/**
* Returns certificate type of the given TBS certificate. <br>
* The certificate type is {@link org.globus.gsi.GSIGSIConstants.CertificateType#CA
* CertificateType.CA} <B>only</B> if the certificate contains a BasicConstraints extension and it
* is marked as CA.<br>
* A certificate is a GSI-2 proxy when the subject DN of the certificate ends with
* <I>"CN=proxy"</I> (certificate type {@link
* org.globus.gsi.GSIGSIConstants.CertificateType#GSI_2_PROXY CertificateType.GSI_2_PROXY}) or
* <I>"CN=limited proxy"</I> (certificate type {@link
* org.globus.gsi.GSIGSIConstants.CertificateType#GSI_2_LIMITED_PROXY
* CertificateType.LIMITED_PROXY}) component and the issuer DN of the certificate matches the
* subject DN without the last proxy <I>CN</I> component.<br>
* A certificate is a GSI-3 proxy when the subject DN of the certificate ends with a <I>CN</I>
* component, the issuer DN of the certificate matches the subject DN without the last <I>CN</I>
* component and the certificate contains {@link org.globus.security.proxyExtension.ProxyCertInfo
* ProxyCertInfo} critical extension. The certificate type is {@link
* org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_IMPERSONATION_PROXY
* CertificateType.GSI_3_IMPERSONATION_PROXY} if the policy language of the {@link
* org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to {@link
* org.globus.security.proxyExtension.ProxyPolicy#IMPERSONATION ProxyPolicy.IMPERSONATION} OID.
* The certificate type is {@link
* org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_LIMITED_PROXY
* CertificateType.GSI_3_LIMITED_PROXY} if the policy language of the {@link
* org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to {@link
* org.globus.security.proxyExtension.ProxyPolicy#LIMITED ProxyPolicy.LIMITED} OID. The
* certificate type is {@link
* org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_INDEPENDENT_PROXY
* CertificateType.GSI_3_INDEPENDENT_PROXY} if the policy language of the {@link
* org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to {@link
* org.globus.security.proxyExtension.ProxyPolicy#INDEPENDENT ProxyPolicy.INDEPENDENT} OID. The
* certificate type is {@link
* org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_RESTRICTED_PROXY
* CertificateType.GSI_3_RESTRICTED_PROXY} if the policy language of the {@link
* org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to any other
* OID then the above.<br>
* The certificate type is {@link org.globus.gsi.GSIGSIConstants.CertificateType#EEC
* CertificateType.EEC} if the certificate is not a CA certificate or a GSI-2 or GSI-3 proxy.
*
* @param crt the TBS certificate to get the type of.
* @return the certificate type. The certificate type is determined by rules described above.
* @throws java.io.IOException if something goes wrong.
* @throws java.security.cert.CertificateException for proxy certificates, if the issuer DN of the
* certificate does not match the subject DN of the certificate without the last <I>CN</I>
* component. Also, for GSI-3 proxies when the <code>ProxyCertInfo</code> extension is not
* marked as critical.
*/
public static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt)
throws CertificateException, IOException {
X509Extensions extensions = crt.getExtensions();
X509Extension ext = null;
if (extensions != null) {
ext = extensions.getExtension(X509Extensions.BasicConstraints);
if (ext != null) {
BasicConstraints basicExt = getBasicConstraints(ext);
if (basicExt.isCA()) {
return GSIConstants.CertificateType.CA;
}
}
}
GSIConstants.CertificateType type = GSIConstants.CertificateType.EEC;
// does not handle multiple AVAs
X509Name subject = crt.getSubject();
ASN1Set entry = X509NameHelper.getLastNameEntry(subject);
ASN1Sequence ava = (ASN1Sequence) entry.getObjectAt(0);
if (X509Name.CN.equals(ava.getObjectAt(0))) {
type = processCN(extensions, type, ava);
}
return type;
}
public CVCertificate(byte[] in) throws IllegalArgumentException, IOException {
ASN1StreamParser asn1Parser = new ASN1StreamParser(in);
DERApplicationSpecific cvcert = (DERApplicationSpecific) asn1Parser.readObject();
if (cvcert.getApplicationTag() != 0x21)
throw new IllegalArgumentException("Can't find a CV Certificate");
ASN1Sequence derCert =
(ASN1Sequence) cvcert.getObject(BERTags.SEQUENCE); // Das CV Cerificate ist eine Sequence
DERApplicationSpecific body =
(DERApplicationSpecific)
derCert.getObjectAt(0); // Das erste Objekt des Certificates ist der Cert-Body
if (body.getApplicationTag() != 0x4E)
throw new IllegalArgumentException("Can't find a Body in the CV Certificate");
certBody = new CVCertBody(body);
DERApplicationSpecific signature =
(DERApplicationSpecific)
derCert.getObjectAt(1); // Das zweite Objekt des Certificates ist die Signatur
if (signature.getApplicationTag() != 0x37)
throw new IllegalArgumentException("Can't find a Signature in the CV Certificate");
certSignature = new CVCertSignature(signature.getContents());
}
@Override
public void fromAsn1(ASN1Encodable required, ASN1Encodable optional)
throws IOException, EIDException {
ASN1Sequence params = (ASN1Sequence) required;
int version = ASN1Helper.getCheckedInt((ASN1Integer) params.getObjectAt(0));
// if( doLog ) log.debug( "read version: " + version );
int keyId = ASN1Helper.getCheckedInt((ASN1Integer) params.getObjectAt(1));
// if( doLog ) log.debug( "read keyId: " + keyId );
boolean authorizedOnly = ((ASN1Boolean) params.getObjectAt(2)).isTrue();
// if( doLog ) log.debug( "read authorizedOnly: " + authorizedOnly );
if (1 != version) throw new EIDException("version must be 1");
this.version = version;
this.keyId = keyId;
this.authorizedOnly = authorizedOnly;
if (null != optional) {
maxKeyLen = ASN1Helper.getCheckedInt((ASN1Integer) optional);
// if( doLog ) log.debug( "read maxKeyLen: " + maxKeyLen );
}
}
public GeneralSubtree(ASN1Sequence seq) {
base = GeneralName.getInstance(seq.getObjectAt(0));
switch (seq.size()) {
case 1:
break;
case 2:
ASN1TaggedObject o = ASN1TaggedObject.getInstance(seq.getObjectAt(1));
switch (o.getTagNo()) {
case 0:
minimum = DERInteger.getInstance(o, false);
break;
case 1:
maximum = DERInteger.getInstance(o, false);
break;
default:
throw new IllegalArgumentException("Bad tag number: " + o.getTagNo());
}
break;
case 3:
minimum = DERInteger.getInstance(ASN1TaggedObject.getInstance(seq.getObjectAt(1)));
maximum = DERInteger.getInstance(ASN1TaggedObject.getInstance(seq.getObjectAt(2)));
break;
default:
throw new IllegalArgumentException("Bad sequence size: " + seq.size());
}
}
private SinglePubInfo(ASN1Sequence seq) {
pubMethod = ASN1Integer.getInstance(seq.getObjectAt(0));
if (seq.size() == 2) {
pubLocation = GeneralName.getInstance(seq.getObjectAt(1));
}
}
public IDEACBCPar(ASN1Sequence seq) {
if (seq.size() == 1) {
iv = (ASN1OctetString) seq.getObjectAt(0);
} else {
iv = null;
}
}
public EncryptedContentInfo(ASN1Sequence seq) {
contentType = (DERObjectIdentifier) seq.getObjectAt(0);
contentEncryptionAlgorithm = AlgorithmIdentifier.getInstance(seq.getObjectAt(1));
if (seq.size() > 2) {
encryptedContent = ASN1OctetString.getInstance((ASN1TaggedObject) seq.getObjectAt(2), false);
}
}
/**
* decrypt the content and return an input stream.
*
* @deprecated use getContentStream(Recipient)
*/
public CMSTypedStream getContentStream(Key key, Provider prov) throws CMSException {
try {
CMSEnvelopedHelper helper = CMSEnvelopedHelper.INSTANCE;
AlgorithmIdentifier kekAlg =
AlgorithmIdentifier.getInstance(info.getKeyEncryptionAlgorithm());
ASN1Sequence kekAlgParams = (ASN1Sequence) kekAlg.getParameters();
String kekAlgName = DERObjectIdentifier.getInstance(kekAlgParams.getObjectAt(0)).getId();
String wrapAlgName = helper.getRFC3211WrapperName(kekAlgName);
Cipher keyCipher = helper.createSymmetricCipher(wrapAlgName, prov);
IvParameterSpec ivSpec =
new IvParameterSpec(ASN1OctetString.getInstance(kekAlgParams.getObjectAt(1)).getOctets());
keyCipher.init(
Cipher.UNWRAP_MODE,
new SecretKeySpec(((CMSPBEKey) key).getEncoded(kekAlgName), kekAlgName),
ivSpec);
Key sKey =
keyCipher.unwrap(
info.getEncryptedKey().getOctets(), getContentAlgorithmName(), Cipher.SECRET_KEY);
return getContentFromSessionKey(sKey, prov);
} catch (NoSuchAlgorithmException e) {
throw new CMSException("can't find algorithm.", e);
} catch (InvalidKeyException e) {
throw new CMSException("key invalid in message.", e);
} catch (NoSuchPaddingException e) {
throw new CMSException("required padding not supported.", e);
} catch (InvalidAlgorithmParameterException e) {
throw new CMSException("invalid iv.", e);
}
}
public PaceInfo(ASN1Sequence seq) {
protocol = (ASN1ObjectIdentifier) seq.getObjectAt(0);
version = (ASN1Integer) seq.getObjectAt(1);
if (seq.size() > 2) {
parameterId = (ASN1Integer) seq.getObjectAt(2);
}
}
/**
* Returns the targets in this target information extension.
*
* @return Returns the targets.
*/
public Targets[] getTargetsObjects() {
Targets[] copy = new Targets[targets.size()];
int count = 0;
for (Enumeration e = targets.getObjects(); e.hasMoreElements(); ) {
copy[count++] = Targets.getInstance(e.nextElement());
}
return copy;
}
public BigInteger[] decode(byte[] encoding) throws IOException {
ASN1Sequence s = (ASN1Sequence) ASN1Primitive.fromByteArray(encoding);
BigInteger[] sig = new BigInteger[2];
sig[0] = ((DERInteger) s.getObjectAt(0)).getValue();
sig[1] = ((DERInteger) s.getObjectAt(1)).getValue();
return sig;
}
public CryptEngineImpl(Context ctx) throws Exception {
// Получаем действующее хранилище
IKeyStorage storage = KeyStorageFactory.getKeyStorage(ctx);
Log.v("TFORWARD.CryptEngineImpl", "Decoding public key...");
byte[] publicKey = Base64.decode(storage.getKey(IKeyStorage.PUBLIC_KEY_TYPE), Base64.DEFAULT);
Log.v("TFORWARD.CryptEngineImpl", "Decoding ASN1 Structure");
ASN1InputStream asnStream = new ASN1InputStream(publicKey);
ASN1Sequence sequence = null;
try {
Log.v("TFORWARD.CryptEngineImpl", "Reading ASN1 Sequence");
sequence = (ASN1Sequence) asnStream.readObject();
} finally {
asnStream.close();
}
Log.v("TFORWARD.CryptEngineImpl", "Creating certificate. " + sequence.size());
Certificate certificate = Certificate.getInstance(sequence);
SubjectPublicKeyInfo publicKeyInfo = certificate.getSubjectPublicKeyInfo();
RSAPublicKey publicKeyStructure = RSAPublicKey.getInstance(publicKeyInfo.parsePublicKey());
BigInteger mod = publicKeyStructure.getModulus();
BigInteger pubExp = publicKeyStructure.getPublicExponent();
publicRsaKey = new RSAKeyParameters(false, mod, pubExp);
// ------------------------ PRIVATE KEY --------------------------------
byte[] privateKeyData =
Base64.decode(storage.getKey(IKeyStorage.SECRET_KEY_TYPE), Base64.DEFAULT);
asnStream = new ASN1InputStream(privateKeyData);
ASN1Sequence asnSequence = null;
try {
asnSequence = (ASN1Sequence) asnStream.readObject();
} finally {
asnStream.close();
}
RSAPrivateKey privateKey = RSAPrivateKey.getInstance(asnSequence);
privateRsaKey =
new RSAPrivateCrtKeyParameters(
privateKey.getModulus(),
privateKey.getPublicExponent(),
privateKey.getPrivateExponent(),
privateKey.getPrime1(),
privateKey.getPrime2(),
privateKey.getExponent1(),
privateKey.getExponent2(),
privateKey.getCoefficient());
RSAEngine engine = new RSAEngine();
digest = new MD5Digest();
cipher = new PKCS1Encoding(engine);
}
public X509Attribute[] getAttributes() {
ASN1Sequence seq = cert.getAcinfo().getAttributes();
X509Attribute[] attrs = new X509Attribute[seq.size()];
for (int i = 0; i != seq.size(); i++) {
attrs[i] = new X509Attribute((ASN1Encodable) seq.getObjectAt(i));
}
return attrs;
}
@Override
public void parse(ASN1Primitive derObject) {
ASN1Sequence derSequence = ASN1Object.getDERSequence(derObject);
this.endCertRevReq = new RevReq();
this.endCertRevReq.parse(derSequence.getObjectAt(0).toASN1Primitive());
this.caCerts = new RevReq();
this.caCerts.parse(derSequence.getObjectAt(1).toASN1Primitive());
}
/**
* Return the attributes, if any associated with this request.
*
* @return an array of Attribute, zero length if none present.
*/
public Attribute[] getAttributes() {
ASN1Sequence seq = attrCert.getAcinfo().getAttributes();
Attribute[] attrs = new Attribute[seq.size()];
for (int i = 0; i != seq.size(); i++) {
attrs[i] = Attribute.getInstance(seq.getObjectAt(i));
}
return attrs;
}
/**
* Produces the r,s integer pair of a DSA signature from a DER-encoded byte representation.
*
* @param in DER-encoded concatenation of byte representation of r and s.
* @return DSA signature output parameters (r,s).
* @throws CryptException On cryptographic errors.
*/
protected BigInteger[] decode(final byte[] in) throws CryptException {
ASN1Sequence s;
try {
s = (ASN1Sequence) new ASN1InputStream(in).readObject();
} catch (IOException e) {
throw new CryptException("Error decoding DSA signature.", e);
}
return new BigInteger[] {
((DERInteger) s.getObjectAt(0)).getValue(), ((DERInteger) s.getObjectAt(1)).getValue(),
};
}
public int hashCode() {
ASN1Sequence seq = (ASN1Sequence) this.getDERObject();
Enumeration e = seq.getObjects();
int hashCode = 0;
while (e.hasMoreElements()) {
hashCode ^= e.nextElement().hashCode();
}
return hashCode;
}
protected BigInteger[] derDecode(byte[] encoding) throws IOException {
ByteArrayInputStream bIn = new ByteArrayInputStream(encoding);
ASN1InputStream aIn = new ASN1InputStream(bIn);
ASN1Sequence s = (ASN1Sequence) aIn.readObject();
BigInteger[] sig = new BigInteger[2];
sig[0] = ((DERInteger) s.getObjectAt(0)).getValue();
sig[1] = ((DERInteger) s.getObjectAt(1)).getValue();
return sig;
}
public PBES2Parameters(ASN1Sequence obj) {
Enumeration e = obj.getObjects();
ASN1Sequence funcSeq =
ASN1Sequence.getInstance(((DEREncodable) e.nextElement()).getDERObject());
if (funcSeq.getObjectAt(0).equals(id_PBKDF2)) {
func = new KeyDerivationFunc(id_PBKDF2, PBKDF2Params.getInstance(funcSeq.getObjectAt(1)));
} else {
func = new KeyDerivationFunc(funcSeq);
}
scheme = (EncryptionScheme) EncryptionScheme.getInstance(e.nextElement());
}
/**
* Reads the value of the <code>CertificatePolicies</code> extension field of the certificate.
*
* @return List of certificate policies defined on certificate or null if the certificate does not
* define the field.
*/
public List<PolicyInformation> readCertificatePolicies() {
final ASN1Encodable data = read(ExtensionType.CertificatePolicies);
if (data == null) {
return null;
}
final ASN1Sequence sequence = ASN1Sequence.getInstance(data);
final List<PolicyInformation> list = new ArrayList<>(sequence.size());
for (int i = 0; i < sequence.size(); i++) {
list.add(PolicyInformation.getInstance(sequence.getObjectAt(i)));
}
return list;
}
/**
* Reads the value of the <code>ExtendedKeyUsage</code> extension field of the certificate.
*
* @return List of supported extended key usages or null if extension is not defined.
*/
public List<KeyPurposeId> readExtendedKeyUsage() {
final ASN1Encodable data = read(ExtensionType.ExtendedKeyUsage);
if (data == null) {
return null;
}
final ASN1Sequence sequence = ASN1Sequence.getInstance(data);
final List<KeyPurposeId> list = new ArrayList<>(sequence.size());
for (int i = 0; i < sequence.size(); i++) {
list.add(KeyPurposeId.getInstance(sequence.getObjectAt(i)));
}
return list;
}
/**
* Reads the value of the <code>CRLDistributionPoints</code> extension field of the certificate.
*
* @return List of CRL distribution points or null if extension is not defined.
*/
public List<DistributionPoint> readCRLDistributionPoints() {
final ASN1Encodable data = read(ExtensionType.CRLDistributionPoints);
if (data == null) {
return null;
}
final ASN1Sequence sequence = ASN1Sequence.getInstance(data);
final List<DistributionPoint> list = new ArrayList<>(sequence.size());
for (int i = 0; i < sequence.size(); i++) {
list.add(DistributionPoint.getInstance(sequence.getObjectAt(i)));
}
return list;
}
/**
* Reads the value of the <code>AuthorityInformationAccess</code> extension field of the
* certificate.
*
* @return List of access descriptions or null if extension is not defined.
*/
public List<AccessDescription> readAuthorityInformationAccess() {
final ASN1Encodable data = read(ExtensionType.AuthorityInformationAccess);
if (data == null) {
return null;
}
final ASN1Sequence sequence = ASN1Sequence.getInstance(data);
final List<AccessDescription> list = new ArrayList<>(sequence.size());
for (int i = 0; i < sequence.size(); i++) {
list.add(AccessDescription.getInstance(sequence.getObjectAt(i)));
}
return list;
}
public X9Curve(X9FieldID fieldID, ASN1Sequence seq) {
if (fieldID.getIdentifier().equals(prime_field)) {
BigInteger q = ((DERInteger) fieldID.getParameters()).getValue();
X9FieldElement x9A = new X9FieldElement(true, q, (ASN1OctetString) seq.getObjectAt(0));
X9FieldElement x9B = new X9FieldElement(true, q, (ASN1OctetString) seq.getObjectAt(1));
curve = new ECCurve.Fp(q, x9A.getValue().toBigInteger(), x9B.getValue().toBigInteger());
} else {
throw new RuntimeException("not implemented");
}
if (seq.size() == 3) {
seed = ((DERBitString) seq.getObjectAt(2)).getBytes();
}
}
private ECCCMSSharedInfo(ASN1Sequence seq) {
this.keyInfo = AlgorithmIdentifier.getInstance(seq.getObjectAt(0));
if (seq.size() == 2) {
this.entityUInfo = null;
this.suppPubInfo =
ASN1OctetString.getInstance((ASN1TaggedObject) seq.getObjectAt(1), true).getOctets();
} else {
this.entityUInfo =
ASN1OctetString.getInstance((ASN1TaggedObject) seq.getObjectAt(1), true).getOctets();
this.suppPubInfo =
ASN1OctetString.getInstance((ASN1TaggedObject) seq.getObjectAt(2), true).getOctets();
}
}
private ResponseData(ASN1Sequence seq) {
int index = 0;
if (seq.getObjectAt(0) instanceof ASN1TaggedObject) {
ASN1TaggedObject o = (ASN1TaggedObject) seq.getObjectAt(0);
if (o.getTagNo() == 0) {
this.versionPresent = true;
this.version = ASN1Integer.getInstance((ASN1TaggedObject) seq.getObjectAt(0), true);
index++;
} else {
this.version = V1;
}
} else {
this.version = V1;
}
this.responderID = ResponderID.getInstance(seq.getObjectAt(index++));
this.producedAt = (DERGeneralizedTime) seq.getObjectAt(index++);
this.responses = (ASN1Sequence) seq.getObjectAt(index++);
if (seq.size() > index) {
this.responseExtensions =
Extensions.getInstance((ASN1TaggedObject) seq.getObjectAt(index), true);
}
}
public VomsAttributeCertificateInfo(final ASN1Sequence seq) throws ProblemException {
super(seq);
ASN1Sequence attributes = getAttributes();
for (int i = 0; i < attributes.size(); i++) {
ASN1Sequence attribute = (ASN1Sequence) attributes.getObjectAt(i);
DERObjectIdentifier id = (DERObjectIdentifier) attribute.getObjectAt(0);
if (VomsCredentialInfo.VOMS_ATTR_OID.equals(id.getId())) {
DERSet set = (DERSet) attribute.getObjectAt(1);
for (int j = 0; j < set.size(); j++) {
IetfAttrSyntax attr = new IetfAttrSyntax((ASN1Sequence) set.getObjectAt(j));
ASN1Sequence paSeq = (ASN1Sequence) attr.getPolicyAuthority().getDERObject();
GeneralName paGName = GeneralName.getInstance(paSeq.getObjectAt(0));
String paString = ((DERIA5String) paGName.getName()).getString();
int sep = paString.indexOf("://"); // $NON-NLS-1$
if (sep != -1) {
this.voNames.add(paString.substring(0, sep));
}
for (Object attrValue : attr.getValues()) {
String fqanString = new String(((ASN1OctetString) attrValue).getOctets());
this.fqans.add(FullyQualifiedAttributeName.getFqan(fqanString));
}
}
}
}
}
private CscaMasterList(ASN1Sequence seq) {
if (seq == null || seq.size() == 0) {
throw new IllegalArgumentException("null or empty sequence passed.");
}
if (seq.size() != 2) {
throw new IllegalArgumentException("Incorrect sequence size: " + seq.size());
}
version = DERInteger.getInstance(seq.getObjectAt(0));
ASN1Set certSet = ASN1Set.getInstance(seq.getObjectAt(1));
certList = new X509CertificateStructure[certSet.size()];
for (int i = 0; i < certList.length; i++) {
certList[i] = X509CertificateStructure.getInstance(certSet.getObjectAt(i));
}
}
protected static final Set getQualifierSet(ASN1Sequence qualifiers)
throws CertPathValidatorException {
Set pq = new HashSet();
if (qualifiers == null) {
return pq;
}
ByteArrayOutputStream bOut = new ByteArrayOutputStream();
ASN1OutputStream aOut = new ASN1OutputStream(bOut);
Enumeration e = qualifiers.getObjects();
while (e.hasMoreElements()) {
try {
aOut.writeObject((ASN1Encodable) e.nextElement());
pq.add(new PolicyQualifierInfo(bOut.toByteArray()));
} catch (IOException ex) {
throw new ExtCertPathValidatorException("Policy qualifier info cannot be decoded.", ex);
}
bOut.reset();
}
return pq;
}
public SignerInfo(ASN1Sequence seq) {
Enumeration e = seq.getObjects();
version = (DERInteger) e.nextElement();
issuerAndSerialNumber = IssuerAndSerialNumber.getInstance(e.nextElement());
digAlgorithm = AlgorithmIdentifier.getInstance(e.nextElement());
Object obj = e.nextElement();
if (obj instanceof ASN1TaggedObject) {
authenticatedAttributes = ASN1Set.getInstance((ASN1TaggedObject) obj, false);
digEncryptionAlgorithm = AlgorithmIdentifier.getInstance(e.nextElement());
} else {
authenticatedAttributes = null;
digEncryptionAlgorithm = AlgorithmIdentifier.getInstance(obj);
}
encryptedDigest = DEROctetString.getInstance(e.nextElement());
if (e.hasMoreElements()) {
unauthenticatedAttributes = ASN1Set.getInstance((ASN1TaggedObject) e.nextElement(), false);
} else {
unauthenticatedAttributes = null;
}
}
