List of usage examples for java.security.cert X509Certificate getPublicKey
public abstract PublicKey getPublicKey();
From source file:org.wso2.carbon.identity.oauth2.validators.OAuth2JWTTokenValidator.java
private boolean validateSignature(SignedJWT signedJWT, IdentityProvider idp) throws JOSEException, IdentityOAuth2Exception { JWSVerifier verifier = null;// www . ja va 2s .c o m JWSHeader header = signedJWT.getHeader(); X509Certificate x509Certificate = resolveSignerCertificate(header, idp); if (x509Certificate == null) { throw new IdentityOAuth2Exception( "Unable to locate certificate for Identity Provider: " + idp.getDisplayName()); } String alg = signedJWT.getHeader().getAlgorithm().getName(); if (StringUtils.isEmpty(alg)) { throw new IdentityOAuth2Exception("Algorithm must not be null."); } else { if (log.isDebugEnabled()) { log.debug("Signature Algorithm found in the Token Header: " + alg); } if (alg.indexOf(ALGO_PREFIX) == 0) { // At this point 'x509Certificate' will never be null. PublicKey publicKey = x509Certificate.getPublicKey(); if (publicKey instanceof RSAPublicKey) { verifier = new RSASSAVerifier((RSAPublicKey) publicKey); } else { throw new IdentityOAuth2Exception("Public key is not an RSA public key."); } } else { if (log.isDebugEnabled()) { log.debug("Signature Algorithm not supported yet: " + alg); } } if (verifier == null) { throw new IdentityOAuth2Exception( "Could not create a signature verifier for algorithm type: " + alg); } } boolean isValid = signedJWT.verify(verifier); if (log.isDebugEnabled()) { log.debug("Signature verified: " + isValid); } return isValid; }
From source file:org.wso2.carbon.identity.sso.saml.builders.X509CredentialImpl.java
public X509CredentialImpl(X509Certificate cert) { publicKey = cert.getPublicKey(); signingCert = cert; }
From source file:org.wso2.carbon.security.keystore.KeyStoreAdmin.java
private CertData fillCertData(X509Certificate cert, String alise, Format formatter) throws CertificateEncodingException { CertData certData = null;//from w ww. j a v a 2s .c o m if (includeCert) { certData = new CertDataDetail(); } else { certData = new CertData(); } certData.setAlias(alise); certData.setSubjectDN(cert.getSubjectDN().getName()); certData.setIssuerDN(cert.getIssuerDN().getName()); certData.setSerialNumber(cert.getSerialNumber()); certData.setVersion(cert.getVersion()); certData.setNotAfter(formatter.format(cert.getNotAfter())); certData.setNotBefore(formatter.format(cert.getNotBefore())); certData.setPublicKey(Base64.encode(cert.getPublicKey().getEncoded())); if (includeCert) { ((CertDataDetail) certData).setCertificate(cert); } return certData; }
From source file:org.wso2.carbon.security.util.ServerCrypto.java
@Override /**//from ww w . ja v a 2 s. c o m * @see org.apache.ws.security.components.crypto.Crypto#getSKIBytesFromCert(java.security.cert.X509Certificate) */ public byte[] getSKIBytesFromCert(X509Certificate cert) throws WSSecurityException { /* * Gets the DER-encoded OCTET string for the extension value (extnValue) * identified by the passed-in oid String. The oid string is represented * by a set of positive whole numbers separated by periods. */ byte[] derEncodedValue = cert.getExtensionValue(SKI_OID); if (cert.getVersion() < 3 || derEncodedValue == null) { PublicKey key = cert.getPublicKey(); if (!(key instanceof RSAPublicKey)) { throw new WSSecurityException(1, "noSKIHandling", new Object[] { "Support for RSA key only" }); } byte[] encoded = key.getEncoded(); // remove 22-byte algorithm ID and header byte[] value = new byte[encoded.length - 22]; System.arraycopy(encoded, 22, value, 0, value.length); MessageDigest sha; try { sha = MessageDigest.getInstance("SHA-1"); } catch (NoSuchAlgorithmException ex) { throw new WSSecurityException(1, "noSKIHandling", new Object[] { "Wrong certificate version (<3) and no " + "SHA1 message digest availabe" }); } sha.reset(); sha.update(value); return sha.digest(); } /** * Strip away first four bytes from the DerValue (tag and length of * ExtensionValue OCTET STRING and KeyIdentifier OCTET STRING) */ byte abyte0[] = new byte[derEncodedValue.length - 4]; System.arraycopy(derEncodedValue, 4, abyte0, 0, abyte0.length); return abyte0; }
From source file:org.wso2.carbon.webapp.ext.cxf.crypto.CXFServerCrypto.java
/** * @see org.apache.ws.security.components.crypto.Crypto#getSKIBytesFromCert(java.security.cert.X509Certificate) */// www .j a v a 2 s . com public byte[] getSKIBytesFromCert(X509Certificate cert) throws WSSecurityException { /* * Gets the DER-encoded OCTET string for the extension value (extnValue) * identified by the passed-in oid String. The oid string is represented * by a set of positive whole numbers separated by periods. */ byte[] derEncodedValue = cert.getExtensionValue(SKI_OID); if (cert.getVersion() < 3 || derEncodedValue == null) { PublicKey key = cert.getPublicKey(); if (!(key instanceof RSAPublicKey)) { throw new WSSecurityException(1, "noSKIHandling", new Object[] { "Support for RSA key only" }); } byte[] encoded = key.getEncoded(); // remove 22-byte algorithm ID and header byte[] value = new byte[encoded.length - 22]; System.arraycopy(encoded, 22, value, 0, value.length); MessageDigest sha; try { sha = MessageDigest.getInstance("SHA-1"); } catch (NoSuchAlgorithmException ex) { throw new WSSecurityException(1, "noSKIHandling", new Object[] { "Wrong certificate version (<3) and no " + "SHA1 message digest availabe" }); } sha.reset(); sha.update(value); return sha.digest(); } /** * Strip away first four bytes from the DerValue (tag and length of * ExtensionValue OCTET STRING and KeyIdentifier OCTET STRING) */ byte abyte0[] = new byte[derEncodedValue.length - 4]; System.arraycopy(derEncodedValue, 4, abyte0, 0, abyte0.length); return abyte0; }
From source file:org.xdi.oxauth.cert.validation.CRLCertificateVerifier.java
private boolean validateCRL(X509CRL x509crl, X509Certificate certificate, X509Certificate issuerCertificate, Date validationDate) {/*from ww w. j av a2 s . c om*/ Principal subjectX500Principal = certificate.getSubjectX500Principal(); if (x509crl == null) { log.error("No CRL found for certificate '" + subjectX500Principal + "'"); return false; } if (log.isTraceEnabled()) { try { log.trace("CRL number: " + getCrlNumber(x509crl)); } catch (IOException ex) { log.error("Failed to get CRL number", ex); } } if (!x509crl.getIssuerX500Principal().equals(issuerCertificate.getSubjectX500Principal())) { log.error("The CRL must be signed by the issuer '" + subjectX500Principal + "' but instead is signed by '" + x509crl.getIssuerX500Principal() + "'"); return false; } try { x509crl.verify(issuerCertificate.getPublicKey()); } catch (Exception ex) { log.error("The signature verification for CRL cannot be performed", ex); return false; } log.debug("CRL validationDate: " + validationDate); log.debug("CRL nextUpdate: " + x509crl.getThisUpdate()); log.debug("CRL thisUpdate: " + x509crl.getNextUpdate()); if (x509crl.getNextUpdate() != null && validationDate.after(x509crl.getNextUpdate())) { log.error("CRL is too old"); return false; } if (issuerCertificate.getKeyUsage() == null) { log.error("There is no KeyUsage extension for certificate '" + subjectX500Principal + "'"); return false; } if (!issuerCertificate.getKeyUsage()[6]) { log.error("cRLSign bit is not set for CRL certificate'" + subjectX500Principal + "'"); return false; } return true; }
From source file:org.xdi.oxauth.model.util.JwtUtil.java
public static boolean verifySignatureRS256(byte[] signingInput, byte[] sigBytes, X509Certificate cert) throws NoSuchProviderException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, IOException { PublicKey publicKey = cert.getPublicKey(); Cipher cipher = Cipher.getInstance("RSA/None/PKCS1Padding", "BC"); cipher.init(Cipher.DECRYPT_MODE, publicKey); byte[] decSig = cipher.doFinal(sigBytes); ASN1InputStream aIn = new ASN1InputStream(decSig); try {//from w ww . j a v a 2s . c o m ASN1Sequence seq = (ASN1Sequence) aIn.readObject(); MessageDigest hash = MessageDigest.getInstance("SHA-256", "BC"); hash.update(signingInput); ASN1OctetString sigHash = (ASN1OctetString) seq.getObjectAt(1); return MessageDigest.isEqual(hash.digest(), sigHash.getOctets()); } finally { IOUtils.closeQuietly(aIn); } }
From source file:org.xdi.oxauth.model.util.JwtUtil.java
public static boolean verifySignatureRS384(byte[] signingInput, byte[] sigBytes, X509Certificate cert) throws NoSuchProviderException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, IOException { PublicKey publicKey = cert.getPublicKey(); Cipher cipher = Cipher.getInstance("RSA/None/PKCS1Padding", "BC"); cipher.init(Cipher.DECRYPT_MODE, publicKey); byte[] decSig = cipher.doFinal(sigBytes); ASN1InputStream aIn = new ASN1InputStream(decSig); try {/*from ww w. j a v a 2 s . c o m*/ ASN1Sequence seq = (ASN1Sequence) aIn.readObject(); MessageDigest hash = MessageDigest.getInstance("SHA-384", "BC"); hash.update(signingInput); ASN1OctetString sigHash = (ASN1OctetString) seq.getObjectAt(1); return MessageDigest.isEqual(hash.digest(), sigHash.getOctets()); } finally { IOUtils.closeQuietly(aIn); } }
From source file:org.xdi.oxauth.model.util.JwtUtil.java
public static boolean verifySignatureRS512(byte[] signingInput, byte[] sigBytes, X509Certificate cert) throws NoSuchProviderException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, IOException { PublicKey publicKey = cert.getPublicKey(); Cipher cipher = Cipher.getInstance("RSA/None/PKCS1Padding", "BC"); cipher.init(Cipher.DECRYPT_MODE, publicKey); byte[] decSig = cipher.doFinal(sigBytes); ASN1InputStream aIn = new ASN1InputStream(decSig); try {// w w w. j a v a2s. c o m ASN1Sequence seq = (ASN1Sequence) aIn.readObject(); MessageDigest hash = MessageDigest.getInstance("SHA-512", "BC"); hash.update(signingInput); ASN1OctetString sigHash = (ASN1OctetString) seq.getObjectAt(1); return MessageDigest.isEqual(hash.digest(), sigHash.getOctets()); } finally { IOUtils.closeQuietly(aIn); } }
From source file:org.xdi.oxauth.model.util.JwtUtil.java
public static boolean verifySignatureES256(byte[] signingInput, byte[] sigBytes, X509Certificate cert) throws NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, SignatureException { PublicKey publicKey = cert.getPublicKey(); Signature signature = Signature.getInstance("SHA256WITHECDSA", "BC"); signature.initVerify(publicKey);/* w w w . j a va 2 s.co m*/ signature.update(signingInput); return signature.verify(sigBytes); }