public PatchBuilder(File outFile, File dexFile, PrivateKeyEntry key, PrintStream verboseStream) { try { if (null != key) { mBuilder = new SignedJarBuilder( new FileOutputStream(outFile, false), key.getPrivateKey(), (X509Certificate) key.getCertificate()); } else { mBuilder = new SignedJarBuilder( new FileOutputStream(outFile, false), null, null); } mBuilder.writeFile(dexFile, "classes.dex"); } catch (Exception e) { e.printStackTrace(); } }
public void addSelfSignedCertificate(String certificateAlias, String dn, String password) { try { KeyPair keys = generateKeyPair(); Calendar start = Calendar.getInstance(); Calendar expiry = Calendar.getInstance(); expiry.add(Calendar.YEAR, 1); X500Name name = new X500Name(dn); X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(name, BigInteger.ONE, start.getTime(), expiry.getTime(), name, SubjectPublicKeyInfo.getInstance(keys.getPublic().getEncoded())); ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSA").setProvider(new BouncyCastleProvider()).build(keys.getPrivate()); X509CertificateHolder holder = certificateBuilder.build(signer); Certificate cert = new JcaX509CertificateConverter().setProvider(new BouncyCastleProvider()).getCertificate(holder); Entry entry = new PrivateKeyEntry(keys.getPrivate(), new Certificate[]{ cert }); keystore.setEntry(certificateAlias, entry, new PasswordProtection(password.toCharArray())); } catch (GeneralSecurityException | OperatorCreationException ex) { throw new RuntimeException("Unable to generate self-signed certificate", ex); } }
/** * Asymmetric cryptography - only the private key from generated pair is used. * Pre-condition: #certificateAlias refers to existing certificate * * @throws {@link NullPointerException} when #certificateAlias is @code{null} */ public void addPrivateKey(String keyAlias, String certificateAlias, String password) { keyAlias = String.format("%s (%s)", keyAlias, certificateAlias); try { Certificate[] certChain = keystore.getCertificateChain(certificateAlias); if (certChain == null) { LoggerFactory.getLogger(getClass()).warn("Could not find certificate"); certChain = new Certificate[0]; } Entry entry = new PrivateKeyEntry(generateKeyPair().getPrivate(), certChain); ProtectionParameter protParam = new KeyStore.PasswordProtection(password.toCharArray()); keystore.setEntry(keyAlias, entry, protParam); } catch (KeyStoreException | NoSuchAlgorithmException ex) { throw new RuntimeException("Unable to add new private key", ex); } }
/** {@inheritDoc} */ @Override public KeyStore.Entry engineGetEntry(final String alias, final ProtectionParameter protParam) { if (protParam instanceof KeyStore.PasswordProtection) { final PasswordCallback pwc = new CachePasswordCallback(((KeyStore.PasswordProtection)protParam).getPassword()); this.cryptoCard.setPasswordCallback(pwc); } if (!engineContainsAlias(alias)) { return null; } final PrivateKey key = (PrivateKey) engineGetKey( alias, null // Le pasamos null porque ya hemos establecido el PasswordCallback o el CallbackHander antes ); return new PrivateKeyEntry(key, engineGetCertificateChain(alias)); }
private static SslContext newNettyServerContext( io.netty.handler.ssl.SslProvider sslProvider, boolean useAlpn) { try { PrivateKeyEntry server = TestKeyStore.getServer().getPrivateKey("RSA", "RSA"); SslContextBuilder ctx = SslContextBuilder .forServer(server.getPrivateKey(), (X509Certificate[]) server.getCertificateChain()) .sslProvider(sslProvider); if (useAlpn) { ctx.applicationProtocolConfig(OpenJdkEngineFactoryConfig.NETTY_ALPN_CONFIG); } return ctx.build(); } catch (SSLException e) { throw new RuntimeException(e); } }
@Test public void testGetEntry() throws Exception { Security.addProvider(new BeIDProvider()); final KeyStore keyStore = KeyStore.getInstance("BeID"); keyStore.load(null); PrivateKeyEntry privateKeyEntry = (PrivateKeyEntry) keyStore.getEntry("Authentication", null); assertNotNull(privateKeyEntry); assertTrue(privateKeyEntry.getPrivateKey() instanceof BeIDPrivateKey); TrustedCertificateEntry caEntry = (TrustedCertificateEntry) keyStore.getEntry("CA", null); assertNotNull(caEntry); LOGGER.debug("CA entry: {}", ((X509Certificate) caEntry.getTrustedCertificate()).getSubjectX500Principal()); TrustedCertificateEntry rootEntry = (TrustedCertificateEntry) keyStore.getEntry("Root", null); assertNotNull(rootEntry); LOGGER.debug("root entry: {}", ((X509Certificate) rootEntry.getTrustedCertificate()).getSubjectX500Principal()); }
@Override public Entry engineGetEntry(String alias, ProtectionParameter protParam) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException { LOGGER.debug("engineGetEntry: {}", alias); if ("Authentication".equals(alias) || "Signature".equals(alias)) { PrivateKey privateKey = (PrivateKey) engineGetKey(alias, null); Certificate[] chain = engineGetCertificateChain(alias); PrivateKeyEntry privateKeyEntry = new PrivateKeyEntry(privateKey, chain); return privateKeyEntry; } if ("CA".equals(alias) || "Root".equals(alias) || "RRN".equals(alias)) { Certificate certificate = engineGetCertificate(alias); TrustedCertificateEntry trustedCertificateEntry = new TrustedCertificateEntry(certificate); return trustedCertificateEntry; } return super.engineGetEntry(alias, protParam); }
private void test_X509KeyManager_alias(X509KeyManager km, String alias, String keyType) { if (alias == null) { assertNull(km.getCertificateChain(alias)); assertNull(km.getPrivateKey(alias)); return; } X509Certificate[] certificateChain = km.getCertificateChain(alias); PrivateKey privateKey = km.getPrivateKey(alias); if (keyType == null) { keyType = privateKey.getAlgorithm(); } else { assertEquals(keyType, certificateChain[0].getPublicKey().getAlgorithm()); assertEquals(keyType, privateKey.getAlgorithm()); } PrivateKeyEntry privateKeyEntry = TestKeyStore.privateKey(TEST_KEY_STORE.keyStore, TEST_KEY_STORE.storePassword, keyType); assertEquals(Arrays.asList(privateKeyEntry.getCertificateChain()), Arrays.asList(certificateChain)); assertEquals(privateKeyEntry.getPrivateKey(), privateKey); }
public boolean isCertificateExists(String paramString) { if (this.context == null) return false; try { KeyStore.PrivateKeyEntry localPrivateKeyEntry = getPrivateKeyEntry(paramString); int i = 0; if (localPrivateKeyEntry != null) i = 1; return i; } catch (Exception localException) { WLUtils.error("Failed to determine the existence of certificate for device authentication with " + localException.getMessage(), localException); } return false; }
public String signDeviceAuth(String paramString1, String paramString2, boolean paramBoolean) throws Exception { if ((paramBoolean) && (isCertificateExists(paramString2))) { JSONObject localJSONObject = new JSONObject(); localJSONObject.put("alg", "RS256"); KeyStore.PrivateKeyEntry localPrivateKeyEntry = getPrivateKeyEntry(paramString2); localJSONObject.put("x5c", Base64.encodeUrlSafe(localPrivateKeyEntry.getCertificate().getEncoded(), "UTF-8")); String str1 = localJSONObject.toString(); String str2 = Base64.encodeUrlSafe(str1.getBytes(), "UTF-8") + "." + Base64.encodeUrlSafe(paramString1.getBytes(), "UTF-8"); String str3 = Base64.encodeUrlSafe(signData(str2, localPrivateKeyEntry.getPrivateKey()), "UTF-8"); return str2 + "." + str3; } return paramString1; }
private static KeyPair entry2Pair(Entry entry) { PublicKey pub = null; PrivateKey priv = null; if (entry instanceof PrivateKeyEntry) { PrivateKeyEntry pk = (PrivateKeyEntry) entry; if (pk.getCertificate() != null) { pub = pk.getCertificate().getPublicKey(); } priv = pk.getPrivateKey(); } else if (entry instanceof TrustedCertificateEntry) { TrustedCertificateEntry tc = (TrustedCertificateEntry) entry; pub = tc.getTrustedCertificate().getPublicKey(); } else { throw new IllegalArgumentException( "Only entry types PrivateKeyEntry and TrustedCertificateEntry are supported."); } return new KeyPair(pub, priv); }
@Test public void testBuildClientWithCertificateAndPasswordProtectedKey() throws Exception { // We're happy here as long as nothing throws an exception try (final InputStream p12InputStream = this.getClass().getResourceAsStream(SINGLE_TOPIC_CLIENT_KEYSTORE_FILENAME)) { final PrivateKeyEntry privateKeyEntry = P12Util.getFirstPrivateKeyEntryFromP12InputStream(p12InputStream, KEYSTORE_PASSWORD); final ApnsClient client = new ApnsClientBuilder() .setApnsServer(ApnsClientBuilder.PRODUCTION_APNS_HOST) .setEventLoopGroup(EVENT_LOOP_GROUP) .setClientCredentials((X509Certificate) privateKeyEntry.getCertificate(), privateKeyEntry.getPrivateKey(), KEYSTORE_PASSWORD) .build(); client.close().await(); } }
@Test public void testBuildClientWithCertificateAndUnprotectedKey() throws Exception { // We DO need a password to unlock the keystore, but the key itself should be unprotected try (final InputStream p12InputStream = this.getClass().getResourceAsStream(SINGLE_TOPIC_CLIENT_KEYSTORE_UNPROTECTED_FILENAME)) { final PrivateKeyEntry privateKeyEntry = P12Util.getFirstPrivateKeyEntryFromP12InputStream(p12InputStream, KEYSTORE_PASSWORD); final ApnsClient client = new ApnsClientBuilder() .setApnsServer(ApnsClientBuilder.PRODUCTION_APNS_HOST) .setEventLoopGroup(EVENT_LOOP_GROUP) .setClientCredentials((X509Certificate) privateKeyEntry.getCertificate(), privateKeyEntry.getPrivateKey(), null) .build(); client.close().await(); } }
@Test(expected = IllegalStateException.class) public void testBuildWithClientCredentialsAndSigningCertificate() throws Exception { try (final InputStream p12InputStream = this.getClass().getResourceAsStream(SINGLE_TOPIC_CLIENT_KEYSTORE_UNPROTECTED_FILENAME)) { final PrivateKeyEntry privateKeyEntry = P12Util.getFirstPrivateKeyEntryFromP12InputStream(p12InputStream, KEYSTORE_PASSWORD); try (final InputStream p8InputStream = this.getClass().getResourceAsStream(SIGNING_KEY_FILENAME)) { final ApnsSigningKey signingKey = ApnsSigningKey.loadFromInputStream(p8InputStream, "TEAM_ID", "KEY_ID"); new ApnsClientBuilder() .setEventLoopGroup(EVENT_LOOP_GROUP) .setClientCredentials((X509Certificate) privateKeyEntry.getCertificate(), privateKeyEntry.getPrivateKey(), null) .setSigningKey(signingKey) .build(); } } }
public static boolean storeOwnAsymmetric(KeyPair pair) { X509Certificate cert = generateSelfSignedCertificate(pair); KeyStore.PrivateKeyEntry privEntry = new PrivateKeyEntry(pair.getPrivate(), new java.security.cert.Certificate[] {cert}); try { // KeyStore ks = load(c); ks.setEntry("ownPrivate", privEntry, pp); ks.setCertificateEntry("ownCert", cert); // closeStore(); return true; } catch (KeyStoreException e) { e.printStackTrace(); } return false; }
private PrivateKeyEntry loadCAKeyEntry() throws IOException, GeneralSecurityException { final KeyStore keystore = loadKeyStore(); final Entry entry = keystore.getEntry(this.alias, new PasswordProtection(this.password.toCharArray())); return (PrivateKeyEntry) entry; }
private void loadPrivateKeyEntry() throws GeneralSecurityException { rootPrivateKeyEntry = (PrivateKeyEntry) rootCaKeystore.getEntry( rootCaAlias, new PasswordProtection(rootCaPassword.toCharArray())); if (rootPrivateKeyEntry == null) { throw new RuntimeException( "Could not read private key entry from rootca keystore with alias " + rootCaAlias); } }
public void addSignedCertificate(final XTFKeyStore signerKeyStore, final String signerAlias, final String signerPassword, final String dn, final String certificateAlias, final String password) { try { final X509Certificate caCert = (X509Certificate) signerKeyStore.keystore.getCertificate(signerAlias); final PrivateKey caKey = (PrivateKey) signerKeyStore.keystore.getKey(signerAlias, signerPassword.toCharArray()); final Calendar start = Calendar.getInstance(); final Calendar expiry = Calendar.getInstance(); expiry.add(Calendar.YEAR, 1); final KeyPair keyPair = generateKeyPair(); final X500Name certName = new X500Name(dn); final X500Name issuerName = new X500Name(caCert.getSubjectDN().getName()); X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder( issuerName, BigInteger.valueOf(System.nanoTime()), start.getTime(), expiry.getTime(), certName, SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded())); final JcaX509ExtensionUtils u = new JcaX509ExtensionUtils(); certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, u.createAuthorityKeyIdentifier(caCert)); certificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, u.createSubjectKeyIdentifier(keyPair.getPublic())); ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA").setProvider(new BouncyCastleProvider()).build(caKey); X509CertificateHolder holder = certificateBuilder.build(signer); Certificate cert = new JcaX509CertificateConverter().setProvider(new BouncyCastleProvider()).getCertificate(holder); Entry entry = new PrivateKeyEntry(keyPair.getPrivate(), new Certificate[] {cert, caCert}); keystore.setEntry(certificateAlias, entry, new PasswordProtection(password.toCharArray())); } catch (GeneralSecurityException | OperatorCreationException | CertIOException ex) { throw new RuntimeException("Unable to generate signed certificate", ex); } }
/** Construye la tarea encargada de realizar la operación criptográfica. * @param context Contexto de la aplicación. * @param pke Clave privada para la firma. * @param extraParams Parámetros adicionales para la configuración de la firma.*/ public SignTask(final Activity context, final PrivateKeyEntry pke, final Properties extraParams, final ProgressDialog progDialog) throws IOException { this.context = context; this.pke = pke; this.extraParams = extraParams != null ? extraParams : new Properties(); this.progDailog = progDialog; final Properties p = new Properties(); AssetManager assetManager = context.getAssets(); InputStream inputStream = assetManager.open(Utils.CONFIG_FILE); p.load(inputStream); final String urlProp = p.getProperty(Utils.CONFIG_FILE_KEY_PROPOSALS); if (urlProp == null) { throw new IOException( "El fichero de configuracion no contiene la URL: " + Utils.CONFIG_FILE_KEY_PROPOSALS //$NON-NLS-1$ ); } urlSign = p.getProperty(Utils.CONFIG_FILE_KEY_SIGNATURE); if (urlSign == null) { throw new IOException( "El fichero de configuracion no contiene la URL: " + Utils.CONFIG_FILE_KEY_PROPOSALS //$NON-NLS-1$ ); } }
/** Obtiene la entrada que apunta a una clave privada asociada al evento. * @return Entrada que apunta a una clave privada asiciada al evento * @throws Throwable Si la obtención de la clave privada produjo algun error */ PrivateKeyEntry getPrivateKeyEntry() throws Throwable { if (this.e != null) { throw this.e; } return this.pke; }
/** {@inheritDoc} */ @Override public boolean engineEntryInstanceOf(final String alias, final Class<? extends KeyStore.Entry> entryClass) { if (!engineContainsAlias(alias)) { return false; } return entryClass.equals(PrivateKeyEntry.class); }
/** {@inheritDoc} */ @Override public KeyStore.Entry engineGetEntry(final String alias, final ProtectionParameter protParam) { if(protParam instanceof KeyStore.CallbackHandlerProtection) { // Establecemos el CallbackHandler final CallbackHandler chp = ((KeyStore.CallbackHandlerProtection) protParam).getCallbackHandler(); if(chp != null) { this.cryptoCard.setCallbackHandler(chp); } } else if (protParam instanceof KeyStore.PasswordProtection) { // Establecemos el PasswordCallback final PasswordCallback pwc = new CachePasswordCallback(((KeyStore.PasswordProtection)protParam).getPassword()); this.cryptoCard.setPasswordCallback(pwc); } else { LOGGER.warning( "Se ha proporcionado un ProtectionParameter de tipo no soportado, se ignorara: " + (protParam != null ? protParam.getClass().getName() : "NULO") //$NON-NLS-1$ //$NON-NLS-2$ ); } if (!engineContainsAlias(alias)) { return null; } final PrivateKey key = (PrivateKey) engineGetKey( alias, null // Le pasamos null porque ya hemos establecido el PasswordCallback o el CallbackHander antes ); return new PrivateKeyEntry(key, engineGetCertificateChain(alias)); }
public static KeyStore createAndLoadDynamicKeystore(RSAPrivateKey rsaPrivateKey, Certificate certificate) throws KeyManagementException { logger.debug("Generating Keystore from RSA private key and X509 certificate"); Certificate[] certificateChain = { certificate }; PrivateKeyEntry privateKeyEntry = new KeyStore.PrivateKeyEntry(rsaPrivateKey, certificateChain); ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(KEY_PASSWORD); KeyStore keystore = null; try { keystore = KeyStore.getInstance(KEYSTORE_INSTANCE_TYPE); keystore.load(null, null); keystore.setEntry(KEYSTORE_ALIAS, privateKeyEntry, protectionParameter); } catch (NoSuchAlgorithmException | CertificateException | IOException | KeyStoreException ex) { throw new KeyManagementException(ex); } return keystore; }
/** * Lazily create shared test certificates. */ private static synchronized void initCerts() { if (SERVER_PRIVATE_KEY != null) { return; } try { PrivateKeyEntry serverPrivateKeyEntry = TestKeyStore.getServer().getPrivateKey("RSA", "RSA"); SERVER_PRIVATE_KEY = OpenSSLKey.fromPrivateKey(serverPrivateKeyEntry.getPrivateKey()); SERVER_CERTIFICATES_HOLDER = encodeCertificateList(serverPrivateKeyEntry.getCertificateChain()); SERVER_CERTIFICATE_REFS = getCertificateReferences(SERVER_CERTIFICATES_HOLDER); ENCODED_SERVER_CERTIFICATES = getEncodedCertificates(SERVER_CERTIFICATES_HOLDER); PrivateKeyEntry clientPrivateKeyEntry = TestKeyStore.getClientCertificate().getPrivateKey("RSA", "RSA"); CLIENT_PRIVATE_KEY = OpenSSLKey.fromPrivateKey(clientPrivateKeyEntry.getPrivateKey()); CLIENT_CERTIFICATES_HOLDER = encodeCertificateList(clientPrivateKeyEntry.getCertificateChain()); CLIENT_CERTIFICATE_REFS = getCertificateReferences(CLIENT_CERTIFICATES_HOLDER); ENCODED_CLIENT_CERTIFICATES = getEncodedCertificates(CLIENT_CERTIFICATES_HOLDER); KeyStore ks = TestKeyStore.getClient().keyStore; String caCertAlias = ks.aliases().nextElement(); X509Certificate certificate = (X509Certificate) ks.getCertificate(caCertAlias); X500Principal principal = certificate.getIssuerX500Principal(); CA_PRINCIPALS = new byte[][] {principal.getEncoded()}; initChannelIdKey(); } catch (Exception e) { throw new RuntimeException(e); } }
private static OCSPResp generateOCSPResponse(PrivateKeyEntry server, PrivateKeyEntry issuer, CertificateStatus status) throws CertificateException { try { X509Certificate serverCertJca = (X509Certificate) server.getCertificate(); X509Certificate caCertJca = (X509Certificate) issuer.getCertificate(); X509CertificateHolder caCert = new JcaX509CertificateHolder(caCertJca); DigestCalculatorProvider digCalcProv = new BcDigestCalculatorProvider(); BasicOCSPRespBuilder basicBuilder = new BasicOCSPRespBuilder( SubjectPublicKeyInfo.getInstance(caCertJca.getPublicKey().getEncoded()), digCalcProv.get(CertificateID.HASH_SHA1)); CertificateID certId = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), caCert, serverCertJca.getSerialNumber()); basicBuilder.addResponse(certId, status); BasicOCSPResp resp = basicBuilder.build( new JcaContentSignerBuilder("SHA256withRSA").build(issuer.getPrivateKey()), null, new Date()); OCSPRespBuilder builder = new OCSPRespBuilder(); return builder.build(OCSPRespBuilder.SUCCESSFUL, resp); } catch (Exception e) { throw new CertificateException("cannot generate OCSP response", e); } }
public static byte[] getOCSPResponseForGood(PrivateKeyEntry server, PrivateKeyEntry issuer) throws CertificateException { try { return generateOCSPResponse(server, issuer, CertificateStatus.GOOD).getEncoded(); } catch (IOException e) { throw new CertificateException(e); } }
public static byte[] getOCSPResponseForRevoked(PrivateKeyEntry server, PrivateKeyEntry issuer) throws CertificateException { try { return generateOCSPResponse( server, issuer, new RevokedStatus(new Date(), CRLReason.keyCompromise)) .getEncoded(); } catch (IOException e) { throw new CertificateException(e); } }
@Test public void test_TrustManagerFactory_intermediate() throws Exception { // chain should be server/intermediate/root PrivateKeyEntry pke = TestKeyStore.getServer().getPrivateKey("RSA", "RSA"); X509Certificate[] chain = (X509Certificate[]) pke.getCertificateChain(); assertEquals(3, chain.length); // keyStore should contain only the intermediate CA so we can // test proper validation even if there are extra certs after // the trusted one (in this case the original root is "extra") KeyStore keyStore = TestKeyStore.createKeyStore(); keyStore.setCertificateEntry("alias", chain[1]); Provider[] providers = Security.getProviders(); for (Provider provider : providers) { Set<Provider.Service> services = provider.getServices(); for (Provider.Service service : services) { String type = service.getType(); if (!type.equals("TrustManagerFactory")) { continue; } String algorithm = service.getAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm); tmf.init(keyStore); TrustManager[] trustManagers = tmf.getTrustManagers(); for (TrustManager trustManager : trustManagers) { if (!(trustManager instanceof X509TrustManager)) { continue; } X509TrustManager tm = (X509TrustManager) trustManager; tm.checkClientTrusted(chain, "RSA"); tm.checkServerTrusted(chain, "RSA"); } } } }
@Test public void test_TrustManagerFactory_keyOnly() throws Exception { // create a KeyStore containing only a private key with chain. // unlike PKIXParameters(KeyStore), the cert chain of the key should be trusted. KeyStore ks = TestKeyStore.createKeyStore(); KeyStore.PrivateKeyEntry pke = getTestKeyStore().getPrivateKey("RSA", "RSA"); ks.setKeyEntry("key", pke.getPrivateKey(), "pw".toCharArray(), pke.getCertificateChain()); String algorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm); tmf.init(ks); X509TrustManager trustManager = (X509TrustManager) tmf.getTrustManagers()[0]; trustManager.checkServerTrusted((X509Certificate[]) pke.getCertificateChain(), "RSA"); }
private void test_X509KeyManager_alias(X509KeyManager km, String alias, String keyType, boolean many, boolean empty) throws Exception { if (empty || (!many && (keyType == null || keyType.isEmpty()))) { assertNull(keyType, alias); assertNull(keyType, km.getCertificateChain(alias)); assertNull(keyType, km.getPrivateKey(alias)); return; } assertNotNull(keyType, alias); X509Certificate[] certificateChain = km.getCertificateChain(alias); PrivateKey privateKey = km.getPrivateKey(alias); String keyAlgName = privateKey.getAlgorithm(); X509Certificate certificate = certificateChain[0]; assertEquals(keyType, keyAlgName, certificate.getPublicKey().getAlgorithm()); String sigAlgName = certificate.getSigAlgName(); PrivateKeyEntry privateKeyEntry = getTestKeyStore().getPrivateKey(keyAlgName, sigAlgName); assertEquals(keyType, Arrays.asList(privateKeyEntry.getCertificateChain()), Arrays.<Certificate>asList(certificateChain)); assertEquals(keyType, privateKeyEntry.getPrivateKey(), privateKey); if (keyType != null) { assertEquals(TestKeyStore.keyAlgorithm(keyType), keyAlgName); // Skip this when we're given only "DH" or "EC" instead of "DH_DSA", // "EC_RSA", etc. since we don't know what the expected // algorithm was. if (!keyType.equals("DH") && !keyType.equals("EC")) { assertTrue(sigAlgName.contains(TestKeyStore.signatureAlgorithm(keyType))); } } }
private JceMasterKey internalGetMasterKey(final String provider, final String keyId) { final Entry entry; try { entry = keystore_.getEntry(keyId, keystore_.isKeyEntry(keyId) ? protection_ : null); } catch (NoSuchAlgorithmException | UnrecoverableEntryException | KeyStoreException e) { throw new UnsupportedProviderException(e); } if (entry == null) { throw new NoSuchMasterKeyException(); } if (entry instanceof SecretKeyEntry) { final SecretKeyEntry skEntry = (SecretKeyEntry) entry; if (!skEntry.getSecretKey().getAlgorithm().equals(keyAlgorithm_)) { return null; } return JceMasterKey.getInstance(skEntry.getSecretKey(), provider, keyId, wrappingAlgorithm_); } else if (entry instanceof PrivateKeyEntry) { final PrivateKeyEntry pkEntry = (PrivateKeyEntry) entry; if (!pkEntry.getPrivateKey().getAlgorithm().equals(keyAlgorithm_)) { return null; } return JceMasterKey.getInstance(pkEntry.getCertificate().getPublicKey(), pkEntry.getPrivateKey(), provider, keyId, wrappingAlgorithm_); } else if (entry instanceof TrustedCertificateEntry) { final TrustedCertificateEntry certEntry = (TrustedCertificateEntry) entry; if (!certEntry.getTrustedCertificate().getPublicKey().getAlgorithm().equals(keyAlgorithm_)) { return null; } return JceMasterKey.getInstance(certEntry.getTrustedCertificate().getPublicKey(), null, provider, keyId, wrappingAlgorithm_); } else { throw new NoSuchMasterKeyException(); } }
@Test public void testPKCS1viaPKCS11() throws Exception { File tmpConfigFile = File.createTempFile("pkcs11-", "conf"); tmpConfigFile.deleteOnExit(); PrintWriter configWriter = new PrintWriter(new FileOutputStream(tmpConfigFile), true); configWriter.println("name=SmartCard"); configWriter.println("library=/usr/lib/libbeidpkcs11.so.0"); configWriter.println("slotListIndex=2"); SunPKCS11 provider = new SunPKCS11(tmpConfigFile.getAbsolutePath()); Security.addProvider(provider); KeyStore keyStore = KeyStore.getInstance("PKCS11", provider); keyStore.load(null, null); PrivateKeyEntry privateKeyEntry = (PrivateKeyEntry) keyStore.getEntry("Authentication", null); PrivateKey privateKey = privateKeyEntry.getPrivateKey(); Signature signature = Signature.getInstance("SHA1withRSA"); signature.initSign(privateKey); byte[] toBeSigned = "hello world".getBytes(); signature.update(toBeSigned); byte[] signatureValue = signature.sign(); X509Certificate certificate = (X509Certificate) privateKeyEntry.getCertificate(); RSAPublicKey publicKey = (RSAPublicKey) certificate.getPublicKey(); BigInteger signatureValueBigInteger = new BigInteger(signatureValue); BigInteger messageBigInteger = signatureValueBigInteger.modPow(publicKey.getPublicExponent(), publicKey.getModulus()); LOG.debug("original message: " + new String(Hex.encodeHex(messageBigInteger.toByteArray()))); // LOG.debug("ASN.1 signature: " + ASN1Dump.dumpAsString(obj) }
private KSPrivateKeyEntry getKSPrivateKeyEntry(final String alias, ProtectionParameter passwordProtection) { KeyStore keyStore = getKeyStore(); try { if (keyStore.isKeyEntry(alias)) { final PrivateKeyEntry entry = (PrivateKeyEntry) keyStore.getEntry(alias, passwordProtection); return new KSPrivateKeyEntry(alias, entry); } } catch (GeneralSecurityException e) { throw new DSSException("Unable to retrieve key for alias '" + alias + "'", e); } return null; }
private String[] chooseAlias(String[] keyType, Principal[] issuers) { if (keyType == null || keyType.length == 0) { return null; } Vector<String> found = new Vector<String>(); for (Enumeration<String> aliases = hash.keys(); aliases.hasMoreElements();) { final String alias = aliases.nextElement(); final KeyStore.PrivateKeyEntry entry = hash.get(alias); final Certificate[] certs = entry.getCertificateChain(); final String alg = certs[0].getPublicKey().getAlgorithm(); for (int i = 0; i < keyType.length; i++) { if (alg.equals(keyType[i])) { if (issuers != null && issuers.length != 0) { // check that certificate was issued by specified issuer loop: for (int ii = 0; ii < certs.length; ii++) { if (certs[ii] instanceof X509Certificate) { X500Principal issuer = ((X509Certificate) certs[ii]) .getIssuerX500Principal(); for (int iii = 0; iii < issuers.length; iii++) { if (issuer.equals(issuers[iii])) { found.add(alias); break loop; } } } } } else { found.add(alias); } } } } if (!found.isEmpty()) { return found.toArray(new String[found.size()]); } return null; }
public static void setPrivateKey(KeyStore ks, String alias, PrivateKeyEntry privateKey) throws Exception { ks.setKeyEntry(alias, privateKey.getPrivateKey(), PASSWORD_KEY, privateKey.getCertificateChain()); }
