Examples with JcePKMACValuesCalculator org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator used on opensource projects

Search in sources :

Example 1 with JcePKMACValuesCalculator

use of org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator in project xipki by xipki.

the class CmpAgent method verifyProtection.

private ProtectionVerificationResult verifyProtection(String tid, GeneralPKIMessage pkiMessage) throws CMPException, InvalidKeyException {
    ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
    PKIHeader header = protectedMsg.getHeader();
    if (requestor instanceof Requestor.PbmMacCmpRequestor) {
        if (!protectedMsg.hasPasswordBasedMacProtection()) {
            LOG.warn("NOT_MAC_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
            return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        Responder.PbmMacCmpResponder macResponder = (Responder.PbmMacCmpResponder) responder;
        PBMParameter parameter = PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters());
        HashAlgo owf;
        try {
            owf = HashAlgo.getInstance(parameter.getOwf());
        } catch (NoSuchAlgorithmException ex) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf)", ex);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        if (!macResponder.isPbmOwfPermitted(owf)) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", owf);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        SignAlgo mac;
        try {
            mac = SignAlgo.getInstance(parameter.getMac());
        } catch (NoSuchAlgorithmException ex) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac)", ex);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        if (!macResponder.isPbmMacPermitted(mac)) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", mac);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        Requestor.PbmMacCmpRequestor macRequestor = (Requestor.PbmMacCmpRequestor) requestor;
        PKMACBuilder pkMacBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
        boolean macValid = protectedMsg.verify(pkMacBuilder, macRequestor.getPassword());
        return new ProtectionVerificationResult(requestor, macValid ? ProtectionResult.MAC_VALID : ProtectionResult.MAC_INVALID);
    } else {
        if (protectedMsg.hasPasswordBasedMacProtection()) {
            LOG.warn("NOT_SIGNATURE_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
            return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        if (recipientName != null) {
            boolean authorizedResponder;
            if (header.getSender().getTagNo() != GeneralName.directoryName) {
                authorizedResponder = false;
            } else {
                X500Name msgSender = X500Name.getInstance(header.getSender().getName());
                authorizedResponder = recipientName.equals(msgSender);
            }
            if (!authorizedResponder) {
                LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender());
                return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
            }
        }
        Responder.SignatureCmpResponder sigResponder = (Responder.SignatureCmpResponder) responder;
        SignAlgo protectionAlgo;
        try {
            protectionAlgo = SignAlgo.getInstance(protectedMsg.getHeader().getProtectionAlg());
        } catch (NoSuchAlgorithmException ex) {
            LOG.warn("tid={}: unknown response protection algorithm: {}", tid, ex.getMessage());
            return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_INVALID);
        }
        if (!sigResponder.getSigAlgoValidator().isAlgorithmPermitted(protectionAlgo)) {
            LOG.warn("tid={}: response protected by untrusted protection algorithm '{}'", tid, protectionAlgo.getJceName());
            return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_INVALID);
        }
        X509Cert cert = sigResponder.getCert();
        ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(cert);
        if (verifierProvider == null) {
            LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender());
            return new ProtectionVerificationResult(cert, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        boolean signatureValid = protectedMsg.verify(verifierProvider);
        return new ProtectionVerificationResult(cert, signatureValid ? ProtectionResult.SIGNATURE_VALID : ProtectionResult.SIGNATURE_INVALID);
    }
}
Also used : PKMACBuilder(org.bouncycastle.cert.crmf.PKMACBuilder) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) X500Name(org.bouncycastle.asn1.x500.X500Name) JcePKMACValuesCalculator(org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 2 with JcePKMACValuesCalculator

use of org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator in project xipki by xipki.

the class BaseCmpResponder method verifyProtection.

// method randomBytes
private ProtectionVerificationResult verifyProtection(String tid, GeneralPKIMessage pkiMessage, CmpControl cmpControl) throws CMPException, InvalidKeyException {
    ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
    PKIHeader header = protectedMsg.getHeader();
    X500Name sender = getX500Sender(header);
    if (sender == null) {
        LOG.warn("tid={}: not authorized requestor 'null'", tid);
        return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
    }
    AlgorithmIdentifier protectionAlg = header.getProtectionAlg();
    if (protectedMsg.hasPasswordBasedMacProtection()) {
        PBMParameter parameter = PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters());
        HashAlgo owfAlg;
        try {
            owfAlg = HashAlgo.getInstance(parameter.getOwf());
        } catch (NoSuchAlgorithmException ex) {
            LogUtil.warn(LOG, ex);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        if (!cmpControl.isRequestPbmOwfPermitted(owfAlg)) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", owfAlg.getJceName());
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        SignAlgo macAlg;
        try {
            macAlg = SignAlgo.getInstance(parameter.getMac());
        } catch (NoSuchAlgorithmException ex) {
            LogUtil.warn(LOG, ex);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        if (!cmpControl.isRequestPbmMacPermitted(macAlg)) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", macAlg.getJceName());
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        int iterationCount = parameter.getIterationCount().getValue().intValue();
        if (iterationCount < 1000) {
            LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.iterationCount: {} < 1000)", iterationCount);
            return new ProtectionVerificationResult(null, ProtectionResult.MAC_ALGO_FORBIDDEN);
        }
        ASN1OctetString asn1 = header.getSenderKID();
        // CHECKSTYLE:SKIP
        byte[] senderKID = (asn1 == null) ? null : asn1.getOctets();
        PKMACBuilder pkMacBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
        CmpRequestorInfo requestor = getMacRequestor(senderKID);
        if (requestor == null) {
            LOG.warn("tid={}: not authorized requestor with senderKID '{}", tid, (senderKID == null) ? "null" : Hex.toHexString(senderKID));
            return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        boolean macValid = protectedMsg.verify(pkMacBuilder, requestor.getPassword());
        return new ProtectionVerificationResult(requestor, macValid ? ProtectionResult.MAC_VALID : ProtectionResult.MAC_INVALID);
    } else {
        if (!cmpControl.getSigAlgoValidator().isAlgorithmPermitted(protectionAlg)) {
            LOG.warn("SIG_ALGO_FORBIDDEN: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
            return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_ALGO_FORBIDDEN);
        }
        X500Name x500Sender = getX500Sender(header);
        CmpRequestorInfo requestor = (x500Sender == null) ? null : getRequestor(x500Sender);
        if (requestor == null) {
            LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender());
            return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(requestor.getCert().getCert());
        if (verifierProvider == null) {
            LOG.warn("tid={}: not authorized requestor '{}'", tid, sender);
            return new ProtectionVerificationResult(requestor, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
        boolean signatureValid = protectedMsg.verify(verifierProvider);
        return new ProtectionVerificationResult(requestor, signatureValid ? ProtectionResult.SIGNATURE_VALID : ProtectionResult.SIGNATURE_INVALID);
    }
}
Also used : PKMACBuilder(org.bouncycastle.cert.crmf.PKMACBuilder) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) ProtectionVerificationResult(org.xipki.security.cmp.ProtectionVerificationResult) X500Name(org.bouncycastle.asn1.x500.X500Name) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) JcePKMACValuesCalculator(org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator) CmpRequestorInfo(org.xipki.ca.api.mgmt.RequestorInfo.CmpRequestorInfo) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 3 with JcePKMACValuesCalculator

use of org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator in project xipki by xipki.

the class PbmMacCmpCaClient method verifyProtection.

@Override
protected boolean verifyProtection(GeneralPKIMessage pkiMessage) throws CMPException, InvalidKeyException {
    ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
    if (!protectedMsg.hasPasswordBasedMacProtection()) {
        LOG.warn("NOT_MAC_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
        return false;
    }
    PBMParameter parameter = PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters());
    ASN1ObjectIdentifier algOid = parameter.getOwf().getAlgorithm();
    if (!trustedOwfOids.contains(algOid)) {
        LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", algOid);
        return false;
    }
    algOid = parameter.getMac().getAlgorithm();
    if (!trustedMacOids.contains(algOid)) {
        LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", algOid);
        return false;
    }
    PKMACBuilder pkMacBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
    return protectedMsg.verify(pkMacBuilder, password);
}
Also used : PKMACBuilder(org.bouncycastle.cert.crmf.PKMACBuilder) JcePKMACValuesCalculator(org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) PBMParameter(org.bouncycastle.asn1.cmp.PBMParameter)

Example 4 with JcePKMACValuesCalculator

use of org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator in project xipki by xipki.

the class PbmMacCmpCaClient method build.

// method decrypt
@Override
protected ProtectedPKIMessage build(ProtectedPKIMessageBuilder builder) throws Exception {
    builder.setSenderKID(kid);
    byte[] salt = new byte[64];
    random.nextBytes(salt);
    PBMParameter pbmParameter = new PBMParameter(salt, requestOwf, requestInterationCount, requestMac);
    try {
        PKMACBuilder pkMacBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
        pkMacBuilder.setParameters(pbmParameter);
        return builder.build(pkMacBuilder.build(password));
    } catch (CRMFException ex) {
        throw new CMPException(ex.getMessage(), ex);
    }
}
Also used : PKMACBuilder(org.bouncycastle.cert.crmf.PKMACBuilder) JcePKMACValuesCalculator(org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator) CMPException(org.bouncycastle.cert.cmp.CMPException) CRMFException(org.bouncycastle.cert.crmf.CRMFException) PBMParameter(org.bouncycastle.asn1.cmp.PBMParameter)

Example 5 with JcePKMACValuesCalculator

use of org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator in project xipki by xipki.

the class CmpUtil method addProtection.

// method addProtection
public static PKIMessage addProtection(PKIMessage pkiMessage, char[] password, PBMParameter pbmParameter, GeneralName signerName, byte[] senderKid) throws CMPException {
    ProtectedPKIMessageBuilder builder = newProtectedPKIMessageBuilder(pkiMessage, signerName, senderKid);
    ProtectedPKIMessage signedMessage;
    try {
        PKMACBuilder pkMacBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
        pkMacBuilder.setParameters(pbmParameter);
        signedMessage = builder.build(pkMacBuilder.build(password));
    } catch (CRMFException ex) {
        throw new CMPException(ex.getMessage(), ex);
    }
    return signedMessage.toASN1Structure();
}
Also used : PKMACBuilder(org.bouncycastle.cert.crmf.PKMACBuilder) JcePKMACValuesCalculator(org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator) CMPException(org.bouncycastle.cert.cmp.CMPException) CRMFException(org.bouncycastle.cert.crmf.CRMFException) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) ProtectedPKIMessageBuilder(org.bouncycastle.cert.cmp.ProtectedPKIMessageBuilder)

Aggregations

PKMACBuilder (org.bouncycastle.cert.crmf.PKMACBuilder)5 JcePKMACValuesCalculator (org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator)5 ProtectedPKIMessage (org.bouncycastle.cert.cmp.ProtectedPKIMessage)3 PBMParameter (org.bouncycastle.asn1.cmp.PBMParameter)2 X500Name (org.bouncycastle.asn1.x500.X500Name)2 CMPException (org.bouncycastle.cert.cmp.CMPException)2 CRMFException (org.bouncycastle.cert.crmf.CRMFException)2 ContentVerifierProvider (org.bouncycastle.operator.ContentVerifierProvider)2 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)1 AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)1 ProtectedPKIMessageBuilder (org.bouncycastle.cert.cmp.ProtectedPKIMessageBuilder)1 CmpRequestorInfo (org.xipki.ca.api.mgmt.RequestorInfo.CmpRequestorInfo)1 ProtectionVerificationResult (org.xipki.security.cmp.ProtectionVerificationResult)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial