Example 46 with ContentInfo
use of org.bouncycastle.asn1.pkcs.ContentInfo in project xipki by xipki.
the class DecodedNextCaMessage method decode.
@SuppressWarnings("unchecked")
public static DecodedNextCaMessage decode(CMSSignedData pkiMessage, CollectionStore<X509CertificateHolder> certStore) throws MessageDecodingException {
ScepUtil.requireNonNull("pkiMessage", pkiMessage);
SignerInformationStore signerStore = pkiMessage.getSignerInfos();
Collection<SignerInformation> signerInfos = signerStore.getSigners();
if (signerInfos.size() != 1) {
throw new MessageDecodingException("number of signerInfos is not 1, but " + signerInfos.size());
}
SignerInformation signerInfo = signerInfos.iterator().next();
SignerId sid = signerInfo.getSID();
Collection<?> signedDataCerts = null;
if (certStore != null) {
signedDataCerts = certStore.getMatches(sid);
}
if (signedDataCerts == null || signedDataCerts.isEmpty()) {
signedDataCerts = pkiMessage.getCertificates().getMatches(signerInfo.getSID());
}
if (signedDataCerts == null || signedDataCerts.size() != 1) {
throw new MessageDecodingException("could not find embedded certificate to verify the signature");
}
AttributeTable signedAttrs = signerInfo.getSignedAttributes();
if (signedAttrs == null) {
throw new MessageDecodingException("missing signed attributes");
}
Date signingTime = null;
// signingTime
ASN1Encodable attrValue = ScepUtil.getFirstAttrValue(signedAttrs, CMSAttributes.signingTime);
if (attrValue != null) {
signingTime = Time.getInstance(attrValue).getDate();
}
DecodedNextCaMessage ret = new DecodedNextCaMessage();
if (signingTime != null) {
ret.setSigningTime(signingTime);
}
ASN1ObjectIdentifier digestAlgOid = signerInfo.getDigestAlgorithmID().getAlgorithm();
ret.setDigestAlgorithm(digestAlgOid);
String sigAlgOid = signerInfo.getEncryptionAlgOID();
if (!PKCSObjectIdentifiers.rsaEncryption.getId().equals(sigAlgOid)) {
ASN1ObjectIdentifier tmpDigestAlgOid;
try {
tmpDigestAlgOid = ScepUtil.extractDigesetAlgorithmIdentifier(signerInfo.getEncryptionAlgOID(), signerInfo.getEncryptionAlgParams());
} catch (Exception ex) {
final String msg = "could not extract digest algorithm from signerInfo.signatureAlgorithm: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
if (!digestAlgOid.equals(tmpDigestAlgOid)) {
ret.setFailureMessage("digestAlgorithm and encryptionAlgorithm do not use" + " the same digestAlgorithm");
return ret;
}
}
// end if
X509CertificateHolder tmpSignerCert = (X509CertificateHolder) signedDataCerts.iterator().next();
X509Certificate signerCert;
try {
signerCert = ScepUtil.toX509Cert(tmpSignerCert.toASN1Structure());
} catch (CertificateException ex) {
final String msg = "could not construct X509CertificateObject: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
ret.setSignatureCert(signerCert);
// validate the signature
SignerInformationVerifier verifier;
try {
verifier = new JcaSimpleSignerInfoVerifierBuilder().build(signerCert.getPublicKey());
} catch (OperatorCreationException ex) {
final String msg = "could not build signature verifier: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
boolean signatureValid;
try {
signatureValid = signerInfo.verify(verifier);
} catch (CMSException ex) {
final String msg = "could not verify the signature: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
ret.setSignatureValid(signatureValid);
if (!signatureValid) {
return ret;
}
// MessageData
CMSTypedData signedContent = pkiMessage.getSignedContent();
ASN1ObjectIdentifier signedContentType = signedContent.getContentType();
if (!CMSObjectIdentifiers.signedData.equals(signedContentType)) {
// fall back: some SCEP client use id-data
if (!CMSObjectIdentifiers.data.equals(signedContentType)) {
ret.setFailureMessage("either id-signedData or id-data is excepted, but not '" + signedContentType.getId());
return ret;
}
}
ContentInfo contentInfo = ContentInfo.getInstance((byte[]) signedContent.getContent());
SignedData signedData = SignedData.getInstance(contentInfo.getContent());
List<X509Certificate> certs;
try {
certs = ScepUtil.getCertsFromSignedData(signedData);
} catch (CertificateException ex) {
final String msg = "could not extract Certificates from the message: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
final int n = certs.size();
X509Certificate caCert = null;
List<X509Certificate> raCerts = new LinkedList<X509Certificate>();
for (int i = 0; i < n; i++) {
X509Certificate cert = certs.get(i);
if (cert.getBasicConstraints() > -1) {
if (caCert != null) {
final String msg = "multiple CA certificates is returned, but exactly 1 is expected";
LOG.error(msg);
ret.setFailureMessage(msg);
return ret;
}
caCert = cert;
} else {
raCerts.add(cert);
}
}
if (caCert == null) {
final String msg = "no CA certificate is returned";
LOG.error(msg);
ret.setFailureMessage(msg);
return ret;
}
X509Certificate[] locaRaCerts = raCerts.isEmpty() ? null : raCerts.toArray(new X509Certificate[0]);
AuthorityCertStore authorityCertStore = AuthorityCertStore.getInstance(caCert, locaRaCerts);
ret.setAuthorityCertStore(authorityCertStore);
return ret;
}
Also used :
AttributeTable(org.bouncycastle.asn1.cms.AttributeTable)
SignerInformation(org.bouncycastle.cms.SignerInformation)
CertificateException(java.security.cert.CertificateException)
SignerInformationStore(org.bouncycastle.cms.SignerInformationStore)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
SignerInformationVerifier(org.bouncycastle.cms.SignerInformationVerifier)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
CMSTypedData(org.bouncycastle.cms.CMSTypedData)
SignedData(org.bouncycastle.asn1.cms.SignedData)
CMSSignedData(org.bouncycastle.cms.CMSSignedData)
JcaSimpleSignerInfoVerifierBuilder(org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder)
Date(java.util.Date)
CMSException(org.bouncycastle.cms.CMSException)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
CertificateException(java.security.cert.CertificateException)
X509Certificate(java.security.cert.X509Certificate)
LinkedList(java.util.LinkedList)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
SignerId(org.bouncycastle.cms.SignerId)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
CMSException(org.bouncycastle.cms.CMSException)
Example 47 with ContentInfo
use of org.bouncycastle.asn1.pkcs.ContentInfo in project xipki by xipki.
the class ScepResponder method servicePkiOperation.
public ContentInfo servicePkiOperation(CMSSignedData requestContent, AuditEvent event) throws MessageDecodingException, CaException {
ScepUtil.requireNonNull("requestContent", requestContent);
PrivateKey recipientKey = (raEmulator != null) ? raEmulator.getRaKey() : caEmulator.getCaKey();
Certificate recipientCert = (raEmulator != null) ? raEmulator.getRaCert() : caEmulator.getCaCert();
X509Certificate recipientX509Obj;
try {
recipientX509Obj = ScepUtil.toX509Cert(recipientCert);
} catch (CertificateException ex) {
throw new MessageDecodingException("could not parse recipientCert " + recipientCert.getTBSCertificate().getSubject());
}
EnvelopedDataDecryptorInstance decInstance = new EnvelopedDataDecryptorInstance(recipientX509Obj, recipientKey);
EnvelopedDataDecryptor recipient = new EnvelopedDataDecryptor(decInstance);
DecodedPkiMessage req = DecodedPkiMessage.decode(requestContent, recipient, null);
PkiMessage rep = servicePkiOperation0(req, event);
event.putEventData(ScepAuditConstants.NAME_pkiStatus, rep.getPkiStatus());
if (rep.getPkiStatus() == PkiStatus.FAILURE) {
event.setLevel(AuditLevel.ERROR);
}
if (rep.getFailInfo() != null) {
event.putEventData(ScepAuditConstants.NAME_failInfo, rep.getFailInfo());
}
String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(getSigningKey(), ScepHashAlgo.forNameOrOid(req.getDigestAlgorithm().getId()));
try {
X509Certificate jceSignerCert = ScepUtil.toX509Cert(getSigningCert());
X509Certificate[] certs = control.isSendSignerCert() ? new X509Certificate[] { jceSignerCert } : null;
return rep.encode(getSigningKey(), signatureAlgorithm, jceSignerCert, certs, req.getSignatureCert(), req.getContentEncryptionAlgorithm());
} catch (Exception ex) {
throw new CaException(ex);
}
}
Also used :
EnvelopedDataDecryptor(org.xipki.scep.message.EnvelopedDataDecryptor)
PrivateKey(java.security.PrivateKey)
CertificateException(java.security.cert.CertificateException)
ASN1String(org.bouncycastle.asn1.ASN1String)
X509Certificate(java.security.cert.X509Certificate)
CMSException(org.bouncycastle.cms.CMSException)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
CertificateException(java.security.cert.CertificateException)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
EnvelopedDataDecryptorInstance(org.xipki.scep.message.EnvelopedDataDecryptorInstance)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
PkiMessage(org.xipki.scep.message.PkiMessage)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Example 48 with ContentInfo
use of org.bouncycastle.asn1.pkcs.ContentInfo in project pdfbox by apache.
the class PublicKeySecurityHandler method createDERForRecipient.
private ASN1Primitive createDERForRecipient(byte[] in, X509Certificate cert) throws IOException, GeneralSecurityException {
String algorithm = "1.2.840.113549.3.2";
AlgorithmParameterGenerator apg;
KeyGenerator keygen;
Cipher cipher;
try {
apg = AlgorithmParameterGenerator.getInstance(algorithm, SecurityProvider.getProvider());
keygen = KeyGenerator.getInstance(algorithm, SecurityProvider.getProvider());
cipher = Cipher.getInstance(algorithm, SecurityProvider.getProvider());
} catch (NoSuchAlgorithmException e) {
// happens when using the command line app .jar file
throw new IOException("Could not find a suitable javax.crypto provider for algorithm " + algorithm + "; possible reason: using an unsigned .jar file", e);
} catch (NoSuchPaddingException e) {
// should never happen, if this happens throw IOException instead
throw new RuntimeException("Could not find a suitable javax.crypto provider", e);
}
AlgorithmParameters parameters = apg.generateParameters();
ASN1Primitive object;
try (ASN1InputStream input = new ASN1InputStream(parameters.getEncoded("ASN.1"))) {
object = input.readObject();
}
keygen.init(128);
SecretKey secretkey = keygen.generateKey();
cipher.init(1, secretkey, parameters);
byte[] bytes = cipher.doFinal(in);
KeyTransRecipientInfo recipientInfo = computeRecipientInfo(cert, secretkey.getEncoded());
DERSet set = new DERSet(new RecipientInfo(recipientInfo));
AlgorithmIdentifier algorithmId = new AlgorithmIdentifier(new ASN1ObjectIdentifier(algorithm), object);
EncryptedContentInfo encryptedInfo = new EncryptedContentInfo(PKCSObjectIdentifiers.data, algorithmId, new DEROctetString(bytes));
EnvelopedData enveloped = new EnvelopedData(null, set, encryptedInfo, (ASN1Set) null);
ContentInfo contentInfo = new ContentInfo(PKCSObjectIdentifiers.envelopedData, enveloped);
return contentInfo.toASN1Primitive();
}
Also used :
ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream)
KeyTransRecipientInfo(org.bouncycastle.asn1.cms.KeyTransRecipientInfo)
AlgorithmParameterGenerator(java.security.AlgorithmParameterGenerator)
NoSuchPaddingException(javax.crypto.NoSuchPaddingException)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
COSString(org.apache.pdfbox.cos.COSString)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IOException(java.io.IOException)
DERSet(org.bouncycastle.asn1.DERSet)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
SecretKey(javax.crypto.SecretKey)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
EncryptedContentInfo(org.bouncycastle.asn1.cms.EncryptedContentInfo)
Cipher(javax.crypto.Cipher)
KeyGenerator(javax.crypto.KeyGenerator)
ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)
KeyTransRecipientInfo(org.bouncycastle.asn1.cms.KeyTransRecipientInfo)
RecipientInfo(org.bouncycastle.asn1.cms.RecipientInfo)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
EnvelopedData(org.bouncycastle.asn1.cms.EnvelopedData)
CMSEnvelopedData(org.bouncycastle.cms.CMSEnvelopedData)
AlgorithmParameters(java.security.AlgorithmParameters)
EncryptedContentInfo(org.bouncycastle.asn1.cms.EncryptedContentInfo)
Example 49 with ContentInfo
use of org.bouncycastle.asn1.pkcs.ContentInfo in project keepass2android by PhilippC.
the class SignedData method toASN1Object.
/**
* Produce an object suitable for an ASN1OutputStream.
* <pre>
* SignedData ::= SEQUENCE {
* version Version,
* digestAlgorithms DigestAlgorithmIdentifiers,
* contentInfo ContentInfo,
* certificates
* [0] IMPLICIT ExtendedCertificatesAndCertificates
* OPTIONAL,
* crls
* [1] IMPLICIT CertificateRevocationLists OPTIONAL,
* signerInfos SignerInfos }
* </pre>
*/
public DERObject toASN1Object() {
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(version);
v.add(digestAlgorithms);
v.add(contentInfo);
if (certificates != null) {
v.add(new DERTaggedObject(false, 0, certificates));
}
if (crls != null) {
v.add(new DERTaggedObject(false, 1, crls));
}
v.add(signerInfos);
return new BERSequence(v);
}
Also used :
DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject)
BERSequence(org.bouncycastle.asn1.BERSequence)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
Example 50 with ContentInfo
use of org.bouncycastle.asn1.pkcs.ContentInfo in project keepass2android by PhilippC.
the class ContentInfo method toASN1Object.
/**
* Produce an object suitable for an ASN1OutputStream.
* <pre>
* ContentInfo ::= SEQUENCE {
* contentType ContentType,
* content
* [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
* </pre>
*/
public DERObject toASN1Object() {
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(contentType);
if (content != null) {
v.add(new BERTaggedObject(0, content));
}
return new BERSequence(v);
}
Also used :
BERSequence(org.bouncycastle.asn1.BERSequence)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
BERTaggedObject(org.bouncycastle.asn1.BERTaggedObject)
Aggregations
ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)24
ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)22
IOException (java.io.IOException)20
X509Certificate (java.security.cert.X509Certificate)18
CMSSignedData (org.bouncycastle.cms.CMSSignedData)14
CertificateException (java.security.cert.CertificateException)12
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)12
BERSequence (org.bouncycastle.asn1.BERSequence)12
CertificateEncodingException (java.security.cert.CertificateEncodingException)11
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)9
ASN1Set (org.bouncycastle.asn1.ASN1Set)9
SignedData (org.bouncycastle.asn1.cms.SignedData)9
CMSException (org.bouncycastle.cms.CMSException)9
PrivateKey (java.security.PrivateKey)8
ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)8
DERSet (org.bouncycastle.asn1.DERSet)8
ContentInfo (org.bouncycastle.asn1.pkcs.ContentInfo)8
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)7
ByteArrayInputStream (java.io.ByteArrayInputStream)6
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)6
