summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorPeter Palfrader <peter@palfrader.org>2003-10-15 16:41:45 +0000
committerPeter Palfrader <peter@palfrader.org>2003-10-15 16:41:45 +0000
commitfaec826c0d976301b075500b079241bc88619658 (patch)
tree19fa92059c9b834b33478fbe43073a941b127898 /src
parent36655a8f9b45442647b01adbdc1f4fc2c4e4b66d (diff)
Verify remote peer cert during MMTP handshake
Diffstat (limited to 'src')
-rw-r--r--src/org/noreply/fancydress/type3/mmtp/MMTP.java3
-rw-r--r--src/org/noreply/fancydress/type3/mmtp/MMTPTrustManager.java59
2 files changed, 43 insertions, 19 deletions
diff --git a/src/org/noreply/fancydress/type3/mmtp/MMTP.java b/src/org/noreply/fancydress/type3/mmtp/MMTP.java
index 1d03eed..bc19e8e 100644
--- a/src/org/noreply/fancydress/type3/mmtp/MMTP.java
+++ b/src/org/noreply/fancydress/type3/mmtp/MMTP.java
@@ -20,7 +20,7 @@ public class MMTP {
byte[] ackExpected = Util.concat( Util.toOctets("RECEIVED\r\n"),
CryptoPrimitives.hash(packet.asOctets(), Util.toOctets("RECEIVED")));
byte[] ackRead = new byte[30];
- MMTPTrustManager trustManager = new MMTPTrustManager();
+ MMTPTrustManager trustManager = new MMTPTrustManager(packet.getRoute().getKeyID());
TrustManager[] trustManagers = { trustManager };
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, trustManagers, null);
@@ -58,7 +58,6 @@ public class MMTP {
} else {
System.out.println("Got ACK");
};
- System.out.println(Util.asHex(packet.getRoute().getKeyID()));
in.close();
out.close();
socket.close();
diff --git a/src/org/noreply/fancydress/type3/mmtp/MMTPTrustManager.java b/src/org/noreply/fancydress/type3/mmtp/MMTPTrustManager.java
index e39f5f9..4748a84 100644
--- a/src/org/noreply/fancydress/type3/mmtp/MMTPTrustManager.java
+++ b/src/org/noreply/fancydress/type3/mmtp/MMTPTrustManager.java
@@ -5,13 +5,28 @@ import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;
import java.security.AlgorithmParameters;
-import java.math.*;
+import java.security.NoSuchAlgorithmException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchProviderException;
+import java.security.SignatureException;
+import java.math.BigInteger;
import org.bouncycastle.util.encoders.Base64;
import org.noreply.fancydress.misc.*;
import org.noreply.fancydress.crypto.*;
public class MMTPTrustManager implements X509TrustManager {
- public MMTPTrustManager() {
+ /**
+ * Hash of the expected identity key.
+ */
+ private byte[] identity;
+
+ /**
+ * Create a new MMTPTrustManager instance.
+ *
+ * @param keyid fingerprint (== keyid, == hash of the key) of the identity key.
+ */
+ public MMTPTrustManager(byte[] identity) {
+ this.identity = identity;
}
/**
@@ -55,20 +70,31 @@ public class MMTPTrustManager implements X509TrustManager {
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException
{
- System.out.println("call to checkServerTrusted()\n");
- System.out.println("certs: " + chain.length);
- for (int i=0; i<chain.length; i++) {
- System.out.println("cert "+i+"\n" + chain[i]);
- System.out.println("alg name: " + chain[i].getSigAlgName() );
- java.security.interfaces.RSAPublicKey pk = (java.security.interfaces.RSAPublicKey) chain[i].getPublicKey();
- BigInteger modulus = pk.getModulus();
- BigInteger exp = pk.getPublicExponent();
- RSAPublicKey rsa = new RSAPublicKey(modulus,exp);
- System.out.println("fpr: " + Util.asHex( rsa.getFingerprint() ));
- //System.out.println("fpr: " + chain[i].getSigAlgParams() == null ? "null" : Util.asHex( CryptoPrimitives.hash( chain[i].getSigAlgParams() )));
- }
- System.out.println("authtype: " + authType);
+ /* Make sure we got two keys */
+ if (chain.length != 2)
+ throw new CertificateException("Did not get excatly 2 certificates in cert chain.");
+ /* Verify, that the first cert is signed by the second cert */
+ java.security.interfaces.RSAPublicKey identityCertKey = (java.security.interfaces.RSAPublicKey) chain[1].getPublicKey();
+ try {
+ chain[0].verify(identityCertKey);
+ } catch (NoSuchAlgorithmException e) {
+ throw new CertificateException("Could not verify chain. Caused by NoSuchAlgorithmException,");
+ } catch (InvalidKeyException e) {
+ throw new CertificateException("Could not verify chain. Caused by InvalidKeyException,");
+ } catch (NoSuchProviderException e) {
+ throw new CertificateException("Could not verify chain. Caused by NoSuchProviderException,");
+ } catch (SignatureException e) {
+ throw new CertificateException("Could not verify chain. Caused by SignatureException,");
+ };
+
+ /* Verify, that the second cert is the identity key */
+ BigInteger modulus = identityCertKey.getModulus();
+ BigInteger exp = identityCertKey.getPublicExponent();
+ RSAPublicKey rsa = new RSAPublicKey(modulus,exp);
+ byte[] fpr = rsa.getFingerprint();
+ if (!Util.equal(identity, fpr))
+ throw new CertificateException("Identity key's fingerprint does not match expected value.");
}
/**
@@ -79,7 +105,6 @@ public class MMTPTrustManager implements X509TrustManager {
* certificates.
*/
public X509Certificate[] getAcceptedIssuers() {
- System.out.println("call to getAcceptedIssuers()\n");
- return new X509Certificate[0];
+ throw new Error("Not needed\n");
}
}