1 /* 2 * Copyright (c) 2021-2022 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 package com.ohos.hapsigntool.utils; 17 18 import com.ohos.hapsigntool.error.CustomException; 19 import com.ohos.hapsigntool.error.ERROR; 20 import com.ohos.hapsigntool.error.VerifyCertificateChainException; 21 import org.apache.logging.log4j.LogManager; 22 import org.apache.logging.log4j.Logger; 23 import org.bouncycastle.asn1.x500.X500Name; 24 import org.bouncycastle.asn1.x509.KeyPurposeId; 25 import org.bouncycastle.asn1.x509.KeyUsage; 26 import org.bouncycastle.jce.provider.BouncyCastleProvider; 27 import org.bouncycastle.operator.ContentSigner; 28 import org.bouncycastle.operator.OperatorCreationException; 29 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; 30 31 import javax.security.auth.x500.X500Principal; 32 import java.io.ByteArrayInputStream; 33 import java.math.BigInteger; 34 import java.nio.charset.StandardCharsets; 35 import java.security.PrivateKey; 36 import java.security.SecureRandom; 37 import java.security.cert.CertificateEncodingException; 38 import java.security.cert.CertificateException; 39 import java.security.cert.CertificateFactory; 40 import java.security.cert.X509Certificate; 41 import java.security.interfaces.ECPrivateKey; 42 import java.security.interfaces.RSAPrivateKey; 43 import java.util.ArrayList; 44 import java.util.Collections; 45 import java.util.List; 46 import java.util.regex.Matcher; 47 import java.util.regex.Pattern; 48 49 /** 50 * Cert Usage Util. 51 * 52 * @since 2021/12/28 53 */ 54 public final class CertUtils { 55 /** 56 * Logger. 57 */ 58 private static final Logger LOGGER = LogManager.getLogger(CertUtils.class); 59 60 /** 61 * Max length to print certificate string. 62 */ 63 private static final int MAX_LINE_LENGTH = 65; 64 /** 65 * Length of serial security random number. 66 */ 67 private static final int RANDOM_SERIAL_LENGTH = 32; 68 /** 69 * number constant. 70 */ 71 private static final int SECOND_INDEX = 2; 72 73 /** 74 * ECC. 75 */ 76 private static final String ECC = "ECDSA"; 77 78 /** 79 * Compile String. 80 */ 81 private static final Pattern SIGN_ALGORITHM_PATTERN = Pattern.compile("^SHA([0-9]{3})with([A-Z]{1,5})$"); 82 CertUtils()83 private CertUtils() { 84 // Empty constructor 85 } 86 87 /** 88 * Parse string to key usage. 89 * 90 * @param keyUsageStr Key usage string 91 * @return Key usage 92 */ parseKeyUsage(String keyUsageStr)93 public static int parseKeyUsage(String keyUsageStr) { 94 int keyUsage = 0; 95 if (keyUsageStr.contains("digitalSignature")) { 96 keyUsage |= KeyUsage.digitalSignature; 97 } 98 if (keyUsageStr.contains("nonRepudiation")) { 99 keyUsage |= KeyUsage.nonRepudiation; 100 } 101 if (keyUsageStr.contains("keyEncipherment")) { 102 keyUsage |= KeyUsage.keyEncipherment; 103 } 104 if (keyUsageStr.contains("dataEncipherment")) { 105 keyUsage |= KeyUsage.dataEncipherment; 106 } 107 if (keyUsageStr.contains("keyAgreement")) { 108 keyUsage |= KeyUsage.keyAgreement; 109 } 110 if (keyUsageStr.contains("certificateSignature")) { 111 keyUsage |= KeyUsage.keyCertSign; 112 } 113 if (keyUsageStr.contains("crlSignature")) { 114 keyUsage |= KeyUsage.cRLSign; 115 } 116 if (keyUsageStr.contains("encipherOnly")) { 117 keyUsage |= KeyUsage.encipherOnly; 118 } 119 if (keyUsageStr.contains("decipherOnly")) { 120 keyUsage |= KeyUsage.decipherOnly; 121 } 122 return keyUsage; 123 } 124 125 /** 126 * Parse string to KeyPurposeId[] 127 * 128 * @param extKeyUsageStr ext key usage string 129 * @return KeyPurposeId[] 130 */ parseExtKeyUsage(String extKeyUsageStr)131 public static KeyPurposeId[] parseExtKeyUsage(String extKeyUsageStr) { 132 ArrayList<KeyPurposeId> ids = new ArrayList<>(); 133 if (extKeyUsageStr.contains("clientAuthentication")) { 134 ids.add(KeyPurposeId.id_kp_clientAuth); 135 } 136 if (extKeyUsageStr.contains("serverAuthentication")) { 137 ids.add(KeyPurposeId.id_kp_serverAuth); 138 } 139 if (extKeyUsageStr.contains("codeSignature")) { 140 ids.add(KeyPurposeId.id_kp_codeSigning); 141 } 142 if (extKeyUsageStr.contains("emailProtection")) { 143 ids.add(KeyPurposeId.id_kp_emailProtection); 144 } 145 if (extKeyUsageStr.contains("smartCardLogin")) { 146 ids.add(KeyPurposeId.id_kp_smartcardlogon); 147 } 148 if (extKeyUsageStr.contains("timestamp")) { 149 ids.add(KeyPurposeId.id_kp_timeStamping); 150 } 151 if (extKeyUsageStr.contains("ocspSignature")) { 152 ids.add(KeyPurposeId.id_kp_OCSPSigning); 153 } 154 return ids.toArray(new KeyPurposeId[]{}); 155 } 156 157 /** 158 * buildDN 159 * @param nameString nameString 160 * @return X500Name 161 */ buildDN(String nameString)162 public static X500Name buildDN(String nameString) { 163 checkDN(nameString); 164 X500Name dn = null; 165 try { 166 dn = new X500Name(nameString); 167 } catch (IllegalArgumentException | IndexOutOfBoundsException exception) { 168 LOGGER.debug(exception.getMessage(), exception); 169 CustomException.throwException(ERROR.COMMAND_ERROR, 170 String.format("Error params near: %s. Reason: %s", nameString, exception.getMessage())); 171 } 172 return dn; 173 } 174 175 /** 176 * To verify the format of subject or issuer. 177 * Refer to X500NameStyle.fromString(). 178 * 179 * @param nameString subject or issuer 180 */ checkDN(String nameString)181 private static void checkDN(String nameString) { 182 String errorMsg = String.format("Format error, must be \"X=xx,XX=xxx,...\", please check: \"%s\"", nameString); 183 ValidateUtils.throwIfNotMatches(!StringUtils.isEmpty(nameString), ERROR.COMMAND_ERROR, errorMsg); 184 String[] pairs = nameString.split(","); 185 for (String pair : pairs) { 186 ValidateUtils.throwIfNotMatches(!StringUtils.isEmpty(nameString.trim()), ERROR.COMMAND_ERROR, errorMsg); 187 String[] kvPair = pair.split("="); 188 ValidateUtils.throwIfNotMatches(kvPair.length == SECOND_INDEX, ERROR.COMMAND_ERROR, errorMsg); 189 // Key will be checked in X500NameStyle.attrNameToOID 190 ValidateUtils.throwIfNotMatches(!StringUtils.isEmpty(kvPair[1].trim()), ERROR.COMMAND_ERROR, errorMsg); 191 } 192 } 193 194 /** 195 * Convert byte to CSR String. 196 * 197 * @param csr bytes of CSR 198 * @return String 199 */ toCsrTemplate(byte[] csr)200 public static String toCsrTemplate(byte[] csr) { 201 return "-----BEGIN NEW CERTIFICATE REQUEST-----\n" 202 + java.util.Base64.getMimeEncoder(MAX_LINE_LENGTH, "\n".getBytes(StandardCharsets.UTF_8)) 203 .encodeToString(csr) 204 + "\n-----END NEW CERTIFICATE REQUEST-----\n"; 205 } 206 207 /** 208 * Encoding cert to String. 209 * 210 * @param certificate Cert to convert to string 211 * @return Cert templated string 212 * @throws CertificateEncodingException Failed encoding 213 */ generateCertificateInCer(X509Certificate certificate)214 public static String generateCertificateInCer(X509Certificate certificate) 215 throws CertificateEncodingException { 216 return "-----BEGIN CERTIFICATE-----\n" 217 + java.util.Base64.getMimeEncoder(MAX_LINE_LENGTH, "\n".getBytes(StandardCharsets.UTF_8)) 218 .encodeToString(certificate.getEncoded()) 219 + "\n" + "-----END CERTIFICATE-----" + "\n"; 220 } 221 222 /** 223 * Random serial. 224 * 225 * @return Random big integer 226 */ randomSerial()227 public static BigInteger randomSerial() { 228 return new BigInteger(RANDOM_SERIAL_LENGTH, new SecureRandom()); 229 } 230 231 /** 232 * Convert byte to cert. 233 * 234 * @param cert Byte from cert file 235 * @return Certs 236 * @throws CertificateException Convert failed 237 * @throws VerifyCertificateChainException certificates in file are not certificate chain 238 */ 239 @SuppressWarnings("unchecked") generateCertificates(byte[] cert)240 public static List<X509Certificate> generateCertificates(byte[] cert) throws CertificateException, 241 VerifyCertificateChainException { 242 CertificateFactory factory = CertificateFactory.getInstance("X.509"); 243 List<X509Certificate> certificates = 244 (List<X509Certificate>) factory.generateCertificates(new ByteArrayInputStream(cert)); 245 sortCertificateChain(certificates); 246 CertificateUtils.verifyCertChain(certificates); 247 return certificates; 248 } 249 250 /** 251 * Sort cert chain to sign cert, sub cert, root cert 252 * 253 * @param certificates cert chain 254 */ sortCertificateChain(List<X509Certificate> certificates)255 public static void sortCertificateChain(List<X509Certificate> certificates) { 256 if (certificates != null && certificates.size() > 1) { 257 int size = certificates.size(); 258 X500Principal lastSubjectX500Principal = (certificates.get(size - 1)).getSubjectX500Principal(); 259 X500Principal beforeIssuerX500Principal = (certificates.get(size - SECOND_INDEX)).getIssuerX500Principal(); 260 if (!lastSubjectX500Principal.equals(beforeIssuerX500Principal)) { 261 Collections.reverse(certificates); 262 } 263 } 264 } 265 266 /** 267 * Auto fix algorithm according key type and create content signer. 268 * 269 * @param privateKey Sign key 270 * @param signAlgorithm Sign algorithm 271 * @return ContentSigner 272 */ createFixedContentSigner(PrivateKey privateKey, String signAlgorithm)273 public static ContentSigner createFixedContentSigner(PrivateKey privateKey, String signAlgorithm) { 274 Matcher matcher = SIGN_ALGORITHM_PATTERN.matcher(signAlgorithm); 275 ValidateUtils.throwIfNotMatches(matcher.matches(), ERROR.NOT_SUPPORT_ERROR, "Not Support " + signAlgorithm); 276 String signAlg = signAlgorithm; 277 // Auto fix signAlgorithm error 278 if (privateKey instanceof ECPrivateKey && signAlgorithm.contains("RSA")) { 279 signAlg = signAlgorithm.replace("RSA", ECC); 280 } else { 281 if (privateKey instanceof RSAPrivateKey && signAlgorithm.contains(ECC)) { 282 signAlg = signAlgorithm.replace(ECC, "RSA"); 283 } 284 } 285 286 JcaContentSignerBuilder jcaContentSignerBuilder = new JcaContentSignerBuilder(signAlg); 287 jcaContentSignerBuilder.setProvider(BouncyCastleProvider.PROVIDER_NAME); 288 try { 289 return jcaContentSignerBuilder.build(privateKey); 290 } catch (OperatorCreationException exception) { 291 LOGGER.debug(exception.getMessage(), exception); 292 CustomException.throwException(ERROR.OPERATOR_CREATION_ERROR, exception.getMessage()); 293 } 294 return null; 295 } 296 } 297