Package gnu.java.security.x509

Examples of gnu.java.security.x509.X509Certificate


        try {

            boolean trusted = false;

            X509Certificate chainCert;
            while (in.available() > 0 && !trusted) {
                // The length of the next certificate (we dont need this as rthe
                // DERInputStream does the work
                int certlen = (in.read() & 0xFF) << 16 | (in.read() & 0xFF) << 8 | (in.read() & 0xFF);

                // Now read the certificate
                DERInputStream der = new DERInputStream(in);

                ASN1Sequence certificate = (ASN1Sequence) der.readObject();

                // Get the x509 certificate structure
                chainCert = new X509Certificate(X509CertificateStructure.getInstance(certificate));

                if (x509 == null)
                    x509 = chainCert;

                // Verify if this part of the chain is trusted


            DERInputStream der = new DERInputStream(new FileInputStream("c:/exported.cer")); //$NON-NLS-1$

            ASN1Sequence certificate = (ASN1Sequence) der.readObject();

            // Get the x509 certificate structure
            X509Certificate x509 = new X509Certificate(X509CertificateStructure.getInstance(certificate));

            System.out.println(x509.getIssuerDN());
            System.out.println(x509.getSubjectDN());
            ssl.getTrustedCACerts().isTrustedCertificate(x509, true, true);
        } catch (Exception ex) {
            ex.printStackTrace();
        }

                    throws SSLException {
        try {
            if (CertificateStore.getInstance().contains(x509.getIssuerDN().toString())) {


                X509Certificate trusted = (X509Certificate) CertificateStore.getInstance().get(x509.getIssuerDN().toString());

                // Verify the signature of the certificate with the trusted
                // certificate
                PublicKey publickey = trusted.getPublicKey();

                if (publickey instanceof RsaPublicKey) {
                    // Verify the signature
                    if (x509.getSigAlgName().equals("MD5WithRSAEncryption")) { //$NON-NLS-1$

                        try {
                            byte[] blob = x509.getSignature();

                            // Check for signed bit
                            if ((blob[0] & 0x80) == 0x80) {
                                blob = new byte[x509.getSignature().length + 1];
                                blob[0] = 0;
                                System.arraycopy(x509.getSignature(), 0, blob, 1, x509.getSignature().length);
                            }

                            BigInteger input = new BigInteger(blob);
                            RsaPublicKey r = (RsaPublicKey) trusted.getPublicKey();
                            BigInteger decoded = Rsa.doPublic(input, r.getModulus(), r.getPublicExponent());
                            BigInteger result = Rsa.removePKCS1(decoded, 0x01);
                            byte[] sig = result.toByteArray();

                            MD5Digest digest = new MD5Digest();
                            digest.update(x509.getTBSCertificate(), 0, x509.getTBSCertificate().length);
                            byte[] hash = new byte[digest.getDigestSize()];
                            digest.doFinal(hash, 0);

                            DERInputStream der = new DERInputStream(new ByteArrayInputStream(sig));

                            ASN1Sequence o = (ASN1Sequence) der.readObject();

                            ASN1Sequence o1 = (ASN1Sequence) o.getObjectAt(0);

                            DERObjectIdentifier o2 = (DERObjectIdentifier) o1.getObjectAt(0);
                            ASN1OctetString o3 = (ASN1OctetString) o.getObjectAt(1);

                            byte[] actual = o3.getOctets();

                            for (int i = 0; i < actual.length; i++) {
                                if (actual[i] != hash[i]) {
                                    return false;
                                }
                            }

                        } catch (IOException ex1) {
                            throw new SSLException(SSLException.INTERNAL_ERROR, ex1.getMessage());
                        }

                    } else if (x509.getSigAlgName().equals("SHA1WithRSAEncryption")) { //$NON-NLS-1$

                        try {
                            byte[] blob = x509.getSignature();

                            // Check for signed bit
                            if ((blob[0] & 0x80) == 0x80) {
                                blob = new byte[x509.getSignature().length + 1];
                                blob[0] = 0;
                                System.arraycopy(x509.getSignature(), 0, blob, 1, x509.getSignature().length);
                            }

                            BigInteger input = new BigInteger(blob);
                            RsaPublicKey r = (RsaPublicKey) trusted.getPublicKey();

                            BigInteger decoded = Rsa.doPublic(input, r.getModulus(), r.getPublicExponent());

                            BigInteger result = Rsa.removePKCS1(decoded, 0x01);
                            byte[] sig = result.toByteArray();

                            SHA1Digest digest = new SHA1Digest();
                            digest.update(x509.getTBSCertificate(), 0, x509.getTBSCertificate().length);
                            byte[] hash = new byte[digest.getDigestSize()];
                            digest.doFinal(hash, 0);

                            DERInputStream der = new DERInputStream(new ByteArrayInputStream(sig));

                            ASN1Sequence o = (ASN1Sequence) der.readObject();

                            ASN1Sequence o1 = (ASN1Sequence) o.getObjectAt(0);

                            DERObjectIdentifier o2 = (DERObjectIdentifier) o1.getObjectAt(0);
                            ASN1OctetString o3 = (ASN1OctetString) o.getObjectAt(1);

                            byte[] actual = o3.getOctets();

                            for (int i = 0; i < actual.length; i++) {
                                if (actual[i] != hash[i]) {
                                    return false;
                                }
                            }

                        } catch (IOException ex1) {
                            throw new SSLException(SSLException.INTERNAL_ERROR, ex1.getMessage());
                        }

                    } else
                        throw new SSLException(SSLException.UNSUPPORTED_CERTIFICATE,
                            MessageFormat.format(Messages.getString("TrustedCACertStore.signatureAlgorithmNotSupported"), new Object[] { x509.getSigAlgName() })); //$NON-NLS-1$

                    // Verify the validity
                    try {
                        trusted.checkValidity();
                        x509.checkValidity();
                    } catch (CertificateException ex2) {
                        if (allowInvalidCertificates) {
                            return true;
                        } else {

            der = new DERInputStream(in);

            ASN1Sequence certificate = (ASN1Sequence) der.readObject();

            X509Certificate x509 = new X509Certificate(X509CertificateStructure.getInstance(certificate));

            if (certificates.containsKey(x509.getSubjectDN().toString())) {
                // #ifdef DEBUG
                if (log.isDebugEnabled())
                    log.debug(Messages.getString("CertificateStore.alreadyExists") + x509.getSubjectDN().toString()); //$NON-NLS-1$
                // #endif
            } else {
                // #ifdef DEBUG
                if (log.isDebugEnabled())
                    log.debug(MessageFormat.format(Messages.getString("CertificateStore.addingTrustedCA"), new Object[] { x509.getSubjectDN().toString() })); //$NON-NLS-1$
                // #endif
                certificates.put(x509.getSubjectDN().toString(), x509);
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        } finally {
            try {

    // (b) for all x in {1, ..., n}, the certificate was valid at the
    // time in question.
    //
    // Because this is the X.509 algorithm, we also check if all
    // cerificates are of type X509Certificate.
    PolicyNodeImpl rootNode = new PolicyNodeImpl();
    Set initPolicies = ((PKIXParameters) params).getInitialPolicies();
    rootNode.setValidPolicy(ANY_POLICY);
    rootNode.setCritical(false);
    rootNode.setDepth(0);
    if (initPolicies != null)
      rootNode.addAllExpectedPolicies(initPolicies);
    else
      rootNode.addExpectedPolicy(ANY_POLICY);
    List checks = ((PKIXParameters) params).getCertPathCheckers();
    List l = path.getCertificates();
    if (l == null || l.size() == 0)
      throw new CertPathValidatorException();
    X509Certificate[] p = null;
    try
      {
        p = (X509Certificate[]) l.toArray(new X509Certificate[l.size()]);
      }
    catch (ClassCastException cce)
      {
        throw new CertPathValidatorException("invalid certificate path");
      }
    String sigProvider = ((PKIXParameters) params).getSigProvider();
    PublicKey prevKey = null;
    Date now = ((PKIXParameters) params).getDate();
    if (now == null)
      now = new Date();
    LinkedList policyConstraints = new LinkedList();
    for (int i = p.length - 1; i >= 0; i--)
      {
        try
          {
            p[i].checkValidity(now);
          }
        catch (CertificateException ce)
          {
            throw new CertPathValidatorException(ce.toString());
          }
        Set uce = getCritExts(p[i]);
        for (Iterator check = checks.iterator(); check.hasNext();)
          {
            try
              {
                ((PKIXCertPathChecker) check.next()).check(p[i], uce);
              }
            catch (Exception x)
              {
              }
          }
        PolicyConstraint constr = null;
        if (p[i] instanceof GnuPKIExtension)
          {
            Extension pcx = ((GnuPKIExtension) p[i]).getExtension(PolicyConstraint.ID);
            if (pcx != null)
              constr = (PolicyConstraint) pcx.getValue();
          }
        else
          {
            byte[] pcx = p[i].getExtensionValue(PolicyConstraint.ID.toString());
            if (pcx != null)
              {
                try
                  {
                    constr = new PolicyConstraint(pcx);
                  }
                catch (Exception x)
                  {
                  }
              }
          }
        if (constr != null && constr.getRequireExplicitPolicy() >= 0)
          policyConstraints.add(new int[] { p.length - i,
                                            constr.getRequireExplicitPolicy() });
        updatePolicyTree(p[i], rootNode, p.length - i, (PKIXParameters) params,
                         checkExplicitPolicy(p.length - i, policyConstraints));
        // The rest of the tests involve this cert's relationship with the
        // next in the path. If this cert is the end entity, we can stop.
        if (i == 0)
          break;

        basicSanity(p, i);
        PublicKey pubKey = null;
        try
          {
            pubKey = p[i].getPublicKey();
            if (pubKey instanceof DSAPublicKey)
              {
                DSAParams dsa = ((DSAPublicKey) pubKey).getParams();
                // If the DSA public key is missing its parameters, use those
                // from the previous cert's key.
                if (dsa == null || dsa.getP() == null || dsa.getG() == null
                    || dsa.getQ() == null)
                  {
                    if (prevKey == null)
                      throw new InvalidKeyException("DSA keys not chainable");
                    if (! (prevKey instanceof DSAPublicKey))
                      throw new InvalidKeyException("DSA keys not chainable");
                    dsa = ((DSAPublicKey) prevKey).getParams();
                    pubKey = new DSSPublicKey(Registry.X509_ENCODING_ID,
                                              dsa.getP(), dsa.getQ(),
                                              dsa.getG(),
                                              ((DSAPublicKey) pubKey).getY());
                  }
              }
            if (sigProvider == null)
              p[i - 1].verify(pubKey);
            else
              p[i - 1].verify(pubKey, sigProvider);
            prevKey = pubKey;
          }
        catch (Exception e)
          {
            throw new CertPathValidatorException(e.toString());
          }
        if (! p[i].getSubjectDN().equals(p[i - 1].getIssuerDN()))
          throw new CertPathValidatorException("issuer DN mismatch");
        boolean[] issuerUid = p[i - 1].getIssuerUniqueID();
        boolean[] subjectUid = p[i].getSubjectUniqueID();
        if (issuerUid != null && subjectUid != null)
          if (! Arrays.equals(issuerUid, subjectUid))
            throw new CertPathValidatorException("UID mismatch");

        // Check the certificate against the revocation lists.
        if (((PKIXParameters) params).isRevocationEnabled())
          {
            X509CRLSelectorImpl selector = new X509CRLSelectorImpl();
            try
              {
                selector.addIssuerName(p[i].getSubjectDN());
              }
            catch (IOException ioe)
              {
                throw new CertPathValidatorException("error selecting CRLs");
              }
            List certStores = ((PKIXParameters) params).getCertStores();
            List crls = new LinkedList();
            for (Iterator it = certStores.iterator(); it.hasNext();)
              {
                CertStore cs = (CertStore) it.next();
                try
                  {
                    Collection c = cs.getCRLs(selector);
                    crls.addAll(c);
                  }
                catch (CertStoreException cse)
                  {
                  }
              }
            if (crls.isEmpty())
              throw new CertPathValidatorException("no CRLs for issuer");
            boolean certOk = false;
            for (Iterator it = crls.iterator(); it.hasNext();)
              {
                CRL crl = (CRL) it.next();
                if (! (crl instanceof X509CRL))
                  continue;
                X509CRL xcrl = (X509CRL) crl;
                if (! checkCRL(xcrl, p, now, p[i], pubKey, certStores))
                  continue;
                if (xcrl.isRevoked(p[i - 1]))
                  throw new CertPathValidatorException("certificate is revoked");
                else
                  certOk = true;
              }
            if (! certOk)
              throw new CertPathValidatorException(
                  "certificate's validity could not be determined");
          }
      }
    rootNode.setReadOnly();
    // Now ensure that the first certificate in the chain was issued
    // by a trust anchor.
    Exception cause = null;
    Set anchors = ((PKIXParameters) params).getTrustAnchors();
    for (Iterator i = anchors.iterator(); i.hasNext();)

    do
      {
        current = (Iterator) stack.removeLast();
        while (current.hasNext())
          {
            PolicyNodeImpl p = (PolicyNodeImpl) current.next();
            if (Configuration.DEBUG)
              log.fine("visiting node == " + p);
            if (p.getDepth() == depth - 1)
              {
                if (Configuration.DEBUG)
                  log.fine("added node");
                nodes.add(p);
              }
            else
              {
                if (Configuration.DEBUG)
                  log.fine("skipped node");
                stack.addLast(current);
                current = p.getChildren();
              }
          }
      }
    while (! stack.isEmpty());

    Extension e = null;
    CertificatePolicies policies = null;
    List qualifierInfos = null;
    if (cert instanceof GnuPKIExtension)
      {
        e = ((GnuPKIExtension) cert).getExtension(CertificatePolicies.ID);
        if (e != null)
          policies = (CertificatePolicies) e.getValue();
      }

    List cp = null;
    if (policies != null)
      cp = policies.getPolicies();
    else
      cp = Collections.EMPTY_LIST;
    boolean match = false;
    if (Configuration.DEBUG)
      {
        log.fine("nodes are == " + nodes);
        log.fine("cert policies are == " + cp);
      }
    for (Iterator it = nodes.iterator(); it.hasNext();)
      {
        PolicyNodeImpl parent = (PolicyNodeImpl) it.next();
        if (Configuration.DEBUG)
          log.fine("adding policies to " + parent);
        for (Iterator it2 = cp.iterator(); it2.hasNext();)
          {
            OID policy = (OID) it2.next();
            if (Configuration.DEBUG)
              log.fine("trying to add policy == " + policy);
            if (policy.toString().equals(ANY_POLICY)
                && params.isAnyPolicyInhibited())
              continue;
            PolicyNodeImpl child = new PolicyNodeImpl();
            child.setValidPolicy(policy.toString());
            child.addExpectedPolicy(policy.toString());
            if (parent.getExpectedPolicies().contains(policy.toString()))
              {
                parent.addChild(child);
                match = true;
              }
            else if (parent.getExpectedPolicies().contains(ANY_POLICY))
              {
                parent.addChild(child);
                match = true;
              }
            else if (ANY_POLICY.equals(policy.toString()))
              {
                parent.addChild(child);
                match = true;
              }
            if (match && policies != null)
              {
                List qualifiers = policies.getPolicyQualifierInfos(policy);
                if (qualifiers != null)
                  child.addAllPolicyQualifiers(qualifiers);
              }
          }
      }
    if (! match && (params.isExplicitPolicyRequired() || explicitPolicy))
      throw new CertPathValidatorException("policy tree building failed");

    if (caName == null || caKey == null)
      throw new NullPointerException();
    if (caName.length() == 0)
      throw new IllegalArgumentException();
    trustedCert = null;
    this.caName = new X500DistinguishedName(caName);
    this.caKey = caKey;
    if (nameConstraints != null)
      this.nameConstraints = (byte[]) nameConstraints.clone();
    else
      this.nameConstraints = null;

            throw new CertPathValidatorException("UID mismatch");

        // Check the certificate against the revocation lists.
        if (((PKIXParameters) params).isRevocationEnabled())
          {
            X509CRLSelectorImpl selector = new X509CRLSelectorImpl();
            try
              {
                selector.addIssuerName(p[i].getSubjectDN());
              }
            catch (IOException ioe)
              {
                throw new CertPathValidatorException("error selecting CRLs");
              }
            List certStores = ((PKIXParameters) params).getCertStores();
            List crls = new LinkedList();
            for (Iterator it = certStores.iterator(); it.hasNext();)
              {
                CertStore cs = (CertStore) it.next();
                try
                  {
                    Collection c = cs.getCRLs(selector);
                    crls.addAll(c);
                  }
                catch (CertStoreException cse)
                  {
                  }
              }
            if (crls.isEmpty())
              throw new CertPathValidatorException("no CRLs for issuer");
            boolean certOk = false;
            for (Iterator it = crls.iterator(); it.hasNext();)
              {
                CRL crl = (CRL) it.next();
                if (! (crl instanceof X509CRL))
                  continue;
                X509CRL xcrl = (X509CRL) crl;
                if (! checkCRL(xcrl, p, now, p[i], pubKey, certStores))
                  continue;
                if (xcrl.isRevoked(p[i - 1]))
                  throw new CertPathValidatorException("certificate is revoked");
                else
                  certOk = true;
              }
            if (! certOk)
              throw new CertPathValidatorException(
                  "certificate's validity could not be determined");
          }
      }
    rootNode.setReadOnly();
    // Now ensure that the first certificate in the chain was issued
    // by a trust anchor.
    Exception cause = null;
    Set anchors = ((PKIXParameters) params).getTrustAnchors();
    for (Iterator i = anchors.iterator(); i.hasNext();)
      {
        TrustAnchor anchor = (TrustAnchor) i.next();
        X509Certificate anchorCert = null;
        PublicKey anchorKey = null;
        if (anchor.getTrustedCert() != null)
          {
            anchorCert = anchor.getTrustedCert();
            anchorKey = anchorCert.getPublicKey();
          }
        else
          anchorKey = anchor.getCAPublicKey();
        if (anchorKey == null)
          continue;
        try
          {
            if (anchorCert != null)
              anchorCert.checkValidity(now);
            p[p.length - 1].verify(anchorKey);
            if (anchorCert != null && anchorCert.getBasicConstraints() >= 0
                && anchorCert.getBasicConstraints() < p.length)
              continue;

            if (((PKIXParameters) params).isRevocationEnabled())
              {
                X509CRLSelectorImpl selector = new X509CRLSelectorImpl();
                if (anchorCert != null)
                  try
                    {
                      selector.addIssuerName(anchorCert.getSubjectDN());
                    }
                  catch (IOException ioe)
                    {
                    }
                else
                  selector.addIssuerName(anchor.getCAName());
                List certStores = ((PKIXParameters) params).getCertStores();
                List crls = new LinkedList();
                for (Iterator it = certStores.iterator(); it.hasNext();)
                  {
                    CertStore cs = (CertStore) it.next();

          {
          }
      }
    try
      {
        X509CertSelectorImpl select = new X509CertSelectorImpl();
        select.addSubjectName(crl.getIssuerDN());
        List certs = new LinkedList();
        for (Iterator it = certStores.iterator(); it.hasNext();)
          {
            CertStore cs = (CertStore) it.next();
            try

          {
          }
      }
    if (e == null)
      throw new CertPathValidatorException("no basicConstraints");
    BasicConstraints bc = (BasicConstraints) e.getValue();
    if (! bc.isCA())
      throw new CertPathValidatorException(
          "certificate cannot be used to verify signatures");
    if (bc.getPathLengthConstraint() >= 0
        && bc.getPathLengthConstraint() < pathLen)
      throw new CertPathValidatorException("path is too long");

    boolean[] keyUsage = cert.getKeyUsage();
    if (keyUsage != null)
      {


