use of com.github.zhenwei.pkix.operator.ContentVerifier in project LinLong-Java by zhenwei1108.
the class X509AttributeCertificateHolder method isSignatureValid.
/**
* Validate the signature on the attribute certificate in this holder.
*
* @param verifierProvider a ContentVerifierProvider that can generate a verifier for the
* signature.
* @return true if the signature is valid, false otherwise.
* @throws CertException if the signature cannot be processed or is inappropriate.
*/
public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws CertException {
AttributeCertificateInfo acinfo = attrCert.getAcinfo();
if (!CertUtils.isAlgIdEqual(acinfo.getSignature(), attrCert.getSignatureAlgorithm())) {
throw new CertException("signature invalid - algorithm identifier mismatch");
}
ContentVerifier verifier;
try {
verifier = verifierProvider.get((acinfo.getSignature()));
OutputStream sOut = verifier.getOutputStream();
acinfo.encodeTo(sOut, ASN1Encoding.DER);
sOut.close();
} catch (Exception e) {
throw new CertException("unable to process signature: " + e.getMessage(), e);
}
return verifier.verify(this.getSignature());
}
use of com.github.zhenwei.pkix.operator.ContentVerifier in project LinLong-Java by zhenwei1108.
the class X509CRLHolder method isSignatureValid.
/**
* Validate the signature on the CRL.
*
* @param verifierProvider a ContentVerifierProvider that can generate a verifier for the
* signature.
* @return true if the signature is valid, false otherwise.
* @throws CertException if the signature cannot be processed or is inappropriate.
*/
public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws CertException {
TBSCertList tbsCRL = x509CRL.getTBSCertList();
if (!CertUtils.isAlgIdEqual(tbsCRL.getSignature(), x509CRL.getSignatureAlgorithm())) {
throw new CertException("signature invalid - algorithm identifier mismatch");
}
ContentVerifier verifier;
try {
verifier = verifierProvider.get((tbsCRL.getSignature()));
OutputStream sOut = verifier.getOutputStream();
tbsCRL.encodeTo(sOut, ASN1Encoding.DER);
sOut.close();
} catch (Exception e) {
throw new CertException("unable to process signature: " + e.getMessage(), e);
}
return verifier.verify(x509CRL.getSignature().getOctets());
}
use of com.github.zhenwei.pkix.operator.ContentVerifier in project LinLong-Java by zhenwei1108.
the class SignerInformation method doVerify.
private boolean doVerify(SignerInformationVerifier verifier) throws CMSException {
String encName = CMSSignedHelper.INSTANCE.getEncryptionAlgName(this.getEncryptionAlgOID());
ContentVerifier contentVerifier;
try {
contentVerifier = verifier.getContentVerifier(encryptionAlgorithm, info.getDigestAlgorithm());
} catch (OperatorCreationException e) {
throw new CMSException("can't create content verifier: " + e.getMessage(), e);
}
try {
OutputStream sigOut = contentVerifier.getOutputStream();
if (resultDigest == null) {
DigestCalculator calc = verifier.getDigestCalculator(this.getDigestAlgorithmID());
if (content != null) {
OutputStream digOut = calc.getOutputStream();
if (signedAttributeSet == null) {
if (contentVerifier instanceof RawContentVerifier) {
content.write(digOut);
} else {
OutputStream cOut = new TeeOutputStream(digOut, sigOut);
content.write(cOut);
cOut.close();
}
} else {
content.write(digOut);
sigOut.write(this.getEncodedSignedAttributes());
}
digOut.close();
} else if (signedAttributeSet != null) {
sigOut.write(this.getEncodedSignedAttributes());
} else {
// TODO Get rid of this exception and just treat content==null as empty not missing?
throw new CMSException("data not encapsulated in signature - use detached constructor.");
}
resultDigest = calc.getDigest();
} else {
if (signedAttributeSet == null) {
if (content != null) {
content.write(sigOut);
}
} else {
sigOut.write(this.getEncodedSignedAttributes());
}
}
sigOut.close();
} catch (IOException e) {
throw new CMSException("can't process mime object to create signature.", e);
} catch (OperatorCreationException e) {
throw new CMSException("can't create digest calculator: " + e.getMessage(), e);
}
// RFC 3852 11.1 Check the content-type attribute is correct
verifyContentTypeAttributeValue();
AttributeTable signedAttrTable = this.getSignedAttributes();
// RFC 6211 Validate Algorithm Identifier protection attribute if present
verifyAlgorithmIdentifierProtectionAttribute(signedAttrTable);
// RFC 3852 11.2 Check the message-digest attribute is correct
verifyMessageDigestAttribute();
// RFC 3852 11.4 Validate countersignature attribute(s)
verifyCounterSignatureAttribute(signedAttrTable);
try {
if (signedAttributeSet == null && resultDigest != null) {
if (contentVerifier instanceof RawContentVerifier) {
RawContentVerifier rawVerifier = (RawContentVerifier) contentVerifier;
if (encName.equals("RSA")) {
DigestInfo digInfo = new DigestInfo(new AlgorithmIdentifier(digestAlgorithm.getAlgorithm(), DERNull.INSTANCE), resultDigest);
return rawVerifier.verify(digInfo.getEncoded(ASN1Encoding.DER), this.getSignature());
}
return rawVerifier.verify(resultDigest, this.getSignature());
}
}
return contentVerifier.verify(this.getSignature());
} catch (IOException e) {
throw new CMSException("can't process mime object to create signature.", e);
}
}
use of com.github.zhenwei.pkix.operator.ContentVerifier in project LinLong-Java by zhenwei1108.
the class BcITSContentVerifierProvider method get.
public ContentVerifier get(final int verifierAlgorithmIdentifier) throws OperatorCreationException {
if (sigChoice != verifierAlgorithmIdentifier) {
throw new OperatorCreationException("wrong verifier for algorithm: " + verifierAlgorithmIdentifier);
}
final Digest digest = BcDefaultDigestProvider.INSTANCE.get(digestAlgo);
final byte[] parentDigest = new byte[digest.getDigestSize()];
digest.update(parentData, 0, parentData.length);
digest.doFinal(parentDigest, 0);
final byte[] parentTBSDigest = issuer.getIssuer().isSelf() ? new byte[digest.getDigestSize()] : null;
if (parentTBSDigest != null) {
byte[] enc = OEREncoder.toByteArray(issuer.toASN1Structure().getCertificateBase().getToBeSignedCertificate(), IEEE1609dot2.tbsCertificate);
digest.update(enc, 0, enc.length);
digest.doFinal(parentTBSDigest, 0);
}
final OutputStream os = new OutputStream() {
public void write(int b) throws IOException {
digest.update((byte) b);
}
public void write(byte[] b) throws IOException {
digest.update(b, 0, b.length);
}
public void write(byte[] b, int off, int len) throws IOException {
digest.update(b, off, len);
}
};
return new ContentVerifier() {
final DSADigestSigner signer = new DSADigestSigner(new ECDSASigner(), BcDefaultDigestProvider.INSTANCE.get(digestAlgo));
public AlgorithmIdentifier getAlgorithmIdentifier() {
return null;
}
public OutputStream getOutputStream() {
return os;
}
public boolean verify(byte[] expected) {
byte[] clientCertDigest = new byte[digest.getDigestSize()];
digest.doFinal(clientCertDigest, 0);
// System.out.println("Verify: "+ Hex.toHexString(clientCertDigest));
signer.init(false, pubParams);
signer.update(clientCertDigest, 0, clientCertDigest.length);
//
if (parentTBSDigest != null && Arrays.areEqual(clientCertDigest, parentTBSDigest)) {
byte[] empty = new byte[digest.getDigestSize()];
digest.doFinal(empty, 0);
// System.out.println("Empty: "+Hex.toHexString(empty));
signer.update(empty, 0, empty.length);
} else {
signer.update(parentDigest, 0, parentDigest.length);
}
return signer.verifySignature(expected);
}
};
}
use of com.github.zhenwei.pkix.operator.ContentVerifier in project LinLong-Java by zhenwei1108.
the class BasicOCSPResp method isSignatureValid.
/**
* verify the signature against the tbsResponseData object we contain.
*/
public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws OCSPException {
try {
ContentVerifier verifier = verifierProvider.get(resp.getSignatureAlgorithm());
OutputStream vOut = verifier.getOutputStream();
vOut.write(resp.getTbsResponseData().getEncoded(ASN1Encoding.DER));
vOut.close();
return verifier.verify(this.getSignature());
} catch (Exception e) {
throw new OCSPException("exception processing sig: " + e, e);
}
}
Aggregations