrayInputStream bais = new ByteArrayInputStream(x509bytes); x509cert = (X509Certificate) factory.generateCertificate(bais); identity = x509cert.getSubjectX500Principal().getName(); } catch (final CertificateException e) { throw new MslCryptoException(MslError.X509CERT_PARSE_ERROR, x509, e); } }
/** * @param localIdentity local entity identity. * @param remoteIdentity remote entity identity. * @param remoteRsaPubkeyB64 base64-encoded remote entity public key in X.509 format. * @param email user email address. May be {@code null}. * @param password user password. May be {@code null}. * @throws NoSuchAlgorithmException if the RSA algorithm is not supported. * @throws InvalidKeySpecException if the public key is invalid. */ public Oneshot( final String localIdentity, final String remoteIdentity, final String remoteRsaPubkeyB64, final String email, final String password) throws NoSuchAlgorithmException, InvalidKeySpecException { // Create MSL control. this.ctrl = new MslControl(0); // Setup remote entity public key. final byte[] pubkeyBytes = Base64.decode(remoteRsaPubkeyB64); final X509EncodedKeySpec pubkeySpec = new X509EncodedKeySpec(pubkeyBytes); final KeyFactory factory = KeyFactory.getInstance("RSA"); final PublicKey pubkey = factory.generatePublic(pubkeySpec); final OneshotRsaStore rsaStore = new OneshotRsaStore(remoteIdentity, pubkey); // Create MSL context. this.ctx = new OneshotMslContext(localIdentity, rsaStore); // Save user account information. this.email = email; this.password = password; }
/** * Create a new user ID token from the provided JSON object. The associated master token must be * provided to verify the user ID token. * * @param ctx MSL context. * @param userIdTokenJO user ID token JSON object. * @param masterToken the master token. * @throws MslEncodingException if there is an error parsing the JSON, the token data is missing * or invalid, or the signature is invalid. * @throws MslCryptoException if there is an error verifying the token data. * @throws MslException if the user ID token master token serial number does not match the master * token serial number, or the expiration timestamp occurs before the renewal window, or the * user data is missing or invalid, or the user ID token master token serial number is out of * range, or the user ID token serial number is out of range. */ public UserIdToken( final MslContext ctx, final JSONObject userIdTokenJO, final MasterToken masterToken) throws MslEncodingException, MslCryptoException, MslException { this.ctx = ctx; // Grab the crypto context. final ICryptoContext cryptoContext = ctx.getMslCryptoContext(); // Verify the JSON representation. try { try { tokendata = Base64.decode(userIdTokenJO.getString(KEY_TOKENDATA)); } catch (final IllegalArgumentException e) { throw new MslEncodingException( MslError.USERIDTOKEN_TOKENDATA_INVALID, "useridtoken " + userIdTokenJO.toString(), e) .setMasterToken(masterToken); } if (tokendata == null || tokendata.length == 0) throw new MslEncodingException( MslError.USERIDTOKEN_TOKENDATA_MISSING, "useridtoken " + userIdTokenJO.toString()) .setMasterToken(masterToken); try { signature = Base64.decode(userIdTokenJO.getString(KEY_SIGNATURE)); } catch (final IllegalArgumentException e) { throw new MslEncodingException( MslError.USERIDTOKEN_SIGNATURE_INVALID, "useridtoken " + userIdTokenJO.toString(), e) .setMasterToken(masterToken); } verified = cryptoContext.verify(tokendata, signature); } catch (final JSONException e) { throw new MslEncodingException( MslError.JSON_PARSE_ERROR, "useridtoken " + userIdTokenJO.toString(), e) .setMasterToken(masterToken); } // Pull the token data. final String tokenDataJson = new String(tokendata, MslConstants.DEFAULT_CHARSET); try { final JSONObject tokenDataJO = new JSONObject(tokenDataJson); renewalWindow = tokenDataJO.getLong(KEY_RENEWAL_WINDOW); expiration = tokenDataJO.getLong(KEY_EXPIRATION); if (expiration < renewalWindow) throw new MslException( MslError.USERIDTOKEN_EXPIRES_BEFORE_RENEWAL, "usertokendata " + tokenDataJson) .setMasterToken(masterToken); mtSerialNumber = tokenDataJO.getLong(KEY_MASTER_TOKEN_SERIAL_NUMBER); if (mtSerialNumber < 0 || mtSerialNumber > MslConstants.MAX_LONG_VALUE) throw new MslException( MslError.USERIDTOKEN_MASTERTOKEN_SERIAL_NUMBER_OUT_OF_RANGE, "usertokendata " + tokenDataJson) .setMasterToken(masterToken); serialNumber = tokenDataJO.getLong(KEY_SERIAL_NUMBER); if (serialNumber < 0 || serialNumber > MslConstants.MAX_LONG_VALUE) throw new MslException( MslError.USERIDTOKEN_SERIAL_NUMBER_OUT_OF_RANGE, "usertokendata " + tokenDataJson) .setMasterToken(masterToken); final byte[] ciphertext; try { ciphertext = Base64.decode(tokenDataJO.getString(KEY_USERDATA)); } catch (final IllegalArgumentException e) { throw new MslException( MslError.USERIDTOKEN_USERDATA_INVALID, tokenDataJO.getString(KEY_USERDATA)) .setMasterToken(masterToken); } if (ciphertext == null || ciphertext.length == 0) throw new MslException( MslError.USERIDTOKEN_USERDATA_MISSING, tokenDataJO.getString(KEY_USERDATA)) .setMasterToken(masterToken); userdata = (verified) ? cryptoContext.decrypt(ciphertext) : null; } catch (final JSONException e) { throw new MslEncodingException( MslError.USERIDTOKEN_TOKENDATA_PARSE_ERROR, "usertokendata " + tokenDataJson, e) .setMasterToken(masterToken); } catch (final MslCryptoException e) { e.setMasterToken(masterToken); throw e; } // Pull the user data. if (userdata != null) { final String userDataJson = new String(userdata, MslConstants.DEFAULT_CHARSET); try { final JSONObject userDataJO = new JSONObject(userDataJson); issuerData = (userDataJO.has(KEY_ISSUER_DATA)) ? userDataJO.getJSONObject(KEY_ISSUER_DATA) : null; final String identity = userDataJO.getString(KEY_IDENTITY); if (identity == null || identity.length() == 0) throw new MslException(MslError.USERIDTOKEN_IDENTITY_INVALID, "userdata " + userDataJson) .setMasterToken(masterToken); final TokenFactory factory = ctx.getTokenFactory(); user = factory.createUser(ctx, identity); if (user == null) throw new MslInternalException( "TokenFactory.createUser() returned null in violation of the interface contract."); } catch (final JSONException e) { throw new MslEncodingException( MslError.USERIDTOKEN_USERDATA_PARSE_ERROR, "userdata " + userDataJson, e) .setMasterToken(masterToken); } } else { issuerData = null; user = null; } // Verify serial numbers. if (masterToken == null || this.mtSerialNumber != masterToken.getSerialNumber()) throw new MslException( MslError.USERIDTOKEN_MASTERTOKEN_MISMATCH, "uit mtserialnumber " + this.mtSerialNumber + "; mt " + masterToken) .setMasterToken(masterToken); }