
Example 16 with SignerInfo

use of org.bouncycastle.asn1.cms.SignerInfo in project xipki by xipki.

the class DecodedNextCaMessage method decode.

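/**
 * Decodes a CMS SignedData message into a {@link DecodedNextCaMessage} and verifies its
 * signature.
 *
 * <p>Processing order: locate the single signerInfo and its certificate, read the signed
 * attributes, check that the digest and signature algorithms agree, verify the signature,
 * then parse the inner SignedData and split its certificates into one CA certificate and
 * zero or more RA certificates.
 *
 * <p><b>Security note for callers:</b> the signer certificate is taken from {@code certStore}
 * when it has a match for the signer id, and otherwise from the certificates embedded in
 * {@code pkiMessage} itself. The signature is then verified with that certificate's public key
 * only. Nothing in this method builds or validates a certification path, so
 * {@code isSignatureValid() == true} shows that the message is consistent with the returned
 * signer certificate, not that the signer is trusted. Callers are expected to compare or chain
 * the signature certificate to a CA/RA certificate they already trust before accepting the
 * returned {@code AuthorityCertStore}. The signing time and the strength of the digest
 * algorithm are recorded on the result but are not checked here.
 *
 * @param pkiMessage the received CMS SignedData; must not be {@code null}
 * @param certStore optional store searched first for the signer certificate; may be
 *     {@code null}
 * @return the decoded message; when decoding fails after the structural checks, the result
 *     carries a failure message instead of an authority certificate store
 * @throws MessageDecodingException if the message does not contain exactly one signerInfo,
 *     if no unique signer certificate can be found, or if the signed attributes are missing
 */
@SuppressWarnings("unchecked")
public static DecodedNextCaMessage decode(CMSSignedData pkiMessage, CollectionStore<X509CertificateHolder> certStore) throws MessageDecodingException {
    ScepUtil.requireNonNull("pkiMessage", pkiMessage);
    SignerInformationStore signerStore = pkiMessage.getSignerInfos();
    Collection<SignerInformation> signerInfos = signerStore.getSigners();
    if (signerInfos.size() != 1) {
        throw new MessageDecodingException("number of signerInfos is not 1, but " + signerInfos.size());
    }
    SignerInformation signerInfo = signerInfos.iterator().next();
    SignerId sid = signerInfo.getSID();
    Collection<?> signedDataCerts = null;
    if (certStore != null) {
        signedDataCerts = certStore.getMatches(sid);
    }
    // NOTE(review): falling back to the certificates embedded in the message means the
    // signer certificate may be chosen by whoever produced the message; see the security
    // note in the method documentation.
    if (signedDataCerts == null || signedDataCerts.isEmpty()) {
        signedDataCerts = pkiMessage.getCertificates().getMatches(sid);
    }
    if (signedDataCerts == null || signedDataCerts.size() != 1) {
        throw new MessageDecodingException("could not find embedded certificate to verify the signature");
    }
    AttributeTable signedAttrs = signerInfo.getSignedAttributes();
    if (signedAttrs == null) {
        throw new MessageDecodingException("missing signed attributes");
    }
    Date signingTime = null;
    // signingTime (optional signed attribute; recorded, not validated against the clock)
    ASN1Encodable attrValue = ScepUtil.getFirstAttrValue(signedAttrs, CMSAttributes.signingTime);
    if (attrValue != null) {
        signingTime = Time.getInstance(attrValue).getDate();
    }
    DecodedNextCaMessage ret = new DecodedNextCaMessage();
    if (signingTime != null) {
        ret.setSigningTime(signingTime);
    }
    ASN1ObjectIdentifier digestAlgOid = signerInfo.getDigestAlgorithmID().getAlgorithm();
    ret.setDigestAlgorithm(digestAlgOid);
    String sigAlgOid = signerInfo.getEncryptionAlgOID();
    // For anything other than plain rsaEncryption the signature algorithm identifier also
    // names a digest; it must be the same digest that signerInfo.digestAlgorithm declares.
    if (!PKCSObjectIdentifiers.rsaEncryption.getId().equals(sigAlgOid)) {
        ASN1ObjectIdentifier tmpDigestAlgOid;
        try {
            tmpDigestAlgOid = ScepUtil.extractDigesetAlgorithmIdentifier(signerInfo.getEncryptionAlgOID(), signerInfo.getEncryptionAlgParams());
        } catch (Exception ex) {
            final String msg = "could not extract digest algorithm from signerInfo.signatureAlgorithm: " + ex.getMessage();
            LOG.error(msg);
            LOG.debug(msg, ex);
            ret.setFailureMessage(msg);
            return ret;
        }
        if (!digestAlgOid.equals(tmpDigestAlgOid)) {
            ret.setFailureMessage("digestAlgorithm and encryptionAlgorithm do not use" + " the same digestAlgorithm");
            return ret;
        }
    }
    // end if
    X509CertificateHolder tmpSignerCert = (X509CertificateHolder) signedDataCerts.iterator().next();
    X509Certificate signerCert;
    try {
        signerCert = ScepUtil.toX509Cert(tmpSignerCert.toASN1Structure());
    } catch (CertificateException ex) {
        final String msg = "could not construct X509CertificateObject: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    ret.setSignatureCert(signerCert);
    // validate the signature (cryptographic check only; no path validation happens here)
    SignerInformationVerifier verifier;
    try {
        verifier = new JcaSimpleSignerInfoVerifierBuilder().build(signerCert.getPublicKey());
    } catch (OperatorCreationException ex) {
        final String msg = "could not build signature verifier: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    boolean signatureValid;
    try {
        signatureValid = signerInfo.verify(verifier);
    } catch (CMSException ex) {
        final String msg = "could not verify the signature: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    ret.setSignatureValid(signatureValid);
    if (!signatureValid) {
        return ret;
    }
    // MessageData
    CMSTypedData signedContent = pkiMessage.getSignedContent();
    // A SignedData without encapsulated content yields null here; report it as a decoding
    // failure instead of failing with a NullPointerException below.
    if (signedContent == null) {
        final String msg = "missing signed content";
        LOG.error(msg);
        ret.setFailureMessage(msg);
        return ret;
    }
    ASN1ObjectIdentifier signedContentType = signedContent.getContentType();
    if (!CMSObjectIdentifiers.signedData.equals(signedContentType)) {
        // fall back: some SCEP client use id-data
        if (!CMSObjectIdentifiers.data.equals(signedContentType)) {
            ret.setFailureMessage("either id-signedData or id-data is expected, but not '" + signedContentType.getId() + "'");
            return ret;
        }
    }
    // The inner content comes from the peer; a malformed or unexpected encoding makes the
    // ASN.1 getInstance() calls or the cast throw an unchecked exception, which is turned
    // into a failure message like the other decoding errors.
    SignedData signedData;
    try {
        ContentInfo contentInfo = ContentInfo.getInstance((byte[]) signedContent.getContent());
        signedData = SignedData.getInstance(contentInfo.getContent());
    } catch (RuntimeException ex) {
        final String msg = "could not parse the signed content: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    List<X509Certificate> certs;
    try {
        certs = ScepUtil.getCertsFromSignedData(signedData);
    } catch (CertificateException ex) {
        final String msg = "could not extract Certificates from the message: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    X509Certificate caCert = null;
    List<X509Certificate> raCerts = new LinkedList<X509Certificate>();
    for (X509Certificate cert : certs) {
        // getBasicConstraints() returns -1 for a non-CA certificate, so any other value
        // marks the certificate as a CA certificate.
        if (cert.getBasicConstraints() > -1) {
            if (caCert != null) {
                final String msg = "multiple CA certificates is returned, but exactly 1 is expected";
                LOG.error(msg);
                ret.setFailureMessage(msg);
                return ret;
            }
            caCert = cert;
        } else {
            raCerts.add(cert);
        }
    }
    if (caCert == null) {
        final String msg = "no CA certificate is returned";
        LOG.error(msg);
        ret.setFailureMessage(msg);
        return ret;
    }
    X509Certificate[] locaRaCerts = raCerts.isEmpty() ? null : raCerts.toArray(new X509Certificate[0]);
    AuthorityCertStore authorityCertStore = AuthorityCertStore.getInstance(caCert, locaRaCerts);
    ret.setAuthorityCertStore(authorityCertStore);
    return ret;
}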
Also used : AttributeTable(org.bouncycastle.asn1.cms.AttributeTable) SignerInformation(org.bouncycastle.cms.SignerInformation) CertificateException(java.security.cert.CertificateException) SignerInformationStore(org.bouncycastle.cms.SignerInformationStore) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) SignerInformationVerifier(org.bouncycastle.cms.SignerInformationVerifier) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) CMSTypedData(org.bouncycastle.cms.CMSTypedData) SignedData(org.bouncycastle.asn1.cms.SignedData) CMSSignedData(org.bouncycastle.cms.CMSSignedData) JcaSimpleSignerInfoVerifierBuilder(org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder) Date(java.util.Date) CMSException(org.bouncycastle.cms.CMSException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) CertificateException(java.security.cert.CertificateException) X509Certificate(java.security.cert.X509Certificate) LinkedList(java.util.LinkedList) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) SignerId(org.bouncycastle.cms.SignerId) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) CMSException(org.bouncycastle.cms.CMSException)

Example 17 with SignerInfo

use of org.bouncycastle.asn1.cms.SignerInfo in project jruby-openssl by jruby.

the class PKCS7 method add_signer.

/**
 * Adds a copy of the given signer to the wrapped PKCS#7 structure.
 *
 * <p>The signer info is duplicated before it is added, so later changes to {@code obj} do
 * not reach the copy held by {@code p7}. When the structure is a signed one, the copy also
 * receives a pkcs9 contentType signed attribute with the pkcs7-data object identifier.
 *
 * @param obj the signer to add; it is cast to {@code SignerInfo} without a prior type check
 * @return this object
 */
@JRubyMethod
public IRubyObject add_signer(IRubyObject obj) {
    final SignerInfoWithPkey signerCopy = ((SignerInfo) obj).getSignerInfo().dup();
    try {
        p7.addSigner(signerCopy);
    } catch (PKCS7Exception e) {
        // surface the library failure as the Ruby-level PKCS7 error
        throw newPKCS7Error(getRuntime(), e);
    }
    if (!p7.isSigned()) {
        return this;
    }
    // the attribute is set on the copy after it has been handed to p7
    final ASN1Encodable dataOid = org.jruby.ext.openssl.impl.PKCS7.OID_pkcs7_data;
    signerCopy.addSignedAttribute(ASN1Registry.NID_pkcs9_contentType, dataOid);
    return this;
}
Also used : SignerInfoWithPkey(org.jruby.ext.openssl.impl.SignerInfoWithPkey) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) PKCS7Exception(org.jruby.ext.openssl.impl.PKCS7Exception) NotVerifiedPKCS7Exception(org.jruby.ext.openssl.impl.NotVerifiedPKCS7Exception) JRubyMethod(org.jruby.anno.JRubyMethod)

Example 18 with SignerInfo

use of org.bouncycastle.asn1.cms.SignerInfo in project jruby-openssl by jruby.

the class SignerInfoWithPkey method toASN1Object.

/**
 * Builds the ASN.1 SEQUENCE form of this signer info, ready to be written to an
 * ASN1OutputStream.
 *
 * <p>Elements are emitted in the order the structure defines; the two attribute sets are
 * optional and are left out when they are {@code null}.
 * <pre>
 *  SignerInfo ::= SEQUENCE {
 *      version Version,
 *      issuerAndSerialNumber IssuerAndSerialNumber,
 *      digestAlgorithm DigestAlgorithmIdentifier,
 *      authenticatedAttributes [0] IMPLICIT Attributes OPTIONAL,
 *      digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
 *      encryptedDigest EncryptedDigest,
 *      unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
 *  }
 *
 *  EncryptedDigest ::= OCTET STRING
 *
 *  DigestAlgorithmIdentifier ::= AlgorithmIdentifier
 *
 *  DigestEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
 * </pre>
 *
 * @return a new sequence holding the fields of this signer info
 */
public ASN1Encodable toASN1Object() {
    final ASN1EncodableVector elements = new ASN1EncodableVector();

    // mandatory leading fields
    elements.add(version);
    elements.add(issuerAndSerialNumber);
    elements.add(digAlgorithm);

    // [0] IMPLICIT: the first constructor argument (explicit) is false
    if (null != authenticatedAttributes) {
        elements.add(new DERTaggedObject(false, 0, authenticatedAttributes));
    }

    elements.add(digEncryptionAlgorithm);
    elements.add(encryptedDigest);

    // [1] IMPLICIT; these attributes are not covered by the signature
    if (null != unauthenticatedAttributes) {
        elements.add(new DERTaggedObject(false, 1, unauthenticatedAttributes));
    }

    return new DLSequence(elements);
}
Also used : DLSequence(org.bouncycastle.asn1.DLSequence) DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
