diff options
| author | andrew <devnull@localhost> | 2010-10-19 17:55:59 +0100 |
|---|---|---|
| committer | andrew <devnull@localhost> | 2010-10-19 17:55:59 +0100 |
| commit | 7603e948d7a0a7eb2e72358cb4a40ae6779f95da (patch) | |
| tree | c6441f7d14eafe8119d890cddd09b05b8f88c52a /netx/net/sourceforge/jnlp/tools/KeyTool.java | |
Initial import from IcedTea6.
2010-10-19 Andrew John Hughes <[email protected]>
* .hgignore,
* Makefile.am,
* acinclude.m4,
* autogen.sh,
* configure.ac,
* extra/net/sourceforge/jnlp/about/HTMLPanel.java,
* extra/net/sourceforge/jnlp/about/Main.java,
* extra/net/sourceforge/jnlp/about/resources/about.html,
* extra/net/sourceforge/jnlp/about/resources/applications.html,
* extra/net/sourceforge/jnlp/about/resources/notes.html,
* javac.in,
* javaws.desktop: Imported from IcedTea6.
* launcher/java.c,
* launcher/java.h,
* launcher/java_md.c,
* launcher/java_md.h,
* launcher/jli_util.h,
* launcher/jni.h,
* launcher/jvm.h,
* launcher/jvm_md.h,
* launcher/manifest_info.h,
* launcher/splashscreen.h,
* launcher/splashscreen_stubs.c,
* launcher/version_comp.h,
* launcher/wildcard.h: Imported from OpenJDK.
* netx/javaws.1,
* netx/javax/jnlp/BasicService.java,
* netx/javax/jnlp/ClipboardService.java,
* netx/javax/jnlp/DownloadService.java,
* netx/javax/jnlp/DownloadServiceListener.java,
* netx/javax/jnlp/ExtendedService.java,
* netx/javax/jnlp/ExtensionInstallerService.java,
* netx/javax/jnlp/FileContents.java,
* netx/javax/jnlp/FileOpenService.java,
* netx/javax/jnlp/FileSaveService.java,
* netx/javax/jnlp/JNLPRandomAccessFile.java,
* netx/javax/jnlp/PersistenceService.java,
* netx/javax/jnlp/PrintService.java,
* netx/javax/jnlp/ServiceManager.java,
* netx/javax/jnlp/ServiceManagerStub.java,
* netx/javax/jnlp/SingleInstanceListener.java,
* netx/javax/jnlp/SingleInstanceService.java,
* netx/javax/jnlp/UnavailableServiceException.java,
* netx/net/sourceforge/jnlp/AppletDesc.java,
* netx/net/sourceforge/jnlp/ApplicationDesc.java,
* netx/net/sourceforge/jnlp/AssociationDesc.java,
* netx/net/sourceforge/jnlp/ComponentDesc.java,
* netx/net/sourceforge/jnlp/DefaultLaunchHandler.java,
* netx/net/sourceforge/jnlp/ExtensionDesc.java,
* netx/net/sourceforge/jnlp/IconDesc.java,
* netx/net/sourceforge/jnlp/InformationDesc.java,
* netx/net/sourceforge/jnlp/InstallerDesc.java,
* netx/net/sourceforge/jnlp/JARDesc.java,
* netx/net/sourceforge/jnlp/JNLPFile.java,
* netx/net/sourceforge/jnlp/JNLPSplashScreen.java,
* netx/net/sourceforge/jnlp/JREDesc.java,
* netx/net/sourceforge/jnlp/LaunchException.java,
* netx/net/sourceforge/jnlp/LaunchHandler.java,
* netx/net/sourceforge/jnlp/Launcher.java,
* netx/net/sourceforge/jnlp/MenuDesc.java,
* netx/net/sourceforge/jnlp/NetxPanel.java,
* netx/net/sourceforge/jnlp/Node.java,
* netx/net/sourceforge/jnlp/PackageDesc.java,
* netx/net/sourceforge/jnlp/ParseException.java,
* netx/net/sourceforge/jnlp/Parser.java,
* netx/net/sourceforge/jnlp/PluginBridge.java,
* netx/net/sourceforge/jnlp/PropertyDesc.java,
* netx/net/sourceforge/jnlp/RelatedContentDesc.java,
* netx/net/sourceforge/jnlp/ResourcesDesc.java,
* netx/net/sourceforge/jnlp/SecurityDesc.java,
* netx/net/sourceforge/jnlp/ShortcutDesc.java,
* netx/net/sourceforge/jnlp/StreamEater.java,
* netx/net/sourceforge/jnlp/UpdateDesc.java,
* netx/net/sourceforge/jnlp/Version.java,
* netx/net/sourceforge/jnlp/cache/CacheEntry.java,
* netx/net/sourceforge/jnlp/cache/CacheUtil.java,
* netx/net/sourceforge/jnlp/cache/DefaultDownloadIndicator.java,
* netx/net/sourceforge/jnlp/cache/DownloadIndicator.java,
* netx/net/sourceforge/jnlp/cache/Resource.java,
* netx/net/sourceforge/jnlp/cache/ResourceTracker.java,
* netx/net/sourceforge/jnlp/cache/UpdatePolicy.java,
* netx/net/sourceforge/jnlp/cache/package.html,
* netx/net/sourceforge/jnlp/event/ApplicationEvent.java,
* netx/net/sourceforge/jnlp/event/ApplicationListener.java,
* netx/net/sourceforge/jnlp/event/DownloadEvent.java,
* netx/net/sourceforge/jnlp/event/DownloadListener.java,
* netx/net/sourceforge/jnlp/event/package.html,
* netx/net/sourceforge/jnlp/package.html,
* netx/net/sourceforge/jnlp/resources/Manifest.mf,
* netx/net/sourceforge/jnlp/resources/Messages.properties,
* netx/net/sourceforge/jnlp/resources/about.jnlp,
* netx/net/sourceforge/jnlp/resources/default.jnlp,
* netx/net/sourceforge/jnlp/runtime/AppThreadGroup.java,
* netx/net/sourceforge/jnlp/runtime/AppletAudioClip.java,
* netx/net/sourceforge/jnlp/runtime/AppletEnvironment.java,
* netx/net/sourceforge/jnlp/runtime/AppletInstance.java,
* netx/net/sourceforge/jnlp/runtime/ApplicationInstance.java,
* netx/net/sourceforge/jnlp/runtime/Boot.java,
* netx/net/sourceforge/jnlp/runtime/Boot13.java,
* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java,
* netx/net/sourceforge/jnlp/runtime/JNLPPolicy.java,
* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
* netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java,
* netx/net/sourceforge/jnlp/runtime/package.html,
* netx/net/sourceforge/jnlp/security/AccessWarningPane.java,
* netx/net/sourceforge/jnlp/security/AppletWarningPane.java,
* netx/net/sourceforge/jnlp/security/CertVerifier.java,
* netx/net/sourceforge/jnlp/security/CertWarningPane.java,
* netx/net/sourceforge/jnlp/security/CertsInfoPane.java,
* netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java,
* netx/net/sourceforge/jnlp/security/MoreInfoPane.java,
* netx/net/sourceforge/jnlp/security/NotAllSignedWarningPane.java,
* netx/net/sourceforge/jnlp/security/SecurityDialogPanel.java,
* netx/net/sourceforge/jnlp/security/SecurityUtil.java,
* netx/net/sourceforge/jnlp/security/SecurityWarningDialog.java,
* netx/net/sourceforge/jnlp/security/SingleCertInfoPane.java,
* netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java,
* netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java,
* netx/net/sourceforge/jnlp/security/viewer/CertificateViewer.java,
* netx/net/sourceforge/jnlp/services/ExtendedSingleInstanceService.java,
* netx/net/sourceforge/jnlp/services/InstanceExistsException.java,
* netx/net/sourceforge/jnlp/services/ServiceUtil.java,
* netx/net/sourceforge/jnlp/services/SingleInstanceLock.java,
* netx/net/sourceforge/jnlp/services/XBasicService.java,
* netx/net/sourceforge/jnlp/services/XClipboardService.java,
* netx/net/sourceforge/jnlp/services/XDownloadService.java,
* netx/net/sourceforge/jnlp/services/XExtendedService.java,
* netx/net/sourceforge/jnlp/services/XExtensionInstallerService.java,
* netx/net/sourceforge/jnlp/services/XFileContents.java,
* netx/net/sourceforge/jnlp/services/XFileOpenService.java,
* netx/net/sourceforge/jnlp/services/XFileSaveService.java,
* netx/net/sourceforge/jnlp/services/XJNLPRandomAccessFile.java,
* netx/net/sourceforge/jnlp/services/XPersistenceService.java,
* netx/net/sourceforge/jnlp/services/XPrintService.java,
* netx/net/sourceforge/jnlp/services/XServiceManagerStub.java,
* netx/net/sourceforge/jnlp/services/XSingleInstanceService.java,
* netx/net/sourceforge/jnlp/services/package.html,
* netx/net/sourceforge/jnlp/tools/CharacterEncoder.java,
* netx/net/sourceforge/jnlp/tools/HexDumpEncoder.java,
* netx/net/sourceforge/jnlp/tools/JarRunner.java,
* netx/net/sourceforge/jnlp/tools/JarSigner.java,
* netx/net/sourceforge/jnlp/tools/JarSignerResources.java,
* netx/net/sourceforge/jnlp/tools/KeyStoreUtil.java,
* netx/net/sourceforge/jnlp/tools/KeyTool.java,
* netx/net/sourceforge/jnlp/util/FileUtils.java,
* netx/net/sourceforge/jnlp/util/PropertiesFile.java,
* netx/net/sourceforge/jnlp/util/Reflect.java,
* netx/net/sourceforge/jnlp/util/WeakList.java,
* netx/net/sourceforge/jnlp/util/XDesktopEntry.java,
* netx/net/sourceforge/nanoxml/XMLElement.java,
* netx/net/sourceforge/nanoxml/XMLParseException.java,
* plugin/icedteanp/IcedTeaJavaRequestProcessor.cc,
* plugin/icedteanp/IcedTeaJavaRequestProcessor.h,
* plugin/icedteanp/IcedTeaNPPlugin.cc,
* plugin/icedteanp/IcedTeaNPPlugin.h,
* plugin/icedteanp/IcedTeaPluginRequestProcessor.cc,
* plugin/icedteanp/IcedTeaPluginRequestProcessor.h,
* plugin/icedteanp/IcedTeaPluginUtils.cc,
* plugin/icedteanp/IcedTeaPluginUtils.h,
* plugin/icedteanp/IcedTeaRunnable.cc,
* plugin/icedteanp/IcedTeaRunnable.h,
* plugin/icedteanp/IcedTeaScriptablePluginObject.cc,
* plugin/icedteanp/IcedTeaScriptablePluginObject.h,
* plugin/icedteanp/java/netscape/javascript/JSException.java,
* plugin/icedteanp/java/netscape/javascript/JSObject.java,
* plugin/icedteanp/java/netscape/javascript/JSObjectCreatePermission.java,
* plugin/icedteanp/java/netscape/javascript/JSProxy.java,
* plugin/icedteanp/java/netscape/javascript/JSRunnable.java,
* plugin/icedteanp/java/netscape/javascript/JSUtil.java,
* plugin/icedteanp/java/netscape/security/ForbiddenTargetException.java,
* plugin/icedteanp/java/sun/applet/AppletSecurityContextManager.java,
* plugin/icedteanp/java/sun/applet/GetMemberPluginCallRequest.java,
* plugin/icedteanp/java/sun/applet/GetWindowPluginCallRequest.java,
* plugin/icedteanp/java/sun/applet/JavaConsole.java,
* plugin/icedteanp/java/sun/applet/MethodOverloadResolver.java,
* plugin/icedteanp/java/sun/applet/PasswordAuthenticationDialog.java,
* plugin/icedteanp/java/sun/applet/PluginAppletSecurityContext.java,
* plugin/icedteanp/java/sun/applet/PluginAppletViewer.java,
* plugin/icedteanp/java/sun/applet/PluginCallRequest.java,
* plugin/icedteanp/java/sun/applet/PluginCallRequestFactory.java,
* plugin/icedteanp/java/sun/applet/PluginClassLoader.java,
* plugin/icedteanp/java/sun/applet/PluginCookieInfoRequest.java,
* plugin/icedteanp/java/sun/applet/PluginCookieManager.java,
* plugin/icedteanp/java/sun/applet/PluginDebug.java,
* plugin/icedteanp/java/sun/applet/PluginException.java,
* plugin/icedteanp/java/sun/applet/PluginMain.java,
* plugin/icedteanp/java/sun/applet/PluginMessageConsumer.java,
* plugin/icedteanp/java/sun/applet/PluginMessageHandlerWorker.java,
* plugin/icedteanp/java/sun/applet/PluginObjectStore.java,
* plugin/icedteanp/java/sun/applet/PluginProxyInfoRequest.java,
* plugin/icedteanp/java/sun/applet/PluginProxySelector.java,
* plugin/icedteanp/java/sun/applet/PluginStreamHandler.java,
* plugin/icedteanp/java/sun/applet/RequestQueue.java,
* plugin/icedteanp/java/sun/applet/TestEnv.java,
* plugin/icedteanp/java/sun/applet/VoidPluginCallRequest.java,
* plugin/tests/LiveConnect/DummyObject.java,
* plugin/tests/LiveConnect/OverloadTestHelper1.java,
* plugin/tests/LiveConnect/OverloadTestHelper2.java,
* plugin/tests/LiveConnect/OverloadTestHelper3.java,
* plugin/tests/LiveConnect/PluginTest.java,
* plugin/tests/LiveConnect/build,
* plugin/tests/LiveConnect/common.js,
* plugin/tests/LiveConnect/index.html,
* plugin/tests/LiveConnect/jjs_eval_test.js,
* plugin/tests/LiveConnect/jjs_func_parameters_tests.js,
* plugin/tests/LiveConnect/jjs_func_rettype_tests.js,
* plugin/tests/LiveConnect/jjs_get_tests.js,
* plugin/tests/LiveConnect/jjs_set_tests.js,
* plugin/tests/LiveConnect/jsj_func_overload_tests.js,
* plugin/tests/LiveConnect/jsj_func_parameters_tests.js,
* plugin/tests/LiveConnect/jsj_func_rettype_tests.js,
* plugin/tests/LiveConnect/jsj_get_tests.js,
* plugin/tests/LiveConnect/jsj_set_tests.js,
* plugin/tests/LiveConnect/jsj_type_casting_tests.js,
* plugin/tests/LiveConnect/jsj_type_conversion_tests.js:
Initial import from IcedTea6.
* AUTHORS,
* COPYING
* INSTALL,
* NEWS,
* README: New documentation.
Diffstat (limited to 'netx/net/sourceforge/jnlp/tools/KeyTool.java')
| -rw-r--r-- | netx/net/sourceforge/jnlp/tools/KeyTool.java | 461 |
1 files changed, 461 insertions, 0 deletions
diff --git a/netx/net/sourceforge/jnlp/tools/KeyTool.java b/netx/net/sourceforge/jnlp/tools/KeyTool.java new file mode 100644 index 0000000..f7780c4 --- /dev/null +++ b/netx/net/sourceforge/jnlp/tools/KeyTool.java @@ -0,0 +1,461 @@ +/* + * Copyright 1997-2006 Sun Microsystems, Inc. All Rights Reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Sun designates this + * particular file as subject to the "Classpath" exception as provided + * by Sun in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, + * CA 95054 USA or visit www.sun.com if you need additional information or + * have any questions. + */ + +package net.sourceforge.jnlp.tools; + +import java.io.BufferedInputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.PrintStream; +import java.security.KeyStore; +import java.security.MessageDigest; +import java.security.PublicKey; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.security.Principal; +import java.util.Enumeration; +import java.util.Random; +import java.util.Hashtable; +import java.util.Vector; + +import net.sourceforge.jnlp.security.SecurityUtil; + +import sun.misc.BASE64Encoder; +import sun.security.provider.X509Factory; + +/** + * This tool manages the user's trusted certificates + * + * @author Jan Luehe + * @author Joshua Sumali + */ +public class KeyTool { + + // The user's keystore. + private KeyStore usercerts = null; + // JDK cacerts + private KeyStore cacerts = null; + // System ca-bundle.crt + private KeyStore systemcerts = null; + + private String fullCertPath = SecurityUtil.getTrustedCertsFilename(); + + private FileOutputStream fos = null; + + /** + * Whether we trust the system cacerts file. + */ + private boolean trustcacerts = true; + + /** + * Whether we print certificates in rfc, base64 encoding. + */ + private boolean rfc = true; + + private final char[] password = "changeit".toCharArray(); + + /** + * Whether we prompt for user input. + */ + private boolean noprompt = true; + + public KeyTool() throws Exception { + + // Initialize all the keystores. + usercerts = SecurityUtil.getUserKeyStore(); + cacerts = SecurityUtil.getCacertsKeyStore(); + systemcerts = SecurityUtil.getSystemCertStore(); + } + + /** + * Adds a trusted certificate to the user's keystore. + * @return true if the add was successful, false otherwise. + */ + public boolean importCert(File file) throws Exception { + + BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file)); + CertificateFactory cf = CertificateFactory.getInstance("X509"); + X509Certificate cert = null; + + if (bis.available() >= 1) { + try { + cert = (X509Certificate)cf.generateCertificate(bis); + } catch (ClassCastException cce) { + throw new Exception("Input file is not an X509 Certificate"); + } catch (CertificateException ce) { + throw new Exception("Input file is not an X509 Certificate"); + } + } + + return importCert((Certificate)cert); + } + + /** + * Adds a trusted certificate to the user's keystore. + * @return true if the add was successful, false otherwise. + */ + public boolean importCert(Certificate cert) throws Exception { + + String alias = usercerts.getCertificateAlias(cert); + + if (alias != null) { //cert already exists + return true; + } else { + String newAlias = getRandomAlias(); + //check to make sure this alias doesn't exist + while (usercerts.getCertificate(newAlias) != null) + newAlias = getRandomAlias(); + return addTrustedCert(newAlias, cert); + } + } + + /** + * Generates a random alias for storing a trusted Certificate. + */ + private String getRandomAlias() { + Random r = new Random(); + String token = Long.toString(Math.abs(r.nextLong()), 36); + return "trustedCert-" + token; + } + + /** + * Prints all keystore entries. + */ + private void doPrintEntries(PrintStream out) throws Exception { + + out.println("KeyStore type: " + usercerts.getType()); + out.println("KeyStore provider: " + usercerts.getProvider().toString()); + out.println(); + + for (Enumeration<String> e = usercerts.aliases(); e.hasMoreElements();) { + String alias = e.nextElement(); + doPrintEntry(alias, out, false); + } + } + + /** + * Prints a single keystore entry. + */ + private void doPrintEntry(String alias, PrintStream out, + boolean printWarning) throws Exception { + + if (usercerts.containsAlias(alias) == false) { + throw new Exception("Alias does not exist"); + } + + if (usercerts.entryInstanceOf(alias, + KeyStore.TrustedCertificateEntry.class)) { + Certificate cert = usercerts.getCertificate(alias); + + out.println("Alias: " + alias); + out.println("Date Created: " + usercerts.getCreationDate(alias)); + out.println("Subject: " + SecurityUtil.getCN(((X509Certificate)usercerts + .getCertificate(alias)).getSubjectX500Principal().getName())); + out.println("Certificate fingerprint (MD5): " + + getCertFingerPrint("MD5", cert)); + out.println(); + } + } + + /** + * Gets the requested finger print of the certificate. + */ + private String getCertFingerPrint(String mdAlg, Certificate cert) + throws Exception { + byte[] encCertInfo = cert.getEncoded(); + MessageDigest md = MessageDigest.getInstance(mdAlg); + byte[] digest = md.digest(encCertInfo); + return toHexString(digest); + } + + /** + * Converts a byte to hex digit and writes to the supplied buffer + */ + private void byte2hex(byte b, StringBuffer buf) { + char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8', + '9', 'A', 'B', 'C', 'D', 'E', 'F' }; + int high = ((b & 0xf0) >> 4); + int low = (b & 0x0f); + buf.append(hexChars[high]); + buf.append(hexChars[low]); + } + + /** + * Converts a byte array to hex string + */ + private String toHexString(byte[] block) { + StringBuffer buf = new StringBuffer(); + int len = block.length; + for (int i = 0; i < len; i++) { + byte2hex(block[i], buf); + if (i < len-1) { + buf.append(":"); + } + } + return buf.toString(); + } + + /** + * Adds a certificate to the keystore, and writes new keystore to disk. + */ + private boolean addTrustedCert(String alias, Certificate cert) + throws Exception { + + if (isSelfSigned((X509Certificate)cert)) { + //will throw exception if this fails + cert.verify(cert.getPublicKey()); + } + + if (noprompt) { + usercerts.setCertificateEntry(alias, cert); + fos = new FileOutputStream(fullCertPath); + usercerts.store(fos, password); + fos.close(); + return true; + } + + return false; + } + + /** + * Returns true if the given certificate is trusted, false otherwise. + */ + public boolean isTrusted(Certificate cert) throws Exception { + if (cert != null) { + if (usercerts.getCertificateAlias(cert) != null) { + return true; // found in own keystore + } + return false; + } else { + return false; + } + } + + /** + * Returns true if the certificate is self-signed, false otherwise. + */ + private boolean isSelfSigned(X509Certificate cert) { + return cert.getSubjectDN().equals(cert.getIssuerDN()); + } + + /** + * Checks if a given certificate is part of the user's cacerts + * keystore. + * @param c the certificate to check + * @returns true if the certificate is in the user's cacerts and + * false otherwise + */ + public boolean checkCacertsForCertificate(Certificate c) throws Exception { + if (c != null) { + + String alias = null; + + //first try jdk cacerts. + if (cacerts != null) { + alias = cacerts.getCertificateAlias(c); + + //if we can't find it here, try the system certs. + if (alias == null && systemcerts != null) + alias = systemcerts.getCertificateAlias(c); + } + //otherwise try the system certs if you can't use the jdk certs. + else if (systemcerts != null) + alias = systemcerts.getCertificateAlias(c); + + return (alias != null); + } else + return false; + } + + /** + * Establishes a certificate chain (using trusted certificates in the + * keystore), starting with the user certificate + * and ending at a self-signed certificate found in the keystore. + * + * @param userCert the user certificate of the alias + * @param certToVerify the single certificate provided in the reply + */ + public boolean establishCertChain(Certificate userCert, + Certificate certToVerify) + throws Exception + { + if (userCert != null) { + // Make sure that the public key of the certificate reply matches + // the original public key in the keystore + PublicKey origPubKey = userCert.getPublicKey(); + PublicKey replyPubKey = certToVerify.getPublicKey(); + if (!origPubKey.equals(replyPubKey)) { + // TODO: something went wrong -- throw exception + throw new Exception( + "Public keys in reply and keystore don't match"); + } + + // If the two certs are identical, we're done: no need to import + // anything + if (certToVerify.equals(userCert)) { + throw new Exception( + "Certificate reply and certificate in keystore are identical"); + } + } + + // Build a hash table of all certificates in the keystore. + // Use the subject distinguished name as the key into the hash table. + // All certificates associated with the same subject distinguished + // name are stored in the same hash table entry as a vector. + Hashtable<Principal, Vector<Certificate>> certs = null; + if (usercerts.size() > 0) { + certs = new Hashtable<Principal, Vector<Certificate>>(11); + keystorecerts2Hashtable(usercerts, certs); + } + if (trustcacerts) { //if we're trusting the cacerts + KeyStore caks = SecurityUtil.getCacertsKeyStore(); + if (caks!=null && caks.size()>0) { + if (certs == null) { + certs = new Hashtable<Principal, Vector<Certificate>>(11); + } + keystorecerts2Hashtable(caks, certs); + } + } + + // start building chain + Vector<Certificate> chain = new Vector<Certificate>(2); + if (buildChain((X509Certificate)certToVerify, chain, certs)) { + Certificate[] newChain = new Certificate[chain.size()]; + // buildChain() returns chain with self-signed root-cert first and + // user-cert last, so we need to invert the chain before we store + // it + int j=0; + for (int i=chain.size()-1; i>=0; i--) { + newChain[j] = chain.elementAt(i); + j++; + } + //return newChain; + return newChain != null; + } else { + throw new Exception("Failed to establish chain from reply"); + } + } + + /** + * Stores the (leaf) certificates of a keystore in a hashtable. + * All certs belonging to the same CA are stored in a vector that + * in turn is stored in the hashtable, keyed by the CA's subject DN + */ + private void keystorecerts2Hashtable(KeyStore ks, + Hashtable<Principal, Vector<Certificate>> hash) + throws Exception { + + for (Enumeration<String> aliases = ks.aliases(); + aliases.hasMoreElements(); ) { + String alias = aliases.nextElement(); + Certificate cert = ks.getCertificate(alias); + if (cert != null) { + Principal subjectDN = ((X509Certificate)cert).getSubjectDN(); + Vector<Certificate> vec = hash.get(subjectDN); + if (vec == null) { + vec = new Vector<Certificate>(); + vec.addElement(cert); + } else { + if (!vec.contains(cert)) { + vec.addElement(cert); + } + } + hash.put(subjectDN, vec); + } + } + } + + /** + * Recursively tries to establish chain from pool of trusted certs. + * + * @param certToVerify the cert that needs to be verified. + * @param chain the chain that's being built. + * @param certs the pool of trusted certs + * + * @return true if successful, false otherwise. + */ + private boolean buildChain(X509Certificate certToVerify, + Vector<Certificate> chain, + Hashtable<Principal, Vector<Certificate>> certs) { + Principal subject = certToVerify.getSubjectDN(); + Principal issuer = certToVerify.getIssuerDN(); + if (subject.equals(issuer)) { + // reached self-signed root cert; + // no verification needed because it's trusted. + chain.addElement(certToVerify); + return true; + } + + // Get the issuer's certificate(s) + Vector<Certificate> vec = certs.get(issuer); + if (vec == null) { + return false; + } + + // Try out each certificate in the vector, until we find one + // whose public key verifies the signature of the certificate + // in question. + for (Enumeration<Certificate> issuerCerts = vec.elements(); + issuerCerts.hasMoreElements(); ) { + X509Certificate issuerCert + = (X509Certificate)issuerCerts.nextElement(); + PublicKey issuerPubKey = issuerCert.getPublicKey(); + try { + certToVerify.verify(issuerPubKey); + } catch (Exception e) { + continue; + } + if (buildChain(issuerCert, chain, certs)) { + chain.addElement(certToVerify); + return true; + } + } + return false; + } + + public static void dumpCert(Certificate cert, PrintStream out) + throws IOException, CertificateException { + + boolean printRfc = true; + if (printRfc) { + BASE64Encoder encoder = new BASE64Encoder(); + out.println(X509Factory.BEGIN_CERT); + encoder.encodeBuffer(cert.getEncoded(), out); + out.println(X509Factory.END_CERT); + } else { + out.write(cert.getEncoded()); // binary + } + } + + public static void main(String[] args) throws Exception { + KeyTool kt = new KeyTool(); + kt.doPrintEntries(System.out); + } +} |