diff --git a/src/dorkbox/util/crypto/CryptoX509.java b/src/dorkbox/util/crypto/CryptoX509.java index 2bacb0f..13023d0 100644 --- a/src/dorkbox/util/crypto/CryptoX509.java +++ b/src/dorkbox/util/crypto/CryptoX509.java @@ -36,7 +36,7 @@ import java.security.SignatureException; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; -import java.security.spec.DSAPublicKeySpec; +import java.security.interfaces.DSAParams; import java.security.spec.InvalidKeySpecException; import java.security.spec.RSAPrivateCrtKeySpec; import java.security.spec.RSAPublicKeySpec; @@ -91,14 +91,11 @@ import org.bouncycastle.crypto.params.ECPublicKeyParameters; import org.bouncycastle.crypto.params.RSAKeyParameters; import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters; import org.bouncycastle.jcajce.provider.asymmetric.dsa.BCDSAPublicKey; -import org.bouncycastle.jcajce.provider.asymmetric.dsa.BCDSAPublicKeyAccessor; import org.bouncycastle.jcajce.provider.asymmetric.dsa.DSAUtil; import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey; import org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPublicKey; -import org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPublicKeyAccessor; import org.bouncycastle.jcajce.provider.asymmetric.rsa.RSAUtil; import org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory; -import org.bouncycastle.jcajce.provider.asymmetric.x509.X509Accessor; import org.bouncycastle.jce.PrincipalUtil; import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; import org.bouncycastle.jce.provider.BouncyCastleProvider; @@ -445,15 +442,18 @@ public class CryptoX509 { } - org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory certificateFactory = new org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory(); + CertificateFactory certificateFactory = new CertificateFactory(); java.security.cert.Certificate certificate = certificateFactory.engineGenerateCertificate(new ByteArrayInputStream(x509CertificateHolder.getEncoded())); // Note: this requires the BC provider to be loaded! if (certificate == null || certificate.getPublicKey() == null) { return false; } + // TODO: when validating the certificate, it is important to use a date from somewhere other than the host computer! (maybe use google? or something...) + // this will validate the DATES of the certificate, to make sure the cert is valid during the correct time period. + // Verify the TIME/DATE of the certificate - X509Accessor.verifyDate(certificate); + ((X509Certificate) certificate).checkValidity(new Date()); // if we get here, it means that our cert is LEGIT and VALID. return true; @@ -493,22 +493,19 @@ public class CryptoX509 { org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory certificateFactory = new org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory(); java.security.cert.Certificate engineGenerateCert = certificateFactory.engineGenerateCertificate(newSigIn); - PublicKey publicKey2 = engineGenerateCert.getPublicKey(); + BCDSAPublicKey publicKey2 = (BCDSAPublicKey) engineGenerateCert.getPublicKey(); if (optionalOriginalPublicKey != null) { - // absolutely RETARDED that we have package private constructors .. but fortunately, we can get around that + DSAParams params = publicKey2.getParams(); DSAParameters parameters = optionalOriginalPublicKey.getParameters(); - DSAPublicKeySpec dsaPublicKeySpec = new DSAPublicKeySpec(optionalOriginalPublicKey.getY(), - parameters.getP(), - parameters.getQ(), - parameters.getG()); - BCDSAPublicKey origPublicKey = BCDSAPublicKeyAccessor.newInstance(dsaPublicKeySpec); - boolean equals = origPublicKey.equals(publicKey2); - if (!equals) { + if (!publicKey2.getY().equals(optionalOriginalPublicKey.getY()) || + !params.getP().equals(parameters.getP()) || + !params.getQ().equals(parameters.getQ()) || + !params.getG().equals(parameters.getG())) { + return false; } - publicKey2 = origPublicKey; } engineGenerateCert.verify(publicKey2); @@ -987,15 +984,23 @@ public class CryptoX509 { return false; } - org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory certificateFactory = new org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory(); - java.security.cert.Certificate certificate = certificateFactory.engineGenerateCertificate(new ByteArrayInputStream(x509CertificateHolder.getEncoded())); + java.security.cert.Certificate certificate = new CertificateFactory().engineGenerateCertificate( + new ByteArrayInputStream(x509CertificateHolder.getEncoded())); + // Note: this requires the BC provider to be loaded! if (certificate == null || certificate.getPublicKey() == null) { return false; } + if (!(certificate instanceof X509Certificate)) { + return false; + } + + // TODO: when validating the certificate, it is important to use a date from somewhere other than the host computer! (maybe use google? or something...) + // this will validate the DATES of the certificate, to make sure the cert is valid during the correct time period. + // Verify the TIME/DATE of the certificate - X509Accessor.verifyDate(certificate); + ((X509Certificate) certificate).checkValidity(new Date()); // if we get here, it means that our cert is LEGIT and VALID. return true; @@ -1034,18 +1039,17 @@ public class CryptoX509 { DERSequence newSigDERElement = (DERSequence) newSigElement; InputStream newSigIn = new ByteArrayInputStream(newSigDERElement.getEncoded()); - org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory certificateFactory = new org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory(); - java.security.cert.Certificate certificate = certificateFactory.engineGenerateCertificate(newSigIn); + org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory certFactory = new org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory(); + java.security.cert.Certificate certificate = certFactory.engineGenerateCertificate(newSigIn); - PublicKey publicKey2 = certificate.getPublicKey(); + BCRSAPublicKey publicKey2 = (BCRSAPublicKey) certificate.getPublicKey(); if (publicKey != null) { - BCRSAPublicKey origPublicKey = BCRSAPublicKeyAccessor.newInstance(publicKey); - boolean equals = origPublicKey.equals(publicKey2); - if (!equals) { + if (!publicKey.getModulus().equals(publicKey2.getModulus()) || + !publicKey.getExponent().equals(publicKey2.getPublicExponent())) { + return false; } - publicKey2 = origPublicKey; } certificate.verify(publicKey2); @@ -1143,15 +1147,19 @@ public class CryptoX509 { return false; } - org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory certificateFactory = new org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory(); - java.security.cert.Certificate certificate = certificateFactory.engineGenerateCertificate(new ByteArrayInputStream(x509CertificateHolder.getEncoded())); + CertificateFactory certFactory = new CertificateFactory(); + java.security.cert.Certificate certificate = certFactory.engineGenerateCertificate(new ByteArrayInputStream(x509CertificateHolder.getEncoded())); + // Note: this requires the BC provider to be loaded! if (certificate == null || certificate.getPublicKey() == null) { return false; } + // TODO: when validating the certificate, it is important to use a date from somewhere other than the host computer! (maybe use google? or something...) + // this will validate the DATES of the certificate, to make sure the cert is valid during the correct time period. + // Verify the TIME/DATE of the certificate - X509Accessor.verifyDate(certificate); + ((X509Certificate) certificate).checkValidity(new Date()); // if we get here, it means that our cert is LEGIT and VALID. return true; diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/BCDSAPublicKeyAccessor.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/BCDSAPublicKeyAccessor.java deleted file mode 100644 index b1baaa7..0000000 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/BCDSAPublicKeyAccessor.java +++ /dev/null @@ -1,24 +0,0 @@ -/* - * Copyright 2010 dorkbox, llc - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.bouncycastle.jcajce.provider.asymmetric.dsa; - -import java.security.spec.DSAPublicKeySpec; - -public class BCDSAPublicKeyAccessor { - public static BCDSAPublicKey newInstance(DSAPublicKeySpec dsaPublicKeySpec) { - return new BCDSAPublicKey(dsaPublicKeySpec); - } -} diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/rsa/BCRSAPublicKeyAccessor.java b/src/org/bouncycastle/jcajce/provider/asymmetric/rsa/BCRSAPublicKeyAccessor.java deleted file mode 100644 index cdb16be..0000000 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/rsa/BCRSAPublicKeyAccessor.java +++ /dev/null @@ -1,24 +0,0 @@ -/* - * Copyright 2010 dorkbox, llc - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.bouncycastle.jcajce.provider.asymmetric.rsa; - -import org.bouncycastle.crypto.params.RSAKeyParameters; - -public class BCRSAPublicKeyAccessor { - public static BCRSAPublicKey newInstance(RSAKeyParameters publicKey) { - return new BCRSAPublicKey(publicKey); - } -} diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/x509/X509Accessor.java b/src/org/bouncycastle/jcajce/provider/asymmetric/x509/X509Accessor.java deleted file mode 100644 index 65c7eee..0000000 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/x509/X509Accessor.java +++ /dev/null @@ -1,36 +0,0 @@ -/* - * Copyright 2010 dorkbox, llc - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.bouncycastle.jcajce.provider.asymmetric.x509; - -import java.security.cert.CertificateExpiredException; -import java.security.cert.CertificateNotYetValidException; -import java.util.Date; - -public class X509Accessor { - - /** - * Verify the TIME/DATE of the certificate - * Stupid BC is package private, so this will let us access this method. - */ - public static void verifyDate(java.security.cert.Certificate certificate) throws CertificateExpiredException, CertificateNotYetValidException { - // TODO: when checking the validite of the certificate, it is important to use a date from somewhere other than the - // host computer! (maybe use google? or something...) - // this will validate the DATES of the certificate, to make sure the cert is valid during the correct time period. - - org.bouncycastle.jcajce.provider.asymmetric.x509.X509CertificateObject cert = (org.bouncycastle.jcajce.provider.asymmetric.x509.X509CertificateObject) certificate; - cert.checkValidity(new Date()); - } -}