Example 1 with InvalidBERException

use of org.mozilla.jss.asn1.InvalidBERException in project jss by dogtagpki.

the class Decryptor method decrypt.

/**
 * Decrypts the given ciphertext. It must have been created previously
 * with the SecretDecoderRing, either the JSS version or the NSS version.
 * The key used for decryption must exist on the token that was passed
 * into the constructor. The token will be searched for a key whose keyID
 * matches the keyID in the encoded SecretDecoderRing result.
 *
 * @param ciphertext A DER-encoded Encoding object, created from a previous
 *  call to Encryptor.encrypt(), or with the NSS SecretDecoderRing.
 * @return The decrypted plaintext.
 * @throws InvalidKeyException If no key can be found with the matching
 *  keyID.
 */
public byte[] decrypt(byte[] ciphertext) throws NotInitializedException, GeneralSecurityException, TokenException {
    CryptoManager cm = CryptoManager.getInstance();
    CryptoToken savedToken = cm.getThreadToken();
    try {
        cm.setThreadToken(token);
        // 
        // decode ASN1
        // 
        Encoding encoding = (Encoding) ASN1Util.decode(Encoding.getTemplate(), ciphertext);
        // 
        // lookup the algorithm
        // 
        EncryptionAlgorithm alg = EncryptionAlgorithm.fromOID(encoding.getEncryptionOID());
        // 
        // Lookup the key
        // 
        SecretKey key = keyManager.lookupKey(alg, encoding.getKeyID());
        if (key == null) {
            throw new InvalidKeyException("No matching key found");
        }
        // 
        // do the decryption
        // 
        IvParameterSpec ivSpec = new IvParameterSpec(encoding.getIv());
        Cipher cipher = Cipher.getInstance(alg.toString(), Encryptor.PROVIDER);
        cipher.init(Cipher.DECRYPT_MODE, key, ivSpec);
        byte[] paddedPtext = cipher.doFinal(encoding.getCiphertext());
        return org.mozilla.jss.crypto.Cipher.unPad(paddedPtext, alg.getBlockSize());
    } catch (InvalidBERException ibe) {
        throw new GeneralSecurityException(ibe.toString());
    } catch (IllegalStateException ise) {
        throw new GeneralSecurityException(ise.toString());
    } finally {
        cm.setThreadToken(savedToken);
    }
}
Also used : InvalidBERException(org.mozilla.jss.asn1.InvalidBERException) SecretKey(javax.crypto.SecretKey) CryptoToken(org.mozilla.jss.crypto.CryptoToken) GeneralSecurityException(java.security.GeneralSecurityException) EncryptionAlgorithm(org.mozilla.jss.crypto.EncryptionAlgorithm) CryptoManager(org.mozilla.jss.CryptoManager) IvParameterSpec(javax.crypto.spec.IvParameterSpec) Cipher(javax.crypto.Cipher) InvalidKeyException(java.security.InvalidKeyException)

Example 2 with InvalidBERException

use of org.mozilla.jss.asn1.InvalidBERException in project jss by dogtagpki.

the class Name method AVAToString.

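private String AVAToString(AVA ava) throws InvalidBERException {
    OBJECT_IDENTIFIER oid = ava.getOID();
    // convert the attribute type OID to its string form; a null result
    // is rendered as an empty string
    String type = typeToString(oid);
    if (type == null) {
        return "";
    } else {
        // the value is decoded as a DirectoryString; decodeWith throws
        // InvalidBERException if the encoding does not match the template
        return type + "=" + ava.getValue().decodeWith(DirectoryString.getTemplate());
    }
}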
Also used : OBJECT_IDENTIFIER(org.mozilla.jss.asn1.OBJECT_IDENTIFIER) PrintableString(org.mozilla.jss.asn1.PrintableString)

Example 3 with InvalidBERException

use of org.mozilla.jss.asn1.InvalidBERException in project jss by dogtagpki.

the class CRLDistributionPoint method setFullName.

/**
 * Sets the <code>fullName</code> of the <code>DistributionPointName</code>. It may be set to <code>null</code>.
 * If it is set to a non-null value, <code>relativeName</code> will be
 * set to <code>null</code>, because at most one of these two attributes
 * can be specified at a time.
 *
 * @exception GeneralNamesException If an error occurs encoding the
 *                name.
 */
public void setFullName(GeneralNames fullName) throws GeneralNamesException, IOException {
    this.fullName = fullName;
    if (fullName != null) {
        // encode the name to catch any problems with it
        DerOutputStream derOut = new DerOutputStream();
        fullName.encode(derOut);
        try {
            ANY raw = new ANY(derOut.toByteArray());
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            raw.encodeWithAlternateTag(Tag.get(0), bos);
            fullNameEncoding = new ANY(bos.toByteArray());
        } catch (InvalidBERException e) {
            // in DerOutputStream
            throw new GeneralNamesException(e.toString());
        }
        this.relativeName = null;
    }
}
Also used : InvalidBERException(org.mozilla.jss.asn1.InvalidBERException) DerOutputStream(org.mozilla.jss.netscape.security.util.DerOutputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) ANY(org.mozilla.jss.asn1.ANY)

Example 4 with InvalidBERException

use of org.mozilla.jss.asn1.InvalidBERException in project jss by dogtagpki.

the class SignerInfo method verifyWithAuthenticatedAttributes.

/**
 * Verifies a SignerInfo with authenticated attributes.  If authenticated
 * attributes are present, then two particular attributes must
 * be present: <ul>
 * <li>PKCS #9 Content-Type, the type of content that is being signed.
 *      This must match the contentType parameter.
 * <li>PKCS #9 Message-Digest, the digest of the content that is being
 *      signed. This must match the messageDigest parameter.
 * </ul>
 * After these two attributes are verified to be both present and correct,
 * the encryptedDigest field of the SignerInfo is verified to be the
 * signature of the contents octets of the DER encoding of the
 * authenticatedAttributes field.
 */
private void verifyWithAuthenticatedAttributes(byte[] messageDigest, OBJECT_IDENTIFIER contentType, PublicKey pubkey) throws NotInitializedException, NoSuchAlgorithmException, InvalidKeyException, TokenException, SignatureException {
    int numAttrib = authenticatedAttributes.size();
    if (numAttrib < 2) {
        throw new SignatureException("At least two authenticated attributes must be present:" + " content-type and message-digest");
    }
    // go through the authenticated attributes, verifying the
    // interesting ones
    boolean foundContentType = false;
    boolean foundMessageDigest = false;
    for (int i = 0; i < numAttrib; i++) {
        if (!(authenticatedAttributes.elementAt(i) instanceof Attribute)) {
            throw new SignatureException("Element of authenticatedAttributes is not an Attribute");
        }
        Attribute attrib = (Attribute) authenticatedAttributes.elementAt(i);
        if (attrib.getType().equals(CONTENT_TYPE)) {
            // content-type.  Compare with what was passed in.
            SET vals = attrib.getValues();
            if (vals.size() != 1) {
                throw new SignatureException("Content-Type attribute " + " does not have exactly one value");
            }
            ASN1Value val = vals.elementAt(0);
            OBJECT_IDENTIFIER ctype;
            try {
                if (val instanceof OBJECT_IDENTIFIER) {
                    ctype = (OBJECT_IDENTIFIER) val;
                } else if (val instanceof ANY) {
                    ctype = (OBJECT_IDENTIFIER) ((ANY) val).decodeWith(OBJECT_IDENTIFIER.getTemplate());
                } else {
                    // what the heck is it? not what it's supposed to be
                    throw new InvalidBERException("Content-Type authenticated attribute has unexpected" + " content type");
                }
            } catch (InvalidBERException e) {
                throw new SignatureException("Content-Type authenticated attribute does not have " + "OBJECT IDENTIFIER value");
            }
            // contentType parameter
            if (!ctype.equals(contentType)) {
                throw new SignatureException("Content-type in authenticated attributes does not " + "match content-type being verified");
            }
            // content type is A-OK
            foundContentType = true;
        } else if (attrib.getType().equals(MESSAGE_DIGEST)) {
            SET vals = attrib.getValues();
            if (vals.size() != 1) {
                throw new SignatureException("Message-digest attribute does not have" + " exactly one value");
            }
            ASN1Value val = vals.elementAt(0);
            byte[] mdigest;
            try {
                if (val instanceof OCTET_STRING) {
                    mdigest = ((OCTET_STRING) val).toByteArray();
                } else if (val instanceof ANY) {
                    OCTET_STRING os;
                    os = (OCTET_STRING) ((ANY) val).decodeWith(OCTET_STRING.getTemplate());
                    mdigest = os.toByteArray();
                } else {
                    // what the heck is it? not what it's supposed to be
                    throw new InvalidBERException("Message-Digest authenticated attribute has unexpected" + " content type");
                }
            } catch (InvalidBERException e) {
                throw new SignatureException("Message-digest attribute does not" + " have OCTET STRING value");
            }
            // message digest being verified
            if (!byteArraysAreSame(mdigest, messageDigest)) {
                throw new SignatureException("Message-digest attribute does not" + " match message digest being verified");
            }
            // message digest is A-OK
            foundMessageDigest = true;
        }
        // we don't care about other attributes
    }
    if (!foundContentType) {
        throw new SignatureException("Authenticated attributes does not contain" + " PKCS #9 content-type attribute");
    }
    if (!foundMessageDigest) {
        throw new SignatureException("Authenticated attributes does not contain" + " PKCS #9 message-digest attribute");
    }
    SignatureAlgorithm sigAlg = SignatureAlgorithm.fromOID(digestEncryptionAlgorithm.getOID());
    // All the authenticated attributes are present and correct.
    // Now verify the signature.
    CryptoToken token = CryptoManager.getInstance().getInternalCryptoToken();
    Signature sig = token.getSignatureContext(sigAlg);
    sig.initVerify(pubkey);
    // verify the contents octets of the DER encoded authenticated attribs
    byte[] toBeDigested;
    toBeDigested = ASN1Util.encode(authenticatedAttributes);
    MessageDigest md = MessageDigest.getInstance(DigestAlgorithm.fromOID(digestAlgorithm.getOID()).toString());
    byte[] digest = md.digest(toBeDigested);
    byte[] toBeVerified;
    if (sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature) {
        // create DigestInfo structure
        SEQUENCE digestInfo = new SEQUENCE();
        digestInfo.addElement(new AlgorithmIdentifier(digestAlgorithm.getOID(), null));
        digestInfo.addElement(new OCTET_STRING(digest));
        toBeVerified = ASN1Util.encode(digestInfo);
    } else {
        toBeVerified = digest;
    }
    sig.update(toBeVerified);
    if (!sig.verify(encryptedDigest.toByteArray())) {
        // signature is invalid
        throw new SignatureException("encryptedDigest was not the correct" + " signature of the contents octets of the DER-encoded" + " authenticated attributes");
    }
    // SUCCESSFULLY VERIFIED
}
Also used : SET(org.mozilla.jss.asn1.SET) CryptoToken(org.mozilla.jss.crypto.CryptoToken) OBJECT_IDENTIFIER(org.mozilla.jss.asn1.OBJECT_IDENTIFIER) SignatureAlgorithm(org.mozilla.jss.crypto.SignatureAlgorithm) SignatureException(java.security.SignatureException) ANY(org.mozilla.jss.asn1.ANY) AlgorithmIdentifier(org.mozilla.jss.pkix.primitive.AlgorithmIdentifier) InvalidBERException(org.mozilla.jss.asn1.InvalidBERException) ASN1Value(org.mozilla.jss.asn1.ASN1Value) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) Signature(org.mozilla.jss.crypto.Signature) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) MessageDigest(java.security.MessageDigest)

Example 5 with InvalidBERException

use of org.mozilla.jss.asn1.InvalidBERException in project jss by dogtagpki.

the class IssuingDistributionPoint method setFullName.

/**
 * Sets the <code>fullName</code> of the <code>DistributionPointName</code>. It may be set to <code>null</code>.
 * If it is set to a non-null value, <code>relativeName</code> will be
 * set to <code>null</code>, because at most one of these two attributes
 * can be specified at a time.
 *
 * @exception GeneralNamesException If an error occurs encoding the
 *                name.
 */
public void setFullName(GeneralNames fullName) throws GeneralNamesException, IOException {
    this.fullName = fullName;
    if (fullName != null) {
        // encode the name to catch any problems with it
        DerOutputStream derOut = new DerOutputStream();
        fullName.encode(derOut);
        try {
            ANY raw = new ANY(derOut.toByteArray());
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            raw.encodeWithAlternateTag(Tag.get(0), bos);
            fullNameEncoding = new ANY(bos.toByteArray());
        } catch (InvalidBERException e) {
            // in DerOutputStream
            throw new GeneralNamesException(e.toString());
        }
        this.relativeName = null;
    }
}
Also used : InvalidBERException(org.mozilla.jss.asn1.InvalidBERException) DerOutputStream(org.mozilla.jss.netscape.security.util.DerOutputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) ANY(org.mozilla.jss.asn1.ANY)

Aggregations

InvalidBERException (org.mozilla.jss.asn1.InvalidBERException) 11
ANY (org.mozilla.jss.asn1.ANY) 8
ByteArrayOutputStream (java.io.ByteArrayOutputStream) 6
OCTET_STRING (org.mozilla.jss.asn1.OCTET_STRING) 6
SEQUENCE (org.mozilla.jss.asn1.SEQUENCE) 6
CryptoToken (org.mozilla.jss.crypto.CryptoToken) 6
ASN1Value (org.mozilla.jss.asn1.ASN1Value) 5
DerOutputStream (org.mozilla.jss.netscape.security.util.DerOutputStream) 5
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException) 4
EncryptionAlgorithm (org.mozilla.jss.crypto.EncryptionAlgorithm) 4
SymmetricKey (org.mozilla.jss.crypto.SymmetricKey) 4
IOException (java.io.IOException) 3
InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException) 3
AlgorithmParameterSpec (java.security.spec.AlgorithmParameterSpec) 3
OBJECT_IDENTIFIER (org.mozilla.jss.asn1.OBJECT_IDENTIFIER) 3
SET (org.mozilla.jss.asn1.SET) 3
Cipher (org.mozilla.jss.crypto.Cipher) 3
IVParameterSpec (org.mozilla.jss.crypto.IVParameterSpec) 3
KeyGenAlgorithm (org.mozilla.jss.crypto.KeyGenAlgorithm) 3
KeyGenerator (org.mozilla.jss.crypto.KeyGenerator) 3