Search in sources :

Example 21 with Sequence

use of com.google.showcase.v1beta1.Sequence in project jss by dogtagpki.

the class CMCStatusInfo method encode.

@Override
public void encode(Tag implicitTag, OutputStream ostream) throws IOException {
    SEQUENCE seq = new SEQUENCE();
    seq.addElement(status);
    seq.addElement(bodyList);
    if (statusString != null) {
        seq.addElement(statusString);
    }
    if (otherInfo != null) {
        seq.addElement(otherInfo);
    }
    seq.encode(implicitTag, ostream);
}
Also used : SEQUENCE(org.mozilla.jss.asn1.SEQUENCE)

Example 22 with Sequence

use of com.google.showcase.v1beta1.Sequence in project jss by dogtagpki.

the class SignerInfo method verifyWithAuthenticatedAttributes.

/**
 * Verifies a SignerInfo with authenticated attributes.  If authenticated
 * attributes are present, then two particular attributes must
 * be present: <ul>
 * <li>PKCS #9 Content-Type, the type of content that is being signed.
 *      This must match the contentType parameter.
 * <li>PKCS #9 Message-Digest, the digest of the content that is being
 *      signed. This must match the messageDigest parameter.
 * </ul>
 * After these two attributes are verified to be both present and correct,
 * the encryptedDigest field of the SignerInfo is verified to be the
 * signature of the contents octets of the DER encoding of the
 * authenticatedAttributes field.
 */
private void verifyWithAuthenticatedAttributes(byte[] messageDigest, OBJECT_IDENTIFIER contentType, PublicKey pubkey) throws NotInitializedException, NoSuchAlgorithmException, InvalidKeyException, TokenException, SignatureException {
    int numAttrib = authenticatedAttributes.size();
    if (numAttrib < 2) {
        throw new SignatureException("At least two authenticated attributes must be present:" + " content-type and message-digest");
    }
    // go through the authenticated attributes, verifying the
    // interesting ones
    boolean foundContentType = false;
    boolean foundMessageDigest = false;
    for (int i = 0; i < numAttrib; i++) {
        if (!(authenticatedAttributes.elementAt(i) instanceof Attribute)) {
            throw new SignatureException("Element of authenticatedAttributes is not an Attribute");
        }
        Attribute attrib = (Attribute) authenticatedAttributes.elementAt(i);
        if (attrib.getType().equals(CONTENT_TYPE)) {
            // content-type.  Compare with what was passed in.
            SET vals = attrib.getValues();
            if (vals.size() != 1) {
                throw new SignatureException("Content-Type attribute " + " does not have exactly one value");
            }
            ASN1Value val = vals.elementAt(0);
            OBJECT_IDENTIFIER ctype;
            try {
                if (val instanceof OBJECT_IDENTIFIER) {
                    ctype = (OBJECT_IDENTIFIER) val;
                } else if (val instanceof ANY) {
                    ctype = (OBJECT_IDENTIFIER) ((ANY) val).decodeWith(OBJECT_IDENTIFIER.getTemplate());
                } else {
                    // what the heck is it? not what it's supposed to be
                    throw new InvalidBERException("Content-Type authenticated attribute has unexpected" + " content type");
                }
            } catch (InvalidBERException e) {
                throw new SignatureException("Content-Type authenticated attribute does not have " + "OBJECT IDENTIFIER value");
            }
            // contentType parameter
            if (!ctype.equals(contentType)) {
                throw new SignatureException("Content-type in authenticated attributes does not " + "match content-type being verified");
            }
            // content type is A-OK
            foundContentType = true;
        } else if (attrib.getType().equals(MESSAGE_DIGEST)) {
            SET vals = attrib.getValues();
            if (vals.size() != 1) {
                throw new SignatureException("Message-digest attribute does not have" + " exactly one value");
            }
            ASN1Value val = vals.elementAt(0);
            byte[] mdigest;
            try {
                if (val instanceof OCTET_STRING) {
                    mdigest = ((OCTET_STRING) val).toByteArray();
                } else if (val instanceof ANY) {
                    OCTET_STRING os;
                    os = (OCTET_STRING) ((ANY) val).decodeWith(OCTET_STRING.getTemplate());
                    mdigest = os.toByteArray();
                } else {
                    // what the heck is it? not what it's supposed to be
                    throw new InvalidBERException("Content-Type authenticated attribute has unexpected" + " content type");
                }
            } catch (InvalidBERException e) {
                throw new SignatureException("Message-digest attribute does not" + " have OCTET STRING value");
            }
            // message digest being verified
            if (!byteArraysAreSame(mdigest, messageDigest)) {
                throw new SignatureException("Message-digest attribute does not" + " match message digest being verified");
            }
            // message digest is A-OK
            foundMessageDigest = true;
        }
    // we don't care about other attributes
    }
    if (!foundContentType) {
        throw new SignatureException("Authenticated attributes does not contain" + " PKCS #9 content-type attribute");
    }
    if (!foundMessageDigest) {
        throw new SignatureException("Authenticate attributes does not contain" + " PKCS #9 message-digest attribute");
    }
    SignatureAlgorithm sigAlg = SignatureAlgorithm.fromOID(digestEncryptionAlgorithm.getOID());
    // All the authenticated attributes are present and correct.
    // Now verify the signature.
    CryptoToken token = CryptoManager.getInstance().getInternalCryptoToken();
    Signature sig = token.getSignatureContext(sigAlg);
    sig.initVerify(pubkey);
    // verify the contents octets of the DER encoded authenticated attribs
    byte[] toBeDigested;
    toBeDigested = ASN1Util.encode(authenticatedAttributes);
    MessageDigest md = MessageDigest.getInstance(DigestAlgorithm.fromOID(digestAlgorithm.getOID()).toString());
    byte[] digest = md.digest(toBeDigested);
    byte[] toBeVerified;
    if (sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature) {
        // create DigestInfo structure
        SEQUENCE digestInfo = new SEQUENCE();
        digestInfo.addElement(new AlgorithmIdentifier(digestAlgorithm.getOID(), null));
        digestInfo.addElement(new OCTET_STRING(digest));
        toBeVerified = ASN1Util.encode(digestInfo);
    } else {
        toBeVerified = digest;
    }
    sig.update(toBeVerified);
    if (!sig.verify(encryptedDigest.toByteArray())) {
        // signature is invalid
        throw new SignatureException("encryptedDigest was not the correct" + " signature of the contents octets of the DER-encoded" + " authenticated attributes");
    }
// SUCCESSFULLY VERIFIED
}
Also used : SET(org.mozilla.jss.asn1.SET) CryptoToken(org.mozilla.jss.crypto.CryptoToken) OBJECT_IDENTIFIER(org.mozilla.jss.asn1.OBJECT_IDENTIFIER) SignatureAlgorithm(org.mozilla.jss.crypto.SignatureAlgorithm) SignatureException(java.security.SignatureException) ANY(org.mozilla.jss.asn1.ANY) AlgorithmIdentifier(org.mozilla.jss.pkix.primitive.AlgorithmIdentifier) InvalidBERException(org.mozilla.jss.asn1.InvalidBERException) ASN1Value(org.mozilla.jss.asn1.ASN1Value) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) Signature(org.mozilla.jss.crypto.Signature) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) MessageDigest(java.security.MessageDigest)

Example 23 with Sequence

use of com.google.showcase.v1beta1.Sequence in project jss by dogtagpki.

the class CertificateInfo method encode.

@Override
public void encode(Tag implicitTag, OutputStream ostream) throws IOException {
    SEQUENCE seq = new SEQUENCE();
    if (version != v1) {
        // v1 is the default
        seq.addElement(new EXPLICIT(new Tag(0), new INTEGER(version.getNumber())));
    }
    seq.addElement(serialNumber);
    seq.addElement(signatureAlgId);
    seq.addElement(issuer);
    SEQUENCE validity = new SEQUENCE();
    validity.addElement(encodeValidityDate(notBefore));
    validity.addElement(encodeValidityDate(notAfter));
    seq.addElement(validity);
    seq.addElement(subject);
    seq.addElement(subjectPublicKeyInfo);
    if (issuerUniqueIdentifier != null) {
        seq.addElement(new Tag(1), issuerUniqueIdentifier);
    }
    if (subjectUniqueIdentifier != null) {
        seq.addElement(new Tag(2), subjectUniqueIdentifier);
    }
    if (extensions.size() > 0) {
        seq.addElement(new EXPLICIT(new Tag(3), extensions));
    }
    seq.encode(implicitTag, ostream);
}
Also used : SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) Tag(org.mozilla.jss.asn1.Tag) EXPLICIT(org.mozilla.jss.asn1.EXPLICIT) INTEGER(org.mozilla.jss.asn1.INTEGER)

Example 24 with Sequence

use of com.google.showcase.v1beta1.Sequence in project jss by dogtagpki.

the class PFX method encode.

@Override
public void encode(Tag implicitTag, OutputStream ostream) throws IOException {
    SEQUENCE seq = new SEQUENCE();
    seq.addElement(version);
    seq.addElement(new ContentInfo(ASN1Util.encode(authSafes)));
    if (macData != null) {
        seq.addElement(macData);
    }
    seq.encode(implicitTag, ostream);
}
Also used : ContentInfo(org.mozilla.jss.pkcs7.ContentInfo) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE)

Example 25 with Sequence

use of com.google.showcase.v1beta1.Sequence in project jss by dogtagpki.

the class PFX method main.

public static void main(String[] args) {
    try {
        if (args.length != 2) {
            System.out.println("Usage: PFX <dbdir> <infile>");
            System.exit(-1);
        }
        int certfile = 0;
        CryptoManager.initialize(args[0]);
        // Decode the P12 file
        PFX.Template pfxt = new PFX.Template();
        PFX pfx;
        FileInputStream fis = new FileInputStream(args[1]);
        try (BufferedInputStream in = new BufferedInputStream(fis, 2048)) {
            pfx = (PFX) pfxt.decode(in);
        }
        System.out.println("Decoded PFX");
        // now peruse it for interesting info
        System.out.println("Version: " + pfx.getVersion());
        AuthenticatedSafes authSafes = pfx.getAuthSafes();
        SEQUENCE asSeq = authSafes.getSequence();
        System.out.println("AuthSafes has " + asSeq.size() + " SafeContents");
        System.out.println("Enter password: ");
        Password pass = Password.readPasswordFromConsole();
        // get new password
        System.out.println("Enter new password:");
        Password newPass = Password.readPasswordFromConsole();
        // verify the PFX
        StringBuffer sb = new StringBuffer();
        if (pfx.verifyAuthSafes(pass, sb)) {
            System.out.println("AuthSafes verifies correctly");
        } else {
            System.out.println("AuthSafes failed to verify because: " + sb);
        }
        // get new AuthSafes ready
        AuthenticatedSafes newAuthSafes = new AuthenticatedSafes();
        for (int i = 0; i < asSeq.size(); i++) {
            SEQUENCE safeContents = authSafes.getSafeContentsAt(pass, i);
            System.out.println("\n\nSafeContents #" + i + " has " + safeContents.size() + " bags");
            for (int j = 0; j < safeContents.size(); j++) {
                SafeBag safeBag = (SafeBag) safeContents.elementAt(j);
                System.out.println("\nBag " + j + " has type " + safeBag.getBagType());
                SET attribs = safeBag.getBagAttributes();
                if (attribs == null) {
                    System.out.println("Bag has no attributes");
                } else {
                    for (int b = 0; b < attribs.size(); b++) {
                        Attribute a = (Attribute) attribs.elementAt(b);
                        if (a.getType().equals(SafeBag.FRIENDLY_NAME)) {
                            BMPString bs = (BMPString) ((ANY) a.getValues().elementAt(0)).decodeWith(BMPString.getTemplate());
                            System.out.println("Friendly Name: " + bs);
                        } else if (a.getType().equals(SafeBag.LOCAL_KEY_ID)) {
                            OCTET_STRING os = (OCTET_STRING) ((ANY) a.getValues().elementAt(0)).decodeWith(OCTET_STRING.getTemplate());
                            System.out.println("LocalKeyID:");
                            AuthenticatedSafes.print_byte_array(os.toByteArray());
                        } else {
                            System.out.println("Unknown attribute type");
                        }
                    }
                }
                ASN1Value val = safeBag.getInterpretedBagContent();
                if (val instanceof PrivateKeyInfo) {
                    System.out.println("content is PrivateKeyInfo");
                } else if (val instanceof EncryptedPrivateKeyInfo) {
                    EncryptedPrivateKeyInfo epki = ((EncryptedPrivateKeyInfo) val);
                    System.out.println("content is EncryptedPrivateKeyInfo, algoid:" + epki.getEncryptionAlgorithm().getOID());
                    PrivateKeyInfo pki = epki.decrypt(pass, new PasswordConverter());
                    byte[] salt = new byte[20];
                    JSSSecureRandom rand = CryptoManager.getInstance().getSecureRNG();
                    rand.nextBytes(salt);
                    epki = EncryptedPrivateKeyInfo.createPBE(PBEAlgorithm.PBE_SHA1_DES3_CBC, newPass, salt, 1, new PasswordConverter(), pki);
                    // replace the old safe bag with the new
                    safeContents.insertElementAt(new SafeBag(safeBag.getBagType(), epki, safeBag.getBagAttributes()), j);
                    safeContents.removeElementAt(j + 1);
                } else if (val instanceof CertBag) {
                    System.out.println("   content is CertBag");
                    CertBag cb = (CertBag) val;
                    if (cb.getCertType().equals(CertBag.X509_CERT_TYPE)) {
                        OCTET_STRING os = (OCTET_STRING) cb.getInterpretedCert();
                        FileOutputStream fos = new FileOutputStream("cert" + (certfile++) + ".der");
                        os.encode(fos);
                        fos.close();
                        Certificate cert = (Certificate) ASN1Util.decode(Certificate.getTemplate(), os.toByteArray());
                        cert.getInfo().print(System.out);
                    } else {
                        System.out.println("Unrecognized cert type");
                    }
                } else {
                    System.out.println("content is ANY");
                }
            }
            // Add the new safe contents to the authsafes
            if (authSafes.safeContentsIsEncrypted(i)) {
                newAuthSafes.addEncryptedSafeContents(AuthenticatedSafes.DEFAULT_KEY_GEN_ALG, newPass, null, AuthenticatedSafes.DEFAULT_ITERATIONS, safeContents);
            } else {
                newAuthSafes.addSafeContents(safeContents);
            }
        }
        // Create new PFX from new authsafes
        PFX newPfx = new PFX(newAuthSafes);
        newPfx.computeMacData(newPass, null, DEFAULT_ITERATIONS);
        FileOutputStream fos = new FileOutputStream("newjss.p12");
        newPfx.encode(fos);
        fos.close();
    } catch (Exception e) {
        e.printStackTrace();
    }
}
Also used : SET(org.mozilla.jss.asn1.SET) Attribute(org.mozilla.jss.pkix.primitive.Attribute) JSSSecureRandom(org.mozilla.jss.crypto.JSSSecureRandom) ANY(org.mozilla.jss.asn1.ANY) ASN1Template(org.mozilla.jss.asn1.ASN1Template) ASN1Value(org.mozilla.jss.asn1.ASN1Value) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) BufferedInputStream(java.io.BufferedInputStream) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) BMPString(org.mozilla.jss.asn1.BMPString) Password(org.mozilla.jss.util.Password) FileInputStream(java.io.FileInputStream) InvalidBERException(org.mozilla.jss.asn1.InvalidBERException) DigestException(java.security.DigestException) IOException(java.io.IOException) CharConversionException(java.io.CharConversionException) TokenException(org.mozilla.jss.crypto.TokenException) NotInitializedException(org.mozilla.jss.NotInitializedException) FileOutputStream(java.io.FileOutputStream) EncryptedPrivateKeyInfo(org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo) EncryptedPrivateKeyInfo(org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo) PrivateKeyInfo(org.mozilla.jss.pkix.primitive.PrivateKeyInfo) Certificate(org.mozilla.jss.pkix.cert.Certificate)

Aggregations

SEQUENCE (org.mozilla.jss.asn1.SEQUENCE)50 OCTET_STRING (org.mozilla.jss.asn1.OCTET_STRING)16 Sequence (org.sbolstandard.core2.Sequence)11 SET (org.mozilla.jss.asn1.SET)9 ANY (org.mozilla.jss.asn1.ANY)8 InvalidBERException (org.mozilla.jss.asn1.InvalidBERException)8 OBJECT_IDENTIFIER (org.mozilla.jss.asn1.OBJECT_IDENTIFIER)8 URI (java.net.URI)7 BMPString (org.mozilla.jss.asn1.BMPString)7 CryptoToken (org.mozilla.jss.crypto.CryptoToken)7 ASN1Value (org.mozilla.jss.asn1.ASN1Value)6 INTEGER (org.mozilla.jss.asn1.INTEGER)6 AuthenticatedSafes (org.mozilla.jss.pkcs12.AuthenticatedSafes)6 FileOutputStream (java.io.FileOutputStream)5 IOException (java.io.IOException)5 SignatureException (java.security.SignatureException)5 EXPLICIT (org.mozilla.jss.asn1.EXPLICIT)5 SafeBag (org.mozilla.jss.pkcs12.SafeBag)5 Certificate (org.mozilla.jss.pkix.cert.Certificate)5 ComponentDefinition (org.sbolstandard.core2.ComponentDefinition)5