Java Code Examples for org.bouncycastle.asn1.ASN1ObjectIdentifier#fromByteArray()

The following examples show how to use org.bouncycastle.asn1.ASN1ObjectIdentifier#fromByteArray() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: SFTrustManager.java    From snowflake-jdbc with Apache License 2.0 5 votes vote down vote up
/**
 * Decodes OCSP Response Cache key from JSON
 *
 * @param elem A JSON element
 * @return OcspResponseCacheKey object
 */
private static SFPair<OcspResponseCacheKey, SFPair<Long, String>>
decodeCacheFromJSON(Map.Entry<String, JsonNode> elem) throws IOException
{
  long currentTimeSecond = new Date().getTime() / 1000;
  byte[] certIdDer = Base64.decodeBase64(elem.getKey());
  DLSequence rawCertId = (DLSequence) ASN1ObjectIdentifier.fromByteArray(certIdDer);
  ASN1Encodable[] rawCertIdArray = rawCertId.toArray();
  byte[] issuerNameHashDer = ((DEROctetString) rawCertIdArray[1]).getEncoded();
  byte[] issuerKeyHashDer = ((DEROctetString) rawCertIdArray[2]).getEncoded();
  BigInteger serialNumber = ((ASN1Integer) rawCertIdArray[3]).getValue();

  OcspResponseCacheKey k = new OcspResponseCacheKey(
      issuerNameHashDer, issuerKeyHashDer, serialNumber);

  JsonNode ocspRespBase64 = elem.getValue();
  if (!ocspRespBase64.isArray() || ocspRespBase64.size() != 2)
  {
    LOGGER.debug("Invalid cache file format. Ignored");
    return null;
  }
  long producedAt = ocspRespBase64.get(0).asLong();
  String ocspResp = ocspRespBase64.get(1).asText();

  if (currentTimeSecond - CACHE_EXPIRATION_IN_SECONDS <= producedAt)
  {
    // add cache
    return SFPair.of(k, SFPair.of(producedAt, ocspResp));
  }
  else
  {
    // delete cache
    return SFPair.of(k, SFPair.of(producedAt, null));
  }
}
 
Example 2
Source File: GPData.java    From GlobalPlatformPro with GNU Lesser General Public License v3.0 5 votes vote down vote up
public static String oid2string(byte[] oid) {
    try {
        // Prepend 0x06 tag, if not present
        // XXX: if ber-tlv allows to fetch constructed data, this is not needed
        if (oid[0] != 0x06) {
            oid = GPUtils.concatenate(new byte[]{0x06, (byte) oid.length}, oid);
        }
        ASN1ObjectIdentifier realoid = (ASN1ObjectIdentifier) ASN1ObjectIdentifier.fromByteArray(oid);
        if (realoid == null)
            throw new IllegalArgumentException("Could not parse OID from " + HexUtils.bin2hex(oid));
        return realoid.toString();
    } catch (IOException e) {
        throw new IllegalArgumentException("Could not handle " + HexUtils.bin2hex(oid));
    }
}
 
Example 3
Source File: SFTrustManager.java    From snowflake-jdbc with Apache License 2.0 4 votes vote down vote up
private boolean processOCSPBypassSSD(String ocsp_ssd, OcspResponseCacheKey cid, String hostname)
{
  try
  {
    /*
     * Get unverified part of the JWT to extract issuer.
     */
    SignedJWT jwt_unverified = SignedJWT.parse(ocsp_ssd);
    String jwt_issuer = (String) jwt_unverified.getHeader().getCustomParam("ssd_iss");
    String ssd_pubKey;

    if (jwt_issuer.equals("dep1"))
    {
      ssd_pubKey = ssdManager.getPubKey("dep1");
    }
    else
    {
      ssd_pubKey = ssdManager.getPubKey("dep2");
    }

    String publicKeyContent =
        ssd_pubKey.replaceAll("\\n", "").replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "");
    KeyFactory kf = KeyFactory.getInstance("RSA");
    X509EncodedKeySpec keySpecX509 = new X509EncodedKeySpec(Base64.decodeBase64(publicKeyContent));
    RSAPublicKey rsaPubKey = (RSAPublicKey) kf.generatePublic(keySpecX509);

    /*
     * Verify signature of the JWT Token
     * Verify time validity of the JWT Token (API does not do this)
     */
    SignedJWT jwt_token_verified = SignedJWT.parse(ocsp_ssd);
    JWSVerifier jwsVerifier = new RSASSAVerifier(rsaPubKey);
    if (jwt_token_verified.verify(jwsVerifier))
    {
      String sfc_endpoint = jwt_token_verified.getJWTClaimsSet().getStringClaim("sfcEndpoint");
      String jwt_certid = jwt_token_verified.getJWTClaimsSet().getStringClaim("certId");
      Date jwt_nbf = jwt_token_verified.getJWTClaimsSet().getNotBeforeTime();
      Date jwt_exp = jwt_token_verified.getJWTClaimsSet().getExpirationTime();

      long current_ts = System.currentTimeMillis();
      if (current_ts < jwt_exp.getTime() && current_ts >= jwt_nbf.getTime())
      {
        if (!sfc_endpoint.equals("*"))
        {
          /*
           * In case there are multiple hostnames
           * associated to the same account. The
           * code expects a space separated list
           * of all hostnames associated with this
           * account in sfcEndpoint field
           */

          String[] splitString = sfc_endpoint.split("\\s+");

          for (String s : splitString)
          {
            if (s.equals(hostname))
            {
              return true;
            }
          }
          return false;
        }
        /*
         * No In Band token can have > 7 days validity
         */
        if (jwt_exp.getTime() - jwt_nbf.getTime() > (7 * 24 * 60 * 60 * 1000))
        {
          return false;
        }
        byte[] jwt_certid_dec = Base64.decodeBase64(jwt_certid);
        DLSequence jwt_rawCertId = (DLSequence) ASN1ObjectIdentifier.fromByteArray(jwt_certid_dec);
        ASN1Encodable[] jwt_rawCertIdArray = jwt_rawCertId.toArray();
        byte[] issuerNameHashDer = ((DEROctetString) jwt_rawCertIdArray[1]).getEncoded();
        byte[] issuerKeyHashDer = ((DEROctetString) jwt_rawCertIdArray[2]).getEncoded();
        BigInteger serialNumber = ((ASN1Integer) jwt_rawCertIdArray[3]).getValue();

        OcspResponseCacheKey k = new OcspResponseCacheKey(
            issuerNameHashDer, issuerKeyHashDer, serialNumber);

        if (k.equals(cid))
        {
          LOGGER.debug("Found a Signed OCSP Bypass SSD for ceri id {}", cid);
          return true;
        }
        LOGGER.debug("Found invalid OCSP bypass for cert id {}", cid);
        return false;
      }
    }
    return false;
  }
  catch (Throwable ex)
  {
    LOGGER.debug("Failed to parse JWT Token, aborting");
    return false;
  }
}