use of org.bouncycastle.asn1.cms.Attribute in project robovm by robovm.
the class SignedData method calculateVersion.
// RFC3852, section 5.1:
// IF ((certificates is present) AND
// (any certificates with a type of other are present)) OR
// ((crls is present) AND
// (any crls with a type of other are present))
// THEN version MUST be 5
// ELSE
// IF (certificates is present) AND
// (any version 2 attribute certificates are present)
// THEN version MUST be 4
// ELSE
// IF ((certificates is present) AND
// (any version 1 attribute certificates are present)) OR
// (any SignerInfo structures are version 3) OR
// (encapContentInfo eContentType is other than id-data)
// THEN version MUST be 3
// ELSE version MUST be 1
//
private ASN1Integer calculateVersion(ASN1ObjectIdentifier contentOid, ASN1Set certs, ASN1Set crls, ASN1Set signerInfs) {
    // Flags derived from the tag numbers of the tagged entries in certs:
    // tag 1 -> v1 attribute certificate, tag 2 -> v2 attribute certificate,
    // tag 3 -> "other" certificate format. Untagged entries raise no flag.
    boolean sawV1AttrCert = false;
    boolean sawV2AttrCert = false;
    boolean sawOtherCert = false;

    if (certs != null) {
        Enumeration certEntries = certs.getObjects();
        while (certEntries.hasMoreElements()) {
            Object entry = certEntries.nextElement();
            if (!(entry instanceof ASN1TaggedObject)) {
                continue;
            }
            switch (ASN1TaggedObject.getInstance(entry).getTagNo()) {
                case 1:
                    sawV1AttrCert = true;
                    break;
                case 2:
                    sawV2AttrCert = true;
                    break;
                case 3:
                    sawOtherCert = true;
                    break;
                default:
                    // Any other tag number does not influence the version.
                    break;
            }
        }
    }

    // An "other" certificate already forces version 5, so the CRL scan is skipped.
    // This branch builds the value inline, whereas the CRL branch below returns
    // the VERSION_5 constant.
    if (sawOtherCert) {
        return new ASN1Integer(5);
    }

    // Every tagged entry in crls counts as an "other" revocation format; the
    // tag number itself is not inspected.
    boolean sawOtherCrl = false;
    if (crls != null) {
        Enumeration crlEntries = crls.getObjects();
        while (crlEntries.hasMoreElements()) {
            if (crlEntries.nextElement() instanceof ASN1TaggedObject) {
                sawOtherCrl = true;
            }
        }
    }
    if (sawOtherCrl) {
        return VERSION_5;
    }

    if (sawV2AttrCert) {
        return VERSION_4;
    }

    // Version 3 conditions, evaluated left to right with short-circuiting:
    // a v1 attribute certificate, a SignerInfo reported by checkForVersion3,
    // or an encapsulated content type other than id-data.
    if (sawV1AttrCert
            || checkForVersion3(signerInfs)
            || !CMSObjectIdentifiers.data.equals(contentOid)) {
        return VERSION_3;
    }
    return VERSION_1;
}
use of org.bouncycastle.asn1.cms.Attribute in project robovm by robovm.
the class RFC3280CertPathUtilities method processCRLF.
/**
* Obtain and validate the certification path for the complete CRL issuer.
* If a key usage extension is present in the CRL issuer's certificate,
* verify that the cRLSign bit is set.
*
* @param crl CRL which contains revocation information for the certificate
* <code>cert</code>.
* @param cert The attribute certificate or certificate to check if it is
* revoked.
* @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
* @param defaultCRLSignKey The public key of the issuer certificate
* <code>defaultCRLSignCert</code>.
* @param paramsPKIX PKIX parameters.
* @param certPathCerts The certificates on the certification path.
* @return A <code>Set</code> with all keys of possible CRL issuer
* certificates.
* @throws AnnotatedException if the CRL is not valid or the status cannot be checked or
* some error occurs.
*/
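protected static Set processCRLF(X509CRL crl, Object cert, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, ExtendedPKIXParameters paramsPKIX, List certPathCerts) throws AnnotatedException {
    // Note: the cert parameter is not read anywhere in this method.

    // (f) Select candidate CRL signer certificates: subject must equal the CRL issuer.
    X509CertStoreSelector selector = new X509CertStoreSelector();
    try {
        byte[] issuerPrincipal = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();
        selector.setSubject(issuerPrincipal);
    } catch (IOException e) {
        throw new AnnotatedException("Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);
    }

    // Gather candidates from every store configured on the PKIX parameters.
    Collection coll;
    try {
        coll = CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getStores());
        coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getAdditionalStores()));
        coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertStores()));
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e);
    }
    // The issuer of the certificate under check is always a candidate.
    coll.add(defaultCRLSignCert);

    // validCerts and validKeys are parallel lists: index i in one matches index i in the other.
    List validCerts = new ArrayList();
    List validKeys = new ArrayList();
    for (Object candidate : coll) {
        X509Certificate signingCert = (X509Certificate) candidate;

        // The CA that issued the certificate under check also signed the CRL.
        // Its path is already being validated by the caller, so it is accepted
        // here with the key the caller supplied and no second path build is done.
        if (signingCert.equals(defaultCRLSignCert)) {
            validCerts.add(signingCert);
            validKeys.add(defaultCRLSignKey);
            continue;
        }

        try {
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
            selector = new X509CertStoreSelector();
            selector.setCertificate(signingCert);
            ExtendedPKIXParameters temp = (ExtendedPKIXParameters) paramsPKIX.clone();
            temp.setTargetCertConstraints(selector);
            ExtendedPKIXBuilderParameters params = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters.getInstance(temp);

            // If signingCert is itself on the path being validated, checking its
            // revocation would need the very CRL that is being processed here,
            // which is a dependency loop. Revocation checking is therefore turned
            // off for that path build only. For every other CRL signer it stays
            // enabled, so that a CRL signed by a revoked or forged signer is rejected.
            params.setRevocationEnabled(!certPathCerts.contains(signingCert));

            List certs = builder.build(params).getCertPath().getCertificates();
            validCerts.add(signingCert);
            validKeys.add(CertPathValidatorUtilities.getNextWorkingKey(certs, 0));
        } catch (CertPathBuilderException e) {
            // A failed path build for one candidate aborts the whole check.
            throw new AnnotatedException("Internal error.", e);
        } catch (CertPathValidatorException e) {
            throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e);
        } catch (Exception e) {
            // Keep the original exception as the cause so that the failure
            // (provider lookup, clone, cast, ...) can still be diagnosed.
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    // Key usage filter: a certificate without a key usage extension
    // (getKeyUsage() == null) is accepted; when the extension is present the
    // CRL_SIGN bit must exist in the array and be set.
    Set checkKeys = new HashSet();
    AnnotatedException lastException = null;
    for (int i = 0; i < validCerts.size(); i++) {
        X509Certificate signCert = (X509Certificate) validCerts.get(i);
        boolean[] keyusage = signCert.getKeyUsage();
        if (keyusage != null && (keyusage.length < 7 || !keyusage[CRL_SIGN])) {
            lastException = new AnnotatedException("Issuer certificate key usage extension does not permit CRL signing.");
        } else {
            checkKeys.add(validKeys.get(i));
        }
    }

    // No usable key: report the key usage failure if there was one, otherwise
    // report that no issuer certificate was found.
    if (checkKeys.isEmpty()) {
        if (lastException != null) {
            throw lastException;
        }
        throw new AnnotatedException("Cannot find a valid issuer certificate.");
    }
    return checkKeys;
}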
use of org.bouncycastle.asn1.cms.Attribute in project robovm by robovm.
the class SignerInformation method doVerify.
/**
 * Verifies this signer's signature and the RFC 3852 section 11 constraints on its attributes.
 *
 * The method feeds the signed data into the content verifier, computes the content
 * digest when none is cached in resultDigest, checks the content-type, message-digest
 * and countersignature attributes, and finally asks the verifier to check the signature.
 *
 * @param verifier supplies the content verifier and, when needed, the digest calculator.
 * @return the result of the verifier's verify call on this signer's signature.
 * @throws CMSException if a verifier or digest calculator cannot be created, the data
 *         cannot be written, no content is available for a signature without signed
 *         attributes, or one of the attribute checks fails.
 */
private boolean doVerify(SignerInformationVerifier verifier) throws CMSException {
String encName = CMSSignedHelper.INSTANCE.getEncryptionAlgName(this.getEncryptionAlgOID());
ContentVerifier contentVerifier;
try {
contentVerifier = verifier.getContentVerifier(encryptionAlgorithm, info.getDigestAlgorithm());
} catch (OperatorCreationException e) {
throw new CMSException("can't create content verifier: " + e.getMessage(), e);
}
try {
// Everything written to sigOut is the data the signature is checked over.
OutputStream sigOut = contentVerifier.getOutputStream();
if (resultDigest == null) {
// No cached digest: compute it here from the content.
DigestCalculator calc = verifier.getDigestCalculator(this.getDigestAlgorithmID());
if (content != null) {
OutputStream digOut = calc.getOutputStream();
if (signedAttributeSet == null) {
// No signed attributes: the signature covers the content itself.
if (contentVerifier instanceof RawContentVerifier) {
// A raw verifier is given the digest at the end of this method, so only the digest is fed here.
content.write(digOut);
} else {
// One pass over the content feeds both the digest and the signature verifier.
OutputStream cOut = new TeeOutputStream(digOut, sigOut);
content.write(cOut);
cOut.close();
}
} else {
// Signed attributes present: the content goes to the digest only, and the
// signature is checked over the encoded signed attributes.
content.write(digOut);
sigOut.write(this.getEncodedSignedAttributes());
}
digOut.close();
} else if (signedAttributeSet != null) {
// NOTE(review): nothing is written to calc in this branch, so resultDigest below is
// whatever calc.getDigest() yields without input, presumably the digest of empty
// input. Confirm against the DigestCalculator implementation.
sigOut.write(this.getEncodedSignedAttributes());
} else {
// TODO Get rid of this exception and just treat content==null as empty not missing?
throw new CMSException("data not encapsulated in signature - use detached constructor.");
}
resultDigest = calc.getDigest();
} else {
// A digest is already cached: only the signature verifier needs input.
if (signedAttributeSet == null) {
if (content != null) {
content.write(sigOut);
}
} else {
sigOut.write(this.getEncodedSignedAttributes());
}
}
sigOut.close();
} catch (IOException e) {
throw new CMSException("can't process mime object to create signature.", e);
} catch (OperatorCreationException e) {
throw new CMSException("can't create digest calculator: " + e.getMessage(), e);
}
// RFC 3852 11.1 Check the content-type attribute is correct
{
ASN1Primitive validContentType = getSingleValuedSignedAttribute(CMSAttributes.contentType, "content-type");
if (validContentType == null) {
// Absent is acceptable only for counter signatures or when there are no signed attributes at all.
if (!isCounterSignature && signedAttributeSet != null) {
throw new CMSException("The content-type attribute type MUST be present whenever signed attributes are present in signed-data");
}
} else {
if (isCounterSignature) {
throw new CMSException("[For counter signatures,] the signedAttributes field MUST NOT contain a content-type attribute");
}
if (!(validContentType instanceof ASN1ObjectIdentifier)) {
throw new CMSException("content-type attribute value not of ASN.1 type 'OBJECT IDENTIFIER'");
}
ASN1ObjectIdentifier signedContentType = (ASN1ObjectIdentifier) validContentType;
// The signed attribute value must equal this object's contentType field.
if (!signedContentType.equals(contentType)) {
throw new CMSException("content-type attribute value does not match eContentType");
}
}
}
// RFC 3852 11.2 Check the message-digest attribute is correct
// When signed attributes are present the signature covers only those attributes,
// so this comparison is what ties the verified signature to the content digest.
{
ASN1Primitive validMessageDigest = getSingleValuedSignedAttribute(CMSAttributes.messageDigest, "message-digest");
if (validMessageDigest == null) {
if (signedAttributeSet != null) {
throw new CMSException("the message-digest signed attribute type MUST be present when there are any signed attributes present");
}
} else {
if (!(validMessageDigest instanceof ASN1OctetString)) {
throw new CMSException("message-digest attribute value not of ASN.1 type 'OCTET STRING'");
}
ASN1OctetString signedMessageDigest = (ASN1OctetString) validMessageDigest;
// Compared through constantTimeAreEqual; going by the helper's name the comparison
// time should not depend on where the two values differ (implementation not shown here).
if (!Arrays.constantTimeAreEqual(resultDigest, signedMessageDigest.getOctets())) {
throw new CMSSignerDigestMismatchException("message-digest attribute value does not match calculated value");
}
}
}
// RFC 3852 11.4 Validate countersignature attribute(s)
{
// A countersignature is only allowed among the unsigned attributes.
AttributeTable signedAttrTable = this.getSignedAttributes();
if (signedAttrTable != null && signedAttrTable.getAll(CMSAttributes.counterSignature).size() > 0) {
throw new CMSException("A countersignature attribute MUST NOT be a signed attribute");
}
AttributeTable unsignedAttrTable = this.getUnsignedAttributes();
if (unsignedAttrTable != null) {
ASN1EncodableVector csAttrs = unsignedAttrTable.getAll(CMSAttributes.counterSignature);
for (int i = 0; i < csAttrs.size(); ++i) {
Attribute csAttr = (Attribute) csAttrs.get(i);
if (csAttr.getAttrValues().size() < 1) {
throw new CMSException("A countersignature attribute MUST contain at least one AttributeValue");
}
// Note: We don't recursively validate the countersignature value
// Only the structure is checked: a countersignature that is present has not
// been cryptographically verified by this method.
}
}
}
try {
// Raw verification path: used only when there are no signed attributes and the
// verifier accepts a precomputed digest.
if (signedAttributeSet == null && resultDigest != null) {
if (contentVerifier instanceof RawContentVerifier) {
RawContentVerifier rawVerifier = (RawContentVerifier) contentVerifier;
if (encName.equals("RSA")) {
// For RSA the digest is wrapped in a DER-encoded DigestInfo before it is handed to the raw verifier.
DigestInfo digInfo = new DigestInfo(new AlgorithmIdentifier(digestAlgorithm.getAlgorithm(), DERNull.INSTANCE), resultDigest);
return rawVerifier.verify(digInfo.getEncoded(ASN1Encoding.DER), this.getSignature());
}
return rawVerifier.verify(resultDigest, this.getSignature());
}
}
// Default path: the verifier checks the signature against what was written to sigOut above.
return contentVerifier.verify(this.getSignature());
} catch (IOException e) {
throw new CMSException("can't process mime object to create signature.", e);
}
}
use of org.bouncycastle.asn1.cms.Attribute in project robovm by robovm.
the class SignerInformation method addCounterSigners.
/**
* Return a signer information object with passed in SignerInformationStore representing counter
* signatures attached as an unsigned attribute.
*
* @param signerInformation the signerInfo to be used as the basis.
* @param counterSigners signer info objects carrying counter signature.
* @return a copy of the original SignerInformationObject with the changed attributes.
*/
public static SignerInformation addCounterSigners(SignerInformation signerInformation, SignerInformationStore counterSigners) {
    // TODO Perform checks from RFC 3852 11.4
    // Until that TODO is resolved the counter signers are attached as supplied:
    // nothing in this method validates them. They are placed in the unsigned
    // attributes of the new SignerInfo.
    SignerInfo original = signerInformation.info;

    // Start from the existing unsigned attributes, or from an empty vector when there are none.
    AttributeTable existingUnsigned = signerInformation.getUnsignedAttributes();
    ASN1EncodableVector unsignedVec = (existingUnsigned != null)
            ? existingUnsigned.toASN1EncodableVector()
            : new ASN1EncodableVector();

    // Collect the ASN.1 structure of every counter signer into one SET value.
    ASN1EncodableVector counterSigVec = new ASN1EncodableVector();
    for (Object signer : counterSigners.getSigners()) {
        counterSigVec.add(((SignerInformation) signer).toASN1Structure());
    }
    unsignedVec.add(new Attribute(CMSAttributes.counterSignature, new DERSet(counterSigVec)));

    // Rebuild the SignerInfo with every field of the original except the unsigned attributes.
    SignerInfo rebuilt = new SignerInfo(
            original.getSID(),
            original.getDigestAlgorithm(),
            original.getAuthenticatedAttributes(),
            original.getDigestEncryptionAlgorithm(),
            original.getEncryptedDigest(),
            new DERSet(unsignedVec));
    return new SignerInformation(rebuilt, signerInformation.contentType, signerInformation.content, null);
}
use of org.bouncycastle.asn1.cms.Attribute in project robovm by robovm.
the class X509AttributeCertificateHolder method isSignatureValid.
/**
* Validate the signature on the attribute certificate in this holder.
*
* @param verifierProvider a ContentVerifierProvider that can generate a verifier for the signature.
* @return true if the signature is valid, false otherwise.
* @throws CertException if the signature cannot be processed or is inappropriate.
*/
public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws CertException {
    // This method checks the signature only. Nothing here looks at the validity
    // period, the issuer's certification path or revocation status.
    final AttributeCertificateInfo signedInfo = attrCert.getAcinfo();

    // The algorithm identifier inside the signed structure must equal the outer
    // one. The verifier below is created from the inner identifier, which is part
    // of the data the signature is checked over.
    boolean algorithmsAgree = CertUtils.isAlgIdEqual(signedInfo.getSignature(), attrCert.getSignatureAlgorithm());
    if (!algorithmsAgree) {
        throw new CertException("signature invalid - algorithm identifier mismatch");
    }

    ContentVerifier sigVerifier;
    try {
        sigVerifier = verifierProvider.get(signedInfo.getSignature());
        // Feed the DER encoding of the signed structure into the verifier.
        OutputStream verifierSink = sigVerifier.getOutputStream();
        DEROutputStream derOut = new DEROutputStream(verifierSink);
        derOut.writeObject(signedInfo);
        verifierSink.close();
    } catch (Exception e) {
        throw new CertException("unable to process signature: " + e.getMessage(), e);
    }

    // verify() sits outside the try block, so anything it throws is not wrapped in CertException.
    return sigVerifier.verify(attrCert.getSignatureValue().getBytes());
}