use of com.mindbright.security.pkcs7.ContentInfo in project XobotOS by xamarin.
the class X509CertFactoryImpl method engineGenerateCertificates.
/**
* Generates the collection of the certificates on the base of provided
* via input stream encodings.
* @see java.security.cert.CertificateFactorySpi#engineGenerateCertificates(InputStream)
* method documentation for more info
*/
public Collection<? extends Certificate> engineGenerateCertificates(InputStream inStream) throws CertificateException {
if (inStream == null) {
throw new CertificateException("inStream == null");
}
ArrayList<Certificate> result = new ArrayList<Certificate>();
try {
if (!inStream.markSupported()) {
// create the mark supporting wrapper
inStream = new RestoringInputStream(inStream);
}
// if it is PEM encoded form this array will contain the encoding
// so ((it is PEM) <-> (encoding != null))
byte[] encoding = null;
// The following by SEQUENCE ASN.1 tag, used for
// recognizing the data format
// (is it PKCS7 ContentInfo structure, X.509 Certificate, or
// unsupported encoding)
int second_asn1_tag = -1;
inStream.mark(1);
int ch;
while ((ch = inStream.read()) != -1) {
// check if it is PEM encoded form
if (ch == '-') {
// beginning of PEM encoding ('-' char)
// decode PEM chunk and store its content (ASN.1 encoding)
encoding = decodePEM(inStream, FREE_BOUND_SUFFIX);
} else if (ch == 0x30) {
// beginning of ASN.1 sequence (0x30)
encoding = null;
inStream.reset();
// prepare for data format determination
inStream.mark(CERT_CACHE_SEED_LENGTH);
} else {
// unsupported data
if (result.size() == 0) {
throw new CertificateException("Unsupported encoding");
} else {
// it can be trailing user data,
// so keep it in the stream
inStream.reset();
return result;
}
}
// Check the data format
BerInputStream in = (encoding == null) ? new BerInputStream(inStream) : new BerInputStream(encoding);
// read the next ASN.1 tag
// inStream position changed
second_asn1_tag = in.next();
if (encoding == null) {
// keep whole structure in the stream
inStream.reset();
}
// check if it is a TBSCertificate structure
if (second_asn1_tag != ASN1Constants.TAG_C_SEQUENCE) {
if (result.size() == 0) {
// whether it is PKCS7 structure
break;
} else {
// so return what we already read
return result;
}
} else {
if (encoding == null) {
result.add(getCertificate(inStream));
} else {
result.add(getCertificate(encoding));
}
}
// mark for the next iteration
inStream.mark(1);
}
if (result.size() != 0) {
// some Certificates have been read
return result;
} else if (ch == -1) {
throw new CertificateException("There is no data in the stream");
}
// else: check if it is PKCS7
if (second_asn1_tag == ASN1Constants.TAG_OID) {
// it is PKCS7 ContentInfo structure, so decode it
ContentInfo info = (ContentInfo) ((encoding != null) ? ContentInfo.ASN1.decode(encoding) : ContentInfo.ASN1.decode(inStream));
// retrieve SignedData
SignedData data = info.getSignedData();
if (data == null) {
throw new CertificateException("Invalid PKCS7 data provided");
}
List<org.apache.harmony.security.x509.Certificate> certs = data.getCertificates();
if (certs != null) {
for (org.apache.harmony.security.x509.Certificate cert : certs) {
result.add(new X509CertImpl(cert));
}
}
return result;
}
// else: Unknown data format
throw new CertificateException("Unsupported encoding");
} catch (IOException e) {
throw new CertificateException(e);
}
}
use of com.mindbright.security.pkcs7.ContentInfo in project XobotOS by xamarin.
the class X509CertFactoryImpl method engineGenerateCRLs.
/**
* @see java.security.cert.CertificateFactorySpi#engineGenerateCRLs(InputStream)
* method documentation for more info
*/
public Collection<? extends CRL> engineGenerateCRLs(InputStream inStream) throws CRLException {
if (inStream == null) {
throw new CRLException("inStream == null");
}
ArrayList<CRL> result = new ArrayList<CRL>();
try {
if (!inStream.markSupported()) {
inStream = new RestoringInputStream(inStream);
}
// if it is PEM encoded form this array will contain the encoding
// so ((it is PEM) <-> (encoding != null))
byte[] encoding = null;
// The following by SEQUENCE ASN.1 tag, used for
// recognizing the data format
// (is it PKCS7 ContentInfo structure, X.509 CRL, or
// unsupported encoding)
int second_asn1_tag = -1;
inStream.mark(1);
int ch;
while ((ch = inStream.read()) != -1) {
// check if it is PEM encoded form
if (ch == '-') {
// beginning of PEM encoding ('-' char)
// decode PEM chunk and store its content (ASN.1 encoding)
encoding = decodePEM(inStream, FREE_BOUND_SUFFIX);
} else if (ch == 0x30) {
// beginning of ASN.1 sequence (0x30)
encoding = null;
inStream.reset();
// prepare for data format determination
inStream.mark(CRL_CACHE_SEED_LENGTH);
} else {
// unsupported data
if (result.size() == 0) {
throw new CRLException("Unsupported encoding");
} else {
// it can be trailing user data,
// so keep it in the stream
inStream.reset();
return result;
}
}
// Check the data format
BerInputStream in = (encoding == null) ? new BerInputStream(inStream) : new BerInputStream(encoding);
// read the next ASN.1 tag
second_asn1_tag = in.next();
if (encoding == null) {
// keep whole structure in the stream
inStream.reset();
}
// check if it is a TBSCertList structure
if (second_asn1_tag != ASN1Constants.TAG_C_SEQUENCE) {
if (result.size() == 0) {
// whether it is PKCS7 structure
break;
} else {
// so return what we already read
return result;
}
} else {
if (encoding == null) {
result.add(getCRL(inStream));
} else {
result.add(getCRL(encoding));
}
}
inStream.mark(1);
}
if (result.size() != 0) {
// the stream was read out
return result;
} else if (ch == -1) {
throw new CRLException("There is no data in the stream");
}
// else: check if it is PKCS7
if (second_asn1_tag == ASN1Constants.TAG_OID) {
// it is PKCS7 ContentInfo structure, so decode it
ContentInfo info = (ContentInfo) ((encoding != null) ? ContentInfo.ASN1.decode(encoding) : ContentInfo.ASN1.decode(inStream));
// retrieve SignedData
SignedData data = info.getSignedData();
if (data == null) {
throw new CRLException("Invalid PKCS7 data provided");
}
List<CertificateList> crls = data.getCRLs();
if (crls != null) {
for (CertificateList crl : crls) {
result.add(new X509CRLImpl(crl));
}
}
return result;
}
// else: Unknown data format
throw new CRLException("Unsupported encoding");
} catch (IOException e) {
throw new CRLException(e);
}
}
use of com.mindbright.security.pkcs7.ContentInfo in project jss by dogtagpki.
the class CertPrettyPrint method pkcs7toString.
public String pkcs7toString(Locale clientLocale) {
StringBuffer content = new StringBuffer();
try {
mX509Cert = new X509CertImpl(mCert_b);
return toString(clientLocale);
} catch (Exception e) {
}
ContentInfo ci = null;
try {
ci = (ContentInfo) ASN1Util.decode(ContentInfo.getTemplate(), mCert_b);
} catch (Exception e) {
return "";
}
if (ci.getContentType().equals(ContentInfo.SIGNED_DATA)) {
SignedData sd = null;
try {
sd = (SignedData) ci.getInterpretedContent();
} catch (Exception e) {
return "";
}
if (sd.hasCertificates()) {
SET certs = sd.getCertificates();
for (int i = 0; i < certs.size(); i++) {
org.mozilla.jss.pkix.cert.Certificate cert = (org.mozilla.jss.pkix.cert.Certificate) certs.elementAt(i);
X509CertImpl certImpl = null;
try {
certImpl = new X509CertImpl(ASN1Util.encode(cert));
} catch (Exception e) {
}
CertPrettyPrint print = new CertPrettyPrint(certImpl);
content.append(print.toString(Locale.getDefault()));
content.append("\n");
}
return content.toString();
}
}
return content.toString();
}
use of com.mindbright.security.pkcs7.ContentInfo in project jss by dogtagpki.
the class AuthenticatedSafes method getSafeContentsAt.
/**
* Returns the SafeContents at the given index in the AuthenticatedSafes,
* decrypting it if necessary.
*
* <p>The algorithm used to extract encrypted SafeContents does not
* conform to version 1.0 of the spec. Instead, it conforms to the
* draft 1.0 spec, because this is what Communicator and MSIE seem
* to conform to. This looks like an implementation error that has
* become firmly entrenched to preserve interoperability. The draft
* spec dictates that the encrypted content in the EncryptedContentInfo
* is the DER encoding of a SafeContents. This is simple enough. The
* 1.0 final spec says that the SafeContents is wrapped in a ContentInfo,
* then the ContentInfo is BER encoded, then the value octets (not the
* tag or length) are encrypted. No wonder people stayed with the old way.
*
* @param password The password to use to decrypt the SafeContents if
* it is encrypted. If the SafeContents is known to not be encrypted,
* this parameter can be null. If the password is incorrect, the
* decoding will fail somehow, probably with an InvalidBERException,
* BadPaddingException, or IllegalBlockSizeException.
* @param index The index of the SafeContents to extract.
* @return A SafeContents object, which is merely a
* SEQUENCE of SafeBags.
* @exception IllegalArgumentException If no password was provided,
* but the SafeContents is encrypted.
*/
public SEQUENCE getSafeContentsAt(Password password, int index) throws IllegalStateException, NotInitializedException, NoSuchAlgorithmException, InvalidBERException, IOException, InvalidKeyException, InvalidAlgorithmParameterException, TokenException, IllegalBlockSizeException, BadPaddingException {
ContentInfo ci = (ContentInfo) sequence.elementAt(index);
if (ci.getContentType().equals(ContentInfo.ENCRYPTED_DATA)) {
if (password == null) {
// can't decrypt if we don't have a password
throw new IllegalStateException("No password to decode " + "encrypted SafeContents");
}
EncryptedContentInfo encCI = ((EncryptedData) ci.getInterpretedContent()).getEncryptedContentInfo();
// this should be a BER-encoded SafeContents
byte[] decrypted = encCI.decrypt(password, new PasswordConverter());
try {
SEQUENCE.OF_Template seqt = new SEQUENCE.OF_Template(SafeBag.getTemplate());
return (SEQUENCE) ASN1Util.decode(seqt, decrypted);
} catch (InvalidBERException e) {
if (ACCEPT_SECURITY_DYNAMICS) {
// try the security dynamics approach
ContentInfo.Template cit = ContentInfo.getTemplate();
ci = (ContentInfo) ASN1Util.decode(cit, decrypted);
if (!ci.getContentType().equals(ContentInfo.DATA)) {
throw new InvalidBERException("");
}
OCTET_STRING os = (OCTET_STRING) ci.getInterpretedContent();
SEQUENCE.OF_Template seqt = new SEQUENCE.OF_Template(SafeBag.getTemplate());
return (SEQUENCE) ASN1Util.decode(seqt, os.toByteArray());
} else {
throw e;
}
}
} else if (ci.getContentType().equals(ContentInfo.DATA)) {
// This SafeContents is not encrypted
SEQUENCE.OF_Template seqt = new SEQUENCE.OF_Template(SafeBag.getTemplate());
return (SEQUENCE) ASN1Util.decode(seqt, ((OCTET_STRING) ci.getInterpretedContent()).toByteArray());
} else {
throw new InvalidBERException("AuthenticatedSafes element is" + " neither a Data or an EncryptedData");
}
}
use of com.mindbright.security.pkcs7.ContentInfo in project jss by dogtagpki.
the class AuthenticatedSafes method addEncryptedSafeContents.
/**
* Encrypts a SafeContents and adds it to the AuthenticatedSafes.
*
* @param keyGenAlg The algorithm used to generate a key from the password.
* Must be a PBE algorithm. <code>DEFAULT_KEY_GEN_ALG</code> is
* usually fine here. It only provides 40-bit security, but if the
* private key material is packaged in its own
* <i>EncryptedPrivateKeyInfo</i>, the security of the SafeContents
* is not as important.
* @param password The password to use to generate the encryption key
* and IV.
* @param salt The salt to use to generate the key and IV. If null is
* passed in, the salt will be generated randomly, which is usually
* the right thing to do.
* @param iterationCount The number of hash iterations to perform when
* generating the key and IV. Use DEFAULT_ITERATIONS unless
* you want to be clever.
* @param safeContents A SafeContents, which is a SEQUENCE of SafeBags.
* Each element of the sequence must in fact be an instance of
* <code>SafeBag</code>.
*/
public void addEncryptedSafeContents(PBEAlgorithm keyGenAlg, Password password, byte[] salt, int iterationCount, SEQUENCE safeContents) throws NotInitializedException, InvalidKeyException, InvalidAlgorithmParameterException, TokenException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException {
try {
// generate salt if necessary
if (salt == null) {
// generate random salt
JSSSecureRandom rand = CryptoManager.getInstance().createPseudoRandomNumberGenerator();
salt = new byte[SALT_LENGTH];
rand.nextBytes(salt);
}
EncryptedContentInfo encCI = EncryptedContentInfo.createPBE(keyGenAlg, password, salt, iterationCount, new PasswordConverter(), ASN1Util.encode(safeContents));
EncryptedData encData = new EncryptedData(encCI);
ContentInfo ci = new ContentInfo(encData);
sequence.addElement(ci);
} catch (CharConversionException e) {
throw new RuntimeException("Unable to convert password: " + e.getMessage(), e);
}
}
Aggregations