From: Andrii Shtompel Date: Mon, 1 Aug 2016 15:02:59 +0000 (+0300) Subject: Added CRL issuer (move from x.509 to x509 folder and restructure) X-Git-Tag: 1.2.0+RC1~70^2~25 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;ds=sidebyside;h=ceda0297103a00ef32c48635a487f72a5bed1454;p=platform%2Fupstream%2Fiotivity.git Added CRL issuer (move from x.509 to x509 folder and restructure) Change-Id: I8c2daa4c5d7a0a9bebaaed9765bc3622871b1dd0 Signed-off-by: Andrii Shtompel Signed-off-by: Jee Hyeok Kim Signed-off-by: Andrii Shtompel Reviewed-on: https://gerrit.iotivity.org/gerrit/9899 Tested-by: jenkins-iotivity --- diff --git a/cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x.509/CrlStore.java b/cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x.509/CrlStore.java deleted file mode 100644 index edf19f7..0000000 --- a/cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x.509/CrlStore.java +++ /dev/null 
@@ -1,40 +0,0 @@
-/*
- * //******************************************************************
- * //
- * // Copyright 2016 Samsung Electronics All Rights Reserved.
- * //
- * //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- * //
- * // Licensed under the Apache License, Version 2.0 (the "License");
- * // you may not use this file except in compliance with the License.
- * // You may obtain a copy of the License at
- * //
- * // http://www.apache.org/licenses/LICENSE-2.0
- * //
- * // Unless required by applicable law or agreed to in writing, software
- * // distributed under the License is distributed on an "AS IS" BASIS,
- * // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * // See the License for the specific language governing permissions and
- * // limitations under the License.
- * //
- * //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- */
-import org.bouncycastle.cert.X509CRLHolder;
-
-public final class CrlStore {
-
- private CrlStore() {
- throw new AssertionError(); //to get rid of security issue, connected with Java Reflection API
- }
-
- private static final String CRLFILENAME = "crl.txt";
-
- public static void saveCrl(X509CRLHolder crl) {
- //TODO: implement Java KeyStore
- }
-
- public static X509CRLHolder loadCrl() {
- //TODO: implement Java KeyStore
- return null;
- }
-}
diff --git a/cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x509/CertificateBuilder.java b/cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/cert/CertificateBuilder.java
similarity index 71%
rename from cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x509/CertificateBuilder.java
rename to cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/cert/CertificateBuilder.java
index cb577d7..ad7b94b 100644
--- a/cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x509/CertificateBuilder.java
+++ b/cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/cert/CertificateBuilder.java
@@ -19,7 +19,8 @@
 * //
 * //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 */
-package org.iotivity.cloud.accountserver.security.x509;
+package org.iotivity.cloud.accountserver.x509.cert;
+
 import java.math.BigInteger;
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
@@ -50,41 +51,46 @@ import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; public class CertificateBuilder { - private String issuer; - private String subjectCN; - private String subjectC; - private String subjectO; - private String subjectOU; - private String subjectAltName; - private Date notBefore; - private Date notAfter; - private PrivateKey privKey; - private PublicKey pubKey; - private BigInteger serial; - private static final String SIGNATURE_ALGORITHM = "SHA256withECDSA"; - private static final String CURVE = "secp256r1"; + private String issuer; + private String subjectCN; + private String subjectC; + private String subjectO; + private String subjectOU; + private String subjectAltName; + private Date notBefore; + private Date notAfter; + private PrivateKey privKey; + private PublicKey pubKey; + private BigInteger serial; + private static final String SIGNATURE_ALGORITHM = "SHA256withECDSA"; + private static final String CURVE = "secp256r1"; private static final String KEY_GENERATOR_ALGORITHM = "ECDSA"; - public CertificateBuilder(String subject, Date notBefore, Date notAfter, BigInteger serial) { + public CertificateBuilder(String subject, Date notBefore, Date notAfter, + BigInteger serial) { Security.addProvider(new BouncyCastleProvider()); init(subject, null, notBefore, notAfter, null, null, serial); } - public CertificateBuilder(String subject, PublicKey pubKey, Date notBefore, Date notAfter, - BigInteger serial, CertificatePrivateKeyPair root) { - X500Name x500name = new X500Name( root.getCertificate().getSubjectX500Principal().getName() ); + public CertificateBuilder(String subject, PublicKey pubKey, Date notBefore, + Date notAfter, BigInteger serial, CertificatePrivateKeyPair root) { + X500Name x500name = new X500Name( + root.getCertificate().getSubjectX500Principal().getName()); RDN cn = x500name.getRDNs(BCStyle.CN)[0]; - init(subject, 
IETFUtils.valueToString(cn.getFirst().getValue()), notBefore, notAfter, root.getKey(), pubKey, serial); + init(subject, IETFUtils.valueToString(cn.getFirst().getValue()), + notBefore, notAfter, root.getKey(), pubKey, serial); } - public CertificateBuilder(String subject, String issuer, Date notBefore, Date notAfter, - PrivateKey privKey, PublicKey pubKey, BigInteger serial) { + public CertificateBuilder(String subject, String issuer, Date notBefore, + Date notAfter, PrivateKey privKey, PublicKey pubKey, + BigInteger serial) { Security.addProvider(new BouncyCastleProvider()); init(subject, issuer, notBefore, notAfter, privKey, pubKey, serial); } - private void init(String subject, String issuer, Date notBefore, Date notAfter, - PrivateKey privKey, PublicKey pubKey, BigInteger serial) { + private void init(String subject, String issuer, Date notBefore, + Date notAfter, PrivateKey privKey, PublicKey pubKey, + BigInteger serial) { this.subjectCN = subject; this.issuer = issuer; this.notBefore = notBefore; @@ -110,10 +116,9 @@ public class CertificateBuilder { this.subjectAltName = subjectAltName; } - public CertificatePrivateKeyPair build() - throws GeneralSecurityException, OperatorCreationException, CertIOException { - if(null == privKey && null == pubKey) - { + public CertificatePrivateKeyPair build() throws GeneralSecurityException, + OperatorCreationException, CertIOException { + if (null == privKey && null == pubKey) { ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec(CURVE); KeyPairGenerator g = null; 
@@ -131,31 +136,35 @@ public class CertificateBuilder { subjectNameBld.addRDN(BCStyle.CN, subjectCN); - if(null != subjectOU) { + if (null != subjectOU) { subjectNameBld.addRDN(BCStyle.OU, subjectOU); } - if(null != subjectO) { + if (null != subjectO) { subjectNameBld.addRDN(BCStyle.O, subjectO); } - if(null != subjectC) { + if (null != subjectC) { subjectNameBld.addRDN(BCStyle.C, subjectC); } X500NameBuilder issuerNameBld = new X500NameBuilder(BCStyle.INSTANCE); issuerNameBld.addRDN(BCStyle.CN, issuer); - ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider("BC").build(privKey); + ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM) + .setProvider("BC").build(privKey); - X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(issuerNameBld.build(), - serial, notBefore, notAfter ,subjectNameBld.build(), pubKey); + X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder( + issuerNameBld.build(), serial, notBefore, notAfter, + subjectNameBld.build(), pubKey); - if(null != subjectAltName) { - certGen.addExtension(Extension.subjectAlternativeName, false, new DEROctetString(subjectAltName.getBytes())); + if (null != subjectAltName) { + certGen.addExtension(Extension.subjectAlternativeName, false, + new DEROctetString(subjectAltName.getBytes())); } - cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen)); + cert = new JcaX509CertificateConverter().setProvider("BC") + .getCertificate(certGen.build(sigGen)); return new CertificatePrivateKeyPair(cert, privKey); } 
diff --git a/cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x509/CertificatePrivateKeyPair.java b/cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/cert/CertificatePrivateKeyPair.java similarity index 92% rename from cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x509/CertificatePrivateKeyPair.java rename to cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/cert/CertificatePrivateKeyPair.java index e964472..45ad593 100644 --- a/cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x509/CertificatePrivateKeyPair.java +++ b/cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/cert/CertificatePrivateKeyPair.java @@ -19,13 +19,14 @@ * // * //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= */ -package org.iotivity.cloud.accountserver.security.x509; +package org.iotivity.cloud.accountserver.x509.cert; + import java.security.PrivateKey; import java.security.cert.X509Certificate; public class CertificatePrivateKeyPair { private X509Certificate certificate = null; - private PrivateKey key = null; + private PrivateKey key = null; public CertificatePrivateKeyPair(X509Certificate cert, PrivateKey k) { certificate = cert; diff --git a/cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x.509/CrlInfo.java b/cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/crl/CrlInfo.java similarity index 80% rename from cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x.509/CrlInfo.java rename to cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/crl/CrlInfo.java index c8a9ca8..bec895c 100644 --- a/cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x.509/CrlInfo.java +++ b/cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/crl/CrlInfo.java 
@@ -19,24 +19,29 @@ * // * //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= */ +package org.iotivity.cloud.accountserver.x509.crl; + import java.math.BigInteger; import java.util.Date; public class CrlInfo { private BigInteger serialNumber; - private Date revocationDate; + private Date revocationDate; - void setSerialNumber(BigInteger serialNumber) { + public void setSerialNumber(BigInteger serialNumber) { this.serialNumber = serialNumber; } - BigInteger getSerialNumber() { + + public BigInteger getSerialNumber() { return serialNumber; } - void setRevocationDate(Date date) { + + public void setRevocationDate(Date date) { this.revocationDate = date; } - Date getRevocationDate() { + + public Date getRevocationDate() { return new Date(revocationDate.getTime()); } } diff --git a/cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x.509/CrlIssuer.java b/cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/crl/CrlIssuer.java similarity index 69% rename from cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x.509/CrlIssuer.java rename to cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/crl/CrlIssuer.java index 6666aae..c02c85f 100644 --- a/cloud/account/src/main/java/org/iotivity/cloud/accountserver/security/x.509/CrlIssuer.java +++ b/cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/crl/CrlIssuer.java 
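Review bot: `setRevocationDate` is now public but still stores the caller's `Date` by reference, while `getRevocationDate` defensively copies on the way out, so a caller can change a CRL entry's revocation time after it has been set. Make the setter copy as well: `this.revocationDate = new Date(date.getTime());`. `getRevocationDate` also throws NullPointerException when no date was ever set; either document that the bean must be fully populated before it reaches `CrlIssuer.generateCrl`, or validate in the setter with `Objects.requireNonNull(date, "date")`.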
@@ -19,6 +19,19 @@
 * //
 * //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 */
+package org.iotivity.cloud.accountserver.x509.crl;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.spec.ECGenParameterSpec;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Date;
+
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.cert.X509CRLHolder;
 import org.bouncycastle.cert.X509v2CRLBuilder;
@@ -26,54 +39,49 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; -import java.math.BigInteger; -import java.security.*; -import java.security.spec.PKCS8EncodedKeySpec; -import java.util.Arrays; -import java.util.Date; - -import java.security.spec.ECGenParameterSpec; - public final class CrlIssuer { - private static final String BC = org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME; + private static final String BC = org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME; private static final String SIGNING_ALGORITHM = "SHA256withECDSA"; private CrlIssuer() { - throw new AssertionError();//to get rid of security issue, connected with Java Reflection API + throw new AssertionError();// to get rid of security issue, connected + // with Java Reflection API } static { Security.insertProviderAt(new BouncyCastleProvider(), 1); } - public static byte[] generateCrl(String issuerName, - Date thisUpdate, - CrlInfo[] items, - byte[] issuerPrivateKey) throws Exception { + public static byte[] generateCrl(String issuerName, Date thisUpdate, + CrlInfo[] items, byte[] issuerPrivateKey) throws Exception { X500Name issuerDN = new X500Name(issuerName); - X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, thisUpdate); + X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, + thisUpdate); - for (CrlInfo item: items) { - crlBuilder.addCRLEntry(item.getSerialNumber(), item.getRevocationDate(), 0); + for (CrlInfo item : items) { + crlBuilder.addCRLEntry(item.getSerialNumber(), + item.getRevocationDate(), 0); } KeyFactory kf = KeyFactory.getInstance("ECDSA"); - PrivateKey privateKey = kf.generatePrivate(new PKCS8EncodedKeySpec(issuerPrivateKey)); + PrivateKey privateKey = kf + .generatePrivate(new PKCS8EncodedKeySpec(issuerPrivateKey)); // build and sign CRL with CA private key - ContentSigner signer = new 
JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(privateKey); + ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM) + .setProvider(BC).build(privateKey); X509CRLHolder crl = crlBuilder.build(signer); - CrlStore.saveCrl(crl); + byte data[] = crl.getEncoded(); + CrlStore.saveCrl(data); - return crl.getEncoded(); + return data; } public static byte[] getCrl() throws Exception { - X509CRLHolder crl = CrlStore.loadCrl(); - return crl.getEncoded(); + return CrlStore.loadCrl(); } public static void main(String[] args) { @@ -95,25 +103,25 @@ public final class CrlIssuer { KeyPair pair = g.generateKeyPair(); PrivateKey key = pair.getPrivate(); - byte[] crl = generateCrl("C=DE,O=Samsung", new Date(), items, key.getEncoded()); + byte[] crl = generateCrl("C=DE,O=Samsung", new Date(), items, + key.getEncoded()); System.out.println("Success!"); System.out.println("Stored CRL = " + getHex(crl)); - } - catch (java.lang.Exception e) - { + } catch (java.lang.Exception e) { e.printStackTrace(); } System.out.println("End!"); } static final String HEXES = "0123456789ABCDEF"; - public static String getHex( byte [] raw ) { - if ( raw == null ) { + + public static String getHex(byte[] raw) { + if (raw == null) { return null; } - final StringBuilder hex = new StringBuilder( 2 * raw.length ); - for ( final byte b : raw ) { + final StringBuilder hex = new StringBuilder(2 * raw.length); + for (final byte b : raw) { hex.append(HEXES.charAt((b & 0xF0) >> 4)) .append(HEXES.charAt((b & 0x0F))); } diff --git a/cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/crl/CrlStore.java b/cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/crl/CrlStore.java new file mode 100644 index 0000000..3ed43f1 --- /dev/null +++ b/cloud/account/src/main/java/org/iotivity/cloud/accountserver/x509/crl/CrlStore.java 
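Review bot: The CRL built from `new X509v2CRLBuilder(issuerDN, thisUpdate)` is signed without a nextUpdate, so a relying party has no way to tell when it is stale and will keep honouring it indefinitely; RFC 5280 §5.1.2.5 requires conforming CRL issuers to set one. Add a validity window before `crlBuilder.build(signer)`, e.g. `crlBuilder.setNextUpdate(new Date(thisUpdate.getTime() + validityMillis));` with the window supplied by the caller, and consider a CRLNumber extension so consumers can reject replays of an older CRL. The new `CrlStore.saveCrl(data)` call relies on a store that swallows its IOException (see the new CrlStore.java in this commit), so `generateCrl` can return a CRL that was never persisted and `getCrl()` then returns `null` from `CrlStore.loadCrl()`; letting the store throw would surface this through the existing `throws Exception`. The reason code `0` passed to `addCRLEntry` is CRLReason.unspecified, which is acceptable only as long as CrlInfo carries no reason of its own.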
@@ -0,0 +1,66 @@
+/*
+ * //******************************************************************
+ * //
+ * // Copyright 2016 Samsung Electronics All Rights Reserved.
+ * //
+ * //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ * //
+ * // Licensed under the Apache License, Version 2.0 (the "License");
+ * // you may not use this file except in compliance with the License.
+ * // You may obtain a copy of the License at
+ * //
+ * // http://www.apache.org/licenses/LICENSE-2.0
+ * //
+ * // Unless required by applicable law or agreed to in writing, software
+ * // distributed under the License is distributed on an "AS IS" BASIS,
+ * // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * // See the License for the specific language governing permissions and
+ * // limitations under the License.
+ * //
+ * //-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ */
+package org.iotivity.cloud.accountserver.x509.crl;
+
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.InputStream;
+
+public final class CrlStore {
+
+ private CrlStore() {
+ throw new AssertionError(); // to get rid of security issue, connected
+ // with Java Reflection API
+ }
+
+ private static final String CRL_FILE_NAME = "crl";
+
+ public static void saveCrl(byte[] crl) {
+ try {
+ FileOutputStream out = new FileOutputStream(CRL_FILE_NAME);
+ out.write(crl);
+ out.close();
+ } catch (java.io.IOException e) {
+ e.printStackTrace();
+ }
+ }
+
+ public static byte[] loadCrl() {
+
+ try {
+ InputStream f = new FileInputStream(CRL_FILE_NAME);
+ int size = f.available();
+ byte data[] = new byte[size];
+
+ if(f.read(data) != data.length) {
+ System.err.println("couldn't read crl");
+ }
+ f.close();
+ return data;
+
+ } catch (java.io.IOException e) {
+ e.printStackTrace();
+ }
+
+ return null;
+ }
+}
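Review bot: `loadCrl` sizes its buffer with `f.available()`, which the InputStream contract defines only as an estimate, and when `f.read(data)` comes back short it prints a message but still returns the partially filled array, so a truncated CRL can be handed to `CrlIssuer.getCrl()` as if it were complete. Both methods also leak the stream when `write`/`read` throws (no try-with-resources), and `saveCrl` swallows the IOException so the issuer never learns that persistence failed. Switching to `java.nio.file.Files` fixes all three, and writing through a temp file plus atomic move means a concurrent reader never observes a half-written `crl` file; note that the stored bytes are only as trustworthy as the directory they live in, since nothing here verifies the CRL signature on load and the relative path `"crl"` resolves against the process working directory. The rewrite below makes both methods throw IOException, which the only visible callers (`generateCrl`, `getCrl`) already tolerate via `throws Exception`; it needs `java.nio.file.{Files,Path,Paths,StandardCopyOption}` and `java.io.IOException` imports in place of the three java.io stream imports.
```java
// … unchanged: license header, package, class declaration, private constructor …
private static final Path CRL_PATH = Paths.get("crl");

public static void saveCrl(byte[] crl) throws IOException {
    // Write to a sibling temp file and move it into place atomically so a
    // reader never sees a partially written CRL; propagate failures so the
    // issuer knows the CRL was not persisted.
    Path dir = CRL_PATH.toAbsolutePath().getParent();
    Path tmp = Files.createTempFile(dir, "crl", ".tmp");
    try {
        Files.write(tmp, crl);
        Files.move(tmp, CRL_PATH, StandardCopyOption.REPLACE_EXISTING,
                StandardCopyOption.ATOMIC_MOVE);
    } finally {
        Files.deleteIfExists(tmp);
    }
}

public static byte[] loadCrl() throws IOException {
    // readAllBytes reads to EOF; available() was only an estimate and a
    // short read was previously returned as a complete CRL.
    return Files.readAllBytes(CRL_PATH);
}
```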