diff options
author | Ade Lee <alee@redhat.com> | 2011-12-08 21:15:59 -0500 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2011-12-08 21:15:59 -0500 |
commit | 171aaece4f23709d33d180cf36eb3af5e454b0c9 (patch) | |
tree | 1485f9f0a7bd10de4ff25030db575dbb8dafae74 /pki/base/util/src/netscape/security/pkcs/PKCS10.java | |
parent | adad2fcee8a29fdb82376fbce07dedb11fccc182 (diff) | |
download | pki-171aaece4f23709d33d180cf36eb3af5e454b0c9.tar.gz pki-171aaece4f23709d33d180cf36eb3af5e454b0c9.tar.xz pki-171aaece4f23709d33d180cf36eb3af5e454b0c9.zip |
Revert "Formatting"
This reverts commit 32150d3ee32f8ac27118af7c792794b538c78a2f.
Diffstat (limited to 'pki/base/util/src/netscape/security/pkcs/PKCS10.java')
-rw-r--r-- | pki/base/util/src/netscape/security/pkcs/PKCS10.java | 452 |
1 files changed, 234 insertions, 218 deletions
diff --git a/pki/base/util/src/netscape/security/pkcs/PKCS10.java b/pki/base/util/src/netscape/security/pkcs/PKCS10.java index dcd2e0880..dc28c7e9c 100644 --- a/pki/base/util/src/netscape/security/pkcs/PKCS10.java +++ b/pki/base/util/src/netscape/security/pkcs/PKCS10.java @@ -37,23 +37,22 @@ import netscape.security.x509.X509Key; /** * PKCS #10 certificate requests are created and sent to Certificate - * Authorities, which then create X.509 certificates and return them to the - * entity which created the certificate request. These cert requests basically - * consist of the subject's X.500 name and public key, signed using the - * corresponding private key. - * + * Authorities, which then create X.509 certificates and return them to + * the entity which created the certificate request. These cert requests + * basically consist of the subject's X.500 name and public key, signed + * using the corresponding private key. + * * The ASN.1 syntax for a Certification Request is: - * * <pre> * CertificationRequest ::= SEQUENCE { * certificationRequestInfo CertificationRequestInfo, * signatureAlgorithm SignatureAlgorithmIdentifier, * signature Signature * } - * + * * SignatureAlgorithmIdentifier ::= AlgorithmIdentifier * Signature ::= BIT STRING - * + * * CertificationRequestInfo ::= SEQUENCE { * version Version, * subject Name, @@ -62,281 +61,298 @@ import netscape.security.x509.X509Key; * } * Attributes ::= SET OF Attribute * </pre> - * + * * @author David Brownell * @author Amit Kapoor * @author Hemma Prafullchandra * @version 1.28 */ -public class PKCS10 { +public class PKCS10 +{ /** - * Constructs an unsigned PKCS #10 certificate request. Before this request - * may be used, it must be encoded and signed. Then it must be retrieved in - * some conventional format (e.g. string). + * Constructs an unsigned PKCS #10 certificate request. Before this + * request may be used, it must be encoded and signed. Then it + * must be retrieved in some conventional format (e.g. string). * - * @param publicKey the public key that should be placed into the - * certificate generated by the CA. + * @param publicKey the public key that should be placed + * into the certificate generated by the CA. */ - public PKCS10(X509Key publicKey) { - subjectPublicKeyInfo = publicKey; - attributeSet = new PKCS10Attributes(); + public PKCS10 (X509Key publicKey) + { + subjectPublicKeyInfo = publicKey; + attributeSet = new PKCS10Attributes(); } + /** - * Constructs an unsigned PKCS #10 certificate request. Before this request - * may be used, it must be encoded and signed. Then it must be retrieved in - * some conventional format (e.g. string). + * Constructs an unsigned PKCS #10 certificate request. Before this + * request may be used, it must be encoded and signed. Then it + * must be retrieved in some conventional format (e.g. string). * - * @param publicKey the public key that should be placed into the - * certificate generated by the CA. - * @param attributes additonal set of PKCS10 attributes requested for in the - * certificate. + * @param publicKey the public key that should be placed + * into the certificate generated by the CA. + * @param attributes additonal set of PKCS10 attributes requested + * for in the certificate. */ - public PKCS10(X509Key publicKey, PKCS10Attributes attributes) { - subjectPublicKeyInfo = publicKey; - if (attributes != null) - attributeSet = attributes; - else - attributeSet = new PKCS10Attributes(); + public PKCS10 (X509Key publicKey, PKCS10Attributes attributes) + { + subjectPublicKeyInfo = publicKey; + if (attributes != null) + attributeSet = attributes; + else + attributeSet = new PKCS10Attributes(); } + /** - * Parses an encoded, signed PKCS #10 certificate request, verifying the - * request's signature as it does so. This constructor would typically be - * used by a Certificate Authority, from which a new certificate would then - * be constructed. - * + * Parses an encoded, signed PKCS #10 certificate request, verifying + * the request's signature as it does so. This constructor would + * typically be used by a Certificate Authority, from which a new + * certificate would then be constructed. + * * @param data the DER-encoded PKCS #10 request. * @param sigver boolean specifies signature verification enabled or not * @exception IOException for low level errors reading the data * @exception SignatureException when the signature is invalid - * @exception NoSuchAlgorithmException when the signature algorithm is not - * supported in this environment + * @exception NoSuchAlgorithmException when the signature + * algorithm is not supported in this environment */ - public PKCS10(byte data[], boolean sigver) throws IOException, - SignatureException, NoSuchAlgorithmException, - java.security.NoSuchProviderException { - DerInputStream in; - DerValue seq[]; - AlgorithmId id; - byte sigData[]; - Signature sig; - - certificateRequest = data; - - // - // Outer sequence: request, signature algorithm, signature. - // Parse, and prepare to verify later. - // - in = new DerInputStream(data); - seq = in.getSequence(3); - - if (seq.length != 3) - throw new IllegalArgumentException("not a PKCS #10 request"); - - data = seq[0].toByteArray(); // reusing this variable - certRequestInfo = seq[0].toByteArray(); // make a copy - id = AlgorithmId.parse(seq[1]); - sigData = seq[2].getBitString(); - - // - // Inner sequence: version, name, key, attributes - // - BigInt serial; - DerValue val; - - serial = seq[0].data.getInteger(); - /* - * if (serial.toInt () != 0) throw new IllegalArgumentException - * ("not PKCS #10 v1"); - */ - - subject = new X500Name(seq[0].data); - - byte val1[] = seq[0].data.getDerValue().toByteArray(); - subjectPublicKeyInfo = X509Key.parse(new DerValue(val1)); - PublicKey publicKey = X509Key.parsePublicKey(new DerValue(val1)); - - String keystr = subjectPublicKeyInfo.toString(); - - // Cope with a somewhat common illegal PKCS #10 format - if (seq[0].data.available() != 0) - attributeSet = new PKCS10Attributes(seq[0].data); - else - attributeSet = new PKCS10Attributes(); - - // - // OK, we parsed it all ... validate the signature using the - // key and signature algorithm we found. - // temporary commented out - try { - String idName = id.getName(); - if (idName.equals("MD5withRSA")) - idName = "MD5/RSA"; - else if (idName.equals("MD2withRSA")) - idName = "MD2/RSA"; - else if (idName.equals("SHA1withRSA")) - idName = "SHA1/RSA"; - else if (idName.equals("SHA1withDSA")) - idName = "SHA1/DSA"; - else if (idName.equals("SHA1withEC")) - idName = "SHA1/EC"; - else if (idName.equals("SHA256withEC")) - idName = "SHA256/EC"; - else if (idName.equals("SHA384withEC")) - idName = "SHA384/EC"; - else if (idName.equals("SHA512withEC")) - idName = "SHA512/EC"; - - if (sigver) { - sig = Signature.getInstance(idName, "Mozilla-JSS"); - - sig.initVerify(publicKey); - sig.update(data); - if (!sig.verify(sigData)) - throw new SignatureException("Invalid PKCS #10 signature"); - } - } catch (InvalidKeyException e) { - throw new SignatureException("invalid key"); + public PKCS10 (byte data [], boolean sigver) + throws IOException, SignatureException, NoSuchAlgorithmException,java.security.NoSuchProviderException + { + DerInputStream in; + DerValue seq []; + AlgorithmId id; + byte sigData []; + Signature sig; + + certificateRequest = data; + + // + // Outer sequence: request, signature algorithm, signature. + // Parse, and prepare to verify later. + // + in = new DerInputStream (data); + seq = in.getSequence (3); + + if (seq.length != 3) + throw new IllegalArgumentException ("not a PKCS #10 request"); + + data = seq [0].toByteArray (); // reusing this variable + certRequestInfo = seq[0].toByteArray(); // make a copy + id = AlgorithmId.parse (seq [1]); + sigData = seq [2].getBitString (); + + // + // Inner sequence: version, name, key, attributes + // + BigInt serial; + DerValue val; + + serial = seq [0].data.getInteger (); +/* + if (serial.toInt () != 0) + throw new IllegalArgumentException ("not PKCS #10 v1"); +*/ + + subject = new X500Name (seq [0].data); + + + byte val1[] = seq [0].data.getDerValue ().toByteArray(); + subjectPublicKeyInfo = X509Key.parse (new DerValue(val1)); + PublicKey publicKey = X509Key.parsePublicKey (new DerValue(val1)); + + String keystr = subjectPublicKeyInfo.toString(); + + // Cope with a somewhat common illegal PKCS #10 format + if (seq [0].data.available () != 0) + attributeSet = new PKCS10Attributes(seq [0].data); + else + attributeSet = new PKCS10Attributes(); + + // + // OK, we parsed it all ... validate the signature using the + // key and signature algorithm we found. + // temporary commented out + try { + String idName = id.getName (); + if(idName.equals("MD5withRSA")) + idName = "MD5/RSA"; + else if(idName.equals("MD2withRSA")) + idName = "MD2/RSA"; + else if(idName.equals("SHA1withRSA")) + idName = "SHA1/RSA"; + else if(idName.equals("SHA1withDSA")) + idName = "SHA1/DSA"; + else if(idName.equals("SHA1withEC")) + idName = "SHA1/EC"; + else if(idName.equals("SHA256withEC")) + idName = "SHA256/EC"; + else if(idName.equals("SHA384withEC")) + idName = "SHA384/EC"; + else if(idName.equals("SHA512withEC")) + idName = "SHA512/EC"; + + if (sigver) { + sig = Signature.getInstance(idName,"Mozilla-JSS"); + + sig.initVerify (publicKey); + sig.update (data); + if (!sig.verify (sigData)) + throw new SignatureException ("Invalid PKCS #10 signature"); } + } catch (InvalidKeyException e) { + throw new SignatureException ("invalid key"); + } } - public PKCS10(byte data[]) throws IOException, SignatureException, - NoSuchAlgorithmException, java.security.NoSuchProviderException { + public PKCS10 (byte data []) + throws IOException, SignatureException, NoSuchAlgorithmException,java.security.NoSuchProviderException + { this(data, true); } /** - * Create the signed certificate request. This will later be retrieved in - * either string or binary format. - * - * @param requester identifies the signer (by X.500 name) and provides the - * private key used to sign. + * Create the signed certificate request. This will later be + * retrieved in either string or binary format. + * + * @param requester identifies the signer (by X.500 name) + * and provides the private key used to sign. * @exception IOException on errors. * @exception CertificateException on certificate handling errors. * @exception SignatureException on signature handling errors. */ - public void encodeAndSign(X500Signer requester) - throws CertificateException, IOException, SignatureException { - DerOutputStream out, scratch; - byte certificateRequestInfo[]; - byte sig[]; - - if (certificateRequest != null) - throw new SignatureException("request is already signed"); - - subject = requester.getSigner(); - - /* - * Encode cert request info, wrap in a sequence for signing - */ - scratch = new DerOutputStream(); - scratch.putInteger(new BigInt(0)); // version zero - subject.encode(scratch); // X.500 name - subjectPublicKeyInfo.encode(scratch); // public key - attributeSet.encode(scratch); - - out = new DerOutputStream(); - out.write(DerValue.tag_Sequence, scratch); // wrap it! - certificateRequestInfo = out.toByteArray(); - scratch = out; - - /* - * Sign it ... - */ - requester.update(certificateRequestInfo, 0, - certificateRequestInfo.length); - sig = requester.sign(); - - /* - * Build guts of SIGNED macro - */ - requester.getAlgorithmId().encode(scratch); // sig algorithm - scratch.putBitString(sig); // sig - - /* - * Wrap those guts in a sequence - */ - out = new DerOutputStream(); - out.write(DerValue.tag_Sequence, scratch); - certificateRequest = out.toByteArray(); + public void encodeAndSign (X500Signer requester) + throws CertificateException, IOException, SignatureException + { + DerOutputStream out, scratch; + byte certificateRequestInfo []; + byte sig []; + + if (certificateRequest != null) + throw new SignatureException ("request is already signed"); + + subject = requester.getSigner (); + + /* + * Encode cert request info, wrap in a sequence for signing + */ + scratch = new DerOutputStream (); + scratch.putInteger (new BigInt (0)); // version zero + subject.encode (scratch); // X.500 name + subjectPublicKeyInfo.encode (scratch); // public key + attributeSet.encode (scratch); + + out = new DerOutputStream (); + out.write (DerValue.tag_Sequence, scratch); // wrap it! + certificateRequestInfo = out.toByteArray (); + scratch = out; + + /* + * Sign it ... + */ + requester.update (certificateRequestInfo, 0, + certificateRequestInfo.length); + sig = requester.sign (); + + /* + * Build guts of SIGNED macro + */ + requester.getAlgorithmId ().encode (scratch); // sig algorithm + scratch.putBitString (sig); // sig + + /* + * Wrap those guts in a sequence + */ + out = new DerOutputStream (); + out.write (DerValue.tag_Sequence, scratch); + certificateRequest = out.toByteArray (); } + /** * Returns the subject's name. */ - public X500Name getSubjectName() { - return subject; - } + public X500Name getSubjectName () + { return subject; } + /** * Returns the subject's public key. */ - public X509Key getSubjectPublicKeyInfo() { - return subjectPublicKeyInfo; - } + public X509Key getSubjectPublicKeyInfo () + { return subjectPublicKeyInfo; } + /** * Returns the additional attributes requested. */ - public PKCS10Attributes getAttributes() { - return attributeSet; - } + public PKCS10Attributes getAttributes () + { return attributeSet; } /** - * Returns the encoded and signed certificate request as a DER-encoded byte - * array. - * - * @return the certificate request, or null if encodeAndSign() has not yet - * been called. + * Returns the encoded and signed certificate request as a + * DER-encoded byte array. + * + * @return the certificate request, or null if encodeAndSign() + * has not yet been called. */ - public byte[] toByteArray() { - return certificateRequest; + public byte [] toByteArray () + { + return certificateRequest; } + /** * Prints an E-Mailable version of the certificate request on the print - * stream passed. The format is a common base64 encoded one, supported by - * most Certificate Authorities because Netscape web servers have used this - * for some time. Some certificate authorities expect some more information, - * in particular contact information for the web server administrator. - * - * @param out the print stream where the certificate request will be - * printed. + * stream passed. The format is a common base64 encoded one, supported + * by most Certificate Authorities because Netscape web servers have + * used this for some time. Some certificate authorities expect some + * more information, in particular contact information for the web + * server administrator. + * + * @param out the print stream where the certificate request + * will be printed. * @exception IOException when an output operation failed - * @exception SignatureException when the certificate request was not yet - * signed. + * @exception SignatureException when the certificate request was + * not yet signed. */ - public void print(PrintStream out) throws IOException, SignatureException { - if (certificateRequest == null) - throw new SignatureException("Cert request was not signed"); - - out.println("-----BEGIN NEW CERTIFICATE REQUEST-----"); - out.println(com.netscape.osutil.OSUtil.BtoA(certificateRequest)); - out.println("-----END NEW CERTIFICATE REQUEST-----"); + public void print (PrintStream out) + throws IOException, SignatureException + { + if (certificateRequest == null) + throw new SignatureException ("Cert request was not signed"); + + + out.println ("-----BEGIN NEW CERTIFICATE REQUEST-----"); + out.println (com.netscape.osutil.OSUtil.BtoA(certificateRequest)); + out.println ("-----END NEW CERTIFICATE REQUEST-----"); } /** * Provides a short description of this request. */ - public String toString() { - return "[PKCS #10 certificate request:\n" - + subjectPublicKeyInfo.toString() + " subject: <" + subject - + ">" + "\n" + " attributes: " + attributeSet.toString() - + "\n]"; + public String toString () + { + return "[PKCS #10 certificate request:\n" + + subjectPublicKeyInfo.toString() + + " subject: <" + subject + ">" + "\n" + + " attributes: " + attributeSet.toString() + + "\n]"; } /** * Retrieve the PKCS10 CertificateRequestInfo as a byte array */ - public byte[] getCertRequestInfo() { - return certRequestInfo; + public byte[] getCertRequestInfo() + { + return certRequestInfo; } - private X500Name subject; - private X509Key subjectPublicKeyInfo; - private PKCS10Attributes attributeSet; + private X500Name subject; + private X509Key subjectPublicKeyInfo; + private PKCS10Attributes attributeSet; - private byte certificateRequest[]; // signed - private byte certRequestInfo[]; // inner content signed + private byte certificateRequest []; // signed + private byte certRequestInfo []; // inner content signed } |