зеркало из https://github.com/mozilla/pjs.git
278 строки
11 KiB
Java
278 строки
11 KiB
Java
/*
|
|
* The contents of this file are subject to the Mozilla Public
|
|
* License Version 1.1 (the "License"); you may not use this file
|
|
* except in compliance with the License. You may obtain a copy of
|
|
* the License at http://www.mozilla.org/MPL/
|
|
*
|
|
* Software distributed under the License is distributed on an "AS
|
|
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
|
|
* implied. See the License for the specific language governing
|
|
* rights and limitations under the License.
|
|
*
|
|
* The Original Code is the Netscape Security Services for Java.
|
|
*
|
|
* The Initial Developer of the Original Code is Netscape
|
|
* Communications Corporation. Portions created by Netscape are
|
|
* Copyright (C) 1998-2000 Netscape Communications Corporation. All
|
|
* Rights Reserved.
|
|
*
|
|
* Contributor(s):
|
|
*
|
|
* Alternatively, the contents of this file may be used under the
|
|
* terms of the GNU General Public License Version 2 or later (the
|
|
* "GPL"), in which case the provisions of the GPL are applicable
|
|
* instead of those above. If you wish to allow use of your
|
|
* version of this file only under the terms of the GPL and not to
|
|
* allow others to use your version of this file under the MPL,
|
|
* indicate your decision by deleting the provisions above and
|
|
* replace them with the notice and other provisions required by
|
|
* the GPL. If you do not delete the provisions above, a recipient
|
|
* may use your version of this file under either the MPL or the
|
|
* GPL.
|
|
*/
|
|
/**
|
|
* This program reads in a PKCS #12 file and dumps its contents to the screen.
|
|
* At the same time, it creates a new PKCS #12 file. As it reads through the
|
|
* old file, it writes its contents into the new file. Then the new file
|
|
* is encrypted and MACed with a new, different password.
|
|
*/
|
|
|
|
/* note that this code still has some problems reading PKCS12 file
|
|
* generated with Communicator.
|
|
*/
|
|
|
|
|
|
import java.io.*;
|
|
import org.mozilla.jss.*;
|
|
import org.mozilla.jss.pkcs12.*;
|
|
import org.mozilla.jss.crypto.*;
|
|
import org.mozilla.jss.asn1.*;
|
|
import org.mozilla.jss.util.*;
|
|
import org.mozilla.jss.pkix.*;
|
|
import org.mozilla.jss.pkix.primitive.*;
|
|
import org.mozilla.jss.pkix.cert.*;
|
|
|
|
|
|
public class pkcs12 {
|
|
|
|
public static void main(String []args) {
|
|
|
|
try {
|
|
|
|
// Read arguments
|
|
if( args.length != 3 ) {
|
|
System.out.println("Usage: PFX <dbdir> <infile> <outfile>");
|
|
System.exit(-1);
|
|
}
|
|
|
|
// open input file for reading
|
|
FileInputStream infile=null;
|
|
try {
|
|
infile = new FileInputStream(args[1]);
|
|
}
|
|
catch (FileNotFoundException f) {
|
|
System.out.println("Cannot open file "+args[1]+
|
|
" for reading: "+f.getMessage());
|
|
return;
|
|
}
|
|
int certfile = 0;
|
|
|
|
// initialize CryptoManager. This is necessary because there is
|
|
// crypto involved with decoding a PKCS #12 file
|
|
CryptoManager.initialize( args[0]+"/secmod.db",
|
|
args[0]+"/key3.db", args[0]+"/cert7.db");
|
|
CryptoManager manager = CryptoManager.getInstance();
|
|
|
|
// Decode the P12 file
|
|
PFX.Template pfxt = new PFX.Template();
|
|
PFX pfx = (PFX) pfxt.decode(new BufferedInputStream(infile, 2048));
|
|
System.out.println("Decoded PFX");
|
|
|
|
// print out information about the top-level PFX structure
|
|
System.out.println("Version: "+pfx.getVersion());
|
|
AuthenticatedSafes authSafes = pfx.getAuthSafes();
|
|
SEQUENCE safeContentsSequence = authSafes.getSequence();
|
|
System.out.println("AuthSafes has "+
|
|
safeContentsSequence.size()+" SafeContents");
|
|
|
|
// Get the password for the old file
|
|
System.out.println("Enter password: ");
|
|
Password pass = Password.readPasswordFromConsole();
|
|
|
|
// get new password, which will be used for the new file we create
|
|
// later
|
|
System.out.println("Enter new password:");
|
|
Password newPass = Password.readPasswordFromConsole();
|
|
|
|
|
|
// Verify the MAC on the PFX. This is important to be sure
|
|
// it hasn't been tampered with.
|
|
StringBuffer sb = new StringBuffer();
|
|
if( pfx.verifyAuthSafes(pass, sb) ) {
|
|
System.out.println("AuthSafes verifies correctly.");
|
|
} else {
|
|
System.out.println("AuthSafes failed to verify because: "+
|
|
sb);
|
|
}
|
|
|
|
// Create a new AuthenticatedSafes. As we read the contents of the
|
|
// old authSafes, we will store them into the new one. After we have
|
|
// cycled through all the contents, they will all have been copied into
|
|
// the new authSafes.
|
|
AuthenticatedSafes newAuthSafes = new AuthenticatedSafes();
|
|
|
|
// Loop over contents of the old authenticated safes
|
|
//for(int i=0; i < asSeq.size(); i++) {
|
|
for(int i=0; i < safeContentsSequence.size(); i++) {
|
|
|
|
// The safeContents may or may not be encrypted. We always send
|
|
// the password in. It will get used if it is needed. If the
|
|
// decryption of the safeContents fails for some reason (like
|
|
// a bad password), then this method will throw an exception
|
|
SEQUENCE safeContents = authSafes.getSafeContentsAt(pass, i);
|
|
|
|
System.out.println("\n\nSafeContents #"+i+" has "+
|
|
safeContents.size()+" bags");
|
|
|
|
// Go through all the bags in this SafeContents
|
|
for(int j=0; j < safeContents.size(); j++) {
|
|
SafeBag safeBag = (SafeBag) safeContents.elementAt(j);
|
|
|
|
// The type of the bag is an OID
|
|
System.out.println("\nBag "+j+" has type "+
|
|
safeBag.getBagType() );
|
|
|
|
|
|
// look for bag attributes
|
|
SET attribs = safeBag.getBagAttributes();
|
|
if( attribs == null ) {
|
|
System.out.println("Bag has no attributes");
|
|
} else {
|
|
for(int b=0; b < attribs.size(); b++) {
|
|
Attribute a = (Attribute) attribs.elementAt(b);
|
|
if( a.getType().equals(SafeBag.FRIENDLY_NAME)) {
|
|
// the friendly name attribute is a nickname
|
|
BMPString bs = (BMPString) ((ANY)a.getValues().
|
|
elementAt(0)).decodeWith(
|
|
BMPString.getTemplate());
|
|
System.out.println("Friendly Name: "+bs);
|
|
} else if(a.getType().equals(SafeBag.LOCAL_KEY_ID)){
|
|
// the local key id is used to match a key
|
|
// to its cert. The key id is the SHA-1 hash of
|
|
// the DER-encoded cert.
|
|
OCTET_STRING os =(OCTET_STRING)
|
|
((ANY)a.getValues().
|
|
elementAt(0)).decodeWith(
|
|
OCTET_STRING.getTemplate());
|
|
System.out.println("LocalKeyID:");
|
|
/*
|
|
AuthenticatedSafes.
|
|
print_byte_array(os.toByteArray());
|
|
*/
|
|
} else {
|
|
System.out.println("Unknown attribute type: "+
|
|
a.getType().toString());
|
|
}
|
|
}
|
|
}
|
|
|
|
// now look at the contents of the bag
|
|
ASN1Value val = safeBag.getInterpretedBagContent();
|
|
|
|
if( val instanceof PrivateKeyInfo ) {
|
|
// A PrivateKeyInfo contains an unencrypted private key
|
|
System.out.println("content is PrivateKeyInfo");
|
|
} else if( val instanceof EncryptedPrivateKeyInfo ) {
|
|
// An EncryptedPrivateKeyInfo is, well, an encrypted
|
|
// PrivateKeyInfo. Usually, strong crypto is used in
|
|
// an EncryptedPrivateKeyInfo.
|
|
EncryptedPrivateKeyInfo epki =
|
|
((EncryptedPrivateKeyInfo)val);
|
|
System.out.println(
|
|
"content is EncryptedPrivateKeyInfo, algoid:"
|
|
+ epki.getEncryptionAlgorithm().getOID());
|
|
|
|
// Because we are in a PKCS #12 file, the passwords are
|
|
// char-to-byte converted in a special way. We have to
|
|
// use the special converter class instead of the default.
|
|
PrivateKeyInfo pki = epki.decrypt(pass,
|
|
new org.mozilla.jss.pkcs12.PasswordConverter() );
|
|
|
|
// import the key into the key3.db
|
|
CryptoToken tok = manager.getTokenByName("Internal Key Storage Token");
|
|
CryptoStore store = tok.getCryptoStore();
|
|
ByteArrayOutputStream baos = new ByteArrayOutputStream();
|
|
pki.encode(baos);
|
|
store.importPrivateKey(baos.toByteArray(),
|
|
PrivateKey.RSA);
|
|
|
|
|
|
// re-encrypt the PrivateKeyInfo with the new password
|
|
// and random salt
|
|
byte[] salt = new byte[
|
|
PBEAlgorithm.PBE_SHA1_DES3_CBC.getSaltLength()];
|
|
JSSSecureRandom rand = CryptoManager.getInstance().
|
|
getSecureRNG();
|
|
rand.nextBytes(salt);
|
|
epki = EncryptedPrivateKeyInfo.createPBE(
|
|
PBEAlgorithm.PBE_SHA1_DES3_CBC, newPass,
|
|
salt, 1, new PasswordConverter(), pki);
|
|
|
|
// Overwrite the previous EncryptedPrivateKeyInfo with
|
|
// this new one we just created using the new password.
|
|
// This is what will get put in the new PKCS #12 file
|
|
// we are creating.
|
|
safeContents.insertElementAt(
|
|
new SafeBag( safeBag.getBagType(),
|
|
epki, safeBag.getBagAttributes()), i);
|
|
safeContents.removeElementAt(i+1);
|
|
|
|
} else if( val instanceof CertBag ) {
|
|
System.out.println("content is CertBag");
|
|
CertBag cb = (CertBag) val;
|
|
if( cb.getCertType().equals(CertBag.X509_CERT_TYPE)) {
|
|
// this is an X.509 certificate
|
|
OCTET_STRING os = (OCTET_STRING)cb.getInterpretedCert();
|
|
Certificate cert = (Certificate)
|
|
ASN1Util.decode(Certificate.getTemplate(),
|
|
os.toByteArray());
|
|
cert.getInfo().print(System.out);
|
|
} else {
|
|
System.out.println("Unrecognized cert type");
|
|
}
|
|
} else {
|
|
System.out.println("content is ANY");
|
|
}
|
|
}
|
|
|
|
// Add the new safe contents to the new authsafes
|
|
if( authSafes.safeContentsIsEncrypted(i) ) {
|
|
newAuthSafes.addEncryptedSafeContents(
|
|
authSafes.DEFAULT_KEY_GEN_ALG, newPass,
|
|
null, authSafes.DEFAULT_ITERATIONS, safeContents);
|
|
} else {
|
|
newAuthSafes.addSafeContents( safeContents );
|
|
}
|
|
}
|
|
|
|
// Create new PFX from the new authsafes
|
|
PFX newPfx = new PFX(newAuthSafes);
|
|
|
|
// Add a MAC to the new PFX
|
|
newPfx.computeMacData(newPass, null, PFX.DEFAULT_ITERATIONS);
|
|
|
|
// write the new PFX out to a file
|
|
FileOutputStream fos = new FileOutputStream(args[2]);
|
|
newPfx.encode(fos);
|
|
fos.close();
|
|
|
|
|
|
} catch( Exception e ) {
|
|
e.printStackTrace();
|
|
}
|
|
}
|
|
|
|
|
|
|
|
}
|