You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by pl...@apache.org on 2016/07/06 02:52:03 UTC
[6/7] directory-kerby git commit: Some fixes for certificate
validation for anon PKINIT
Some fixes for certificate validation for anon PKINIT
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/708456f0
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/708456f0
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/708456f0
Branch: refs/heads/kadmin-remote
Commit: 708456f0405e5e21d9b0b28bbef2fb386b3f214e
Parents: 5c76b64
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jul 5 14:56:56 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Jul 5 14:58:28 2016 +0100
----------------------------------------------------------------------
.../client/preauth/pkinit/PkinitPreauth.java | 4 +-
.../kerb/preauth/pkinit/PkinitCrypto.java | 68 ++++++++++++--------
2 files changed, 43 insertions(+), 29 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/708456f0/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index b47a46f..df4af89 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -372,8 +372,6 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
throw new KrbException("Failed to load PKINIT anchor");
}
- Certificate archorCertificate = PkinitCrypto.changeToCertificate(x509Certificate);
-
CertificateSet certificateSet = signedData.getCertificates();
List<Certificate> certificates = new ArrayList<>();
if (certificateSet != null) {
@@ -383,7 +381,7 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
}
}
try {
- PkinitCrypto.validateChain(certificates, archorCertificate);
+ PkinitCrypto.validateChain(certificates, x509Certificate);
} catch (Exception e) {
throw new KrbException(KrbErrorCode.KDC_ERR_INVALID_CERTIFICATE, e);
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/708456f0/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
index cc09a37..63e3e44 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
@@ -18,6 +18,33 @@
*/
package org.apache.kerby.kerberos.kerb.preauth.pkinit;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.crypto.interfaces.DHPublicKey;
+import javax.crypto.spec.DHParameterSpec;
+import javax.crypto.spec.DHPublicKeySpec;
+
import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
import org.apache.kerby.cms.type.CertificateSet;
import org.apache.kerby.cms.type.DigestAlgorithmIdentifiers;
@@ -36,25 +63,6 @@ import org.apache.kerby.x509.type.DhParameter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.crypto.interfaces.DHPublicKey;
-import javax.crypto.spec.DHParameterSpec;
-import javax.crypto.spec.DHPublicKeySpec;
-import java.io.IOException;
-import java.math.BigInteger;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.KeyFactory;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.X509Certificate;
-import java.security.spec.InvalidKeySpecException;
-import java.util.ArrayList;
-import java.util.List;
-
/**
* Ref. pkinit_crypto_openssl.c in MIT krb5 project.
*/
@@ -329,16 +337,25 @@ public class PkinitCrypto {
* @throws NoSuchAlgorithmException e
* @throws InvalidAlgorithmParameterException e
* @throws CertPathValidatorException e
+ * @throws IOException
*/
- public static void validateChain(List<Certificate> certificateList, Certificate anchor)
+ public static void validateChain(List<Certificate> certificateList, X509Certificate anchor)
throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException,
- InvalidAlgorithmParameterException, CertPathValidatorException {
+ InvalidAlgorithmParameterException, CertPathValidatorException, IOException {
- //TODO
- /*
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
- CertPath certPath = certificateFactory.generatertPath(certificateList);
-
+
+ // Convert into a list of X509Certificates
+ List<X509Certificate> certsList = new ArrayList<>(certificateList.size());
+ for (Certificate cert : certificateList) {
+ X509Certificate parsedCert =
+ (X509Certificate) certificateFactory.generateCertificate(
+ new ByteArrayInputStream(cert.encode()));
+ certsList.add(parsedCert);
+ }
+
+ CertPath certPath = certificateFactory.generateCertPath(certsList);
+
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
TrustAnchor trustAnchor = new TrustAnchor(anchor, null);
@@ -347,7 +364,6 @@ public class PkinitCrypto {
parameters.setRevocationEnabled(false);
cpv.validate(certPath, parameters);
- */
}
/**