예제 #1
0
 /**
  * Returns the hash code value for this code signer. The hash code is generated using the signer's
  * certificate path and the timestamp, if present.
  *
  * @return a hash code value for this code signer.
  */
 public int hashCode() {
   if (myhash == -1) {
     if (timestamp == null) {
       myhash = signerCertPath.hashCode();
     } else {
       myhash = signerCertPath.hashCode() + timestamp.hashCode();
     }
   }
   return myhash;
 }
예제 #2
0
 /**
  * Returns a string describing this code signer.
  *
  * @return A string comprising the signer's certificate and a timestamp, if present.
  */
 public String toString() {
   StringBuffer sb = new StringBuffer();
   sb.append("(");
   sb.append("Signer: " + signerCertPath.getCertificates().get(0));
   if (timestamp != null) {
     sb.append("timestamp: " + timestamp);
   }
   sb.append(")");
   return sb.toString();
 }
  /**
   * Validates an attribute certificate with the given certificate path.
   *
   * <p><code>params</code> must be an instance of <code>ExtendedPKIXParameters</code>.
   *
   * <p>The target constraints in the <code>params</code> must be an <code>
   * X509AttributeCertStoreSelector</code> with at least the attribute certificate criterion set.
   * Obey that also target informations may be necessary to correctly validate this attribute
   * certificate.
   *
   * <p>The attribute certificate issuer must be added to the trusted attribute issuers with {@link
   * ExtendedPKIXParameters#setTrustedACIssuers(Set)}.
   *
   * @param certPath The certificate path which belongs to the attribute certificate issuer public
   *     key certificate.
   * @param params The PKIX parameters.
   * @return A <code>PKIXCertPathValidatorResult</code> of the result of validating the <code>
   *     certPath</code>.
   * @throws InvalidAlgorithmParameterException if <code>params</code> is inappropriate for this
   *     validator.
   * @throws CertPathValidatorException if the verification fails.
   */
  public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params)
      throws CertPathValidatorException, InvalidAlgorithmParameterException {
    if (!(params instanceof ExtendedPKIXParameters)) {
      throw new InvalidAlgorithmParameterException(
          "Parameters must be a " + ExtendedPKIXParameters.class.getName() + " instance.");
    }
    ExtendedPKIXParameters pkixParams = (ExtendedPKIXParameters) params;

    Selector certSelect = pkixParams.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
      throw new InvalidAlgorithmParameterException(
          "TargetConstraints must be an instance of "
              + X509AttributeCertStoreSelector.class.getName()
              + " for "
              + this.getClass().getName()
              + " class.");
    }
    X509AttributeCertificate attrCert =
        ((X509AttributeCertStoreSelector) certSelect).getAttributeCert();

    CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, pkixParams);
    CertPathValidatorResult result =
        RFC3281CertPathUtilities.processAttrCert2(certPath, pkixParams);
    X509Certificate issuerCert = (X509Certificate) certPath.getCertificates().get(0);
    RFC3281CertPathUtilities.processAttrCert3(issuerCert, pkixParams);
    RFC3281CertPathUtilities.processAttrCert4(issuerCert, pkixParams);
    RFC3281CertPathUtilities.processAttrCert5(attrCert, pkixParams);
    // 6 already done in X509AttributeCertStoreSelector
    RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, pkixParams);
    RFC3281CertPathUtilities.additionalChecks(attrCert, pkixParams);
    Date date = null;
    try {
      date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(pkixParams, null, -1);
    } catch (AnnotatedException e) {
      throw new ExtCertPathValidatorException(
          "Could not get validity date from attribute certificate.", e);
    }
    RFC3281CertPathUtilities.checkCRLs(
        attrCert, pkixParams, issuerCert, date, certPath.getCertificates());
    return result;
  }
예제 #4
0
 private static X509Certificate[] toArray(CertPath path, TrustAnchor anchor)
     throws CertificateException {
   List list = path.getCertificates();
   X509Certificate[] chain = new X509Certificate[list.size() + 1];
   list.toArray(chain);
   X509Certificate trustedCert = anchor.getTrustedCert();
   if (trustedCert == null) {
     throw new ValidatorException("TrustAnchor must be specified as certificate");
   }
   chain[chain.length - 1] = trustedCert;
   return chain;
 }
 protected static Date getValidCertDateFromValidityModel(
     ExtendedPKIXParameters paramsPKIX, CertPath certPath, int index) throws AnnotatedException {
   if (paramsPKIX.getValidityModel() == ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) {
     // if end cert use given signing/encryption/... time
     if (index <= 0) {
       return CertPathValidatorUtilities.getValidDate(paramsPKIX);
       // else use time when previous cert was created
     } else {
       if (index - 1 == 0) {
         DERGeneralizedTime dateOfCertgen = null;
         try {
           byte[] extBytes =
               ((X509Certificate) certPath.getCertificates().get(index - 1))
                   .getExtensionValue(
                       ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId());
           if (extBytes != null) {
             dateOfCertgen = DERGeneralizedTime.getInstance(ASN1Primitive.fromByteArray(extBytes));
           }
         } catch (IOException e) {
           throw new AnnotatedException("Date of cert gen extension could not be read.");
         } catch (IllegalArgumentException e) {
           throw new AnnotatedException("Date of cert gen extension could not be read.");
         }
         if (dateOfCertgen != null) {
           try {
             return dateOfCertgen.getDate();
           } catch (ParseException e) {
             throw new AnnotatedException(
                 "Date from date of cert gen extension could not be parsed.", e);
           }
         }
         return ((X509Certificate) certPath.getCertificates().get(index - 1)).getNotBefore();
       } else {
         return ((X509Certificate) certPath.getCertificates().get(index - 1)).getNotBefore();
       }
     }
   } else {
     return getValidDate(paramsPKIX);
   }
 }
예제 #6
0
 public String toString() {
   return "Signature verification ["
       + "\n signName="
       + signName
       + "\n name="
       + name
       + "\n subject="
       + subject
       + "\n date="
       + date.getTime()
       + "\n reason="
       + reason
       + "\n location="
       + location
       + "\n revision="
       + revision
       + "\n wholeDocument="
       + wholeDocument
       + "\n modified="
       + modified
       + "\n certificationLevel="
       + getCertificationLevel().name()
       + "\n signCertTrustedAndValid="
       + signCertTrustedAndValid
       + "\n ocspPresent="
       + ocspPresent
       + "\n ocspValid="
       + ocspValid
       + "\n crlPresent="
       + crlPresent
       + "\n ocspInCertPresent="
       + ocspInCertPresent
       + "\n ocspInCertValid="
       + ocspInCertValid
       + "\n timeStampTokenPresent="
       + tsTokenPresent
       + "\n timeStampTokenValidationFail="
       + (tsTokenValidationResult == null ? "no" : tsTokenValidationResult.getMessage())
       + "\n fails="
       + (fails == null ? "no" : Arrays.asList(fails))
       + "\n certPath="
       + (certPath == null ? "no" : certPath.getCertificates())
       + "\n signingCertificate="
       + (signingCertificate == null ? "no" : signingCertificate.toString())
       + "\n]";
 }
예제 #7
0
  /**
   * Tests for equality between the specified object and this code signer. Two code signers are
   * considered equal if their signer certificate paths are equal and if their timestamps are equal,
   * if present in both.
   *
   * @param obj the object to test for equality with this object.
   * @return true if the objects are considered equal, false otherwise.
   */
  public boolean equals(Object obj) {
    if (obj == null || (!(obj instanceof CodeSigner))) {
      return false;
    }
    CodeSigner that = (CodeSigner) obj;

    if (this == that) {
      return true;
    }
    Timestamp thatTimestamp = that.getTimestamp();
    if (timestamp == null) {
      if (thatTimestamp != null) {
        return false;
      }
    } else {
      if (thatTimestamp == null || (!timestamp.equals(thatTimestamp))) {
        return false;
      }
    }
    return signerCertPath.equals(that.getSignerCertPath());
  }
예제 #8
0
  /** 读取指定路径下APK文件签名 */
  @SuppressWarnings({"unchecked"})
  public static String getJarSignature(String filePath) throws Exception {
    if (null == filePath) {
      return null;
    }
    String resultSign = "";
    String resultKey = "";
    List<ZipEntry> names = new ArrayList<ZipEntry>();
    ZipFile zf = new ZipFile(filePath);
    Enumeration<ZipEntry> zi = (Enumeration<ZipEntry>) zf.entries();
    while (zi.hasMoreElements()) {
      ZipEntry ze = zi.nextElement();
      String name = ze.getName();
      if (name.startsWith("META-INF/") && (name.endsWith(".RSA") || name.endsWith(".DSA"))) {
        names.add(ze);
      }
    }
    Collections.sort(
        names,
        new Comparator<ZipEntry>() {
          @Override
          public int compare(ZipEntry obj1, ZipEntry obj2) {
            if (obj1 != null && obj2 != null) {
              return obj1.getName().compareToIgnoreCase(obj2.getName());
            }
            return 0;
          }
        });
    for (ZipEntry ze : names) {
      InputStream is = zf.getInputStream(ze);
      try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath cp = cf.generateCertPath(is, "PKCS7");
        List<?> list = cp.getCertificates();
        for (Object obj : list) {
          if (!(obj instanceof X509Certificate)) continue;
          X509Certificate cert = (X509Certificate) obj;
          StringBuilder builder = new StringBuilder();
          builder.setLength(0);
          byte[] key = getPKBytes(cert.getPublicKey());
          for (byte aKey : key) {
            builder.append(String.format("%02X", aKey));
          }
          resultKey += builder.toString();
          builder.setLength(0);
          byte[] signature = cert.getSignature();

          for (byte aSignature : signature) {
            builder.append(String.format("%02X", aSignature));
          }
          resultSign += builder.toString();
        }
      } catch (CertificateException e) {
        Logger.i(e.toString());
      }
      is.close();
    }
    if (!TextUtils.isEmpty(resultKey) && !TextUtils.isEmpty(resultSign)) {
      return hashCode(resultKey) + "," + hashCode(resultSign);
    }
    return null;
  }
예제 #9
0
  public void performTest() throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");

    X509Certificate rootCert =
        (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(rootCertBin));
    X509Certificate interCert =
        (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(interCertBin));
    X509Certificate finalCert =
        (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(finalCertBin));

    // Testing CertPath generation from List
    List list = new ArrayList();
    list.add(interCert);
    CertPath certPath1 = cf.generateCertPath(list);

    // Testing CertPath encoding as PkiPath
    byte[] encoded = certPath1.getEncoded("PkiPath");

    // Testing CertPath generation from InputStream
    ByteArrayInputStream inStream = new ByteArrayInputStream(encoded);
    CertPath certPath2 = cf.generateCertPath(inStream, "PkiPath");

    // Comparing both CertPathes
    if (!certPath2.equals(certPath1)) {
      fail("CertPath differ after encoding and decoding.");
    }

    encoded = certPath1.getEncoded("PKCS7");

    // Testing CertPath generation from InputStream
    inStream = new ByteArrayInputStream(encoded);
    certPath2 = cf.generateCertPath(inStream, "PKCS7");

    // Comparing both CertPathes
    if (!certPath2.equals(certPath1)) {
      fail("CertPath differ after encoding and decoding.");
    }

    encoded = certPath1.getEncoded("PEM");

    // Testing CertPath generation from InputStream
    inStream = new ByteArrayInputStream(encoded);
    certPath2 = cf.generateCertPath(inStream, "PEM");

    // Comparing both CertPathes
    if (!certPath2.equals(certPath1)) {
      fail("CertPath differ after encoding and decoding.");
    }

    //
    // empty list test
    //
    list = new ArrayList();

    CertPath certPath = CertificateFactory.getInstance("X.509", "BC").generateCertPath(list);
    if (certPath.getCertificates().size() != 0) {
      fail("list wrong size.");
    }

    //
    // exception tests
    //
    testExceptions();
  }
예제 #10
0
파일: CertPaths.java 프로젝트: tiggi/dcache
 public static X509Certificate[] getX509Certificates(CertPath certPath) {
   Preconditions.checkArgument(certPath.getType().equals(CertificateFactories.X_509));
   List<X509Certificate> certificates = (List<X509Certificate>) certPath.getCertificates();
   return certificates.toArray(new X509Certificate[certificates.size()]);
 }
 /*     */ public CertPathValidatorResult engineValidate(
     CertPath paramCertPath, CertPathParameters paramCertPathParameters)
     /*     */ throws CertPathValidatorException, InvalidAlgorithmParameterException
       /*     */ {
   /*  98 */ if (debug != null) {
     /*  99 */ debug.println("PKIXCertPathValidator.engineValidate()...");
     /*     */ }
   /* 101 */ if (!(paramCertPathParameters instanceof PKIXParameters)) {
     /* 102 */ throw new InvalidAlgorithmParameterException(
         "inappropriate parameters, must be an instance of PKIXParameters");
     /*     */ }
   /*     */
   /* 106 */ if ((!paramCertPath.getType().equals("X.509"))
       && (!paramCertPath.getType().equals("X509"))) {
     /* 107 */ throw new InvalidAlgorithmParameterException(
         "inappropriate certification path type specified, must be X.509 or X509");
     /*     */ }
   /*     */
   /* 111 */ PKIXParameters localPKIXParameters = (PKIXParameters) paramCertPathParameters;
   /*     */
   /* 115 */ Set localSet = localPKIXParameters.getTrustAnchors();
   /* 116 */ for (Object localObject1 = localSet.iterator();
       ((Iterator) localObject1).hasNext(); ) {
     localObject2 = (TrustAnchor) ((Iterator) localObject1).next();
     /* 117 */ if (((TrustAnchor) localObject2).getNameConstraints() != null) {
       /* 118 */ throw new InvalidAlgorithmParameterException(
           "name constraints in trust anchor not supported");
       /*     */ }
     /*     */
     /*     */ }
   /*     */
   /* 133 */ localObject1 = new ArrayList(paramCertPath.getCertificates());
   /*     */
   /* 135 */ if (debug != null) {
     /* 136 */ if (((ArrayList) localObject1).isEmpty()) {
       /* 137 */ debug.println("PKIXCertPathValidator.engineValidate() certList is empty");
       /*     */ }
     /*     */
     /* 140 */ debug.println("PKIXCertPathValidator.engineValidate() reversing certpath...");
     /*     */ }
   /*     */
   /* 143 */ Collections.reverse((List) localObject1);
   /*     */
   /* 148 */ populateVariables(localPKIXParameters);
   /*     */
   /* 152 */ Object localObject2 = null;
   /* 153 */ if (!((ArrayList) localObject1).isEmpty()) {
     /* 154 */ localObject2 = (X509Certificate) ((ArrayList) localObject1).get(0);
     /*     */ }
   /*     */
   /* 157 */ Object localObject3 = null;
   /*     */
   /* 161 */ for (TrustAnchor localTrustAnchor : localSet) {
     /* 162 */ X509Certificate localX509Certificate = localTrustAnchor.getTrustedCert();
     /* 163 */ if (localX509Certificate != null) {
       /* 164 */ if (debug != null) {
         /* 165 */ debug.println(
             "PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null");
         /*     */ }
       /*     */
       /* 171 */ if (isWorthTrying(localX509Certificate, (X509Certificate) localObject2))
       /*     */ {
         /* 175 */ if (debug != null)
           /* 176 */ debug.println(
               "anchor.getTrustedCert().getSubjectX500Principal() = "
                   + localX509Certificate.getSubjectX500Principal());
         /*     */ }
       /*     */ }
     /*     */ else
     /*     */ {
       /* 181 */ if (debug != null) {
         /* 182 */ debug.println(
             "PKIXCertPathValidator.engineValidate(): anchor.getTrustedCert() == null");
         /*     */ }
       /*     */
       /*     */ try
       /*     */ {
         /* 188 */ PolicyNodeImpl localPolicyNodeImpl =
             new PolicyNodeImpl(
                 null, "2.5.29.32.0", null, false, Collections.singleton("2.5.29.32.0"), false);
         /*     */
         /* 191 */ PolicyNode localPolicyNode =
             doValidate(
                 localTrustAnchor,
                 paramCertPath,
                 (ArrayList) localObject1,
                 localPKIXParameters,
                 localPolicyNodeImpl);
         /*     */
         /* 194 */ return new PKIXCertPathValidatorResult(
             localTrustAnchor, localPolicyNode, this.basicChecker.getPublicKey());
         /*     */ }
       /*     */ catch (CertPathValidatorException localCertPathValidatorException)
       /*     */ {
         /* 198 */ localObject3 = localCertPathValidatorException;
         /*     */ }
       /*     */ }
     /*     */
     /*     */ }
   /*     */
   /* 204 */ if (localObject3 != null) {
     /* 205 */ throw localObject3;
     /*     */ }
   /*     */
   /* 208 */ throw new CertPathValidatorException(
       "Path does not chain with any of the trust anchors",
       null,
       null,
       -1,
       PKIXReason.NO_TRUST_ANCHOR);
   /*     */ }