From erodrig...@apache.org
Subject svn commit: r580194 - in /directory/sandbox/erodriguez/kerberos-pkinit/src: main/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngine.java test/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngineTest.java
Date Fri, 28 Sep 2007 02:24:43 GMT
Author: erodriguez
Date: Thu Sep 27 19:24:40 2007
New Revision: 580194

URL: http://svn.apache.org/viewvc?rev=580194&view=rev
Log:
Cryptographic Message Syntax (CMS) Enveloped Data support for PKINIT's public key mechanism:
o  Helper class for working with Enveloped Data.
o  Test case for the above.

Added:
    directory/sandbox/erodriguez/kerberos-pkinit/src/main/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngine.java
  (with props)
    directory/sandbox/erodriguez/kerberos-pkinit/src/test/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngineTest.java
  (with props)

Added: directory/sandbox/erodriguez/kerberos-pkinit/src/main/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngine.java
URL: http://svn.apache.org/viewvc/directory/sandbox/erodriguez/kerberos-pkinit/src/main/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngine.java?rev=580194&view=auto
==============================================================================
--- directory/sandbox/erodriguez/kerberos-pkinit/src/main/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngine.java
(added)
+++ directory/sandbox/erodriguez/kerberos-pkinit/src/main/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngine.java
Thu Sep 27 19:24:40 2007
@@ -0,0 +1,130 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.kerberos.pkinit;
+
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.cert.CertStore;
+import java.security.cert.CertStoreException;
+import java.security.cert.Certificate;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Iterator;
+
+import org.bouncycastle.cms.CMSEnvelopedData;
+import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
+import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.CMSProcessableByteArray;
+import org.bouncycastle.cms.KeyTransRecipientInformation;
+import org.bouncycastle.cms.RecipientInformation;
+import org.bouncycastle.cms.RecipientInformationStore;
+
+
+/**
+ * Encapsulates working with PKINIT enveloped data structures.
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class EnvelopedDataEngine
+{
+    /**
+     * Uses a certificate to encrypt data in a CMS EnvelopedData structure and
+     * returns the encoded EnvelopedData as bytes.
+     * 
+     * 'encKeyPack' contains a CMS type ContentInfo encoded according to [RFC3852].
+     * The contentType field of the type ContentInfo is id-envelopedData (1.2.840.113549.1.7.3).
+     * The content field is an EnvelopedData. The contentType field for the type
+     * EnvelopedData is id-signedData (1.2.840.113549.1.7.2).
+     * 
+     * @param dataToEnvelope
+     * @param certificate
+     * @return The EnvelopedData bytes.
+     * @throws NoSuchAlgorithmException
+     * @throws IOException
+     * @throws CMSException
+     * @throws NoSuchProviderException
+     */
+    public static byte[] getEnvelopedReplyKeyPack( byte[] dataToEnvelope, X509Certificate
certificate )
+        throws NoSuchAlgorithmException, IOException, CMSException, NoSuchProviderException
+    {
+        CMSProcessableByteArray content = new CMSProcessableByteArray( dataToEnvelope );
+        String algorithm = CMSEnvelopedDataGenerator.DES_EDE3_CBC;
+
+        CMSEnvelopedDataGenerator envelopeGenerator = new CMSEnvelopedDataGenerator();
+        envelopeGenerator.addKeyTransRecipient( certificate );
+        CMSEnvelopedData envdata = envelopeGenerator.generate( content, algorithm, "BC" );
+
+        return envdata.getEncoded();
+    }
+
+
+    /**
+     * Uses a private key to decrypt data in a CMS EnvelopedData structure and
+     * returns the recovered (decrypted) data bytes.
+     *
+     * @param envelopedDataBytes
+     * @param certificate
+     * @param privateKey
+     * @return The recovered (decrypted) data bytes.
+     * @throws NoSuchProviderException
+     * @throws InvalidAlgorithmParameterException
+     * @throws CMSException
+     * @throws NoSuchAlgorithmException
+     * @throws CertStoreException
+     */
+    @SuppressWarnings("unchecked")
+    public static byte[] getUnenvelopedData( byte[] envelopedDataBytes, X509Certificate certificate,
+        PrivateKey privateKey ) throws NoSuchProviderException, InvalidAlgorithmParameterException,
CMSException,
+        NoSuchAlgorithmException, CertStoreException
+    {
+        CMSEnvelopedData envelopedData = new CMSEnvelopedData( envelopedDataBytes );
+
+        // Set up to iterate through the recipients.
+        RecipientInformationStore recipients = envelopedData.getRecipientInfos();
+        CertStore certStore = CertStore.getInstance( "Collection", new CollectionCertStoreParameters(
Collections
+            .singleton( certificate ) ), "BC" );
+        Iterator<RecipientInformation> it = recipients.getRecipients().iterator();
+
+        while ( it.hasNext() )
+        {
+            RecipientInformation recipient = it.next();
+            if ( recipient instanceof KeyTransRecipientInformation )
+            {
+                // Match the recipient ID.
+                Collection<? extends Certificate> matches = certStore.getCertificates(
recipient.getRID() );
+
+                if ( !matches.isEmpty() )
+                {
+                    // Decrypt the data.
+                    return recipient.getContent( privateKey, "BC" );
+                }
+            }
+        }
+
+        return new byte[0];
+    }
+}
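Review bot: getUnenvelopedData returns `new byte[0]` after the recipient loop when no KeyTransRecipientInformation matches the supplied certificate, so a caller cannot tell a wrong certificate (or a RecipientInfo type this code does not handle) from a genuinely empty payload; replace that return with `throw new CMSException( "No KeyTransRecipient matches the supplied certificate." );` so the failure surfaces where it happens. The content-encryption algorithm in getEnvelopedReplyKeyPack is fixed to `CMSEnvelopedDataGenerator.DES_EDE3_CBC`; a short comment stating why 3DES-CBC was chosen, or an algorithm parameter with that value as the default, would let callers move to a stronger cipher without touching the helper. The `@SuppressWarnings("unchecked")` covers the whole of getUnenvelopedData although only the `getRecipients().iterator()` assignment needs it; moving the annotation onto that local declaration keeps the rest of the method checked. The Javadoc `@param` tags on both methods are empty and should at least say that `certificate` selects the recipient and that `privateKey` must belong to it.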

Propchange: directory/sandbox/erodriguez/kerberos-pkinit/src/main/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngine.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/sandbox/erodriguez/kerberos-pkinit/src/test/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngineTest.java
URL: http://svn.apache.org/viewvc/directory/sandbox/erodriguez/kerberos-pkinit/src/test/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngineTest.java?rev=580194&view=auto
==============================================================================
--- directory/sandbox/erodriguez/kerberos-pkinit/src/test/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngineTest.java
(added)
+++ directory/sandbox/erodriguez/kerberos-pkinit/src/test/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngineTest.java
Thu Sep 27 19:24:40 2007
@@ -0,0 +1,135 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.kerberos.pkinit;
+
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.security.InvalidKeyException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.SignatureException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateCrtKey;
+import java.util.Arrays;
+
+import junit.framework.TestCase;
+
+import org.apache.directory.server.kerberos.pkinit.certs.CertificateChainFactory;
+import org.bouncycastle.cms.CMSEnvelopedData;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+/**
+ * Tests the use of {@link CMSEnvelopedData}.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class EnvelopedDataEngineTest extends TestCase
+{
+    /** The log for this class. */
+    private static final Logger log = LoggerFactory.getLogger( EnvelopedDataEngineTest.class
);
+
+    /** Certificate used to encrypt the data. */
+    private X509Certificate certificate;
+
+    /** Private key used to decrypt the data. */
+    private PrivateKey privateKey;
+
+
+    public void setUp() throws Exception
+    {
+        if ( Security.getProvider( BouncyCastleProvider.PROVIDER_NAME ) == null )
+        {
+            Security.addProvider( new BouncyCastleProvider() );
+        }
+
+        //getCaFromFile( "/tmp/testCa.p12", "password", "Test CA" );
+        getCaFromFactory();
+    }
+
+
+    /**
+     * Tests that enveloped data wrapping and unwrapping works.
+     *
+     * @throws Exception
+     */
+    public void testEnvelopedData() throws Exception
+    {
+        byte[] dataToEnvelope = "Hello".getBytes();
+
+        byte[] envelopedDataBytes = EnvelopedDataEngine.getEnvelopedReplyKeyPack( dataToEnvelope,
certificate );
+        byte[] unenvelopedData = EnvelopedDataEngine.getUnenvelopedData( envelopedDataBytes,
certificate, privateKey );
+
+        assertTrue( Arrays.equals( dataToEnvelope, unenvelopedData ) );
+    }
+
+
+    void getCaFromFactory() throws Exception
+    {
+        X509Certificate[] clientChain = CertificateChainFactory.getClientChain();
+        certificate = clientChain[0];
+
+        privateKey = CertificateChainFactory.getClientPrivateKey();
+    }
+
+
+    void getCaFromFile( String caFile, String caPassword, String caAlias ) throws KeyStoreException,
+        NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException,
UnrecoverableKeyException,
+        InvalidKeyException, SignatureException, NoSuchProviderException
+    {
+        // Open the keystore.
+        KeyStore caKs = KeyStore.getInstance( "PKCS12" );
+        caKs.load( new FileInputStream( new File( caFile ) ), caPassword.toCharArray() );
+
+        // Load the private key from the keystore.
+        privateKey = ( RSAPrivateCrtKey ) caKs.getKey( caAlias, caPassword.toCharArray()
);
+
+        if ( privateKey == null )
+        {
+            throw new IllegalStateException( "Got null key from keystore!" );
+        }
+
+        // Load the certificate from the keystore.
+        certificate = ( X509Certificate ) caKs.getCertificate( caAlias );
+
+        if ( certificate == null )
+        {
+            throw new IllegalStateException( "Got null cert from keystore!" );
+        }
+
+        log.debug( "Successfully loaded key and certificate having DN '{}'.", certificate.getSubjectDN().getName()
);
+
+        // Verify.
+        certificate.verify( certificate.getPublicKey() );
+        log.debug( "Successfully verified CA certificate with its own public key." );
+    }
+}
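Review bot: The FileInputStream opened at `caKs.load( new FileInputStream( new File( caFile ) ), caPassword.toCharArray() )` in getCaFromFile is never closed, so the keystore file handle stays open until the stream is finalized; keep it in a local and close it in a finally block. The helper is currently unused (its call in setUp is commented out), so the leak is latent, but it will matter as soon as the file-based path is re-enabled. testEnvelopedData only exercises the round trip with the matching certificate; a second case that decrypts with a different certificate/key pair would pin down what the engine does when no recipient matches. `"Hello".getBytes()` uses the platform default charset, so `"Hello".getBytes( "UTF-8" )` keeps the fixture stable across JVMs.
```java
        // Open the keystore.
        KeyStore caKs = KeyStore.getInstance( "PKCS12" );
        FileInputStream in = new FileInputStream( new File( caFile ) );

        try
        {
            caKs.load( in, caPassword.toCharArray() );
        }
        finally
        {
            in.close();
        }

        // … unchanged: private key and certificate loading, verification …
```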

Propchange: directory/sandbox/erodriguez/kerberos-pkinit/src/test/java/org/apache/directory/server/kerberos/pkinit/EnvelopedDataEngineTest.java
------------------------------------------------------------------------------
    svn:eol-style = native


