Example 11 with ContentInfo
use of com.mindbright.security.pkcs7.ContentInfo in project XobotOS by xamarin.
the class X509CertFactoryImpl method engineGenerateCertificates.
/**
* Generates the collection of the certificates on the base of provided
* via input stream encodings.
* @see java.security.cert.CertificateFactorySpi#engineGenerateCertificates(InputStream)
* method documentation for more info
*/
public Collection<? extends Certificate> engineGenerateCertificates(InputStream inStream) throws CertificateException {
if (inStream == null) {
throw new CertificateException("inStream == null");
}
ArrayList<Certificate> result = new ArrayList<Certificate>();
try {
if (!inStream.markSupported()) {
// create the mark supporting wrapper
inStream = new RestoringInputStream(inStream);
}
// if it is PEM encoded form this array will contain the encoding
// so ((it is PEM) <-> (encoding != null))
byte[] encoding = null;
// The following by SEQUENCE ASN.1 tag, used for
// recognizing the data format
// (is it PKCS7 ContentInfo structure, X.509 Certificate, or
// unsupported encoding)
int second_asn1_tag = -1;
inStream.mark(1);
int ch;
while ((ch = inStream.read()) != -1) {
// check if it is PEM encoded form
if (ch == '-') {
// beginning of PEM encoding ('-' char)
// decode PEM chunk and store its content (ASN.1 encoding)
encoding = decodePEM(inStream, FREE_BOUND_SUFFIX);
} else if (ch == 0x30) {
// beginning of ASN.1 sequence (0x30)
encoding = null;
inStream.reset();
// prepare for data format determination
inStream.mark(CERT_CACHE_SEED_LENGTH);
} else {
// unsupported data
if (result.size() == 0) {
throw new CertificateException("Unsupported encoding");
} else {
// it can be trailing user data,
// so keep it in the stream
inStream.reset();
return result;
}
}
// Check the data format
BerInputStream in = (encoding == null) ? new BerInputStream(inStream) : new BerInputStream(encoding);
// read the next ASN.1 tag
// inStream position changed
second_asn1_tag = in.next();
if (encoding == null) {
// keep whole structure in the stream
inStream.reset();
}
// check if it is a TBSCertificate structure
if (second_asn1_tag != ASN1Constants.TAG_C_SEQUENCE) {
if (result.size() == 0) {
// whether it is PKCS7 structure
break;
} else {
// so return what we already read
return result;
}
} else {
if (encoding == null) {
result.add(getCertificate(inStream));
} else {
result.add(getCertificate(encoding));
}
}
// mark for the next iteration
inStream.mark(1);
}
if (result.size() != 0) {
// some Certificates have been read
return result;
} else if (ch == -1) {
throw new CertificateException("There is no data in the stream");
}
// else: check if it is PKCS7
if (second_asn1_tag == ASN1Constants.TAG_OID) {
// it is PKCS7 ContentInfo structure, so decode it
ContentInfo info = (ContentInfo) ((encoding != null) ? ContentInfo.ASN1.decode(encoding) : ContentInfo.ASN1.decode(inStream));
// retrieve SignedData
SignedData data = info.getSignedData();
if (data == null) {
throw new CertificateException("Invalid PKCS7 data provided");
}
List<org.apache.harmony.security.x509.Certificate> certs = data.getCertificates();
if (certs != null) {
for (org.apache.harmony.security.x509.Certificate cert : certs) {
result.add(new X509CertImpl(cert));
}
}
return result;
}
// else: Unknown data format
throw new CertificateException("Unsupported encoding");
} catch (IOException e) {
throw new CertificateException(e);
}
}
Also used :
SignedData(org.apache.harmony.security.pkcs7.SignedData)
ArrayList(java.util.ArrayList)
CertificateException(java.security.cert.CertificateException)
IOException(java.io.IOException)
ContentInfo(org.apache.harmony.security.pkcs7.ContentInfo)
BerInputStream(org.apache.harmony.security.asn1.BerInputStream)
Certificate(java.security.cert.Certificate)
Example 12 with ContentInfo
use of com.mindbright.security.pkcs7.ContentInfo in project XobotOS by xamarin.
the class X509CertFactoryImpl method engineGenerateCRLs.
/**
* @see java.security.cert.CertificateFactorySpi#engineGenerateCRLs(InputStream)
* method documentation for more info
*/
public Collection<? extends CRL> engineGenerateCRLs(InputStream inStream) throws CRLException {
if (inStream == null) {
throw new CRLException("inStream == null");
}
ArrayList<CRL> result = new ArrayList<CRL>();
try {
if (!inStream.markSupported()) {
inStream = new RestoringInputStream(inStream);
}
// if it is PEM encoded form this array will contain the encoding
// so ((it is PEM) <-> (encoding != null))
byte[] encoding = null;
// The following by SEQUENCE ASN.1 tag, used for
// recognizing the data format
// (is it PKCS7 ContentInfo structure, X.509 CRL, or
// unsupported encoding)
int second_asn1_tag = -1;
inStream.mark(1);
int ch;
while ((ch = inStream.read()) != -1) {
// check if it is PEM encoded form
if (ch == '-') {
// beginning of PEM encoding ('-' char)
// decode PEM chunk and store its content (ASN.1 encoding)
encoding = decodePEM(inStream, FREE_BOUND_SUFFIX);
} else if (ch == 0x30) {
// beginning of ASN.1 sequence (0x30)
encoding = null;
inStream.reset();
// prepare for data format determination
inStream.mark(CRL_CACHE_SEED_LENGTH);
} else {
// unsupported data
if (result.size() == 0) {
throw new CRLException("Unsupported encoding");
} else {
// it can be trailing user data,
// so keep it in the stream
inStream.reset();
return result;
}
}
// Check the data format
BerInputStream in = (encoding == null) ? new BerInputStream(inStream) : new BerInputStream(encoding);
// read the next ASN.1 tag
second_asn1_tag = in.next();
if (encoding == null) {
// keep whole structure in the stream
inStream.reset();
}
// check if it is a TBSCertList structure
if (second_asn1_tag != ASN1Constants.TAG_C_SEQUENCE) {
if (result.size() == 0) {
// whether it is PKCS7 structure
break;
} else {
// so return what we already read
return result;
}
} else {
if (encoding == null) {
result.add(getCRL(inStream));
} else {
result.add(getCRL(encoding));
}
}
inStream.mark(1);
}
if (result.size() != 0) {
// the stream was read out
return result;
} else if (ch == -1) {
throw new CRLException("There is no data in the stream");
}
// else: check if it is PKCS7
if (second_asn1_tag == ASN1Constants.TAG_OID) {
// it is PKCS7 ContentInfo structure, so decode it
ContentInfo info = (ContentInfo) ((encoding != null) ? ContentInfo.ASN1.decode(encoding) : ContentInfo.ASN1.decode(inStream));
// retrieve SignedData
SignedData data = info.getSignedData();
if (data == null) {
throw new CRLException("Invalid PKCS7 data provided");
}
List<CertificateList> crls = data.getCRLs();
if (crls != null) {
for (CertificateList crl : crls) {
result.add(new X509CRLImpl(crl));
}
}
return result;
}
// else: Unknown data format
throw new CRLException("Unsupported encoding");
} catch (IOException e) {
throw new CRLException(e);
}
}
Also used :
SignedData(org.apache.harmony.security.pkcs7.SignedData)
ArrayList(java.util.ArrayList)
CertificateList(org.apache.harmony.security.x509.CertificateList)
IOException(java.io.IOException)
ContentInfo(org.apache.harmony.security.pkcs7.ContentInfo)
X509CRL(java.security.cert.X509CRL)
CRL(java.security.cert.CRL)
BerInputStream(org.apache.harmony.security.asn1.BerInputStream)
CRLException(java.security.cert.CRLException)
Example 13 with ContentInfo
use of com.mindbright.security.pkcs7.ContentInfo in project jss by dogtagpki.
the class CertPrettyPrint method pkcs7toString.
public String pkcs7toString(Locale clientLocale) {
StringBuffer content = new StringBuffer();
try {
mX509Cert = new X509CertImpl(mCert_b);
return toString(clientLocale);
} catch (Exception e) {
}
ContentInfo ci = null;
try {
ci = (ContentInfo) ASN1Util.decode(ContentInfo.getTemplate(), mCert_b);
} catch (Exception e) {
return "";
}
if (ci.getContentType().equals(ContentInfo.SIGNED_DATA)) {
SignedData sd = null;
try {
sd = (SignedData) ci.getInterpretedContent();
} catch (Exception e) {
return "";
}
if (sd.hasCertificates()) {
SET certs = sd.getCertificates();
for (int i = 0; i < certs.size(); i++) {
org.mozilla.jss.pkix.cert.Certificate cert = (org.mozilla.jss.pkix.cert.Certificate) certs.elementAt(i);
X509CertImpl certImpl = null;
try {
certImpl = new X509CertImpl(ASN1Util.encode(cert));
} catch (Exception e) {
}
CertPrettyPrint print = new CertPrettyPrint(certImpl);
content.append(print.toString(Locale.getDefault()));
content.append("\n");
}
return content.toString();
}
}
return content.toString();
}
Also used :
SET(org.mozilla.jss.asn1.SET)
SignedData(org.mozilla.jss.pkcs7.SignedData)
ContentInfo(org.mozilla.jss.pkcs7.ContentInfo)
X509CertImpl(org.mozilla.jss.netscape.security.x509.X509CertImpl)
Certificate(java.security.cert.Certificate)
Example 14 with ContentInfo
use of com.mindbright.security.pkcs7.ContentInfo in project jss by dogtagpki.
the class AuthenticatedSafes method getSafeContentsAt.
/**
* Returns the SafeContents at the given index in the AuthenticatedSafes,
* decrypting it if necessary.
*
* <p>The algorithm used to extract encrypted SafeContents does not
* conform to version 1.0 of the spec. Instead, it conforms to the
* draft 1.0 spec, because this is what Communicator and MSIE seem
* to conform to. This looks like an implementation error that has
* become firmly entrenched to preserve interoperability. The draft
* spec dictates that the encrypted content in the EncryptedContentInfo
* is the DER encoding of a SafeContents. This is simple enough. The
* 1.0 final spec says that the SafeContents is wrapped in a ContentInfo,
* then the ContentInfo is BER encoded, then the value octets (not the
* tag or length) are encrypted. No wonder people stayed with the old way.
*
* @param password The password to use to decrypt the SafeContents if
* it is encrypted. If the SafeContents is known to not be encrypted,
* this parameter can be null. If the password is incorrect, the
* decoding will fail somehow, probably with an InvalidBERException,
* BadPaddingException, or IllegalBlockSizeException.
* @param index The index of the SafeContents to extract.
* @return A SafeContents object, which is merely a
* SEQUENCE of SafeBags.
* @exception IllegalArgumentException If no password was provided,
* but the SafeContents is encrypted.
*/
public SEQUENCE getSafeContentsAt(Password password, int index) throws IllegalStateException, NotInitializedException, NoSuchAlgorithmException, InvalidBERException, IOException, InvalidKeyException, InvalidAlgorithmParameterException, TokenException, IllegalBlockSizeException, BadPaddingException {
ContentInfo ci = (ContentInfo) sequence.elementAt(index);
if (ci.getContentType().equals(ContentInfo.ENCRYPTED_DATA)) {
if (password == null) {
// can't decrypt if we don't have a password
throw new IllegalStateException("No password to decode " + "encrypted SafeContents");
}
EncryptedContentInfo encCI = ((EncryptedData) ci.getInterpretedContent()).getEncryptedContentInfo();
// this should be a BER-encoded SafeContents
byte[] decrypted = encCI.decrypt(password, new PasswordConverter());
try {
SEQUENCE.OF_Template seqt = new SEQUENCE.OF_Template(SafeBag.getTemplate());
return (SEQUENCE) ASN1Util.decode(seqt, decrypted);
} catch (InvalidBERException e) {
if (ACCEPT_SECURITY_DYNAMICS) {
// try the security dynamics approach
ContentInfo.Template cit = ContentInfo.getTemplate();
ci = (ContentInfo) ASN1Util.decode(cit, decrypted);
if (!ci.getContentType().equals(ContentInfo.DATA)) {
throw new InvalidBERException("");
}
OCTET_STRING os = (OCTET_STRING) ci.getInterpretedContent();
SEQUENCE.OF_Template seqt = new SEQUENCE.OF_Template(SafeBag.getTemplate());
return (SEQUENCE) ASN1Util.decode(seqt, os.toByteArray());
} else {
throw e;
}
}
} else if (ci.getContentType().equals(ContentInfo.DATA)) {
// This SafeContents is not encrypted
SEQUENCE.OF_Template seqt = new SEQUENCE.OF_Template(SafeBag.getTemplate());
return (SEQUENCE) ASN1Util.decode(seqt, ((OCTET_STRING) ci.getInterpretedContent()).toByteArray());
} else {
throw new InvalidBERException("AuthenticatedSafes element is" + " neither a Data or an EncryptedData");
}
}
Also used :
InvalidBERException(org.mozilla.jss.asn1.InvalidBERException)
OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING)
ContentInfo(org.mozilla.jss.pkcs7.ContentInfo)
EncryptedContentInfo(org.mozilla.jss.pkcs7.EncryptedContentInfo)
SEQUENCE(org.mozilla.jss.asn1.SEQUENCE)
EncryptedData(org.mozilla.jss.pkcs7.EncryptedData)
EncryptedContentInfo(org.mozilla.jss.pkcs7.EncryptedContentInfo)
ASN1Template(org.mozilla.jss.asn1.ASN1Template)
Example 15 with ContentInfo
use of com.mindbright.security.pkcs7.ContentInfo in project jss by dogtagpki.
the class AuthenticatedSafes method addEncryptedSafeContents.
/**
* Encrypts a SafeContents and adds it to the AuthenticatedSafes.
*
* @param keyGenAlg The algorithm used to generate a key from the password.
* Must be a PBE algorithm. <code>DEFAULT_KEY_GEN_ALG</code> is
* usually fine here. It only provides 40-bit security, but if the
* private key material is packaged in its own
* <i>EncryptedPrivateKeyInfo</i>, the security of the SafeContents
* is not as important.
* @param password The password to use to generate the encryption key
* and IV.
* @param salt The salt to use to generate the key and IV. If null is
* passed in, the salt will be generated randomly, which is usually
* the right thing to do.
* @param iterationCount The number of hash iterations to perform when
* generating the key and IV. Use DEFAULT_ITERATIONS unless
* you want to be clever.
* @param safeContents A SafeContents, which is a SEQUENCE of SafeBags.
* Each element of the sequence must in fact be an instance of
* <code>SafeBag</code>.
*/
public void addEncryptedSafeContents(PBEAlgorithm keyGenAlg, Password password, byte[] salt, int iterationCount, SEQUENCE safeContents) throws NotInitializedException, InvalidKeyException, InvalidAlgorithmParameterException, TokenException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException {
try {
// generate salt if necessary
if (salt == null) {
// generate random salt
JSSSecureRandom rand = CryptoManager.getInstance().createPseudoRandomNumberGenerator();
salt = new byte[SALT_LENGTH];
rand.nextBytes(salt);
}
EncryptedContentInfo encCI = EncryptedContentInfo.createPBE(keyGenAlg, password, salt, iterationCount, new PasswordConverter(), ASN1Util.encode(safeContents));
EncryptedData encData = new EncryptedData(encCI);
ContentInfo ci = new ContentInfo(encData);
sequence.addElement(ci);
} catch (CharConversionException e) {
throw new RuntimeException("Unable to convert password: " + e.getMessage(), e);
}
}
Also used :
ContentInfo(org.mozilla.jss.pkcs7.ContentInfo)
EncryptedContentInfo(org.mozilla.jss.pkcs7.EncryptedContentInfo)
JSSSecureRandom(org.mozilla.jss.crypto.JSSSecureRandom)
EncryptedData(org.mozilla.jss.pkcs7.EncryptedData)
CharConversionException(java.io.CharConversionException)
EncryptedContentInfo(org.mozilla.jss.pkcs7.EncryptedContentInfo)
Aggregations
IOException (java.io.IOException)12
ContentInfo (org.apache.harmony.security.pkcs7.ContentInfo)11
SignedData (org.apache.harmony.security.pkcs7.SignedData)11
BerInputStream (org.apache.harmony.security.asn1.BerInputStream)9
Certificate (java.security.cert.Certificate)8
X509Certificate (java.security.cert.X509Certificate)8
ArrayList (java.util.ArrayList)6
Signature (java.security.Signature)5
SignerInfo (org.apache.harmony.security.pkcs7.SignerInfo)5
ContentInfo (org.mozilla.jss.pkcs7.ContentInfo)5
ByteArrayInputStream (java.io.ByteArrayInputStream)4
CertificateException (java.security.cert.CertificateException)4
X500Principal (javax.security.auth.x500.X500Principal)4
X509CertImpl (org.apache.harmony.security.provider.cert.X509CertImpl)4
BigInteger (java.math.BigInteger)3
GeneralSecurityException (java.security.GeneralSecurityException)3
MessageDigest (java.security.MessageDigest)3
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3
EncryptedContentInfo (org.mozilla.jss.pkcs7.EncryptedContentInfo)3
RandomAccessFile (java.io.RandomAccessFile)2
