PkinitCrypto (Kerby-kerb Common 1.0.0-RC2 API)

java.lang.Object
- org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitCrypto

```
public class PkinitCrypto
extends Object
```
Ref. pkinit_crypto_openssl.c in MIT krb5 project.

Constructor Summary

Constructors
Constructor and Description

PkinitCrypto()

Constructors
Constructor and Description
`PkinitCrypto()`

Method Summary

All Methods Static Methods Concrete Methods
Modifier and Type	Method and Description
`static org.apache.kerby.x509.type.Certificate`	`changeToCertificate(X509Certificate x509Certificate)` Change the X509Certificate to Certificate
`static boolean`	`checkDHWellknown(PkinitPlgCryptoContext cryptoctx, org.apache.kerby.x509.type.DhParameter dhParameter, int dhPrimeBits)` Check DH wellknown
`static byte[]`	`cmsSignedDataCreate(byte[] data, String oid, int version, org.apache.kerby.cms.type.DigestAlgorithmIdentifiers digestAlgorithmIdentifiers, org.apache.kerby.cms.type.CertificateSet certificateSet, org.apache.kerby.cms.type.RevocationInfoChoices crls, org.apache.kerby.cms.type.SignerInfos signerInfos)` RFC4556: The contentType field of the type ContentInfo is id-signedData (1.2.840.113549.1.7.2), and the content field is a SignedData.
`static X509Certificate[]`	`createCertChain(PkinitPlgCryptoContext cryptoContext)`
`static DHPublicKey`	`createDHPublicKey(BigInteger p, BigInteger g, BigInteger y)` Create DH public key
`static org.apache.kerby.asn1.type.Asn1ObjectIdentifier`	`createOid(String content)` Create oid
`static List<PrincipalName>`	`cryptoRetrieveCertSans(List<org.apache.kerby.x509.type.Certificate> certificates)`
`static List<PrincipalName>`	`cryptoRetrieveX509Sans(List<org.apache.kerby.x509.type.Certificate> certificates)`
`static byte[]`	`eContentInfoCreate(byte[] data, String oid)`
`static boolean`	`pkinitCheckDhParams(DHParameterSpec dh1, org.apache.kerby.x509.type.DhParameter dh2)` Check parameters against a well-known DH group
`static String`	`pkinitType2OID(CmsMessageType cmsMsgType)` Change the CMS message type to oid
`static void`	`serverCheckDH(PluginOpts pluginOpts, PkinitPlgCryptoContext cryptoctx, org.apache.kerby.x509.type.DhParameter dhParameter)` KDC check the key parameter
`static void`	`validateChain(List<org.apache.kerby.x509.type.Certificate> certificateList, org.apache.kerby.x509.type.Certificate anchor)` Validates a chain of `X509Certificate`s.
`static void`	`verifyCmsSignedData(CmsMessageType cmsMsgType, org.apache.kerby.cms.type.SignedData signedData)` Verify CMS Signed Data
`static boolean`	`verifyKdcSan(String hostname, PrincipalName kdcPrincipal, List<org.apache.kerby.x509.type.Certificate> certificates)`

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail
- PkinitCrypto
```
public PkinitCrypto()
```

Method Detail

verifyCmsSignedData

public static void verifyCmsSignedData(CmsMessageType cmsMsgType,
                                       org.apache.kerby.cms.type.SignedData signedData)
                                throws KrbException

Verify CMS Signed Data

Parameters:: cmsMsgType - The CMS message type; signedData - The signed data
Throws:: KrbException - e

pkinitType2OID
```
public static String pkinitType2OID(CmsMessageType cmsMsgType)
```
Change the CMS message type to oid

Parameters:

cmsMsgType - The CMS message type

Returns:

oid

serverCheckDH

public static void serverCheckDH(PluginOpts pluginOpts,
                                 PkinitPlgCryptoContext cryptoctx,
                                 org.apache.kerby.x509.type.DhParameter dhParameter)
                          throws KrbException

KDC check the key parameter

Parameters:: pluginOpts - The PluginOpts; cryptoctx - The PkinitPlgCryptoContext; dhParameter - The DhParameter
Throws:: KrbException - e

checkDHWellknown

public static boolean checkDHWellknown(PkinitPlgCryptoContext cryptoctx,
                                       org.apache.kerby.x509.type.DhParameter dhParameter,
                                       int dhPrimeBits)
                                throws KrbException

Check DH wellknown

Parameters:: cryptoctx - The PkinitPlgCryptoContext; dhParameter - The DhParameter; dhPrimeBits - The dh prime bits
Returns:: boolean
Throws:: KrbException - e

pkinitCheckDhParams

public static boolean pkinitCheckDhParams(DHParameterSpec dh1,
                                          org.apache.kerby.x509.type.DhParameter dh2)

Check parameters against a well-known DH group

Parameters:: dh1 - The DHParameterSpec; dh2 - The DhParameter

createDHPublicKey

public static DHPublicKey createDHPublicKey(BigInteger p,
                                            BigInteger g,
                                            BigInteger y)

Create DH public key

Parameters:: p - The prime modulus; g - The base generator; y - The public value
Returns:: DHPublicKey

cmsSignedDataCreate

public static byte[] cmsSignedDataCreate(byte[] data,
                                         String oid,
                                         int version,
                                         org.apache.kerby.cms.type.DigestAlgorithmIdentifiers digestAlgorithmIdentifiers,
                                         org.apache.kerby.cms.type.CertificateSet certificateSet,
                                         org.apache.kerby.cms.type.RevocationInfoChoices crls,
                                         org.apache.kerby.cms.type.SignerInfos signerInfos)
                                  throws KrbException

RFC4556: The contentType field of the type ContentInfo is id-signedData (1.2.840.113549.1.7.2), and the content field is a SignedData. The eContentType field for the type SignedData is id-pkinit-authData (1.3.6.1.5.2.3.1), and the eContent field contains the DER encoding of the type AuthPack.

Parameters:: data - The data; oid - The oid for eContentType; version - The SignedData version; digestAlgorithmIdentifiers - The digest algorithmIdentifiers; certificateSet - The certificate set; crls - The revocation info choices; signerInfos - The signerInfos
Returns:: The encoded signed data bytes
Throws:: KrbException - e

eContentInfoCreate

public static byte[] eContentInfoCreate(byte[] data,
                                        String oid)
                                 throws KrbException

Throws:: KrbException

createCertChain

public static X509Certificate[] createCertChain(PkinitPlgCryptoContext cryptoContext)
                                         throws CertificateNotYetValidException,
                                                CertificateExpiredException

Throws:: CertificateNotYetValidException; CertificateExpiredException

verifyKdcSan

public static boolean verifyKdcSan(String hostname,
                                   PrincipalName kdcPrincipal,
                                   List<org.apache.kerby.x509.type.Certificate> certificates)
                            throws KrbException

Throws:: KrbException

cryptoRetrieveCertSans

public static List<PrincipalName> cryptoRetrieveCertSans(List<org.apache.kerby.x509.type.Certificate> certificates)
                                                  throws KrbException

Throws:: KrbException

cryptoRetrieveX509Sans

public static List<PrincipalName> cryptoRetrieveX509Sans(List<org.apache.kerby.x509.type.Certificate> certificates)
                                                  throws KrbException

Throws:: KrbException

validateChain

public static void validateChain(List<org.apache.kerby.x509.type.Certificate> certificateList,
                                 org.apache.kerby.x509.type.Certificate anchor)
                          throws CertificateException,
                                 NoSuchAlgorithmException,
                                 NoSuchProviderException,
                                 InvalidAlgorithmParameterException,
                                 CertPathValidatorException

Validates a chain of X509Certificates.

Parameters:: certificateList - The certificate list; anchor - The anchor
Throws:: CertificateException - e; NoSuchAlgorithmException - e; InvalidAlgorithmParameterException - e; CertPathValidatorException - e; NoSuchProviderException

createOid

public static org.apache.kerby.asn1.type.Asn1ObjectIdentifier createOid(String content)
                                                                 throws KrbException

Create oid

Parameters:: content - The hex content
Returns:: The oid
Throws:: KrbException - e

changeToCertificate
```
public static org.apache.kerby.x509.type.Certificate changeToCertificate(X509Certificate x509Certificate)
```
Change the X509Certificate to Certificate

Parameters:

x509Certificate - The X509Certificate

Returns:

The Certificate

Class PkinitCrypto

Constructor Summary