001: package com.sun.portal.cli.cert;
002:
003: import java.util.*;
004: import com.sun.portal.log.common.PortalLogger;
005: import org.mozilla.jss.crypto.*;
006: import org.mozilla.jss.crypto.KeyPairGenerator;
007: import org.mozilla.jss.crypto.X509Certificate;
008: import org.mozilla.jss.util.*;
009: import org.mozilla.jss.ssl.*;
010: import org.mozilla.jss.*;
011: import org.mozilla.jss.pkcs11.*;
012: import java.security.cert.*;
013: import java.security.interfaces.*;
014: import java.security.*;
015: import java.security.PrivateKey;
016: import org.mozilla.jss.pkix.primitive.*;
017: import org.mozilla.jss.pkix.cert.*;
018: import org.mozilla.jss.pkix.cert.Certificate;
019: import org.mozilla.jss.asn1.*;
020: import org.mozilla.jss.pkcs7.*;
021: import java.io.*;
022:
023: public class JSSUtil {
024:
025: private static SRADecoder defPassDecoder = null;
026:
027: public static void setDefaultDecoder(String certdir)
028: throws SRADecoderException {
029: if (defPassDecoder == null) {
030: defPassDecoder = new SRAPBEImpl(certdir);
031: defPassDecoder.init();
032: }
033: }
034:
035: public static SRADecoder getDefaultDecoder() {
036: return defPassDecoder;
037: }
038:
039: /**
040: * Checks if the specifed certificate exists in the certificate database.
041: */
042: public static boolean certExist(JSSContext cntx, String nickname) {
043: try {
044: cntx.getCryptoManager().findCertByNickname(nickname);
045: return true;
046: } catch (Exception ex) {
047: return false;
048: }
049: }
050:
051: /**
052: * Retrieve the specifed certificate from the certificate database.
053: */
054: public static X509Certificate getCertByNickname(JSSContext cntx,
055: String nickname) throws Exception {
056: return cntx.getCryptoManager().findCertByNickname(nickname);
057: }
058:
059: //Add certiticate from the encoded file
060: public static X509Certificate addCertificate(JSSContext cntx,
061: File certfile, String nick, boolean isCACert)
062: throws Exception {
063: FileInputStream fis = new FileInputStream(certfile);
064: CertificateFactory cf = CertificateFactory.getInstance("X.509");
065: java.security.cert.Certificate jcert = cf
066: .generateCertificate(fis);
067: byte[] dercert = jcert.getEncoded();
068: if (isCACert)
069: return cntx.getCryptoManager().importCACertPackage(dercert);
070: else
071: return cntx.getCryptoManager().importCertPackage(dercert,
072: nick);
073: }
074:
075: /**
076: * Verifies the validity of the certificate.
077: */
078:
079: public static void verifyCertificate(Certificate cert) {
080: try {
081: cert.verify();
082: } catch (Exception ex) {
083: ex.printStackTrace();
084: CertAdminUtil.println(CertAdminLocale.getPFString("m49",
085: CertAdminConstants.m49)
086: + CertAdminConstants.newline + ex);
087: }
088: }
089:
090: /**
091: * Change the Trust attributes of the specified certificate
092: */
093: public static X509Certificate changeCertificateTrust(
094: X509Certificate cert, String ssl, String email,
095: String objsign) throws Exception {
096: int ssltrust = getTrust(ssl);
097: int emailtrust = getTrust(email);
098: int objtrust = getTrust(objsign);
099: try {
100: InternalCertificate ic = (InternalCertificate) cert;
101: ic.setSSLTrust(ssltrust);
102: ic.setEmailTrust(emailtrust);
103: ic.setObjectSigningTrust(objtrust);
104: return ic;
105: } catch (Exception ex) {
106: return cert;
107: }
108: }
109:
110: /**
111: * Get the Trust String of the specified certificate.
112: */
113: public static String getTrust(
114: org.mozilla.jss.crypto.X509Certificate cert) {
115: try {
116: InternalCertificate ic = (InternalCertificate) cert;
117: return (getTrustStr(ic.getSSLTrust(), true) + ","
118: + getTrustStr(ic.getEmailTrust()) + "," + getTrustStr(ic
119: .getObjectSigningTrust()));
120: } catch (Exception ex) {
121: return "";
122: }
123: }
124:
125: /**
126: * Get the Certificate Trust value based on the Trust type.
127: */
128: public static int getTrust(String trusttype) {
129: char[] trusttokens = new char[trusttype.length()];
130: trusttype.getChars(0, trusttype.length(), trusttokens, 0);
131: int trustval = 0;
132: String truststr = "";
133:
134: for (int i = 0; i < trusttokens.length; i++) {
135: truststr = new Character(trusttokens[i]).toString();
136: int trust;
137: if (truststr.equals(CertAdminConstants.VALID_PEER)) {
138: trust = PK11InternalCert.VALID_PEER;
139: } else if (truststr.equals(CertAdminConstants.TRUSTED_PEER)) {
140: trust = PK11InternalCert.TRUSTED_PEER;
141: } else if (truststr.equals(CertAdminConstants.VALID_CA)) {
142: trust = PK11InternalCert.VALID_CA;
143: } else if (truststr
144: .equals(CertAdminConstants.TRUSTED_CLIENT_CA)) {
145: trust = PK11InternalCert.TRUSTED_CLIENT_CA
146: | PK11InternalCert.VALID_CA;
147: } else if (truststr.equals(CertAdminConstants.TRUSTED_CA)) {
148: trust = PK11InternalCert.TRUSTED_CA
149: | PK11InternalCert.VALID_CA;
150: } else if (truststr.equals(CertAdminConstants.USER)) {
151: trust = PK11InternalCert.USER;
152: } else if (truststr.equals(CertAdminConstants.NO_TRUST)) {
153: trust = 0;
154: } else {
155: continue;
156: }
157: if (i == 0) {
158: trustval = trust;
159: } else {
160: trustval = trustval | trust;
161: }
162:
163: }
164: return trustval;
165: }
166:
167: /**
168: * Get the Trust String based on the trust value..
169: */
170:
171: public static String getTrustStr(int trust) {
172: return getTrustStr(trust, false);
173: }
174:
175: /**
176: * Get the Trust String based on the trust value.
177: */
178: public static String getTrustStr(int trust, boolean isSSLTrust) {
179: boolean isTrustedCA = false;
180: boolean isTrustedClientCA = false;
181: boolean isTrustedPeer = false;
182:
183: String truststr = "";
184: if ((PK11InternalCert.TRUSTED_CA & trust) == PK11InternalCert.TRUSTED_CA) {
185: truststr = truststr + CertAdminConstants.TRUSTED_CA;
186: isTrustedCA = true;
187: }
188: if ((PK11InternalCert.TRUSTED_CLIENT_CA & trust) == PK11InternalCert.TRUSTED_CLIENT_CA) {
189: truststr = truststr + CertAdminConstants.TRUSTED_CLIENT_CA;
190: if (isSSLTrust) {
191: isTrustedClientCA = true;
192: }
193: }
194: if ((PK11InternalCert.TRUSTED_PEER & trust) == PK11InternalCert.TRUSTED_PEER) {
195: truststr = truststr + CertAdminConstants.TRUSTED_PEER;
196: isTrustedPeer = false;
197: }
198: if ((PK11InternalCert.USER & trust) == PK11InternalCert.USER) {
199: truststr = truststr + CertAdminConstants.USER;
200: }
201: if ((PK11InternalCert.VALID_CA & trust) == PK11InternalCert.VALID_CA) {
202: if (!isTrustedCA && !isTrustedClientCA) {
203: truststr = truststr + CertAdminConstants.VALID_CA;
204: }
205: }
206: if ((PK11InternalCert.VALID_PEER & trust) == PK11InternalCert.VALID_PEER) {
207: if (!isTrustedPeer) {
208: truststr = truststr + CertAdminConstants.VALID_PEER;
209: }
210: }
211: return truststr;
212: }
213:
214: /**
215: *Construct the datastructure to hold the issuername info.
216: */
217: public static String[][] getNameDS(String issuerName) {
218:
219: StringTokenizer fields, field;
220: fields = new StringTokenizer(issuerName, ",");
221: int tokens = fields.countTokens();
222: String[][] nameDataStructure = new String[tokens][2];
223: int i = 0;
224: while (fields.hasMoreTokens()) {
225:
226: field = new StringTokenizer(fields.nextToken(), "=");
227: if (field.countTokens() == 2) {
228: nameDataStructure[i][0] = field.nextToken().trim();
229: nameDataStructure[i][1] = field.nextToken().trim();
230: }
231: i = i + 1;
232: }
233: return nameDataStructure;
234: }
235:
236: /**
237: *Construct the ASN1 obbject Name
238: * Let us say the issuername is "C=IN, CN=Sun-Melody-CA, O=Sun, OU=IPS"
239: * ASN1 object Name is a sequence of the attributes C,CN,O,OU.
240: * JSS requires one to create the Name sequence in the reverse order.
241: * i.e. OU,O,CN,C
242: */
243: public static Name getIssuer(String issuerName) throws Exception {
244: String[][] nameDS = getNameDS(issuerName);
245: String type;
246: String val;
247: Name issuer = new Name();
248: for (int i = nameDS.length - 1; i >= 0; i--) {
249: type = nameDS[i][0];
250: val = nameDS[i][1];
251: if (type.equals(CertAdminConstants.COUNTRY)) {
252: issuer.addCountryName(val);
253: } else if (type.equals(CertAdminConstants.LOCALITY)) {
254: issuer.addLocalityName(val);
255: } else if (type
256: .equals(CertAdminConstants.STATE_OR_PROVINCE)) {
257: issuer.addStateOrProvinceName(val);
258: } else if (type.equals(CertAdminConstants.ORGANIZATION)) {
259: issuer.addOrganizationName(val);
260: } else if (type
261: .equals(CertAdminConstants.ORGANIZATION_UNIT)) {
262: issuer.addOrganizationalUnitName(val);
263: } else if (type.equals(CertAdminConstants.COMMON_NAME)) {
264: issuer.addCommonName(val);
265: }
266: }
267: return issuer;
268: }
269:
270: public static String getCertWithSubject(CryptoToken tok,
271: Name subject) throws Exception {
272:
273: String sub = subject.getRFC1485();
274: X509Certificate[] certs = tok.getCryptoStore()
275: .getCertificates();
276: for (int i = 0; i < certs.length; i++) {
277: X509Certificate x509Cert = certs[i];
278: org.mozilla.jss.pkix.cert.Certificate certificate = (org.mozilla.jss.pkix.cert.Certificate) ASN1Util
279: .decode(org.mozilla.jss.pkix.cert.Certificate
280: .getTemplate(), x509Cert.getEncoded());
281: org.mozilla.jss.pkix.cert.CertificateInfo cert = certificate
282: .getInfo();
283: Name certSubject = cert.getSubject();
284: if (sub.equalsIgnoreCase(certSubject.getRFC1485())) {
285: return x509Cert.getNickname();
286: }
287: }
288: return null;
289: }
290:
291: public static Password decryptPassword(String password)
292: throws SRADecoderException {
293: return decryptPassword(getDefaultDecoder(), password);
294: }
295:
296: public static String encryptPassword(String password)
297: throws SRADecoderException {
298: return encryptPassword(getDefaultDecoder(), password);
299: }
300:
301: public static boolean isPasswordEncrypted(String password) {
302: return isPasswordEncrypted(getDefaultDecoder(), password);
303: }
304:
305: public static Password decryptPassword(SRADecoder passDecoder,
306: String password) throws SRADecoderException {
307: if (password == null)
308: return null;
309: Password pass = new com.sun.portal.cli.cert.Password();
310: pass.setEncrypted(false);
311: pass.setPassword(password);
312: StringTokenizer st = new StringTokenizer(password, " ");
313: if (st.countTokens() == 2) {
314: String oldDigest = st.nextToken();
315: String encryptedData = st.nextToken();
316: String decryptedData = passDecoder.decrypt(encryptedData);
317: String newDigest = passDecoder.digest(decryptedData);
318: if (oldDigest.equals(newDigest)) {
319: pass.setEncrypted(true);
320: pass.setPassword(decryptedData);
321: return pass;
322: }
323: }
324: return pass;
325: }
326:
327: public static String encryptPassword(SRADecoder passDecoder,
328: String password) throws SRADecoderException {
329: if (password == null)
330: return null;
331: StringBuffer sb = new StringBuffer();
332: String encryptedData = passDecoder.encrypt(password);
333: String digest = passDecoder.digest(password);
334: sb.append(digest);
335: sb.append(" ");
336: sb.append(encryptedData);
337: return sb.toString();
338: }
339:
340: public static boolean isPasswordEncrypted(SRADecoder passDecoder,
341: String password) {
342: if (password == null)
343: return false;
344: try {
345: StringTokenizer st = new StringTokenizer(password, " ");
346: if (st.countTokens() == 2) {
347: String oldDigest = st.nextToken();
348: String encryptedData = st.nextToken();
349: String decryptedData = passDecoder
350: .decrypt(encryptedData);
351: String newDigest = passDecoder.digest(decryptedData);
352: if (oldDigest.equals(newDigest)) {
353: return true;
354: }
355: }
356: } catch (Exception ex) {
357: return false;
358: }
359: return false;
360: }
361: }
|