/** Test for X.509 Certificate provider */
public void test_toString() throws Exception {
// Regression for HARMONY-3384
CertificateFactory certFact = CertificateFactory.getInstance("X509");
X509Certificate pemCert =
(X509Certificate)
certFact.generateCertificate(
new ByteArrayInputStream(TestUtils.getX509Certificate_v3()));
// extension value is empty sequence
byte[] extnValue = pemCert.getExtensionValue("2.5.29.35");
assertTrue(Arrays.equals(new byte[] {0x04, 0x02, 0x30, 0x00}, extnValue));
assertNotNull(pemCert.toString());
// End regression for HARMONY-3384
}
public String toString() {
return "Signature verification ["
+ "\n signName="
+ signName
+ "\n name="
+ name
+ "\n subject="
+ subject
+ "\n date="
+ date.getTime()
+ "\n reason="
+ reason
+ "\n location="
+ location
+ "\n revision="
+ revision
+ "\n wholeDocument="
+ wholeDocument
+ "\n modified="
+ modified
+ "\n certificationLevel="
+ getCertificationLevel().name()
+ "\n signCertTrustedAndValid="
+ signCertTrustedAndValid
+ "\n ocspPresent="
+ ocspPresent
+ "\n ocspValid="
+ ocspValid
+ "\n crlPresent="
+ crlPresent
+ "\n ocspInCertPresent="
+ ocspInCertPresent
+ "\n ocspInCertValid="
+ ocspInCertValid
+ "\n timeStampTokenPresent="
+ tsTokenPresent
+ "\n timeStampTokenValidationFail="
+ (tsTokenValidationResult == null ? "no" : tsTokenValidationResult.getMessage())
+ "\n fails="
+ (fails == null ? "no" : Arrays.asList(fails))
+ "\n certPath="
+ (certPath == null ? "no" : certPath.getCertificates())
+ "\n signingCertificate="
+ (signingCertificate == null ? "no" : signingCertificate.toString())
+ "\n]";
}
@Function(
doc = "Export the certificate in the key store to another location.",
parameters = {
@Parameter(name = "name", type = "string", doc = "The name of the certificate"),
@Parameter(name = "path", doc = "The export file path", type = "string")
})
public void exportCertificate(String name, String path) throws KeyStoreException, IOException {
X509Certificate cert = (X509Certificate) keystore.getCertificate(name);
if (cert != null) {
File output = new File(path);
if (!output.exists()) {
if (!output.getParentFile().exists()) output.getParentFile().mkdirs();
output.createNewFile();
}
FileWriter writer = new FileWriter(path);
writer.write(cert.toString());
writer.flush();
writer.close();
}
}
@Override
public SecurityKeyData processRegistrationResponse(
RegistrationResponse registrationResponse, long currentTimeInMillis) throws U2FException {
Log.info(">> processRegistrationResponse");
String sessionId = registrationResponse.getSessionId();
String clientDataBase64 = registrationResponse.getClientData();
String rawRegistrationDataBase64 = registrationResponse.getRegistrationData();
Log.info(">> rawRegistrationDataBase64: " + rawRegistrationDataBase64);
EnrollSessionData sessionData = dataStore.getEnrollSessionData(sessionId);
if (sessionData == null) {
throw new U2FException("Unknown session_id");
}
String appId = sessionData.getAppId();
String clientData = new String(Base64.decodeBase64(clientDataBase64));
byte[] rawRegistrationData = Base64.decodeBase64(rawRegistrationDataBase64);
Log.info("-- Input --");
Log.info(" sessionId: " + sessionId);
Log.info(" challenge: " + Hex.encodeHexString(sessionData.getChallenge()));
Log.info(" accountName: " + sessionData.getAccountName());
Log.info(" clientData: " + clientData);
Log.info(" rawRegistrationData: " + Hex.encodeHexString(rawRegistrationData));
RegisterResponse registerResponse = RawMessageCodec.decodeRegisterResponse(rawRegistrationData);
byte[] userPublicKey = registerResponse.getUserPublicKey();
byte[] keyHandle = registerResponse.getKeyHandle();
X509Certificate attestationCertificate = registerResponse.getAttestationCertificate();
byte[] signature = registerResponse.getSignature();
List<Transports> transports = null;
try {
transports = U2fAttestation.Parse(attestationCertificate).getTransports();
} catch (CertificateParsingException e) {
Log.warning("Could not parse transports extension " + e.getMessage());
}
Log.info("-- Parsed rawRegistrationResponse --");
Log.info(" userPublicKey: " + Hex.encodeHexString(userPublicKey));
Log.info(" keyHandle: " + Hex.encodeHexString(keyHandle));
Log.info(" attestationCertificate: " + attestationCertificate.toString());
Log.info(" transports: " + transports);
try {
Log.info(
" attestationCertificate bytes: "
+ Hex.encodeHexString(attestationCertificate.getEncoded()));
} catch (CertificateEncodingException e) {
throw new U2FException("Cannot encode certificate", e);
}
Log.info(" signature: " + Hex.encodeHexString(signature));
byte[] appIdSha256 = cryto.computeSha256(appId.getBytes());
byte[] clientDataSha256 = cryto.computeSha256(clientData.getBytes());
byte[] signedBytes =
RawMessageCodec.encodeRegistrationSignedBytes(
appIdSha256, clientDataSha256, keyHandle, userPublicKey);
Set<X509Certificate> trustedCertificates = dataStore.getTrustedCertificates();
if (!trustedCertificates.contains(attestationCertificate)) {
Log.warning("attestion cert is not trusted");
}
verifyBrowserData(
new JsonParser().parse(clientData), "navigator.id.finishEnrollment", sessionData);
Log.info("Verifying signature of bytes " + Hex.encodeHexString(signedBytes));
if (!cryto.verifySignature(attestationCertificate, signedBytes, signature)) {
throw new U2FException("Signature is invalid");
}
// The first time we create the SecurityKeyData, we set the counter value to 0.
// We don't actually know what the counter value of the real device is - but it will
// be something bigger (or equal) to 0, so subsequent signatures will check out ok.
SecurityKeyData securityKeyData =
new SecurityKeyData(
currentTimeInMillis,
transports,
keyHandle,
userPublicKey,
attestationCertificate, /* initial counter value */
0);
dataStore.addSecurityKeyData(sessionData.getAccountName(), securityKeyData);
Log.info("<< processRegistrationResponse");
return securityKeyData;
}
