Search in sources :

Example 46 with ContentInfo

use of org.bouncycastle.asn1.pkcs.ContentInfo in project xipki by xipki.

the class DecodedNextCaMessage method decode.

@SuppressWarnings("unchecked")
public static DecodedNextCaMessage decode(CMSSignedData pkiMessage, CollectionStore<X509CertificateHolder> certStore) throws MessageDecodingException {
    ScepUtil.requireNonNull("pkiMessage", pkiMessage);
    SignerInformationStore signerStore = pkiMessage.getSignerInfos();
    Collection<SignerInformation> signerInfos = signerStore.getSigners();
    if (signerInfos.size() != 1) {
        throw new MessageDecodingException("number of signerInfos is not 1, but " + signerInfos.size());
    }
    SignerInformation signerInfo = signerInfos.iterator().next();
    SignerId sid = signerInfo.getSID();
    Collection<?> signedDataCerts = null;
    if (certStore != null) {
        signedDataCerts = certStore.getMatches(sid);
    }
    if (signedDataCerts == null || signedDataCerts.isEmpty()) {
        signedDataCerts = pkiMessage.getCertificates().getMatches(signerInfo.getSID());
    }
    if (signedDataCerts == null || signedDataCerts.size() != 1) {
        throw new MessageDecodingException("could not find embedded certificate to verify the signature");
    }
    AttributeTable signedAttrs = signerInfo.getSignedAttributes();
    if (signedAttrs == null) {
        throw new MessageDecodingException("missing signed attributes");
    }
    Date signingTime = null;
    // signingTime
    ASN1Encodable attrValue = ScepUtil.getFirstAttrValue(signedAttrs, CMSAttributes.signingTime);
    if (attrValue != null) {
        signingTime = Time.getInstance(attrValue).getDate();
    }
    DecodedNextCaMessage ret = new DecodedNextCaMessage();
    if (signingTime != null) {
        ret.setSigningTime(signingTime);
    }
    ASN1ObjectIdentifier digestAlgOid = signerInfo.getDigestAlgorithmID().getAlgorithm();
    ret.setDigestAlgorithm(digestAlgOid);
    String sigAlgOid = signerInfo.getEncryptionAlgOID();
    if (!PKCSObjectIdentifiers.rsaEncryption.getId().equals(sigAlgOid)) {
        ASN1ObjectIdentifier tmpDigestAlgOid;
        try {
            tmpDigestAlgOid = ScepUtil.extractDigesetAlgorithmIdentifier(signerInfo.getEncryptionAlgOID(), signerInfo.getEncryptionAlgParams());
        } catch (Exception ex) {
            final String msg = "could not extract digest algorithm from signerInfo.signatureAlgorithm: " + ex.getMessage();
            LOG.error(msg);
            LOG.debug(msg, ex);
            ret.setFailureMessage(msg);
            return ret;
        }
        if (!digestAlgOid.equals(tmpDigestAlgOid)) {
            ret.setFailureMessage("digestAlgorithm and encryptionAlgorithm do not use" + " the same digestAlgorithm");
            return ret;
        }
    }
    // end if
    X509CertificateHolder tmpSignerCert = (X509CertificateHolder) signedDataCerts.iterator().next();
    X509Certificate signerCert;
    try {
        signerCert = ScepUtil.toX509Cert(tmpSignerCert.toASN1Structure());
    } catch (CertificateException ex) {
        final String msg = "could not construct X509CertificateObject: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    ret.setSignatureCert(signerCert);
    // validate the signature
    SignerInformationVerifier verifier;
    try {
        verifier = new JcaSimpleSignerInfoVerifierBuilder().build(signerCert.getPublicKey());
    } catch (OperatorCreationException ex) {
        final String msg = "could not build signature verifier: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    boolean signatureValid;
    try {
        signatureValid = signerInfo.verify(verifier);
    } catch (CMSException ex) {
        final String msg = "could not verify the signature: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    ret.setSignatureValid(signatureValid);
    if (!signatureValid) {
        return ret;
    }
    // MessageData
    CMSTypedData signedContent = pkiMessage.getSignedContent();
    ASN1ObjectIdentifier signedContentType = signedContent.getContentType();
    if (!CMSObjectIdentifiers.signedData.equals(signedContentType)) {
        // fall back: some SCEP client use id-data
        if (!CMSObjectIdentifiers.data.equals(signedContentType)) {
            ret.setFailureMessage("either id-signedData or id-data is excepted, but not '" + signedContentType.getId());
            return ret;
        }
    }
    ContentInfo contentInfo = ContentInfo.getInstance((byte[]) signedContent.getContent());
    SignedData signedData = SignedData.getInstance(contentInfo.getContent());
    List<X509Certificate> certs;
    try {
        certs = ScepUtil.getCertsFromSignedData(signedData);
    } catch (CertificateException ex) {
        final String msg = "could not extract Certificates from the message: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    final int n = certs.size();
    X509Certificate caCert = null;
    List<X509Certificate> raCerts = new LinkedList<X509Certificate>();
    for (int i = 0; i < n; i++) {
        X509Certificate cert = certs.get(i);
        if (cert.getBasicConstraints() > -1) {
            if (caCert != null) {
                final String msg = "multiple CA certificates is returned, but exactly 1 is expected";
                LOG.error(msg);
                ret.setFailureMessage(msg);
                return ret;
            }
            caCert = cert;
        } else {
            raCerts.add(cert);
        }
    }
    if (caCert == null) {
        final String msg = "no CA certificate is returned";
        LOG.error(msg);
        ret.setFailureMessage(msg);
        return ret;
    }
    X509Certificate[] locaRaCerts = raCerts.isEmpty() ? null : raCerts.toArray(new X509Certificate[0]);
    AuthorityCertStore authorityCertStore = AuthorityCertStore.getInstance(caCert, locaRaCerts);
    ret.setAuthorityCertStore(authorityCertStore);
    return ret;
}
Also used : AttributeTable(org.bouncycastle.asn1.cms.AttributeTable) SignerInformation(org.bouncycastle.cms.SignerInformation) CertificateException(java.security.cert.CertificateException) SignerInformationStore(org.bouncycastle.cms.SignerInformationStore) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) SignerInformationVerifier(org.bouncycastle.cms.SignerInformationVerifier) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) CMSTypedData(org.bouncycastle.cms.CMSTypedData) SignedData(org.bouncycastle.asn1.cms.SignedData) CMSSignedData(org.bouncycastle.cms.CMSSignedData) JcaSimpleSignerInfoVerifierBuilder(org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder) Date(java.util.Date) CMSException(org.bouncycastle.cms.CMSException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) CertificateException(java.security.cert.CertificateException) X509Certificate(java.security.cert.X509Certificate) LinkedList(java.util.LinkedList) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) SignerId(org.bouncycastle.cms.SignerId) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) CMSException(org.bouncycastle.cms.CMSException)

Example 47 with ContentInfo

use of org.bouncycastle.asn1.pkcs.ContentInfo in project xipki by xipki.

the class ScepResponder method servicePkiOperation.

public ContentInfo servicePkiOperation(CMSSignedData requestContent, AuditEvent event) throws MessageDecodingException, CaException {
    ScepUtil.requireNonNull("requestContent", requestContent);
    PrivateKey recipientKey = (raEmulator != null) ? raEmulator.getRaKey() : caEmulator.getCaKey();
    Certificate recipientCert = (raEmulator != null) ? raEmulator.getRaCert() : caEmulator.getCaCert();
    X509Certificate recipientX509Obj;
    try {
        recipientX509Obj = ScepUtil.toX509Cert(recipientCert);
    } catch (CertificateException ex) {
        throw new MessageDecodingException("could not parse recipientCert " + recipientCert.getTBSCertificate().getSubject());
    }
    EnvelopedDataDecryptorInstance decInstance = new EnvelopedDataDecryptorInstance(recipientX509Obj, recipientKey);
    EnvelopedDataDecryptor recipient = new EnvelopedDataDecryptor(decInstance);
    DecodedPkiMessage req = DecodedPkiMessage.decode(requestContent, recipient, null);
    PkiMessage rep = servicePkiOperation0(req, event);
    event.putEventData(ScepAuditConstants.NAME_pkiStatus, rep.getPkiStatus());
    if (rep.getPkiStatus() == PkiStatus.FAILURE) {
        event.setLevel(AuditLevel.ERROR);
    }
    if (rep.getFailInfo() != null) {
        event.putEventData(ScepAuditConstants.NAME_failInfo, rep.getFailInfo());
    }
    String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(getSigningKey(), ScepHashAlgo.forNameOrOid(req.getDigestAlgorithm().getId()));
    try {
        X509Certificate jceSignerCert = ScepUtil.toX509Cert(getSigningCert());
        X509Certificate[] certs = control.isSendSignerCert() ? new X509Certificate[] { jceSignerCert } : null;
        return rep.encode(getSigningKey(), signatureAlgorithm, jceSignerCert, certs, req.getSignatureCert(), req.getContentEncryptionAlgorithm());
    } catch (Exception ex) {
        throw new CaException(ex);
    }
}
Also used : EnvelopedDataDecryptor(org.xipki.scep.message.EnvelopedDataDecryptor) PrivateKey(java.security.PrivateKey) CertificateException(java.security.cert.CertificateException) ASN1String(org.bouncycastle.asn1.ASN1String) X509Certificate(java.security.cert.X509Certificate) CMSException(org.bouncycastle.cms.CMSException) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) CertificateException(java.security.cert.CertificateException) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) EnvelopedDataDecryptorInstance(org.xipki.scep.message.EnvelopedDataDecryptorInstance) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) PkiMessage(org.xipki.scep.message.PkiMessage) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate)

Example 48 with ContentInfo

use of org.bouncycastle.asn1.pkcs.ContentInfo in project pdfbox by apache.

the class PublicKeySecurityHandler method createDERForRecipient.

private ASN1Primitive createDERForRecipient(byte[] in, X509Certificate cert) throws IOException, GeneralSecurityException {
    String algorithm = "1.2.840.113549.3.2";
    AlgorithmParameterGenerator apg;
    KeyGenerator keygen;
    Cipher cipher;
    try {
        apg = AlgorithmParameterGenerator.getInstance(algorithm, SecurityProvider.getProvider());
        keygen = KeyGenerator.getInstance(algorithm, SecurityProvider.getProvider());
        cipher = Cipher.getInstance(algorithm, SecurityProvider.getProvider());
    } catch (NoSuchAlgorithmException e) {
        // happens when using the command line app .jar file
        throw new IOException("Could not find a suitable javax.crypto provider for algorithm " + algorithm + "; possible reason: using an unsigned .jar file", e);
    } catch (NoSuchPaddingException e) {
        // should never happen, if this happens throw IOException instead
        throw new RuntimeException("Could not find a suitable javax.crypto provider", e);
    }
    AlgorithmParameters parameters = apg.generateParameters();
    ASN1Primitive object;
    try (ASN1InputStream input = new ASN1InputStream(parameters.getEncoded("ASN.1"))) {
        object = input.readObject();
    }
    keygen.init(128);
    SecretKey secretkey = keygen.generateKey();
    cipher.init(1, secretkey, parameters);
    byte[] bytes = cipher.doFinal(in);
    KeyTransRecipientInfo recipientInfo = computeRecipientInfo(cert, secretkey.getEncoded());
    DERSet set = new DERSet(new RecipientInfo(recipientInfo));
    AlgorithmIdentifier algorithmId = new AlgorithmIdentifier(new ASN1ObjectIdentifier(algorithm), object);
    EncryptedContentInfo encryptedInfo = new EncryptedContentInfo(PKCSObjectIdentifiers.data, algorithmId, new DEROctetString(bytes));
    EnvelopedData enveloped = new EnvelopedData(null, set, encryptedInfo, (ASN1Set) null);
    ContentInfo contentInfo = new ContentInfo(PKCSObjectIdentifiers.envelopedData, enveloped);
    return contentInfo.toASN1Primitive();
}
Also used : ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) KeyTransRecipientInfo(org.bouncycastle.asn1.cms.KeyTransRecipientInfo) AlgorithmParameterGenerator(java.security.AlgorithmParameterGenerator) NoSuchPaddingException(javax.crypto.NoSuchPaddingException) DEROctetString(org.bouncycastle.asn1.DEROctetString) COSString(org.apache.pdfbox.cos.COSString) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) IOException(java.io.IOException) DERSet(org.bouncycastle.asn1.DERSet) DEROctetString(org.bouncycastle.asn1.DEROctetString) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) SecretKey(javax.crypto.SecretKey) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) EncryptedContentInfo(org.bouncycastle.asn1.cms.EncryptedContentInfo) Cipher(javax.crypto.Cipher) KeyGenerator(javax.crypto.KeyGenerator) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive) KeyTransRecipientInfo(org.bouncycastle.asn1.cms.KeyTransRecipientInfo) RecipientInfo(org.bouncycastle.asn1.cms.RecipientInfo) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) EnvelopedData(org.bouncycastle.asn1.cms.EnvelopedData) CMSEnvelopedData(org.bouncycastle.cms.CMSEnvelopedData) AlgorithmParameters(java.security.AlgorithmParameters) EncryptedContentInfo(org.bouncycastle.asn1.cms.EncryptedContentInfo)

Example 49 with ContentInfo

use of org.bouncycastle.asn1.pkcs.ContentInfo in project keepass2android by PhilippC.

the class SignedData method toASN1Object.

/**
 * Produce an object suitable for an ASN1OutputStream.
 * <pre>
 *  SignedData ::= SEQUENCE {
 *      version Version,
 *      digestAlgorithms DigestAlgorithmIdentifiers,
 *      contentInfo ContentInfo,
 *      certificates
 *          [0] IMPLICIT ExtendedCertificatesAndCertificates
 *                   OPTIONAL,
 *      crls
 *          [1] IMPLICIT CertificateRevocationLists OPTIONAL,
 *      signerInfos SignerInfos }
 * </pre>
 */
public DERObject toASN1Object() {
    ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(version);
    v.add(digestAlgorithms);
    v.add(contentInfo);
    if (certificates != null) {
        v.add(new DERTaggedObject(false, 0, certificates));
    }
    if (crls != null) {
        v.add(new DERTaggedObject(false, 1, crls));
    }
    v.add(signerInfos);
    return new BERSequence(v);
}
Also used : DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) BERSequence(org.bouncycastle.asn1.BERSequence) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)

Example 50 with ContentInfo

use of org.bouncycastle.asn1.pkcs.ContentInfo in project keepass2android by PhilippC.

the class ContentInfo method toASN1Object.

/**
 * Produce an object suitable for an ASN1OutputStream.
 * <pre>
 * ContentInfo ::= SEQUENCE {
 *          contentType ContentType,
 *          content
 *          [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
 * </pre>
 */
public DERObject toASN1Object() {
    ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(contentType);
    if (content != null) {
        v.add(new BERTaggedObject(0, content));
    }
    return new BERSequence(v);
}
Also used : BERSequence(org.bouncycastle.asn1.BERSequence) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) BERTaggedObject(org.bouncycastle.asn1.BERTaggedObject)

Aggregations

ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)24 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)22 IOException (java.io.IOException)20 X509Certificate (java.security.cert.X509Certificate)18 CMSSignedData (org.bouncycastle.cms.CMSSignedData)14 CertificateException (java.security.cert.CertificateException)12 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)12 BERSequence (org.bouncycastle.asn1.BERSequence)12 CertificateEncodingException (java.security.cert.CertificateEncodingException)11 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)9 ASN1Set (org.bouncycastle.asn1.ASN1Set)9 SignedData (org.bouncycastle.asn1.cms.SignedData)9 CMSException (org.bouncycastle.cms.CMSException)9 PrivateKey (java.security.PrivateKey)8 ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)8 DERSet (org.bouncycastle.asn1.DERSet)8 ContentInfo (org.bouncycastle.asn1.pkcs.ContentInfo)8 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)7 ByteArrayInputStream (java.io.ByteArrayInputStream)6 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)6