下面列出了怎么用java.security.cert.X509Certificate的API类实例代码及写法,或者点击链接到github查看源代码。
private void validateX5c(TPMAttestationStatement attestationStatement, TPMSAttest certInfo, AuthenticatorData<RegistrationExtensionAuthenticatorOutput<?>> authenticatorData) {
X509Certificate aikCert = attestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate();
/// Verify the sig is a valid signature over certInfo using the attestation public key in aikCert with the algorithm specified in alg.
String jcaName = getJcaName(attestationStatement.getAlg());
Signature certInfoSignature = SignatureUtil.createSignature(jcaName);
try {
certInfoSignature.initVerify(aikCert.getPublicKey());
certInfoSignature.update(certInfo.getBytes());
if (!certInfoSignature.verify(attestationStatement.getSig())) {
throw new BadAttestationStatementException("hash of certInfo doesn't match with sig.");
}
} catch (SignatureException | InvalidKeyException e) {
throw new BadAttestationStatementException("Failed to validate the signature.", e);
}
/// Verify that aikCert meets the requirements in §8.3.1 TPM Attestation Statement Certificate Requirements.
validateAikCert(aikCert);
/// If aikCert contains an extension with OID 1 3 6 1 4 1 45724 1 1 4 (id-fido-gen-ce-aaguid) verify that the value of this extension matches the aaguid in authenticatorData.
byte[] aaguidBytes = aikCert.getExtensionValue(ID_FIDO_GEN_CE_AAGUID);
if (aaguidBytes != null && !Objects.equals(new AAGUID(aaguidBytes), authenticatorData.getAttestedCredentialData().getAaguid())) {
throw new BadAttestationStatementException("AAGUID in aikCert doesn't match with that in authenticatorData");
}
}
protected D obtainCompleteness(X509Certificate certificate, PrivateKey privateKey, C consultRequest) throws TechnicalConnectorException {
if (certificate != null && privateKey != null) {
GenericRequest request = ServiceFactory.getTSConsultService(certificate, privateKey);
request.setPayload(consultRequest);
try {
return be.ehealth.technicalconnector.ws.ServiceFactory.getGenericWsSender().send(request).asObject(this.clazzD);
} catch (SOAPException var6) {
throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_WS, new Object[]{var6.getMessage(), var6});
}
} else {
TechnicalConnectorExceptionValues errorValue = TechnicalConnectorExceptionValues.SECURITY_NO_CERTIFICATE;
LOG.debug("\t## " + errorValue.getMessage());
throw new TechnicalConnectorException(errorValue, (Throwable)null, new Object[0]);
}
}
@Test
public void testAddFingerPrintFailedToWrite() throws CertificateException, IOException {
Path notWritable = Paths.get(tmpDir.getRoot().getPath(), "notWritable");
Files.createFile(notWritable);
Files.setPosixFilePermissions(notWritable, PosixFilePermissions.fromString("r--------"));
trustManager = new TrustOnFirstUseManager(notWritable);
X509Certificate certificate = mock(X509Certificate.class);
when(certificate.getEncoded()).thenReturn("certificate".getBytes(UTF_8));
X500Principal cn = new X500Principal("CN=localhost");
when(certificate.getSubjectX500Principal()).thenReturn(cn);
try {
trustManager.checkServerTrusted(new X509Certificate[]{certificate}, "s");
trustManager.checkClientTrusted(new X509Certificate[]{certificate}, "s");
failBecauseExceptionWasNotThrown(CertificateException.class);
} catch (Exception ex) {
assertThat(ex).isInstanceOf(CertificateException.class);
}
}
private EncryptionToken getEtkBasedOnX509(X509Certificate cert) throws TechnicalConnectorException {
CertificateParser parser = new CertificateParser(cert);
IdentifierType identifierType = parser.getIdentifier();
String identifierValue = parser.getId();
String application = parser.getApplication();
if (identifierType != null && !StringUtils.isEmpty(identifierValue) && StringUtils.isNumeric(identifierValue)) {
try {
return this.getEtk(identifierType, Long.parseLong(identifierValue), application);
} catch (NumberFormatException var7) {
LOG.error(TechnicalConnectorExceptionValues.ERROR_ETK_NOTFOUND.getMessage());
throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_ETK_NOTFOUND, var7, new Object[0]);
}
} else {
LOG.error(TechnicalConnectorExceptionValues.ERROR_ETK_NOTFOUND.getMessage());
throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_ETK_NOTFOUND, new Object[0]);
}
}
/**
* Initialize the builder with the input parameters.
*
* @param params the parameter set used to build a certification path
*/
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
super(buildParams);
// populate sets of trusted certificates and subject DNs
trustAnchors = buildParams.trustAnchors();
trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
for (TrustAnchor anchor : trustAnchors) {
X509Certificate trustedCert = anchor.getTrustedCert();
if (trustedCert != null) {
trustedCerts.add(trustedCert);
trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
} else {
trustedSubjectDNs.add(anchor.getCA());
}
}
this.searchAllCertStores = searchAllCertStores;
}
/**
* Initialize the builder with the input parameters.
*
* @param params the parameter set used to build a certification path
*/
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
super(buildParams);
// populate sets of trusted certificates and subject DNs
trustAnchors = buildParams.trustAnchors();
trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
for (TrustAnchor anchor : trustAnchors) {
X509Certificate trustedCert = anchor.getTrustedCert();
if (trustedCert != null) {
trustedCerts.add(trustedCert);
trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
} else {
trustedSubjectDNs.add(anchor.getCA());
}
}
this.searchAllCertStores = searchAllCertStores;
}
public String sendCertificateSecured(String url, String payload, X509Certificate certificate, PrivateKey privateKey, String soapAction) throws TechnicalConnectorException {
GenericRequest request = new GenericRequest();
request.setPayload(payload);
request.setEndpoint(url);
if (soapAction != null && soapAction.isEmpty()) {
request.setSoapAction(soapAction);
}
request.setHandlerChain((new HandlerChain()).register(HandlerPosition.SECURITY, new CertificateCallback(certificate, privateKey)).register(HandlerPosition.SECURITY, new SoapActionHandler()));
request.setDefaultHandlerChain();
try {
return this.send(request).asString();
} catch (SOAPException var8) {
throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_WS, var8, new Object[]{var8.getMessage()});
}
}
public CertPath engineGenerateCertPath(
List certificates)
throws CertificateException
{
Iterator iter = certificates.iterator();
Object obj;
while (iter.hasNext())
{
obj = iter.next();
if (obj != null)
{
if (!(obj instanceof X509Certificate))
{
throw new CertificateException("list contains non X509Certificate object while creating CertPath\n" + obj.toString());
}
}
}
return new PKIXCertPath(certificates);
}
@Test
public void testCertificateNotValidForRecognisedAddress() throws CertificateException, IOException {
testAddThumbPrintToKnownHostsList();
when(certificate.getEncoded()).thenReturn("ADifferentCertificate".getBytes(UTF_8));
X500Principal cn = new X500Principal("CN=localhost");
when(certificate.getSubjectX500Principal()).thenReturn(cn);
try {
trustManager.checkServerTrusted(new X509Certificate[]{certificate}, "str");
failBecauseExceptionWasNotThrown(IOException.class);
} catch (Exception ex) {
assertThat(ex)
.isInstanceOf(CertificateException.class)
.hasMessageContaining("This address has been associated with a different certificate");
}
verify(certificate, times(3)).getEncoded();
verify(certificate, times(3)).getSubjectX500Principal();
}
/**
* Returns the X.509 certificate listed in this PKCS7 block
* which has a matching serial number and Issuer name, or
* null if one is not found.
*
* @param serial the serial number of the certificate to retrieve.
* @param issuerName the Distinguished Name of the Issuer.
*/
public X509Certificate getCertificate(BigInteger serial, X500Name issuerName) {
if (certificates != null) {
if (certIssuerNames == null)
populateCertIssuerNames();
for (int i = 0; i < certificates.length; i++) {
X509Certificate cert = certificates[i];
BigInteger thisSerial = cert.getSerialNumber();
if (serial.equals(thisSerial)
&& issuerName.equals(certIssuerNames[i]))
{
return cert;
}
}
}
return null;
}
public static Optional<X509Certificate> readCertificateFile(Path root, AthenzIdentity service) {
try {
Path certificateFile = getCertificateFile(root, service);
if (Files.notExists(certificateFile)) return Optional.empty();
return Optional.of(X509CertificateUtils.fromPem(new String(Files.readAllBytes(certificateFile))));
} catch (IOException e) {
throw new UncheckedIOException(e);
}
}
/**
* Generates a PKCS #7 signed data message that includes a signature
* timestamp.
* This method is used when a signature has already been generated.
* The signature, a signature timestamp, the signer's certificate chain,
* and optionally the content that was signed, are packaged into a PKCS #7
* signed data message.
*
* @param params The non-null input parameters.
* @param omitContent true if the content should be omitted from the
* signed data message. Otherwise the content is included.
* @param applyTimestamp true if the signature should be timestamped.
* Otherwise timestamping is not performed.
* @return A PKCS #7 signed data message including a signature timestamp.
* @throws NoSuchAlgorithmException The exception is thrown if the signature
* algorithm is unrecognised.
* @throws CertificateException The exception is thrown if an error occurs
* while processing the signer's certificate or the TSA's
* certificate.
* @throws IOException The exception is thrown if an error occurs while
* generating the signature timestamp or while generating the signed
* data message.
* @throws NullPointerException The exception is thrown if parameters is
* null.
*/
public byte[] generateSignedData(ContentSignerParameters params,
boolean omitContent, boolean applyTimestamp)
throws NoSuchAlgorithmException, CertificateException, IOException {
if (params == null) {
throw new NullPointerException();
}
// Parse the signature algorithm to extract the digest
// algorithm. The expected format is:
// "<digest>with<encryption>"
// or "<digest>with<encryption>and<mgf>"
String signatureAlgorithm = params.getSignatureAlgorithm();
X509Certificate[] signerChain = params.getSignerCertificateChain();
byte[] signature = params.getSignature();
// Include or exclude content
byte[] content = (omitContent == true) ? null : params.getContent();
URI tsaURI = null;
if (applyTimestamp) {
tsaURI = params.getTimestampingAuthority();
if (tsaURI == null) {
// Examine TSA cert
tsaURI = getTimestampingURI(
params.getTimestampingAuthorityCertificate());
if (tsaURI == null) {
throw new CertificateException(
"Subject Information Access extension not found");
}
}
}
return PKCS7.generateSignedData(signature, signerChain, content,
params.getSignatureAlgorithm(), tsaURI,
params.getTSAPolicyID(),
params.getTSADigestAlg());
}
/**
* Constructor XMLX509IssuerSerial
*
* @param doc
* @param x509certificate
*/
public XMLX509IssuerSerial(Document doc, X509Certificate x509certificate) {
this(
doc,
x509certificate.getIssuerX500Principal().getName(),
x509certificate.getSerialNumber()
);
}
static Date getIssueDate() throws Exception {
KeyStore ks = KeyStore.getInstance("jks");
try (FileInputStream fis = new FileInputStream("jks")) {
ks.load(fis, "changeit".toCharArray());
}
X509Certificate cert = (X509Certificate)ks.getCertificate("me");
return cert.getNotBefore();
}
@Override
public void check(Certificate cert,
Collection<String> unresolvedCritExts)
throws CertPathValidatorException {
X509Certificate currCert = (X509Certificate)cert;
// check that this is an EE cert
if (currCert.getBasicConstraints() == -1) {
if (unresolvedCritExts != null &&
!unresolvedCritExts.isEmpty()) {
unresolvedCritExts.remove("1.2.3.4");
}
}
}
private static byte[] getDigest(X509Certificate cert, String algorithm) {
try {
MessageDigest md = MessageDigest.getInstance(algorithm);
return md.digest(cert.getEncoded());
} catch (GeneralSecurityException e) {
throw new ProviderException(e);
}
}
/**
* Retrieves a x509Certificate from the given information
* @param e
* @param baseURI
* @param storage
* @return
* @throws KeyResolverException
*/
private static X509Certificate resolveCertificate(
Element e, String baseURI, StorageResolver storage
) throws KeyResolverException {
if (log.isLoggable(java.util.logging.Level.FINE)) {
log.log(java.util.logging.Level.FINE, "Now we have a {" + e.getNamespaceURI() + "}"
+ e.getLocalName() + " Element");
}
// An element has been provided
if (e != null) {
return KeyResolver.getX509Certificate(e, baseURI, storage);
}
return null;
}
/**
* Returns CRLs described in a X509Certificate's CRLDistributionPoints
* Extension. Only those containing a general name of type URI are read.
*/
public static List<CRL> readCRLsFromCert(X509Certificate cert)
throws Exception {
List<CRL> crls = new ArrayList<>();
CRLDistributionPointsExtension ext =
X509CertImpl.toImpl(cert).getCRLDistributionPointsExtension();
if (ext == null) return crls;
List<DistributionPoint> distPoints =
ext.get(CRLDistributionPointsExtension.POINTS);
for (DistributionPoint o: distPoints) {
GeneralNames names = o.getFullName();
if (names != null) {
for (GeneralName name: names.names()) {
if (name.getType() == GeneralNameInterface.NAME_URI) {
URIName uriName = (URIName)name.getName();
for (CRL crl: loadCRLs(uriName.getName())) {
if (crl instanceof X509CRL) {
crls.add((X509CRL)crl);
}
}
break; // Different name should point to same CRL
}
}
}
}
return crls;
}
private PrivateKey resolveX509SubjectName(XMLX509SubjectName x509SubjectName) throws KeyStoreException {
log.log(java.util.logging.Level.FINE, "Can I resolve X509SubjectName?");
Enumeration<String> aliases = keyStore.aliases();
while (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
if (keyStore.isKeyEntry(alias)) {
Certificate cert = keyStore.getCertificate(alias);
if (cert instanceof X509Certificate) {
XMLX509SubjectName certSN =
new XMLX509SubjectName(x509SubjectName.getDocument(), (X509Certificate) cert);
if (certSN.equals(x509SubjectName)) {
log.log(java.util.logging.Level.FINE, "match !!! ");
try {
Key key = keyStore.getKey(alias, password);
if (key instanceof PrivateKey) {
return (PrivateKey) key;
}
} catch (Exception e) {
log.log(java.util.logging.Level.FINE, "Cannot recover the key", e);
// Keep searching
}
}
}
}
}
return null;
}
public boolean contains(List<? extends X509Certificate> key) {
synchronized(map) {
EntryWithAge entry = map.get(key);
if ((entry != null)
&& (timeSource.currentTimeMillis() < entry.expireMillis)) {
return true;
}
return false;
}
}
public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
TrustAnchor anchor = new TrustAnchor
(rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
X509CertSelector sel = new X509CertSelector();
sel.setBasicConstraints(-2);
PKIXBuilderParameters params = new PKIXBuilderParameters
(Collections.singleton(anchor), sel);
params.setRevocationEnabled(false);
X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
certs.add(caCert);
certs.add(eeCert);
CollectionCertStoreParameters ccsp =
new CollectionCertStoreParameters(certs);
CertStore cs = CertStore.getInstance("Collection", ccsp);
params.addCertStore(cs);
PKIXCertPathBuilderResult res = CertUtils.build(params);
CertPath cp = res.getCertPath();
// check that first certificate is an EE cert
List<? extends Certificate> certList = cp.getCertificates();
X509Certificate cert = (X509Certificate) certList.get(0);
if (cert.getBasicConstraints() != -1) {
throw new Exception("Target certificate is not an EE certificate");
}
}
/**
* @param args {cacerts keystore, cert chain}
*/
public static void main(String[] args) throws Exception {
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(args[0]), "changeit".toCharArray());
Validator v = Validator.getInstance
(Validator.TYPE_PKIX, Validator.VAR_GENERIC, ks);
X509Certificate[] chain = createPath(args[1]);
System.out.println("Chain: ");
for (X509Certificate c: v.validate(chain)) {
System.out.println(" " + c.getSubjectX500Principal() +
" issued by " + c.getIssuerX500Principal());
}
}
/**
* Method engineResolvePublicKey
*
* @param element
* @param BaseURI
* @param storage
* @return null if no {@link PublicKey} could be obtained
* @throws KeyResolverException
*/
public PublicKey engineLookupAndResolvePublicKey(
Element element, String baseURI, StorageResolver storage
) throws KeyResolverException {
X509Certificate cert =
this.engineLookupResolveX509Certificate(element, baseURI, storage);
if (cert != null) {
return cert.getPublicKey();
}
return null;
}
/**
* Read certificates from a file.
*
* @param filename file name under resources directory
* @return an array of X509Certificate
* @throws Throwable raise if any error occurs
*/
private List<X509Certificate> getX509CertificatesFromFile(String filename) throws Throwable
{
CertificateFactory fact = CertificateFactory.getInstance("X.509");
List<X509Certificate> certList = new ArrayList<>();
for (Certificate cert : fact.generateCertificates(getFile(filename)))
{
certList.add((X509Certificate) cert);
}
return certList;
}
/**
* Method getSKIBytesFromCert
*
* @param cert
* @return ski bytes from the given certificate
*
* @throws XMLSecurityException
* @see java.security.cert.X509Extension#getExtensionValue(java.lang.String)
*/
public static byte[] getSKIBytesFromCert(X509Certificate cert)
throws XMLSecurityException {
if (cert.getVersion() < 3) {
Object exArgs[] = { Integer.valueOf(cert.getVersion()) };
throw new XMLSecurityException("certificate.noSki.lowVersion", exArgs);
}
/*
* Gets the DER-encoded OCTET string for the extension value
* (extnValue) identified by the passed-in oid String. The oid
* string is represented by a set of positive whole numbers
* separated by periods.
*/
byte[] extensionValue = cert.getExtensionValue(XMLX509SKI.SKI_OID);
if (extensionValue == null) {
throw new XMLSecurityException("certificate.noSki.null");
}
/**
* Strip away first four bytes from the extensionValue
* The first two bytes are the tag and length of the extensionValue
* OCTET STRING, and the next two bytes are the tag and length of
* the ski OCTET STRING.
*/
byte skidValue[] = new byte[extensionValue.length - 4];
System.arraycopy(extensionValue, 4, skidValue, 0, skidValue.length);
if (log.isLoggable(java.util.logging.Level.FINE)) {
log.log(java.util.logging.Level.FINE, "Base64 of SKI is " + Base64.encode(skidValue));
}
return skidValue;
}
private VaultResponseData generateKeyPair(Date startDate, long valid) throws Exception {
CertAndKeyGen certGen = new CertAndKeyGen("RSA", "SHA256WithRSA");
certGen.generate(2048);
X500Name x500Name = new X500Name("CN=Test");
X509Certificate cert = certGen.getSelfCertificate(x500Name, startDate, valid);
byte[] encodedPrivateKey = certGen.getPrivateKey().getEncoded();
byte[] encodedPublicKey = cert.getEncoded();
String privateKeySb = "-----BEGIN PRIVATE KEY-----\n" +
Base64.getMimeEncoder().encodeToString(encodedPrivateKey) +
"\n-----END PRIVATE KEY-----";
String publicKey = "-----BEGIN PUBLIC KEY-----\n" +
Base64.getMimeEncoder().encodeToString(encodedPublicKey) +
"\n-----END PUBLIC KEY-----";
privateKeySb = privateKeySb.replaceAll("\\n", "\\\\n");
privateKeySb = privateKeySb.replaceAll("\\r", "");
publicKey = publicKey.replaceAll("\\n", "\\\\n");
publicKey = publicKey.replaceAll("\\r", "");
VaultResponseData vaultResponseData = new VaultResponseData();
vaultResponseData.setPrivate_key(privateKeySb);
vaultResponseData.setCertificate(publicKey);
return vaultResponseData;
}
/**
* Constructor XMLX509Certificate
*
* @param doc
* @param x509certificate
* @throws XMLSecurityException
*/
public XMLX509Certificate(Document doc, X509Certificate x509certificate)
throws XMLSecurityException {
super(doc);
try {
this.addBase64Text(x509certificate.getEncoded());
} catch (java.security.cert.CertificateEncodingException ex) {
throw new XMLSecurityException("empty", ex);
}
}
public static X509Certificate generateX509FromInputStream(InputStream instr) {
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509", "BCFIPS");
return (X509Certificate) certFactory.generateCertificate(instr);
} catch (CertificateException | NoSuchProviderException ex) {
logp(Level.SEVERE, classname, "generateX509FromBytes", "CRYPTO-MSG-1000", printStackTrace(ex));
}
return null;
}
@Override
public QualifyingProperty verify(
CompleteCertificateRefsData propData,
QualifyingPropertyVerificationContext ctx) throws InvalidPropertyException
{
List<X509Certificate> caCerts = ctx.getCertChainData().getCertificateChain();
caCerts = caCerts.subList(1, caCerts.size());
Collection<CertRef> caCertRefs = propData.getCertRefs();
// "Check that there are no references to certificates out of those that
// are part of the certification path."
for (X509Certificate caCert : caCerts)
{
CertRef caRef = CertRefUtils.findCertRef(caCert, caCertRefs, this.dnComparer);
if (null == caRef)
throw new CompleteCertRefsCertNotFoundException(caCert);
try
{
CertRefUtils.checkCertRef(caRef, caCert, messageDigestProvider);
} catch (CertRefUtils.InvalidCertRefException ex)
{
throw new CompleteCertRefsReferenceException(caCert, caRef, ex.getMessage());
}
}
return new CompleteCertificateRefsProperty(Collections.unmodifiableList(caCerts));
}
public List<X509Certificate> certificates()
throws KeyStoreException, NoSuchAlgorithmException, CertificateException {
final List<X509Certificate> results = Lists.newArrayList();
final KeyStore p12 = loadP12KeyStore(pkcs12File, password);
final Enumeration<String> aliases = p12.aliases();
while (aliases.hasMoreElements()) {
results.add((X509Certificate) p12.getCertificate(aliases.nextElement()));
}
return results;
}