/**
* Returns the encoded SPNEGO token Note: inserts the required CHOICE tags
*
* @return the encoded token
* @exception GSSException
*/
byte[] getEncoded() throws IOException, GSSException {
// get the token encoded value
DerOutputStream token = new DerOutputStream();
token.write(encode());
// now insert the CHOICE
switch (tokenType) {
case NEG_TOKEN_INIT_ID:
// Insert CHOICE of Negotiation Token
DerOutputStream initToken = new DerOutputStream();
initToken.write(
DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) NEG_TOKEN_INIT_ID), token);
return initToken.toByteArray();
case NEG_TOKEN_TARG_ID:
// Insert CHOICE of Negotiation Token
DerOutputStream targToken = new DerOutputStream();
targToken.write(
DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) NEG_TOKEN_TARG_ID), token);
return targToken.toByteArray();
default:
return token.toByteArray();
}
}
@SuppressWarnings("deprecation")
private byte[] extractKeyData(DerInputStream stream)
throws IOException, NoSuchAlgorithmException, CertificateException {
byte[] returnValue = null;
DerValue[] safeBags = stream.getSequence(2);
int count = safeBags.length;
/*
* Spin over the SafeBags.
*/
for (int i = 0; i < count; i++) {
ObjectIdentifier bagId;
DerInputStream sbi;
DerValue bagValue;
Object bagItem = null;
sbi = safeBags[i].toDerInputStream();
bagId = sbi.getOID();
bagValue = sbi.getDerValue();
if (!bagValue.isContextSpecific((byte) 0)) {
throw new IOException("unsupported PKCS12 bag value type " + bagValue.tag);
}
bagValue = bagValue.data.getDerValue();
if (bagId.equals(PKCS8ShroudedKeyBag_OID)) {
// got what we were looking for. Return it.
returnValue = bagValue.toByteArray();
} else {
// log error message for "unsupported PKCS12 bag type"
System.out.println("Unsupported bag type '" + bagId + "'");
}
}
return returnValue;
}
@SuppressWarnings("deprecation")
private byte[] fetchPrivateKeyFromBag(byte[] privateKeyInfo)
throws IOException, NoSuchAlgorithmException, CertificateException {
byte[] returnValue = null;
DerValue val = new DerValue(new ByteArrayInputStream(privateKeyInfo));
DerInputStream s = val.toDerInputStream();
int version = s.getInteger();
if (version != 3) {
throw new IOException("PKCS12 keystore not in version 3 format");
}
/*
* Read the authSafe.
*/
byte[] authSafeData;
ContentInfo authSafe = new ContentInfo(s);
ObjectIdentifier contentType = authSafe.getContentType();
if (contentType.equals(ContentInfo.DATA_OID)) {
authSafeData = authSafe.getData();
} else /* signed data */ {
throw new IOException("public key protected PKCS12 not supported");
}
DerInputStream as = new DerInputStream(authSafeData);
DerValue[] safeContentsArray = as.getSequence(2);
int count = safeContentsArray.length;
/*
* Spin over the ContentInfos.
*/
for (int i = 0; i < count; i++) {
byte[] safeContentsData;
ContentInfo safeContents;
DerInputStream sci;
byte[] eAlgId = null;
sci = new DerInputStream(safeContentsArray[i].toByteArray());
safeContents = new ContentInfo(sci);
contentType = safeContents.getContentType();
safeContentsData = null;
if (contentType.equals(ContentInfo.DATA_OID)) {
safeContentsData = safeContents.getData();
} else if (contentType.equals(ContentInfo.ENCRYPTED_DATA_OID)) {
// The password was used to export the private key from the keychain.
// The Keychain won't export the key with encrypted data, so we don't need
// to worry about it.
continue;
} else {
throw new IOException("public key protected PKCS12" + " not supported");
}
DerInputStream sc = new DerInputStream(safeContentsData);
returnValue = extractKeyData(sc);
}
return returnValue;
}
/**
* Parse (unmarshal) a realm from a DER input stream. This form parsing might be used when
* expanding a value which is part of a constructed sequence and uses explicitly tagged type.
*
* @exception Asn1Exception on error.
* @param data the Der input stream value, which contains one or more marshaled value.
* @param explicitTag tag number.
* @param optional indicate if this data field is optional
* @return an instance of Realm.
*/
public static Realm parse(DerInputStream data, byte explicitTag, boolean optional)
throws Asn1Exception, IOException, RealmException {
if ((optional) && (((byte) data.peekByte() & (byte) 0x1F) != explicitTag)) {
return null;
}
DerValue der = data.getDerValue();
if (explicitTag != (der.getTag() & (byte) 0x1F)) {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
} else {
DerValue subDer = der.getData().getDerValue();
return new Realm(subDer);
}
}
/* */ public static TicketFlags parse(
DerInputStream paramDerInputStream, byte paramByte, boolean paramBoolean)
/* */ throws Asn1Exception, IOException
/* */ {
/* 92 */ if ((paramBoolean) && (((byte) paramDerInputStream.peekByte() & 0x1F) != paramByte))
/* 93 */ return null;
/* 94 */ DerValue localDerValue1 = paramDerInputStream.getDerValue();
/* 95 */ if (paramByte != (localDerValue1.getTag() & 0x1F)) {
/* 96 */ throw new Asn1Exception(906);
/* */ }
/* */
/* 99 */ DerValue localDerValue2 = localDerValue1.getData().getDerValue();
/* 100 */ return new TicketFlags(localDerValue2);
/* */ }
/**
* Encodes an MethodData object.
*
* @return the byte array of encoded MethodData object.
* @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
* @exception IOException if an I/O error occurs while reading encoded data.
*/
public byte[] asn1Encode() throws Asn1Exception, IOException {
DerOutputStream bytes = new DerOutputStream();
DerOutputStream temp = new DerOutputStream();
temp.putInteger(BigInteger.valueOf(methodType));
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp);
if (methodData != null) {
temp = new DerOutputStream();
temp.putOctetString(methodData);
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), temp);
}
temp = new DerOutputStream();
temp.write(DerValue.tag_Sequence, bytes);
return temp.toByteArray();
}
/* */ public byte[] asn1Encode() /* */ throws Asn1Exception, IOException /* */ {
/* 104 */ DerOutputStream localDerOutputStream1 = new DerOutputStream();
/* 105 */ DerOutputStream localDerOutputStream2 = new DerOutputStream();
/* 106 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 0), this.pATimeStamp.asn1Encode());
/* 107 */ if (this.pAUSec != null) {
/* 108 */ localDerOutputStream2 = new DerOutputStream();
/* 109 */ localDerOutputStream2.putInteger(BigInteger.valueOf(this.pAUSec.intValue()));
/* 110 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 1), localDerOutputStream2);
/* */ }
/* 112 */ localDerOutputStream2 = new DerOutputStream();
/* 113 */ localDerOutputStream2.write((byte) 48, localDerOutputStream1);
/* 114 */ return localDerOutputStream2.toByteArray();
/* */ }
/* */ private void construct(DerValue paramDerValue) throws IOException /* */ {
/* 72 */ if (paramDerValue.tag != 48) {
/* 73 */ throw new IOException(
"Invalid encoded CertificateValidity, starting sequence tag missing.");
/* */ }
/* */
/* 77 */ if (paramDerValue.data.available() == 0) {
/* 78 */ throw new IOException("No data encoded for CertificateValidity");
/* */ }
/* 80 */ DerInputStream localDerInputStream = new DerInputStream(paramDerValue.toByteArray());
/* 81 */ DerValue[] arrayOfDerValue = localDerInputStream.getSequence(2);
/* 82 */ if (arrayOfDerValue.length != 2) {
/* 83 */ throw new IOException("Invalid encoding for CertificateValidity");
/* */ }
/* 85 */ if (arrayOfDerValue[0].tag == 23)
/* 86 */ this.notBefore = paramDerValue.data.getUTCTime();
/* 87 */ else if (arrayOfDerValue[0].tag == 24)
/* 88 */ this.notBefore = paramDerValue.data.getGeneralizedTime();
/* */ else {
/* 90 */ throw new IOException("Invalid encoding for CertificateValidity");
/* */ }
/* */
/* 93 */ if (arrayOfDerValue[1].tag == 23)
/* 94 */ this.notAfter = paramDerValue.data.getUTCTime();
/* 95 */ else if (arrayOfDerValue[1].tag == 24)
/* 96 */ this.notAfter = paramDerValue.data.getGeneralizedTime();
/* */ else /* 98 */ throw new IOException("Invalid encoding for CertificateValidity");
/* */ }
/** Creates the extension (also called by the subclass). */
protected CRLNumberExtension(
ObjectIdentifier extensionId,
Boolean critical,
Object value,
String extensionName,
String extensionLabel)
throws IOException {
this.extensionId = extensionId;
this.critical = critical.booleanValue();
this.extensionValue = (byte[]) value;
DerValue val = new DerValue(this.extensionValue);
this.crlNumber = val.getBigInteger();
this.extensionName = extensionName;
this.extensionLabel = extensionLabel;
}
/**
* Parse (unmarshal) a <code>PrincipalName</code> from a DER input stream. This form parsing might
* be used when expanding a value which is part of a constructed sequence and uses explicitly
* tagged type.
*
* @exception Asn1Exception on error.
* @param data the Der input stream value, which contains one or more marshaled value.
* @param explicitTag tag number.
* @param optional indicate if this data field is optional
* @param realm the realm for the name
* @return an instance of <code>PrincipalName</code>, or null if the field is optional and
* missing.
*/
public static PrincipalName parse(
DerInputStream data, byte explicitTag, boolean optional, Realm realm)
throws Asn1Exception, IOException, RealmException {
if ((optional) && (((byte) data.peekByte() & (byte) 0x1F) != explicitTag)) return null;
DerValue der = data.getDerValue();
if (explicitTag != (der.getTag() & (byte) 0x1F)) {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
} else {
DerValue subDer = der.getData().getDerValue();
if (realm == null) {
realm = Realm.getDefault();
}
return new PrincipalName(subDer, realm);
}
}
/**
* Encodes a <code>PrincipalName</code> object. Note that only the type and names are encoded. To
* encode the realm, call getRealm().asn1Encode().
*
* @return the byte array of the encoded PrncipalName object.
* @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
* @exception IOException if an I/O error occurs while reading encoded data.
*/
public byte[] asn1Encode() throws Asn1Exception, IOException {
DerOutputStream bytes = new DerOutputStream();
DerOutputStream temp = new DerOutputStream();
BigInteger bint = BigInteger.valueOf(this.nameType);
temp.putInteger(bint);
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), temp);
temp = new DerOutputStream();
DerValue der[] = new DerValue[nameStrings.length];
for (int i = 0; i < nameStrings.length; i++) {
der[i] = new KerberosString(nameStrings[i]).toDerValue();
}
temp.putSequence(der);
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), temp);
temp = new DerOutputStream();
temp.write(DerValue.tag_Sequence, bytes);
return temp.toByteArray();
}
/* Translate to encoded bytes */
private void emit(DerOutputStream out) throws IOException, CertificateEncodingException {
DerOutputStream tagged = new DerOutputStream();
if (forward != null) {
DerOutputStream tmp = new DerOutputStream();
tmp.putDerValue(new DerValue(forward.getEncoded()));
tagged.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, TAG_FORWARD), tmp);
}
if (reverse != null) {
DerOutputStream tmp = new DerOutputStream();
tmp.putDerValue(new DerValue(reverse.getEncoded()));
tagged.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, TAG_REVERSE), tmp);
}
out.write(DerValue.tag_Sequence, tagged);
}
/* Parse the encoded bytes */
private void parse(DerValue val) throws IOException, CertificateException {
if (val.tag != DerValue.tag_Sequence) {
throw new IOException("Sequence tag missing for X509CertificatePair");
}
while (val.data != null && val.data.available() != 0) {
DerValue opt = val.data.getDerValue();
short tag = (byte) (opt.tag & 0x01f);
switch (tag) {
case TAG_FORWARD:
if (opt.isContextSpecific() && opt.isConstructed()) {
if (forward != null) {
throw new IOException("Duplicate forward " + "certificate in X509CertificatePair");
}
opt = opt.data.getDerValue();
forward = X509Factory.intern(new X509CertImpl(opt.toByteArray()));
}
break;
case TAG_REVERSE:
if (opt.isContextSpecific() && opt.isConstructed()) {
if (reverse != null) {
throw new IOException("Duplicate reverse " + "certificate in X509CertificatePair");
}
opt = opt.data.getDerValue();
reverse = X509Factory.intern(new X509CertImpl(opt.toByteArray()));
}
break;
default:
throw new IOException("Invalid encoding of " + "X509CertificatePair");
}
}
if (forward == null && reverse == null) {
throw new CertificateException("at least one of certificate pair " + "must be non-null");
}
}
/* Verify that the DER object is correct */
private static void verifyDER(String type, DerValue der, byte tag, byte[] data) throws Exception {
if (der.tag != tag) throw new Exception("Problem with tag for " + type);
if (!equalBytes(der.data.toByteArray(), data))
throw new Exception("Problem with data for " + type);
System.out.println(type + " checks out OK");
System.out.println("Calling toString on it: " + der.toString() + "\n");
}
/**
* Constructs a MethodData object.
*
* @param encoding a Der-encoded data.
* @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
* @exception IOException if an I/O error occurs while reading encoded data.
*/
public MethodData(DerValue encoding) throws Asn1Exception, IOException {
DerValue der;
if (encoding.getTag() != DerValue.tag_Sequence) {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
der = encoding.getData().getDerValue();
if ((der.getTag() & 0x1F) == 0x00) {
BigInteger bint = der.getData().getBigInteger();
methodType = bint.intValue();
} else throw new Asn1Exception(Krb5.ASN1_BAD_ID);
if (encoding.getData().available() > 0) {
der = encoding.getData().getDerValue();
if ((der.getTag() & 0x1F) == 0x01) {
methodData = der.getData().getOctetString();
} else throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
if (encoding.getData().available() > 0) throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
/* */ public PAEncTSEnc(DerValue paramDerValue) /* */ throws Asn1Exception, IOException
/* */ {
/* 81 */ if (paramDerValue.getTag() != 48) {
/* 82 */ throw new Asn1Exception(906);
/* */ }
/* 84 */ this.pATimeStamp = KerberosTime.parse(paramDerValue.getData(), (byte) 0, false);
/* 85 */ if (paramDerValue.getData().available() > 0) {
/* 86 */ DerValue localDerValue = paramDerValue.getData().getDerValue();
/* 87 */ if ((localDerValue.getTag() & 0x1F) == 1)
/* 88 */ this.pAUSec = new Integer(localDerValue.getData().getBigInteger().intValue());
/* */ else /* 90 */ throw new Asn1Exception(906);
/* */ }
/* 92 */ if (paramDerValue.getData().available() > 0) /* 93 */ throw new Asn1Exception(906);
/* */ }
/** Construct a key from its components. Used by the RSAKeyFactory and the RSAKeyPairGenerator. */
RSAPrivateCrtKeyImpl(
BigInteger n,
BigInteger e,
BigInteger d,
BigInteger p,
BigInteger q,
BigInteger pe,
BigInteger qe,
BigInteger coeff)
throws InvalidKeyException {
this.n = n;
this.e = e;
this.d = d;
this.p = p;
this.q = q;
this.pe = pe;
this.qe = qe;
this.coeff = coeff;
RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), e);
// generate the encoding
algid = rsaId;
try {
DerOutputStream out = new DerOutputStream();
out.putInteger(0); // version must be 0
out.putInteger(n);
out.putInteger(e);
out.putInteger(d);
out.putInteger(p);
out.putInteger(q);
out.putInteger(pe);
out.putInteger(qe);
out.putInteger(coeff);
DerValue val = new DerValue(DerValue.tag_Sequence, out.toByteArray());
key = val.toByteArray();
} catch (IOException exc) {
// should never occur
throw new InvalidKeyException(exc);
}
}
/*
* parse Algorithm Parameters
*/
private AlgorithmParameters parseAlgParameters(DerInputStream in) throws IOException {
AlgorithmParameters algParams = null;
try {
DerValue params;
if (in.available() == 0) {
params = null;
} else {
params = in.getDerValue();
if (params.tag == DerValue.tag_Null) {
params = null;
}
}
if (params != null) {
algParams = AlgorithmParameters.getInstance("PBE");
algParams.init(params.toByteArray());
}
} catch (Exception e) {
IOException ioe = new IOException("parseAlgParameters failed: " + e.getMessage());
ioe.initCause(e);
throw ioe;
}
return algParams;
}
/**
* Encodes an EncTicketPart object.
*
* @return byte array of encoded EncTicketPart object.
* @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
* @exception IOException if an I/O error occurs while reading encoded data.
*/
public byte[] asn1Encode() throws Asn1Exception, IOException {
DerOutputStream bytes = new DerOutputStream();
DerOutputStream temp = new DerOutputStream();
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), flags.asn1Encode());
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), key.asn1Encode());
bytes.write(
DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x02), cname.getRealm().asn1Encode());
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x03), cname.asn1Encode());
bytes.write(
DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x04), transited.asn1Encode());
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x05), authtime.asn1Encode());
if (starttime != null) {
bytes.write(
DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x06), starttime.asn1Encode());
}
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x07), endtime.asn1Encode());
if (renewTill != null) {
bytes.write(
DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x08), renewTill.asn1Encode());
}
if (caddr != null) {
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x09), caddr.asn1Encode());
}
if (authorizationData != null) {
bytes.write(
DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x0A),
authorizationData.asn1Encode());
}
temp.write(DerValue.tag_Sequence, bytes);
bytes = new DerOutputStream();
bytes.write(DerValue.createTag(DerValue.TAG_APPLICATION, true, (byte) 0x03), temp);
return bytes.toByteArray();
}
/* */ public TicketFlags(DerValue paramDerValue) throws IOException, Asn1Exception {
/* 76 */ this(paramDerValue.getUnalignedBitString(true).toBooleanArray());
/* */ }
/**
* Make a DH public key from its DER encoding (X.509).
*
* @param encodedKey the encoded key
* @exception InvalidKeyException if the encoded key does not represent a Diffie-Hellman public
* key
*/
DHPublicKey(byte[] encodedKey) throws InvalidKeyException {
InputStream inStream = new ByteArrayInputStream(encodedKey);
try {
DerValue derKeyVal = new DerValue(inStream);
if (derKeyVal.tag != DerValue.tag_Sequence) {
throw new InvalidKeyException("Invalid key format");
}
/*
* Parse the algorithm identifier
*/
DerValue algid = derKeyVal.data.getDerValue();
if (algid.tag != DerValue.tag_Sequence) {
throw new InvalidKeyException("AlgId is not a SEQUENCE");
}
DerInputStream derInStream = algid.toDerInputStream();
ObjectIdentifier oid = derInStream.getOID();
if (oid == null) {
throw new InvalidKeyException("Null OID");
}
if (derInStream.available() == 0) {
throw new InvalidKeyException("Parameters missing");
}
/*
* Parse the parameters
*/
DerValue params = derInStream.getDerValue();
if (params.tag == DerValue.tag_Null) {
throw new InvalidKeyException("Null parameters");
}
if (params.tag != DerValue.tag_Sequence) {
throw new InvalidKeyException("Parameters not a SEQUENCE");
}
params.data.reset();
this.p = params.data.getBigInteger();
this.g = params.data.getBigInteger();
// Private-value length is OPTIONAL
if (params.data.available() != 0) {
this.l = params.data.getInteger();
}
if (params.data.available() != 0) {
throw new InvalidKeyException("Extra parameter data");
}
/*
* Parse the key
*/
this.key = derKeyVal.data.getBitString();
parseKeyBits();
if (derKeyVal.data.available() != 0) {
throw new InvalidKeyException("Excess key data");
}
this.encodedKey = (byte[]) encodedKey.clone();
} catch (NumberFormatException e) {
throw new InvalidKeyException("Private-value length too big");
} catch (IOException e) {
throw new InvalidKeyException("Error parsing key encoding: " + e.toString());
}
}
private void init(DerValue encoding) throws Asn1Exception, IOException, RealmException {
DerValue der, subDer;
renewTill = null;
caddr = null;
authorizationData = null;
if (((encoding.getTag() & (byte) 0x1F) != (byte) 0x03)
|| (encoding.isApplication() != true)
|| (encoding.isConstructed() != true)) {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
der = encoding.getData().getDerValue();
if (der.getTag() != DerValue.tag_Sequence) {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
flags = TicketFlags.parse(der.getData(), (byte) 0x00, false);
key = EncryptionKey.parse(der.getData(), (byte) 0x01, false);
Realm crealm = Realm.parse(der.getData(), (byte) 0x02, false);
cname = PrincipalName.parse(der.getData(), (byte) 0x03, false, crealm);
transited = TransitedEncoding.parse(der.getData(), (byte) 0x04, false);
authtime = KerberosTime.parse(der.getData(), (byte) 0x05, false);
starttime = KerberosTime.parse(der.getData(), (byte) 0x06, true);
endtime = KerberosTime.parse(der.getData(), (byte) 0x07, false);
if (der.getData().available() > 0) {
renewTill = KerberosTime.parse(der.getData(), (byte) 0x08, true);
}
if (der.getData().available() > 0) {
caddr = HostAddresses.parse(der.getData(), (byte) 0x09, true);
}
if (der.getData().available() > 0) {
authorizationData = AuthorizationData.parse(der.getData(), (byte) 0x0A, true);
}
if (der.getData().available() > 0) {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
}
/* */ private void init(DerValue paramDerValue)
/* */ throws Asn1Exception, IOException, RealmException
/* */ {
/* 140 */ this.renewTill = null;
/* 141 */ this.caddr = null;
/* 142 */ this.authorizationData = null;
/* 143 */ if (((paramDerValue.getTag() & 0x1F) != 3)
|| (paramDerValue.isApplication() != true)
|| (paramDerValue.isConstructed() != true))
/* */ {
/* 146 */ throw new Asn1Exception(906);
/* */ }
/* 148 */ DerValue localDerValue = paramDerValue.getData().getDerValue();
/* 149 */ if (localDerValue.getTag() != 48) {
/* 150 */ throw new Asn1Exception(906);
/* */ }
/* 152 */ this.flags = TicketFlags.parse(localDerValue.getData(), (byte) 0, false);
/* 153 */ this.key = EncryptionKey.parse(localDerValue.getData(), (byte) 1, false);
/* 154 */ this.crealm = Realm.parse(localDerValue.getData(), (byte) 2, false);
/* 155 */ this.cname = PrincipalName.parse(localDerValue.getData(), (byte) 3, false);
/* 156 */ this.transited = TransitedEncoding.parse(localDerValue.getData(), (byte) 4, false);
/* 157 */ this.authtime = KerberosTime.parse(localDerValue.getData(), (byte) 5, false);
/* 158 */ this.starttime = KerberosTime.parse(localDerValue.getData(), (byte) 6, true);
/* 159 */ this.endtime = KerberosTime.parse(localDerValue.getData(), (byte) 7, false);
/* 160 */ if (localDerValue.getData().available() > 0) {
/* 161 */ this.renewTill = KerberosTime.parse(localDerValue.getData(), (byte) 8, true);
/* */ }
/* 163 */ if (localDerValue.getData().available() > 0) {
/* 164 */ this.caddr = HostAddresses.parse(localDerValue.getData(), (byte) 9, true);
/* */ }
/* 166 */ if (localDerValue.getData().available() > 0) {
/* 167 */ this.authorizationData =
AuthorizationData.parse(localDerValue.getData(), (byte) 10, true);
/* */ }
/* 169 */ if (localDerValue.getData().available() > 0) /* 170 */ throw new Asn1Exception(906);
/* */ }
/* */ public byte[] asn1Encode() /* */ throws Asn1Exception, IOException /* */ {
/* 182 */ DerOutputStream localDerOutputStream1 = new DerOutputStream();
/* 183 */ DerOutputStream localDerOutputStream2 = new DerOutputStream();
/* 184 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 0), this.flags.asn1Encode());
/* */
/* 186 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 1), this.key.asn1Encode());
/* */
/* 188 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 2), this.crealm.asn1Encode());
/* */
/* 190 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 3), this.cname.asn1Encode());
/* */
/* 192 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 4), this.transited.asn1Encode());
/* */
/* 194 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 5), this.authtime.asn1Encode());
/* */
/* 196 */ if (this.starttime != null) {
/* 197 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 6), this.starttime.asn1Encode());
/* */ }
/* */
/* 200 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 7), this.endtime.asn1Encode());
/* */
/* 203 */ if (this.renewTill != null) {
/* 204 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 8), this.renewTill.asn1Encode());
/* */ }
/* */
/* 208 */ if (this.caddr != null) {
/* 209 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 9), this.caddr.asn1Encode());
/* */ }
/* */
/* 213 */ if (this.authorizationData != null) {
/* 214 */ localDerOutputStream1.write(
DerValue.createTag((byte) -128, true, (byte) 10), this.authorizationData.asn1Encode());
/* */ }
/* */
/* 217 */ localDerOutputStream2.write((byte) 48, localDerOutputStream1);
/* 218 */ localDerOutputStream1 = new DerOutputStream();
/* 219 */ localDerOutputStream1.write(
DerValue.createTag((byte) 64, true, (byte) 3), localDerOutputStream2);
/* */
/* 221 */ return localDerOutputStream1.toByteArray();
/* */ }
/**
* Returns the key associated with the given alias, using the given password to recover it.
*
* @param alias the alias name
* @param password the password for recovering the key. This password is used internally as the
* key is exported in a PKCS12 format.
* @return the requested key, or null if the given alias does not exist or does not identify a
* <i>key entry</i>.
* @exception NoSuchAlgorithmException if the algorithm for recovering the key cannot be found
* @exception UnrecoverableKeyException if the key cannot be recovered (e.g., the given password
* is wrong).
*/
public Key engineGetKey(String alias, char[] password)
throws NoSuchAlgorithmException, UnrecoverableKeyException {
permissionCheck();
// An empty password is rejected by MacOS API, no private key data
// is exported. If no password is passed (as is the case when
// this implementation is used as browser keystore in various
// deployment scenarios like Webstart, JFX and applets), create
// a dummy password so MacOS API is happy.
if (password == null || password.length == 0) {
// Must not be a char array with only a 0, as this is an empty
// string.
if (random == null) {
random = new SecureRandom();
}
password = Long.toString(random.nextLong()).toCharArray();
}
Object entry = entries.get(alias.toLowerCase());
if (entry == null || !(entry instanceof KeyEntry)) {
return null;
}
// This call gives us a PKCS12 bag, with the key inside it.
byte[] exportedKeyInfo = _getEncodedKeyData(((KeyEntry) entry).keyRef, password);
if (exportedKeyInfo == null) {
return null;
}
PrivateKey returnValue = null;
try {
byte[] pkcs8KeyData = fetchPrivateKeyFromBag(exportedKeyInfo);
byte[] encryptedKey;
AlgorithmParameters algParams;
ObjectIdentifier algOid;
try {
// get the encrypted private key
EncryptedPrivateKeyInfo encrInfo = new EncryptedPrivateKeyInfo(pkcs8KeyData);
encryptedKey = encrInfo.getEncryptedData();
// parse Algorithm parameters
DerValue val = new DerValue(encrInfo.getAlgorithm().encode());
DerInputStream in = val.toDerInputStream();
algOid = in.getOID();
algParams = parseAlgParameters(in);
} catch (IOException ioe) {
UnrecoverableKeyException uke =
new UnrecoverableKeyException(
"Private key not stored as " + "PKCS#8 EncryptedPrivateKeyInfo: " + ioe);
uke.initCause(ioe);
throw uke;
}
// Use JCE to decrypt the data using the supplied password.
SecretKey skey = getPBEKey(password);
Cipher cipher = Cipher.getInstance(algOid.toString());
cipher.init(Cipher.DECRYPT_MODE, skey, algParams);
byte[] decryptedPrivateKey = cipher.doFinal(encryptedKey);
PKCS8EncodedKeySpec kspec = new PKCS8EncodedKeySpec(decryptedPrivateKey);
// Parse the key algorithm and then use a JCA key factory to create the private key.
DerValue val = new DerValue(decryptedPrivateKey);
DerInputStream in = val.toDerInputStream();
// Ignore this -- version should be 0.
int i = in.getInteger();
// Get the Algorithm ID next
DerValue[] value = in.getSequence(2);
AlgorithmId algId = new AlgorithmId(value[0].getOID());
String algName = algId.getName();
// Get a key factory for this algorithm. It's likely to be 'RSA'.
KeyFactory kfac = KeyFactory.getInstance(algName);
returnValue = kfac.generatePrivate(kspec);
} catch (Exception e) {
UnrecoverableKeyException uke =
new UnrecoverableKeyException("Get Key failed: " + e.getMessage());
uke.initCause(e);
throw uke;
}
return returnValue;
}
private SingleResponse(DerValue der) throws IOException {
if (der.tag != DerValue.tag_Sequence) {
throw new IOException("Bad ASN.1 encoding in SingleResponse");
}
DerInputStream tmp = der.data;
certId = new CertId(tmp.getDerValue().data);
DerValue derVal = tmp.getDerValue();
short tag = (byte) (derVal.tag & 0x1f);
if (tag == CERT_STATUS_REVOKED) {
certStatus = CertStatus.REVOKED;
revocationTime = derVal.data.getGeneralizedTime();
if (derVal.data.available() != 0) {
DerValue dv = derVal.data.getDerValue();
tag = (byte) (dv.tag & 0x1f);
if (tag == 0) {
int reason = dv.data.getEnumerated();
// if reason out-of-range just leave as UNSPECIFIED
if (reason >= 0 && reason < values.length) {
revocationReason = values[reason];
} else {
revocationReason = CRLReason.UNSPECIFIED;
}
} else {
revocationReason = CRLReason.UNSPECIFIED;
}
} else {
revocationReason = CRLReason.UNSPECIFIED;
}
// RevokedInfo
if (debug != null) {
debug.println("Revocation time: " + revocationTime);
debug.println("Revocation reason: " + revocationReason);
}
} else {
revocationTime = null;
revocationReason = CRLReason.UNSPECIFIED;
if (tag == CERT_STATUS_GOOD) {
certStatus = CertStatus.GOOD;
} else if (tag == CERT_STATUS_UNKNOWN) {
certStatus = CertStatus.UNKNOWN;
} else {
throw new IOException("Invalid certificate status");
}
}
thisUpdate = tmp.getGeneralizedTime();
if (tmp.available() == 0) {
// we are done
nextUpdate = null;
} else {
derVal = tmp.getDerValue();
tag = (byte) (derVal.tag & 0x1f);
if (tag == 0) {
// next update
nextUpdate = derVal.data.getGeneralizedTime();
if (tmp.available() == 0) {
// we are done
} else {
derVal = tmp.getDerValue();
tag = (byte) (derVal.tag & 0x1f);
}
} else {
nextUpdate = null;
}
}
// singleExtensions
if (tmp.available() > 0) {
derVal = tmp.getDerValue();
if (derVal.isContextSpecific((byte) 1)) {
DerValue[] singleExtDer = derVal.data.getSequence(3);
singleExtensions = new HashMap<String, java.security.cert.Extension>(singleExtDer.length);
for (int i = 0; i < singleExtDer.length; i++) {
Extension ext = new Extension(singleExtDer[i]);
if (debug != null) {
debug.println("OCSP single extension: " + ext);
}
// We don't support any extensions yet. Therefore, if it
// is critical we must throw an exception because we
// don't know how to process it.
if (ext.isCritical()) {
throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId());
}
singleExtensions.put(ext.getId(), ext);
}
} else {
singleExtensions = Collections.emptyMap();
}
} else {
singleExtensions = Collections.emptyMap();
}
}
/**
* Returns the ASN.1 encoding of the <xmp> PrincipalName ::= SEQUENCE { name-type [0] Int32,
* name-string [1] SEQUENCE OF KerberosString }
*
* <p>KerberosString ::= GeneralString (IA5String) </xmp>
*
* <p>This definition reflects the Network Working Group RFC 4120 specification available at <a
* href="http://www.ietf.org/rfc/rfc4120.txt">http://www.ietf.org/rfc/rfc4120.txt</a>.
*
* @param encoding a Der-encoded data.
* @param realm the realm for this name
* @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
* @exception Asn1Exception if there is an ASN1 encoding error
* @exception IOException if an I/O error occurs
* @exception IllegalArgumentException if encoding is null reading encoded data.
*/
public PrincipalName(DerValue encoding, Realm realm) throws Asn1Exception, IOException {
if (realm == null) {
throw new IllegalArgumentException("Null realm not allowed");
}
nameRealm = realm;
DerValue der;
if (encoding == null) {
throw new IllegalArgumentException("Null encoding not allowed");
}
if (encoding.getTag() != DerValue.tag_Sequence) {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
der = encoding.getData().getDerValue();
if ((der.getTag() & 0x1F) == 0x00) {
BigInteger bint = der.getData().getBigInteger();
nameType = bint.intValue();
} else {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
der = encoding.getData().getDerValue();
if ((der.getTag() & 0x01F) == 0x01) {
DerValue subDer = der.getData().getDerValue();
if (subDer.getTag() != DerValue.tag_SequenceOf) {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
Vector<String> v = new Vector<>();
DerValue subSubDer;
while (subDer.getData().available() > 0) {
subSubDer = subDer.getData().getDerValue();
String namePart = new KerberosString(subSubDer).toString();
v.addElement(namePart);
}
nameStrings = new String[v.size()];
v.copyInto(nameStrings);
validateNameStrings(nameStrings);
} else {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
}
/*
* Create an OCSP response from its ASN.1 DER encoding.
*/
OCSPResponse(byte[] bytes) throws IOException {
if (dump) {
HexDumpEncoder hexEnc = new HexDumpEncoder();
System.out.println("OCSPResponse bytes are...");
System.out.println(hexEnc.encode(bytes));
}
DerValue der = new DerValue(bytes);
if (der.tag != DerValue.tag_Sequence) {
throw new IOException("Bad encoding in OCSP response: " + "expected ASN.1 SEQUENCE tag.");
}
DerInputStream derIn = der.getData();
// responseStatus
int status = derIn.getEnumerated();
if (status >= 0 && status < rsvalues.length) {
responseStatus = rsvalues[status];
} else {
// unspecified responseStatus
throw new IOException("Unknown OCSPResponse status: " + status);
}
if (debug != null) {
debug.println("OCSP response status: " + responseStatus);
}
if (responseStatus != ResponseStatus.SUCCESSFUL) {
// no need to continue, responseBytes are not set.
singleResponseMap = Collections.emptyMap();
certs = Collections.<X509CertImpl>emptyList();
sigAlgId = null;
signature = null;
tbsResponseData = null;
responseNonce = null;
return;
}
// responseBytes
der = derIn.getDerValue();
if (!der.isContextSpecific((byte) 0)) {
throw new IOException(
"Bad encoding in responseBytes element "
+ "of OCSP response: expected ASN.1 context specific tag 0.");
}
DerValue tmp = der.data.getDerValue();
if (tmp.tag != DerValue.tag_Sequence) {
throw new IOException(
"Bad encoding in responseBytes element "
+ "of OCSP response: expected ASN.1 SEQUENCE tag.");
}
// responseType
derIn = tmp.data;
ObjectIdentifier responseType = derIn.getOID();
if (responseType.equals((Object) OCSP_BASIC_RESPONSE_OID)) {
if (debug != null) {
debug.println("OCSP response type: basic");
}
} else {
if (debug != null) {
debug.println("OCSP response type: " + responseType);
}
throw new IOException("Unsupported OCSP response type: " + responseType);
}
// BasicOCSPResponse
DerInputStream basicOCSPResponse = new DerInputStream(derIn.getOctetString());
DerValue[] seqTmp = basicOCSPResponse.getSequence(2);
if (seqTmp.length < 3) {
throw new IOException("Unexpected BasicOCSPResponse value");
}
DerValue responseData = seqTmp[0];
// Need the DER encoded ResponseData to verify the signature later
tbsResponseData = seqTmp[0].toByteArray();
// tbsResponseData
if (responseData.tag != DerValue.tag_Sequence) {
throw new IOException(
"Bad encoding in tbsResponseData "
+ "element of OCSP response: expected ASN.1 SEQUENCE tag.");
}
DerInputStream seqDerIn = responseData.data;
DerValue seq = seqDerIn.getDerValue();
// version
if (seq.isContextSpecific((byte) 0)) {
// seq[0] is version
if (seq.isConstructed() && seq.isContextSpecific()) {
// System.out.println ("version is available");
seq = seq.data.getDerValue();
int version = seq.getInteger();
if (seq.data.available() != 0) {
throw new IOException(
"Bad encoding in version " + " element of OCSP response: bad format");
}
seq = seqDerIn.getDerValue();
}
}
// responderID
short tag = (byte) (seq.tag & 0x1f);
if (tag == NAME_TAG) {
if (debug != null) {
X500Principal responderName = new X500Principal(seq.getData().toByteArray());
debug.println("OCSP Responder name: " + responderName);
}
} else if (tag == KEY_TAG) {
if (debug != null) {
byte[] responderKey = seq.getData().getOctetString();
debug.println("OCSP Responder key: " + Debug.toString(responderKey));
}
} else {
throw new IOException(
"Bad encoding in responderID element of "
+ "OCSP response: expected ASN.1 context specific tag 0 or 1");
}
// producedAt
seq = seqDerIn.getDerValue();
if (debug != null) {
Date producedAtDate = seq.getGeneralizedTime();
debug.println("OCSP response produced at: " + producedAtDate);
}
// responses
DerValue[] singleResponseDer = seqDerIn.getSequence(1);
singleResponseMap = new HashMap<>(singleResponseDer.length);
if (debug != null) {
debug.println("OCSP number of SingleResponses: " + singleResponseDer.length);
}
for (int i = 0; i < singleResponseDer.length; i++) {
SingleResponse singleResponse = new SingleResponse(singleResponseDer[i]);
singleResponseMap.put(singleResponse.getCertId(), singleResponse);
}
// responseExtensions
byte[] nonce = null;
if (seqDerIn.available() > 0) {
seq = seqDerIn.getDerValue();
if (seq.isContextSpecific((byte) 1)) {
DerValue[] responseExtDer = seq.data.getSequence(3);
for (int i = 0; i < responseExtDer.length; i++) {
Extension ext = new Extension(responseExtDer[i]);
if (debug != null) {
debug.println("OCSP extension: " + ext);
}
// Only the NONCE extension is recognized
if (ext.getExtensionId().equals((Object) OCSP.NONCE_EXTENSION_OID)) {
nonce = ext.getExtensionValue();
} else if (ext.isCritical()) {
throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId());
}
}
}
}
responseNonce = nonce;
// signatureAlgorithmId
sigAlgId = AlgorithmId.parse(seqTmp[1]);
// signature
signature = seqTmp[2].getBitString();
// if seq[3] is available , then it is a sequence of certificates
if (seqTmp.length > 3) {
// certs are available
DerValue seqCert = seqTmp[3];
if (!seqCert.isContextSpecific((byte) 0)) {
throw new IOException(
"Bad encoding in certs element of "
+ "OCSP response: expected ASN.1 context specific tag 0.");
}
DerValue[] derCerts = seqCert.getData().getSequence(3);
certs = new ArrayList<X509CertImpl>(derCerts.length);
try {
for (int i = 0; i < derCerts.length; i++) {
certs.add(new X509CertImpl(derCerts[i].toByteArray()));
}
} catch (CertificateException ce) {
throw new IOException("Bad encoding in X509 Certificate", ce);
}
} else {
certs = Collections.<X509CertImpl>emptyList();
}
}
