org.apache.kerby.kerberos.kerb.preauth.pkinit

Class PkinitCrypto

java.lang.Object

org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitCrypto

public class PkinitCrypto
extends Object

Ref. pkinit_crypto_openssl.c in MIT krb5 project.

Constructor Summary

Constructors

Constructor and Description
PkinitCrypto()

Method Summary

Methods

Modifier and Type	Method and Description
static org.apache.kerby.x509.type.Certificate	changeToCertificate(X509Certificate x509Certificate) Change the X509Certificate to Certificate
static boolean	checkDHWellknown(PkinitPlgCryptoContext cryptoctx, org.apache.kerby.x509.type.DhParameter dhParameter, int dhPrimeBits) Check DH wellknown
static byte[]	cmsSignedDataCreate(byte[] data, String oid, int version, org.apache.kerby.cms.type.DigestAlgorithmIdentifiers digestAlgorithmIdentifiers, org.apache.kerby.cms.type.CertificateSet certificateSet, org.apache.kerby.cms.type.RevocationInfoChoices crls, org.apache.kerby.cms.type.SignerInfos signerInfos) RFC4556: The contentType field of the type ContentInfo is id-signedData (1.2.840.113549.1.7.2), and the content field is a SignedData.
static X509Certificate[]	createCertChain(PkinitPlgCryptoContext cryptoContext)
static DHPublicKey	createDHPublicKey(BigInteger p, BigInteger g, BigInteger y) Create DH public key
static org.apache.kerby.asn1.type.Asn1ObjectIdentifier	createOid(String content) Create oid
static List<org.apache.kerby.kerberos.kerb.type.base.PrincipalName>	cryptoRetrieveCertSans(List<org.apache.kerby.x509.type.Certificate> certificates)
static List<org.apache.kerby.kerberos.kerb.type.base.PrincipalName>	cryptoRetrieveX509Sans(List<org.apache.kerby.x509.type.Certificate> certificates)
static byte[]	eContentInfoCreate(byte[] data, String oid)
static boolean	pkinitCheckDhParams(DHParameterSpec dh1, org.apache.kerby.x509.type.DhParameter dh2) Check parameters against a well-known DH group
static String	pkinitType2OID(CmsMessageType cmsMsgType) Change the CMS message type to oid
static void	serverCheckDH(PluginOpts pluginOpts, PkinitPlgCryptoContext cryptoctx, org.apache.kerby.x509.type.DhParameter dhParameter) KDC check the key parameter
static void	validateChain(List<org.apache.kerby.x509.type.Certificate> certificateList, X509Certificate anchor) Validates a chain of X509Certificates.
static void	verifyCmsSignedData(CmsMessageType cmsMsgType, org.apache.kerby.cms.type.SignedData signedData) Verify CMS Signed Data
static boolean	verifyKdcSan(String hostname, org.apache.kerby.kerberos.kerb.type.base.PrincipalName kdcPrincipal, List<org.apache.kerby.x509.type.Certificate> certificates)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

PkinitCrypto

public PkinitCrypto()

Method Detail

verifyCmsSignedData

public static void verifyCmsSignedData(CmsMessageType cmsMsgType,
                       org.apache.kerby.cms.type.SignedData signedData)
                                throws org.apache.kerby.kerberos.kerb.KrbException

Verify CMS Signed Data

Parameters:

cmsMsgType - The CMS message type

signedData - The signed data

Throws:

org.apache.kerby.kerberos.kerb.KrbException - e

pkinitType2OID

public static String pkinitType2OID(CmsMessageType cmsMsgType)

Change the CMS message type to oid

Parameters:

cmsMsgType - The CMS message type

Returns:

oid

serverCheckDH

public static void serverCheckDH(PluginOpts pluginOpts,
                 PkinitPlgCryptoContext cryptoctx,
                 org.apache.kerby.x509.type.DhParameter dhParameter)
                          throws org.apache.kerby.kerberos.kerb.KrbException

KDC check the key parameter

Parameters:

pluginOpts - The PluginOpts

cryptoctx - The PkinitPlgCryptoContext

dhParameter - The DhParameter

Throws:

org.apache.kerby.kerberos.kerb.KrbException - e

checkDHWellknown

public static boolean checkDHWellknown(PkinitPlgCryptoContext cryptoctx,
                       org.apache.kerby.x509.type.DhParameter dhParameter,
                       int dhPrimeBits)
                                throws org.apache.kerby.kerberos.kerb.KrbException

Check DH wellknown

Parameters:

cryptoctx - The PkinitPlgCryptoContext

dhParameter - The DhParameter

dhPrimeBits - The dh prime bits

Returns:

boolean

Throws:

org.apache.kerby.kerberos.kerb.KrbException - e

pkinitCheckDhParams

public static boolean pkinitCheckDhParams(DHParameterSpec dh1,
                          org.apache.kerby.x509.type.DhParameter dh2)

Check parameters against a well-known DH group

Parameters:

dh1 - The DHParameterSpec

dh2 - The DhParameter

createDHPublicKey

public static DHPublicKey createDHPublicKey(BigInteger p,
                            BigInteger g,
                            BigInteger y)

Create DH public key

Parameters:

p - The prime modulus

g - The base generator

y - The public value

Returns:

DHPublicKey

cmsSignedDataCreate

public static byte[] cmsSignedDataCreate(byte[] data,
                         String oid,
                         int version,
                         org.apache.kerby.cms.type.DigestAlgorithmIdentifiers digestAlgorithmIdentifiers,
                         org.apache.kerby.cms.type.CertificateSet certificateSet,
                         org.apache.kerby.cms.type.RevocationInfoChoices crls,
                         org.apache.kerby.cms.type.SignerInfos signerInfos)
                                  throws org.apache.kerby.kerberos.kerb.KrbException

RFC4556: The contentType field of the type ContentInfo is id-signedData (1.2.840.113549.1.7.2), and the content field is a SignedData. The eContentType field for the type SignedData is id-pkinit-authData (1.3.6.1.5.2.3.1), and the eContent field contains the DER encoding of the type AuthPack.

Parameters:

data - The data

oid - The oid for eContentType

version - The SignedData version

digestAlgorithmIdentifiers - The digest algorithmIdentifiers

certificateSet - The certificate set

crls - The revocation info choices

signerInfos - The signerInfos

Returns:

The encoded signed data bytes

Throws:

org.apache.kerby.kerberos.kerb.KrbException - e

eContentInfoCreate

public static byte[] eContentInfoCreate(byte[] data,
                        String oid)
                                 throws org.apache.kerby.kerberos.kerb.KrbException

Throws:

org.apache.kerby.kerberos.kerb.KrbException

createCertChain

public static X509Certificate[] createCertChain(PkinitPlgCryptoContext cryptoContext)
                                         throws CertificateNotYetValidException,
                                                CertificateExpiredException

Throws:

CertificateNotYetValidException

CertificateExpiredException

verifyKdcSan

public static boolean verifyKdcSan(String hostname,
                   org.apache.kerby.kerberos.kerb.type.base.PrincipalName kdcPrincipal,
                   List<org.apache.kerby.x509.type.Certificate> certificates)
                            throws org.apache.kerby.kerberos.kerb.KrbException

Throws:

org.apache.kerby.kerberos.kerb.KrbException

cryptoRetrieveCertSans

public static List<org.apache.kerby.kerberos.kerb.type.base.PrincipalName> cryptoRetrieveCertSans(List<org.apache.kerby.x509.type.Certificate> certificates)
                                                                                           throws org.apache.kerby.kerberos.kerb.KrbException

Throws:

org.apache.kerby.kerberos.kerb.KrbException

cryptoRetrieveX509Sans

public static List<org.apache.kerby.kerberos.kerb.type.base.PrincipalName> cryptoRetrieveX509Sans(List<org.apache.kerby.x509.type.Certificate> certificates)
                                                                                           throws org.apache.kerby.kerberos.kerb.KrbException

Throws:

org.apache.kerby.kerberos.kerb.KrbException

validateChain

public static void validateChain(List<org.apache.kerby.x509.type.Certificate> certificateList,
                 X509Certificate anchor)
                          throws CertificateException,
                                 NoSuchAlgorithmException,
                                 NoSuchProviderException,
                                 InvalidAlgorithmParameterException,
                                 CertPathValidatorException,
                                 IOException

Validates a chain of X509Certificates.

Parameters:

certificateList - The certificate list

anchor - The anchor

Throws:

CertificateException - e

NoSuchAlgorithmException - e

InvalidAlgorithmParameterException - e

CertPathValidatorException - e

IOException

NoSuchProviderException

createOid

public static org.apache.kerby.asn1.type.Asn1ObjectIdentifier createOid(String content)
                                                                 throws org.apache.kerby.kerberos.kerb.KrbException

Create oid

Parameters:

content - The hex content

Returns:

The oid

Throws:

org.apache.kerby.kerberos.kerb.KrbException - e

changeToCertificate

public static org.apache.kerby.x509.type.Certificate changeToCertificate(X509Certificate x509Certificate)

Change the X509Certificate to Certificate

Parameters:

x509Certificate - The X509Certificate

Returns:

The Certificate