List of usage examples for java.security.cert X509Certificate checkValidity
public abstract void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException;
From source file:com.eucalyptus.crypto.DefaultCryptoProvider.java
@Override public X509Certificate generateCertificate(PublicKey key, X500Principal subjectDn, X500Principal signer, PrivateKey signingKey, Date notAfter) { if (signingKey == null) { LOG.error("No signing key is provided"); return null; }//from w w w . j a v a 2 s. c om if (signer == null) { LOG.error("No signiner principal is specified"); return null; } if (subjectDn == null) { LOG.error("No subject principal is specified"); return null; } if (key == null) { LOG.error("No requesting key is specified"); return null; } EventRecord.caller(DefaultCryptoProvider.class, EventType.GENERATE_CERTIFICATE, signer.toString(), subjectDn.toString()).info(); X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.nanoTime()).shiftLeft(4) .add(BigInteger.valueOf((long) Math.rint(Math.random() * 1000)))); certGen.setIssuerDN(signer); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true)); try { certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(key)); } catch (InvalidKeyException e) { LOG.error("Error adding subject key identifier extension.", e); } Calendar cal = Calendar.getInstance(); certGen.setNotBefore(cal.getTime()); certGen.setNotAfter(notAfter); certGen.setSubjectDN(subjectDn); certGen.setPublicKey(key); certGen.setSignatureAlgorithm(KEY_SIGNING_ALGORITHM); try { X509Certificate cert = certGen.generate(signingKey, PROVIDER); cert.checkValidity(); return cert; } catch (Exception e) { LOG.fatal(e, e); return null; } }
From source file:mx.bigdata.sat.cfdi.CFDv33.java
@Override public void sellar(PrivateKey key, X509Certificate cert) throws Exception { String nc = new String(cert.getSerialNumber().toByteArray()); cert.checkValidity(); byte[] bytes = cert.getEncoded(); Base64 b64 = new Base64(-1); String certStr = b64.encodeToString(bytes); document.setCertificado(certStr);/*from w ww .j a v a2s. c om*/ document.setNoCertificado(nc); String signature = getSignature(key); document.setSello(signature); }
From source file:eu.peppol.outbound.transmission.As2MessageSender.java
/** * Handles the HTTP 200 POST response (the MDN with status indications) * * @param transmissionId the transmissionId (used in HTTP headers as Message-ID) * @param outboundMic the calculated mic of the payload (should be verified against the one returned in MDN) * @param postResponse the http response to be decoded as MDN * @return//from w ww . ja va 2s . co m */ MimeMessage handleTheHttpResponse(TransmissionId transmissionId, Mic outboundMic, CloseableHttpResponse postResponse, SmpLookupManager.PeppolEndpointData peppolEndpointData) { try { HttpEntity entity = postResponse.getEntity(); // Any textual results? if (entity == null) { throw new IllegalStateException( "No contents in HTTP response with rc=" + postResponse.getStatusLine().getStatusCode()); } String contents = EntityUtils.toString(entity); if (traceEnabled) { log.debug("HTTP-headers:"); Header[] allHeaders = postResponse.getAllHeaders(); for (Header header : allHeaders) { log.debug("" + header.getName() + ": " + header.getValue()); } log.debug("Contents:\n" + contents); log.debug("---------------------------"); } Header contentTypeHeader = postResponse.getFirstHeader("Content-Type"); if (contentTypeHeader == null) { throw new IllegalStateException("No Content-Type header in response, probably a server error"); } String contentType = contentTypeHeader.getValue(); MimeMessage mimeMessage = null; try { mimeMessage = MimeMessageHelper.parseMultipart(contents, new MimeType(contentType)); try { mimeMessage.writeTo(System.out); } catch (MessagingException e) { throw new IllegalStateException("Unable to print mime message"); } } catch (MimeTypeParseException e) { throw new IllegalStateException("Invalid Content-Type header"); } // verify the signature of the MDN, we warn about dodgy signatures try { SignedMimeMessage signedMimeMessage = new SignedMimeMessage(mimeMessage); X509Certificate cert = signedMimeMessage.getSignersX509Certificate(); cert.checkValidity(); // Verify if the certificate used by the receiving Access Point in // the response message does not match its certificate published by the SMP if (peppolEndpointData.getCommonName() == null || !CommonName .valueOf(cert.getSubjectX500Principal()).equals(peppolEndpointData.getCommonName())) { throw new CertificateException( "Common name in certificate from SMP does not match common name in AP certificate"); } log.debug("MDN signature was verfied for : " + cert.getSubjectDN().toString()); } catch (Exception ex) { log.warn("Exception when verifying MDN signature : " + ex.getMessage()); } // Verifies the actual MDN MdnMimeMessageInspector mdnMimeMessageInspector = new MdnMimeMessageInspector(mimeMessage); String msg = mdnMimeMessageInspector.getPlainTextPartAsText(); if (mdnMimeMessageInspector.isOkOrWarning(outboundMic)) { return mimeMessage; } else { log.error("AS2 transmission failed with some error message, msg :" + msg); log.error(contents); throw new IllegalStateException("AS2 transmission failed : " + msg); } } catch (IOException e) { throw new IllegalStateException("Unable to obtain the contents of the response: " + e.getMessage(), e); } finally { try { postResponse.close(); } catch (IOException e) { throw new IllegalStateException("Unable to close http connection: " + e.getMessage(), e); } } }
From source file:com.example.bbbbbb.http.sample.util.SecureSocketFactory.java
/** * Instantiate a new secured factory pertaining to the passed store. Be sure to initialize the * store with the password using {@link KeyStore#load(InputStream, * char[])} method./*from w w w . ja v a 2 s. co m*/ * * @param store The key store holding the certificate details * @param alias The alias of the certificate to use */ public SecureSocketFactory(KeyStore store, String alias) throws CertificateException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException { super(store); // Loading the CA certificate from store. final Certificate rootca = store.getCertificate(alias); // Turn it to X509 format. InputStream is = new ByteArrayInputStream(rootca.getEncoded()); X509Certificate x509ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is); AsyncHttpClient.silentCloseInputStream(is); if (null == x509ca) { throw new CertificateException("Embedded SSL certificate has expired."); } // Check the CA's validity. x509ca.checkValidity(); // Accepted CA is only the one installed in the store. acceptedIssuers = new X509Certificate[] { x509ca }; sslCtx = SSLContext.getInstance("TLS"); sslCtx.init(null, new TrustManager[] { new X509TrustManager() { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { Exception error = null; if (null == chain || 0 == chain.length) { error = new CertificateException("Certificate chain is invalid."); } else if (null == authType || 0 == authType.length()) { error = new CertificateException("Authentication type is invalid."); } else { Log.i(LOG_TAG, "Chain includes " + chain.length + " certificates."); try { for (X509Certificate cert : chain) { Log.i(LOG_TAG, "Server Certificate Details:"); Log.i(LOG_TAG, "---------------------------"); Log.i(LOG_TAG, "IssuerDN: " + cert.getIssuerDN().toString()); Log.i(LOG_TAG, "SubjectDN: " + cert.getSubjectDN().toString()); Log.i(LOG_TAG, "Serial Number: " + cert.getSerialNumber()); Log.i(LOG_TAG, "Version: " + cert.getVersion()); Log.i(LOG_TAG, "Not before: " + cert.getNotBefore().toString()); Log.i(LOG_TAG, "Not after: " + cert.getNotAfter().toString()); Log.i(LOG_TAG, "---------------------------"); // Make sure that it hasn't expired. cert.checkValidity(); // Verify the certificate's public key chain. cert.verify(rootca.getPublicKey()); } } catch (InvalidKeyException e) { error = e; } catch (NoSuchAlgorithmException e) { error = e; } catch (NoSuchProviderException e) { error = e; } catch (SignatureException e) { error = e; } } if (null != error) { Log.e(LOG_TAG, "Certificate error", error); throw new CertificateException(error); } } @Override public X509Certificate[] getAcceptedIssuers() { return acceptedIssuers; } } }, null); setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER); }
From source file:eu.europa.esig.dss.cades.signature.CAdESLevelBTest.java
@Override protected void onDocumentSigned(byte[] byteArray) { try {//from w w w. j a va 2 s . com CAdESSignature signature = new CAdESSignature(byteArray); assertNotNull(signature.getCmsSignedData()); ASN1InputStream asn1sInput = new ASN1InputStream(byteArray); ASN1Sequence asn1Seq = (ASN1Sequence) asn1sInput.readObject(); logger.info("SEQ : " + asn1Seq.toString()); assertEquals(2, asn1Seq.size()); ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(asn1Seq.getObjectAt(0)); assertEquals(PKCSObjectIdentifiers.signedData, oid); logger.info("OID : " + oid.toString()); ASN1TaggedObject taggedObj = DERTaggedObject.getInstance(asn1Seq.getObjectAt(1)); logger.info("TAGGED OBJ : " + taggedObj.toString()); ASN1Primitive object = taggedObj.getObject(); logger.info("OBJ : " + object.toString()); SignedData signedData = SignedData.getInstance(object); logger.info("SIGNED DATA : " + signedData.toString()); ASN1Set digestAlgorithms = signedData.getDigestAlgorithms(); logger.info("DIGEST ALGOS : " + digestAlgorithms.toString()); ContentInfo encapContentInfo = signedData.getEncapContentInfo(); logger.info("ENCAPSULATED CONTENT INFO : " + encapContentInfo.getContentType() + " " + encapContentInfo.getContent()); ASN1Set certificates = signedData.getCertificates(); logger.info("CERTIFICATES (" + certificates.size() + ") : " + certificates); List<X509Certificate> foundCertificates = new ArrayList<X509Certificate>(); for (int i = 0; i < certificates.size(); i++) { ASN1Sequence seqCertif = ASN1Sequence.getInstance(certificates.getObjectAt(i)); logger.info("SEQ cert " + i + " : " + seqCertif); X509CertificateHolder certificateHolder = new X509CertificateHolder(seqCertif.getEncoded()); X509Certificate certificate = new JcaX509CertificateConverter() .setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate(certificateHolder); certificate.checkValidity(); logger.info("Cert " + i + " : " + certificate); foundCertificates.add(certificate); } ASN1Set crLs = signedData.getCRLs(); logger.info("CRLs : " + crLs); ASN1Set signerInfosAsn1 = signedData.getSignerInfos(); logger.info("SIGNER INFO ASN1 : " + signerInfosAsn1.toString()); assertEquals(1, signerInfosAsn1.size()); ASN1Sequence seqSignedInfo = ASN1Sequence.getInstance(signerInfosAsn1.getObjectAt(0)); SignerInfo signedInfo = SignerInfo.getInstance(seqSignedInfo); logger.info("SIGNER INFO : " + signedInfo.toString()); SignerIdentifier sid = signedInfo.getSID(); logger.info("SIGNER IDENTIFIER : " + sid.getId()); IssuerAndSerialNumber issuerAndSerialNumber = IssuerAndSerialNumber.getInstance(signedInfo.getSID()); logger.info("ISSUER AND SN : " + issuerAndSerialNumber.toString()); BigInteger serial = issuerAndSerialNumber.getSerialNumber().getValue(); X509Certificate signerCertificate = null; for (X509Certificate x509Certificate : foundCertificates) { // TODO check issuer name if (serial.equals(x509Certificate.getSerialNumber())) { signerCertificate = x509Certificate; } } assertNotNull(signerCertificate); ASN1OctetString encryptedDigest = signedInfo.getEncryptedDigest(); logger.info("ENCRYPT DIGEST : " + encryptedDigest.toString()); ASN1Sequence seq = ASN1Sequence.getInstance(object); ASN1Integer version = ASN1Integer.getInstance(seq.getObjectAt(0)); logger.info("VERSION : " + version.toString()); ASN1Set digestManualSet = ASN1Set.getInstance(seq.getObjectAt(1)); logger.info("DIGEST SET : " + digestManualSet.toString()); assertEquals(digestAlgorithms, digestManualSet); ASN1Sequence seqDigest = ASN1Sequence.getInstance(digestManualSet.getObjectAt(0)); // assertEquals(1, seqDigest.size()); ASN1ObjectIdentifier oidDigestAlgo = ASN1ObjectIdentifier.getInstance(seqDigest.getObjectAt(0)); assertEquals(new ASN1ObjectIdentifier(DigestAlgorithm.SHA256.getOid()), oidDigestAlgo); ASN1Sequence seqEncapsulatedInfo = ASN1Sequence.getInstance(seq.getObjectAt(2)); logger.info("ENCAPSULATED INFO : " + seqEncapsulatedInfo.toString()); ASN1ObjectIdentifier oidContentType = ASN1ObjectIdentifier .getInstance(seqEncapsulatedInfo.getObjectAt(0)); logger.info("OID CONTENT TYPE : " + oidContentType.toString()); ASN1TaggedObject taggedContent = DERTaggedObject.getInstance(seqEncapsulatedInfo.getObjectAt(1)); ASN1OctetString contentOctetString = ASN1OctetString.getInstance(taggedContent.getObject()); String content = new String(contentOctetString.getOctets()); assertEquals(HELLO_WORLD, content); logger.info("CONTENT : " + content); byte[] digest = DSSUtils.digest(DigestAlgorithm.SHA256, HELLO_WORLD.getBytes()); String encodeHexDigest = Hex.toHexString(digest); logger.info("CONTENT DIGEST COMPUTED : " + encodeHexDigest); ASN1Set authenticatedAttributes = signedInfo.getAuthenticatedAttributes(); logger.info("AUTHENTICATED ATTRIBUTES : " + authenticatedAttributes.toString()); // ASN1Sequence seqAuthAttrib = ASN1Sequence.getInstance(authenticatedAttributes.getObjectAt(0)); logger.info("Nb Auth Attributes : " + authenticatedAttributes.size()); String embeddedDigest = StringUtils.EMPTY; for (int i = 0; i < authenticatedAttributes.size(); i++) { ASN1Sequence authAttrSeq = ASN1Sequence.getInstance(authenticatedAttributes.getObjectAt(i)); logger.info(authAttrSeq.toString()); ASN1ObjectIdentifier attrOid = ASN1ObjectIdentifier.getInstance(authAttrSeq.getObjectAt(0)); if (PKCSObjectIdentifiers.pkcs_9_at_messageDigest.equals(attrOid)) { ASN1Set setMessageDigest = ASN1Set.getInstance(authAttrSeq.getObjectAt(1)); ASN1OctetString asn1ObjString = ASN1OctetString.getInstance(setMessageDigest.getObjectAt(0)); embeddedDigest = Hex.toHexString(asn1ObjString.getOctets()); } } assertEquals(encodeHexDigest, embeddedDigest); ASN1OctetString encryptedInfoOctedString = signedInfo.getEncryptedDigest(); String signatureValue = Hex.toHexString(encryptedInfoOctedString.getOctets()); logger.info("SIGNATURE VALUE : " + signatureValue); Cipher cipher = Cipher.getInstance("RSA"); cipher.init(Cipher.DECRYPT_MODE, signerCertificate); byte[] decrypted = cipher.doFinal(encryptedInfoOctedString.getOctets()); ASN1InputStream inputDecrypted = new ASN1InputStream(decrypted); ASN1Sequence seqDecrypt = (ASN1Sequence) inputDecrypted.readObject(); logger.info("Decrypted : " + seqDecrypt); DigestInfo digestInfo = new DigestInfo(seqDecrypt); assertEquals(oidDigestAlgo, digestInfo.getAlgorithmId().getAlgorithm()); String decryptedDigestEncodeBase64 = Base64.encode(digestInfo.getDigest()); logger.info("Decrypted Base64 : " + decryptedDigestEncodeBase64); byte[] encoded = signedInfo.getAuthenticatedAttributes().getEncoded(); MessageDigest messageDigest = MessageDigest.getInstance(DigestAlgorithm.SHA256.getName()); byte[] digestOfAuthenticatedAttributes = messageDigest.digest(encoded); String computedDigestEncodeBase64 = Base64.encode(digestOfAuthenticatedAttributes); logger.info("Computed Base64 : " + computedDigestEncodeBase64); assertEquals(decryptedDigestEncodeBase64, computedDigestEncodeBase64); IOUtils.closeQuietly(asn1sInput); IOUtils.closeQuietly(inputDecrypted); } catch (Exception e) { logger.error(e.getMessage(), e); fail(e.getMessage()); } }
From source file:com.fine47.http.SecureSocketFactory.java
private SecureSocketFactory(String factoryId, KeyStore store, String alias) throws CertificateException, NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException { super(store); // Loading the CA certificate from store. Certificate rootca = store.getCertificate(alias); // Turn it to X509 format. InputStream is = new ByteArrayInputStream(rootca.getEncoded()); X509Certificate x509ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is); ActivityHttpClient.silentCloseInputStream(is); if (null == x509ca) { throw new CertificateException("Found expired SSL certificate in this store: " + factoryId); }// w w w .j av a 2 s. c o m // Check the CA's validity. x509ca.checkValidity(); // Accepted CA is only the one installed in the store. acceptedIssuers = new X509Certificate[] { x509ca }; // Get the public key. publicKey = rootca.getPublicKey(); sslCtx = SSLContext.getInstance("TLS"); sslCtx.init(null, new TrustManager[] { new X509TrustManager() { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { Exception error = null; if (null == chain || 0 == chain.length) { error = new CertificateException("Certificate chain is invalid"); } else if (null == authType || 0 == authType.length()) { error = new CertificateException("Authentication type is invalid"); } else try { for (X509Certificate cert : chain) { if (ActivityHttpClient.isDebugging()) { Log.d(ActivityHttpClient.LOG_TAG, "Server Certificate Details:"); Log.d(ActivityHttpClient.LOG_TAG, "---------------------------"); Log.d(ActivityHttpClient.LOG_TAG, "IssuerDN: " + cert.getIssuerDN().toString()); Log.d(ActivityHttpClient.LOG_TAG, "SubjectDN: " + cert.getSubjectDN().toString()); Log.d(ActivityHttpClient.LOG_TAG, "Serial Number: " + cert.getSerialNumber()); Log.d(ActivityHttpClient.LOG_TAG, "Version: " + cert.getVersion()); Log.d(ActivityHttpClient.LOG_TAG, "Not before: " + cert.getNotBefore().toString()); Log.d(ActivityHttpClient.LOG_TAG, "Not after: " + cert.getNotAfter().toString()); Log.d(ActivityHttpClient.LOG_TAG, "---------------------------"); } // Make sure that it hasn't expired. cert.checkValidity(); // Verify the certificate's chain. cert.verify(publicKey); } } catch (InvalidKeyException ex) { error = ex; } catch (NoSuchAlgorithmException ex) { error = ex; } catch (NoSuchProviderException ex) { error = ex; } catch (SignatureException ex) { error = ex; } if (null != error && ActivityHttpClient.isDebugging()) { Log.e(ActivityHttpClient.LOG_TAG, "Error while setting up a secure socket factory.", error); throw new CertificateException(error); } } @Override public X509Certificate[] getAcceptedIssuers() { return acceptedIssuers; } } }, null); setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER); }
From source file:de.brendamour.jpasskit.signing.PKSigningInformationUtil.java
private PKSigningInformation checkCertsAndReturnSigningInformationObject(PrivateKey signingPrivateKey, X509Certificate signingCert, X509Certificate appleWWDRCACert) throws IOException, CertificateExpiredException, CertificateNotYetValidException { if (signingCert == null || signingPrivateKey == null || appleWWDRCACert == null) { throw new IOException("Couldn't load all the neccessary certificates/keys."); }/* w w w. j ava 2 s . c o m*/ // check the Validity of the Certificate to make sure it isn't expired appleWWDRCACert.checkValidity(); signingCert.checkValidity(); return new PKSigningInformation(signingCert, signingPrivateKey, appleWWDRCACert); }
From source file:com.blackducksoftware.integration.hub.jenkins.site.BlackDuckHubUpdateSite.java
/** * Verifies the signature in the update center data file. *///from www . ja v a 2s . c o m private FormValidation verifySignature(final JSONObject o) throws IOException { try { FormValidation warning = null; final JSONObject signature = o.getJSONObject("signature"); if (signature.isNullObject()) { return FormValidation.error("No signature block found in update center '" + getId() + "'"); } o.remove("signature"); final List<X509Certificate> certs = new ArrayList<X509Certificate>(); {// load and verify certificates final CertificateFactory cf = CertificateFactory.getInstance("X509"); for (final Object cert : signature.getJSONArray("certificates")) { final X509Certificate c = (X509Certificate) cf.generateCertificate( new ByteArrayInputStream(Base64.decode(cert.toString().toCharArray()))); try { c.checkValidity(); } catch (final CertificateExpiredException e) { // even if the certificate isn't valid yet, // we'll proceed it anyway warning = FormValidation.warning(e, String.format( "Certificate %s has expired in update center '%s'", cert.toString(), getId())); } catch (final CertificateNotYetValidException e) { warning = FormValidation.warning(e, String.format( "Certificate %s is not yet valid in update center '%s'", cert.toString(), getId())); } certs.add(c); } // all default root CAs in JVM are trusted, plus certs bundled in Jenkins final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>(); // CertificateUtil.getDefaultRootCAs(); final ServletContext context = Jenkins.getInstance().servletContext; anchors.add(new TrustAnchor(loadLicenseCaCertificate(), null)); for (final String cert : (Set<String>) context.getResourcePaths("/WEB-INF/update-center-rootCAs")) { if (cert.endsWith(".txt")) { continue; // skip text files that are meant to be documentation } final InputStream stream = context.getResourceAsStream(cert); if (stream != null) { try { anchors.add(new TrustAnchor((X509Certificate) cf.generateCertificate(stream), null)); } finally { IOUtils.closeQuietly(stream); } } } CertificateUtil.validatePath(certs, anchors); } // this is for computing a digest to check sanity final MessageDigest sha1 = MessageDigest.getInstance("SHA1"); final DigestOutputStream dos = new DigestOutputStream(new NullOutputStream(), sha1); // this is for computing a signature final Signature sig = Signature.getInstance("SHA1withRSA"); sig.initVerify(certs.get(0)); final SignatureOutputStream sos = new SignatureOutputStream(sig); // until JENKINS-11110 fix, UC used to serve invalid digest (and therefore unverifiable signature) // that only covers the earlier portion of the file. This was caused by the lack of close() call // in the canonical writing, which apparently leave some bytes somewhere that's not flushed to // the digest output stream. This affects Jenkins [1.424,1,431]. // Jenkins 1.432 shipped with the "fix" (1eb0c64abb3794edce29cbb1de50c93fa03a8229) that made it // compute the correct digest, but it breaks all the existing UC json metadata out there. We then // quickly discovered ourselves in the catch-22 situation. If we generate UC with the correct signature, // it'll cut off [1.424,1.431] from the UC. But if we don't, we'll cut off [1.432,*). // // In 1.433, we revisited 1eb0c64abb3794edce29cbb1de50c93fa03a8229 so that the original "digest"/"signature" // pair continues to be generated in a buggy form, while "correct_digest"/"correct_signature" are generated // correctly. // // Jenkins should ignore "digest"/"signature" pair. Accepting it creates a vulnerability that allows // the attacker to inject a fragment at the end of the json. o.writeCanonical(new OutputStreamWriter(new TeeOutputStream(dos, sos), "UTF-8")).close(); // did the digest match? this is not a part of the signature validation, but if we have a bug in the c14n // (which is more likely than someone tampering with update center), we can tell final String computedDigest = new String(Base64.encode(sha1.digest())); final String providedDigest = signature.optString("correct_digest"); if (providedDigest == null) { return FormValidation.error("No correct_digest parameter in update center '" + getId() + "'. This metadata appears to be old."); } if (!computedDigest.equalsIgnoreCase(providedDigest)) { return FormValidation.error("Digest mismatch: " + computedDigest + " vs " + providedDigest + " in update center '" + getId() + "'"); } final String providedSignature = signature.getString("correct_signature"); if (!sig.verify(Base64.decode(providedSignature.toCharArray()))) { return FormValidation.error( "Signature in the update center doesn't match with the certificate in update center '" + getId() + "'"); } if (warning != null) { return warning; } return FormValidation.ok(); } catch (final GeneralSecurityException e) { return FormValidation.error(e, "Signature verification failed in the update center '" + getId() + "'"); } }
From source file:com.cloudbees.jenkins.plugins.enterpriseplugins.CloudBeesUpdateSite.java
/** * Verifies the signature in the update center data file. *///from ww w . ja v a 2 s . c om private FormValidation verifySignature(JSONObject o) throws IOException { try { FormValidation warning = null; JSONObject signature = o.getJSONObject("signature"); if (signature.isNullObject()) { return FormValidation.error("No signature block found in update center '" + getId() + "'"); } o.remove("signature"); List<X509Certificate> certs = new ArrayList<X509Certificate>(); {// load and verify certificates CertificateFactory cf = CertificateFactory.getInstance("X509"); for (Object cert : signature.getJSONArray("certificates")) { X509Certificate c = (X509Certificate) cf.generateCertificate( new ByteArrayInputStream(Base64.decode(cert.toString().toCharArray()))); try { c.checkValidity(); } catch (CertificateExpiredException e) { // even if the certificate isn't valid yet, // we'll proceed it anyway warning = FormValidation.warning(e, String.format( "Certificate %s has expired in update center '%s'", cert.toString(), getId())); } catch (CertificateNotYetValidException e) { warning = FormValidation.warning(e, String.format( "Certificate %s is not yet valid in update center '%s'", cert.toString(), getId())); } certs.add(c); } // all default root CAs in JVM are trusted, plus certs bundled in Jenkins Set<TrustAnchor> anchors = new HashSet<TrustAnchor>(); // CertificateUtil.getDefaultRootCAs(); ServletContext context = Hudson.getInstance().servletContext; anchors.add(new TrustAnchor(loadLicenseCaCertificate(), null)); for (String cert : (Set<String>) context.getResourcePaths("/WEB-INF/update-center-rootCAs")) { if (cert.endsWith(".txt")) { continue; // skip text files that are meant to be documentation } InputStream stream = context.getResourceAsStream(cert); if (stream != null) { try { anchors.add(new TrustAnchor((X509Certificate) cf.generateCertificate(stream), null)); } finally { IOUtils.closeQuietly(stream); } } } CertificateUtil.validatePath(certs, anchors); } // this is for computing a digest to check sanity MessageDigest sha1 = MessageDigest.getInstance("SHA1"); DigestOutputStream dos = new DigestOutputStream(new NullOutputStream(), sha1); // this is for computing a signature Signature sig = Signature.getInstance("SHA1withRSA"); sig.initVerify(certs.get(0)); SignatureOutputStream sos = new SignatureOutputStream(sig); // until JENKINS-11110 fix, UC used to serve invalid digest (and therefore unverifiable signature) // that only covers the earlier portion of the file. This was caused by the lack of close() call // in the canonical writing, which apparently leave some bytes somewhere that's not flushed to // the digest output stream. This affects Jenkins [1.424,1,431]. // Jenkins 1.432 shipped with the "fix" (1eb0c64abb3794edce29cbb1de50c93fa03a8229) that made it // compute the correct digest, but it breaks all the existing UC json metadata out there. We then // quickly discovered ourselves in the catch-22 situation. If we generate UC with the correct signature, // it'll cut off [1.424,1.431] from the UC. But if we don't, we'll cut off [1.432,*). // // In 1.433, we revisited 1eb0c64abb3794edce29cbb1de50c93fa03a8229 so that the original "digest"/"signature" // pair continues to be generated in a buggy form, while "correct_digest"/"correct_signature" are generated // correctly. // // Jenkins should ignore "digest"/"signature" pair. Accepting it creates a vulnerability that allows // the attacker to inject a fragment at the end of the json. o.writeCanonical(new OutputStreamWriter(new TeeOutputStream(dos, sos), "UTF-8")).close(); // did the digest match? this is not a part of the signature validation, but if we have a bug in the c14n // (which is more likely than someone tampering with update center), we can tell String computedDigest = new String(Base64.encode(sha1.digest())); String providedDigest = signature.optString("correct_digest"); if (providedDigest == null) { return FormValidation.error("No correct_digest parameter in update center '" + getId() + "'. This metadata appears to be old."); } if (!computedDigest.equalsIgnoreCase(providedDigest)) { return FormValidation.error("Digest mismatch: " + computedDigest + " vs " + providedDigest + " in update center '" + getId() + "'"); } String providedSignature = signature.getString("correct_signature"); if (!sig.verify(Base64.decode(providedSignature.toCharArray()))) { return FormValidation.error( "Signature in the update center doesn't match with the certificate in update center '" + getId() + "'"); } if (warning != null) { return warning; } return FormValidation.ok(); } catch (GeneralSecurityException e) { return FormValidation.error(e, "Signature verification failed in the update center '" + getId() + "'"); } }
From source file:org.ejbca.core.protocol.cmp.authentication.EndEntityCertificateAuthenticationModule.java
private boolean isExtraCertValid() { X509Certificate cert = (X509Certificate) extraCert; try {// ww w .java 2 s .c o m cert.checkValidity(); if (log.isDebugEnabled()) { log.debug("The certificate in extraCert is valid"); } } catch (CertificateExpiredException e) { this.errorMessage = "The certificate attached to the PKIMessage in the extraCert field in not valid."; if (log.isDebugEnabled()) { log.debug(this.errorMessage + " SubjectDN=" + CertTools.getSubjectDN(cert) + " - " + e.getLocalizedMessage()); } return false; } catch (CertificateNotYetValidException e) { this.errorMessage = "The certificate attached to the PKIMessage in the extraCert field in not valid."; if (log.isDebugEnabled()) { log.debug(this.errorMessage + " SubjectDN=" + CertTools.getSubjectDN(cert) + " - " + e.getLocalizedMessage()); } return false; } return true; }