Example #1
Source File: From webauthn4j with Apache License 2.0 | 7 votes |
/**
 * Checks the TPM attestation statement's x5c certificate: verifies {@code sig} over
 * {@code certInfo} with the AIK certificate's public key, then compares the optional
 * id-fido-gen-ce-aaguid extension of the AIK certificate with the AAGUID reported in
 * {@code authenticatorData}.
 *
 * @param attestationStatement TPM attestation statement carrying x5c, alg and sig
 * @param certInfo the TPMS_ATTEST structure the signature covers
 * @param authenticatorData authenticator data whose attested-credential AAGUID is compared
 * @throws BadAttestationStatementException if the signature is invalid, cannot be verified,
 *         or the certificate's AAGUID extension disagrees with authenticatorData
 */
private void validateX5c(TPMAttestationStatement attestationStatement, TPMSAttest certInfo, AuthenticatorData<RegistrationExtensionAuthenticatorOutput<?>> authenticatorData) {
X509Certificate aikCert = attestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate();
/// Verify the sig is a valid signature over certInfo using the attestation public key in aikCert with the algorithm specified in alg.
String jcaName = getJcaName(attestationStatement.getAlg());
Signature certInfoSignature = SignatureUtil.createSignature(jcaName);
// NOTE(review): the initVerify(aikCert.getPublicKey()) / update(certInfo bytes) calls are not
// visible in this excerpt; Signature.verify() without a preceding initVerify() throws
// SignatureException, which the catch below maps to BadAttestationStatementException.
try {
if (!certInfoSignature.verify(attestationStatement.getSig())) {
throw new BadAttestationStatementException("hash of certInfo doesn't match with sig.");
} catch (SignatureException | InvalidKeyException e) {
throw new BadAttestationStatementException("Failed to validate the signature.", e);
/// Verify that aikCert meets the requirements in §8.3.1 TPM Attestation Statement Certificate Requirements.
/// If aikCert contains an extension with OID 1 3 6 1 4 1 45724 1 1 4 (id-fido-gen-ce-aaguid) verify that the value of this extension matches the aaguid in authenticatorData.
// X509Extension.getExtensionValue returns the DER-encoded OCTET STRING wrapper, not the bare
// 16-byte AAGUID. NOTE(review): unless AAGUID(byte[]) strips that wrapper, this comparison can
// never match a genuine authenticator AAGUID and every certificate carrying the extension is
// rejected — confirm how AAGUID(byte[]) decodes its input.
byte[] aaguidBytes = aikCert.getExtensionValue(ID_FIDO_GEN_CE_AAGUID);
if (aaguidBytes != null && !Objects.equals(new AAGUID(aaguidBytes), authenticatorData.getAttestedCredentialData().getAaguid())) {
throw new BadAttestationStatementException("AAGUID in aikCert doesn't match with that in authenticatorData");
Example #2
Source File: From tessera with Apache License 2.0 | 6 votes |
/**
 * Trust-on-first-use with a fingerprint file the process cannot write: both the
 * server and the client check must surface a CertificateException instead of
 * silently trusting a certificate whose fingerprint could not be persisted.
 */
@Test
public void testAddFingerPrintFailedToWrite() throws CertificateException, IOException {
    Path unwritableFile = Paths.get(tmpDir.getRoot().getPath(), "notWritable");
    Files.createFile(unwritableFile);
    // Owner read-only (r--------): the manager's attempt to record the fingerprint must fail.
    Files.setPosixFilePermissions(unwritableFile, PosixFilePermissions.fromString("r--------"));
    trustManager = new TrustOnFirstUseManager(unwritableFile);

    X509Certificate peerCert = mock(X509Certificate.class);
    when(peerCert.getEncoded()).thenReturn("certificate".getBytes(UTF_8));
    X500Principal subject = new X500Principal("CN=localhost");
    when(peerCert.getSubjectX500Principal()).thenReturn(subject);

    try {
        trustManager.checkServerTrusted(new X509Certificate[]{peerCert}, "s");
        trustManager.checkClientTrusted(new X509Certificate[]{peerCert}, "s");
        failBecauseExceptionWasNotThrown(CertificateException.class);
    } catch (Exception ex) {
        assertThat(ex).isInstanceOf(CertificateException.class);
    }
}
Example #3
Source File: From freehealth-connector with GNU Affero General Public License v3.0 | 6 votes |
/**
 * Looks up the encryption token (ETK) that belongs to a certificate, keyed by the
 * identifier type, numeric identifier value and application parsed from it.
 *
 * @param cert certificate from which identifier type, identifier value and application are parsed
 * @return the ETK for (identifierType, identifierValue, application)
 * @throws TechnicalConnectorException ERROR_ETK_NOTFOUND when the certificate has no identifier
 *         type, an empty or non-numeric identifier value, or a value that does not fit a long
 */
private EncryptionToken getEtkBasedOnX509(X509Certificate cert) throws TechnicalConnectorException {
CertificateParser parser = new CertificateParser(cert);
IdentifierType identifierType = parser.getIdentifier();
String identifierValue = parser.getId();
String application = parser.getApplication();
// Only a non-empty, all-digit identifier is looked up. The digit check says nothing about
// length, so Long.parseLong can still fail on overflow — that is what the catch below handles.
if (identifierType != null && !StringUtils.isEmpty(identifierValue) && StringUtils.isNumeric(identifierValue)) {
try {
return this.getEtk(identifierType, Long.parseLong(identifierValue), application);
} catch (NumberFormatException var7) {
// Same error code as the "no identifier" case; the parse failure is kept as the cause.
throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_ETK_NOTFOUND, var7, new Object[0]);
} else {
throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_ETK_NOTFOUND, new Object[0]);
Example #4
Source File: From freehealth-connector with GNU Affero General Public License v3.0 | 6 votes |
/**
 * Calls the TS consult service with the given client credentials and returns its response.
 *
 * @param certificate client certificate handed to ServiceFactory.getTSConsultService
 * @param privateKey private key handed to ServiceFactory.getTSConsultService alongside the certificate
 * @param consultRequest the consult request (type C); its use is not visible in this excerpt
 * @return the service response (type D)
 * @throws TechnicalConnectorException SECURITY_NO_CERTIFICATE when certificate or privateKey is null,
 *         ERROR_WS when the SOAP exchange fails
 */
protected D obtainCompleteness(X509Certificate certificate, PrivateKey privateKey, C consultRequest) throws TechnicalConnectorException {
if (certificate != null && privateKey != null) {
GenericRequest request = ServiceFactory.getTSConsultService(certificate, privateKey);
try {
// NOTE(review): the request/response statements between try and catch are missing from this excerpt.
} catch (SOAPException var6) {
// The SOAPException is passed as a message argument, not as the exception cause.
throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_WS, new Object[]{var6.getMessage(), var6});
} else {
// Refuse to call the service without both halves of the client credential.
TechnicalConnectorExceptionValues errorValue = TechnicalConnectorExceptionValues.SECURITY_NO_CERTIFICATE;
LOG.debug("\t## " + errorValue.getMessage());
throw new TechnicalConnectorException(errorValue, (Throwable)null, new Object[0]);
Example #5
Source File: From openjdk-jdk9 with GNU General Public License v2.0 | 6 votes |
/**
 * Initializes the builder with the input parameters and caches the trust anchors'
 * certificates and subject DNs for later lookups.
 *
 * @param buildParams the parameter set used to build a certification path
 * @param searchAllCertStores flag stored for the path-building code (not shown here)
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);
    trustAnchors = buildParams.trustAnchors();
    int anchorCount = trustAnchors.size();
    trustedCerts = new HashSet<X509Certificate>(anchorCount);
    trustedSubjectDNs = new HashSet<X500Principal>(anchorCount);
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate anchorCert = anchor.getTrustedCert();
        if (anchorCert == null) {
            // Anchor given by CA name and public key only: remember the name.
            trustedSubjectDNs.add(anchor.getCA());
        } else {
            trustedCerts.add(anchorCert);
            trustedSubjectDNs.add(anchorCert.getSubjectX500Principal());
        }
    }
    this.searchAllCertStores = searchAllCertStores;
}
Example #6
Source File: From openjdk-jdk8u with GNU General Public License v2.0 | 6 votes |
/**
 * Initializes the builder with the input parameters and caches the trust anchors'
 * certificates and subject DNs for later lookups.
 *
 * @param buildParams the parameter set used to build a certification path
 * @param searchAllCertStores flag stored for the path-building code (not shown here)
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);
    trustAnchors = buildParams.trustAnchors();
    int anchorCount = trustAnchors.size();
    trustedCerts = new HashSet<X509Certificate>(anchorCount);
    trustedSubjectDNs = new HashSet<X500Principal>(anchorCount);
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate anchorCert = anchor.getTrustedCert();
        if (anchorCert == null) {
            // Anchor given by CA name and public key only: remember the name.
            trustedSubjectDNs.add(anchor.getCA());
        } else {
            trustedCerts.add(anchorCert);
            trustedSubjectDNs.add(anchorCert.getSubjectX500Principal());
        }
    }
    this.searchAllCertStores = searchAllCertStores;
}
Example #7
Source File: From RipplePower with Apache License 2.0 | 6 votes |
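/**
 * Builds a PKIX CertPath from the given certificates.
 *
 * Every non-null element must be an X509Certificate. Null elements are not
 * rejected here (unchanged from the original) and reach PKIXCertPath as-is.
 *
 * @param certificates the certificates in path order (raw List kept for the public signature)
 * @return the certification path
 * @throws CertificateException if an element is not an X509Certificate
 */
public CertPath engineGenerateCertPath(List certificates) throws CertificateException {
    // The original's explicit Iterator loop lost its element fetch in this copy ("obj =;");
    // an enhanced for over the raw list yields Object, so a foreign element is reported as
    // CertificateException rather than ClassCastException.
    for (Object entry : certificates) {
        if (entry != null && !(entry instanceof X509Certificate)) {
            throw new CertificateException("list contains non X509Certificate object while creating CertPath\n" + entry.toString());
        }
    }
    return new PKIXCertPath(certificates);
}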
Example #8
Source File: From tessera with Apache License 2.0 | 6 votes |
/**
 * Trust-on-first-use: a server address already pinned to a different certificate
 * must be rejected, and the rejection message must name the conflict.
 * NOTE(review): the setup of {@code certificate} and the receiver of the
 * {@code .hasMessageContaining(...)} assertion chain are missing from this excerpt.
 */
public void testCertificateNotValidForRecognisedAddress() throws CertificateException, IOException {
// Unused in the visible part of the test.
X500Principal cn = new X500Principal("CN=localhost");
try {
trustManager.checkServerTrusted(new X509Certificate[]{certificate}, "str");
} catch (Exception ex) {
.hasMessageContaining("This address has been associated with a different certificate");
// The mock is expected to be queried three times for its encoding and its subject
// (presumably across the earlier, not shown, checks plus this one — confirm).
verify(certificate, times(3)).getEncoded();
verify(certificate, times(3)).getSubjectX500Principal();
Example #9
Source File: From freehealth-connector with GNU Affero General Public License v3.0 | 6 votes |
/**
 * Sends a SOAP request whose security handler authenticates with the given
 * certificate and private key (via CertificateCallback) and returns the response body.
 *
 * @param url target endpoint; not used in the visible part of this method
 * @param payload request body; not used in the visible part of this method
 * @param certificate client certificate handed to CertificateCallback
 * @param privateKey private key handed to CertificateCallback
 * @param soapAction SOAPAction value; see the condition note below
 * @return the response as a String
 * @throws TechnicalConnectorException ERROR_WS when the SOAP exchange fails
 */
public String sendCertificateSecured(String url, String payload, X509Certificate certificate, PrivateKey privateKey, String soapAction) throws TechnicalConnectorException {
GenericRequest request = new GenericRequest();
// NOTE(review): this registers the SoapActionHandler only when soapAction is non-null AND
// empty; the else branch is missing from this excerpt. Confirm the condition is not an
// inverted !soapAction.isEmpty().
if (soapAction != null && soapAction.isEmpty()) {
request.setHandlerChain((new HandlerChain()).register(HandlerPosition.SECURITY, new CertificateCallback(certificate, privateKey)).register(HandlerPosition.SECURITY, new SoapActionHandler()));
try {
return this.send(request).asString();
} catch (SOAPException var8) {
throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_WS, var8, new Object[]{var8.getMessage()});
Example #10
Source File: From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
/**
 * Returns the X.509 certificate in this PKCS7 block whose serial number and
 * issuer name both match, or null if there is none.
 *
 * @param serial the serial number of the certificate to retrieve
 * @param issuerName the Distinguished Name of the Issuer
 * @return the matching certificate, or null when absent or when this block carries no certificates
 */
public X509Certificate getCertificate(BigInteger serial, X500Name issuerName) {
    if (certificates == null) {
        return null;
    }
    // Issuer names are filled in on first use and cached in certIssuerNames.
    if (certIssuerNames == null) {
        populateCertIssuerNames();
    }
    for (int idx = 0; idx < certificates.length; idx++) {
        X509Certificate candidate = certificates[idx];
        BigInteger candidateSerial = candidate.getSerialNumber();
        boolean serialMatches = serial.equals(candidateSerial);
        if (serialMatches && issuerName.equals(certIssuerNames[idx])) {
            return candidate;
        }
    }
    return null;
}
Example #11
Source File: From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
/**
* Generates a PKCS #7 signed data message that includes a signature
* timestamp.
* This method is used when a signature has already been generated.
* The signature, a signature timestamp, the signer's certificate chain,
* and optionally the content that was signed, are packaged into a PKCS #7
* signed data message.
* @param params The non-null input parameters.
* @param omitContent true if the content should be omitted from the
* signed data message. Otherwise the content is included.
* @param applyTimestamp true if the signature should be timestamped.
* Otherwise timestamping is not performed.
* @return A PKCS #7 signed data message including a signature timestamp.
* @throws NoSuchAlgorithmException The exception is thrown if the signature
* algorithm is unrecognised.
* @throws CertificateException The exception is thrown if an error occurs
* while processing the signer's certificate or the TSA's
* certificate.
* @throws IOException The exception is thrown if an error occurs while
* generating the signature timestamp or while generating the signed
* data message.
* @throws NullPointerException The exception is thrown if parameters is
* null.
*/
public byte[] generateSignedData(ContentSignerParameters params,
boolean omitContent, boolean applyTimestamp)
throws NoSuchAlgorithmException, CertificateException, IOException {
if (params == null) {
throw new NullPointerException();
// Parse the signature algorithm to extract the digest
// algorithm. The expected format is:
// "<digest>with<encryption>"
// or "<digest>with<encryption>and<mgf>"
// (in the visible part of this method the local is not used again; the
// return below re-reads params.getSignatureAlgorithm())
String signatureAlgorithm = params.getSignatureAlgorithm();
X509Certificate[] signerChain = params.getSignerCertificateChain();
byte[] signature = params.getSignature();
// Include or exclude content
byte[] content = (omitContent == true) ? null : params.getContent();
URI tsaURI = null;
if (applyTimestamp) {
// An explicitly configured TSA wins; otherwise the TSA certificate's
// Subject Information Access extension is consulted.
tsaURI = params.getTimestampingAuthority();
if (tsaURI == null) {
// Examine TSA cert
// NOTE(review): the argument of getTimestampingURI(...) is missing from this excerpt.
tsaURI = getTimestampingURI(
if (tsaURI == null) {
throw new CertificateException(
"Subject Information Access extension not found");
// NOTE(review): the remaining arguments of PKCS7.generateSignedData and the
// closing braces are missing from this excerpt.
return PKCS7.generateSignedData(signature, signerChain, content,
params.getSignatureAlgorithm(), tsaURI,
Example #12
Source File: From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
/**
* Examine the certificate for a Subject Information Access extension
* (<a href="">RFC 5280</a>).
* The extension's {@code accessMethod} field should contain the object
* identifier defined for timestamping: and its
* {@code accessLocation} field should contain an HTTP or HTTPS URL.
* @param tsaCertificate An X.509 certificate for the TSA.
* @return An HTTP or HTTPS URI or null if none was found.
*/
public static URI getTimestampingURI(X509Certificate tsaCertificate) {
if (tsaCertificate == null) {
return null;
// Parse the extensions
try {
// NOTE(review): the right-hand side of this assignment (the getExtensionValue
// call with the SIA OID) is missing from this excerpt.
byte[] extensionValue =
if (extensionValue == null) {
return null;
// getExtensionValue yields the DER OCTET STRING wrapper; unwrap it, then read the
// AccessDescription SEQUENCE inside.
DerInputStream der = new DerInputStream(extensionValue);
der = new DerInputStream(der.getOctetString());
DerValue[] derValue = der.getSequence(5);
AccessDescription description;
GeneralName location;
URIName uri;
for (int i = 0; i < derValue.length; i++) {
description = new AccessDescription(derValue[i]);
if (description.getAccessMethod()
.equals((Object)AD_TIMESTAMPING_Id)) {
location = description.getAccessLocation();
if (location.getType() == GeneralNameInterface.NAME_URI) {
uri = (URIName) location.getName();
// Only http/https locations are accepted; the first match wins.
// NOTE(review): uri.getScheme() may be null for a scheme-less URI — confirm URIName guarantees one.
if (uri.getScheme().equalsIgnoreCase("http") ||
uri.getScheme().equalsIgnoreCase("https")) {
return uri.getURI();
} catch (IOException ioe) {
// ignore
// A malformed extension is treated the same as an absent one: no URI.
return null;
Example #13
Source File: From j2objc with Apache License 2.0 | 5 votes |
/**
 * Creates an {@code X509CertPath} from a {@code List} of {@code X509Certificate}s.
 * <p>
 * The certificates are copied out of the supplied {@code List}, so later changes
 * to the caller's list do not affect this path.
 *
 * @param certs a {@code List} of {@code X509Certificate}s
 * @exception CertificateException if {@code certs} contains an element
 * that is not an {@code X509Certificate}
 */
@SuppressWarnings("unchecked")
public X509CertPath(List<? extends Certificate> certs) throws CertificateException {
    super("X.509");
    // Iterate as Object on purpose: some legacy callers hand in lists whose
    // elements are not Certificates at all, and that must surface as a
    // CertificateException rather than a ClassCastException.
    for (Object element : certs) {
        if (!(element instanceof X509Certificate)) {
            throw new CertificateException("List is not all X509Certificates: " + element.getClass().getName());
        }
    }
    // Unmodifiable snapshot: nothing can change it after construction, so read-only
    // access from several threads is safe.
    List<X509Certificate> snapshot = new ArrayList<X509Certificate>((List<X509Certificate>) certs);
    this.certs = Collections.unmodifiableList(snapshot);
}
Example #14
Source File: From openjdk-8 with GNU General Public License v2.0 | 5 votes |
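/**
 * Stores a certificate chain under {@code alias}: the end-entity certificate
 * (chain[0]) is stored with CKA_LABEL and CKA_ID set to the alias, the remaining
 * certificates are stored without either attribute.
 *
 * @param alias key-store alias for the end-entity certificate
 * @param chain the chain, end-entity certificate first; must not be empty
 * @throws PKCS11Exception as propagated from storeCert / storeCaCerts
 * @throws CertificateException as propagated from storeCert / storeCaCerts
 * @throws IllegalArgumentException if {@code chain} is empty (the original
 *         failed with ArrayIndexOutOfBoundsException on chain[0])
 */
private void storeChain(String alias, X509Certificate[] chain)
        throws PKCS11Exception, CertificateException {
    if (chain.length == 0) {
        throw new IllegalArgumentException("certificate chain for alias '" + alias + "' is empty");
    }
    // add new chain
    // end cert has CKA_LABEL and CKA_ID set to alias.
    // other certs in chain have neither set.
    storeCert(alias, chain[0]);
    storeCaCerts(chain, 1);
}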
Example #15
Source File: From AndroidHttpCapture with MIT License | 5 votes |
/**
 * Accepts every client certificate. The default extended trust manager is
 * consulted, but when it rejects the chain the CertificateException is caught
 * and only logged, so this method never refuses a client certificate and
 * provides no client authentication.
 *
 * @param x509Certificates the client chain as presented
 * @param s the authentication type
 * @param socket the socket the chain was received on
 * @throws CertificateException never in practice; the delegate's rejection is swallowed
 */
public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
try {
DEFAULT_EXTENDED_TRUST_MANAGER.checkClientTrusted(x509Certificates, s, socket);
} catch (CertificateException e) {
// Rejection is logged at debug level with the first certificate's subject and then dropped.
// NOTE(review): x509Certificates[0] throws ArrayIndexOutOfBoundsException on an empty
// chain — confirm callers never pass one.
log.debug("Accepting an untrusted client certificate: {}", x509Certificates[0].getSubjectDN(), e);
Example #16
Source File: From MiBandDecompiled with Apache License 2.0 | 5 votes |
/**
 * Performs no validation of the server chain: the first chain presented is
 * remembered in {@code a}, a log line is written, and the method returns.
 * Every server certificate is therefore accepted by this trust manager.
 * NOTE(review): the method's braces are absent in this excerpt; {@code a} is a
 * field declared outside it.
 *
 * @param ax509certificate the server chain as presented
 * @param s the authentication type (unused)
 */
public void checkServerTrusted(X509Certificate ax509certificate[], String s)
// Keep only the first chain seen; later chains are ignored.
if (a == null)
a = ax509certificate;
Log.v("openauth", "init at checkServerTrusted");
Example #17
Source File: From brooklyn-server with Apache License 2.0 | 5 votes |
/**
 * Builds a self-signed root, signs a leaf certificate with it and checks that the
 * leaf is recognised as authorised by the root.
 */
@Test
public void testInjectCertificateAuthority() throws Exception {
    KeyPair rootKey = SecureKeys.newKeyPair();
    X509Certificate rootCert = new FluentKeySigner("the-root", rootKey)
            .ca(0)
            .selfsign()
            .getAuthorityCertificate();

    FluentKeySigner rootSigner = new FluentKeySigner(rootCert, rootKey);
    Assert.assertEquals("the-root", rootSigner.getCommonName());

    KeyPair leafKey = SecureKeys.newKeyPair();
    X509Certificate leafCert = rootSigner.newCertificateFor("A", leafKey);
    Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(leafCert, rootCert, false));
}
Example #18
Source File: From xades4j with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Verifies a CompleteCertificateRefs property: every certificate of the
 * certification chain except the first one must have a reference in the
 * property, and each reference's digest must match the certificate.
 *
 * @param propData the certificate references carried by the property
 * @param ctx verification context providing the certification chain
 * @return the verified property wrapping the referenced certificates
 * @throws InvalidPropertyException when a chain certificate has no reference
 *         (CompleteCertRefsCertNotFoundException) or its reference does not
 *         match (CompleteCertRefsReferenceException)
 */
@Override
public QualifyingProperty verify(CompleteCertificateRefsData propData, QualifyingPropertyVerificationContext ctx) throws InvalidPropertyException {
    List<X509Certificate> chain = ctx.getCertChainData().getCertificateChain();
    // The first chain element is skipped — presumably the signing certificate itself.
    List<X509Certificate> referencedCerts = chain.subList(1, chain.size());
    Collection<CertRef> refs = propData.getCertRefs();
    // "Check that there are no references to certificates out of those that
    // are part of the certification path."
    for (X509Certificate chainCert : referencedCerts) {
        CertRef ref = CertRefUtils.findCertRef(chainCert, refs, this.dnComparer);
        if (ref == null) {
            throw new CompleteCertRefsCertNotFoundException(chainCert);
        }
        try {
            CertRefUtils.checkCertRef(ref, chainCert, messageDigestProvider);
        } catch (CertRefUtils.InvalidCertRefException ex) {
            throw new CompleteCertRefsReferenceException(chainCert, ref, ex.getMessage());
        }
    }
    return new CompleteCertificateRefsProperty(Collections.unmodifiableList(referencedCerts));
}
Example #19
Source File: From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/**
* Constructor XMLX509Certificate
* Builds the ds:X509Certificate element for the given certificate.
* @param doc owner document of the new element
* @param x509certificate certificate whose encoding is placed in the element
* @throws XMLSecurityException if the certificate cannot be processed (see note below)
*/
public XMLX509Certificate(Document doc, X509Certificate x509certificate)
throws XMLSecurityException {
try {
// NOTE(review): the body of the try block and the type of the caught exception
// are missing from this excerpt.
} catch ( ex) {
// The caught exception is kept as the cause; "empty" is the message key.
throw new XMLSecurityException("empty", ex);
Example #20
Source File: From fido2 with GNU Lesser General Public License v2.1 | 5 votes |
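/**
 * Parses an X.509 certificate from the stream using the BCFIPS provider.
 *
 * @param instr the certificate bytes; this method does not close the stream
 * @return the certificate, or null when parsing fails or the BCFIPS provider is not
 *         installed (the failure is logged at SEVERE under CRYPTO-MSG-1000)
 */
public static X509Certificate generateX509FromInputStream(InputStream instr) {
    try {
        CertificateFactory certFactory = CertificateFactory.getInstance("X.509", "BCFIPS");
        return (X509Certificate) certFactory.generateCertificate(instr);
    } catch (CertificateException | NoSuchProviderException ex) {
        // The source-method name in the log record now matches this method;
        // the original recorded "generateX509FromBytes".
        logp(Level.SEVERE, classname, "generateX509FromInputStream", "CRYPTO-MSG-1000", printStackTrace(ex));
        return null;
    }
}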
Example #21
Source File: From jdk8u60 with GNU General Public License v2.0 | 5 votes |
/**
* Method getSKIBytesFromCert
* Returns the raw SubjectKeyIdentifier value of a v3 certificate, with the two
* DER OCTET STRING wrappers stripped.
* @param cert the certificate to read the SKI extension from
* @return ski bytes from the given certificate
* @throws XMLSecurityException if the certificate is below version 3
*         ("certificate.noSki.lowVersion") or has no SKI extension ("certificate.noSki.null")
*/
public static byte[] getSKIBytesFromCert(X509Certificate cert)
throws XMLSecurityException {
// Extensions only exist from X.509 v3 on.
if (cert.getVersion() < 3) {
Object exArgs[] = { Integer.valueOf(cert.getVersion()) };
throw new XMLSecurityException("certificate.noSki.lowVersion", exArgs);
/*
* Gets the DER-encoded OCTET string for the extension value
* (extnValue) identified by the passed-in oid String. The oid
* string is represented by a set of positive whole numbers
* separated by periods.
*/
byte[] extensionValue = cert.getExtensionValue(XMLX509SKI.SKI_OID);
if (extensionValue == null) {
throw new XMLSecurityException("certificate.noSki.null");
/*
* Strip away first four bytes from the extensionValue
* The first two bytes are the tag and length of the extensionValue
* OCTET STRING, and the next two bytes are the tag and length of
* the ski OCTET STRING.
*/
// NOTE(review): the fixed four-byte skip assumes both lengths are short-form (value
// under 128 bytes), and an extension value shorter than four bytes would give a
// negative array size here — the input is not validated against either case.
byte skidValue[] = new byte[extensionValue.length - 4];
System.arraycopy(extensionValue, 4, skidValue, 0, skidValue.length);
if (log.isLoggable(java.util.logging.Level.FINE)) {
log.log(java.util.logging.Level.FINE, "Base64 of SKI is " + Base64.encode(skidValue));
return skidValue;
Example #22
Source File: From snowflake-jdbc with Apache License 2.0 | 5 votes |
/**
 * Reads every X.509 certificate contained in a resource file.
 *
 * @param filename file name under the resources directory
 * @return the certificates, in the order the factory yields them
 * @throws Throwable if the file cannot be opened or parsed
 */
private List<X509Certificate> getX509CertificatesFromFile(String filename) throws Throwable {
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    List<X509Certificate> result = new ArrayList<>();
    // NOTE(review): the stream returned by getFile() is not closed here — confirm the
    // caller or getFile() takes care of it.
    for (Certificate parsed : factory.generateCertificates(getFile(filename))) {
        X509Certificate x509 = (X509Certificate) parsed;
        result.add(x509);
    }
    return result;
}
Example #23
Source File: From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
/**
 * Reads a bunch of certs from files and creates a CertPath from them.
 * Each certificate is inserted at the front, so the path holds the files in
 * the reverse of the order given.
 *
 * @param relPath relative path containing certs (must end in file.separator)
 * @param fileNames an array of {@code String}s that are file names
 * @return the certification path built from the files
 * @throws Exception on error
 */
public static CertPath buildPath(String relPath, String[] fileNames) throws Exception {
    List<X509Certificate> certs = new ArrayList<X509Certificate>();
    for (String name : fileNames) {
        // Prepend, so the last file read ends up first in the path.
        certs.add(0, getCertFromFile(relPath + name));
    }
    CertificateFactory factory = CertificateFactory.getInstance("X509");
    return factory.generateCertPath(certs);
}
Example #24
Source File: From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
/**
 * Method engineResolvePublicKey
 * Resolves the X.509 certificate referenced by {@code element} and returns its public key.
 *
 * @param element the KeyInfo child element to resolve
 * @param baseURI passed through to engineLookupResolveX509Certificate
 * @param storage passed through to engineLookupResolveX509Certificate
 * @return the certificate's public key, or null if no {@link PublicKey} could be obtained
 * @throws KeyResolverException as propagated from engineLookupResolveX509Certificate
 */
public PublicKey engineLookupAndResolvePublicKey(
    Element element, String baseURI, StorageResolver storage
) throws KeyResolverException {
    X509Certificate resolved = this.engineLookupResolveX509Certificate(element, baseURI, storage);
    return resolved == null ? null : resolved.getPublicKey();
}
Example #25
Source File: From openjdk-jdk8u-backup with GNU General Public License v2.0 | 5 votes |
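/**
 * Validates a certificate chain against the CA certificates of a JKS keystore
 * and prints the validated chain, one "subject issued by issuer" line per certificate.
 *
 * @param args {cacerts keystore, cert chain}
 * @throws Exception if the keystore cannot be loaded or the chain does not validate
 */
public static void main(String[] args) throws Exception {
    KeyStore ks = KeyStore.getInstance("JKS");
    // try-with-resources: the original never closed the FileInputStream.
    // "changeit" is the JDK's default cacerts password; this is presumably a test harness.
    try (FileInputStream keystoreIn = new FileInputStream(args[0])) {
        ks.load(keystoreIn, "changeit".toCharArray());
    }
    Validator v = Validator.getInstance(Validator.TYPE_PKIX, Validator.VAR_GENERIC, ks);
    X509Certificate[] chain = createPath(args[1]);
    System.out.println("Chain: ");
    for (X509Certificate c : v.validate(chain)) {
        System.out.println(" " + c.getSubjectX500Principal() + " issued by " + c.getIssuerX500Principal());
    }
}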
Example #26
Source File: From mariadb-connector-j with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Verifies that {@code host} matches the peer certificate of the session.
 * The session-based check runs first; if it fails, the certificate-based
 * proprietary check is run so the exception thrown carries a better
 * description of the mismatch.
 *
 * @param host host name the client connected to
 * @param session the TLS session holding the peer certificates
 * @param options connection options (not used here)
 * @param serverThreadId server thread id passed through to the verifier
 * @throws SSLException if the host name does not match the certificate
 */
@Override
public void verify(String host, SSLSession session, Options options, long serverThreadId) throws SSLException {
    HostnameVerifierImpl verifier = new HostnameVerifierImpl();
    if (verifier.verify(host, session, serverThreadId)) {
        return;
    }
    // Use proprietary verify method in order to have an exception with a better description of error.
    Certificate[] peerChain = session.getPeerCertificates();
    X509Certificate leaf = (X509Certificate) peerChain[0];
    verifier.verify(host, leaf, serverThreadId);
}
Example #27
Source File: From android_9.0.0_r45 with Apache License 2.0 | 5 votes |
/**
 * Looks up the trust anchor whose subject and public key match {@code cert}
 * and returns its certificate.
 *
 * @param cert the certificate whose subject and public key are matched
 * @return the anchor's trusted certificate, or null when the index has no such anchor
 */
@Override public X509Certificate findBySubjectAndPublicKey(X509Certificate cert) {
    ensureInitialized();
    // NOTE(review): 'anchor' is not declared in this excerpt; if it is an instance
    // field, every call overwrites shared state — confirm against the class.
    anchor = mIndex.findBySubjectAndPublicKey(cert);
    if (anchor == null) {
        return null;
    }
    return anchor.getTrustedCert();
}
Example #28
Source File: From jdk8u60 with GNU General Public License v2.0 | 5 votes |
/**
 * Builds a PKIX path from ee.cer via ca.cer to the anchor.cer trust anchor with
 * revocation checking disabled, and fails if the path's first certificate is
 * not an end-entity certificate.
 * NOTE(review): the builder call on the "res =" line is missing from this excerpt.
 *
 * @param args unused
 * @throws Exception if path building fails or the target is not an EE certificate
 */
public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    // (Test-only relaxation of jdk.certpath.disabledAlgorithms; it is process-wide.)
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor(rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    // -2: the selector does not constrain basicConstraints at all.
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters(Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res =;
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    // getBasicConstraints() == -1 means "not a CA".
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
Example #29
Source File: From baratine with GNU General Public License v2.0 | 5 votes |
/**
 * Returns any client certificates presented on the underlying socket.
 *
 * @return the client certificate chain as reported by {@code _socket}
 * @throws CertificateException as propagated from the socket
 */
public X509Certificate[] clientCertificates()
    throws CertificateException
{
    X509Certificate[] clientChain = _socket.getClientCertificates();
    return clientChain;
}
Example #30
Source File: From vault-crd with Apache License 2.0 | 5 votes |
/**
 * Generates an RSA key pair plus a self-signed certificate for CN=Test and renders
 * both as single-line PEM strings (newlines escaped as the two characters "\n").
 * NOTE(review): in this excerpt the two PEM strings are never attached to the
 * returned VaultResponseData — the setter calls appear to be missing.
 *
 * @param startDate certificate validity start
 * @param valid validity length passed to getSelfCertificate
 * @return a VaultResponseData (empty in the visible code)
 * @throws Exception if key or certificate generation fails
 */
private VaultResponseData generateKeyPair(Date startDate, long valid) throws Exception {
// CertAndKeyGen appears to be the JDK-internal keytool helper, not public API — confirm.
CertAndKeyGen certGen = new CertAndKeyGen("RSA", "SHA256WithRSA");
X500Name x500Name = new X500Name("CN=Test");
X509Certificate cert = certGen.getSelfCertificate(x500Name, startDate, valid);
byte[] encodedPrivateKey = certGen.getPrivateKey().getEncoded();
byte[] encodedPublicKey = cert.getEncoded();
String privateKeySb = "-----BEGIN PRIVATE KEY-----\n" +
Base64.getMimeEncoder().encodeToString(encodedPrivateKey) +
"\n-----END PRIVATE KEY-----";
// NOTE(review): encodedPublicKey is the DER X.509 *certificate* (cert.getEncoded()), yet it
// is labelled "PUBLIC KEY"; a PEM consumer expecting a SubjectPublicKeyInfo will not parse it
// — the label should be CERTIFICATE, or the public key should be encoded instead.
String publicKey = "-----BEGIN PUBLIC KEY-----\n" +
Base64.getMimeEncoder().encodeToString(encodedPublicKey) +
"\n-----END PUBLIC KEY-----";
// Flatten to one line: real newlines become the literal two-character sequence \n,
// and the CRs the MIME encoder emits are dropped.
privateKeySb = privateKeySb.replaceAll("\\n", "\\\\n");
privateKeySb = privateKeySb.replaceAll("\\r", "");
publicKey = publicKey.replaceAll("\\n", "\\\\n");
publicKey = publicKey.replaceAll("\\r", "");
VaultResponseData vaultResponseData = new VaultResponseData();
return vaultResponseData;