List of usage examples for java.security.cert X509Certificate getSigAlgName
public abstract String getSigAlgName();
From source file:org.ovirt.engine.core.utils.ssl.AuthSSLProtocolSocketFactory.java
private SSLContext createSSLContext() { try {//from ww w . java 2 s .c o m KeyManager[] keymanagers = null; TrustManager[] trustmanagers = null; if (this.keystoreUrl != null) { KeyStore keystore = createKeyStore(this.keystoreUrl, this.keystorePassword); if (LOG.isDebugEnabled()) { Enumeration<String> aliases = keystore.aliases(); while (aliases.hasMoreElements()) { String alias = aliases.nextElement(); Certificate[] certs = keystore.getCertificateChain(alias); if (certs != null) { LOG.debug("Certificate chain '" + alias + "':"); for (int c = 0; c < certs.length; c++) { if (certs[c] instanceof X509Certificate) { X509Certificate cert = (X509Certificate) certs[c]; LOG.debug(" Certificate " + (c + 1) + ":"); LOG.debug(" Subject DN: " + cert.getSubjectDN()); LOG.debug(" Signature Algorithm: " + cert.getSigAlgName()); LOG.debug(" Valid from: " + cert.getNotBefore()); LOG.debug(" Valid until: " + cert.getNotAfter()); LOG.debug(" Issuer: " + cert.getIssuerDN()); } } } } } keymanagers = createKeyManagers(keystore, this.keystorePassword); } if (this.truststoreUrl != null) { KeyStore keystore = createKeyStore(this.truststoreUrl, this.truststorePassword); if (LOG.isDebugEnabled()) { Enumeration<String> aliases = keystore.aliases(); while (aliases.hasMoreElements()) { String alias = aliases.nextElement(); LOG.debug("Trusted certificate '" + alias + "':"); Certificate trustedcert = keystore.getCertificate(alias); if (trustedcert != null && trustedcert instanceof X509Certificate) { X509Certificate cert = (X509Certificate) trustedcert; LOG.debug(" Subject DN: " + cert.getSubjectDN()); LOG.debug(" Signature Algorithm: " + cert.getSigAlgName()); LOG.debug(" Valid from: " + cert.getNotBefore()); LOG.debug(" Valid until: " + cert.getNotAfter()); LOG.debug(" Issuer: " + cert.getIssuerDN()); } } } trustmanagers = createTrustManagers(keystore); } SSLContext sslcontext = SSLContext.getInstance("SSLv3"); sslcontext.init(keymanagers, trustmanagers, null); return sslcontext; } catch (NoSuchAlgorithmException e) { LOG.error(e.getMessage(), e); throw new AuthSSLInitializationException("Unsupported algorithm exception: " + e.getMessage()); } catch (KeyStoreException e) { LOG.error(e.getMessage(), e); throw new AuthSSLInitializationException("Keystore exception: " + e.getMessage()); } catch (GeneralSecurityException e) { LOG.error(e.getMessage(), e); throw new AuthSSLInitializationException("Key management exception: " + e.getMessage()); } catch (IOException e) { LOG.error(e.getMessage(), e); throw new AuthSSLInitializationException( "I/O error reading keystore/truststore file: " + e.getMessage()); } }
From source file:it.greenvulcano.gvesb.http.ssl.AuthSSLProtocolSocketFactory.java
private SSLContext createSSLContext() { try {//from w w w . j av a 2s . c om KeyManager[] keymanagers = null; TrustManager[] trustmanagers = null; if (this.keystoreID != null) { KeyStore keystore = createKeyStore(this.keystoreID); if (logger.isDebugEnabled()) { Enumeration<String> aliases = keystore.aliases(); while (aliases.hasMoreElements()) { String alias = aliases.nextElement(); Certificate[] certs = keystore.getCertificateChain(alias); if (certs != null) { logger.debug("Certificate chain '" + alias + "':"); for (int c = 0; c < certs.length; c++) { if (certs[c] instanceof X509Certificate) { X509Certificate cert = (X509Certificate) certs[c]; logger.debug(" Certificate " + (c + 1) + ":"); logger.debug(" Subject DN: " + cert.getSubjectDN()); logger.debug(" Signature Algorithm: " + cert.getSigAlgName()); logger.debug(" Valid from: " + cert.getNotBefore()); logger.debug(" Valid until: " + cert.getNotAfter()); logger.debug(" Issuer: " + cert.getIssuerDN()); } } } } } keymanagers = createKeyManagers(keystore, this.keyPassword); } if (this.truststoreID != null) { KeyStore keystore = createKeyStore(this.truststoreID); if (logger.isDebugEnabled()) { Enumeration<String> aliases = keystore.aliases(); while (aliases.hasMoreElements()) { String alias = aliases.nextElement(); logger.debug("Trusted certificate '" + alias + "':"); Certificate trustedcert = keystore.getCertificate(alias); if (trustedcert != null && trustedcert instanceof X509Certificate) { X509Certificate cert = (X509Certificate) trustedcert; logger.debug(" Subject DN: " + cert.getSubjectDN()); logger.debug(" Signature Algorithm: " + cert.getSigAlgName()); logger.debug(" Valid from: " + cert.getNotBefore()); logger.debug(" Valid until: " + cert.getNotAfter()); logger.debug(" Issuer: " + cert.getIssuerDN()); } } } trustmanagers = createTrustManagers(keystore); } SSLContext sslctx = SSLContext.getInstance("SSL"); sslctx.init(keymanagers, trustmanagers, null); return sslctx; } catch (NoSuchAlgorithmException e) { logger.error(e.getMessage(), e); throw new AuthSSLInitializationError("Unsupported algorithm exception: " + e.getMessage()); } catch (KeyStoreException e) { logger.error(e.getMessage(), e); throw new AuthSSLInitializationError("Keystore exception: " + e.getMessage()); } catch (GeneralSecurityException e) { logger.error(e.getMessage(), e); throw new AuthSSLInitializationError("Key management exception: " + e.getMessage()); } catch (Exception e) { logger.error(e.getMessage(), e); throw new AuthSSLInitializationError("Error reading keystore/truststore file: " + e.getMessage()); } }
From source file:gov.va.med.imaging.proxy.ssl.AuthSSLProtocolSocketFactory.java
private void logCertificateContents(Certificate cert) { if (cert instanceof X509Certificate) { X509Certificate x509Cert = (X509Certificate) cert; Logger.getLogger(AuthSSLProtocolSocketFactory.class).debug(" X509 Certificate :"); Logger.getLogger(AuthSSLProtocolSocketFactory.class).debug(" Subject DN: " + x509Cert.getSubjectDN()); Logger.getLogger(AuthSSLProtocolSocketFactory.class) .debug(" Signature Algorithm: " + x509Cert.getSigAlgName()); Logger.getLogger(AuthSSLProtocolSocketFactory.class) .debug(" Signature: " + x509Cert.getPublicKey().toString()); Logger.getLogger(AuthSSLProtocolSocketFactory.class).debug(" Valid from: " + x509Cert.getNotBefore()); Logger.getLogger(AuthSSLProtocolSocketFactory.class).debug(" Valid until: " + x509Cert.getNotAfter()); Logger.getLogger(AuthSSLProtocolSocketFactory.class).debug(" Issuer: " + x509Cert.getIssuerDN()); } else/*from ww w. j a v a 2s . c o m*/ Logger.getLogger(AuthSSLProtocolSocketFactory.class).debug(" Certificate :" + cert.getType()); }
From source file:org.ejbca.ui.cli.HSMKeyTool.java
private static boolean doIt(final String[] orgArgs) throws Exception { // Get and remove optional switches final List<String> argsList = CliTools.getAsModifyableList(orgArgs); final KeyStore.ProtectionParameter protectionParameter; final String password = CliTools.getAndRemoveParameter("-password", argsList); if (password != null) { protectionParameter = new KeyStore.PasswordProtection(password.toCharArray()); } else {/*from w ww. ja v a 2s .c om*/ protectionParameter = null; } final String[] args = CliTools.getAsArgs(argsList); if (args[1].toLowerCase().trim().contains(GENERATE_BATCH_SWITCH)) { if (args.length < 4) { printCommandString(args, "<name of batch file> [", TOKEN_ID_PARAM, "]"); printTokenIdDescription(); sunConfigFileUseDescription(); System.err.println( "The batch file is a file which specifies alias and key specification for each key to be generated."); System.err .println("Each row is starting with a key alias then the key specification is following."); System.err.println("The specification of the key is done like this: " + KEY_SPEC_DESC); tooFewArguments(args); } final String storeId; final Pkcs11SlotLabelType slotType; if (args.length > 4) { storeId = trimStoreId(args[4]); slotType = getTokenLabelType(args[4]); } else { storeId = null; slotType = Pkcs11SlotLabelType.SUN_FILE; } final KeyStoreTools store = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter, "batch-" + new Date().getTime()); generateBatch(args[3], store); return true; } if (args[1].toLowerCase().trim().contains(GENERATE_SWITCH)) { if (args.length < 4) { printCommandString(args, Character.valueOf('<'), KEY_SPEC_DESC, "> <key entry name> [", TOKEN_ID_PARAM, "]"); printTokenIdDescription(); sunConfigFileUseDescription(); tooFewArguments(args); } final String keyEntryName = args.length > 4 ? args[4] : "myKey"; final String storeId; final Pkcs11SlotLabelType slotType; if (args.length > 5) { storeId = trimStoreId(args[5]); slotType = getTokenLabelType(args[5]); } else { storeId = null; slotType = Pkcs11SlotLabelType.SUN_FILE; } System.out.println("Using Slot Reference Type: " + slotType + '.'); final KeyStoreTools store = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter, "priv-" + keyEntryName); store.generateKeyPair(args[3], keyEntryName); System.out.println("Created certificate with entry " + keyEntryName + '.'); return true; } if (args[1].toLowerCase().trim().equals(DELETE_SWITCH)) { if (args.length < 4) { printCommandString(args, TOKEN_ID_PARAM, " [<key entry name>]"); printTokenIdDescription(); tooFewArguments(args); } final String alias = args.length > 4 ? args[4] : null; System.out.println("Deleting certificate with alias " + alias + '.'); final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter) .deleteEntry(alias); return true; } if (args[1].toLowerCase().trim().equals(CERT_REQ)) { // First we check if we have a switch for "-explicitecc" for explicit ecc parameters used in ICAO epassports. final List<String> argsListLocal = CliTools.getAsModifyableList(args); final boolean explicitEccParameters = argsListLocal.remove("-explicitecc"); final boolean forAllKeys = argsListLocal.remove("-all"); final String modArgs[] = argsListLocal.toArray(new String[argsListLocal.size()]); if (modArgs.length < 4 || (modArgs.length < 5 && !forAllKeys)) { printCommandString(args, TOKEN_ID_PARAM, " <key entry name> [<CN>] [-explicitecc]"); printCommandString(args, TOKEN_ID_PARAM, " [-all] [-explicitecc]"); printTokenIdDescription(); tooFewArguments(modArgs); } final String storeId = trimStoreId(modArgs[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(modArgs[3]); final KeyStoreTools container = KeyStoreToolsFactory.getInstance(modArgs[2], storeId, slotType, null, protectionParameter); final List<String> entries; if (forAllKeys) { entries = new LinkedList<>(); final CachingKeyStoreWrapper ks = container.getKeyStore(); final Enumeration<String> aliases = ks.aliases(); while (aliases.hasMoreElements()) { final String alias = aliases.nextElement(); if (ks.isKeyEntry(alias)) { entries.add(alias); } } } else { entries = Collections.singletonList(modArgs[4]); } for (String entry : entries) { container.generateCertReq(entry, modArgs.length > 5 ? modArgs[5] : null, explicitEccParameters); } return true; } if (args[1].toLowerCase().trim().equals(INSTALL_CERT)) { if (args.length < 5) { printCommandString(args, TOKEN_ID_PARAM, " <certificate chain files in PEM format (one chain per file)>"); printTokenIdDescription(); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); final KeyStoreTools container = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter); boolean failure = false; for (int i = 4; i < args.length; i++) { try { container.installCertificate(args[i]); } catch (Exception ex) { failure = true; log.error("File " + args[i] + " failed.", ex); } } if (failure) { throw new Exception("At least one certificate could not be installed. See the log for more info."); } return true; } if (args[1].toLowerCase().trim().equals(INSTALL_TRUSTED_ROOT)) { if (args.length < 5) { printCommandString(args, TOKEN_ID_PARAM, " <trusted root certificate in PEM format>"); printTokenIdDescription(); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter) .installTrustedRoot(args[4]); return true; } if (args[1].toLowerCase().trim().equals(ENCRYPT_SWITCH)) { String symmAlgOid = CMSEnvelopedGenerator.AES128_CBC; if (args.length < 5) { System.err.println("There are two ways of doing the encryption:"); printCommandString(args, TOKEN_ID_PARAM, " <input file> <output file> <key alias> [optional symm algorithm oid]"); printCommandStringNoSharedLib(args, "<input file> <output file> <file with certificate with public key to use> [optional symm algorithm oid]"); printTokenIdDescription(); System.err.println( "Optional symmetric encryption algorithm OID can be for example 2.16.840.1.101.3.4.1.42 (AES256_CBC) or 1.2.392.200011.61.1.1.1.4 (CAMELLIA256_CBC). Default is to use AES256_CBC."); tooFewArguments(args); } if (args.length < 7) { Security.addProvider(new BouncyCastleProvider()); if (args.length > 5) { // We have a symmAlg as last parameter symmAlgOid = args[5]; } System.out.println("Using symmetric encryption algorithm: " + symmAlgOid); try (final InputStream certIS = new FileInputStream(args[4]); final InputStream is = new FileInputStream(args[2]); final OutputStream os = new FileOutputStream(args[3])) { final X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509") .generateCertificate(new BufferedInputStream(certIS)); CMS.encrypt(is, os, cert, symmAlgOid); } } else { if (args.length > 7) { // We have a symmAlg as last parameter symmAlgOid = args[7]; } System.out.println("Using symmstric encryption algorithm: " + symmAlgOid); final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); try (final InputStream is = new FileInputStream(args[4]); final OutputStream os = new FileOutputStream(args[5]);) { final Certificate cert = KeyStoreToolsFactory .getInstance(args[2], storeId, slotType, null, protectionParameter).getKeyStore() .getCertificate(args[6]); CMS.encrypt(is, os, (X509Certificate) cert, symmAlgOid); } } return true; } if (args[1].toLowerCase().trim().equals(DECRYPT_SWITCH)) { if (args.length < 7) { printCommandString(args, TOKEN_ID_PARAM, " <input file> <output file> <key alias>"); printTokenIdDescription(); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); try (final InputStream is = new FileInputStream(args[4]); final OutputStream os = new FileOutputStream(args[5])) { final KeyStoreTools keyStore = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter); CMS.decrypt(is, os, (PrivateKey) keyStore.getKeyStore().getKey(args[6], null), keyStore.getProviderName()); } return true; } if (args[1].toLowerCase().trim().equals(SIGN_SWITCH)) { if (args.length < 7) { printCommandString(args, TOKEN_ID_PARAM, " <input file> <output file> <key alias>"); printTokenIdDescription(); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); final KeyStoreTools keyStore = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter); final String alias = args[6]; final PrivateKey key = (PrivateKey) keyStore.getKeyStore().getKey(alias, null); final X509Certificate cert = (X509Certificate) keyStore.getKeyStore().getCertificate(alias); try (final InputStream is = new FileInputStream(args[4]); final OutputStream os = new FileOutputStream(args[5]);) { CMS.sign(is, os, key, keyStore.getProviderName(), cert); } return true; } if (args[1].toLowerCase().trim().equals(LINKCERT_SWITCH)) { if (args.length < 8) { printCommandString(args, TOKEN_ID_PARAM, " <old ca-cert> <new ca-cert> <output link-cert> <key alias> [<sig alg override>]"); printTokenIdDescription(); System.err.println(); System.err.println("Creates a link certificate that links the old and new certificate files."); System.err.println("You should use this command with the old HSM key. It does not need any"); System.err.println("access to the new key."); System.err.println(); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); final KeyStoreTools ksc = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter); final String alias = args[7]; final String oldCertPath = args[4]; final String newCertPath = args[5]; final String outputPath = args[6]; final String signProviderName = ksc.getProviderName(); final String sigAlgOverride = (args.length > 8 ? args[8] : "null"); // Parse certificates final byte[] oldCertBytes; try (final InputStream is = new FileInputStream(oldCertPath)) { oldCertBytes = IOUtils.toByteArray(is); } final byte[] newCertBytes; try (final InputStream is = new FileInputStream(newCertPath)) { newCertBytes = IOUtils.toByteArray(is); } final Certificate oldCert = CertTools.getCertfromByteArray(oldCertBytes, BouncyCastleProvider.PROVIDER_NAME, Certificate.class); final Certificate newCert = CertTools.getCertfromByteArray(newCertBytes, BouncyCastleProvider.PROVIDER_NAME, Certificate.class); final boolean isCVCA = (oldCert instanceof CardVerifiableCertificate); if (isCVCA != (newCert instanceof CardVerifiableCertificate)) { log.error("Error: Old and new certificates are not of the same type (X509 / CVC)"); return true; // = valid command-line syntax } System.out.println("Type of certificates: " + (isCVCA ? "CVC" : "X509")); // Detect name change final String oldDN = CertTools.getSubjectDN(oldCert); final String newDN = CertTools.getSubjectDN(newCert); System.out.println("Old DN: " + oldDN); System.out.println("New DN: " + newDN); final boolean nameChange; if (!oldDN.equals(newDN)) { if (isCVCA) { System.out.println("Name change detected."); } else { System.out.println("Name change detected. Will add Name Change extension."); } nameChange = true; } else { System.out.println("No name change detected."); nameChange = false; } final ByteArrayOutputStream baos = new ByteArrayOutputStream(); // Get new and old key final PublicKey newPubKey = newCert.getPublicKey(); if (newPubKey == null) { System.err.println("Error: Failed to extract public key from new certificate"); return true; } final Key oldKey = ksc.getKeyStore().getKey(alias, null); if (oldKey == null) { System.err.println("Error: Could not find the key named " + alias); return true; } final PrivateKey oldPrivKey = (PrivateKey) oldKey; if (isCVCA) { final CVCertificate oldCertCVC = ((CardVerifiableCertificate) oldCert).getCVCertificate(); final CVCertificate newCertCVC = ((CardVerifiableCertificate) newCert).getCVCertificate(); final String linkSigAlg; if (sigAlgOverride.equalsIgnoreCase("null")) { final OIDField oldKeyTypeOid = oldCertCVC.getCertificateBody().getPublicKey() .getObjectIdentifier(); linkSigAlg = AlgorithmUtil.getAlgorithmName(oldKeyTypeOid); } else { System.err.println("Error: Overriding the signature algorithm is not supported for CVC"); return true; } System.out.println("Using signature algorithm " + linkSigAlg); final HolderReferenceField caHolder = oldCertCVC.getCertificateBody().getHolderReference(); final CAReferenceField caRef = new CAReferenceField(caHolder.getCountry(), caHolder.getMnemonic(), caHolder.getSequence()); final HolderReferenceField certHolder = newCertCVC.getCertificateBody().getHolderReference(); final AuthorizationRole authRole = newCertCVC.getCertificateBody().getAuthorizationTemplate() .getAuthorizationField().getAuthRole(); final AccessRights rights = newCertCVC.getCertificateBody().getAuthorizationTemplate() .getAuthorizationField().getAccessRights(); final Date validFrom = new Date(new Date().getTime() - 60L * 15L * 1000L); // back date by 15 minutes to allow for clock skew final Date validTo = oldCertCVC.getCertificateBody().getValidTo(); final CVCertificate linkCert = CertificateGenerator.createCertificate(newPubKey, oldPrivKey, linkSigAlg, caRef, certHolder, authRole, rights, validFrom, validTo, signProviderName); try (final DataOutputStream dos = new DataOutputStream(baos)) { linkCert.encode(dos); } } else { // X509 CA final X509Certificate oldCertX509 = (X509Certificate) oldCert; final X509Certificate newCertX509 = (X509Certificate) newCert; final String linkSigAlg; if (sigAlgOverride.equalsIgnoreCase("null")) { // Actually, we should use signature algorithm of new cert if the old key allows that. // Instead of doing that we allow the user to manually override the signature algorithm if needed. linkSigAlg = oldCertX509.getSigAlgName(); } else { System.err.println("Warning: Signature algorithm manually overridden!"); linkSigAlg = sigAlgOverride; } System.out.println("Using signature algorithm " + linkSigAlg); final BigInteger serno = SernoGeneratorRandom.instance().getSerno(); final SubjectPublicKeyInfo pkinfo = SubjectPublicKeyInfo.getInstance(newPubKey.getEncoded()); final Date validFrom = new Date(new Date().getTime() - 60L * 15L * 1000L); // back date by 15 minutes to allow for clock skew final Date validTo = oldCertX509.getNotAfter(); final X500Name oldDNName = X500Name.getInstance(oldCertX509.getSubjectX500Principal().getEncoded()); final X500Name newDNName = X500Name.getInstance(newCertX509.getSubjectX500Principal().getEncoded()); final X509v3CertificateBuilder certbuilder = new X509v3CertificateBuilder(oldDNName, serno, validFrom, validTo, newDNName, pkinfo); // Copy all extensions except AKID final ExtensionsGenerator extgen = new ExtensionsGenerator(); final Set<String> oids = new LinkedHashSet<>(); final Set<String> criticalOids = newCertX509.getCriticalExtensionOIDs(); oids.addAll(criticalOids); oids.addAll(newCertX509.getNonCriticalExtensionOIDs()); for (final String extOidStr : oids) { final ASN1ObjectIdentifier extoid = new ASN1ObjectIdentifier(extOidStr); if (!extoid.equals(Extension.authorityKeyIdentifier)) { final byte[] extbytes = newCertX509.getExtensionValue(extOidStr); final ASN1OctetString str = (ASN1OctetString) ASN1Primitive.fromByteArray(extbytes); extgen.addExtension(extoid, criticalOids.contains(extOidStr), ASN1Primitive.fromByteArray(str.getOctets())); } } if (nameChange) { // id-icao-mrtd-security-extensions-nameChange = 2.23.136.1.1.6.1 extgen.addExtension(ICAOObjectIdentifiers.id_icao_extensions_namechangekeyrollover, false, DERNull.INSTANCE); } // Some checks if (newCertX509.getExtensionValue(Extension.subjectKeyIdentifier.getId()) == null) { System.err.println( "Warning: Certificate of new CSCA is missing the Subject Key Identifier extension, which is mandatory."); } if (newCertX509.getExtensionValue(Extension.authorityKeyIdentifier.getId()) == null) { System.err.println( "Warning: Certificate of new CSCA is missing the Authority Key Identifier extension, which is mandatory."); } // If the new cert has an AKID, then add that extension but with the key id value of the old cert final byte[] oldSKIDBytes = oldCertX509.getExtensionValue(Extension.subjectKeyIdentifier.getId()); if (oldSKIDBytes != null) { final ASN1OctetString str = (ASN1OctetString) ASN1Primitive.fromByteArray(oldSKIDBytes); final ASN1OctetString innerStr = (ASN1OctetString) ASN1Primitive.fromByteArray(str.getOctets()); final AuthorityKeyIdentifier akidExt = new AuthorityKeyIdentifier(innerStr.getOctets()); extgen.addExtension(Extension.authorityKeyIdentifier, false, akidExt); } else { System.err.println( "Warning: The old certificate doesn't have any SubjectKeyIdentifier. The link certificate will not have any AuthorityKeyIdentifier."); } // Add extensions to the certificate final Extensions exts = extgen.generate(); for (final ASN1ObjectIdentifier extoid : exts.getExtensionOIDs()) { final Extension ext = exts.getExtension(extoid); certbuilder.addExtension(extoid, ext.isCritical(), ext.getParsedValue()); } // Sign the certificate final ContentSigner signer = new BufferingContentSigner( new JcaContentSignerBuilder(linkSigAlg).setProvider(signProviderName).build(oldPrivKey), 20480); final X509CertificateHolder certHolder = certbuilder.build(signer); baos.write(certHolder.getEncoded()); // Save to output file try (final FileOutputStream fos = new FileOutputStream(outputPath)) { baos.writeTo(fos); } } return true; } if (args[1].toLowerCase().trim().equals(VERIFY_SWITCH)) { final CMS.VerifyResult verifyResult; if (args.length < 5) { System.err.println("There are two ways of doing the encryption:"); printCommandString(args, TOKEN_ID_PARAM, " <input file> <output file> <key alias>"); printTokenIdDescription(); printCommandStringNoSharedLib(args, "<input file> <output file> <file with certificate with public key to use>"); tooFewArguments(args); } if (args.length < 7) { Security.addProvider(new BouncyCastleProvider()); try (final InputStream certIS = new FileInputStream(args[4]); final InputStream is = new FileInputStream(args[2]); final OutputStream os = new FileOutputStream(args[3]);) { final X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509") .generateCertificate(new BufferedInputStream(certIS)); verifyResult = CMS.verify(is, os, cert); } } else { final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); final KeyStoreTools keyStore = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter); final X509Certificate cert = (X509Certificate) keyStore.getKeyStore().getCertificate(args[6]); try (final InputStream is = new FileInputStream(args[4]); final OutputStream os = new FileOutputStream(args[5])) { verifyResult = CMS.verify(is, os, cert); } } if (verifyResult == null) { System.err.println("Not possible to parse signed file."); System.exit(4); // Not verifying // NOPMD, it's not a JEE app return false;//will never be executes. just to avoid warning. } System.out.println( "The signature of the input " + (verifyResult.isVerifying ? "has been" : "could not be") + " verified. The file was signed on '" + verifyResult.signDate + "'. The public part of the signing key is in a certificate with serial number " + verifyResult.signerId.getSerialNumber() + " issued by '" + verifyResult.signerId.getIssuer() + "'."); if (!verifyResult.isVerifying) { System.exit(4); // Not verifying // NOPMD, it's not a JEE app } return true; } if (args[1].toLowerCase().trim().equals(TEST_SWITCH)) { if (args.length < 4) { printCommandString(args, TOKEN_ID_PARAM, " [<'m:n' m # of threads, n # of tests>] [<alias for stress test>] [<type of stress test>]"); printTokenIdDescription(); System.err.println( " If a file named \"./testData\" exists then the data that is signed, is read from this file."); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); final NrOfThreadsAndNrOfTests notanot = new NrOfThreadsAndNrOfTests(args.length > 4 ? args[4] : null); KeyStoreContainerTest.test(args[2], storeId, slotType, notanot.threads, notanot.tests, args.length > 5 ? args[5].trim() : null, args.length > 6 ? args[6].trim() : null, protectionParameter); return true; } if (args[1].toLowerCase().trim().equals(RENAME)) { if (args.length < 6) { printCommandString(args, TOKEN_ID_PARAM, " <old key alias> <new key alias>"); printTokenIdDescription(); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); final KeyStoreTools keyStore = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter); keyStore.renameEntry(args[4], args[5]); return true; } if (args[1].toLowerCase().trim().equals(MOVE_SWITCH)) { if (args.length < 5) { printCommandString(args, "<from PKCS#11 token identifier> <to PKCS#11 token identifier>"); printTokenIdDescription(); tooFewArguments(args); } final KeyStoreTools fromKS = KeyStoreToolsFactory.getInstance(args[2], trimStoreId(args[3]), getTokenLabelType(args[3]), null, protectionParameter); final KeyStoreTools toKS = KeyStoreToolsFactory.getInstance(args[2], trimStoreId(args[4]), getTokenLabelType(args[4]), null, protectionParameter); System.out.println("Moving entry with alias '" + args[3] + "' to alias '" + args[4] + '.'); final Enumeration<String> e = fromKS.getKeyStore().aliases(); while (e.hasMoreElements()) { final String alias = e.nextElement(); if (fromKS.getKeyStore().isKeyEntry(alias)) { final Key key = fromKS.getKeyStore().getKey(alias, null); final Certificate chain[] = fromKS.getKeyStore().getCertificateChain(alias); toKS.setKeyEntry(alias, key, chain); } fromKS.getKeyStore().deleteEntry(alias); } fromKS.getKeyStore().store(null, null); toKS.getKeyStore().store(null, null); return true; } return false; }
From source file:be.fedict.trust.TrustValidator.java
/** * Validates whether the certificate path was valid at the given validation * date.// w ww . ja va2s. co m * * @param certificatePath * the X509 certificate path to be validated. * @param validationDate * the date at which the certificate path validation should be * verified. * @throws CertPathValidatorException * in case of an invalid certificate path. * @see #isTrusted(List) */ public void isTrusted(List<X509Certificate> certificatePath, Date validationDate) throws CertPathValidatorException { if (certificatePath.isEmpty()) { this.result = new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST, "certificate path is empty"); throw new CertPathValidatorException(this.result.getMessage()); } int certIdx = certificatePath.size() - 1; X509Certificate certificate = certificatePath.get(certIdx); LOG.debug("verifying root certificate: " + certificate.getSubjectX500Principal()); this.result = getSelfSignedResult(certificate); if (!this.result.isValid()) { LOG.debug("result: " + this.result.getMessage()); throw new CertPathValidatorException(this.result.getMessage()); } // check certificate signature this.result = checkSignatureAlgorithm(certificate.getSigAlgName()); if (!this.result.isValid()) { LOG.debug("result: " + this.result.getMessage()); throw new CertPathValidatorException(this.result.getMessage()); } checkSelfSignedTrust(certificate, validationDate); certIdx--; while (certIdx >= 0) { X509Certificate childCertificate = certificatePath.get(certIdx); LOG.debug("verifying certificate: " + childCertificate.getSubjectX500Principal()); certIdx--; checkTrustLink(childCertificate, certificate, validationDate); certificate = childCertificate; } for (CertificateConstraint certificateConstraint : this.certificateConstraints) { String certificateConstraintName = certificateConstraint.getClass().getSimpleName(); LOG.debug("certificate constraint check: " + certificateConstraintName); if (false == certificateConstraint.check(certificate)) { this.result = new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST, "certificate constraint failure: " + certificateConstraintName); throw new CertPathValidatorException(this.result.getMessage()); } } this.result = new TrustLinkerResult(true); }
From source file:nl.nn.adapterframework.webcontrol.api.ShowConfigurationStatus.java
private ArrayList<Object> getCertificateInfo(final URL url, final String password, String keyStoreType, String prefix) {// w w w . j av a 2 s . com ArrayList<Object> certificateList = new ArrayList<Object>(); try { KeyStore keystore = KeyStore.getInstance(keyStoreType); keystore.load(url.openStream(), password != null ? password.toCharArray() : null); if (log.isInfoEnabled()) { Enumeration<String> aliases = keystore.aliases(); while (aliases.hasMoreElements()) { String alias = (String) aliases.nextElement(); ArrayList<Object> infoElem = new ArrayList<Object>(); infoElem.add(prefix + " '" + alias + "':"); Certificate trustedcert = keystore.getCertificate(alias); if (trustedcert != null && trustedcert instanceof X509Certificate) { X509Certificate cert = (X509Certificate) trustedcert; infoElem.add("Subject DN: " + cert.getSubjectDN()); infoElem.add("Signature Algorithm: " + cert.getSigAlgName()); infoElem.add("Valid from: " + cert.getNotBefore()); infoElem.add("Valid until: " + cert.getNotAfter()); infoElem.add("Issuer: " + cert.getIssuerDN()); } certificateList.add(infoElem); } } } catch (Exception e) { certificateList.add("*** ERROR ***"); } return certificateList; }
From source file:nl.nn.adapterframework.webcontrol.action.ShowSecurityItems.java
private void addCertificateInfo(XmlBuilder certElem, final URL url, final String password, String keyStoreType, String prefix) {// ww w . j a v a2 s .c om try { KeyStore keystore = KeyStore.getInstance(keyStoreType); keystore.load(url.openStream(), password != null ? password.toCharArray() : null); if (log.isInfoEnabled()) { Enumeration aliases = keystore.aliases(); while (aliases.hasMoreElements()) { String alias = (String) aliases.nextElement(); XmlBuilder infoElem = new XmlBuilder("info"); infoElem.setCdataValue(prefix + " '" + alias + "':"); certElem.addSubElement(infoElem); Certificate trustedcert = keystore.getCertificate(alias); if (trustedcert != null && trustedcert instanceof X509Certificate) { X509Certificate cert = (X509Certificate) trustedcert; infoElem = new XmlBuilder("info"); infoElem.setCdataValue(" Subject DN: " + cert.getSubjectDN()); certElem.addSubElement(infoElem); infoElem = new XmlBuilder("info"); infoElem.setCdataValue(" Signature Algorithm: " + cert.getSigAlgName()); certElem.addSubElement(infoElem); infoElem = new XmlBuilder("info"); infoElem.setCdataValue(" Valid from: " + cert.getNotBefore()); certElem.addSubElement(infoElem); infoElem = new XmlBuilder("info"); infoElem.setCdataValue(" Valid until: " + cert.getNotAfter()); certElem.addSubElement(infoElem); infoElem = new XmlBuilder("info"); infoElem.setCdataValue(" Issuer: " + cert.getIssuerDN()); certElem.addSubElement(infoElem); } } } } catch (Exception e) { XmlBuilder infoElem = new XmlBuilder("info"); infoElem.setCdataValue("*** ERROR ***"); certElem.addSubElement(infoElem); } }
From source file:info.guardianproject.onionkit.trust.StrongTrustManager.java
private void checkStrongCrypto(X509Certificate cert) throws CertificateException { String algo = cert.getSigAlgName().toLowerCase(); if (algo.contains("md5")) { debug("cert uses weak crypto: " + algo); if (mNotifyVerificationFail) showCertMessage(mContext.getString(R.string.warning_weak_crypto), cert.getIssuerDN().getName(), cert, null);/*from w w w. ja v a2s .co m*/ throw new CertificateException("issuer uses weak crypto: " + algo); } }
From source file:com.stargame.ad.util.http.ssl.AuthSSLProtocolSocketFactory.java
private SSLContext createSSLContext() { try {/*from w w w .j a v a2 s . c om*/ KeyManager[] keymanagers = null; TrustManager[] trustmanagers = null; if (this.keystoreUrl != null) { KeyStore keystore = createKeyStore(this.keystoreUrl, this.keystorePassword); if (LogUtil.D) { Enumeration aliases = keystore.aliases(); while (aliases.hasMoreElements()) { String alias = (String) aliases.nextElement(); Certificate[] certs = keystore.getCertificateChain(alias); if (certs != null) { LogUtil.d(AuthSSLProtocolSocketFactory.class, "Certificate chain '" + alias + "':"); for (int c = 0; c < certs.length; c++) { if (certs[c] instanceof X509Certificate) { X509Certificate cert = (X509Certificate) certs[c]; LogUtil.d(AuthSSLProtocolSocketFactory.class, " Certificate " + (c + 1) + ":"); LogUtil.d(AuthSSLProtocolSocketFactory.class, " Subject DN: " + cert.getSubjectDN()); LogUtil.d(AuthSSLProtocolSocketFactory.class, " Signature Algorithm: " + cert.getSigAlgName()); LogUtil.d(AuthSSLProtocolSocketFactory.class, " Valid from: " + cert.getNotBefore()); LogUtil.d(AuthSSLProtocolSocketFactory.class, " Valid until: " + cert.getNotAfter()); LogUtil.d(AuthSSLProtocolSocketFactory.class, " Issuer: " + cert.getIssuerDN()); } } } } } keymanagers = createKeyManagers(keystore, this.keystorePassword); } if (this.truststoreUrl != null) { KeyStore keystore = createKeyStore(this.truststoreUrl, this.truststorePassword); if (LogUtil.D) { Enumeration aliases = keystore.aliases(); while (aliases.hasMoreElements()) { String alias = (String) aliases.nextElement(); LogUtil.d(AuthSSLProtocolSocketFactory.class, "Trusted certificate '" + alias + "':"); Certificate trustedcert = keystore.getCertificate(alias); if (trustedcert != null && trustedcert instanceof X509Certificate) { X509Certificate cert = (X509Certificate) trustedcert; LogUtil.d(AuthSSLProtocolSocketFactory.class, " Subject DN: " + cert.getSubjectDN()); LogUtil.d(AuthSSLProtocolSocketFactory.class, " Signature Algorithm: " + cert.getSigAlgName()); LogUtil.d(AuthSSLProtocolSocketFactory.class, " Valid from: " + cert.getNotBefore()); LogUtil.d(AuthSSLProtocolSocketFactory.class, " Valid until: " + cert.getNotAfter()); LogUtil.d(AuthSSLProtocolSocketFactory.class, " Issuer: " + cert.getIssuerDN()); } } } trustmanagers = createTrustManagers(keystore); } SSLContext sslcontext = SSLContext.getInstance("SSL"); sslcontext.init(keymanagers, trustmanagers, null); return sslcontext; } catch (NoSuchAlgorithmException e) { LogUtil.e(AuthSSLProtocolSocketFactory.class, e.getMessage()); throw new AuthSSLInitializationError("Unsupported algorithm exception: " + e.getMessage()); } catch (KeyStoreException e) { LogUtil.e(AuthSSLProtocolSocketFactory.class, e.getMessage()); throw new AuthSSLInitializationError("Keystore exception: " + e.getMessage()); } catch (GeneralSecurityException e) { LogUtil.e(AuthSSLProtocolSocketFactory.class, e.getMessage()); throw new AuthSSLInitializationError("Key management exception: " + e.getMessage()); } catch (IOException e) { LogUtil.e(AuthSSLProtocolSocketFactory.class, e.getMessage()); throw new AuthSSLInitializationError("I/O error reading keystore/truststore file: " + e.getMessage()); } }
From source file:org.apache.nifi.toolkit.tls.util.TlsHelperTest.java
@Test public void testGenerateSelfSignedCert() throws GeneralSecurityException, IOException, OperatorCreationException { String dn = "CN=testDN,O=testOrg"; X509Certificate x509Certificate = CertificateUtils.generateSelfSignedX509Certificate( TlsHelper.generateKeyPair(keyPairAlgorithm, keySize), dn, signingAlgorithm, days); Date notAfter = x509Certificate.getNotAfter(); assertTrue(notAfter.after(inFuture(days - 1))); assertTrue(notAfter.before(inFuture(days + 1))); Date notBefore = x509Certificate.getNotBefore(); assertTrue(notBefore.after(inFuture(-1))); assertTrue(notBefore.before(inFuture(1))); assertEquals(dn, x509Certificate.getIssuerX500Principal().getName()); assertEquals(signingAlgorithm, x509Certificate.getSigAlgName()); assertEquals(keyPairAlgorithm, x509Certificate.getPublicKey().getAlgorithm()); x509Certificate.checkValidity(); }