use of org.bouncycastle.asn1.cmp.PBMParameter in project xipki by xipki.
the class BaseCmpResponder method verifyProtection.
// method randomBytes
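/**
 * Verifies the protection of a received CMP request and resolves the requestor it belongs to.
 *
 * <p>Two protection types are handled: password-based MAC (PBM) and signature. In both
 * cases the algorithm policy from {@code cmpControl} is checked before any cryptographic
 * verification, and the requestor is looked up before its secret or certificate is used.
 *
 * @param tid transaction id, used only in log messages
 * @param pkiMessage the received message whose protection is to be verified
 * @param cmpControl source of the permitted OWF, MAC and signature algorithms
 * @return the verification outcome; the requestor is {@code null} unless a requestor was found
 * @throws CMPException declared by this method; presumably propagated from the verify calls
 * @throws InvalidKeyException declared by this method; presumably raised while preparing the verifier
 */
private ProtectionVerificationResult verifyProtection(String tid, GeneralPKIMessage pkiMessage, CmpControl cmpControl) throws CMPException, InvalidKeyException {
  ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
  PKIHeader header = protectedMsg.getHeader();

  // A message without a usable X.500 sender is rejected for both protection types.
  X500Name sender = getX500Sender(header);
  if (sender == null) {
    LOG.warn("tid={}: not authorized requestor 'null'", tid);
    return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
  }

  AlgorithmIdentifier protectionAlg = header.getProtectionAlg();
  if (protectedMsg.hasPasswordBasedMacProtection()) {
    // Every PBM parameter below is chosen by the sender and is still unauthenticated here,
    // so each one is checked against policy before the MAC is computed.
    PBMParameter parameter = PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters());

    HashAlgo owfAlg;
    try {
      owfAlg = HashAlgo.getInstance(parameter.getOwf());
    } catch (NoSuchAlgorithmException ex) {
      LogUtil.warn(LOG, ex);
      return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
    }
    if (!cmpControl.isRequestPbmOwfPermitted(owfAlg)) {
      LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", owfAlg.getJceName());
      return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
    }

    SignAlgo macAlg;
    try {
      macAlg = SignAlgo.getInstance(parameter.getMac());
    } catch (NoSuchAlgorithmException ex) {
      LogUtil.warn(LOG, ex);
      return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
    }
    if (!cmpControl.isRequestPbmMacPermitted(macAlg)) {
      LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", macAlg.getJceName());
      return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
    }

    // The count arrives as an ASN.1 INTEGER of arbitrary size. intValue() silently keeps
    // only the low 32 bits, so an oversized value could wrap into the accepted range;
    // reject anything that does not fit in an int before applying the minimum.
    java.math.BigInteger iterations = parameter.getIterationCount().getValue();
    if (iterations.bitLength() > 31) {
      LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.iterationCount: {} out of int range)", iterations);
      return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
    }
    int iterationCount = iterations.intValue();
    if (iterationCount < 1000) {
      LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.iterationCount: {} < 1000)", iterationCount);
      return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
    }
    // NOTE(review): only a minimum is enforced. The sender-chosen count determines how much
    // work verify() does below, so a configured ceiling is worth considering (PKMACBuilder
    // also offers a constructor that takes a maximum iteration count) - confirm the limit
    // against the peers that must interoperate.

    ASN1OctetString asn1 = header.getSenderKID();
    byte[] senderKID = (asn1 == null) ? null : asn1.getOctets();
    PKMACBuilder pkMacBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());

    // The shared secret is selected by senderKID, not by the sender name checked above.
    CmpRequestorInfo requestor = getMacRequestor(senderKID);
    if (requestor == null) {
      LOG.warn("tid={}: not authorized requestor with senderKID '{}'", tid, (senderKID == null) ? "null" : Hex.toHexString(senderKID));
      return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
    }

    boolean macValid = protectedMsg.verify(pkMacBuilder, requestor.getPassword());
    return new ProtectionVerificationResult(requestor, macValid ? ProtectionResult.MAC_VALID : ProtectionResult.MAC_INVALID);
  }

  // Signature-based protection.
  if (!cmpControl.getSigAlgoValidator().isAlgorithmPermitted(protectionAlg)) {
    LOG.warn("SIG_ALGO_FORBIDDEN: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
    return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_ALGO_FORBIDDEN);
  }

  // sender was already resolved from this header and checked for null above, so it is
  // reused instead of being extracted a second time.
  CmpRequestorInfo requestor = getRequestor(sender);
  if (requestor == null) {
    LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender());
    return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
  }

  // The verifier is built from the certificate registered for the requestor, not from
  // anything carried in the message.
  ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(requestor.getCert().getCert());
  if (verifierProvider == null) {
    LOG.warn("tid={}: not authorized requestor '{}'", tid, sender);
    return new ProtectionVerificationResult(requestor, ProtectionResult.SENDER_NOT_AUTHORIZED);
  }

  boolean signatureValid = protectedMsg.verify(verifierProvider);
  return new ProtectionVerificationResult(requestor, signatureValid ? ProtectionResult.SIGNATURE_VALID : ProtectionResult.SIGNATURE_INVALID);
}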
use of org.bouncycastle.asn1.cmp.PBMParameter in project xipki by xipki.
the class CmpAgent method verifyProtection.
/**
 * Verifies the protection of a CMP message received from the responder.
 *
 * <p>The expected protection type follows from the configured requestor: a PBM requestor
 * accepts only password-based MAC protection, any other requestor accepts only signature
 * protection. A mismatch is reported as {@code SENDER_NOT_AUTHORIZED}.
 *
 * @param tid transaction id, used only in log messages
 * @param pkiMessage the received message
 * @return the verification outcome
 * @throws CMPException declared by this method; presumably propagated from the verify calls
 * @throws InvalidKeyException declared by this method; presumably raised while preparing the verifier
 */
private ProtectionVerificationResult verifyProtection(String tid, GeneralPKIMessage pkiMessage) throws CMPException, InvalidKeyException {
  ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
  PKIHeader header = protectedMsg.getHeader();

  final boolean macExpected = requestor instanceof Requestor.PbmMacCmpRequestor;
  final boolean macProtected = protectedMsg.hasPasswordBasedMacProtection();

  // The peer must not be able to pick the protection type: it has to match the configuration.
  if (macExpected != macProtected) {
    String protectionOid = pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId();
    if (macExpected) {
      LOG.warn("NOT_MAC_BASED: {}", protectionOid);
    } else {
      LOG.warn("NOT_SIGNATURE_BASED: {}", protectionOid);
    }
    return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
  }

  if (macExpected) {
    Responder.PbmMacCmpResponder pbmResponder = (Responder.PbmMacCmpResponder) responder;
    PBMParameter pbm = PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters());

    // One-way function named in the message must be known and permitted.
    HashAlgo owfAlgo;
    try {
      owfAlgo = HashAlgo.getInstance(pbm.getOwf());
    } catch (NoSuchAlgorithmException ex) {
      LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf)", ex);
      return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
    }
    if (!pbmResponder.isPbmOwfPermitted(owfAlgo)) {
      LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", owfAlgo);
      return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
    }

    // Same for the MAC algorithm.
    SignAlgo macAlgo;
    try {
      macAlgo = SignAlgo.getInstance(pbm.getMac());
    } catch (NoSuchAlgorithmException ex) {
      LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac)", ex);
      return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
    }
    if (!pbmResponder.isPbmMacPermitted(macAlgo)) {
      LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", macAlgo);
      return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
    }

    // NOTE(review): the iteration count carried in the PBM parameters is not checked in
    // this method; only OWF and MAC are policy-checked before the MAC is computed.
    Requestor.PbmMacCmpRequestor pbmRequestor = (Requestor.PbmMacCmpRequestor) requestor;
    boolean macOk = protectedMsg.verify(new PKMACBuilder(new JcePKMACValuesCalculator()), pbmRequestor.getPassword());
    ProtectionResult macOutcome = macOk ? ProtectionResult.MAC_VALID : ProtectionResult.MAC_INVALID;
    return new ProtectionVerificationResult(requestor, macOutcome);
  }

  // Signature-based protection. The sender name is compared only when a recipient name
  // is configured; otherwise the signature check against the responder certificate decides.
  if (recipientName != null) {
    GeneralName claimedSender = header.getSender();
    boolean senderMatches = claimedSender.getTagNo() == GeneralName.directoryName
        && recipientName.equals(X500Name.getInstance(claimedSender.getName()));
    if (!senderMatches) {
      LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender());
      return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
    }
  }

  Responder.SignatureCmpResponder signingResponder = (Responder.SignatureCmpResponder) responder;

  SignAlgo sigAlgo;
  try {
    sigAlgo = SignAlgo.getInstance(protectedMsg.getHeader().getProtectionAlg());
  } catch (NoSuchAlgorithmException ex) {
    LOG.warn("tid={}: unknown response protection algorithm: {}", tid, ex.getMessage());
    return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_INVALID);
  }
  if (!signingResponder.getSigAlgoValidator().isAlgorithmPermitted(sigAlgo)) {
    LOG.warn("tid={}: response protected by untrusted protection algorithm '{}'", tid, sigAlgo.getJceName());
    return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_INVALID);
  }

  // The verifier comes from the configured responder certificate, not from the message.
  X509Cert responderCert = signingResponder.getCert();
  ContentVerifierProvider verifier = securityFactory.getContentVerifierProvider(responderCert);
  if (verifier == null) {
    LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender());
    return new ProtectionVerificationResult(responderCert, ProtectionResult.SENDER_NOT_AUTHORIZED);
  }

  ProtectionResult sigOutcome = protectedMsg.verify(verifier)
      ? ProtectionResult.SIGNATURE_VALID
      : ProtectionResult.SIGNATURE_INVALID;
  return new ProtectionVerificationResult(responderCert, sigOutcome);
}
use of org.bouncycastle.asn1.cmp.PBMParameter in project LinLong-Java by zhenwei1108.
the class PKMACBuilder method build.
/**
 * Creates a MAC calculator for the given password.
 *
 * <p>Explicitly configured {@code parameters} are used as they are. Without them, a fresh
 * salt of {@code saltLength} bytes is drawn and combined with the builder's {@code owf},
 * {@code iterationCount} and {@code mac} settings.
 *
 * @param password the shared secret the MAC key is derived from
 * @return the calculator produced by {@code genCalculator}
 * @throws CRMFException declared by this method; presumably propagated from {@code genCalculator}
 */
public MacCalculator build(char[] password) throws CRMFException {
  if (parameters == null) {
    byte[] freshSalt = new byte[saltLength];
    // Fall back to a SecureRandom when the caller supplied no random source, and keep
    // it on the builder for later calls.
    if (random == null) {
      this.random = new SecureRandom();
    }
    random.nextBytes(freshSalt);
    PBMParameter generated = new PBMParameter(freshSalt, owf, iterationCount, mac);
    return genCalculator(generated, password);
  }
  return genCalculator(parameters, password);
}
use of org.bouncycastle.asn1.cmp.PBMParameter in project xipki by xipki.
the class PbmMacCmpCaClient method verifyProtection.
/**
 * Verifies a password-based-MAC protected CMP message with this client's password.
 *
 * <p>Messages with any other protection type are rejected, as are messages whose OWF or
 * MAC algorithm OID is not in the trusted sets.
 *
 * @param pkiMessage the received message
 * @return {@code true} only if the protection type and algorithms are accepted and the MAC verifies
 * @throws CMPException declared by this method; presumably propagated from the verify call
 * @throws InvalidKeyException declared by this method
 */
@Override
protected boolean verifyProtection(GeneralPKIMessage pkiMessage) throws CMPException, InvalidKeyException {
  ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
  if (!protectedMsg.hasPasswordBasedMacProtection()) {
    LOG.warn("NOT_MAC_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
    return false;
  }

  // The PBM parameters are taken from the message and are unauthenticated at this point.
  PBMParameter pbm = PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters());

  ASN1ObjectIdentifier owfOid = pbm.getOwf().getAlgorithm();
  if (!trustedOwfOids.contains(owfOid)) {
    LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", owfOid);
    return false;
  }

  ASN1ObjectIdentifier macOid = pbm.getMac().getAlgorithm();
  if (!trustedMacOids.contains(macOid)) {
    LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", macOid);
    return false;
  }

  // NOTE(review): the iteration count in the PBM parameters is not checked in this
  // method; only the two algorithm OIDs are validated before the MAC is computed.
  return protectedMsg.verify(new PKMACBuilder(new JcePKMACValuesCalculator()), password);
}
use of org.bouncycastle.asn1.cmp.PBMParameter in project xipki by xipki.
the class PbmMacCmpCaClient method build.
// method decrypt
/**
 * Finishes a CMP message by protecting it with a password-based MAC.
 *
 * <p>Sets the sender key identifier, draws a new 64-byte salt for this message and builds
 * the PBM parameters from the configured OWF, iteration count and MAC algorithm.
 *
 * @param builder the message builder to complete
 * @return the protected message
 * @throws Exception a {@code CRMFException} is rethrown as {@code CMPException} with the
 *     original exception as its cause; other exceptions propagate unchanged
 */
@Override
protected ProtectedPKIMessage build(ProtectedPKIMessageBuilder builder) throws Exception {
  builder.setSenderKID(kid);

  // A new salt per message. NOTE(review): the declaration of `random` is not visible
  // here - confirm it is a SecureRandom.
  byte[] freshSalt = new byte[64];
  random.nextBytes(freshSalt);
  PBMParameter pbm = new PBMParameter(freshSalt, requestOwf, requestInterationCount, requestMac);

  PKMACBuilder macBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
  try {
    macBuilder.setParameters(pbm);
    return builder.build(macBuilder.build(password));
  } catch (CRMFException ex) {
    // Keep the cause so the underlying CRMF failure stays visible to the caller.
    throw new CMPException(ex.getMessage(), ex);
  }
}