下面列出了java.security.KeyStore#getCertificateChain ( ) 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
@Test
public void testCreateKeyStoreFromPems() throws Exception {
String athenzPublicCertPem = Resources.toString(
Resources.getResource("rsa_public_x510_w_intermediate.cert"), StandardCharsets.UTF_8);
String athenzPrivateKeyPem = Resources.toString(
Resources.getResource("unit_test_rsa_private.key"), StandardCharsets.UTF_8);
KeyStore keyStore = Utils.createKeyStoreFromPems(athenzPublicCertPem, athenzPrivateKeyPem);
assertNotNull(keyStore);
String alias = null;
for (Enumeration<?> e = keyStore.aliases(); e.hasMoreElements(); ) {
alias = (String) e.nextElement();
assertEquals(ALIAS_NAME, alias);
}
X509Certificate[] chain = (X509Certificate[]) keyStore.getCertificateChain(alias);
assertNotNull(chain);
assertTrue(chain.length == 2);
}
@Test
public void testCertKeyAndChain() throws Exception {
KeyStore truststore = PEMImporter.loadTrustStore(rootCACert);
KeyStore keystore = PEMImporter.loadKeyStore(pemCert, pemkey, "");
assertEquals(1, keystore.size());
assertTrue(keystore.containsAlias("key"));
assertEquals(1, keystore.getCertificateChain("key").length);
assertEquals(1, truststore.size());
Certificate[] certs = keystore.getCertificateChain("key");
PublicKey publicKey = certs[0].getPublicKey();
PrivateKey privateKey = (PrivateKey) keystore.getKey("key", "".toCharArray());
assertTrue(verifyPubAndPrivKey(publicKey, privateKey));
X509Certificate ca = (X509Certificate) truststore.getCertificate("cn=localhost");
X509Certificate cert = (X509Certificate) keystore.getCertificate("key");
assertTrue(verifyChain(cert, ca));
}
private SigningCredential retrieveSigningCredential(String alias, KeyStore keyStore) {
try {
Certificate[] c = keyStore.getCertificateChain(alias);
if (ArrayUtils.isEmpty(c)) {
throw new IllegalArgumentException("The KeyStore doesn't contain the required key with alias [" + alias + "]");
} else {
X509Certificate[] certificateChain = (X509Certificate[])Arrays.copyOf(c, c.length, X509Certificate[].class);
PrivateKey privateKey = (PrivateKey)keyStore.getKey(alias, (char[])null);
return SigningCredential.create(privateKey, Iterables.newList(certificateChain));
}
} catch (KeyStoreException var6) {
throw new IllegalArgumentException("Given keystore hasn't been initialized", var6);
} catch (NoSuchAlgorithmException var7) {
throw new IllegalStateException("There is a problem with the Security configuration... Check if all the required security providers are correctly registered", var7);
} catch (UnrecoverableKeyException var8) {
throw new IllegalStateException("The private key with alias [" + alias + "] could not be recovered from the given keystore", var8);
}
}
private ApkSigner.SignerConfig loadKeyStore(String keyStoreType, String keyStorePassword) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException {
KeyStore keyStoreEntity = KeyStore.getInstance(keyStoreType == null ? KeyStore.getDefaultType() : keyStoreType);
char[] password = getPassword(keyStorePassword);
keyStoreEntity.load(null, password);
Enumeration<String> aliases = keyStoreEntity.aliases();
String keyAlias = null;
while (aliases != null && aliases.hasMoreElements()) {
String alias = aliases.nextElement();
if (keyStoreEntity.isKeyEntry(alias)) {
keyAlias = alias;
break;
}
}
if (keyAlias == null) {
throw new IllegalArgumentException("Keystore has no key entries!");
}
PrivateKey privateKey = (PrivateKey) keyStoreEntity.getKey(keyAlias, password);
Certificate[] certificates = keyStoreEntity.getCertificateChain(keyAlias);
if (certificates == null || certificates.length == 0) {
throw new IllegalArgumentException("Unable to load certificates!");
}
List<X509Certificate> results = new LinkedList<>();
for (Certificate certificate : certificates) {
results.add((X509Certificate)certificate);
}
return new ApkSigner.SignerConfig.Builder("Signal Signer", privateKey, results).build();
}
private void run(KeyStore inputKeyStore, KeyStore outputKeyStore,
String inKeyPass, String outKeyPass) throws Exception {
Enumeration<String> e = inputKeyStore.aliases();
String alias;
while (e.hasMoreElements()) {
alias = e.nextElement();
Certificate[] certs = inputKeyStore.getCertificateChain(alias);
boolean isCertEntry = inputKeyStore.isCertificateEntry(alias);
// Test KeyStore only contain key pair entries.
if (isCertEntry == true) {
throw new RuntimeException(
"inputKeystore should not be certEntry because test"
+ " keystore only contain key pair entries"
+ " for alias:" + alias);
}
boolean isKeyEntry = inputKeyStore.isKeyEntry(alias);
Key key = null;
if (isKeyEntry) {
key = inputKeyStore.getKey(alias, inKeyPass.toCharArray());
} else {
throw new RuntimeException("Entry type unknown for alias:"
+ alias);
}
outputKeyStore.setKeyEntry(alias, key, outKeyPass.toCharArray(),
certs);
}
}
public DefaultTrustStrategy( KeyStore trustStore ) throws Exception {
/** get all certificates from the trust store **/
Enumeration<String> aliases = trustStore.aliases();
while (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
if (trustStore.isCertificateEntry(alias)) {
/** the alias points to a certificate **/
certificates.add(trustStore.getCertificate(alias));
} else {
/** the alias does not point to a certificate,
* but this may mean that it points to a private-public key pair or a certificate chain
*/
Certificate certificate = trustStore.getCertificate(alias);
if (certificate != null) {
/**
* the certificate was extracted from a private-public key entry
* */
certificates.add(certificate);
} else {
/**
* the alias points to a certificate chain
* */
Certificate[] chain = trustStore.getCertificateChain(alias);
for (Certificate cert : chain) {
certificates.add(cert);
}
}
}
}
}
/**
* Searches a given keystore either for a contract certificate chain or OEM provisioning certificate
* chain, determined by the alias (the alias is associated with the certificate chain and the private
* key).
* However, it may be the case that more than once contract certificate is installed in the EV,
* in which case an OEM specific implementation would need to interact at this point with a HMI in
* order to enable the user to select the certificate which is to be used for contract based charging.
*
* @param evccKeyStore The keystore to check for the respective certificate chain
* @param alias The alias associated with a key entry and certificate chain
* @return The respective certificate chain if present, null otherwise
*/
public static CertificateChainType getCertificateChain(KeyStore evccKeyStore, String alias) {
CertificateChainType certChain = new CertificateChainType();
SubCertificatesType subCertificates = new SubCertificatesType();
try {
Certificate[] certChainArray = evccKeyStore.getCertificateChain(alias);
if (certChainArray == null) {
getLogger().info("No certificate chain found for alias '" + alias + "'");
return null;
}
certChain.setCertificate(certChainArray[0].getEncoded());
for (int i = 1; i < certChainArray.length; i++) {
subCertificates.getCertificate().add(certChainArray[i].getEncoded());
}
certChain.setSubCertificates(subCertificates);
return certChain;
} catch (KeyStoreException | CertificateEncodingException e) {
getLogger().error(e.getClass().getSimpleName() + " occurred while trying to get certificate chain", e);
return null;
}
}
public static Collection<Certificate> getCertificates (KeyStore keyStore) throws KeyStoreException {
Set<Certificate> certs = new HashSet<> ();
for (String alias: Collections.list (keyStore.aliases ())) {
Certificate[] certificateChain = keyStore.getCertificateChain(alias);
if (certificateChain != null) {
certs.addAll(Arrays.asList(certificateChain));
}
certs.add(keyStore.getCertificate(alias));
}
return certs;
}
SunX509KeyManagerImpl(KeyStore ks, char[] password)
throws KeyStoreException,
NoSuchAlgorithmException, UnrecoverableKeyException {
credentialsMap = new HashMap<String,X509Credentials>();
serverAliasCache = Collections.synchronizedMap(
new HashMap<String,String[]>());
if (ks == null) {
return;
}
for (Enumeration<String> aliases = ks.aliases();
aliases.hasMoreElements(); ) {
String alias = aliases.nextElement();
if (!ks.isKeyEntry(alias)) {
continue;
}
Key key = ks.getKey(alias, password);
if (key instanceof PrivateKey == false) {
continue;
}
Certificate[] certs = ks.getCertificateChain(alias);
if ((certs == null) || (certs.length == 0) ||
!(certs[0] instanceof X509Certificate)) {
continue;
}
if (!(certs instanceof X509Certificate[])) {
Certificate[] tmp = new X509Certificate[certs.length];
System.arraycopy(certs, 0, tmp, 0, certs.length);
certs = tmp;
}
X509Credentials cred = new X509Credentials((PrivateKey)key,
(X509Certificate[])certs);
credentialsMap.put(alias, cred);
if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
SSLLogger.fine("found key for : " + alias, (Object[])certs);
}
}
}
/**
* Encrypt a given plain text
*
* @param plainTextBytes The plaintext bytes to be encrypted
* @param cipherTransformation The transformation that need to encrypt. If it is null, RSA is used as default
* @param returnSelfContainedCipherText Create self-contained cipher text if true, return simple encrypted
* ciphertext otherwise.
* @return The cipher text bytes
* @throws org.wso2.micro.core.util.CryptoException On error during encryption
*/
public byte[] encrypt(byte[] plainTextBytes, String cipherTransformation, boolean returnSelfContainedCipherText)
throws org.wso2.micro.core.util.CryptoException {
byte[] encryptedKey;
org.wso2.micro.core.encryption.SymmetricEncryption encryption = org.wso2.micro.core.encryption.SymmetricEncryption
.getInstance();
try {
if (Boolean.valueOf(encryption.getSymmetricKeyEncryptEnabled())) {
encryptedKey = encryption.encryptWithSymmetricKey(plainTextBytes);
} else {
Cipher keyStoreCipher;
KeyStore keyStore;
Certificate[] certs;
org.wso2.micro.core.util.KeyStoreManager keyMan = org.wso2.micro.core.util.KeyStoreManager.getInstance(
Constants.SUPER_TENANT_ID,
this.getServerConfigService());
if (keyMan.getInternalKeyStore() != null) {
keyStore = keyMan.getInternalKeyStore();
certs = keyStore.getCertificateChain(internalKeyStoreAlias);
} else {
keyStore = keyMan.getPrimaryKeyStore();
certs = keyStore.getCertificateChain(primaryKeyStoreAlias);
}
boolean isCipherTransformEnabled = false;
if (cipherTransformation != null) {
if (log.isDebugEnabled()) {
log.debug("Cipher transformation for encryption : " + cipherTransformation);
}
keyStoreCipher = Cipher.getInstance(cipherTransformation, "BC");
isCipherTransformEnabled = true;
} else {
if (log.isDebugEnabled()) {
log.debug("Default Cipher transformation for encryption : RSA");
}
keyStoreCipher = Cipher.getInstance("RSA", "BC");
}
keyStoreCipher.init(Cipher.ENCRYPT_MODE, certs[0].getPublicKey());
if (isCipherTransformEnabled && plainTextBytes.length == 0) {
encryptedKey = "".getBytes();
if (log.isDebugEnabled()) {
log.debug("Empty value for plainTextBytes null will persist to DB");
}
} else {
encryptedKey = keyStoreCipher.doFinal(plainTextBytes);
}
if (isCipherTransformEnabled && returnSelfContainedCipherText) {
encryptedKey = createSelfContainedCiphertext(encryptedKey, cipherTransformation, certs[0]);
}
}
} catch (Exception e) {
throw new org.wso2.micro.core.util.CryptoException("Error during encryption", e);
}
return encryptedKey;
}
private void test(Certificate certs[], String inKeyStorePath,
String userAlias, String outStorePass, String outKeyPass)
throws KeyStoreException, NoSuchProviderException, IOException,
CertificateException, UnrecoverableKeyException,
NoSuchAlgorithmException {
// init output key store
KeyStore outputKeyStore = KeyStore.getInstance("pkcs12", "SunJSSE");
outputKeyStore.load(null, null);
try (FileOutputStream fout = new FileOutputStream(OUT_KEYSTORE)) {
// KeyStore have encoded by Base64.getMimeEncoder().encode(),need
// decode first.
byte[] input = Files.readAllBytes(Paths.get(CERT_PATH,
inKeyStorePath));
ByteArrayInputStream arrayIn = new ByteArrayInputStream(Base64
.getMimeDecoder().decode(input));
// input key store
KeyStore inputKeyStore = KeyStore.getInstance(IN_KEYSTORE_TYPE,
IN_KEYSTORE_PRV);
inputKeyStore.load(arrayIn, IN_STORE_PASS.toCharArray());
// add key/certificate to output key store
Key key = inputKeyStore
.getKey(userAlias, IN_KEY_PASS.toCharArray());
out.println("Input Key Algorithm " + key.getAlgorithm());
out.println("====Input Certs=====");
if (certs == null) {
certs = new Certificate[] { inputKeyStore
.getCertificate(userAlias) };
}
for (Certificate cert : certs) {
out.println(((X509Certificate) cert).getSubjectDN());
}
outputKeyStore.setKeyEntry(userAlias, key,
outKeyPass.toCharArray(), certs);
Certificate retCerts[] = outputKeyStore
.getCertificateChain(userAlias);
out.println("====Output Certs=====");
for (Certificate retCert : retCerts) {
out.println(((X509Certificate) retCert).getSubjectDN());
}
out.println("====Output Key Algorithm=====");
Key outKey = outputKeyStore.getKey(userAlias,
outKeyPass.toCharArray());
out.println(outKey.getAlgorithm());
if (!key.equals(outKey)) {
throw new RuntimeException("key don't match");
}
if (!Arrays.equals(certs, retCerts)) {
throw new RuntimeException("certs don't match");
}
// save output
outputKeyStore.store(fout, outStorePass.toCharArray());
// test output
testKeyStore(outputKeyStore, outKeyPass.toCharArray());
}
}
private void test(Certificate certs[], String inKeyStorePath,
String userAlias, String outStorePass, String outKeyPass)
throws KeyStoreException, NoSuchProviderException, IOException,
CertificateException, UnrecoverableKeyException,
NoSuchAlgorithmException {
// init output key store
KeyStore outputKeyStore = KeyStore.getInstance("pkcs12", "SunJSSE");
outputKeyStore.load(null, null);
try (FileOutputStream fout = new FileOutputStream(OUT_KEYSTORE)) {
// KeyStore have encoded by Base64.getMimeEncoder().encode(),need
// decode first.
byte[] input = Files.readAllBytes(Paths.get(CERT_PATH,
inKeyStorePath));
ByteArrayInputStream arrayIn = new ByteArrayInputStream(Base64
.getMimeDecoder().decode(input));
// input key store
KeyStore inputKeyStore = KeyStore.getInstance(IN_KEYSTORE_TYPE,
IN_KEYSTORE_PRV);
inputKeyStore.load(arrayIn, IN_STORE_PASS.toCharArray());
// add key/certificate to output key store
Key key = inputKeyStore
.getKey(userAlias, IN_KEY_PASS.toCharArray());
out.println("Input Key Algorithm " + key.getAlgorithm());
out.println("====Input Certs=====");
if (certs == null) {
certs = new Certificate[] { inputKeyStore
.getCertificate(userAlias) };
}
for (Certificate cert : certs) {
out.println(((X509Certificate) cert).getSubjectDN());
}
outputKeyStore.setKeyEntry(userAlias, key,
outKeyPass.toCharArray(), certs);
Certificate retCerts[] = outputKeyStore
.getCertificateChain(userAlias);
out.println("====Output Certs=====");
for (Certificate retCert : retCerts) {
out.println(((X509Certificate) retCert).getSubjectDN());
}
out.println("====Output Key Algorithm=====");
Key outKey = outputKeyStore.getKey(userAlias,
outKeyPass.toCharArray());
out.println(outKey.getAlgorithm());
if (!key.equals(outKey)) {
throw new RuntimeException("key don't match");
}
if (!Arrays.equals(certs, retCerts)) {
throw new RuntimeException("certs don't match");
}
// save output
outputKeyStore.store(fout, outStorePass.toCharArray());
// test output
testKeyStore(outputKeyStore, outKeyPass.toCharArray());
}
}
private void testKeyStore(KeyStore inputKeyStore, char[] keypass)
throws KeyStoreException, UnrecoverableKeyException,
NoSuchAlgorithmException {
out.println("========== Key Store ==========");
out.println("getProvider : " + inputKeyStore.getProvider());
out.println("getType : " + inputKeyStore.getType());
out.println("getDefaultType : " + KeyStore.getDefaultType());
int idx = 0;
Enumeration<String> e = inputKeyStore.aliases();
String alias;
while (e.hasMoreElements()) {
alias = e.nextElement();
if (!inputKeyStore.containsAlias(alias)) {
throw new RuntimeException("Alias not found");
}
out.println("Alias " + idx + " : " + alias);
out.println("getCreationDate : "
+ inputKeyStore.getCreationDate(alias));
X509Certificate cert = (X509Certificate) inputKeyStore
.getCertificate(alias);
out.println("getCertificate : " + cert.getSubjectDN());
String retAlias = inputKeyStore.getCertificateAlias(cert);
if (!retAlias.equals(alias)) {
throw new RuntimeException("Alias mismatch, actually "
+ retAlias + ", expected " + alias);
}
out.println("getCertificateAlias : " + retAlias);
Certificate[] certs = inputKeyStore.getCertificateChain(alias);
int i = 0;
for (Certificate certification : certs) {
out.println("getCertificateChain " + i
+ ((X509Certificate) certification).getSubjectDN());
i++;
}
if (inputKeyStore.isCertificateEntry(alias)) {
throw new RuntimeException(
"inputKeystore should not be certEntry because this"
+ " keystore only contain key pair entries.");
}
if (!inputKeyStore.isKeyEntry(alias)) {
throw new RuntimeException("Entry type unknown.");
}
idx++;
}
int size = inputKeyStore.size();
if (idx != size) {
throw new RuntimeException("Size not match, actually " + idx
+ ", expected " + size);
}
}
private void testKeyStore(KeyStore inputKeyStore, char[] keypass)
throws KeyStoreException, UnrecoverableKeyException,
NoSuchAlgorithmException {
out.println("========== Key Store ==========");
out.println("getProvider : " + inputKeyStore.getProvider());
out.println("getType : " + inputKeyStore.getType());
out.println("getDefaultType : " + KeyStore.getDefaultType());
int idx = 0;
Enumeration<String> e = inputKeyStore.aliases();
String alias;
while (e.hasMoreElements()) {
alias = e.nextElement();
if (!inputKeyStore.containsAlias(alias)) {
throw new RuntimeException("Alias not found");
}
out.println("Alias " + idx + " : " + alias);
out.println("getCreationDate : "
+ inputKeyStore.getCreationDate(alias));
X509Certificate cert = (X509Certificate) inputKeyStore
.getCertificate(alias);
out.println("getCertificate : " + cert.getSubjectDN());
String retAlias = inputKeyStore.getCertificateAlias(cert);
if (!retAlias.equals(alias)) {
throw new RuntimeException("Alias mismatch, actually "
+ retAlias + ", expected " + alias);
}
out.println("getCertificateAlias : " + retAlias);
Certificate[] certs = inputKeyStore.getCertificateChain(alias);
int i = 0;
for (Certificate certification : certs) {
out.println("getCertificateChain " + i
+ ((X509Certificate) certification).getSubjectDN());
i++;
}
if (inputKeyStore.isCertificateEntry(alias)) {
throw new RuntimeException(
"inputKeystore should not be certEntry because this"
+ " keystore only contain key pair entries.");
}
if (!inputKeyStore.isKeyEntry(alias)) {
throw new RuntimeException("Entry type unknown.");
}
idx++;
}
int size = inputKeyStore.size();
if (idx != size) {
throw new RuntimeException("Size not match, actually " + idx
+ ", expected " + size);
}
}
private static void test(Provider p, PrivateKeyEntry entry) throws Exception {
PrivateKey key = entry.getPrivateKey();
X509Certificate[] chain = (X509Certificate[])entry.getCertificateChain();
PublicKey publicKey = chain[0].getPublicKey();
System.out.println(toString(key));
sign(p, key, publicKey);
KeyStore ks = KeyStore.getInstance("PKCS11", p);
ks.load(null, null);
if (ks.size() != 0) {
throw new Exception("KeyStore not empty");
}
List<String> aliases;
// test 1: add entry
ks.setKeyEntry(ALIAS1, key, null, chain);
aliases = aliases(ks);
if (aliases.size() != 1) {
throw new Exception("size not 1: " + aliases);
}
if (aliases.get(0).equals(ALIAS1) == false) {
throw new Exception("alias mismatch: " + aliases);
}
PrivateKey key2 = (PrivateKey)ks.getKey(ALIAS1, null);
System.out.println(toString(key2));
X509Certificate[] chain2 =
(X509Certificate[]) ks.getCertificateChain(ALIAS1);
if (Arrays.equals(chain, chain2) == false) {
throw new Exception("chain mismatch");
}
sign(p, key2, publicKey);
ks.deleteEntry(ALIAS1);
if (ks.size() != 0) {
throw new Exception("KeyStore not empty");
}
// test 2: translate to session object, then add entry
KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm(), p);
PrivateKey key3 = (PrivateKey)kf.translateKey(key);
System.out.println(toString(key3));
sign(p, key3, publicKey);
ks.setKeyEntry(ALIAS2, key3, null, chain);
aliases = aliases(ks);
if (aliases.size() != 1) {
throw new Exception("size not 1");
}
if (aliases.get(0).equals(ALIAS2) == false) {
throw new Exception("alias mismatch: " + aliases);
}
PrivateKey key4 = (PrivateKey)ks.getKey(ALIAS2, null);
System.out.println(toString(key4));
X509Certificate[] chain4 = (X509Certificate[])
ks.getCertificateChain(ALIAS2);
if (Arrays.equals(chain, chain4) == false) {
throw new Exception("chain mismatch");
}
sign(p, key4, publicKey);
// test 3: change alias
ks.setKeyEntry(ALIAS3, key3, null, chain);
aliases = aliases(ks);
if (aliases.size() != 1) {
throw new Exception("size not 1");
}
if (aliases.get(0).equals(ALIAS3) == false) {
throw new Exception("alias mismatch: " + aliases);
}
PrivateKey key5 = (PrivateKey)ks.getKey(ALIAS3, null);
System.out.println(toString(key5));
X509Certificate[] chain5 = (X509Certificate[])
ks.getCertificateChain(ALIAS3);
if (Arrays.equals(chain, chain5) == false) {
throw new Exception("chain mismatch");
}
sign(p, key5, publicKey);
ks.deleteEntry(ALIAS3);
if (ks.size() != 0) {
throw new Exception("KeyStore not empty");
}
System.out.println("OK");
}
@Override
public void setTrustStore( String truststoreFile, String truststorePassword ) {
try {
KeyStore trustStore = SslUtils.loadKeystore(truststoreFile, truststorePassword);
List<Certificate> certificates = new ArrayList<Certificate>();
/** get all certificates from the trust store **/
Enumeration<String> aliases = trustStore.aliases();
while (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
if (trustStore.isCertificateEntry(alias)) {
/** the alias points to a certificate **/
certificates.add(trustStore.getCertificate(alias));
} else {
/** the alias does not point to a certificate,
* but this may mean that it points to a private-public key pair or certificate chain
*/
Certificate certificate = trustStore.getCertificate(alias);
if (certificate != null) {
/**
* the certificate was extracted from a private-public key entry
* */
certificates.add(certificate);
} else {
/**
* the alias points to a certificate chain
* */
Certificate[] chain = trustStore.getCertificateChain(alias);
for (Certificate cert : chain) {
certificates.add(cert);
}
}
}
}
trustedServerCertificates = new X509Certificate[certificates.size()];
certificates.toArray(trustedServerCertificates);
} catch (Exception e) {
throw new HttpException("Unable to load all certificates from the trust store", e);
}
}
private static void init() throws Exception {
// first write policy files
PolicyParser pp = new PolicyParser();
pp.read(new StringReader(POLICY_NO_STORE));
pp.write(new FileWriter(NO_STORE_FILE, false));
pp = new PolicyParser();
pp.read(new StringReader(POLICY_URL));
pp.write(new FileWriter(URL_FILE, false));
pp = new PolicyParser();
pp.read(new StringReader(POLICY_URL_T));
pp.write(new FileWriter(URL_T_FILE, false));
pp = new PolicyParser();
pp.read(new StringReader(POLICY_URL_T_P));
pp.write(new FileWriter(URL_T_P_FILE, false));
pp = new PolicyParser();
pp.read(new StringReader(POLICY_URL_PWD));
pp.write(new FileWriter(URL_PWD_FILE, false));
pp = new PolicyParser();
pp.read(new StringReader(POLICY_URL_T_P_PWD));
pp.write(new FileWriter(URL_T_P_PWD_FILE, false));
pp = new PolicyParser();
pp.read(new StringReader(POLICY_BADPASS));
pp.write(new FileWriter(BADPASS_FILE, false));
// next load keystore data to build PD's
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(new FileInputStream
(System.getProperty("test.src", ".") +
File.separatorChar +
"TokenStore.keystore"),
storePassword);
NO_STORE_DOMAIN = new ProtectionDomain
(new CodeSource(new URL("file:/foo"),
(java.security.cert.Certificate[]) null),
null, // perms
null, // class loader
null); // principals
Certificate[] chain = (Certificate[])
ks.getCertificateChain("POLICY_URL");
URL_DOMAIN = new ProtectionDomain
(new CodeSource(new URL("file:/foo"), chain),
null, // perms
null, // class loader
null); // principals
chain = (Certificate[])
ks.getCertificateChain("POLICY_URL_T");
URL_T_DOMAIN = new ProtectionDomain
(new CodeSource(new URL("file:/foo"), chain),
null, // perms
null, // class loader
null); // principals
chain = (Certificate[])
ks.getCertificateChain("POLICY_URL_T_P");
URL_T_P_DOMAIN = new ProtectionDomain
(new CodeSource(new URL("file:/foo"), chain),
null, // perms
null, // class loader
null); // principals
}
private void readTest(String inKeyStore) throws Exception {
KeyStore inputKeyStore;
// Initialize KeyStore
String dir = System.getProperty("test.src", ".");
String keystorePath = dir + File.separator + "certs" + File.separator
+ "readP12";
inputKeyStore = KeyStore
.getInstance(IN_KETYSTORE_TYPE, IN_KEYSTORE_PRV);
// KeyStore have encoded by Base64.getMimeEncoder().encode(),need decode
// first.
byte[] input = Files.readAllBytes(Paths.get(keystorePath, inKeyStore));
ByteArrayInputStream arrayIn = new ByteArrayInputStream(Base64
.getMimeDecoder().decode(input));
inputKeyStore.load(arrayIn, IN_STORE_PASS.toCharArray());
out.println("Initialize KeyStore : " + inKeyStore + " success");
out.println("getProvider : " + inputKeyStore.getProvider());
out.println("getType : " + inputKeyStore.getType());
out.println("getDefaultType : " + KeyStore.getDefaultType());
int idx = 0;
Enumeration<String> e = inputKeyStore.aliases();
String alias;
while (e.hasMoreElements()) {
alias = e.nextElement();
out.println("Alias " + idx + " : " + alias);
if (inputKeyStore.containsAlias(alias) == false) {
throw new RuntimeException("Alias not found");
}
out.println("getCreationDate : "
+ inputKeyStore.getCreationDate(alias));
X509Certificate cert = (X509Certificate) inputKeyStore
.getCertificate(alias);
out.println("getCertificate : " + cert.getSubjectDN());
String retAlias = inputKeyStore.getCertificateAlias(cert);
if (!retAlias.equals(alias)) {
throw new RuntimeException("Alias mismatch");
}
out.println("getCertificateAlias : " + retAlias);
Certificate[] certs = inputKeyStore.getCertificateChain(alias);
for (int i = 0; i < certs.length; i++) {
out.println("getCertificateChain " + i + " : "
+ ((X509Certificate) certs[i]).getSubjectDN());
}
boolean isCertEntry = inputKeyStore.isCertificateEntry(alias);
// test KeyStore only contain key pair entries.
if (isCertEntry == true) {
throw new RuntimeException(
"inputKeystore should not be certEntry because test keystore only contain key pair entries.");
}
boolean isKeyEntry = inputKeyStore.isKeyEntry(alias);
if (isKeyEntry) {
Key key = inputKeyStore.getKey(alias,
IN_STORE_PASS.toCharArray());
out.println("Key : " + key.toString());
} else {
throw new RuntimeException("Entry type unknown\n");
}
idx++;
}
int size = inputKeyStore.size();
if (idx != size) {
throw new RuntimeException("Size not match");
}
}
public static void main(String[] args) throws Exception {
// Prepare a JKS keystore with many entries
new File(JKSFILE).delete();
for (int i=0; i<SIZE; i++) {
System.err.print(".");
String cmd = "-keystore " + JKSFILE
+ " -storepass changeit -keypass changeit -keyalg rsa "
+ "-genkeypair -alias p" + i + " -dname CN=" + i;
sun.security.tools.keytool.Main.main(cmd.split(" "));
}
// Prepare EncryptedPrivateKeyInfo parameters, copied from various
// places in PKCS12KeyStore.java
AlgorithmParameters algParams =
AlgorithmParameters.getInstance("PBEWithSHA1AndDESede");
algParams.init(new PBEParameterSpec("12345678".getBytes(), 1024));
AlgorithmId algid = new AlgorithmId(
new ObjectIdentifier("1.2.840.113549.1.12.1.3"), algParams);
PBEKeySpec keySpec = new PBEKeySpec(PASSWORD);
SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE");
SecretKey skey = skFac.generateSecret(keySpec);
Cipher cipher = Cipher.getInstance("PBEWithSHA1AndDESede");
cipher.init(Cipher.ENCRYPT_MODE, skey, algParams);
// Pre-calculated keys and certs and aliases
byte[][] keys = new byte[SIZE][];
Certificate[][] certChains = new Certificate[SIZE][];
String[] aliases = new String[SIZE];
// Reads from JKS keystore and pre-calculate
KeyStore ks = KeyStore.getInstance("jks");
try (FileInputStream fis = new FileInputStream(JKSFILE)) {
ks.load(fis, PASSWORD);
}
for (int i=0; i<SIZE; i++) {
aliases[i] = "p" + i;
byte[] enckey = cipher.doFinal(
ks.getKey(aliases[i], PASSWORD).getEncoded());
keys[i] = new EncryptedPrivateKeyInfo(algid, enckey).getEncoded();
certChains[i] = ks.getCertificateChain(aliases[i]);
}
// Write into PKCS12 keystore. Use this overloaded version of
// setKeyEntry() to be as fast as possible, so that they would
// have same localKeyId.
KeyStore p12 = KeyStore.getInstance("pkcs12");
p12.load(null, PASSWORD);
for (int i=0; i<SIZE; i++) {
p12.setKeyEntry(aliases[i], keys[i], certChains[i]);
}
try (FileOutputStream fos = new FileOutputStream(P12FILE)) {
p12.store(fos, PASSWORD);
}
// Check private keys still match certs
p12 = KeyStore.getInstance("pkcs12");
try (FileInputStream fis = new FileInputStream(P12FILE)) {
p12.load(fis, PASSWORD);
}
for (int i=0; i<SIZE; i++) {
String a = "p" + i;
X509Certificate x = (X509Certificate)p12.getCertificate(a);
X500Name name = (X500Name)x.getSubjectDN();
if (!name.getCommonName().equals(""+i)) {
throw new Exception(a + "'s cert is " + name);
}
}
}
/**
* Creates a new instance of <CODE>KeyHolder</CODE> using {@link java.security.KeyStore} related parameters.
* @param keyStoreFileName The (absolute) file name of the .keystore file to load the keystore from.
* @param keyStorePassword The (optional) password used to check the integrity of the keystore.
* If given, it is used to check the integrity of the keystore data,
* otherwise, if null, the integrity of the keystore is not checked.
* @param keyAlias The alias name of the key.
* If missing (is null) and if there is only one key in the keystore, will default to it.
* @param keyAliasPassword The password of the alias for recovering the key.
* If missing (is null) will default to <I>keyStorePassword</I>. At least one of the passwords must be provided.
* @param keyStoreType The type of keystore.
* If missing (is null) will default to the keystore type as specified in the Java security properties file,
* or the string "jks" (acronym for "Java keystore") if no such property exists.
* @throws java.security.KeyStoreException Thrown when the <I>keyAlias</I> is specified and not found,
* or is not specified and either no alias is found or more than one is found.
* @see java.security.KeyStore#getDefaultType
* @see java.security.KeyStore#getInstance(String)
* @see java.security.KeyStore#load
* @see java.security.KeyStore#getKey
* @see java.security.KeyStore#getCertificate
*/
public SMIMEKeyHolder(String keyStoreFileName, String keyStorePassword, String keyAlias, String keyAliasPassword, String keyStoreType)
throws KeyStoreException, IOException, NoSuchAlgorithmException, InvalidAlgorithmParameterException,
CertificateException, UnrecoverableKeyException, NoSuchProviderException {
try {
InitJCE.init();
} catch (InstantiationException | IllegalAccessException | ClassNotFoundException e) {
NoSuchProviderException ex = new NoSuchProviderException("Error during cryptography provider initialization. Has bcprov-jdkxx-yyy.jar been copied in the lib directory or installed in the system?");
ex.initCause(e);
throw ex;
}
if (keyStoreType == null) {
keyStoreType = KeyStore.getDefaultType();
}
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(new BufferedInputStream(new FileInputStream(keyStoreFileName)), keyStorePassword.toCharArray());
Enumeration<String> aliases = keyStore.aliases();
if (keyAlias == null) {
if (aliases.hasMoreElements()) {
keyAlias = aliases.nextElement();
} else {
throw new KeyStoreException("No alias was found in keystore.");
}
if (aliases.hasMoreElements()) {
throw new KeyStoreException("No <keyAlias> was given and more than one alias was found in keystore.");
}
}
if (keyAliasPassword == null) {
keyAliasPassword = keyStorePassword;
}
this.privateKey = (PrivateKey) keyStore.getKey(keyAlias, keyAliasPassword.toCharArray());
if (this.privateKey == null) {
throw new KeyStoreException("The \"" + keyAlias + "\" PrivateKey alias was not found in keystore.");
}
this.certificate = (X509Certificate) keyStore.getCertificate(keyAlias);
if (this.certificate == null) {
throw new KeyStoreException("The \"" + keyAlias + "\" X509Certificate alias was not found in keystore.");
}
java.security.cert.Certificate[] certificateChain = keyStore.getCertificateChain(keyAlias);
ArrayList<java.security.cert.Certificate> certList = new ArrayList<>();
if (certificateChain == null) {
certList.add(this.certificate);
} else {
Collections.addAll(certList, certificateChain);
}
// create a CertStore containing the certificates we want carried
// in the signature
this.certStore = CertStore.getInstance("Collection",
new CollectionCertStoreParameters(certList), "BC");
jcaCertStore = new JcaCertStore(certList);
}