List of usage examples for java.security.cert X509Certificate getPublicKey
public abstract PublicKey getPublicKey();
From source file:com.vmware.identity.openidconnect.server.PersonUserAuthenticator.java
public PersonUser authenticateByPersonUserCertificate(String tenant, X509Certificate personUserCertificate, PersonUserAssertion personUserAssertion, long assertionLifetimeMs, URI requestUri, long clockToleranceMS) throws InvalidCredentialsException, ServerException { Validate.notEmpty(tenant, "tenant"); Validate.notNull(personUserCertificate, "personUserCertificate"); Validate.notNull(personUserAssertion, "personUserAssertion"); Validate.isTrue(assertionLifetimeMs > 0, "assertionLifetimeMs > 0"); Validate.notNull(requestUri, "requestUri"); Validate.isTrue(clockToleranceMS >= 0, "clockToleranceMS >= 0"); if (!("RSA").equals(personUserCertificate.getPublicKey().getAlgorithm())) { throw new ServerException(ErrorObject.invalidGrant("certificate should use RSA for signature")); }/*from w w w . ja v a 2 s . c o m*/ try { if (!personUserAssertion.hasValidSignature((RSAPublicKey) personUserCertificate.getPublicKey())) { throw new ServerException( ErrorObject.invalidGrant("person_user_assertion has an invalid signature")); } } catch (JOSEException e) { throw new ServerException( ErrorObject.serverError("error while verifying person_user_assertion signature"), e); } String errorDescription = personUserAssertion.validate(assertionLifetimeMs, requestUri, clockToleranceMS); if (errorDescription != null) { throw new ServerException(ErrorObject.invalidGrant(errorDescription)); } return authenticateByPersonUserCertificate(tenant, Collections.singletonList(personUserCertificate)); }
From source file:org.apache.cxf.fediz.service.idp.protocols.TrustedIdpSAMLProtocolHandler.java
/** * Sign a request according to the redirect binding spec for Web SSO *///from w w w. j a v a2s.c o m private void signRequest(String authnRequest, String relayState, Idp config, UriBuilder ub) throws Exception { Crypto crypto = getCrypto(config.getCertificate()); if (crypto == null) { LOG.error("No crypto instance of properties file configured for signature"); throw new IllegalStateException("Invalid IdP configuration"); } String alias = crypto.getDefaultX509Identifier(); X509Certificate cert = CertsUtils.getX509Certificate(crypto, alias); if (cert == null) { LOG.error("No cert was found to sign the request using alias: " + alias); throw new IllegalStateException("Invalid IdP configuration"); } String sigAlgo = SSOConstants.RSA_SHA1; String pubKeyAlgo = cert.getPublicKey().getAlgorithm(); String jceSigAlgo = "SHA1withRSA"; LOG.debug("automatic sig algo detection: " + pubKeyAlgo); if (pubKeyAlgo.equalsIgnoreCase("DSA")) { sigAlgo = SSOConstants.DSA_SHA1; jceSigAlgo = "SHA1withDSA"; } LOG.debug("Using Signature algorithm " + sigAlgo); ub.queryParam(SSOConstants.SIG_ALG, URLEncoder.encode(sigAlgo, "UTF-8")); // Get the password String password = config.getCertificatePassword(); // Get the private key PrivateKey privateKey = crypto.getPrivateKey(alias, password); // Sign the request Signature signature = Signature.getInstance(jceSigAlgo); signature.initSign(privateKey); String requestToSign = SSOConstants.SAML_REQUEST + "=" + authnRequest + "&" + SSOConstants.RELAY_STATE + "=" + relayState + "&" + SSOConstants.SIG_ALG + "=" + URLEncoder.encode(sigAlgo, "UTF-8"); signature.update(requestToSign.getBytes("UTF-8")); byte[] signBytes = signature.sign(); String encodedSignature = Base64.encode(signBytes); ub.queryParam(SSOConstants.SIGNATURE, URLEncoder.encode(encodedSignature, "UTF-8")); }
From source file:mitm.common.security.smime.handler.SMIMEInfoHandlerImpl.java
private boolean verifySignature(Part part, int signerIndex, SignerInfo signer, X509Certificate signingCertificate, int level) throws MessagingException { boolean valid = false; try {/* w w w . j a v a 2s . c om*/ /* * check if the message can be verified using the public key of the signer. */ if (!signer.verify(signingCertificate.getPublicKey())) { throw new SignerInfoException("Message content cannot be verified with the signers public key."); } setHeader(SMIMESecurityInfoHeader.SIGNER_VERIFIED + signerIndex, "True", level, part); valid = true; } catch (SignerInfoException e) { String info = "Signature could not be verified. Message: " + e.getMessage(); if (logger.isDebugEnabled()) { logger.warn(info, e); } else { logger.warn(info); } setHeader(SMIMESecurityInfoHeader.SIGNER_VERIFIED + signerIndex, "False", level, part); setHeader(SMIMESecurityInfoHeader.SIGNER_VERIFICATION_INFO + signerIndex, info, level, part); } return valid; }
From source file:gov.nih.nci.firebird.service.signing.DigitalSigningHelper.java
/** * Generate intermediate certificate signed by CA. * * @param publicKey/*from ww w . j a v a 2 s .com*/ * Public key. * @param caPrivateKey * Private key. * @param caDistinguishedName * Issuer's Distinguished Name.. * @param distinguishedName * User's Distinguished Name. * @param serialNumber * Unique serial number. * @param validDays * valid Days. * @param friendName * Set a friendly name for the certificate. Can be null. * * @throws DigitalSigningException * Customized exception with error message. * * @return a Certificate. */ @SuppressWarnings({ "PMD.ExcessiveParameterList", "PMD.AvoidCatchingGenericException" }) // This is minimal parameter list. // same handling for multiple exception types Certificate generateUserCert(PublicKey publicKey, PrivateKey caPrivateKey, X509Certificate caCert, DigitalSigningDistinguishedName distinguishedName, long serialNumber, int validDays) throws DigitalSigningException { try { X509V3CertificateGenerator v3CertGen = buildX509V3CertificateGenerator(publicKey, caCert, distinguishedName, serialNumber, validDays); X509Certificate cert = v3CertGen.generate(caPrivateKey, BOUNCY_CASTLE_PROVIDER); cert.checkValidity(new Date()); cert.verify(caCert.getPublicKey()); PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert; bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString("User Certificate")); bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, new SubjectKeyIdentifierStructure(publicKey)); return cert; } catch (Exception e) { throw new DigitalSigningException(CERT_GENERATION_ERROR_MESSAGE, e); } }
From source file:be.fedict.eid.applet.service.impl.handler.SignatureDataMessageHandler.java
public Object handleMessage(SignatureDataMessage message, Map<String, String> httpHeaders, HttpServletRequest request, HttpSession session) throws ServletException { LOG.debug("signature data message received"); byte[] signatureValue = message.signatureValue; List<X509Certificate> certificateChain = message.certificateChain; if (certificateChain.isEmpty()) { throw new ServletException("certificate chain is empty"); }/*w ww . jav a 2 s. c o m*/ X509Certificate signingCertificate = certificateChain.get(0); if (null == signingCertificate) { throw new ServletException("non-repudiation certificate missing"); } LOG.debug("non-repudiation signing certificate: " + signingCertificate.getSubjectX500Principal()); for (X509Certificate certificate : certificateChain) { LOG.debug("signing x509 cert: " + certificate.getSubjectX500Principal()); } PublicKey signingPublicKey = signingCertificate.getPublicKey(); /* * Verify the signature. */ String digestAlgo = SignatureDataMessageHandler.getDigestAlgo(session); byte[] expectedDigestValue = SignatureDataMessageHandler.getDigestValue(session); if (digestAlgo.endsWith("-PSS")) { LOG.debug("verifying RSA/PSS signature"); try { Signature signature = Signature.getInstance("RAWRSASSA-PSS", BouncyCastleProvider.PROVIDER_NAME); if ("SHA-256-PSS".equals(digestAlgo)) { LOG.debug("RSA/PSS SHA256"); signature.setParameter( new PSSParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), 32, 1)); } signature.initVerify(signingPublicKey); signature.update(expectedDigestValue); boolean result = signature.verify(signatureValue); if (false == result) { throw new SecurityException("signature incorrect"); } } catch (Exception e) { LOG.debug("signature verification error: " + e.getMessage(), e); throw new ServletException("signature verification error: " + e.getMessage(), e); } } else { try { Signature signature = Signature.getInstance("RawRSA", BouncyCastleProvider.PROVIDER_NAME); signature.initVerify(signingPublicKey); ByteArrayOutputStream digestInfo = new ByteArrayOutputStream(); if ("SHA-1".equals(digestAlgo) || "SHA1".equals(digestAlgo)) { digestInfo.write(SHA1_DIGEST_INFO_PREFIX); } else if ("SHA-224".equals(digestAlgo)) { digestInfo.write(SHA224_DIGEST_INFO_PREFIX); } else if ("SHA-256".equals(digestAlgo)) { digestInfo.write(SHA256_DIGEST_INFO_PREFIX); } else if ("SHA-384".equals(digestAlgo)) { digestInfo.write(SHA384_DIGEST_INFO_PREFIX); } else if ("SHA-512".equals(digestAlgo)) { digestInfo.write(SHA512_DIGEST_INFO_PREFIX); } else if ("RIPEMD160".equals(digestAlgo)) { digestInfo.write(RIPEMD160_DIGEST_INFO_PREFIX); } else if ("RIPEMD128".equals(digestAlgo)) { digestInfo.write(RIPEMD128_DIGEST_INFO_PREFIX); } else if ("RIPEMD256".equals(digestAlgo)) { digestInfo.write(RIPEMD256_DIGEST_INFO_PREFIX); } digestInfo.write(expectedDigestValue); signature.update(digestInfo.toByteArray()); boolean result = signature.verify(signatureValue); if (false == result) { AuditService auditService = this.auditServiceLocator.locateService(); if (null != auditService) { String remoteAddress = request.getRemoteAddr(); auditService.signatureError(remoteAddress, signingCertificate); } throw new SecurityException("signature incorrect"); } } catch (Exception e) { LOG.debug("signature verification error: " + e.getMessage()); throw new ServletException("signature verification error: " + e.getMessage(), e); } } AuditService auditService = this.auditServiceLocator.locateService(); if (null != auditService) { String userId = UserIdentifierUtil.getUserId(signingCertificate); auditService.signed(userId); } SignatureService signatureService = this.signatureServiceLocator.locateService(); try { signatureService.setHttpSessionObject(request.getSession()); signatureService.postSign(signatureValue, certificateChain); } catch (ExpiredCertificateSecurityException e) { return new FinishedMessage(ErrorCode.CERTIFICATE_EXPIRED); } catch (RevokedCertificateSecurityException e) { return new FinishedMessage(ErrorCode.CERTIFICATE_REVOKED); } catch (TrustCertificateSecurityException e) { return new FinishedMessage(ErrorCode.CERTIFICATE_NOT_TRUSTED); } catch (CertificateSecurityException e) { return new FinishedMessage(ErrorCode.CERTIFICATE); } catch (Exception e) { /* * We don't want to depend on the full JavaEE profile in this * artifact. */ if ("javax.ejb.EJBException".equals(e.getClass().getName())) { Exception exception; try { Method getCausedByExceptionMethod = e.getClass().getMethod("getCausedByException", new Class[] {}); exception = (Exception) getCausedByExceptionMethod.invoke(e, new Object[] {}); } catch (Exception e2) { LOG.debug("error: " + e.getMessage(), e); throw new SecurityException("error retrieving the root cause: " + e2.getMessage()); } if (exception instanceof ExpiredCertificateSecurityException) { return new FinishedMessage(ErrorCode.CERTIFICATE_EXPIRED); } if (exception instanceof RevokedCertificateSecurityException) { return new FinishedMessage(ErrorCode.CERTIFICATE_REVOKED); } if (exception instanceof TrustCertificateSecurityException) { return new FinishedMessage(ErrorCode.CERTIFICATE_NOT_TRUSTED); } if (exception instanceof CertificateSecurityException) { return new FinishedMessage(ErrorCode.CERTIFICATE); } } throw new SecurityException("signature service error: " + e.getMessage(), e); } return new FinishedMessage(); }
From source file:it.cnr.icar.eric.server.security.authentication.AuthenticationServiceImpl.java
private void loadPublicKeyToCertMap() throws RegistryException { try {/* ww w.j a v a 2s . c o m*/ KeyStore store = getKeyStore(); for (Enumeration<String> e = store.aliases(); e.hasMoreElements();) { String alias = e.nextElement(); X509Certificate cert = (X509Certificate) store.getCertificate(alias); PublicKey publicKey = cert.getPublicKey(); publicKeyToCertMap.put(publicKey, cert); } } catch (KeyStoreException e) { throw new RegistryException(e); } }
From source file:com.aqnote.shared.encrypt.cert.gen.BCCertGenerator.java
public X509Certificate createClass3RootCert(KeyPair keyPair, PrivateKey ppk, X509Certificate caCert) throws Exception { X500Name idn = CertificateUtil.getSubject(caCert); BigInteger sno = BigInteger.valueOf(5); Date nb = new Date(System.currentTimeMillis() - HALF_DAY); Date na = new Date(nb.getTime() + TWENTY_YEAR); X500Name sdn = X500NameUtil.createClass3RootPrincipal(); PublicKey pubKey = keyPair.getPublic(); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(idn, sno, nb, na, sdn, pubKey); addSubjectKID(certBuilder, pubKey);//from ww w. j a v a 2 s. c o m addAuthorityKID(certBuilder, caCert.getPublicKey()); certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(Boolean.TRUE)); X509Certificate certificate = signCert(certBuilder, ppk); certificate.checkValidity(new Date()); certificate.verify(caCert.getPublicKey()); setPKCS9Info(certificate); return certificate; }
From source file:com.aqnote.shared.encrypt.cert.gen.BCCertGenerator.java
public X509Certificate createClass1CaCert(KeyPair keyPair, PrivateKey ppk, X509Certificate caCert) throws Exception { X500Name idn = CertificateUtil.getSubject(caCert); BigInteger sno = BigInteger.valueOf(3); Date nb = new Date(System.currentTimeMillis() - HALF_DAY); Date na = new Date(nb.getTime() + TWENTY_YEAR); X500Name sdn = X500NameUtil.createClass1RootPrincipal(); PublicKey pubKey = keyPair.getPublic(); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(idn, sno, nb, na, sdn, pubKey); addSubjectKID(certBuilder, pubKey);/*from www .j a v a 2 s . c om*/ addAuthorityKID(certBuilder, caCert.getPublicKey()); certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(3)); certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(BASE_EKU)); X509Certificate certificate = signCert(certBuilder, ppk); certificate.checkValidity(new Date()); certificate.verify(caCert.getPublicKey()); setPKCS9Info(certificate); return certificate; }
From source file:edu.duke.cabig.c3pr.web.security.SecureWebServiceHandler.java
/** * @param cert/*from ww w . j a va 2 s . c om*/ * @param crypto * @throws SignatureException * @throws NoSuchProviderException * @throws NoSuchAlgorithmException * @throws CertificateException * @throws InvalidKeyException * @throws WSSecurityException */ private void checkCertificateValidity(X509Certificate cert, Crypto crypto) throws InvalidKeyException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, WSSecurityException { //cert.checkValidity(); String subjectdn = cert.getSubjectDN().getName(); String issuerdn = cert.getIssuerDN().getName(); if (subjectdn.equals(issuerdn)) { log.debug("This is a self-signed certificate. Verifying signature..."); cert.verify(cert.getPublicKey()); } else { X509Certificate signingcert = getIssuerCert(cert, crypto); if (signingcert != null) { checkCertificateValidity(signingcert, crypto); cert.verify(signingcert.getPublicKey()); } else { log.warn( "Unable to check the signature of the certificate, because the issuer's certificate is not found. Certificate: " + cert); } } }
From source file:gov.va.med.imaging.proxy.ssl.AuthSSLProtocolSocketFactory.java
private void logCertificateContents(Certificate cert) { if (cert instanceof X509Certificate) { X509Certificate x509Cert = (X509Certificate) cert; Logger.getLogger(AuthSSLProtocolSocketFactory.class).debug(" X509 Certificate :"); Logger.getLogger(AuthSSLProtocolSocketFactory.class).debug(" Subject DN: " + x509Cert.getSubjectDN()); Logger.getLogger(AuthSSLProtocolSocketFactory.class) .debug(" Signature Algorithm: " + x509Cert.getSigAlgName()); Logger.getLogger(AuthSSLProtocolSocketFactory.class) .debug(" Signature: " + x509Cert.getPublicKey().toString()); Logger.getLogger(AuthSSLProtocolSocketFactory.class).debug(" Valid from: " + x509Cert.getNotBefore()); Logger.getLogger(AuthSSLProtocolSocketFactory.class).debug(" Valid until: " + x509Cert.getNotAfter()); Logger.getLogger(AuthSSLProtocolSocketFactory.class).debug(" Issuer: " + x509Cert.getIssuerDN()); } else// ww w . j av a2 s . c o m Logger.getLogger(AuthSSLProtocolSocketFactory.class).debug(" Certificate :" + cert.getType()); }