You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by pl...@apache.org on 2015/11/10 06:58:44 UTC
directory-kerby git commit: DIRKRB-453 Update bouncycastle version
and fix the compile issues.
Repository: directory-kerby
Updated Branches:
refs/heads/pkinit-support f93049323 -> 4d41c5288
DIRKRB-453 Update bouncycastle version and fix the compile issues.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/4d41c528
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/4d41c528
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/4d41c528
Branch: refs/heads/pkinit-support
Commit: 4d41c5288bea4d1b8ae52d6c1fb95a95fd9f5127
Parents: f930493
Author: plusplusjiajia <ji...@intel.com>
Authored: Tue Nov 10 14:04:51 2015 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Tue Nov 10 14:04:51 2015 +0800
----------------------------------------------------------------------
3rdparty/not-yet-commons-ssl/pom.xml | 2 +-
kerby-kerb/kerb-client-api-all/pom.xml | 4 +-
kerby-kerb/kerb-client/pom.xml | 9 +-
.../preauth/pkinit/EnvelopedDataEngine.java | 64 ++++-------
.../client/preauth/pkinit/SignedDataEngine.java | 111 +++++++++++--------
.../pkinit/certs/EndEntityGenerator.java | 35 ++++--
.../pkinit/certs/IntermediateCaGenerator.java | 21 +++-
.../pkinit/certs/TrustAnchorGenerator.java | 22 +++-
.../preauth/pkinit/EnvelopedDataEngineTest.java | 11 +-
9 files changed, 159 insertions(+), 120 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/3rdparty/not-yet-commons-ssl/pom.xml
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/pom.xml b/3rdparty/not-yet-commons-ssl/pom.xml
index d11c2e2..401aaf3 100644
--- a/3rdparty/not-yet-commons-ssl/pom.xml
+++ b/3rdparty/not-yet-commons-ssl/pom.xml
@@ -75,7 +75,7 @@
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-ext-jdk15on</artifactId>
- <version>1.51</version>
+ <version>1.52</version>
<scope>test</scope>
</dependency>
<dependency>
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client-api-all/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client-api-all/pom.xml b/kerby-kerb/kerb-client-api-all/pom.xml
index 0ac4115..30bd6f6 100644
--- a/kerby-kerb/kerb-client-api-all/pom.xml
+++ b/kerby-kerb/kerb-client-api-all/pom.xml
@@ -56,8 +56,8 @@
<exclude>org.slf4j:slf4j-api</exclude>
<exclude>org.slf4j:slf4j-log4j12</exclude>
<exclude>org.apache.kerby:kerby-asn1</exclude>
- <exclude>org.bouncycastle:bcprov-jdk15</exclude>
- <exclude>org.bouncycastle:bcmail-jdk15</exclude>
+ <exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
+ <exclude>org.bouncycastle:bcprov-jdk15on</exclude>
</excludes>
</artifactSet>
</configuration>
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/pom.xml b/kerby-kerb/kerb-client/pom.xml
index 7834211..5bbc680 100644
--- a/kerby-kerb/kerb-client/pom.xml
+++ b/kerby-kerb/kerb-client/pom.xml
@@ -48,13 +48,8 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15</artifactId>
- <version>1.45</version>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcmail-jdk15</artifactId>
- <version>1.38</version>
+ <artifactId>bcpkix-jdk15on</artifactId>
+ <version>1.52</version>
</dependency>
</dependencies>
</project>
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java
index 1daa6a5..2ace97b 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java
@@ -19,30 +19,27 @@
*/
package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
-
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
+import org.bouncycastle.cms.CMSAlgorithm;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
-import org.bouncycastle.cms.KeyTransRecipientInformation;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.RecipientInformationStore;
+import org.bouncycastle.cms.bc.BcCMSContentEncryptorBuilder;
+import org.bouncycastle.cms.bc.BcRSAKeyTransEnvelopedRecipient;
+import org.bouncycastle.cms.bc.BcRSAKeyTransRecipientInfoGenerator;
+import org.bouncycastle.crypto.util.PrivateKeyFactory;
import java.io.IOException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
import java.security.PrivateKey;
-import java.security.cert.CertStore;
-import java.security.cert.CertStoreException;
-import java.security.cert.Certificate;
-import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
-import java.util.Collections;
import java.util.Iterator;
-
/**
* Encapsulates working with PKINIT enveloped data structures.
*
@@ -62,19 +59,19 @@ public class EnvelopedDataEngine {
* @param dataToEnvelope
* @param certificate
* @return The EnvelopedData bytes.
- * @throws NoSuchAlgorithmException
* @throws IOException
* @throws CMSException
- * @throws NoSuchProviderException
+ * @throws CertificateEncodingException
*/
public static byte[] getEnvelopedReplyKeyPack(byte[] dataToEnvelope, X509Certificate certificate)
- throws NoSuchAlgorithmException, IOException, CMSException, NoSuchProviderException {
+ throws IOException, CMSException, CertificateEncodingException {
CMSProcessableByteArray content = new CMSProcessableByteArray(dataToEnvelope);
- String algorithm = CMSEnvelopedDataGenerator.DES_EDE3_CBC;
CMSEnvelopedDataGenerator envelopeGenerator = new CMSEnvelopedDataGenerator();
- envelopeGenerator.addKeyTransRecipient(certificate);
- CMSEnvelopedData envdata = envelopeGenerator.generate(content, algorithm, "BC");
+ envelopeGenerator.addRecipientInfoGenerator(new BcRSAKeyTransRecipientInfoGenerator(
+ new JcaX509CertificateHolder(certificate)));
+ CMSEnvelopedData envdata = envelopeGenerator.generate(content,
+ new BcCMSContentEncryptorBuilder(CMSAlgorithm.DES_EDE3_CBC).build());
return envdata.getEncoded();
}
@@ -85,41 +82,28 @@ public class EnvelopedDataEngine {
* returns the recovered (decrypted) data bytes.
*
* @param envelopedDataBytes
- * @param certificate
* @param privateKey
* @return The recovered (decrypted) data bytes.
- * @throws NoSuchProviderException
- * @throws InvalidAlgorithmParameterException
+ * @throws IOException
* @throws CMSException
- * @throws NoSuchAlgorithmException
- * @throws CertStoreException
*/
@SuppressWarnings("unchecked")
- public static byte[] getUnenvelopedData(byte[] envelopedDataBytes, X509Certificate certificate,
- PrivateKey privateKey)
- throws NoSuchProviderException, InvalidAlgorithmParameterException, CMSException,
- NoSuchAlgorithmException, CertStoreException {
+ public static byte[] getUnenvelopedData(byte[] envelopedDataBytes,
+ PrivateKey privateKey) throws CMSException, IOException {
CMSEnvelopedData envelopedData = new CMSEnvelopedData(envelopedDataBytes);
// Set up to iterate through the recipients.
RecipientInformationStore recipients = envelopedData.getRecipientInfos();
- CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Collections
- .singleton(certificate)), "BC");
- Iterator<RecipientInformation> it = recipients.getRecipients().iterator();
+ Collection c = recipients.getRecipients();
+ Iterator it = c.iterator();
+ byte[] recData = new byte[0];
while (it.hasNext()) {
- RecipientInformation recipient = it.next();
- if (recipient instanceof KeyTransRecipientInformation) {
- // Match the recipient ID.
- Collection<? extends Certificate> matches = certStore.getCertificates(recipient.getRID());
+ RecipientInformation recipient = (RecipientInformation) it.next();
- if (!matches.isEmpty()) {
- // Decrypt the data.
- return recipient.getContent(privateKey, "BC");
- }
- }
+ recData = recipient.getContent(new BcRSAKeyTransEnvelopedRecipient(
+ PrivateKeyFactory.createKey(PrivateKeyInfo.getInstance(privateKey.getEncoded()))));
}
-
- return new byte[0];
+ return recData;
}
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java
index 15fa6ec..c245579 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java
@@ -19,31 +19,39 @@
*/
package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
-
import org.apache.kerby.kerberos.kerb.spec.pa.pkinit.AuthPack;
import org.apache.kerby.kerberos.kerb.spec.pa.pkinit.KdcDHKeyInfo;
import org.apache.kerby.kerberos.kerb.spec.pa.pkinit.ReplyKeyPack;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
-import org.bouncycastle.cms.CMSSignedGenerator;
+import org.bouncycastle.cms.CMSTypedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
+import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
+import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
+import org.bouncycastle.util.Store;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
-import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
-import java.security.cert.Certificate;
-import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.Collection;
-import java.util.Collections;
import java.util.Iterator;
+import java.util.List;
/**
@@ -81,7 +89,7 @@ public class SignedDataEngine {
*/
public static byte[] getSignedAuthPack(PrivateKey privateKey, X509Certificate certificate, AuthPack authPack)
throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException,
- CertStoreException, CMSException, IOException {
+ CertStoreException, CMSException, IOException, OperatorCreationException, CertificateEncodingException {
return getSignedData(privateKey, certificate, authPack.encode(), ID_PKINIT_AUTHDATA);
}
@@ -111,7 +119,8 @@ public class SignedDataEngine {
public static byte[] getSignedKdcDhKeyInfo(PrivateKey privateKey, X509Certificate certificate,
KdcDHKeyInfo kdcDhKeyInfo)
throws NoSuchAlgorithmException, NoSuchProviderException,
- InvalidAlgorithmParameterException, CertStoreException, CMSException, IOException {
+ InvalidAlgorithmParameterException, CertStoreException, CMSException, IOException,
+ OperatorCreationException, CertificateEncodingException {
return getSignedData(privateKey, certificate, kdcDhKeyInfo.encode(), ID_PKINIT_DHKEYDATA);
}
@@ -140,66 +149,72 @@ public class SignedDataEngine {
public static byte[] getSignedReplyKeyPack(PrivateKey privateKey, X509Certificate certificate,
ReplyKeyPack replyKeyPack)
throws NoSuchAlgorithmException, NoSuchProviderException,
- InvalidAlgorithmParameterException, CertStoreException, CMSException, IOException {
+ InvalidAlgorithmParameterException, CertStoreException, CMSException, IOException,
+ OperatorCreationException, CertificateEncodingException {
return getSignedData(privateKey, certificate, replyKeyPack.encode(), ID_PKINIT_RKEYDATA);
}
static byte[] getSignedData(PrivateKey privateKey, X509Certificate certificate, byte[] dataToSign,
String eContentType) throws NoSuchAlgorithmException, NoSuchProviderException,
- InvalidAlgorithmParameterException, CertStoreException, CMSException, IOException {
- CMSSignedDataGenerator signedGenerator = new CMSSignedDataGenerator();
- signedGenerator.addSigner(privateKey, certificate, CMSSignedGenerator.DIGEST_SHA1);
-
- Collection<X509Certificate> certList = Collections.singletonList(certificate);
-
- CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList), "BC");
- signedGenerator.addCertificatesAndCRLs(certStore);
-
- CMSProcessableByteArray cmsByteArray = new CMSProcessableByteArray(dataToSign);
- CMSSignedData signedData = signedGenerator.generate(eContentType, cmsByteArray, true, "BC");
-
- return signedData.getEncoded();
+ InvalidAlgorithmParameterException, CertStoreException, CMSException, IOException,
+ CertificateEncodingException, OperatorCreationException {
+
+ List certList = new ArrayList();
+ certList.add(certificate);
+ Store certs = new JcaCertStore(certList);
+
+ CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
+ ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC")
+ .build(privateKey);
+ gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
+ new JcaDigestCalculatorProviderBuilder().setProvider("BC").build())
+ .build(contentSigner, certificate));
+ gen.addCertificates(certs);
+
+ ASN1ObjectIdentifier asn1ObjectIdentifier = new ASN1ObjectIdentifier(eContentType);
+ CMSTypedData msg = new CMSProcessableByteArray(asn1ObjectIdentifier, dataToSign);
+ CMSSignedData s = gen.generate(msg, true);
+
+ return s.getEncoded();
}
-
/**
* Validates a CMS SignedData using the public key corresponding to the private
* key used to sign the structure.
*
- * @param signedData
+ * @param s
* @return true if the signature is valid.
* @throws Exception
*/
- @SuppressWarnings("unchecked")
- public static boolean validateSignedData(CMSSignedData signedData) throws Exception {
- CertStore certs = signedData.getCertificatesAndCRLs("Collection", "BC");
+ public static boolean validateSignedData(CMSSignedData s) throws Exception {
- SignerInformationStore signers = signedData.getSignerInfos();
- Collection<SignerInformation> c = signers.getSigners();
- Iterator<SignerInformation> it = c.iterator();
+ Store certStore = s.getCertificates();
+ Store crlStore = s.getCRLs();
+ SignerInformationStore signers = s.getSignerInfos();
+
+ Collection c = signers.getSigners();
+ Iterator it = c.iterator();
while (it.hasNext()) {
- final SignerInformation signer = it.next();
-
- Collection<? extends Certificate> certCollection = certs.getCertificates(signer.getSID());
- /*Collection<? extends Certificate> certCollection = certs
- .getCertificates(new CertSelector() {
- @Override
- public boolean match(Certificate cert) {
- return false; // check cert and signer
- }
- });
- */
- Iterator<? extends Certificate> certIt = certCollection.iterator();
-
- X509Certificate cert = (X509Certificate) certIt.next();
-
- if (signer.verify(cert.getPublicKey(), "BC")) {
- return true;
+ SignerInformation signer = (SignerInformation) it.next();
+ Collection certCollection = certStore.getMatches(signer.getSID());
+
+ Iterator certIt = certCollection.iterator();
+ X509CertificateHolder cert = (X509CertificateHolder) certIt.next();
+
+ if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) {
+ return false;
}
}
- return false;
+ Collection certColl = certStore.getMatches(null);
+ Collection crlColl = crlStore.getMatches(null);
+
+ if (certColl.size() != s.getCertificates().getMatches(null).size()
+ || crlColl.size() != s.getCRLs().getMatches(null).size()) {
+ return false;
+ }
+ return true;
}
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java
index e51b8d7..2d6d8d7 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java
@@ -28,16 +28,20 @@ import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.GeneralNamesBuilder;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.crypto.DataLengthException;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA1Digest;
import org.bouncycastle.jce.PrincipalUtil;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
-import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
import java.math.BigInteger;
import java.security.InvalidKeyException;
@@ -129,7 +133,7 @@ public class EndEntityGenerator {
certGen
.addExtension(X509Extensions.SubjectKeyIdentifier, false,
- new SubjectKeyIdentifierStructure(publicKey));
+ new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
// MAY set BasicConstraints=false or not at all.
certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
@@ -155,12 +159,15 @@ public class EndEntityGenerator {
String dnsName = "localhost";
- ASN1EncodableVector sanVector = new ASN1EncodableVector();
- sanVector.add(new GeneralName(GeneralName.otherName, pkinitSan));
- sanVector.add(new GeneralName(GeneralName.dNSName, dnsName));
- DERSequence san = new DERSequence(sanVector);
+ GeneralName name1 = new GeneralName(GeneralName.otherName, pkinitSan);
+ GeneralName name2 = new GeneralName(GeneralName.dNSName, dnsName);
- GeneralNames sanGeneralNames = new GeneralNames(san);
+ GeneralNamesBuilder genNamesBuilder = new GeneralNamesBuilder();
+
+ genNamesBuilder.addName(name1);
+ genNamesBuilder.addName(name2);
+
+ GeneralNames sanGeneralNames = genNamesBuilder.build();
certGen.addExtension(X509Extensions.SubjectAlternativeName, true, sanGeneralNames);
@@ -247,9 +254,19 @@ public class EndEntityGenerator {
PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert;
bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
- bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, new SubjectKeyIdentifierStructure(
- publicKey));
+ bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
+ new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
return cert;
}
+
+ private static byte[] getDigest(SubjectPublicKeyInfo spki) {
+ Digest digest = new SHA1Digest();
+ byte[] resBuf = new byte[digest.getDigestSize()];
+
+ byte[] bytes = spki.getPublicKeyData().getBytes();
+ digest.update(bytes, 0, bytes.length);
+ digest.doFinal(resBuf, 0);
+ return resBuf;
+ }
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java
index 27c8c9e..bd8ba2e 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java
@@ -24,14 +24,17 @@ import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.crypto.DataLengthException;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA1Digest;
import org.bouncycastle.jce.PrincipalUtil;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
-import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
import java.math.BigInteger;
import java.security.InvalidKeyException;
@@ -94,7 +97,7 @@ public class IntermediateCaGenerator {
certGen
.addExtension(X509Extensions.SubjectKeyIdentifier, false,
- new SubjectKeyIdentifierStructure(publicKey));
+ new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0));
@@ -109,9 +112,19 @@ public class IntermediateCaGenerator {
PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert;
bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
- bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, new SubjectKeyIdentifierStructure(
- publicKey));
+ bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
+ new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
return cert;
}
+
+ private static byte[] getDigest(SubjectPublicKeyInfo spki) {
+ Digest digest = new SHA1Digest();
+ byte[] resBuf = new byte[digest.getDigestSize()];
+
+ byte[] bytes = spki.getPublicKeyData().getBytes();
+ digest.update(bytes, 0, bytes.length);
+ digest.doFinal(resBuf, 0);
+ return resBuf;
+ }
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java
index 80ce1ef..5e8bbc7 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java
@@ -23,12 +23,15 @@ import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.crypto.DataLengthException;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA1Digest;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
import org.bouncycastle.x509.X509V3CertificateGenerator;
-import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
import java.math.BigInteger;
import java.security.InvalidKeyException;
@@ -89,7 +92,8 @@ public class TrustAnchorGenerator {
certGen.setSignatureAlgorithm("SHA1WithRSAEncryption");
certGen
- .addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey));
+ .addExtension(X509Extensions.SubjectKeyIdentifier, false,
+ new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(1));
@@ -101,9 +105,19 @@ public class TrustAnchorGenerator {
PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert;
bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
- bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, new SubjectKeyIdentifierStructure(
- publicKey));
+ bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
+ new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
return cert;
}
+
+ private static byte[] getDigest(SubjectPublicKeyInfo spki) {
+ Digest digest = new SHA1Digest();
+ byte[] resBuf = new byte[digest.getDigestSize()];
+
+ byte[] bytes = spki.getPublicKeyData().getBytes();
+ digest.update(bytes, 0, bytes.length);
+ digest.doFinal(resBuf, 0);
+ return resBuf;
+ }
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java b/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java
index e1a8083..7913058 100644
--- a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java
+++ b/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java
@@ -27,7 +27,6 @@ import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.FileInputStream;
-import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
@@ -78,8 +77,10 @@ public class EnvelopedDataEngineTest extends TestCase {
public void testEnvelopedData() throws Exception {
byte[] dataToEnvelope = "Hello".getBytes();
- byte[] envelopedDataBytes = EnvelopedDataEngine.getEnvelopedReplyKeyPack(dataToEnvelope, certificate);
- byte[] unenvelopedData = EnvelopedDataEngine.getUnenvelopedData(envelopedDataBytes, certificate, privateKey);
+ byte[] envelopedDataBytes = EnvelopedDataEngine.getEnvelopedReplyKeyPack(
+ dataToEnvelope, certificate);
+ byte[] unenvelopedData = EnvelopedDataEngine.getUnenvelopedData(
+ envelopedDataBytes, privateKey);
assertTrue(Arrays.equals(dataToEnvelope, unenvelopedData));
}
@@ -94,8 +95,8 @@ public class EnvelopedDataEngineTest extends TestCase {
void getCaFromFile(String caFile, String caPassword, String caAlias) throws KeyStoreException,
- NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException,
- UnrecoverableKeyException, InvalidKeyException, SignatureException, NoSuchProviderException {
+ UnrecoverableKeyException, NoSuchAlgorithmException, IOException, CertificateException,
+ NoSuchProviderException, InvalidKeyException, SignatureException {
// Open the keystore.
KeyStore caKs = KeyStore.getInstance("PKCS12");
caKs.load(new FileInputStream(new File(caFile)), caPassword.toCharArray());