public static String buildCertAppliesToString(X509Certificate cert) { List<String> elements = new ArrayList<>(); try { Collection<List<?>> altNames = cert.getSubjectAlternativeNames(); if (altNames != null) { for (List<?> altName : altNames) { Integer altNameType = (Integer) altName.get(0); if (altNameType != 2 && altNameType != 7) // dns or ip continue; elements.add((String) altName.get(1)); } } } catch (CertificateParsingException ignored) { } if (elements.size() == 0) return "none"; return TextUtils.join(",", elements.toArray()); }
private String getCertificateThumbprint(String pfxPath, String password) { try { InputStream inStream = new FileInputStream(pfxPath); KeyStore ks = KeyStore.getInstance("PKCS12"); ks.load(inStream, password.toCharArray()); String alias = ks.aliases().nextElement(); X509Certificate certificate = (X509Certificate) ks.getCertificate(alias); inStream.close(); MessageDigest sha = MessageDigest.getInstance("SHA-1"); return BaseEncoding.base16().encode(sha.digest(certificate.getEncoded())); } catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException ex) { throw new RuntimeException(ex); } }
/** {@inheritDoc} */ public Boolean evaluate(Credential target) { if (target == null) { log.error("Credential target was null"); return null; } if (!(target instanceof X509Credential)) { log.info("Credential is not an X509Credential, can not evaluate X509CertSelector criteria"); return Boolean.FALSE; } X509Credential x509Cred = (X509Credential) target; X509Certificate entityCert = x509Cred.getEntityCertificate(); if (entityCert == null) { log.info("X509Credential did not contain an entity certificate, can not evaluate X509CertSelector criteria"); return Boolean.FALSE; } Boolean result = certSelector.match(entityCert); return result; }
@Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { try { sDefaultTrustManager.checkServerTrusted(chain, authType); } catch (Exception e) { try { mManager.checkServerTrusted(chain, authType); } catch (Exception e2) { synchronized (UserOverrideTrustManager.this) { if (mTempTrustedCertificates != null && mTempTrustedCertificates.contains(chain[0])) { Log.i(TAG, "A temporarily trusted certificate is being used - trusting the server"); return; } } Log.i(TAG, "Unrecognized certificate"); try { X509Certificate cert = chain[0]; if (!askUser(cert, R.string.certificate_bad_cert).get()) throw new UserRejectedCertificateException(); } catch (InterruptedException | ExecutionException e3) { throw new CertificateException("Asking user about the certificate failed"); } } } }
/** * Generates a certificate chain from the collection of * certificates and stores the result into a key entry. */ private void generateCertificateChain(String alias, Collection<? extends Certificate> certCollection) { try { X509Certificate[] certChain = new X509Certificate[certCollection.size()]; int i = 0; for (Iterator<? extends Certificate> iter = certCollection.iterator(); iter.hasNext(); i++) { certChain[i] = (X509Certificate) iter.next(); } storeWithUniqueAlias(alias, new KeyEntry(alias, null, certChain)); } catch (Throwable e) { // Ignore the exception and skip this entry // TODO - throw CertificateException? } }
@Test public void testTrustAllManager() throws Exception { TrustAllManager manager = new TrustAllManager(); manager.checkClientTrusted((X509Certificate[]) null, (String) null); manager.checkServerTrusted((X509Certificate[]) null, (String) null); manager.checkClientTrusted((X509Certificate[]) null, (String) null, (Socket) null); manager.checkClientTrusted((X509Certificate[]) null, (String) null, (SSLEngine) null); manager.checkServerTrusted((X509Certificate[]) null, (String) null, (Socket) null); manager.checkServerTrusted((X509Certificate[]) null, (String) null, (SSLEngine) null); Assert.assertEquals(manager.getAcceptedIssuers() == null, true); }
@Override public void checkServerTrusted(final X509Certificate[] chain, final String authType) throws CertificateException { for (final X509TrustManager trustManager : trustManagers) { try { trustManager.checkServerTrusted(chain, authType); return; } catch (final CertificateException e) { LOGGER.debug(e.getMessage(), e); } } throw new CertificateException("None of the TrustManagers trust this certificate chain"); }
@SuppressWarnings("deprecation") static CloseableHttpClient buildClient(boolean ignoreSSL) throws Exception { SSLSocketFactory sslsf = new SSLSocketFactory(new TrustStrategy() { public boolean isTrusted( final X509Certificate[] chain, String authType) throws CertificateException { // Oh, I am easy... return true; } }); if (ignoreSSL) { return HttpClients.custom().setSSLSocketFactory(sslsf).build(); } else { return HttpClients.createDefault(); } }
@Override public X509Certificate[] getCertificateChain(final String s) { return with(new Function<X509Certificate[]>() { @Override public X509Certificate[] apply(X509ExtendedKeyManager delegate) { return delegate.getCertificateChain(s); } }); }
public ExtendedKeyUsageImpl(X509Certificate cert) throws IOException { keyPurposeIds = new ArrayList<>(); byte[] extVal = cert.getExtensionValue(Extension.extendedKeyUsage.getId()); if (extVal == null) return; org.bouncycastle.asn1.x509.ExtendedKeyUsage usage = org.bouncycastle.asn1.x509.ExtendedKeyUsage .getInstance(X509ExtensionUtil.fromExtensionValue(extVal)); KeyPurposeId[] usages = usage.getUsages(); for (int i = 0; i < usages.length; i++) { keyPurposeIds.add(usages[i].getId()); } }
public static String getCommonName(X509Certificate cert) throws InvalidNameException { // use LDAP API to parse the certifiate Subject :) // see http://stackoverflow.com/a/7634755/972463 LdapName ldapDN = new LdapName(cert.getSubjectX500Principal().getName()); String cn = ""; for (Rdn rdn : ldapDN.getRdns()) { if (rdn.getType().equals("CN")) { cn = rdn.getValue().toString(); } } return cn; }
public BasicConstraintsImpl(X509Certificate cert) throws CertificateException, IOException { byte[] extVal = cert.getExtensionValue(Extension.basicConstraints.getId()); if (extVal == null) return; org.bouncycastle.asn1.x509.BasicConstraints bc = org.bouncycastle.asn1.x509.BasicConstraints .getInstance(X509ExtensionUtil.fromExtensionValue(extVal)); isCA = bc.isCA(); pathLen = bc.getPathLenConstraint(); }
/** * Retrieves a x509Certificate from the given information * @param e * @param baseURI * @param storage * @return * @throws KeyResolverException */ private static X509Certificate resolveCertificate( Element e, String baseURI, StorageResolver storage ) throws KeyResolverException { if (log.isLoggable(java.util.logging.Level.FINE)) { log.log(java.util.logging.Level.FINE, "Now we have a {" + e.getNamespaceURI() + "}" + e.getLocalName() + " Element"); } // An element has been provided if (e != null) { return KeyResolver.getX509Certificate(e, baseURI, storage); } return null; }
/** @inheritDoc */ public PublicKey engineLookupAndResolvePublicKey( Element element, String baseURI, StorageResolver storage ) throws KeyResolverException { X509Certificate cert = this.engineLookupResolveX509Certificate(element, baseURI, storage); if (cert != null) { return cert.getPublicKey(); } return null; }
@Test public void verifyHexPrincipalEven() { final X509SerialNumberPrincipalResolver r = new X509SerialNumberPrincipalResolver(16, true); final X509Certificate mockCert = mock(X509Certificate.class); when(mockCert.getSerialNumber()).thenReturn(BigInteger.valueOf(60300L)); final String principal = r.resolvePrincipalInternal(mockCert); assertEquals("eb8c", principal); }
public boolean match(Object obj) { if (!(obj instanceof X509Certificate)) { return false; } return match((Certificate)obj); }
/** * Internal method to check the name constraints against a cert */ private void verifyNameConstraints(X509Certificate currCert) throws CertPathValidatorException { String msg = "name constraints"; if (debug != null) { debug.println("---checking " + msg + "..."); } // check name constraints only if there is a previous name constraint // and either the currCert is the final cert or the currCert is not // self-issued if (prevNC != null && ((i == certPathLength) || !X509CertImpl.isSelfIssued(currCert))) { if (debug != null) { debug.println("prevNC = " + prevNC + ", currDN = " + currCert.getSubjectX500Principal()); } try { if (!prevNC.verify(currCert)) { throw new CertPathValidatorException(msg + " check failed", null, null, -1, PKIXReason.INVALID_NAME); } } catch (IOException ioe) { throw new CertPathValidatorException(ioe); } } // merge name constraints regardless of whether cert is self-issued prevNC = mergeNameConstraints(currCert, prevNC); if (debug != null) debug.println(msg + " verified."); }
/** * Encode the CertPath using PKIPATH format. * * @return a byte array containing the binary encoding of the PkiPath object * @exception CertificateEncodingException if an exception occurs */ private byte[] encodePKIPATH() throws CertificateEncodingException { ListIterator<X509Certificate> li = certs.listIterator(certs.size()); try { DerOutputStream bytes = new DerOutputStream(); // encode certs in reverse order (trust anchor to target) // according to PkiPath format while (li.hasPrevious()) { X509Certificate cert = li.previous(); // check for duplicate cert if (certs.lastIndexOf(cert) != certs.indexOf(cert)) { throw new CertificateEncodingException ("Duplicate Certificate"); } // get encoded certificates byte[] encoded = cert.getEncoded(); bytes.write(encoded); } // Wrap the data in a SEQUENCE DerOutputStream derout = new DerOutputStream(); derout.write(DerValue.tag_SequenceOf, bytes); return derout.toByteArray(); } catch (IOException ioe) { throw new CertificateEncodingException("IOException encoding " + "PkiPath data: " + ioe, ioe); } }
public static ArrayList<String> getDistributionPointUrls(X509Certificate cert){ ArrayList<String> ret = new ArrayList<String>(); try{ String data = cert.toString(); if(data.indexOf("CRLDistributionPoints") == -1) return ret; data = data.substring(data.indexOf("CRLDistributionPoints")); data = data.substring(0, data.indexOf("]]") + 2); while(data.indexOf("URIName") != -1){ data = data.substring(data.indexOf("URIName") + 9); String url = data.substring(0, data.indexOf("]")); if(url.contains(", URIName: ")){ String[] urlTmpList = url.split(", URIName: "); for(String urlTmp:urlTmpList) ret.add(urlTmp); }else ret.add(url); data = data.substring(data.indexOf("]") + 1); } }catch(Exception ex){ex.printStackTrace();} return ret; }
@Override public X509Certificate[] getAcceptedIssuers() { final List<X509Certificate> certificates = new ArrayList<>(); for (final X509TrustManager trustManager : trustManagers) { final List<X509Certificate> list = Arrays.asList(trustManager.getAcceptedIssuers()); certificates.addAll(list); } return certificates.toArray(new X509Certificate[] {}); }
@Test public void validate_shouldFailACertSignedByAnUnknownRootCACert() throws Exception { final X509Certificate otherChildCertificate = certificateFactory.createCertificate(childSignedByOtherRootCAString); assertExceptionMessage( certificateChainValidator, otherChildCertificate, CertificateChainValidationException.class, "Certificate is not valid: O=other_server, CN=localhost" ); }
/** * 检查证书链 * * @param rootCerts * 根证书 * @param cert * 待验证的证书 * @return */ public static boolean verifyCertificate(X509Certificate cert) { if ( null == cert) { LogUtil.writeErrorLog("cert must Not null"); return false; } try { cert.checkValidity();//验证有效期 // cert.verify(middleCert.getPublicKey()); if(!verifyCertificateChain(cert)){ return false; } } catch (Exception e) { LogUtil.writeErrorLog("verifyCertificate fail", e); return false; } if(SDKConfig.getConfig().isIfValidateCNName()){ // 验证公钥是否属于银联 if(!UNIONPAY_CNNAME.equals(CertUtil.getIdentitiesFromCertficate(cert))) { LogUtil.writeErrorLog("cer owner is not CUP:" + CertUtil.getIdentitiesFromCertficate(cert)); return false; } } else { // 验证公钥是否属于银联 if(!UNIONPAY_CNNAME.equals(CertUtil.getIdentitiesFromCertficate(cert)) && !"00040000:SIGN".equals(CertUtil.getIdentitiesFromCertficate(cert))) { LogUtil.writeErrorLog("cer owner is not CUP:" + CertUtil.getIdentitiesFromCertficate(cert)); return false; } } return true; }
@Override public void checkClientTrusted(X509Certificate certificates[], String authType) throws CertificateException { if (this.certificates == null) { this.certificates = certificates; log.info("init at checkClientTrusted"); } }
public X509Certificate decode(String certStr) { try { byte[] decoded = Base64.getDecoder().decode(certStr); return (X509Certificate)factory.generateCertificate(new ByteArrayInputStream(decoded)); } catch (IllegalArgumentException | CertificateException e) { log.warn("Failed to decode certificate {}.", certStr); return null; } }
public void checkServerTrusted(X509Certificate[] certificates, String authType) throws CertificateException { for (X509Certificate certificate : certificates) { certificate.checkValidity(); } }
@Test public void getCrlFromLdapWithNoCaching() throws Exception { for (int i = 0; i < 10; i++) { CacheManager.getInstance().removeAllCaches(); final Cache cache = new Cache("crlCache-1", 100, false, false, 20, 10); CacheManager.getInstance().addCache(cache); final CRLDistributionPointRevocationChecker checker = new CRLDistributionPointRevocationChecker(cache, fetcher); checker.setThrowOnFetchFailure(true); checker.setUnavailableCRLPolicy(new AllowRevocationPolicy()); final X509Certificate cert = CertUtils.readCertificate(new ClassPathResource("ldap-crl.crt")); checker.check(cert); } }
private static void loadCertificates(XMLSignatureFactory signatureFactory) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException, NoSuchProviderException, CertificateException, IOException, CertificadoException { Certificado certificado = configuracoesCte.getCertificado(); KeyStore keyStore = CertificadoService.getKeyStore(certificado); KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(certificado.getNome(), new KeyStore.PasswordProtection(certificado.getSenha().toCharArray())); privateKey = pkEntry.getPrivateKey(); KeyInfoFactory keyInfoFactory = signatureFactory.getKeyInfoFactory(); List<X509Certificate> x509Content = new ArrayList<X509Certificate>(); x509Content.add(CertificadoService.getCertificate(certificado, keyStore)); X509Data x509Data = keyInfoFactory.newX509Data(x509Content); keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(x509Data)); }
/** * Build an {@link X509Digest} containing the digest of the specified certificate. * * @param javaCert the Java X509Certificate to digest * @param algorithmURI digest algorithm URI * @return a new X509Digest object * @throws NoSuchAlgorithmException if the algorithm specified cannot be used * @throws CertificateEncodingException if the certificate cannot be encoded */ public static X509Digest buildX509Digest(X509Certificate javaCert, String algorithmURI) throws NoSuchAlgorithmException, CertificateEncodingException { String jceAlg = SecurityHelper.getAlgorithmIDFromURI(algorithmURI); if (jceAlg == null) { throw new NoSuchAlgorithmException("No JCE algorithm found for " + algorithmURI); } MessageDigest md = MessageDigest.getInstance(jceAlg); byte[] hash = md.digest(javaCert.getEncoded()); X509Digest xmlDigest = (X509Digest) Configuration.getBuilderFactory() .getBuilder(X509Digest.DEFAULT_ELEMENT_NAME) .buildObject(X509Digest.DEFAULT_ELEMENT_NAME); xmlDigest.setAlgorithm(algorithmURI); xmlDigest.setValue(Base64.encodeBytes(hash)); return xmlDigest; }
private void validate(final X509Certificate certificate, final KeyStore trustStore) { CertificateValidity certificateValidity = certificateChainValidator.validate(certificate, trustStore); if (!certificateValidity.isValid()) { throw new CertificateChainValidationException( format("Certificate is not valid: {0}", getDnForCertificate(certificate)), certificateValidity.getException().get()); } }
public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException { // TODO Auto-generated method stub try { defaultTrustManager.checkServerTrusted(arg0, arg1); } catch (CertificateException ce) { localTrustManager.checkServerTrusted(arg0, arg1); } }
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) { X509Certificate cert = extractClientCertificate(request); if (cert == null) { return null; } return principalExtractor.extractPrincipal(cert); }
@Override public void onCertificateRequest(final X509Certificate[] certificate) { dismissDialog(); if (certificate == null) { performLogin(); } else { DialogHelper.showSslDialog(LoginActivity.this, certificate, LoginActivity.this); } }
/** * Internal method to check that cert has a valid DN to be next in a chain */ private void verifyNameChaining(X509Certificate cert) throws CertPathValidatorException { if (prevSubject != null) { String msg = "subject/issuer name chaining"; if (debug != null) debug.println("---checking " + msg + "..."); X500Principal currIssuer = cert.getIssuerX500Principal(); // reject null or empty issuer DNs if (X500Name.asX500Name(currIssuer).isEmpty()) { throw new CertPathValidatorException (msg + " check failed: " + "empty/null issuer DN in certificate is invalid", null, null, -1, PKIXReason.NAME_CHAINING); } if (!(currIssuer.equals(prevSubject))) { throw new CertPathValidatorException (msg + " check failed", null, null, -1, PKIXReason.NAME_CHAINING); } if (debug != null) debug.println(msg + " verified."); } }
private static List<X509Certificate> getMatchingCerts (List<X509Certificate> certs, CertSelector selector) { // if selector not specified, all certs match if (selector == null) { return certs; } List<X509Certificate> matchedCerts = new ArrayList<>(certs.size()); for (X509Certificate cert : certs) { if (selector.match(cert)) { matchedCerts.add(cert); } } return matchedCerts; }
@Test public void testTrustedAuth() { X509AuthenticationProvider provider = createProvider(clientCert); MockServerCnxn cnxn = new MockServerCnxn(); cnxn.clientChain = new X509Certificate[] { clientCert }; Assert.assertEquals(KeeperException.Code.OK, provider.handleAuthentication(cnxn, null)); }
/** * Creates a {@link SignedJarBuilder} with a given output stream, and signing information. * <p/>If either <code>key</code> or <code>certificate</code> is <code>null</code> then * the archive will not be signed. * * @param out the {@link OutputStream} where to write the Jar archive. * @param key the {@link PrivateKey} used to sign the archive, or <code>null</code>. * @param certificate the {@link X509Certificate} used to sign the archive, or * <code>null</code>. * @throws IOException * @throws NoSuchAlgorithmException */ public LocalSignedJarBuilder(@NonNull OutputStream out, @Nullable PrivateKey key, @Nullable X509Certificate certificate, @Nullable String builtBy, @Nullable String createdBy, @Nullable String signFile) throws IOException, NoSuchAlgorithmException { mOutputJar = new JarOutputStream(new BufferedOutputStream(out)); mOutputJar.setLevel(9); mKey = key; mCertificate = certificate; mSignFile = signFile; if (mKey != null && mCertificate != null) { mManifest = new Manifest(); Attributes main = mManifest.getMainAttributes(); main.putValue("Manifest-Version", "1.0"); if (builtBy != null) { main.putValue("Built-By", builtBy); } if (createdBy != null) { main.putValue("Created-By", createdBy); } mMessageDigest = MessageDigest.getInstance(DIGEST_ALGORITHM); } }
/** * Constructs a new {@code Builder}. * * @param name signer's name. The name is reflected in the name of files comprising the * JAR signature of the APK. * @param privateKey signing key * @param certificates list of one or more X.509 certificates. The subject public key of * the first certificate must correspond to the {@code privateKey}. */ public Builder( String name, PrivateKey privateKey, List<X509Certificate> certificates) { if (name.isEmpty()) { throw new IllegalArgumentException("Empty name"); } mName = name; mPrivateKey = privateKey; mCertificates = new ArrayList<>(certificates); }
/** * Verify that the signing certificate used to sign {@link #SIGNED_FILE_NAME} * matches the signing stored in the database for this repo. {@link #repo} and * {@code repo.signingCertificate} must be pre-loaded from the database before * running this, if this is an existing repo. If the repo does not exist, * this will run the TOFU process. * <p> * Index V1 works with two copies of the signing certificate: * <li>in the downloaded jar</li> * <li>stored in the local database</li> * <p> * A new repo can be added with or without the fingerprint of the signing * certificate. If no fingerprint is supplied, then do a pure TOFU and just * store the certificate as valid. If there is a fingerprint, then first * check that the signing certificate in the jar matches that fingerprint. * <p> * This is also responsible for adding the {@link Repo} instance to the * database for the first time. * <p> * This is the same as {@link RepoUpdater#verifyCerts(String, X509Certificate)}, * {@link RepoUpdater#verifyAndStoreTOFUCerts(String, X509Certificate)}, and * {@link RepoUpdater#assertSigningCertFromXmlCorrect()} except there is no * embedded copy of the signing certificate in the index data. * * @param rawCertFromJar the {@link X509Certificate} embedded in the downloaded jar * @see RepoUpdater#verifyAndStoreTOFUCerts(String, X509Certificate) * @see RepoUpdater#verifyCerts(String, X509Certificate) * @see RepoUpdater#assertSigningCertFromXmlCorrect() */ private void verifySigningCertificate(X509Certificate rawCertFromJar) throws SigningException { String certFromJar = Hasher.hex(rawCertFromJar); if (TextUtils.isEmpty(certFromJar)) { throw new SigningException(repo, SIGNED_FILE_NAME + " must have an included signing certificate!"); } if (repo.signingCertificate == null) { if (repo.fingerprint != null) { String fingerprintFromJar = Utils.calcFingerprint(rawCertFromJar); if (!repo.fingerprint.equalsIgnoreCase(fingerprintFromJar)) { throw new SigningException(repo, "Supplied certificate fingerprint does not match!"); } } Utils.debugLog(TAG, "Saving new signing certificate to database for " + repo.address); ContentValues values = new ContentValues(2); values.put(Schema.RepoTable.Cols.LAST_UPDATED, Utils.formatDate(new Date(), "")); values.put(Schema.RepoTable.Cols.SIGNING_CERT, Hasher.hex(rawCertFromJar)); RepoProvider.Helper.update(context, repo, values); repo.signingCertificate = certFromJar; } if (TextUtils.isEmpty(repo.signingCertificate)) { throw new SigningException(repo, "A empty repo signing certificate is invalid!"); } if (repo.signingCertificate.equals(certFromJar)) { return; // we have a match! } throw new SigningException(repo, "Signing certificate does not match!"); }
