Java Code Examples for org.bouncycastle.asn1.DERBitString#getBytes()

The following examples show how to use org.bouncycastle.asn1.DERBitString#getBytes() . These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
private String dumpBitString(DERBitString asn1BitString) throws IOException {
	StringBuilder sb = new StringBuilder();
	byte[] bytes = asn1BitString.getBytes();

	sb.append(indentSequence.toString(indentLevel));
	sb.append("BIT STRING");
	try {
		String dump = dump(bytes);
		sb.append(", encapsulates:");
		sb.append(NEWLINE);
		sb.append(dump);
	} catch (Exception e) {
		sb.append("=");

		// print short bit strings as string of bits and long ones as hex dump
		if (bytes.length < 8) {
			sb.append(new BigInteger(1, bytes).toString(2));
		} else {
			sb.append(NEWLINE);
			sb.append(dumpHexClear(bytes));
		}
	}
	sb.append(NEWLINE);

	return sb.toString();
}
 
Example 2
private String getBitString(byte[] octets) throws IOException {

		if (octets == null) {
			return "";
		}

		DERBitString derBitString = DERBitString.getInstance(ASN1Primitive.fromByteArray(octets));
		byte[] bitStringBytes = derBitString.getBytes();

		return new BigInteger(1, bitStringBytes).toString(2);
	}
 
Example 3
private void decodeSpkac(byte[] der) throws SpkacException {
	try {
		ASN1Sequence signedPublicKeyAndChallenge = ASN1Sequence.getInstance(der);

		ASN1Sequence publicKeyAndChallenge = (ASN1Sequence) signedPublicKeyAndChallenge.getObjectAt(0);
		ASN1Sequence signatureAlgorithm = (ASN1Sequence) signedPublicKeyAndChallenge.getObjectAt(1);
		DERBitString signature = (DERBitString) signedPublicKeyAndChallenge.getObjectAt(2);

		ASN1ObjectIdentifier signatureAlgorithmOid = (ASN1ObjectIdentifier) signatureAlgorithm.getObjectAt(0);

		ASN1Sequence spki = (ASN1Sequence) publicKeyAndChallenge.getObjectAt(0);
		DERIA5String challenge = (DERIA5String) publicKeyAndChallenge.getObjectAt(1);

		ASN1Sequence publicKeyAlgorithm = (ASN1Sequence) spki.getObjectAt(0);
		DERBitString publicKey = (DERBitString) spki.getObjectAt(1);

		ASN1ObjectIdentifier publicKeyAlgorithmOid = (ASN1ObjectIdentifier) publicKeyAlgorithm.getObjectAt(0);
		ASN1Primitive algorithmParameters = publicKeyAlgorithm.getObjectAt(1).toASN1Primitive();

		this.challenge = challenge.getString();
		this.publicKey = decodePublicKeyFromBitString(publicKeyAlgorithmOid, algorithmParameters, publicKey);
		this.signatureAlgorithm = getSignatureAlgorithm(signatureAlgorithmOid);
		this.signature = signature.getBytes();
	} catch (Exception ex) {
		throw new SpkacException(res.getString("NoDecodeSpkac.exception.message"), ex);
	}
}
 
Example 4
/**
 *
 * @param ApplicationParam
 * @param ChallengeParam
 * @param kh
 * @param PublicKey
 * @return
 * @throws NoSuchAlgorithmException
 * @throws NoSuchProviderException
 * @throws InvalidKeySpecException
 */
private String objectTBS(String ApplicationParam, String ChallengeParam, String kh, String PublicKey)
        throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeySpecException, DecoderException {

    byte constant = (byte) 0x00;
    byte[] Challenge = Base64.decodeBase64(ChallengeParam);
    int ChanllengeL = Challenge.length;
    byte[] Application = Base64.decodeBase64(ApplicationParam);
    int ApplicationL = Application.length;
    byte[] keyHandle = Base64.decodeBase64(kh);
    int keyHandleL = keyHandle.length;
    byte[] publicKey = Base64.decodeBase64(PublicKey);
    int publicKeyL = publicKey.length;

    //  Convert back to publicKey
    KeyFactory kf = KeyFactory.getInstance("ECDSA", "BCFIPS");
    X509EncodedKeySpec pubKeySpec = new X509EncodedKeySpec(publicKey);
    PublicKey pub = kf.generatePublic(pubKeySpec);

    ASN1InputStream bIn = new ASN1InputStream(new ByteArrayInputStream(pub.getEncoded()));
    ASN1Primitive obj = null;
    try {
        obj = bIn.readObject();
    } catch (IOException ex) {}
    Enumeration e = ((ASN1Sequence) obj).getObjects();

    byte[] q = null;
    while (e.hasMoreElements()) {
        ASN1Primitive o = (ASN1Primitive) e.nextElement();
        if (o instanceof DERBitString) {
            DERBitString bt = (DERBitString) o;
            q = bt.getBytes();
        }
    }

    int pukL = skfsConstants.P256_PUBLIC_KEY_SIZE; //ECDSA secp256r1 publickey length
    byte[] ob2Sign = new byte[1 + ChanllengeL + ApplicationL + keyHandleL + pukL];

    int tot = 1;
    ob2Sign[0] = constant;
    System.arraycopy(Application, 0, ob2Sign, tot, ApplicationL);
    tot += ApplicationL;
    System.arraycopy(Challenge, 0, ob2Sign, tot, ChanllengeL);
    tot += ChanllengeL;
    System.arraycopy(keyHandle, 0, ob2Sign, tot, keyHandleL);
    tot += keyHandleL;
    System.arraycopy(q, 0, ob2Sign, tot, pukL);
    tot += pukL;

    return Base64.encodeBase64String(ob2Sign);
}
 
Example 5
/**
 * Function to create the packed FIDO U2F data-structure to sign when
 * registering a new public-key with a FIDO U2F server. See the U2F Raw
 * Messages specification for details:
 *
 * https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-raw-message-formats.html
 *
 * @param ApplicationParam String The application parameter is the SHA-256
 * hash of the application identity of the application requesting the
 * registration; it is 32-bytes in length
 * @param ChallengeParam String The challenge parameter is the SHA-256 hash
 * of the Client Data, a string JSON data structure the FIDO Client
 * prepares. Among other things, the Client Data contains the challenge from
 * the relying party (hence the name of the parameter)
 * @param kh String Base64-encoded, encrypted JSON data-structure of the
 * private-key, origin and the message-digest of the private-key
 * @param PublicKey String Base64-encoded public-key of the ECDSA key-pair
 * @return String Base64-encoded data-structure of the object being signed
 * as per the FIDO U2F protocol for a new-key registration
 *
 * @throws NoSuchAlgorithmException
 * @throws NoSuchProviderException
 * @throws InvalidKeySpecException
 * @throws java.io.IOException
 */
public static String createRegistrationObjectToSign(String ApplicationParam,
        String ChallengeParam,
        String kh,
        String PublicKey)
        throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeySpecException, IOException {
    // U2F Signed Registration constant
    final byte[] constant = {(byte) 0x00};
    int constantL = constant.length;

    // 32-byte challenge parameter
    byte[] Challenge = Base64.getUrlDecoder().decode(ChallengeParam);
    int ChanllengeL = Challenge.length;

    // 32-byte application parameter
    byte[] Application = Base64.getUrlDecoder().decode(ApplicationParam);
    int ApplicationL = Application.length;

    // Variable length encrypted key-handle JSON data-structure
    byte[] keyHandle = Base64.getUrlDecoder().decode(kh);
    int keyHandleL = keyHandle.length;

    // Fixed-length ECDSA public key
    byte[] publicKey = Base64.getUrlDecoder().decode(PublicKey);
    int pbkL = Constants.ECDSA_P256_PUBLICKEY_LENGTH;

    // Test the public key for sanity
    KeyFactory kf = KeyFactory.getInstance("ECDSA", "BCFIPS");
    X509EncodedKeySpec pubKeySpec = new X509EncodedKeySpec(publicKey);
    PublicKey pub = kf.generatePublic(pubKeySpec);
    ECPublicKey ecpub = (ECPublicKey) pub;

    ASN1InputStream bIn = new ASN1InputStream(new ByteArrayInputStream(pub.getEncoded()));
    ASN1Primitive obj = bIn.readObject();
    Enumeration e = ((ASN1Sequence) obj).getObjects();

    byte[] q = null;
    while (e.hasMoreElements()) {
        ASN1Primitive o = (ASN1Primitive) e.nextElement();
        if (o instanceof DERBitString) {
            DERBitString bt = (DERBitString) o;
            q = bt.getBytes();
        }
    }

    // Create byte[] for to-be-signed (TBS) object
    // Could have also used  ByteBuffer for this
    int currpos = 0;
    byte[] tbs = new byte[constantL + ChanllengeL + ApplicationL + keyHandleL + pbkL];

    // Copy the Signed Registration constant to TBS
    System.arraycopy(constant, 0, tbs, currpos, constantL);
    currpos += constantL;

    // Copy ApplicationParameters to TBS
    System.arraycopy(Application, 0, tbs, currpos, ApplicationL);
    currpos += ApplicationL;

    // Copy ChallengeParameters to TBS
    System.arraycopy(Challenge, 0, tbs, currpos, ChanllengeL);
    currpos += ChanllengeL;

    // Copy encrypted KeyHandle JSON to TBS
    System.arraycopy(keyHandle, 0, tbs, currpos, keyHandleL);
    currpos += keyHandleL;

    // Copy public-key to TBS
    System.arraycopy(q, 0, tbs, currpos, pbkL);

    // Return Base64-encoded TBS
    return Base64.getUrlEncoder().encodeToString(tbs);
}
 
Example 6
/**
 * Function to create the Base64-encoded packed data-structure of the
 * Registration Data object for response to a FIDO U2F server. See:
 *
 * https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-raw-message-formats.html#response-message-framing
 *
 * Note: Could have used ByteBuffer instead of copying arrays, but will plan
 * on updating to ByteBuffer in the next release.
 *
 * @param userPublicKey String with Base64-encoded public-key being
 * registered
 * @param keyHandle String with Base64-encoded JSON structure with encrypted
 * private key
 * @param AttestationCertificate String with Base64-encoded certificate of
 * Attestation key
 * @param Signature String with Base64-encoded digital signature of response
 * @return String with Base64-encoded message of packed Registration
 * Response
 *
 * @throws NoSuchAlgorithmException
 * @throws NoSuchProviderException
 * @throws InvalidKeySpecException
 * @throws java.io.IOException
 */
public static String createRegistrationData(String userPublicKey,
        String keyHandle,
        String AttestationCertificate,
        String Signature)
        throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeySpecException, IOException {
    // Required reserved legacy-byte for U2F response
    byte constant = 0x05;

    // User's Public key
    byte[] upk = Base64.getUrlDecoder().decode(userPublicKey);
    int upklen = Constants.ECDSA_P256_PUBLICKEY_LENGTH;    //ECDSA secp256r1 publickey length

    // Key Handle and its length
    byte[] kh = Base64.getUrlDecoder().decode(keyHandle);
    int khlen = kh.length;

    // Registration Response allows 1-byte for KH length; problem if more than 255
    if (khlen > 255) {
        System.err.println("Fatal error: Key-handle length greater than 255");
        return null;
    }

    // Attestation certificate and its length
    byte[] ac = Base64.getUrlDecoder().decode(AttestationCertificate);
    int aclen = ac.length;

    // Attestation digital signature of response with length
    byte[] acsig = Base64.getUrlDecoder().decode(Signature);
    int acsiglen = acsig.length;

    // Test the public key for sanity
    KeyFactory kf = KeyFactory.getInstance("ECDSA", "BCFIPS");
    X509EncodedKeySpec pubKeySpec = new X509EncodedKeySpec(upk);
    PublicKey pbk = kf.generatePublic(pubKeySpec);

    ASN1InputStream bIn = new ASN1InputStream(new ByteArrayInputStream(pbk.getEncoded()));
    ASN1Primitive obj = bIn.readObject();
    Enumeration e = ((ASN1Sequence) obj).getObjects();

    byte[] q = null;
    while (e.hasMoreElements()) {
        ASN1Primitive o = (ASN1Primitive) e.nextElement();
        if (o instanceof DERBitString) {
            DERBitString bt = (DERBitString) o;
            q = bt.getBytes();
        }
    }

    // Create byte array for Registration Response's raw-message
    byte[] regresp = new byte[1 + upklen + 1 + khlen + aclen + acsiglen];

    // Copy the reserved legacy-byte constant to regresp; set currpos to 1
    regresp[0] = constant;
    int currpos = 1;

    // Copy public-key to regresp; update currpos
    System.arraycopy(q, 0, regresp, currpos, upklen);
    currpos += upklen;

    // Copy key-handle length byte to regresp
    regresp[currpos] = (byte) khlen;
    currpos += 1;

    // Copy key-handle to regresp
    System.arraycopy(kh, 0, regresp, currpos, khlen);
    currpos += khlen;

    // Copy attestation certificate to regresp
    System.arraycopy(ac, 0, regresp, currpos, aclen);
    currpos += aclen;

    // Finally, copy signature to regresp
    System.arraycopy(acsig, 0, regresp, currpos, acsiglen);

    // Return URL-safe Base64-encoded response
    return org.apache.commons.codec.binary.Base64.encodeBase64URLSafeString(regresp);
}
 
Example 7
public KerberosApRequest ( byte[] token, KerberosKey[] keys ) throws PACDecodingException {
    if ( token.length <= 0 )
        throw new PACDecodingException("Empty kerberos ApReq");

    DLSequence sequence;
    try {
        try ( ASN1InputStream stream = new ASN1InputStream(new ByteArrayInputStream(token)) ) {
            sequence = ASN1Util.as(DLSequence.class, stream);
        }
    }
    catch ( IOException e ) {
        throw new PACDecodingException("Malformed Kerberos Ticket", e);
    }

    Enumeration<?> fields = sequence.getObjects();
    while ( fields.hasMoreElements() ) {
        ASN1TaggedObject tagged = ASN1Util.as(ASN1TaggedObject.class, fields.nextElement());
        switch ( tagged.getTagNo() ) {
        case 0:
            ASN1Integer pvno = ASN1Util.as(ASN1Integer.class, tagged);
            if ( !pvno.getValue().equals(new BigInteger(KerberosConstants.KERBEROS_VERSION)) ) {
                throw new PACDecodingException("Invalid kerberos version");
            }
            break;
        case 1:
            ASN1Integer msgType = ASN1Util.as(ASN1Integer.class, tagged);
            if ( !msgType.getValue().equals(new BigInteger(KerberosConstants.KERBEROS_AP_REQ)) )
                throw new PACDecodingException("Invalid kerberos request");
            break;
        case 2:
            DERBitString bitString = ASN1Util.as(DERBitString.class, tagged);
            this.apOptions = bitString.getBytes()[ 0 ];
            break;
        case 3:
            DERApplicationSpecific derTicket = ASN1Util.as(DERApplicationSpecific.class, tagged);
            if ( !derTicket.isConstructed() )
                throw new PACDecodingException("Malformed Kerberos Ticket");
            this.ticket = new KerberosTicket(derTicket.getContents(), this.apOptions, keys);
            break;
        case 4:
            // Let's ignore this for now
            break;
        default:
            throw new PACDecodingException("Invalid field in kerberos ticket");
        }
    }
}
 
Example 8
public KerberosApRequest ( byte[] token, KerberosKey[] keys ) throws PACDecodingException {
    if ( token.length <= 0 )
        throw new PACDecodingException("Empty kerberos ApReq");

    DLSequence sequence;
    try {
        try ( ASN1InputStream stream = new ASN1InputStream(new ByteArrayInputStream(token)) ) {
            sequence = ASN1Util.as(DLSequence.class, stream);
        }
    }
    catch ( IOException e ) {
        throw new PACDecodingException("Malformed Kerberos Ticket", e);
    }

    Enumeration<?> fields = sequence.getObjects();
    while ( fields.hasMoreElements() ) {
        ASN1TaggedObject tagged = ASN1Util.as(ASN1TaggedObject.class, fields.nextElement());
        switch ( tagged.getTagNo() ) {
        case 0:
            ASN1Integer pvno = ASN1Util.as(ASN1Integer.class, tagged);
            if ( !pvno.getValue().equals(new BigInteger(KerberosConstants.KERBEROS_VERSION)) ) {
                throw new PACDecodingException("Invalid kerberos version");
            }
            break;
        case 1:
            ASN1Integer msgType = ASN1Util.as(ASN1Integer.class, tagged);
            if ( !msgType.getValue().equals(new BigInteger(KerberosConstants.KERBEROS_AP_REQ)) )
                throw new PACDecodingException("Invalid kerberos request");
            break;
        case 2:
            DERBitString bitString = ASN1Util.as(DERBitString.class, tagged);
            this.apOptions = bitString.getBytes()[ 0 ];
            break;
        case 3:
            DERApplicationSpecific derTicket = ASN1Util.as(DERApplicationSpecific.class, tagged);
            if ( !derTicket.isConstructed() )
                throw new PACDecodingException("Malformed Kerberos Ticket");
            this.ticket = new KerberosTicket(derTicket.getContents(), this.apOptions, keys);
            break;
        case 4:
            // Let's ignore this for now
            break;
        default:
            throw new PACDecodingException("Invalid field in kerberos ticket");
        }
    }
}