
Example 1 with PBMParameter

use of org.bouncycastle.asn1.cmp.PBMParameter in project xipki by xipki.

the class BaseCmpResponder method verifyProtection.

// method randomBytes
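/**
 * Verifies the protection of an incoming CMP message, either a password-based MAC
 * (PBM) or a signature, and maps the outcome to a {@link ProtectionResult}.
 *
 * <p>Every value read from {@code pkiMessage} is supplied by the sender and is treated
 * as untrusted until the MAC or signature has been verified.
 *
 * @param tid transaction id, used only in log messages
 * @param pkiMessage the received message whose protection is checked
 * @param cmpControl policy object consulted for the permitted OWF, MAC and signature algorithms
 * @return the matched requestor (or {@code null}) together with the verification outcome
 * @throws CMPException propagated from constructing or verifying the protected message
 * @throws InvalidKeyException declared by the original signature; propagated unchanged
 */
private ProtectionVerificationResult verifyProtection(String tid, GeneralPKIMessage pkiMessage, CmpControl cmpControl) throws CMPException, InvalidKeyException {
    ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
    PKIHeader header = protectedMsg.getHeader();
    X500Name sender = getX500Sender(header);
    if (sender == null) {
        LOG.warn("tid={}: not authorized requestor 'null'", tid);
        return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
    }
    AlgorithmIdentifier protectionAlg = header.getProtectionAlg();
    if (protectedMsg.hasPasswordBasedMacProtection()) {
        PBMParameter parameter = PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters());
        // Both the one-way function and the MAC algorithm are chosen by the sender, so
        // each is resolved and checked against the local policy before any MAC is computed.
        HashAlgo owfAlg;
        try {
            owfAlg = HashAlgo.getInstance(parameter.getOwf());
        } catch (NoSuchAlgorithmException ex) {
            LogUtil.warn(LOG, ex);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        if (!cmpControl.isRequestPbmOwfPermitted(owfAlg)) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", owfAlg.getJceName());
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        SignAlgo macAlg;
        try {
            macAlg = SignAlgo.getInstance(parameter.getMac());
        } catch (NoSuchAlgorithmException ex) {
            LogUtil.warn(LOG, ex);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        if (!cmpControl.isRequestPbmMacPermitted(macAlg)) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", macAlg.getJceName());
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        // The iteration count is an arbitrary-precision ASN.1 INTEGER taken from the message.
        // intValue() silently truncates, so a value outside the int range could pass the
        // floor check below as a different number; reject such values before narrowing.
        int iterationCountBits = parameter.getIterationCount().getValue().bitLength();
        if (iterationCountBits > 31) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.iterationCount: {} bits, out of int range)", iterationCountBits);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        int iterationCount = parameter.getIterationCount().getValue().intValue();
        if (iterationCount < 1000) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.iterationCount: {} < 1000)", iterationCount);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        // NOTE(review): only a floor is enforced on the sender-chosen iteration count.
        // verify() below has to run the whole key derivation before a wrong MAC can be
        // rejected, so the sender controls the cost of that call. Whether a ceiling is
        // applied elsewhere is not visible from this method - confirm. Bouncy Castle's
        // PKMACBuilder also offers a constructor that takes a maximum iteration count.
        ASN1OctetString asn1 = header.getSenderKID();
        byte[] senderKID = (asn1 == null) ? null : asn1.getOctets();
        CmpRequestorInfo requestor = getMacRequestor(senderKID);
        if (requestor == null) {
            LOG.warn("tid={}: not authorized requestor with senderKID '{}'", tid, (senderKID == null) ? "null" : Hex.toHexString(senderKID));
            return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        // Built only once a requestor is known; unknown senders never reach the MAC code.
        PKMACBuilder pkMacBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
        boolean macValid = protectedMsg.verify(pkMacBuilder, requestor.getPassword());
        return new ProtectionVerificationResult(requestor, macValid ? ProtectionResult.MAC_VALID : ProtectionResult.MAC_INVALID);
    } else {
        if (!cmpControl.getSigAlgoValidator().isAlgorithmPermitted(protectionAlg)) {
            LOG.warn("SIG_ALGO_FORBIDDEN: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
            return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_ALGO_FORBIDDEN);
        }
        // sender was resolved from this same header and checked for null at the top of the
        // method, so it is reused here instead of being resolved a second time.
        CmpRequestorInfo requestor = getRequestor(sender);
        if (requestor == null) {
            LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender());
            return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(requestor.getCert().getCert());
        if (verifierProvider == null) {
            LOG.warn("tid={}: not authorized requestor '{}'", tid, sender);
            return new ProtectionVerificationResult(requestor, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        boolean signatureValid = protectedMsg.verify(verifierProvider);
        return new ProtectionVerificationResult(requestor, signatureValid ? ProtectionResult.SIGNATURE_VALID : ProtectionResult.SIGNATURE_INVALID);
    }
}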
Also used : PKMACBuilder(org.bouncycastle.cert.crmf.PKMACBuilder) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) ProtectionVerificationResult(org.xipki.security.cmp.ProtectionVerificationResult) X500Name(org.bouncycastle.asn1.x500.X500Name) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) JcePKMACValuesCalculator(org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator) CmpRequestorInfo(org.xipki.ca.api.mgmt.RequestorInfo.CmpRequestorInfo) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 2 with PBMParameter

use of org.bouncycastle.asn1.cmp.PBMParameter in project xipki by xipki.

the class CmpAgent method verifyProtection.

/**
 * Checks the protection of a received CMP message against the locally configured peer.
 *
 * <p>When the configured requestor is a {@code Requestor.PbmMacCmpRequestor} the message
 * must carry password-based MAC protection; otherwise it must carry a signature. A message
 * protected with the other mechanism is rejected as {@code SENDER_NOT_AUTHORIZED}.
 *
 * @param tid transaction id, used only in log messages
 * @param pkiMessage the received message
 * @return the verification outcome, paired with the requestor (MAC case) or the
 *     responder certificate (signature case) once one has been selected
 * @throws CMPException propagated from constructing or verifying the protected message
 * @throws InvalidKeyException declared by the original signature; propagated unchanged
 */
private ProtectionVerificationResult verifyProtection(String tid, GeneralPKIMessage pkiMessage) throws CMPException, InvalidKeyException {
    ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
    PKIHeader header = protectedMsg.getHeader();

    if (requestor instanceof Requestor.PbmMacCmpRequestor) {
        // MAC mode: refuse anything that is not PBM-protected.
        if (!protectedMsg.hasPasswordBasedMacProtection()) {
            LOG.warn("NOT_MAC_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
            return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        Responder.PbmMacCmpResponder pbmResponder = (Responder.PbmMacCmpResponder) responder;
        PBMParameter pbm = PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters());

        // The peer picks the OWF and MAC algorithms; each must be known and permitted.
        HashAlgo owfAlgo;
        try {
            owfAlgo = HashAlgo.getInstance(pbm.getOwf());
        } catch (NoSuchAlgorithmException ex) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf)", ex);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        if (!pbmResponder.isPbmOwfPermitted(owfAlgo)) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", owfAlgo);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }

        SignAlgo macAlgo;
        try {
            macAlgo = SignAlgo.getInstance(pbm.getMac());
        } catch (NoSuchAlgorithmException ex) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac)", ex);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        if (!pbmResponder.isPbmMacPermitted(macAlgo)) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", macAlgo);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }

        // NOTE(review): the PBMParameter iteration count is not examined in this method.
        // Whether a floor or ceiling on that peer-chosen value is enforced elsewhere is
        // not visible from here - confirm.
        Requestor.PbmMacCmpRequestor pbmRequestor = (Requestor.PbmMacCmpRequestor) requestor;
        PKMACBuilder macBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
        ProtectionResult macOutcome = protectedMsg.verify(macBuilder, pbmRequestor.getPassword())
                ? ProtectionResult.MAC_VALID
                : ProtectionResult.MAC_INVALID;
        return new ProtectionVerificationResult(requestor, macOutcome);
    }

    // Signature mode: a MAC-protected message is not acceptable.
    if (protectedMsg.hasPasswordBasedMacProtection()) {
        LOG.warn("NOT_SIGNATURE_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
        return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
    }

    if (recipientName != null) {
        // The header sender must be a directoryName equal to the expected recipient name.
        // When recipientName is null this comparison is skipped entirely.
        GeneralName from = header.getSender();
        boolean senderMatches = from.getTagNo() == GeneralName.directoryName
                && recipientName.equals(X500Name.getInstance(from.getName()));
        if (!senderMatches) {
            LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender());
            return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
    }

    Responder.SignatureCmpResponder sigResponder = (Responder.SignatureCmpResponder) responder;
    SignAlgo sigAlgo;
    try {
        sigAlgo = SignAlgo.getInstance(protectedMsg.getHeader().getProtectionAlg());
    } catch (NoSuchAlgorithmException ex) {
        LOG.warn("tid={}: unknown response protection algorithm: {}", tid, ex.getMessage());
        return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_INVALID);
    }
    if (!sigResponder.getSigAlgoValidator().isAlgorithmPermitted(sigAlgo)) {
        LOG.warn("tid={}: response protected by untrusted protection algorithm '{}'", tid, sigAlgo.getJceName());
        return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_INVALID);
    }

    // The signature is checked against the configured responder certificate, not against
    // any certificate carried in the message.
    X509Cert responderCert = sigResponder.getCert();
    ContentVerifierProvider verifier = securityFactory.getContentVerifierProvider(responderCert);
    if (verifier == null) {
        LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender());
        return new ProtectionVerificationResult(responderCert, ProtectionResult.SENDER_NOT_AUTHORIZED);
    }
    ProtectionResult sigOutcome = protectedMsg.verify(verifier)
            ? ProtectionResult.SIGNATURE_VALID
            : ProtectionResult.SIGNATURE_INVALID;
    return new ProtectionVerificationResult(responderCert, sigOutcome);
}
Also used : PKMACBuilder(org.bouncycastle.cert.crmf.PKMACBuilder) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) X500Name(org.bouncycastle.asn1.x500.X500Name) JcePKMACValuesCalculator(org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 3 with PBMParameter

use of org.bouncycastle.asn1.cmp.PBMParameter in project LinLong-Java by zhenwei1108.

the class PKMACBuilder method build.

/**
 * Creates a MAC calculator keyed from {@code password}.
 *
 * <p>If explicit parameters were set on this builder they are used as-is. Otherwise a new
 * {@link PBMParameter} is assembled from the builder's OWF, iteration count and MAC
 * settings with a freshly generated salt of {@code saltLength} bytes.
 *
 * @param password the shared secret the MAC key is derived from
 * @return a calculator produced by {@code genCalculator}
 * @throws CRMFException propagated from {@code genCalculator}
 */
public MacCalculator build(char[] password) throws CRMFException {
    if (parameters == null) {
        byte[] freshSalt = new byte[saltLength];
        // Fall back to a SecureRandom when the caller supplied no random source; the
        // instance is kept on the builder for later calls.
        if (random == null) {
            this.random = new SecureRandom();
        }
        random.nextBytes(freshSalt);
        PBMParameter generated = new PBMParameter(freshSalt, owf, iterationCount, mac);
        return genCalculator(generated, password);
    }
    return genCalculator(parameters, password);
}
Also used : SecureRandom(java.security.SecureRandom) PBMParameter(com.github.zhenwei.pkix.util.asn1.cmp.PBMParameter)

Example 4 with PBMParameter

use of org.bouncycastle.asn1.cmp.PBMParameter in project xipki by xipki.

the class PbmMacCmpCaClient method verifyProtection.

/**
 * Verifies that a received CMP message is protected by a password-based MAC computed
 * with this client's password.
 *
 * <p>The OWF and MAC algorithm OIDs announced in the message must both be members of the
 * locally trusted sets before the MAC itself is checked.
 *
 * @param pkiMessage the received message
 * @return {@code true} only if the message is PBM-protected, both algorithms are trusted
 *     and the MAC verifies; {@code false} otherwise
 * @throws CMPException propagated from constructing or verifying the protected message
 * @throws InvalidKeyException declared by the original signature; propagated unchanged
 */
@Override
protected boolean verifyProtection(GeneralPKIMessage pkiMessage) throws CMPException, InvalidKeyException {
    ProtectedPKIMessage protectedMessage = new ProtectedPKIMessage(pkiMessage);
    if (!protectedMessage.hasPasswordBasedMacProtection()) {
        LOG.warn("NOT_MAC_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
        return false;
    }

    PBMParameter pbm = PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters());

    // Allow-list check on the peer-chosen one-way function.
    ASN1ObjectIdentifier owfOid = pbm.getOwf().getAlgorithm();
    if (!trustedOwfOids.contains(owfOid)) {
        LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", owfOid);
        return false;
    }

    // Allow-list check on the peer-chosen MAC algorithm.
    ASN1ObjectIdentifier macOid = pbm.getMac().getAlgorithm();
    if (!trustedMacOids.contains(macOid)) {
        LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", macOid);
        return false;
    }

    // NOTE(review): the iteration count carried in PBMParameter is not checked here,
    // neither for a minimum nor for a maximum. Whether it is bounded elsewhere is not
    // visible from this method - confirm.
    return protectedMessage.verify(new PKMACBuilder(new JcePKMACValuesCalculator()), password);
}
Also used : PKMACBuilder(org.bouncycastle.cert.crmf.PKMACBuilder) JcePKMACValuesCalculator(org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) PBMParameter(org.bouncycastle.asn1.cmp.PBMParameter)

Example 5 with PBMParameter

use of org.bouncycastle.asn1.cmp.PBMParameter in project xipki by xipki.

the class PbmMacCmpCaClient method build.

// method decrypt
/**
 * Finishes a CMP message by protecting it with a password-based MAC.
 *
 * <p>The sender key identifier is set on the builder, a new 64-byte salt is drawn from
 * {@code random}, and the MAC is parameterised with the configured request OWF, iteration
 * count and MAC algorithm.
 *
 * @param builder the message builder to complete
 * @return the MAC-protected message
 * @throws Exception a {@link CMPException} wrapping any {@link CRMFException} raised while
 *     building the MAC calculator; other exceptions propagate unchanged
 */
@Override
protected ProtectedPKIMessage build(ProtectedPKIMessageBuilder builder) throws Exception {
    builder.setSenderKID(kid);

    // A fresh salt is generated for every message.
    // NOTE(review): the type of `random` is not visible here - confirm it is a SecureRandom.
    byte[] freshSalt = new byte[64];
    random.nextBytes(freshSalt);

    PKMACBuilder macBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
    macBuilder.setParameters(new PBMParameter(freshSalt, requestOwf, requestInterationCount, requestMac));
    try {
        return builder.build(macBuilder.build(password));
    } catch (CRMFException ex) {
        // Keep the original exception as the cause so the failure stays diagnosable.
        throw new CMPException(ex.getMessage(), ex);
    }
}
Also used : PKMACBuilder(org.bouncycastle.cert.crmf.PKMACBuilder) JcePKMACValuesCalculator(org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator) CMPException(org.bouncycastle.cert.cmp.CMPException) CRMFException(org.bouncycastle.cert.crmf.CRMFException) PBMParameter(org.bouncycastle.asn1.cmp.PBMParameter)

Aggregations

PKMACBuilder (org.bouncycastle.cert.crmf.PKMACBuilder)4 JcePKMACValuesCalculator (org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator)4 PBMParameter (org.bouncycastle.asn1.cmp.PBMParameter)2 X500Name (org.bouncycastle.asn1.x500.X500Name)2 ProtectedPKIMessage (org.bouncycastle.cert.cmp.ProtectedPKIMessage)2 ContentVerifierProvider (org.bouncycastle.operator.ContentVerifierProvider)2 PBMParameter (com.github.zhenwei.pkix.util.asn1.cmp.PBMParameter)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 SecureRandom (java.security.SecureRandom)1 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)1 AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)1 CMPException (org.bouncycastle.cert.cmp.CMPException)1 CRMFException (org.bouncycastle.cert.crmf.CRMFException)1 CmpRequestorInfo (org.xipki.ca.api.mgmt.RequestorInfo.CmpRequestorInfo)1 ProtectionVerificationResult (org.xipki.security.cmp.ProtectionVerificationResult)1