List of usage examples for org.bouncycastle.asn1.x509 SubjectKeyIdentifier getInstance
public static SubjectKeyIdentifier getInstance(Object obj)
From source file:org.codice.ddf.security.saml.assertion.validator.impl.SamlAssertionValidatorImpl.java
License:Open Source License
private void validateHolderOfKeyConfirmation(SamlAssertionWrapper assertion, X509Certificate[] x509Certs) throws SecurityServiceException { List<String> confirmationMethods = assertion.getConfirmationMethods(); boolean hasHokMethod = false; for (String method : confirmationMethods) { if (OpenSAMLUtil.isMethodHolderOfKey(method)) { hasHokMethod = true;/*from w ww . j av a 2 s . c o m*/ } } if (hasHokMethod) { if (x509Certs != null && x509Certs.length > 0) { List<SubjectConfirmation> subjectConfirmations = assertion.getSaml2().getSubject() .getSubjectConfirmations(); for (SubjectConfirmation subjectConfirmation : subjectConfirmations) { if (OpenSAMLUtil.isMethodHolderOfKey(subjectConfirmation.getMethod())) { Element dom = subjectConfirmation.getSubjectConfirmationData().getDOM(); Node keyInfo = dom.getFirstChild(); Node x509Data = keyInfo.getFirstChild(); Node dataNode = x509Data.getFirstChild(); Node dataText = dataNode.getFirstChild(); X509Certificate tlsCertificate = x509Certs[0]; if (dataNode.getLocalName().equals("X509Certificate")) { String textContent = dataText.getTextContent(); byte[] byteValue = Base64.getMimeDecoder().decode(textContent); try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); X509Certificate cert = (X509Certificate) cf .generateCertificate(new ByteArrayInputStream(byteValue)); // check that the certificate is still valid cert.checkValidity(); // HoK spec section 2.5: // relying party MUST ensure that the certificate bound to the assertion matches the // X.509 certificate in its possession. // Matching is done by comparing the base64-decoded certificates, or the hash values // of the base64-decoded certificates, byte-for-byte. // if the certs aren't the same, verify if (!tlsCertificate.equals(cert)) { // verify that the cert was signed by the same private key as the TLS cert cert.verify(tlsCertificate.getPublicKey()); } } catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException | SignatureException | NoSuchProviderException e) { throw new SecurityServiceException( "Unable to validate Holder of Key assertion with certificate."); } } else if (dataNode.getLocalName().equals("X509SubjectName")) { String textContent = dataText.getTextContent(); // HoK spec section 2.5: // relying party MUST ensure that the subject distinguished name (DN) bound to the // assertion matches the DN bound to the X.509 certificate. // If, however, the relying party does not trust the certificate issuer to issue such // a DN, the attesting entity is not confirmed and the relying party SHOULD disregard // the assertion. if (!tlsCertificate.getSubjectDN().getName().equals(textContent)) { throw new SecurityServiceException( "Unable to validate Holder of Key assertion with subject DN."); } } else if (dataNode.getLocalName().equals("X509IssuerSerial")) { // we have no way to support this confirmation type so we have to throw an error throw new SecurityServiceException( "Unable to validate Holder of Key assertion with issuer serial. NOT SUPPORTED"); } else if (dataNode.getLocalName().equals("X509SKI")) { String textContent = dataText.getTextContent(); byte[] tlsSKI = tlsCertificate.getExtensionValue("2.5.29.14"); byte[] assertionSKI = Base64.getMimeDecoder().decode(textContent); if (tlsSKI != null && tlsSKI.length > 0) { ASN1OctetString tlsOs = ASN1OctetString.getInstance(tlsSKI); ASN1OctetString assertionOs = ASN1OctetString.getInstance(assertionSKI); SubjectKeyIdentifier tlsSubjectKeyIdentifier = SubjectKeyIdentifier .getInstance(tlsOs.getOctets()); SubjectKeyIdentifier assertSubjectKeyIdentifier = SubjectKeyIdentifier .getInstance(assertionOs.getOctets()); // HoK spec section 2.5: // relying party MUST ensure that the value bound to the assertion matches the // Subject Key Identifier (SKI) extension bound to the X.509 certificate. // Matching is done by comparing the base64-decoded SKI values byte-for-byte. If the // X.509 certificate does not contain an SKI extension, // the attesting entity is not confirmed and the relying party SHOULD disregard the // assertion. if (!Arrays.equals(tlsSubjectKeyIdentifier.getKeyIdentifier(), assertSubjectKeyIdentifier.getKeyIdentifier())) { throw new SecurityServiceException( "Unable to validate Holder of Key assertion with subject key identifier."); } } else { throw new SecurityServiceException( "Unable to validate Holder of Key assertion with subject key identifier."); } } } } } else { throw new SecurityServiceException("Holder of Key assertion, must be used with 2-way TLS."); } } }
From source file:org.cryptacular.x509.ExtensionReader.java
License:Open Source License
/** * Reads the value of the <code>SubjectKeyIdentifier</code> extension field of * the certificate.//w ww .ja v a2s . c o m * * @return Subject key identifier. */ public SubjectKeyIdentifier readSubjectKeyIdentifier() { return SubjectKeyIdentifier.getInstance(read(ExtensionType.SubjectKeyIdentifier)); }
From source file:org.ejbca.util.CertTools.java
License:Open Source License
/** * Get the subject key identifier from a certificate extensions * * @param cert certificate containing the extension * @return byte[] containing the subject key identifier, or null if it does not exist * @throws IOException if extension can not be parsed *///from ww w . j av a2 s . c om public static byte[] getSubjectKeyId(Certificate cert) throws IOException { if (cert == null) { return null; } if (cert instanceof X509Certificate) { X509Certificate x509cert = (X509Certificate) cert; byte[] extvalue = x509cert.getExtensionValue("2.5.29.14"); if (extvalue == null) { return null; } ASN1OctetString str = ASN1OctetString .getInstance(new ASN1InputStream(new ByteArrayInputStream(extvalue)).readObject()); SubjectKeyIdentifier keyId = SubjectKeyIdentifier .getInstance(new ASN1InputStream(new ByteArrayInputStream(str.getOctets())).readObject()); return keyId.getKeyIdentifier(); } return null; }
From source file:org.glite.voms.PKIUtils.java
License:Open Source License
/** * Gets the SubjectKeyIdentifier extension form the passed certificate. * * @param cert The certificate from which to get the extension. * * @return the extension if present, or null if not present. *///from w w w . ja va 2 s . c o m static public SubjectKeyIdentifier getSKID(X509Certificate cert) { if (cert != null) { byte[] akid = cert.getExtensionValue(SUBJECT_KEY_IDENTIFIER); if (akid != null) { ASN1Primitive dobj = null; try { dobj = new ASN1InputStream(new ByteArrayInputStream(akid)).readObject(); dobj = new ASN1InputStream(new ByteArrayInputStream(((DEROctetString) dobj).getOctets())) .readObject(); } catch (Exception e) { throw new IllegalArgumentException("While extracting Subject Key Identifier " + e.getMessage()); } // System.out.println("SKID CLASS IS: " + dobj.getClass()); return SubjectKeyIdentifier.getInstance(dobj); // return SubjectKeyIdentifier(dobj.getDEREncoded()); } } return null; }
From source file:org.jruby.ext.openssl.x509store.X509Utils.java
License:LGPL
/** * c: X509_check_issued//from www.ja v a 2 s . co m */ public static int checkIfIssuedBy(X509AuxCertificate issuer, X509AuxCertificate subject) throws Exception { if (!issuer.getSubjectX500Principal().equals(subject.getIssuerX500Principal())) { return V_ERR_SUBJECT_ISSUER_MISMATCH; } if (subject.getExtensionValue("2.5.29.35") != null) { //authorityKeyID // I hate ASN1 and DER Object key = get(subject.getExtensionValue("2.5.29.35")); if (!(key instanceof ASN1Sequence)) { key = get(key); } ASN1Sequence seq = (ASN1Sequence) key; AuthorityKeyIdentifier sakid = null; if (seq.size() == 1 && (seq.getObjectAt(0) instanceof ASN1OctetString)) { sakid = AuthorityKeyIdentifier .getInstance(new DLSequence(new DERTaggedObject(0, seq.getObjectAt(0)))); } else { sakid = AuthorityKeyIdentifier.getInstance(seq); } if (sakid.getKeyIdentifier() != null) { if (issuer.getExtensionValue("2.5.29.14") != null) { DEROctetString der = (DEROctetString) get(issuer.getExtensionValue("2.5.29.14")); if (der.getOctets().length > 20) { der = (DEROctetString) get(der.getOctets()); } SubjectKeyIdentifier iskid = SubjectKeyIdentifier.getInstance(der); if (iskid.getKeyIdentifier() != null) { if (!Arrays.equals(sakid.getKeyIdentifier(), iskid.getKeyIdentifier())) { return V_ERR_AKID_SKID_MISMATCH; } } } } if (sakid.getAuthorityCertSerialNumber() != null && !sakid.getAuthorityCertSerialNumber().equals(issuer.getSerialNumber())) { return V_ERR_AKID_ISSUER_SERIAL_MISMATCH; } if (sakid.getAuthorityCertIssuer() != null) { GeneralName[] gens = sakid.getAuthorityCertIssuer().getNames(); X500Name nm = null; for (int i = 0; i < gens.length; i++) { if (gens[i].getTagNo() == GeneralName.directoryName) { ASN1Encodable nameTmp = gens[i].getName(); if (nameTmp instanceof X500Name) { nm = (X500Name) nameTmp; } else if (nameTmp instanceof ASN1Sequence) { nm = X500Name.getInstance((ASN1Sequence) nameTmp); } else { throw new RuntimeException("unknown name type in X509Utils: " + nameTmp); } break; } } if (nm != null) { if (!(new Name(nm).isEqual(issuer.getIssuerX500Principal()))) { return V_ERR_AKID_ISSUER_SERIAL_MISMATCH; } } } } if (subject.getExtensionValue("1.3.6.1.5.5.7.1.14") != null) { if (issuer.getKeyUsage() != null && !issuer.getKeyUsage()[0]) { // KU_DIGITAL_SIGNATURE return V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; } } else if (issuer.getKeyUsage() != null && !issuer.getKeyUsage()[5]) { // KU_KEY_CERT_SIGN return V_ERR_KEYUSAGE_NO_CERTSIGN; } return V_OK; }
From source file:org.kse.gui.KeyStoreTableModel.java
License:Open Source License
private String getCertificateSKI(String alias, KeyStore keyStore) throws CryptoException, KeyStoreException { X509Certificate x509Cert = getCertificate(alias, keyStore); try {//from w w w. j a va 2 s . c o m byte[] skiValue = x509Cert.getExtensionValue(Extension.subjectKeyIdentifier.getId()); byte[] octets = DEROctetString.getInstance(skiValue).getOctets(); byte[] skiBytes = SubjectKeyIdentifier.getInstance(octets).getKeyIdentifier(); return HexUtil.getHexString(skiBytes); } catch (Exception e) { return "-"; } }
From source file:org.objectweb.proactive.core.security.CertTools.java
License:Open Source License
/** * Get the subject key identifier from a certificate extensions * * @param cert certificate containing the extension * @return byte[] containing the subject key identifier * @throws IOException if extension can not be parsed *//*from w ww . j av a2 s .co m*/ public static byte[] getSubjectKeyId(X509Certificate cert) throws IOException { byte[] extvalue = cert.getExtensionValue("2.5.29.14"); if (extvalue == null) { return null; } ASN1OctetString str = ASN1OctetString .getInstance(new ASN1InputStream(new ByteArrayInputStream(extvalue)).readObject()); SubjectKeyIdentifier keyId = SubjectKeyIdentifier .getInstance(new ASN1InputStream(new ByteArrayInputStream(str.getOctets())).readObject()); return keyId.getKeyIdentifier(); }
From source file:org.qipki.crypto.x509.X509ExtensionsReaderImpl.java
License:Open Source License
@Override public byte[] getSubjectKeyIdentifier(X509Certificate cert) { try {/*from w w w .j av a 2s .c o m*/ byte[] value = cert.getExtensionValue(X509Extensions.SubjectKeyIdentifier.getId()); if (value == null) { return null; } byte[] octets = ((ASN1OctetString) ASN1Object.fromByteArray(value)).getOctets(); return SubjectKeyIdentifier.getInstance(ASN1Object.fromByteArray(octets)).getKeyIdentifier(); } catch (IOException ex) { throw new CryptoFailure("Unable to extract SubjectKeyIdentifier from X509Certificate extensions", ex); } }
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
private void checkExtensionSubjectKeyIdentifier(final StringBuilder failureMsg, final byte[] extensionValue, final SubjectPublicKeyInfo subjectPublicKeyInfo) { // subjectKeyIdentifier SubjectKeyIdentifier asn1 = SubjectKeyIdentifier.getInstance(extensionValue); byte[] ski = asn1.getKeyIdentifier(); byte[] pkData = subjectPublicKeyInfo.getPublicKeyData().getBytes(); byte[] expectedSki = HashCalculator.hash(HashAlgoType.SHA1, pkData); if (Arrays.equals(expectedSki, ski) == false) { failureMsg.append("SKI is '" + hex(ski) + "' but expected is '" + hex(expectedSki) + "'"); failureMsg.append("; "); }/*www .j a va 2s . c o m*/ }
From source file:org.xipki.pki.ca.qa.ExtensionsChecker.java
License:Open Source License
private void checkExtensionSubjectKeyIdentifier(final StringBuilder failureMsg, final byte[] extensionValue, final SubjectPublicKeyInfo subjectPublicKeyInfo) { // subjectKeyIdentifier SubjectKeyIdentifier asn1 = SubjectKeyIdentifier.getInstance(extensionValue); byte[] ski = asn1.getKeyIdentifier(); byte[] pkData = subjectPublicKeyInfo.getPublicKeyData().getBytes(); byte[] expectedSki = HashAlgoType.SHA1.hash(pkData); if (!Arrays.equals(expectedSki, ski)) { addViolation(failureMsg, "SKI", hex(ski), hex(expectedSki)); }// w w w . j ava 2 s .co m }