Search in sources :

Example 6 with Signature

use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.

the class X509CRLHolder method isSignatureValid.

/**
 * Validate the signature on the CRL.
 *
 * @param verifierProvider a ContentVerifierProvider that can generate a verifier for the
 *                         signature.
 * @return true if the signature is valid, false otherwise.
 * @throws CertException if the signature cannot be processed or is inappropriate.
 */
public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws CertException {
    TBSCertList tbsCRL = x509CRL.getTBSCertList();
    if (!CertUtils.isAlgIdEqual(tbsCRL.getSignature(), x509CRL.getSignatureAlgorithm())) {
        throw new CertException("signature invalid - algorithm identifier mismatch");
    }
    ContentVerifier verifier;
    try {
        verifier = verifierProvider.get((tbsCRL.getSignature()));
        OutputStream sOut = verifier.getOutputStream();
        tbsCRL.encodeTo(sOut, ASN1Encoding.DER);
        sOut.close();
    } catch (Exception e) {
        throw new CertException("unable to process signature: " + e.getMessage(), e);
    }
    return verifier.verify(x509CRL.getSignature().getOctets());
}
Also used : ContentVerifier(com.github.zhenwei.pkix.operator.ContentVerifier) ObjectOutputStream(java.io.ObjectOutputStream) OutputStream(java.io.OutputStream) TBSCertList(com.github.zhenwei.core.asn1.x509.TBSCertList) IOException(java.io.IOException)

Example 7 with Signature

use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.

the class SignerInformation method addCounterSigners.

/**
 * Return a signer information object with passed in SignerInformationStore representing counter
 * signatures attached as an unsigned attribute.
 *
 * @param signerInformation the signerInfo to be used as the basis.
 * @param counterSigners    signer info objects carrying counter signature.
 * @return a copy of the original SignerInformationObject with the changed attributes.
 */
public static SignerInformation addCounterSigners(SignerInformation signerInformation, SignerInformationStore counterSigners) {
    // TODO Perform checks from RFC 3852 11.4
    SignerInfo sInfo = signerInformation.info;
    AttributeTable unsignedAttr = signerInformation.getUnsignedAttributes();
    ASN1EncodableVector v;
    if (unsignedAttr != null) {
        v = unsignedAttr.toASN1EncodableVector();
    } else {
        v = new ASN1EncodableVector();
    }
    ASN1EncodableVector sigs = new ASN1EncodableVector();
    for (Iterator it = counterSigners.getSigners().iterator(); it.hasNext(); ) {
        sigs.add(((SignerInformation) it.next()).toASN1Structure());
    }
    v.add(new Attribute(CMSAttributes.counterSignature, new DERSet(sigs)));
    return new SignerInformation(new SignerInfo(sInfo.getSID(), sInfo.getDigestAlgorithm(), sInfo.getAuthenticatedAttributes(), sInfo.getDigestEncryptionAlgorithm(), sInfo.getEncryptedDigest(), new DERSet(v)), signerInformation.contentType, signerInformation.content, null);
}
Also used : SignerInfo(com.github.zhenwei.pkix.util.asn1.cms.SignerInfo) Attribute(com.github.zhenwei.pkix.util.asn1.cms.Attribute) AttributeTable(com.github.zhenwei.pkix.util.asn1.cms.AttributeTable) Iterator(java.util.Iterator) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector) DERSet(com.github.zhenwei.core.asn1.DERSet)

Example 8 with Signature

use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.

the class SignerInformation method doVerify.

private boolean doVerify(SignerInformationVerifier verifier) throws CMSException {
    String encName = CMSSignedHelper.INSTANCE.getEncryptionAlgName(this.getEncryptionAlgOID());
    ContentVerifier contentVerifier;
    try {
        contentVerifier = verifier.getContentVerifier(encryptionAlgorithm, info.getDigestAlgorithm());
    } catch (OperatorCreationException e) {
        throw new CMSException("can't create content verifier: " + e.getMessage(), e);
    }
    try {
        OutputStream sigOut = contentVerifier.getOutputStream();
        if (resultDigest == null) {
            DigestCalculator calc = verifier.getDigestCalculator(this.getDigestAlgorithmID());
            if (content != null) {
                OutputStream digOut = calc.getOutputStream();
                if (signedAttributeSet == null) {
                    if (contentVerifier instanceof RawContentVerifier) {
                        content.write(digOut);
                    } else {
                        OutputStream cOut = new TeeOutputStream(digOut, sigOut);
                        content.write(cOut);
                        cOut.close();
                    }
                } else {
                    content.write(digOut);
                    sigOut.write(this.getEncodedSignedAttributes());
                }
                digOut.close();
            } else if (signedAttributeSet != null) {
                sigOut.write(this.getEncodedSignedAttributes());
            } else {
                // TODO Get rid of this exception and just treat content==null as empty not missing?
                throw new CMSException("data not encapsulated in signature - use detached constructor.");
            }
            resultDigest = calc.getDigest();
        } else {
            if (signedAttributeSet == null) {
                if (content != null) {
                    content.write(sigOut);
                }
            } else {
                sigOut.write(this.getEncodedSignedAttributes());
            }
        }
        sigOut.close();
    } catch (IOException e) {
        throw new CMSException("can't process mime object to create signature.", e);
    } catch (OperatorCreationException e) {
        throw new CMSException("can't create digest calculator: " + e.getMessage(), e);
    }
    // RFC 3852 11.1 Check the content-type attribute is correct
    verifyContentTypeAttributeValue();
    AttributeTable signedAttrTable = this.getSignedAttributes();
    // RFC 6211 Validate Algorithm Identifier protection attribute if present
    verifyAlgorithmIdentifierProtectionAttribute(signedAttrTable);
    // RFC 3852 11.2 Check the message-digest attribute is correct
    verifyMessageDigestAttribute();
    // RFC 3852 11.4 Validate countersignature attribute(s)
    verifyCounterSignatureAttribute(signedAttrTable);
    try {
        if (signedAttributeSet == null && resultDigest != null) {
            if (contentVerifier instanceof RawContentVerifier) {
                RawContentVerifier rawVerifier = (RawContentVerifier) contentVerifier;
                if (encName.equals("RSA")) {
                    DigestInfo digInfo = new DigestInfo(new AlgorithmIdentifier(digestAlgorithm.getAlgorithm(), DERNull.INSTANCE), resultDigest);
                    return rawVerifier.verify(digInfo.getEncoded(ASN1Encoding.DER), this.getSignature());
                }
                return rawVerifier.verify(resultDigest, this.getSignature());
            }
        }
        return contentVerifier.verify(this.getSignature());
    } catch (IOException e) {
        throw new CMSException("can't process mime object to create signature.", e);
    }
}
Also used : TeeOutputStream(com.github.zhenwei.core.util.io.TeeOutputStream) DigestInfo(com.github.zhenwei.core.asn1.x509.DigestInfo) RawContentVerifier(com.github.zhenwei.pkix.operator.RawContentVerifier) ContentVerifier(com.github.zhenwei.pkix.operator.ContentVerifier) TeeOutputStream(com.github.zhenwei.core.util.io.TeeOutputStream) OutputStream(java.io.OutputStream) DigestCalculator(com.github.zhenwei.pkix.operator.DigestCalculator) AttributeTable(com.github.zhenwei.pkix.util.asn1.cms.AttributeTable) RawContentVerifier(com.github.zhenwei.pkix.operator.RawContentVerifier) ASN1OctetString(com.github.zhenwei.core.asn1.ASN1OctetString) IOException(java.io.IOException) OperatorCreationException(com.github.zhenwei.pkix.operator.OperatorCreationException) AlgorithmIdentifier(com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)

Example 9 with Signature

use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.

the class CMSSignedDataGenerator method generate.

/**
 * Generate a CMS Signed Data object which can be carrying a detached CMS signature, or have
 * encapsulated data, depending on the value of the encapsulated parameter.
 *
 * @param content     the content to be signed.
 * @param encapsulate true if the content should be encapsulated in the signature, false
 *                    otherwise.
 */
public CMSSignedData generate(// FIXME Avoid accessing more than once to support CMSProcessableInputStream
CMSTypedData content, boolean encapsulate) throws CMSException {
    if (!signerInfs.isEmpty()) {
        throw new IllegalStateException("this method can only be used with SignerInfoGenerator");
    }
    // TODO
    // if (signerInfs.isEmpty())
    // {
    // /* RFC 3852 5.2
    // * "In the degenerate case where there are no signers, the
    // * EncapsulatedContentInfo value being "signed" is irrelevant.  In this
    // * case, the content type within the EncapsulatedContentInfo value being
    // * "signed" MUST be id-data (as defined in section 4), and the content
    // * field of the EncapsulatedContentInfo value MUST be omitted."
    // */
    // if (encapsulate)
    // {
    // throw new IllegalArgumentException("no signers, encapsulate must be false");
    // }
    // if (!DATA.equals(eContentType))
    // {
    // throw new IllegalArgumentException("no signers, eContentType must be id-data");
    // }
    // }
    // 
    // if (!DATA.equals(eContentType))
    // {
    // /* RFC 3852 5.3
    // * [The 'signedAttrs']...
    // * field is optional, but it MUST be present if the content type of
    // * the EncapsulatedContentInfo value being signed is not id-data.
    // */
    // // TODO signedAttrs must be present for all signers
    // }
    Set<AlgorithmIdentifier> digestAlgs = new LinkedHashSet<AlgorithmIdentifier>();
    ASN1EncodableVector signerInfos = new ASN1EncodableVector();
    // clear the current preserved digest state
    digests.clear();
    // 
    for (Iterator it = _signers.iterator(); it.hasNext(); ) {
        SignerInformation signer = (SignerInformation) it.next();
        CMSUtils.addDigestAlgs(digestAlgs, signer, digestAlgIdFinder);
        // TODO Verify the content type and calculated digest match the precalculated SignerInfo
        signerInfos.add(signer.toASN1Structure());
    }
    // 
    // add the SignerInfo objects
    // 
    ASN1ObjectIdentifier contentTypeOID = content.getContentType();
    ASN1OctetString octs = null;
    if (content.getContent() != null) {
        ByteArrayOutputStream bOut = null;
        if (encapsulate) {
            bOut = new ByteArrayOutputStream();
        }
        OutputStream cOut = CMSUtils.attachSignersToOutputStream(signerGens, bOut);
        // Just in case it's unencapsulated and there are no signers!
        cOut = CMSUtils.getSafeOutputStream(cOut);
        try {
            content.write(cOut);
            cOut.close();
        } catch (IOException e) {
            throw new CMSException("data processing exception: " + e.getMessage(), e);
        }
        if (encapsulate) {
            octs = new BEROctetString(bOut.toByteArray());
        }
    }
    for (Iterator it = signerGens.iterator(); it.hasNext(); ) {
        SignerInfoGenerator sGen = (SignerInfoGenerator) it.next();
        SignerInfo inf = sGen.generate(contentTypeOID);
        digestAlgs.add(inf.getDigestAlgorithm());
        signerInfos.add(inf);
        byte[] calcDigest = sGen.getCalculatedDigest();
        if (calcDigest != null) {
            digests.put(inf.getDigestAlgorithm().getAlgorithm().getId(), calcDigest);
        }
    }
    ASN1Set certificates = null;
    if (certs.size() != 0) {
        certificates = CMSUtils.createBerSetFromList(certs);
    }
    ASN1Set certrevlist = null;
    if (crls.size() != 0) {
        certrevlist = CMSUtils.createBerSetFromList(crls);
    }
    ContentInfo encInfo = new ContentInfo(contentTypeOID, octs);
    SignedData sd = new SignedData(CMSUtils.convertToBERSet(digestAlgs), encInfo, certificates, certrevlist, new DERSet(signerInfos));
    ContentInfo contentInfo = new ContentInfo(CMSObjectIdentifiers.signedData, sd);
    return new CMSSignedData(content, contentInfo);
}
Also used : LinkedHashSet(java.util.LinkedHashSet) ASN1OctetString(com.github.zhenwei.core.asn1.ASN1OctetString) SignedData(com.github.zhenwei.pkix.util.asn1.cms.SignedData) OutputStream(java.io.OutputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) IOException(java.io.IOException) DERSet(com.github.zhenwei.core.asn1.DERSet) AlgorithmIdentifier(com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier) SignerInfo(com.github.zhenwei.pkix.util.asn1.cms.SignerInfo) BEROctetString(com.github.zhenwei.core.asn1.BEROctetString) ASN1Set(com.github.zhenwei.core.asn1.ASN1Set) ContentInfo(com.github.zhenwei.pkix.util.asn1.cms.ContentInfo) Iterator(java.util.Iterator) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector) ASN1ObjectIdentifier(com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)

Example 10 with Signature

use of com.github.zhenwei.core.asn1.ocsp.Signature in project LinLong-Java by zhenwei1108.

the class CMSSignedDataStreamGenerator method getDigestAlgorithms.

/**
 * Return a list of the current Digest AlgorithmIdentifiers applying to the next signature.
 *
 * @return a list of the Digest AlgorithmIdentifiers
 */
public List<AlgorithmIdentifier> getDigestAlgorithms() {
    List digestAlorithms = new ArrayList();
    // 
    for (Iterator it = _signers.iterator(); it.hasNext(); ) {
        SignerInformation signer = (SignerInformation) it.next();
        AlgorithmIdentifier digAlg = CMSSignedHelper.INSTANCE.fixDigestAlgID(signer.getDigestAlgorithmID(), digestAlgIdFinder);
        digestAlorithms.add(digAlg);
    }
    for (Iterator it = signerGens.iterator(); it.hasNext(); ) {
        SignerInfoGenerator signerGen = (SignerInfoGenerator) it.next();
        digestAlorithms.add(signerGen.getDigestAlgorithm());
    }
    return digestAlorithms;
}
Also used : ArrayList(java.util.ArrayList) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List) AlgorithmIdentifier(com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)

Aggregations

IOException (java.io.IOException)44 ASN1EncodableVector (com.github.zhenwei.core.asn1.ASN1EncodableVector)34 DERSequence (com.github.zhenwei.core.asn1.DERSequence)29 DERBitString (com.github.zhenwei.core.asn1.DERBitString)21 AlgorithmIdentifier (com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)20 OutputStream (java.io.OutputStream)20 SignatureException (java.security.SignatureException)20 GeneralSecurityException (java.security.GeneralSecurityException)15 Signature (java.security.Signature)15 ASN1ObjectIdentifier (com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)14 DEROctetString (com.github.zhenwei.core.asn1.DEROctetString)14 InvalidKeyException (java.security.InvalidKeyException)13 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)13 Iterator (java.util.Iterator)13 OperatorCreationException (com.github.zhenwei.pkix.operator.OperatorCreationException)11 CertificateEncodingException (java.security.cert.CertificateEncodingException)11 NoSuchProviderException (java.security.NoSuchProviderException)10 ASN1OctetString (com.github.zhenwei.core.asn1.ASN1OctetString)9 ASN1Sequence (com.github.zhenwei.core.asn1.ASN1Sequence)9 List (java.util.List)9