Search in sources :

Example 1 with ContentVerifier

use of com.github.zhenwei.pkix.operator.ContentVerifier in project LinLong-Java by zhenwei1108.

the class X509AttributeCertificateHolder method isSignatureValid.

/**
 * Validate the signature on the attribute certificate in this holder.
 *
 * @param verifierProvider a ContentVerifierProvider that can generate a verifier for the
 *                         signature.
 * @return true if the signature is valid, false otherwise.
 * @throws CertException if the signature cannot be processed or is inappropriate.
 */
public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws CertException {
    AttributeCertificateInfo acinfo = attrCert.getAcinfo();
    if (!CertUtils.isAlgIdEqual(acinfo.getSignature(), attrCert.getSignatureAlgorithm())) {
        throw new CertException("signature invalid - algorithm identifier mismatch");
    }
    ContentVerifier verifier;
    try {
        verifier = verifierProvider.get((acinfo.getSignature()));
        OutputStream sOut = verifier.getOutputStream();
        acinfo.encodeTo(sOut, ASN1Encoding.DER);
        sOut.close();
    } catch (Exception e) {
        throw new CertException("unable to process signature: " + e.getMessage(), e);
    }
    return verifier.verify(this.getSignature());
}
Also used : AttributeCertificateInfo(com.github.zhenwei.core.asn1.x509.AttributeCertificateInfo) ContentVerifier(com.github.zhenwei.pkix.operator.ContentVerifier) OutputStream(java.io.OutputStream) ObjectOutputStream(java.io.ObjectOutputStream) IOException(java.io.IOException)

Example 2 with ContentVerifier

use of com.github.zhenwei.pkix.operator.ContentVerifier in project LinLong-Java by zhenwei1108.

the class X509CRLHolder method isSignatureValid.

/**
 * Validate the signature on the CRL.
 *
 * @param verifierProvider a ContentVerifierProvider that can generate a verifier for the
 *                         signature.
 * @return true if the signature is valid, false otherwise.
 * @throws CertException if the signature cannot be processed or is inappropriate.
 */
public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws CertException {
    TBSCertList tbsCRL = x509CRL.getTBSCertList();
    if (!CertUtils.isAlgIdEqual(tbsCRL.getSignature(), x509CRL.getSignatureAlgorithm())) {
        throw new CertException("signature invalid - algorithm identifier mismatch");
    }
    ContentVerifier verifier;
    try {
        verifier = verifierProvider.get((tbsCRL.getSignature()));
        OutputStream sOut = verifier.getOutputStream();
        tbsCRL.encodeTo(sOut, ASN1Encoding.DER);
        sOut.close();
    } catch (Exception e) {
        throw new CertException("unable to process signature: " + e.getMessage(), e);
    }
    return verifier.verify(x509CRL.getSignature().getOctets());
}
Also used : ContentVerifier(com.github.zhenwei.pkix.operator.ContentVerifier) ObjectOutputStream(java.io.ObjectOutputStream) OutputStream(java.io.OutputStream) TBSCertList(com.github.zhenwei.core.asn1.x509.TBSCertList) IOException(java.io.IOException)

Example 3 with ContentVerifier

use of com.github.zhenwei.pkix.operator.ContentVerifier in project LinLong-Java by zhenwei1108.

the class SignerInformation method doVerify.

private boolean doVerify(SignerInformationVerifier verifier) throws CMSException {
    String encName = CMSSignedHelper.INSTANCE.getEncryptionAlgName(this.getEncryptionAlgOID());
    ContentVerifier contentVerifier;
    try {
        contentVerifier = verifier.getContentVerifier(encryptionAlgorithm, info.getDigestAlgorithm());
    } catch (OperatorCreationException e) {
        throw new CMSException("can't create content verifier: " + e.getMessage(), e);
    }
    try {
        OutputStream sigOut = contentVerifier.getOutputStream();
        if (resultDigest == null) {
            DigestCalculator calc = verifier.getDigestCalculator(this.getDigestAlgorithmID());
            if (content != null) {
                OutputStream digOut = calc.getOutputStream();
                if (signedAttributeSet == null) {
                    if (contentVerifier instanceof RawContentVerifier) {
                        content.write(digOut);
                    } else {
                        OutputStream cOut = new TeeOutputStream(digOut, sigOut);
                        content.write(cOut);
                        cOut.close();
                    }
                } else {
                    content.write(digOut);
                    sigOut.write(this.getEncodedSignedAttributes());
                }
                digOut.close();
            } else if (signedAttributeSet != null) {
                sigOut.write(this.getEncodedSignedAttributes());
            } else {
                // TODO Get rid of this exception and just treat content==null as empty not missing?
                throw new CMSException("data not encapsulated in signature - use detached constructor.");
            }
            resultDigest = calc.getDigest();
        } else {
            if (signedAttributeSet == null) {
                if (content != null) {
                    content.write(sigOut);
                }
            } else {
                sigOut.write(this.getEncodedSignedAttributes());
            }
        }
        sigOut.close();
    } catch (IOException e) {
        throw new CMSException("can't process mime object to create signature.", e);
    } catch (OperatorCreationException e) {
        throw new CMSException("can't create digest calculator: " + e.getMessage(), e);
    }
    // RFC 3852 11.1 Check the content-type attribute is correct
    verifyContentTypeAttributeValue();
    AttributeTable signedAttrTable = this.getSignedAttributes();
    // RFC 6211 Validate Algorithm Identifier protection attribute if present
    verifyAlgorithmIdentifierProtectionAttribute(signedAttrTable);
    // RFC 3852 11.2 Check the message-digest attribute is correct
    verifyMessageDigestAttribute();
    // RFC 3852 11.4 Validate countersignature attribute(s)
    verifyCounterSignatureAttribute(signedAttrTable);
    try {
        if (signedAttributeSet == null && resultDigest != null) {
            if (contentVerifier instanceof RawContentVerifier) {
                RawContentVerifier rawVerifier = (RawContentVerifier) contentVerifier;
                if (encName.equals("RSA")) {
                    DigestInfo digInfo = new DigestInfo(new AlgorithmIdentifier(digestAlgorithm.getAlgorithm(), DERNull.INSTANCE), resultDigest);
                    return rawVerifier.verify(digInfo.getEncoded(ASN1Encoding.DER), this.getSignature());
                }
                return rawVerifier.verify(resultDigest, this.getSignature());
            }
        }
        return contentVerifier.verify(this.getSignature());
    } catch (IOException e) {
        throw new CMSException("can't process mime object to create signature.", e);
    }
}
Also used : TeeOutputStream(com.github.zhenwei.core.util.io.TeeOutputStream) DigestInfo(com.github.zhenwei.core.asn1.x509.DigestInfo) RawContentVerifier(com.github.zhenwei.pkix.operator.RawContentVerifier) ContentVerifier(com.github.zhenwei.pkix.operator.ContentVerifier) TeeOutputStream(com.github.zhenwei.core.util.io.TeeOutputStream) OutputStream(java.io.OutputStream) DigestCalculator(com.github.zhenwei.pkix.operator.DigestCalculator) AttributeTable(com.github.zhenwei.pkix.util.asn1.cms.AttributeTable) RawContentVerifier(com.github.zhenwei.pkix.operator.RawContentVerifier) ASN1OctetString(com.github.zhenwei.core.asn1.ASN1OctetString) IOException(java.io.IOException) OperatorCreationException(com.github.zhenwei.pkix.operator.OperatorCreationException) AlgorithmIdentifier(com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)

Example 4 with ContentVerifier

use of com.github.zhenwei.pkix.operator.ContentVerifier in project LinLong-Java by zhenwei1108.

the class BcITSContentVerifierProvider method get.

public ContentVerifier get(final int verifierAlgorithmIdentifier) throws OperatorCreationException {
    if (sigChoice != verifierAlgorithmIdentifier) {
        throw new OperatorCreationException("wrong verifier for algorithm: " + verifierAlgorithmIdentifier);
    }
    final Digest digest = BcDefaultDigestProvider.INSTANCE.get(digestAlgo);
    final byte[] parentDigest = new byte[digest.getDigestSize()];
    digest.update(parentData, 0, parentData.length);
    digest.doFinal(parentDigest, 0);
    final byte[] parentTBSDigest = issuer.getIssuer().isSelf() ? new byte[digest.getDigestSize()] : null;
    if (parentTBSDigest != null) {
        byte[] enc = OEREncoder.toByteArray(issuer.toASN1Structure().getCertificateBase().getToBeSignedCertificate(), IEEE1609dot2.tbsCertificate);
        digest.update(enc, 0, enc.length);
        digest.doFinal(parentTBSDigest, 0);
    }
    final OutputStream os = new OutputStream() {

        public void write(int b) throws IOException {
            digest.update((byte) b);
        }

        public void write(byte[] b) throws IOException {
            digest.update(b, 0, b.length);
        }

        public void write(byte[] b, int off, int len) throws IOException {
            digest.update(b, off, len);
        }
    };
    return new ContentVerifier() {

        final DSADigestSigner signer = new DSADigestSigner(new ECDSASigner(), BcDefaultDigestProvider.INSTANCE.get(digestAlgo));

        public AlgorithmIdentifier getAlgorithmIdentifier() {
            return null;
        }

        public OutputStream getOutputStream() {
            return os;
        }

        public boolean verify(byte[] expected) {
            byte[] clientCertDigest = new byte[digest.getDigestSize()];
            digest.doFinal(clientCertDigest, 0);
            // System.out.println("Verify: "+ Hex.toHexString(clientCertDigest));
            signer.init(false, pubParams);
            signer.update(clientCertDigest, 0, clientCertDigest.length);
            // 
            if (parentTBSDigest != null && Arrays.areEqual(clientCertDigest, parentTBSDigest)) {
                byte[] empty = new byte[digest.getDigestSize()];
                digest.doFinal(empty, 0);
                // System.out.println("Empty: "+Hex.toHexString(empty));
                signer.update(empty, 0, empty.length);
            } else {
                signer.update(parentDigest, 0, parentDigest.length);
            }
            return signer.verifySignature(expected);
        }
    };
}
Also used : DSADigestSigner(com.github.zhenwei.core.crypto.signers.DSADigestSigner) Digest(com.github.zhenwei.core.crypto.Digest) ECDSASigner(com.github.zhenwei.core.crypto.signers.ECDSASigner) OutputStream(java.io.OutputStream) ContentVerifier(com.github.zhenwei.pkix.operator.ContentVerifier) OperatorCreationException(com.github.zhenwei.pkix.operator.OperatorCreationException)

Example 5 with ContentVerifier

use of com.github.zhenwei.pkix.operator.ContentVerifier in project LinLong-Java by zhenwei1108.

the class BasicOCSPResp method isSignatureValid.

/**
 * verify the signature against the tbsResponseData object we contain.
 */
public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws OCSPException {
    try {
        ContentVerifier verifier = verifierProvider.get(resp.getSignatureAlgorithm());
        OutputStream vOut = verifier.getOutputStream();
        vOut.write(resp.getTbsResponseData().getEncoded(ASN1Encoding.DER));
        vOut.close();
        return verifier.verify(this.getSignature());
    } catch (Exception e) {
        throw new OCSPException("exception processing sig: " + e, e);
    }
}
Also used : ContentVerifier(com.github.zhenwei.pkix.operator.ContentVerifier) OutputStream(java.io.OutputStream) IOException(java.io.IOException)

Aggregations

ContentVerifier (com.github.zhenwei.pkix.operator.ContentVerifier)11 OutputStream (java.io.OutputStream)11 IOException (java.io.IOException)8 OperatorCreationException (com.github.zhenwei.pkix.operator.OperatorCreationException)3 ObjectOutputStream (java.io.ObjectOutputStream)3 DigestCalculator (com.github.zhenwei.pkix.operator.DigestCalculator)2 ASN1Exception (com.github.zhenwei.core.asn1.ASN1Exception)1 ASN1OctetString (com.github.zhenwei.core.asn1.ASN1OctetString)1 CertificationRequestInfo (com.github.zhenwei.core.asn1.pkcs.CertificationRequestInfo)1 AlgorithmIdentifier (com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)1 AttributeCertificateInfo (com.github.zhenwei.core.asn1.x509.AttributeCertificateInfo)1 DigestInfo (com.github.zhenwei.core.asn1.x509.DigestInfo)1 TBSCertList (com.github.zhenwei.core.asn1.x509.TBSCertList)1 TBSCertificate (com.github.zhenwei.core.asn1.x509.TBSCertificate)1 Digest (com.github.zhenwei.core.crypto.Digest)1 DSADigestSigner (com.github.zhenwei.core.crypto.signers.DSADigestSigner)1 ECDSASigner (com.github.zhenwei.core.crypto.signers.ECDSASigner)1 TeeOutputStream (com.github.zhenwei.core.util.io.TeeOutputStream)1 CertIOException (com.github.zhenwei.pkix.cert.CertIOException)1 DigestCalculatorProvider (com.github.zhenwei.pkix.operator.DigestCalculatorProvider)1