
Example 66 with Attribute

use of com.github.zhenwei.core.asn1.pkcs.Attribute in project LinLong-Java by zhenwei1108.

the class CMSEnvelopedDataParser method getUnprotectedAttributes.

/**
 * Returns a table of the unprotected attributes, indexed by the OID of the attribute.
 *
 * <p>The attributes are read from the underlying parser on the first call and cached; later
 * calls return the cached table. The result is {@code null} when the enveloped data carries no
 * unprotected attributes.
 *
 * <p>NOTE(review): as the name says, these attributes are "unprotected"; callers should
 * presumably not treat their contents as authenticated. Confirm against the CMS profile in use.
 *
 * @return the attribute table, or {@code null} if no unprotected attributes are present.
 * @throws IOException if the underlying parser fails while reading the attribute set.
 */
public AttributeTable getUnprotectedAttributes() throws IOException {
    // Already parsed (or already attempted): hand back whatever is cached.
    if (unprotectedAttributes != null || !attrNotRead) {
        return unprotectedAttributes;
    }
    ASN1SetParser attrSet = envelopedData.getUnprotectedAttrs();
    // The flag is cleared before the elements are read, so a failure part-way through is not
    // retried: subsequent calls return null rather than re-reading.
    attrNotRead = false;
    if (attrSet == null) {
        return unprotectedAttributes;
    }
    ASN1EncodableVector collected = new ASN1EncodableVector();
    for (ASN1Encodable item = attrSet.readObject(); item != null; item = attrSet.readObject()) {
        // Each element is expected to be a SEQUENCE; any other element type surfaces as a
        // ClassCastException rather than an IOException.
        ASN1SequenceParser attrSeq = (ASN1SequenceParser) item;
        collected.add(attrSeq.toASN1Primitive());
    }
    unprotectedAttributes = new AttributeTable(new DERSet(collected));
    return unprotectedAttributes;
}
Also used : ASN1SequenceParser(com.github.zhenwei.core.asn1.ASN1SequenceParser) ASN1SetParser(com.github.zhenwei.core.asn1.ASN1SetParser) AttributeTable(com.github.zhenwei.pkix.util.asn1.cms.AttributeTable) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector) ASN1Encodable(com.github.zhenwei.core.asn1.ASN1Encodable) DERSet(com.github.zhenwei.core.asn1.DERSet)

Example 67 with Attribute

use of com.github.zhenwei.core.asn1.pkcs.Attribute in project LinLong-Java by zhenwei1108.

the class SignerInformation method verifyAlgorithmIdentifierProtectionAttribute.

/**
 * Validates the RFC 6211 Algorithm Identifier Protection attribute, if one is present.
 *
 * <p>The checks, in order: the attribute must not appear among the unsigned attributes; the
 * signed attributes may hold at most one instance; that instance must carry exactly one value;
 * and the digest and signature algorithms it names must be equivalent to those recorded in the
 * signer info. When the signed attributes are absent or do not contain the attribute, the method
 * returns without error.
 *
 * @param signedAttrTable signed attributes, may be {@code null}
 * @throws CMSException when the cmsAlgorithmProtect attribute was rejected
 */
private void verifyAlgorithmIdentifierProtectionAttribute(AttributeTable signedAttrTable) throws CMSException {
    // An unsigned copy is not covered by the signature, so it is rejected outright instead of
    // being ignored.
    AttributeTable unsignedAttrs = this.getUnsignedAttributes();
    boolean presentAsUnsigned = unsignedAttrs != null
        && unsignedAttrs.getAll(CMSAttributes.cmsAlgorithmProtect).size() > 0;
    if (presentAsUnsigned) {
        throw new CMSException("A cmsAlgorithmProtect attribute MUST be a signed attribute");
    }
    if (signedAttrTable == null) {
        return;
    }

    ASN1EncodableVector matches = signedAttrTable.getAll(CMSAttributes.cmsAlgorithmProtect);
    int matchCount = matches.size();
    if (matchCount > 1) {
        throw new CMSException("Only one instance of a cmsAlgorithmProtect attribute can be present");
    }
    if (matchCount == 0) {
        // The attribute is optional: nothing to verify.
        return;
    }

    Attribute protectAttr = Attribute.getInstance(matches.get(0));
    if (protectAttr.getAttrValues().size() != 1) {
        throw new CMSException("A cmsAlgorithmProtect attribute MUST contain exactly one value");
    }
    CMSAlgorithmProtection declared = CMSAlgorithmProtection.getInstance(protectAttr.getAttributeValues()[0]);

    // The signed declaration must agree with the algorithm identifiers held in the signer info.
    boolean digestMatches = CMSUtils.isEquivalent(declared.getDigestAlgorithm(), info.getDigestAlgorithm());
    if (!digestMatches) {
        throw new CMSException("CMS Algorithm Identifier Protection check failed for digestAlgorithm");
    }
    boolean signatureMatches = CMSUtils.isEquivalent(declared.getSignatureAlgorithm(), info.getDigestEncryptionAlgorithm());
    if (!signatureMatches) {
        throw new CMSException("CMS Algorithm Identifier Protection check failed for signatureAlgorithm");
    }
}
Also used : CMSAlgorithmProtection(com.github.zhenwei.pkix.util.asn1.cms.CMSAlgorithmProtection) Attribute(com.github.zhenwei.pkix.util.asn1.cms.Attribute) AttributeTable(com.github.zhenwei.pkix.util.asn1.cms.AttributeTable) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector)

Example 68 with Attribute

use of com.github.zhenwei.core.asn1.pkcs.Attribute in project LinLong-Java by zhenwei1108.

the class SignerInformation method getSingleValuedSignedAttribute.

/**
 * Returns the single value of a signed attribute that must occur at most once and must not
 * occur as an unsigned attribute.
 *
 * @param attrOID       the OID of the attribute to look up.
 * @param printableName the attribute's name as used in error messages.
 * @return the attribute's only value, or {@code null} if there are no signed attributes or the
 *         attribute is not among them.
 * @throws CMSException if the attribute appears among the unsigned attributes, appears more
 *                      than once among the signed attributes, or does not hold exactly one value.
 */
private ASN1Primitive getSingleValuedSignedAttribute(ASN1ObjectIdentifier attrOID, String printableName) throws CMSException {
    // An unsigned copy is rejected before the signed set is consulted at all.
    AttributeTable unsignedAttrs = this.getUnsignedAttributes();
    boolean presentAsUnsigned = unsignedAttrs != null && unsignedAttrs.getAll(attrOID).size() > 0;
    if (presentAsUnsigned) {
        throw new CMSException("The " + printableName + " attribute MUST NOT be an unsigned attribute");
    }

    AttributeTable signedAttrs = this.getSignedAttributes();
    if (signedAttrs == null) {
        return null;
    }

    ASN1EncodableVector matches = signedAttrs.getAll(attrOID);
    int matchCount = matches.size();
    if (matchCount == 0) {
        return null;
    }
    if (matchCount != 1) {
        throw new CMSException("The SignedAttributes in a signerInfo MUST NOT include multiple instances of the " + printableName + " attribute");
    }

    Attribute only = (Attribute) matches.get(0);
    ASN1Set values = only.getAttrValues();
    if (values.size() != 1) {
        throw new CMSException("A " + printableName + " attribute MUST have a single attribute value");
    }
    return values.getObjectAt(0).toASN1Primitive();
}
Also used : ASN1Set(com.github.zhenwei.core.asn1.ASN1Set) Attribute(com.github.zhenwei.pkix.util.asn1.cms.Attribute) AttributeTable(com.github.zhenwei.pkix.util.asn1.cms.AttributeTable) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector)

Example 69 with Attribute

use of com.github.zhenwei.core.asn1.pkcs.Attribute in project LinLong-Java by zhenwei1108.

the class RFC3280CertPathUtilities method processCRLF.

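/**
 * Obtain and validate the certification path for the complete CRL issuer. If a key usage
 * extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set.
 *
 * <p>Candidate issuer certificates are those found in the configured stores whose subject
 * equals the CRL's issuer, plus <code>defaultCRLSignCert</code>. Every candidate other than
 * <code>defaultCRLSignCert</code> must build a valid PKIX path; a failure for any single
 * candidate aborts the whole call.
 *
 * @param crl                CRL which contains revocation information for the certificate
 *                           <code>cert</code>.
 * @param cert               The attribute certificate or certificate to check if it is revoked.
 *                           Not read by this method.
 * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
 * @param defaultCRLSignKey  The public key of the issuer certificate
 *                           <code>defaultCRLSignCert</code>.
 * @param paramsPKIX         PKIX parameters.
 * @param certPathCerts      The certificates on the certification path.
 * @param helper             Used to create the PKIX <code>CertPathBuilder</code> and passed on
 *                           when the working key of a built path is retrieved.
 * @return A <code>Set</code> with all keys of possible CRL issuer certificates.
 * @throws AnnotatedException if the CRL is not valid or the status cannot be checked or some
 *                            error occurs.
 */
protected static Set processCRLF(X509CRL crl, Object cert, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, PKIXExtendedParameters paramsPKIX, List certPathCerts, JcaJceHelper helper) throws AnnotatedException {
    // (f)
    // Select certificates whose subject is the issuer named in the CRL.
    X509CertSelector certSelector = new X509CertSelector();
    try {
        byte[] issuerPrincipal = crl.getIssuerX500Principal().getEncoded();
        certSelector.setSubject(issuerPrincipal);
    } catch (IOException e) {
        throw new AnnotatedException("subject criteria for certificate selector to find issuer certificate for CRL could not be set", e);
    }
    PKIXCertStoreSelector selector = new PKIXCertStoreSelector.Builder(certSelector).build();

    // Gather the candidate CRL signing certificates from both kinds of store.
    LinkedHashSet coll = new LinkedHashSet();
    try {
        RevocationUtilities.findCertificates(coll, selector, paramsPKIX.getCertificateStores());
        RevocationUtilities.findCertificates(coll, selector, paramsPKIX.getCertStores());
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e);
    }
    coll.add(defaultCRLSignCert);

    // validCerts and validKeys are parallel lists: validKeys.get(i) belongs to validCerts.get(i).
    List validCerts = new ArrayList();
    List validKeys = new ArrayList();
    Iterator cert_it = coll.iterator();
    while (cert_it.hasNext()) {
        X509Certificate signingCert = (X509Certificate) cert_it.next();
        /*
         * The CA of the certificate for which this CRL is checked has also signed the CRL,
         * so path validation is skipped because it has already been done.
         */
        if (signingCert.equals(defaultCRLSignCert)) {
            validCerts.add(signingCert);
            validKeys.add(defaultCRLSignKey);
            continue;
        }
        try {
            CertPathBuilder builder = helper.createCertPathBuilder("PKIX");
            X509CertSelector tmpCertSelector = new X509CertSelector();
            tmpCertSelector.setCertificate(signingCert);
            PKIXExtendedParameters.Builder paramsBuilder = new PKIXExtendedParameters.Builder(paramsPKIX).setTargetConstraints(new PKIXCertStoreSelector.Builder(tmpCertSelector).build());
            /*
             * If signingCert is itself on the path being validated, checking its revocation
             * would need this CRL, which in turn needs signingCert: a dependency loop.
             * Revocation checking is therefore disabled for that case only; per the original
             * author's note, CRL forgery is still detected in the outer loop. For every other
             * candidate revocation checking must stay enabled to prevent forgery attacks.
             */
            paramsBuilder.setRevocationEnabled(!certPathCerts.contains(signingCert));
            PKIXExtendedBuilderParameters extParams = new PKIXExtendedBuilderParameters.Builder(paramsBuilder.build()).build();
            List certs = builder.build(extParams).getCertPath().getCertificates();
            validCerts.add(signingCert);
            validKeys.add(RevocationUtilities.getNextWorkingKey(certs, 0, helper));
        } catch (CertPathBuilderException e) {
            throw new AnnotatedException("CertPath for CRL signer failed to validate.", e);
        } catch (CertPathValidatorException e) {
            throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e);
        } catch (Exception e) {
            // Keep the cause so the underlying provider/algorithm failure stays diagnosable.
            throw new AnnotatedException(e.getMessage(), e);
        }
    }

    Set checkKeys = new HashSet();
    AnnotatedException lastException = null;
    for (int i = 0; i < validCerts.size(); i++) {
        X509Certificate signCert = (X509Certificate) validCerts.get(i);
        boolean[] keyUsage = signCert.getKeyUsage();
        // A certificate without a key usage extension (null) is accepted; only a present
        // extension that does not assert cRLSign excludes the key.
        if (keyUsage != null && (keyUsage.length <= CRL_SIGN || !keyUsage[CRL_SIGN])) {
            lastException = new AnnotatedException("Issuer certificate key usage extension does not permit CRL signing.");
        } else {
            checkKeys.add(validKeys.get(i));
        }
    }

    // No usable key: report the key-usage rejection if there was one, else the generic failure.
    if (checkKeys.isEmpty()) {
        if (lastException != null) {
            throw lastException;
        }
        throw new AnnotatedException("Cannot find a valid issuer certificate.");
    }
    return checkKeys;
}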
Also used : LinkedHashSet(java.util.LinkedHashSet) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet) Set(java.util.Set) CertPathBuilder(java.security.cert.CertPathBuilder) ArrayList(java.util.ArrayList) X509CertSelector(java.security.cert.X509CertSelector) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) CertPathBuilderException(java.security.cert.CertPathBuilderException) CertPathValidatorException(java.security.cert.CertPathValidatorException) IOException(java.io.IOException) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint) PKIXCertStoreSelector(com.github.zhenwei.provider.jcajce.PKIXCertStoreSelector) CertPathValidatorException(java.security.cert.CertPathValidatorException) PKIXExtendedParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedParameters) PKIXExtendedBuilderParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedBuilderParameters) CertPathBuilderException(java.security.cert.CertPathBuilderException) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List) CertPathBuilder(java.security.cert.CertPathBuilder) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet)

Example 70 with Attribute

use of com.github.zhenwei.core.asn1.pkcs.Attribute in project LinLong-Java by zhenwei1108.

the class AttributeTable method getAll.

/**
 * Collects every attribute stored under the OBJECT IDENTIFIER {@code oid}. The returned vector
 * is empty, never {@code null}, when no attribute of that type is present.
 *
 * @param oid type of attribute required.
 * @return a vector of all the attributes found of type oid.
 */
public ASN1EncodableVector getAll(ASN1ObjectIdentifier oid) {
    ASN1EncodableVector matches = new ASN1EncodableVector();
    Object stored = attributes.get(oid);
    if (stored == null) {
        return matches;
    }
    if (!(stored instanceof Vector)) {
        // A lone entry is stored directly rather than wrapped in a Vector.
        matches.add((Attribute) stored);
        return matches;
    }
    // Several attributes share this OID: copy each one across in stored order.
    for (Enumeration items = ((Vector) stored).elements(); items.hasMoreElements();) {
        matches.add((Attribute) items.nextElement());
    }
    return matches;
}
Also used : Enumeration(java.util.Enumeration) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector) Vector(java.util.Vector)
