directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From plusplusjia...@apache.org
Subject directory-kerby git commit: DIRKRB-453 Update bouncycastle version and fix the compile issues.
Date Tue, 10 Nov 2015 05:58:44 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/pkinit-support f93049323 -> 4d41c5288


DIRKRB-453 Update bouncycastle version and fix the compile issues.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/4d41c528
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/4d41c528
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/4d41c528

Branch: refs/heads/pkinit-support
Commit: 4d41c5288bea4d1b8ae52d6c1fb95a95fd9f5127
Parents: f930493
Author: plusplusjiajia <jiajia.li@intel.com>
Authored: Tue Nov 10 14:04:51 2015 +0800
Committer: plusplusjiajia <jiajia.li@intel.com>
Committed: Tue Nov 10 14:04:51 2015 +0800

----------------------------------------------------------------------
 3rdparty/not-yet-commons-ssl/pom.xml            |   2 +-
 kerby-kerb/kerb-client-api-all/pom.xml          |   4 +-
 kerby-kerb/kerb-client/pom.xml                  |   9 +-
 .../preauth/pkinit/EnvelopedDataEngine.java     |  64 ++++-------
 .../client/preauth/pkinit/SignedDataEngine.java | 111 +++++++++++--------
 .../pkinit/certs/EndEntityGenerator.java        |  35 ++++--
 .../pkinit/certs/IntermediateCaGenerator.java   |  21 +++-
 .../pkinit/certs/TrustAnchorGenerator.java      |  22 +++-
 .../preauth/pkinit/EnvelopedDataEngineTest.java |  11 +-
 9 files changed, 159 insertions(+), 120 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/3rdparty/not-yet-commons-ssl/pom.xml
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/pom.xml b/3rdparty/not-yet-commons-ssl/pom.xml
index d11c2e2..401aaf3 100644
--- a/3rdparty/not-yet-commons-ssl/pom.xml
+++ b/3rdparty/not-yet-commons-ssl/pom.xml
@@ -75,7 +75,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-ext-jdk15on</artifactId>
-      <version>1.51</version>
+      <version>1.52</version>
       <scope>test</scope>
     </dependency>
     <dependency>

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client-api-all/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client-api-all/pom.xml b/kerby-kerb/kerb-client-api-all/pom.xml
index 0ac4115..30bd6f6 100644
--- a/kerby-kerb/kerb-client-api-all/pom.xml
+++ b/kerby-kerb/kerb-client-api-all/pom.xml
@@ -56,8 +56,8 @@
                       <exclude>org.slf4j:slf4j-api</exclude>
                       <exclude>org.slf4j:slf4j-log4j12</exclude>
                       <exclude>org.apache.kerby:kerby-asn1</exclude>
-                      <exclude>org.bouncycastle:bcprov-jdk15</exclude>
-                      <exclude>org.bouncycastle:bcmail-jdk15</exclude>
+                      <exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
+                      <exclude>org.bouncycastle:bcprov-jdk15on</exclude>
                     </excludes>
                   </artifactSet>
                 </configuration>

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/pom.xml b/kerby-kerb/kerb-client/pom.xml
index 7834211..5bbc680 100644
--- a/kerby-kerb/kerb-client/pom.xml
+++ b/kerby-kerb/kerb-client/pom.xml
@@ -48,13 +48,8 @@
     </dependency>
     <dependency>
       <groupId>org.bouncycastle</groupId>
-      <artifactId>bcprov-jdk15</artifactId>
-      <version>1.45</version>
-    </dependency>
-    <dependency>
-      <groupId>org.bouncycastle</groupId>
-      <artifactId>bcmail-jdk15</artifactId>
-      <version>1.38</version>
+      <artifactId>bcpkix-jdk15on</artifactId>
+      <version>1.52</version>
     </dependency>
   </dependencies>
 </project>

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java
index 1daa6a5..2ace97b 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngine.java
@@ -19,30 +19,27 @@
  */
 package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
 
-
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
+import org.bouncycastle.cms.CMSAlgorithm;
 import org.bouncycastle.cms.CMSEnvelopedData;
 import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
 import org.bouncycastle.cms.CMSException;
 import org.bouncycastle.cms.CMSProcessableByteArray;
-import org.bouncycastle.cms.KeyTransRecipientInformation;
 import org.bouncycastle.cms.RecipientInformation;
 import org.bouncycastle.cms.RecipientInformationStore;
+import org.bouncycastle.cms.bc.BcCMSContentEncryptorBuilder;
+import org.bouncycastle.cms.bc.BcRSAKeyTransEnvelopedRecipient;
+import org.bouncycastle.cms.bc.BcRSAKeyTransRecipientInfoGenerator;
+import org.bouncycastle.crypto.util.PrivateKeyFactory;
 
 import java.io.IOException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
 import java.security.PrivateKey;
-import java.security.cert.CertStore;
-import java.security.cert.CertStoreException;
-import java.security.cert.Certificate;
-import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.Iterator;
 
-
 /**
  * Encapsulates working with PKINIT enveloped data structures.
  *
@@ -62,19 +59,19 @@ public class EnvelopedDataEngine {
      * @param dataToEnvelope
      * @param certificate
      * @return The EnvelopedData bytes.
-     * @throws NoSuchAlgorithmException
      * @throws IOException
      * @throws CMSException
-     * @throws NoSuchProviderException
+     * @throws CertificateEncodingException
      */
     public static byte[] getEnvelopedReplyKeyPack(byte[] dataToEnvelope, X509Certificate
certificate)
-            throws NoSuchAlgorithmException, IOException, CMSException, NoSuchProviderException
{
+            throws IOException, CMSException, CertificateEncodingException {
         CMSProcessableByteArray content = new CMSProcessableByteArray(dataToEnvelope);
-        String algorithm = CMSEnvelopedDataGenerator.DES_EDE3_CBC;
 
         CMSEnvelopedDataGenerator envelopeGenerator = new CMSEnvelopedDataGenerator();
-        envelopeGenerator.addKeyTransRecipient(certificate);
-        CMSEnvelopedData envdata = envelopeGenerator.generate(content, algorithm, "BC");
+        envelopeGenerator.addRecipientInfoGenerator(new BcRSAKeyTransRecipientInfoGenerator(
+                new JcaX509CertificateHolder(certificate)));
+        CMSEnvelopedData envdata = envelopeGenerator.generate(content,
+                new BcCMSContentEncryptorBuilder(CMSAlgorithm.DES_EDE3_CBC).build());
 
         return envdata.getEncoded();
     }
@@ -85,41 +82,28 @@ public class EnvelopedDataEngine {
      * returns the recovered (decrypted) data bytes.
      *
      * @param envelopedDataBytes
-     * @param certificate
      * @param privateKey
      * @return The recovered (decrypted) data bytes.
-     * @throws NoSuchProviderException
-     * @throws InvalidAlgorithmParameterException
+     * @throws IOException
      * @throws CMSException
-     * @throws NoSuchAlgorithmException
-     * @throws CertStoreException
      */
     @SuppressWarnings("unchecked")
-    public static byte[] getUnenvelopedData(byte[] envelopedDataBytes, X509Certificate certificate,
-                                            PrivateKey privateKey)
-            throws NoSuchProviderException, InvalidAlgorithmParameterException, CMSException,
-            NoSuchAlgorithmException, CertStoreException {
+    public static byte[] getUnenvelopedData(byte[] envelopedDataBytes,
+                                            PrivateKey privateKey) throws CMSException, IOException
{
         CMSEnvelopedData envelopedData = new CMSEnvelopedData(envelopedDataBytes);
 
         // Set up to iterate through the recipients.
         RecipientInformationStore recipients = envelopedData.getRecipientInfos();
-        CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Collections
-                .singleton(certificate)), "BC");
-        Iterator<RecipientInformation> it = recipients.getRecipients().iterator();
+        Collection c = recipients.getRecipients();
+        Iterator it = c.iterator();
 
+        byte[] recData = new byte[0];
         while (it.hasNext()) {
-            RecipientInformation recipient = it.next();
-            if (recipient instanceof KeyTransRecipientInformation) {
-                // Match the recipient ID.
-                Collection<? extends Certificate> matches = certStore.getCertificates(recipient.getRID());
+            RecipientInformation recipient = (RecipientInformation) it.next();
 
-                if (!matches.isEmpty()) {
-                    // Decrypt the data.
-                    return recipient.getContent(privateKey, "BC");
-                }
-            }
+            recData = recipient.getContent(new BcRSAKeyTransEnvelopedRecipient(
+                    PrivateKeyFactory.createKey(PrivateKeyInfo.getInstance(privateKey.getEncoded()))));
         }
-
-        return new byte[0];
+        return recData;
     }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java
index 15fa6ec..c245579 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/SignedDataEngine.java
@@ -19,31 +19,39 @@
  */
 package org.apache.kerby.kerberos.kerb.client.preauth.pkinit;
 
-
 import org.apache.kerby.kerberos.kerb.spec.pa.pkinit.AuthPack;
 import org.apache.kerby.kerberos.kerb.spec.pa.pkinit.KdcDHKeyInfo;
 import org.apache.kerby.kerberos.kerb.spec.pa.pkinit.ReplyKeyPack;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaCertStore;
 import org.bouncycastle.cms.CMSException;
 import org.bouncycastle.cms.CMSProcessableByteArray;
 import org.bouncycastle.cms.CMSSignedData;
 import org.bouncycastle.cms.CMSSignedDataGenerator;
-import org.bouncycastle.cms.CMSSignedGenerator;
+import org.bouncycastle.cms.CMSTypedData;
 import org.bouncycastle.cms.SignerInformation;
 import org.bouncycastle.cms.SignerInformationStore;
+import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
+import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
+import org.bouncycastle.util.Store;
 
 import java.io.IOException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.PrivateKey;
-import java.security.cert.CertStore;
 import java.security.cert.CertStoreException;
-import java.security.cert.Certificate;
-import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.Iterator;
+import java.util.List;
 
 
 /**
@@ -81,7 +89,7 @@ public class SignedDataEngine {
      */
     public static byte[] getSignedAuthPack(PrivateKey privateKey, X509Certificate certificate,
AuthPack authPack)
             throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException,
-            CertStoreException, CMSException, IOException {
+            CertStoreException, CMSException, IOException, OperatorCreationException, CertificateEncodingException
{
         return getSignedData(privateKey, certificate, authPack.encode(), ID_PKINIT_AUTHDATA);
     }
 
@@ -111,7 +119,8 @@ public class SignedDataEngine {
     public static byte[] getSignedKdcDhKeyInfo(PrivateKey privateKey, X509Certificate certificate,
                                                KdcDHKeyInfo kdcDhKeyInfo)
             throws NoSuchAlgorithmException, NoSuchProviderException,
-            InvalidAlgorithmParameterException, CertStoreException, CMSException, IOException
{
+            InvalidAlgorithmParameterException, CertStoreException, CMSException, IOException,
+            OperatorCreationException, CertificateEncodingException {
         return getSignedData(privateKey, certificate, kdcDhKeyInfo.encode(), ID_PKINIT_DHKEYDATA);
     }
 
@@ -140,66 +149,72 @@ public class SignedDataEngine {
     public static byte[] getSignedReplyKeyPack(PrivateKey privateKey, X509Certificate certificate,
                                                ReplyKeyPack replyKeyPack)
             throws NoSuchAlgorithmException, NoSuchProviderException,
-            InvalidAlgorithmParameterException, CertStoreException, CMSException, IOException
{
+            InvalidAlgorithmParameterException, CertStoreException, CMSException, IOException,
+            OperatorCreationException, CertificateEncodingException {
         return getSignedData(privateKey, certificate, replyKeyPack.encode(), ID_PKINIT_RKEYDATA);
     }
 
 
     static byte[] getSignedData(PrivateKey privateKey, X509Certificate certificate, byte[]
dataToSign,
                                 String eContentType) throws NoSuchAlgorithmException, NoSuchProviderException,
-            InvalidAlgorithmParameterException, CertStoreException, CMSException, IOException
{
-        CMSSignedDataGenerator signedGenerator = new CMSSignedDataGenerator();
-        signedGenerator.addSigner(privateKey, certificate, CMSSignedGenerator.DIGEST_SHA1);
-
-        Collection<X509Certificate> certList = Collections.singletonList(certificate);
-
-        CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList),
"BC");
-        signedGenerator.addCertificatesAndCRLs(certStore);
-
-        CMSProcessableByteArray cmsByteArray = new CMSProcessableByteArray(dataToSign);
-        CMSSignedData signedData = signedGenerator.generate(eContentType, cmsByteArray, true,
"BC");
-
-        return signedData.getEncoded();
+            InvalidAlgorithmParameterException, CertStoreException, CMSException, IOException,
+            CertificateEncodingException, OperatorCreationException {
+
+        List certList = new ArrayList();
+        certList.add(certificate);
+        Store certs = new JcaCertStore(certList);
+
+        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
+        ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC")
+                .build(privateKey);
+        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
+                new JcaDigestCalculatorProviderBuilder().setProvider("BC").build())
+                .build(contentSigner, certificate));
+        gen.addCertificates(certs);
+
+        ASN1ObjectIdentifier asn1ObjectIdentifier = new ASN1ObjectIdentifier(eContentType);
+        CMSTypedData msg = new CMSProcessableByteArray(asn1ObjectIdentifier, dataToSign);
+        CMSSignedData s = gen.generate(msg, true);
+
+        return s.getEncoded();
     }
 
-
     /**
      * Validates a CMS SignedData using the public key corresponding to the private
      * key used to sign the structure.
      *
-     * @param signedData
+     * @param s
      * @return true if the signature is valid.
      * @throws Exception
      */
-    @SuppressWarnings("unchecked")
-    public static boolean validateSignedData(CMSSignedData signedData) throws Exception {
-        CertStore certs = signedData.getCertificatesAndCRLs("Collection", "BC");
+    public static boolean validateSignedData(CMSSignedData s) throws Exception {
 
-        SignerInformationStore signers = signedData.getSignerInfos();
-        Collection<SignerInformation> c = signers.getSigners();
-        Iterator<SignerInformation> it = c.iterator();
+        Store certStore = s.getCertificates();
+        Store crlStore = s.getCRLs();
+        SignerInformationStore signers = s.getSignerInfos();
+
+        Collection c = signers.getSigners();
+        Iterator it = c.iterator();
 
         while (it.hasNext()) {
-            final SignerInformation signer = it.next();
-
-            Collection<? extends Certificate> certCollection = certs.getCertificates(signer.getSID());
-            /*Collection<? extends Certificate> certCollection = certs
-                .getCertificates(new CertSelector() {
-                    @Override
-                    public boolean match(Certificate cert) {
-                        return false; // check cert and signer
-                    }
-                });
-            */
-            Iterator<? extends Certificate> certIt = certCollection.iterator();
-
-            X509Certificate cert = (X509Certificate) certIt.next();
-
-            if (signer.verify(cert.getPublicKey(), "BC")) {
-                return true;
+            SignerInformation signer = (SignerInformation) it.next();
+            Collection certCollection = certStore.getMatches(signer.getSID());
+
+            Iterator certIt = certCollection.iterator();
+            X509CertificateHolder cert = (X509CertificateHolder) certIt.next();
+
+            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert)))
{
+                return false;
             }
         }
 
-        return false;
+        Collection certColl = certStore.getMatches(null);
+        Collection crlColl = crlStore.getMatches(null);
+
+        if (certColl.size() != s.getCertificates().getMatches(null).size()
+                || crlColl.size() != s.getCRLs().getMatches(null).size()) {
+            return false;
+        }
+        return true;
     }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java
index e51b8d7..2d6d8d7 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/EndEntityGenerator.java
@@ -28,16 +28,20 @@ import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.GeneralNamesBuilder;
 import org.bouncycastle.asn1.x509.KeyPurposeId;
 import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.asn1.x509.X509Extensions;
 import org.bouncycastle.crypto.DataLengthException;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA1Digest;
 import org.bouncycastle.jce.PrincipalUtil;
 import org.bouncycastle.jce.X509Principal;
 import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
 import org.bouncycastle.x509.X509V3CertificateGenerator;
 import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
-import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
 
 import java.math.BigInteger;
 import java.security.InvalidKeyException;
@@ -129,7 +133,7 @@ public class EndEntityGenerator {
 
         certGen
                 .addExtension(X509Extensions.SubjectKeyIdentifier, false,
-                        new SubjectKeyIdentifierStructure(publicKey));
+                        new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
 
         // MAY set BasicConstraints=false or not at all.
         certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
@@ -155,12 +159,15 @@ public class EndEntityGenerator {
 
         String dnsName = "localhost";
 
-        ASN1EncodableVector sanVector = new ASN1EncodableVector();
-        sanVector.add(new GeneralName(GeneralName.otherName, pkinitSan));
-        sanVector.add(new GeneralName(GeneralName.dNSName, dnsName));
-        DERSequence san = new DERSequence(sanVector);
+        GeneralName name1 = new GeneralName(GeneralName.otherName, pkinitSan);
+        GeneralName name2 = new GeneralName(GeneralName.dNSName, dnsName);
 
-        GeneralNames sanGeneralNames = new GeneralNames(san);
+        GeneralNamesBuilder genNamesBuilder = new GeneralNamesBuilder();
+
+        genNamesBuilder.addName(name1);
+        genNamesBuilder.addName(name2);
+
+        GeneralNames sanGeneralNames = genNamesBuilder.build();
 
         certGen.addExtension(X509Extensions.SubjectAlternativeName, true, sanGeneralNames);
 
@@ -247,9 +254,19 @@ public class EndEntityGenerator {
         PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert;
 
         bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
-        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, new SubjectKeyIdentifierStructure(
-                publicKey));
+        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
+                new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
 
         return cert;
     }
+
+    private static byte[] getDigest(SubjectPublicKeyInfo spki) {
+        Digest digest = new SHA1Digest();
+        byte[] resBuf = new byte[digest.getDigestSize()];
+
+        byte[] bytes = spki.getPublicKeyData().getBytes();
+        digest.update(bytes, 0, bytes.length);
+        digest.doFinal(resBuf, 0);
+        return resBuf;
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java
index 27c8c9e..bd8ba2e 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/IntermediateCaGenerator.java
@@ -24,14 +24,17 @@ import org.bouncycastle.asn1.DERBMPString;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.asn1.x509.X509Extensions;
 import org.bouncycastle.crypto.DataLengthException;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA1Digest;
 import org.bouncycastle.jce.PrincipalUtil;
 import org.bouncycastle.jce.X509Principal;
 import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
 import org.bouncycastle.x509.X509V3CertificateGenerator;
 import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
-import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
 
 import java.math.BigInteger;
 import java.security.InvalidKeyException;
@@ -94,7 +97,7 @@ public class IntermediateCaGenerator {
 
         certGen
                 .addExtension(X509Extensions.SubjectKeyIdentifier, false,
-                        new SubjectKeyIdentifierStructure(publicKey));
+                        new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
 
         certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0));
 
@@ -109,9 +112,19 @@ public class IntermediateCaGenerator {
         PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert;
 
         bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
-        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, new SubjectKeyIdentifierStructure(
-                publicKey));
+        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
+                new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
 
         return cert;
     }
+
+    private static byte[] getDigest(SubjectPublicKeyInfo spki) {
+        Digest digest = new SHA1Digest();
+        byte[] resBuf = new byte[digest.getDigestSize()];
+
+        byte[] bytes = spki.getPublicKeyData().getBytes();
+        digest.update(bytes, 0, bytes.length);
+        digest.doFinal(resBuf, 0);
+        return resBuf;
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java
index 80ce1ef..5e8bbc7 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/certs/TrustAnchorGenerator.java
@@ -23,12 +23,15 @@ import org.bouncycastle.asn1.DERBMPString;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.asn1.x509.X509Extensions;
 import org.bouncycastle.crypto.DataLengthException;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA1Digest;
 import org.bouncycastle.jce.X509Principal;
 import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
 import org.bouncycastle.x509.X509V3CertificateGenerator;
-import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
 
 import java.math.BigInteger;
 import java.security.InvalidKeyException;
@@ -89,7 +92,8 @@ public class TrustAnchorGenerator {
         certGen.setSignatureAlgorithm("SHA1WithRSAEncryption");
 
         certGen
-                .addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey));
+                .addExtension(X509Extensions.SubjectKeyIdentifier, false,
+                        new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
 
         certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(1));
 
@@ -101,9 +105,19 @@ public class TrustAnchorGenerator {
         PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert;
 
         bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
-        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, new SubjectKeyIdentifierStructure(
-                publicKey));
+        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
+                new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
 
         return cert;
     }
+
+    private static byte[] getDigest(SubjectPublicKeyInfo spki) {
+        Digest digest = new SHA1Digest();
+        byte[] resBuf = new byte[digest.getDigestSize()];
+
+        byte[] bytes = spki.getPublicKeyData().getBytes();
+        digest.update(bytes, 0, bytes.length);
+        digest.doFinal(resBuf, 0);
+        return resBuf;
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4d41c528/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java
b/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java
index e1a8083..7913058 100644
--- a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java
+++ b/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/EnvelopedDataEngineTest.java
@@ -27,7 +27,6 @@ import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.io.FileInputStream;
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.security.InvalidKeyException;
 import java.security.KeyStore;
@@ -78,8 +77,10 @@ public class EnvelopedDataEngineTest extends TestCase {
     public void testEnvelopedData() throws Exception {
         byte[] dataToEnvelope = "Hello".getBytes();
 
-        byte[] envelopedDataBytes = EnvelopedDataEngine.getEnvelopedReplyKeyPack(dataToEnvelope,
certificate);
-        byte[] unenvelopedData = EnvelopedDataEngine.getUnenvelopedData(envelopedDataBytes,
certificate, privateKey);
+        byte[] envelopedDataBytes = EnvelopedDataEngine.getEnvelopedReplyKeyPack(
+                dataToEnvelope, certificate);
+        byte[] unenvelopedData = EnvelopedDataEngine.getUnenvelopedData(
+                envelopedDataBytes, privateKey);
 
         assertTrue(Arrays.equals(dataToEnvelope, unenvelopedData));
     }
@@ -94,8 +95,8 @@ public class EnvelopedDataEngineTest extends TestCase {
 
 
     void getCaFromFile(String caFile, String caPassword, String caAlias) throws KeyStoreException,
-            NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException,
-            UnrecoverableKeyException, InvalidKeyException, SignatureException, NoSuchProviderException
{
+            UnrecoverableKeyException, NoSuchAlgorithmException, IOException, CertificateException,
+            NoSuchProviderException, InvalidKeyException, SignatureException {
         // Open the keystore.
         KeyStore caKs = KeyStore.getInstance("PKCS12");
         caKs.load(new FileInputStream(new File(caFile)), caPassword.toCharArray());


Mime
View raw message