public void putSignerInfo(ProtocolSignerInfo protobuf) throws SignatureException { SignerInfo signerInfo = new SignerInfo(protobuf); map.put(ByteBuffer.wrap(signerInfo.getSignerId()), signerInfo); } }
public void testGetCertificates() throws Exception { signerInfo = new SignerInfo(HashAlgorithm.SHA256, certChain, DOMAIN); assertEquals(certChain, signerInfo.getCertificates()); }
public void testGetHashAlgorithm() throws Exception { signerInfo = new SignerInfo(HashAlgorithm.SHA256, certChain, DOMAIN); assertEquals(HashAlgorithm.SHA256, signerInfo.getHashAlgorithm()); }
/** * Public constructor from a protobuf. * * @param protobuf * @throws SignatureException */ public SignerInfo(ProtocolSignerInfo protobuf) throws SignatureException { this.protobuf = protobuf; this.certChain = getCertificatesFromListOfByteArrays( protobuf.getCertificateList()); this.signerId = calculateSignerId(this.certChain); }
private byte[] storeSignerInfo(ImmutableList<X509Certificate> certs) throws Exception { SignerInfo info = new SignerInfo(HashAlgorithm.SHA256, certs, DOMAIN); store.putSignerInfo(info.toProtoBuf()); return info.getSignerId(); }
@Override public synchronized ProtocolSignerInfo retrieveSignerInfo(ByteString signerId) { SignerInfo signerInfo; try { signerInfo = certPathStore.getSignerInfo(signerId.toByteArray()); // null is acceptable for retrieveSignerInfo. The user of the certificate manager should call // prefetchDeltaSignerInfo for the mechanism to actually populate the certificate manager. return signerInfo == null ? null : signerInfo.toProtoBuf(); } catch (SignatureException e) { /* * TODO: This may result in the server endlessly requesting the signer info from the * remote server, a more graceful failure needs to be implemented. */ LOG.severe("Failed to retreive signer info for " + new String(Hex.encodeHex(signerId.toByteArray())), e); return null; } }
/** * Returns {@link SignerInfo} for the (example.com) certificate chain. * @throws Exception if the certificates fail to be resolved properly */ public static SignerInfo getExampleSignerInfo() throws Exception { CertificateFactory factory = CertificateFactory.getInstance("X.509"); X509Certificate exampleCert = (X509Certificate) factory.generateCertificate( new ByteArrayInputStream(EXAMPLE_CERTIFICATE.getBytes())); return new SignerInfo(HashAlgorithm.SHA256, ImmutableList.of(exampleCert), EXAMPLE_DOMAIN); } }
/** * Checks whether for the given {@link SignerInfo} the certificates retrieved * from the {@link CertPathStore} match up. * * @param signerInfo the {@link SignerInfo} to get the certificates from the * {@link CertPathStore} for * @param certPathStore the {@link CertPathStore} to retrieve the certificates * from. */ private void checkCertificateExists(SignerInfo signerInfo, CertPathStore certPathStore) throws SignatureException { List<X509Certificate> retrievedCerts = certPathStore.getSignerInfo(signerInfo.getSignerId()).getCertificates(); assertEquals(signerInfo.getCertificates(), retrievedCerts); } }
/** * Signs a payload and returns a {@link ProtocolSignature} object * representing the signature. * @param payload the bits that are to be signed. * @return the {@link SignerInfo} object. */ public ProtocolSignature sign(byte[] payload) { try { Signature signer = Signature.getInstance( AlgorithmUtil.getJceName(algorithm)); signer.initSign(signingKey); signer.update(payload); return ProtocolSignature.newBuilder() .setSignatureBytes(ByteString.copyFrom(signer.sign())) .setSignerId(ByteString.copyFrom(signerInfo.getSignerId())) .setSignatureAlgorithm(algorithm) .build(); } catch (java.security.SignatureException e) { // This is thrown if the signer object isn't properly initialized. // Since we just made that object from scratch and initialized it, this // really shouldn't happen throw new IllegalStateException(e); } catch (InvalidKeyException e) { // we checked for this in the constructor - this really shouldn't happen throw new IllegalStateException(e); } catch (NoSuchAlgorithmException e) { // we checked for this in the constructor - this really shouldn't happen throw new IllegalStateException(e); } }
/** * Verifies that the {@link SignerInfo} (i.e., the cerificate chain) checks * out, i.e., chains up to a trusted CA, and has certificates that aren't * expired. * * @throws SignatureException if the certificate chain in the * {@link SignerInfo} does't verify. */ public void verifySignerInfo(SignerInfo signer) throws SignatureException { pathValidator.validate(signer.getCertificates()); }
private byte[] calculateSignerId(List<? extends X509Certificate> certs) throws SignatureException { try { CertificateFactory certFactory = CertificateFactory.getInstance(X509); CertPath path = certFactory.generateCertPath(certs); byte[] encodedCertPath = path.getEncoded(PKI_PATH_ENCODING); MessageDigest digest = MessageDigest.getInstance( AlgorithmUtil.getJceName(getHashAlgorithm())); return digest.digest(encodedCertPath); } catch (CertificateException e) { throw new SignatureException("could not parse certificate chain", e); } catch (NoSuchAlgorithmException e) { throw new SignatureException("could not calculate hash of cert chain", e); } } }
/** * Public constructor. * @param hashAlg The hash algorithm to use to calculate the signer id (which * is the base-64-encoding of the hash of the PkiPath-encoding of the cert * chain). * @param certs the cert chain used by this signer. Cert of the signer is * first, and cert of the CA is last. * @param domain the domain that the certificates are issued to. This should * match the CN in the target certificate. * @throws SignatureException if the certs couldn't be parsed into a cert * chain, or if the hash couldn't be calculated. */ public SignerInfo(HashAlgorithm hashAlg, List<X509Certificate> certs, String domain) throws SignatureException { Preconditions.checkArgument(certs.size() > 0, "need at least one" + "cert in the chain"); try { this.protobuf = ProtocolSignerInfo.newBuilder() .setHashAlgorithm(hashAlg) .setDomain(domain) .addAllCertificate(getCertificatesAsListOfByteArrays(certs)) .build(); } catch (CertificateEncodingException e) { throw new SignatureException("couldn't parse certificates", e); } this.certChain = ImmutableList.copyOf(certs); this.signerId = calculateSignerId(this.certChain); }
@Override public String getDomain() { return signer.getSignerInfo().getDomain(); }
@Override public void getDeltaSignerInfo(ByteString signerId, WaveletName waveletName, ProtocolHashedVersion deltaEndVersion, DeltaSignerInfoResponseListener listener) { try { listener.onSuccess(Certificates.getRealSignerInfo().toProtoBuf()); } catch (Exception e) { throw new RuntimeException(e); } } };
private byte[] storeSignerInfo(ImmutableList<X509Certificate> certs) throws Exception { SignerInfo info = new SignerInfo(HashAlgorithm.SHA256, certs, DOMAIN); store.putSignerInfo(info.toProtoBuf()); return info.getSignerId(); }
/** * Returns {@link SignerInfo} for the (realcert, startcom) certificate chain. * @throws Exception if the certificates fail to be resolved properly */ public static SignerInfo getRealSignerInfo() throws Exception { CertificateFactory factory = CertificateFactory.getInstance("X.509"); X509Certificate realCert = (X509Certificate) factory.generateCertificate( new ByteArrayInputStream(REAL_CERTIFICATE.getBytes())); X509Certificate startCom = (X509Certificate) factory.generateCertificate( new ByteArrayInputStream(STARTCOM_CERT.getBytes())); return new SignerInfo(HashAlgorithm.SHA256, ImmutableList.of(realCert, startCom), REAL_DOMAIN); }
/** * Checks whether for the given {@link SignerInfo} the certificates retrieved * from the {@link CertPathStore} match up. * * @param signerInfo the {@link SignerInfo} to get the certificates from the * {@link CertPathStore} for * @param certPathStore the {@link CertPathStore} to retrieve the certificates * from. */ private void checkCertificateExists(SignerInfo signerInfo, CertPathStore certPathStore) throws SignatureException { List<X509Certificate> retrievedCerts = certPathStore.getSignerInfo(signerInfo.getSignerId()).getCertificates(); assertEquals(signerInfo.getCertificates(), retrievedCerts); } }
private ByteString getRealSignerId() throws Exception { return ByteString.copyFrom(Certificates.getRealSignerInfo().getSignerId()); }
@Override public Collection<X509Certificate> getTrustRoots() { try { return getSigner().getSignerInfo().getCertificates(); } catch (Exception e) { throw new RuntimeException(e); } } };
@Override public void putSignerInfo(ProtocolSignerInfo protoSignerInfo) throws SignatureException { synchronized(certPathStore) { SignerInfo signerInfo = new SignerInfo(protoSignerInfo); File signerFile = new File(signerIdToFileName(signerInfo.getSignerId())); FileOutputStream file = null; try { file = new FileOutputStream(signerFile); file.write(protoSignerInfo.toByteArray()); file.flush(); certPathStore.putSignerInfo(protoSignerInfo); } catch (IOException e) { throw new SignatureException("Failed to write signer info to file: " + signerFile.getAbsolutePath(), e); } finally { FileUtils.closeAndIgnoreException(file, signerFile, LOG); } } } }