public static void main(String args[]) throws Exception { // 参数 String cacert = args[0]; String lfcert = args[1]; // CA "Xu Yingxiao"的证书 CertificateFactory cf = CertificateFactory.getInstance("X.509"); FileInputStream in1 = new FileInputStream(cacert); java.security.cert.Certificate cac = cf.generateCertificate(in1); in1.close(); // 用户"Liu Fang"的签名证书 FileInputStream in2 = new FileInputStream(lfcert); java.security.cert.Certificate lfc = cf.generateCertificate(in2); in2.close(); PublicKey pbk = cac.getPublicKey(); boolean pass = false; try { lfc.verify(pbk); pass = true; } catch (Exception e) { pass = false; System.out.println(e); } if (pass) { System.out.println("The Certificate is signed by the CA Xu Yingxiao"); } else { System.out.println("!!!The Certificate is not signed by the CA Xu Yingxiao"); } }
/** * Callback method from _scanKeychain. If a trusted certificate is found, this method will be * called. */ private void createTrustedCertEntry( String alias, long keychainItemRef, long creationDate, byte[] derStream) { TrustedCertEntry tce = new TrustedCertEntry(); try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); InputStream input = new ByteArrayInputStream(derStream); X509Certificate cert = (X509Certificate) cf.generateCertificate(input); input.close(); tce.cert = cert; tce.certRef = keychainItemRef; // Make a creation date. if (creationDate != 0) tce.date = new Date(creationDate); else tce.date = new Date(); int uniqueVal = 1; String originalAlias = alias; while (entries.containsKey(alias.toLowerCase())) { alias = originalAlias + " " + uniqueVal; uniqueVal++; } entries.put(alias.toLowerCase(), tce); } catch (Exception e) { // The certificate will be skipped. System.err.println("KeychainStore Ignored Exception: " + e); } }
/** * Callback method from _scanKeychain. If an identity is found, this method will be called to * create Java certificate and private key objects from the keychain data. */ private void createKeyEntry( String alias, long creationDate, long secKeyRef, long[] secCertificateRefs, byte[][] rawCertData) throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException { KeyEntry ke = new KeyEntry(); // First, store off the private key information. This is the easy part. ke.protectedPrivKey = null; ke.keyRef = secKeyRef; // Make a creation date. if (creationDate != 0) ke.date = new Date(creationDate); else ke.date = new Date(); // Next, create X.509 Certificate objects from the raw data. This is complicated // because a certificate's public key may be too long for Java's default encryption strength. List<CertKeychainItemPair> createdCerts = new ArrayList<>(); try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); for (int i = 0; i < rawCertData.length; i++) { try { InputStream input = new ByteArrayInputStream(rawCertData[i]); X509Certificate cert = (X509Certificate) cf.generateCertificate(input); input.close(); // We successfully created the certificate, so track it and its corresponding // SecCertificateRef. createdCerts.add(new CertKeychainItemPair(secCertificateRefs[i], cert)); } catch (CertificateException e) { // The certificate will be skipped. System.err.println("KeychainStore Ignored Exception: " + e); } } } catch (CertificateException e) { e.printStackTrace(); } catch (IOException ioe) { ioe.printStackTrace(); // How would this happen? } // We have our certificates in the List, so now extract them into an array of // Certificates and SecCertificateRefs. CertKeychainItemPair[] objArray = createdCerts.toArray(new CertKeychainItemPair[0]); Certificate[] certArray = new Certificate[objArray.length]; long[] certRefArray = new long[objArray.length]; for (int i = 0; i < objArray.length; i++) { CertKeychainItemPair addedItem = objArray[i]; certArray[i] = addedItem.mCert; certRefArray[i] = addedItem.mCertificateRef; } ke.chain = certArray; ke.chainRefs = certRefArray; // If we don't have already have an item with this item's alias // create a new one for it. int uniqueVal = 1; String originalAlias = alias; while (entries.containsKey(alias.toLowerCase())) { alias = originalAlias + " " + uniqueVal; uniqueVal++; } entries.put(alias.toLowerCase(), ke); }
// The X.509 certificate factory public static CertificateFactory X509CertFactory() throws CertificateException { return CertificateFactory.getInstance("X.509"); }
public static void main(String[] args) throws Exception { // Get a CertificateFactory for various tests CF = CertificateFactory.getInstance("X509"); ByteArrayInputStream bais = new ByteArrayInputStream(readFile("int.crt").getBytes()); X509Certificate intCA = (X509Certificate) CF.generateCertificate(bais); System.out.println( "Successfully instantiated CA cert \"" + intCA.getSubjectX500Principal() + "\""); CertId cid0x1500 = new CertId(intCA, new SerialNumber(0x1500)); boolean noFailures = true; OCSPResponse.SingleResponse sr = getSRByFilename("ocsp-good-nonext.resp", cid0x1500); noFailures &= checkSingleExts(sr, 0); if (sr.getRevocationTime() != null) { throw new RuntimeException("Oops. revocationTime is non-null " + sr.getRevocationTime()); } else if (sr.getRevocationReason() != null) { throw new RuntimeException("Oops. revocationReason is non-null " + sr.getRevocationReason()); } sr = getSRByFilename("ocsp-good-withnext.resp", cid0x1500); noFailures &= checkSingleExts(sr, 0); sr = getSRByFilename("ocsp-good-witharchcut.resp", cid0x1500); noFailures &= checkSingleExts(sr, 1); sr = getSRByFilename("ocsp-rev-nocerts.resp", cid0x1500); noFailures &= checkSingleExts(sr, 1); sr = getSRByFilename("ocsp-rev-nonext-noinv.resp", cid0x1500); noFailures &= checkSingleExts(sr, 0); sr = getSRByFilename("ocsp-rev-withnext-noinv.resp", cid0x1500); noFailures &= checkSingleExts(sr, 0); sr = getSRByFilename("ocsp-rev-nonext-withinv.resp", cid0x1500); noFailures &= checkSingleExts(sr, 1); sr = getSRByFilename("ocsp-rev-withnext-withinv.resp", cid0x1500); noFailures &= checkSingleExts(sr, 1); try { sr = getSRByFilename("ocsp-rev-twonext.resp", cid0x1500); System.out.println("FAIL: Allowed two nextUpdate fields"); noFailures = false; } catch (IOException ioe) { System.out.println("Caught expected exception: " + ioe); } try { sr = getSRByFilename("ocsp-rev-bad-sr-tag.resp", cid0x1500); System.out.println("FAIL: Allowed invalid singleResponse item"); noFailures = false; } catch (IOException ioe) { System.out.println("Caught expected exception: " + ioe); } try { sr = getSRByFilename("ocsp-rev-sr-cont-reverse.resp", cid0x1500); System.out.println("FAIL: Allowed reversed " + "nextUpdate/singleExtensions"); noFailures = false; } catch (IOException ioe) { System.out.println("Caught expected exception: " + ioe); } if (!noFailures) { throw new RuntimeException("One or more tests failed"); } }
/** * Uses the provided PKI method to find the corresponding public key and verify the provided * signature. Returns null if no PKI method was specified in the {@link Protos.PaymentRequest}. */ public @Nullable PkiVerificationData verifyPki() throws PaymentRequestException { try { if (pkiVerificationData != null) return pkiVerificationData; if (paymentRequest.getPkiType().equals("none")) // Nothing to verify. Everything is fine. Move along. return null; String algorithm; if (paymentRequest.getPkiType().equals("x509+sha256")) algorithm = "SHA256withRSA"; else if (paymentRequest.getPkiType().equals("x509+sha1")) algorithm = "SHA1withRSA"; else throw new PaymentRequestException.InvalidPkiType( "Unsupported PKI type: " + paymentRequest.getPkiType()); Protos.X509Certificates protoCerts = Protos.X509Certificates.parseFrom(paymentRequest.getPkiData()); if (protoCerts.getCertificateCount() == 0) throw new PaymentRequestException.InvalidPkiData( "No certificates provided in message: server config error"); // Parse the certs and turn into a certificate chain object. Cert factories can parse both DER // and base64. // The ordering of certificates is defined by the payment protocol spec to be the same as what // the Java // crypto API requires - convenient! CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); List<X509Certificate> certs = Lists.newArrayList(); for (ByteString bytes : protoCerts.getCertificateList()) certs.add((X509Certificate) certificateFactory.generateCertificate(bytes.newInput())); CertPath path = certificateFactory.generateCertPath(certs); // Retrieves the most-trusted CAs from keystore. PKIXParameters params = new PKIXParameters(createKeyStore(trustStorePath)); // Revocation not supported in the current version. params.setRevocationEnabled(false); // Now verify the certificate chain is correct and trusted. This let's us get an identity // linked pubkey. CertPathValidator validator = CertPathValidator.getInstance("PKIX"); PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params); PublicKey publicKey = result.getPublicKey(); // OK, we got an identity, now check it was used to sign this message. Signature signature = Signature.getInstance(algorithm); // Note that we don't use signature.initVerify(certs.get(0)) here despite it being the most // obvious // way to set it up, because we don't care about the constraints specified on the // certificates: any // cert that links a key to a domain name or other identity will do for us. signature.initVerify(publicKey); Protos.PaymentRequest.Builder reqToCheck = paymentRequest.toBuilder(); reqToCheck.setSignature(ByteString.EMPTY); signature.update(reqToCheck.build().toByteArray()); if (!signature.verify(paymentRequest.getSignature().toByteArray())) throw new PaymentRequestException.PkiVerificationException( "Invalid signature, this payment request is not valid."); // Signature verifies, get the names from the identity we just verified for presentation to // the user. X500Principal principal = certs.get(0).getSubjectX500Principal(); // At this point the Java crypto API falls flat on its face and dies - there's no clean way to // get the // different parts of the certificate name except for parsing the string. That's hard because // of various // custom escaping rules and the usual crap. So, use Bouncy Castle to re-parse the string into // binary form // again and then look for the names we want. Fail! org.spongycastle.asn1.x500.X500Name name = new X500Name(principal.getName()); String entityName = null, orgName = null; for (RDN rdn : name.getRDNs()) { AttributeTypeAndValue pair = rdn.getFirst(); if (pair.getType().equals(RFC4519Style.cn)) entityName = ((ASN1String) pair.getValue()).getString(); else if (pair.getType().equals(RFC4519Style.o)) orgName = ((ASN1String) pair.getValue()).getString(); } if (entityName == null && orgName == null) throw new PaymentRequestException.PkiVerificationException( "Invalid certificate, no CN or O fields"); // Everything is peachy. Return some useful data to the caller. PkiVerificationData data = new PkiVerificationData(entityName, orgName, publicKey, result.getTrustAnchor()); // Cache the result so we don't have to re-verify if this method is called again. pkiVerificationData = data; return data; } catch (InvalidProtocolBufferException e) { // Data structures are malformed. throw new PaymentRequestException.InvalidPkiData(e); } catch (CertificateException e) { // The X.509 certificate data didn't parse correctly. throw new PaymentRequestException.PkiVerificationException(e); } catch (NoSuchAlgorithmException e) { // Should never happen so don't make users have to think about it. PKIX is always present. throw new RuntimeException(e); } catch (InvalidAlgorithmParameterException e) { throw new RuntimeException(e); } catch (CertPathValidatorException e) { // The certificate chain isn't known or trusted, probably, the server is using an SSL root we // don't // know about and the user needs to upgrade to a new version of the software (or import a root // cert). throw new PaymentRequestException.PkiVerificationException(e); } catch (InvalidKeyException e) { // Shouldn't happen if the certs verified correctly. throw new PaymentRequestException.PkiVerificationException(e); } catch (SignatureException e) { // Something went wrong during hashing (yes, despite the name, this does not mean the sig was // invalid). throw new PaymentRequestException.PkiVerificationException(e); } catch (IOException e) { throw new PaymentRequestException.PkiVerificationException(e); } catch (KeyStoreException e) { throw new RuntimeException(e); } }