Search in sources :

Example 11 with ContentInfo

use of com.android.apksig.internal.pkcs7.ContentInfo in project XobotOS by xamarin.

the class X509CertFactoryImpl method engineGenerateCertificates.

/**
     * Generates the collection of the certificates on the base of provided
     * via input stream encodings.
     * @see java.security.cert.CertificateFactorySpi#engineGenerateCertificates(InputStream)
     * method documentation for more info
     */
public Collection<? extends Certificate> engineGenerateCertificates(InputStream inStream) throws CertificateException {
    if (inStream == null) {
        throw new CertificateException("inStream == null");
    }
    ArrayList<Certificate> result = new ArrayList<Certificate>();
    try {
        if (!inStream.markSupported()) {
            // create the mark supporting wrapper
            inStream = new RestoringInputStream(inStream);
        }
        // if it is PEM encoded form this array will contain the encoding
        // so ((it is PEM) <-> (encoding != null))
        byte[] encoding = null;
        // The following by SEQUENCE ASN.1 tag, used for
        // recognizing the data format
        // (is it PKCS7 ContentInfo structure, X.509 Certificate, or
        // unsupported encoding)
        int second_asn1_tag = -1;
        inStream.mark(1);
        int ch;
        while ((ch = inStream.read()) != -1) {
            // check if it is PEM encoded form
            if (ch == '-') {
                // beginning of PEM encoding ('-' char)
                // decode PEM chunk and store its content (ASN.1 encoding)
                encoding = decodePEM(inStream, FREE_BOUND_SUFFIX);
            } else if (ch == 0x30) {
                // beginning of ASN.1 sequence (0x30)
                encoding = null;
                inStream.reset();
                // prepare for data format determination
                inStream.mark(CERT_CACHE_SEED_LENGTH);
            } else {
                // unsupported data
                if (result.size() == 0) {
                    throw new CertificateException("Unsupported encoding");
                } else {
                    // it can be trailing user data,
                    // so keep it in the stream
                    inStream.reset();
                    return result;
                }
            }
            // Check the data format
            BerInputStream in = (encoding == null) ? new BerInputStream(inStream) : new BerInputStream(encoding);
            // read the next ASN.1 tag
            // inStream position changed
            second_asn1_tag = in.next();
            if (encoding == null) {
                // keep whole structure in the stream
                inStream.reset();
            }
            // check if it is a TBSCertificate structure
            if (second_asn1_tag != ASN1Constants.TAG_C_SEQUENCE) {
                if (result.size() == 0) {
                    // whether it is PKCS7 structure
                    break;
                } else {
                    // so return what we already read
                    return result;
                }
            } else {
                if (encoding == null) {
                    result.add(getCertificate(inStream));
                } else {
                    result.add(getCertificate(encoding));
                }
            }
            // mark for the next iteration
            inStream.mark(1);
        }
        if (result.size() != 0) {
            // some Certificates have been read
            return result;
        } else if (ch == -1) {
            throw new CertificateException("There is no data in the stream");
        }
        // else: check if it is PKCS7
        if (second_asn1_tag == ASN1Constants.TAG_OID) {
            // it is PKCS7 ContentInfo structure, so decode it
            ContentInfo info = (ContentInfo) ((encoding != null) ? ContentInfo.ASN1.decode(encoding) : ContentInfo.ASN1.decode(inStream));
            // retrieve SignedData
            SignedData data = info.getSignedData();
            if (data == null) {
                throw new CertificateException("Invalid PKCS7 data provided");
            }
            List<org.apache.harmony.security.x509.Certificate> certs = data.getCertificates();
            if (certs != null) {
                for (org.apache.harmony.security.x509.Certificate cert : certs) {
                    result.add(new X509CertImpl(cert));
                }
            }
            return result;
        }
        // else: Unknown data format
        throw new CertificateException("Unsupported encoding");
    } catch (IOException e) {
        throw new CertificateException(e);
    }
}
Also used : SignedData(org.apache.harmony.security.pkcs7.SignedData) ArrayList(java.util.ArrayList) CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) ContentInfo(org.apache.harmony.security.pkcs7.ContentInfo) BerInputStream(org.apache.harmony.security.asn1.BerInputStream) Certificate(java.security.cert.Certificate)

Example 12 with ContentInfo

use of com.android.apksig.internal.pkcs7.ContentInfo in project XobotOS by xamarin.

the class X509CertFactoryImpl method engineGenerateCRLs.

/**
     * @see java.security.cert.CertificateFactorySpi#engineGenerateCRLs(InputStream)
     * method documentation for more info
     */
public Collection<? extends CRL> engineGenerateCRLs(InputStream inStream) throws CRLException {
    if (inStream == null) {
        throw new CRLException("inStream == null");
    }
    ArrayList<CRL> result = new ArrayList<CRL>();
    try {
        if (!inStream.markSupported()) {
            inStream = new RestoringInputStream(inStream);
        }
        // if it is PEM encoded form this array will contain the encoding
        // so ((it is PEM) <-> (encoding != null))
        byte[] encoding = null;
        // The following by SEQUENCE ASN.1 tag, used for
        // recognizing the data format
        // (is it PKCS7 ContentInfo structure, X.509 CRL, or
        // unsupported encoding)
        int second_asn1_tag = -1;
        inStream.mark(1);
        int ch;
        while ((ch = inStream.read()) != -1) {
            // check if it is PEM encoded form
            if (ch == '-') {
                // beginning of PEM encoding ('-' char)
                // decode PEM chunk and store its content (ASN.1 encoding)
                encoding = decodePEM(inStream, FREE_BOUND_SUFFIX);
            } else if (ch == 0x30) {
                // beginning of ASN.1 sequence (0x30)
                encoding = null;
                inStream.reset();
                // prepare for data format determination
                inStream.mark(CRL_CACHE_SEED_LENGTH);
            } else {
                // unsupported data
                if (result.size() == 0) {
                    throw new CRLException("Unsupported encoding");
                } else {
                    // it can be trailing user data,
                    // so keep it in the stream
                    inStream.reset();
                    return result;
                }
            }
            // Check the data format
            BerInputStream in = (encoding == null) ? new BerInputStream(inStream) : new BerInputStream(encoding);
            // read the next ASN.1 tag
            second_asn1_tag = in.next();
            if (encoding == null) {
                // keep whole structure in the stream
                inStream.reset();
            }
            // check if it is a TBSCertList structure
            if (second_asn1_tag != ASN1Constants.TAG_C_SEQUENCE) {
                if (result.size() == 0) {
                    // whether it is PKCS7 structure
                    break;
                } else {
                    // so return what we already read
                    return result;
                }
            } else {
                if (encoding == null) {
                    result.add(getCRL(inStream));
                } else {
                    result.add(getCRL(encoding));
                }
            }
            inStream.mark(1);
        }
        if (result.size() != 0) {
            // the stream was read out
            return result;
        } else if (ch == -1) {
            throw new CRLException("There is no data in the stream");
        }
        // else: check if it is PKCS7
        if (second_asn1_tag == ASN1Constants.TAG_OID) {
            // it is PKCS7 ContentInfo structure, so decode it
            ContentInfo info = (ContentInfo) ((encoding != null) ? ContentInfo.ASN1.decode(encoding) : ContentInfo.ASN1.decode(inStream));
            // retrieve SignedData
            SignedData data = info.getSignedData();
            if (data == null) {
                throw new CRLException("Invalid PKCS7 data provided");
            }
            List<CertificateList> crls = data.getCRLs();
            if (crls != null) {
                for (CertificateList crl : crls) {
                    result.add(new X509CRLImpl(crl));
                }
            }
            return result;
        }
        // else: Unknown data format
        throw new CRLException("Unsupported encoding");
    } catch (IOException e) {
        throw new CRLException(e);
    }
}
Also used : SignedData(org.apache.harmony.security.pkcs7.SignedData) ArrayList(java.util.ArrayList) CertificateList(org.apache.harmony.security.x509.CertificateList) IOException(java.io.IOException) ContentInfo(org.apache.harmony.security.pkcs7.ContentInfo) X509CRL(java.security.cert.X509CRL) CRL(java.security.cert.CRL) BerInputStream(org.apache.harmony.security.asn1.BerInputStream) CRLException(java.security.cert.CRLException)

Example 13 with ContentInfo

use of com.android.apksig.internal.pkcs7.ContentInfo in project jss by dogtagpki.

the class CertPrettyPrint method pkcs7toString.

public String pkcs7toString(Locale clientLocale) {
    StringBuffer content = new StringBuffer();
    try {
        mX509Cert = new X509CertImpl(mCert_b);
        return toString(clientLocale);
    } catch (Exception e) {
    }
    ContentInfo ci = null;
    try {
        ci = (ContentInfo) ASN1Util.decode(ContentInfo.getTemplate(), mCert_b);
    } catch (Exception e) {
        return "";
    }
    if (ci.getContentType().equals(ContentInfo.SIGNED_DATA)) {
        SignedData sd = null;
        try {
            sd = (SignedData) ci.getInterpretedContent();
        } catch (Exception e) {
            return "";
        }
        if (sd.hasCertificates()) {
            SET certs = sd.getCertificates();
            for (int i = 0; i < certs.size(); i++) {
                org.mozilla.jss.pkix.cert.Certificate cert = (org.mozilla.jss.pkix.cert.Certificate) certs.elementAt(i);
                X509CertImpl certImpl = null;
                try {
                    certImpl = new X509CertImpl(ASN1Util.encode(cert));
                } catch (Exception e) {
                }
                CertPrettyPrint print = new CertPrettyPrint(certImpl);
                content.append(print.toString(Locale.getDefault()));
                content.append("\n");
            }
            return content.toString();
        }
    }
    return content.toString();
}
Also used : SET(org.mozilla.jss.asn1.SET) SignedData(org.mozilla.jss.pkcs7.SignedData) ContentInfo(org.mozilla.jss.pkcs7.ContentInfo) X509CertImpl(org.mozilla.jss.netscape.security.x509.X509CertImpl) Certificate(java.security.cert.Certificate)

Example 14 with ContentInfo

use of com.android.apksig.internal.pkcs7.ContentInfo in project jss by dogtagpki.

the class AuthenticatedSafes method getSafeContentsAt.

/**
 * Returns the SafeContents at the given index in the AuthenticatedSafes,
 * decrypting it if necessary.
 *
 * <p>The algorithm used to extract encrypted SafeContents does not
 *  conform to version 1.0 of the spec. Instead, it conforms to the
 *  draft 1.0 spec, because this is what Communicator and MSIE seem
 *  to conform to.  This looks like an implementation error that has
 *  become firmly entrenched to preserve interoperability. The draft
 *  spec dictates that the encrypted content in the EncryptedContentInfo
 *  is the DER encoding of a SafeContents.  This is simple enough.  The
 *  1.0 final spec says that the SafeContents is wrapped in a ContentInfo,
 *  then the ContentInfo is BER encoded, then the value octets (not the
 *  tag or length) are encrypted. No wonder people stayed with the old way.
 *
 * @param password The password to use to decrypt the SafeContents if
 *  it is encrypted.  If the SafeContents is known to not be encrypted,
 *  this parameter can be null. If the password is incorrect, the
 *  decoding will fail somehow, probably with an InvalidBERException,
 *  BadPaddingException, or IllegalBlockSizeException.
 * @param index The index of the SafeContents to extract.
 * @return A SafeContents object, which is merely a
 *      SEQUENCE of SafeBags.
 * @exception IllegalArgumentException If no password was provided,
 *      but the SafeContents is encrypted.
 */
public SEQUENCE getSafeContentsAt(Password password, int index) throws IllegalStateException, NotInitializedException, NoSuchAlgorithmException, InvalidBERException, IOException, InvalidKeyException, InvalidAlgorithmParameterException, TokenException, IllegalBlockSizeException, BadPaddingException {
    ContentInfo ci = (ContentInfo) sequence.elementAt(index);
    if (ci.getContentType().equals(ContentInfo.ENCRYPTED_DATA)) {
        if (password == null) {
            // can't decrypt if we don't have a password
            throw new IllegalStateException("No password to decode " + "encrypted SafeContents");
        }
        EncryptedContentInfo encCI = ((EncryptedData) ci.getInterpretedContent()).getEncryptedContentInfo();
        // this should be a BER-encoded SafeContents
        byte[] decrypted = encCI.decrypt(password, new PasswordConverter());
        try {
            SEQUENCE.OF_Template seqt = new SEQUENCE.OF_Template(SafeBag.getTemplate());
            return (SEQUENCE) ASN1Util.decode(seqt, decrypted);
        } catch (InvalidBERException e) {
            if (ACCEPT_SECURITY_DYNAMICS) {
                // try the security dynamics approach
                ContentInfo.Template cit = ContentInfo.getTemplate();
                ci = (ContentInfo) ASN1Util.decode(cit, decrypted);
                if (!ci.getContentType().equals(ContentInfo.DATA)) {
                    throw new InvalidBERException("");
                }
                OCTET_STRING os = (OCTET_STRING) ci.getInterpretedContent();
                SEQUENCE.OF_Template seqt = new SEQUENCE.OF_Template(SafeBag.getTemplate());
                return (SEQUENCE) ASN1Util.decode(seqt, os.toByteArray());
            } else {
                throw e;
            }
        }
    } else if (ci.getContentType().equals(ContentInfo.DATA)) {
        // This SafeContents is not encrypted
        SEQUENCE.OF_Template seqt = new SEQUENCE.OF_Template(SafeBag.getTemplate());
        return (SEQUENCE) ASN1Util.decode(seqt, ((OCTET_STRING) ci.getInterpretedContent()).toByteArray());
    } else {
        throw new InvalidBERException("AuthenticatedSafes element is" + " neither a Data or an EncryptedData");
    }
}
Also used : InvalidBERException(org.mozilla.jss.asn1.InvalidBERException) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) ContentInfo(org.mozilla.jss.pkcs7.ContentInfo) EncryptedContentInfo(org.mozilla.jss.pkcs7.EncryptedContentInfo) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) EncryptedData(org.mozilla.jss.pkcs7.EncryptedData) EncryptedContentInfo(org.mozilla.jss.pkcs7.EncryptedContentInfo) ASN1Template(org.mozilla.jss.asn1.ASN1Template)

Example 15 with ContentInfo

use of com.android.apksig.internal.pkcs7.ContentInfo in project jss by dogtagpki.

the class AuthenticatedSafes method addEncryptedSafeContents.

/**
 * Encrypts a SafeContents and adds it to the AuthenticatedSafes.
 *
 * @param keyGenAlg The algorithm used to generate a key from the password.
 *      Must be a PBE algorithm. <code>DEFAULT_KEY_GEN_ALG</code> is
 *      usually fine here. It only provides 40-bit security, but if the
 *      private key material is packaged in its own
 *      <i>EncryptedPrivateKeyInfo</i>, the security of the SafeContents
 *      is not as important.
 * @param password The password to use to generate the encryption key
 *      and IV.
 * @param salt The salt to use to generate the key and IV. If null is
 *      passed in, the salt will be generated randomly, which is usually
 *      the right thing to do.
 * @param iterationCount The number of hash iterations to perform when
 *      generating the key and IV.  Use DEFAULT_ITERATIONS unless
 *      you want to be clever.
 * @param safeContents A SafeContents, which is a SEQUENCE of SafeBags.
 *      Each element of the sequence must in fact be an instance of
 *      <code>SafeBag</code>.
 */
public void addEncryptedSafeContents(PBEAlgorithm keyGenAlg, Password password, byte[] salt, int iterationCount, SEQUENCE safeContents) throws NotInitializedException, InvalidKeyException, InvalidAlgorithmParameterException, TokenException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException {
    try {
        // generate salt if necessary
        if (salt == null) {
            // generate random salt
            JSSSecureRandom rand = CryptoManager.getInstance().createPseudoRandomNumberGenerator();
            salt = new byte[SALT_LENGTH];
            rand.nextBytes(salt);
        }
        EncryptedContentInfo encCI = EncryptedContentInfo.createPBE(keyGenAlg, password, salt, iterationCount, new PasswordConverter(), ASN1Util.encode(safeContents));
        EncryptedData encData = new EncryptedData(encCI);
        ContentInfo ci = new ContentInfo(encData);
        sequence.addElement(ci);
    } catch (CharConversionException e) {
        throw new RuntimeException("Unable to convert password: " + e.getMessage(), e);
    }
}
Also used : ContentInfo(org.mozilla.jss.pkcs7.ContentInfo) EncryptedContentInfo(org.mozilla.jss.pkcs7.EncryptedContentInfo) JSSSecureRandom(org.mozilla.jss.crypto.JSSSecureRandom) EncryptedData(org.mozilla.jss.pkcs7.EncryptedData) CharConversionException(java.io.CharConversionException) EncryptedContentInfo(org.mozilla.jss.pkcs7.EncryptedContentInfo)

Aggregations

IOException (java.io.IOException)12 ContentInfo (org.apache.harmony.security.pkcs7.ContentInfo)11 SignedData (org.apache.harmony.security.pkcs7.SignedData)11 BerInputStream (org.apache.harmony.security.asn1.BerInputStream)9 Certificate (java.security.cert.Certificate)8 X509Certificate (java.security.cert.X509Certificate)8 ArrayList (java.util.ArrayList)6 Signature (java.security.Signature)5 SignerInfo (org.apache.harmony.security.pkcs7.SignerInfo)5 ContentInfo (org.mozilla.jss.pkcs7.ContentInfo)5 ByteArrayInputStream (java.io.ByteArrayInputStream)4 CertificateException (java.security.cert.CertificateException)4 X500Principal (javax.security.auth.x500.X500Principal)4 X509CertImpl (org.apache.harmony.security.provider.cert.X509CertImpl)4 BigInteger (java.math.BigInteger)3 GeneralSecurityException (java.security.GeneralSecurityException)3 MessageDigest (java.security.MessageDigest)3 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3 EncryptedContentInfo (org.mozilla.jss.pkcs7.EncryptedContentInfo)3 RandomAccessFile (java.io.RandomAccessFile)2