Search in sources :

Example 6 with OBJECT_IDENTIFIER

use of org.mozilla.jss.asn1.OBJECT_IDENTIFIER in project jss by dogtagpki.

the class PKCS12Util method getKeyInfo.

/**
 * Loads key bags (for IMPORT and other operations on existing
 * PKCS #12 files).  Does not decrypt EncryptedPrivateKeyInfo
 * values, but stores them in PKCS12KeyInfo objects for possible
 * later use.
 */
public PKCS12KeyInfo getKeyInfo(SafeBag bag, Password password) throws Exception {
    PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(bag.getBagContent().getEncoded());
    // get key attributes
    SET bagAttrs = bag.getBagAttributes();
    for (int i = 0; bagAttrs != null && i < bagAttrs.size(); i++) {
        Attribute attr = (Attribute) bagAttrs.elementAt(i);
        OBJECT_IDENTIFIER oid = attr.getType();
        if (oid.equals(SafeBag.FRIENDLY_NAME)) {
            SET values = attr.getValues();
            ANY value = (ANY) values.elementAt(0);
            ByteArrayInputStream bis = new ByteArrayInputStream(value.getEncoded());
            BMPString friendlyName = (BMPString) new BMPString.Template().decode(bis);
            keyInfo.setFriendlyName(friendlyName.toString());
            logger.debug("   Friendly name: " + keyInfo.getFriendlyName());
        } else if (oid.equals(SafeBag.LOCAL_KEY_ID)) {
            SET values = attr.getValues();
            ANY value = (ANY) values.elementAt(0);
            ByteArrayInputStream bis = new ByteArrayInputStream(value.getEncoded());
            OCTET_STRING keyIdAsn1 = (OCTET_STRING) new OCTET_STRING.Template().decode(bis);
            byte[] keyID = keyIdAsn1.toByteArray();
            keyInfo.setID(keyID);
        } else {
            logger.warn("   " + oid + ": " + attr.getValues());
        }
    }
    return keyInfo;
}
Also used : SET(org.mozilla.jss.asn1.SET) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) Attribute(org.mozilla.jss.pkix.primitive.Attribute) ByteArrayInputStream(java.io.ByteArrayInputStream) OBJECT_IDENTIFIER(org.mozilla.jss.asn1.OBJECT_IDENTIFIER) ANY(org.mozilla.jss.asn1.ANY) BMPString(org.mozilla.jss.asn1.BMPString)

Example 7 with OBJECT_IDENTIFIER

use of org.mozilla.jss.asn1.OBJECT_IDENTIFIER in project jss by dogtagpki.

the class SignerInfo method verifyWithAuthenticatedAttributes.

/**
 * Verifies a SignerInfo with authenticated attributes.  If authenticated
 * attributes are present, then two particular attributes must
 * be present: <ul>
 * <li>PKCS #9 Content-Type, the type of content that is being signed.
 *      This must match the contentType parameter.
 * <li>PKCS #9 Message-Digest, the digest of the content that is being
 *      signed. This must match the messageDigest parameter.
 * </ul>
 * After these two attributes are verified to be both present and correct,
 * the encryptedDigest field of the SignerInfo is verified to be the
 * signature of the contents octets of the DER encoding of the
 * authenticatedAttributes field.
 */
private void verifyWithAuthenticatedAttributes(byte[] messageDigest, OBJECT_IDENTIFIER contentType, PublicKey pubkey) throws NotInitializedException, NoSuchAlgorithmException, InvalidKeyException, TokenException, SignatureException {
    int numAttrib = authenticatedAttributes.size();
    if (numAttrib < 2) {
        throw new SignatureException("At least two authenticated attributes must be present:" + " content-type and message-digest");
    }
    // go through the authenticated attributes, verifying the
    // interesting ones
    boolean foundContentType = false;
    boolean foundMessageDigest = false;
    for (int i = 0; i < numAttrib; i++) {
        if (!(authenticatedAttributes.elementAt(i) instanceof Attribute)) {
            throw new SignatureException("Element of authenticatedAttributes is not an Attribute");
        }
        Attribute attrib = (Attribute) authenticatedAttributes.elementAt(i);
        if (attrib.getType().equals(CONTENT_TYPE)) {
            // content-type.  Compare with what was passed in.
            SET vals = attrib.getValues();
            if (vals.size() != 1) {
                throw new SignatureException("Content-Type attribute " + " does not have exactly one value");
            }
            ASN1Value val = vals.elementAt(0);
            OBJECT_IDENTIFIER ctype;
            try {
                if (val instanceof OBJECT_IDENTIFIER) {
                    ctype = (OBJECT_IDENTIFIER) val;
                } else if (val instanceof ANY) {
                    ctype = (OBJECT_IDENTIFIER) ((ANY) val).decodeWith(OBJECT_IDENTIFIER.getTemplate());
                } else {
                    // what the heck is it? not what it's supposed to be
                    throw new InvalidBERException("Content-Type authenticated attribute has unexpected" + " content type");
                }
            } catch (InvalidBERException e) {
                throw new SignatureException("Content-Type authenticated attribute does not have " + "OBJECT IDENTIFIER value");
            }
            // contentType parameter
            if (!ctype.equals(contentType)) {
                throw new SignatureException("Content-type in authenticated attributes does not " + "match content-type being verified");
            }
            // content type is A-OK
            foundContentType = true;
        } else if (attrib.getType().equals(MESSAGE_DIGEST)) {
            SET vals = attrib.getValues();
            if (vals.size() != 1) {
                throw new SignatureException("Message-digest attribute does not have" + " exactly one value");
            }
            ASN1Value val = vals.elementAt(0);
            byte[] mdigest;
            try {
                if (val instanceof OCTET_STRING) {
                    mdigest = ((OCTET_STRING) val).toByteArray();
                } else if (val instanceof ANY) {
                    OCTET_STRING os;
                    os = (OCTET_STRING) ((ANY) val).decodeWith(OCTET_STRING.getTemplate());
                    mdigest = os.toByteArray();
                } else {
                    // what the heck is it? not what it's supposed to be
                    throw new InvalidBERException("Content-Type authenticated attribute has unexpected" + " content type");
                }
            } catch (InvalidBERException e) {
                throw new SignatureException("Message-digest attribute does not" + " have OCTET STRING value");
            }
            // message digest being verified
            if (!byteArraysAreSame(mdigest, messageDigest)) {
                throw new SignatureException("Message-digest attribute does not" + " match message digest being verified");
            }
            // message digest is A-OK
            foundMessageDigest = true;
        }
    // we don't care about other attributes
    }
    if (!foundContentType) {
        throw new SignatureException("Authenticated attributes does not contain" + " PKCS #9 content-type attribute");
    }
    if (!foundMessageDigest) {
        throw new SignatureException("Authenticate attributes does not contain" + " PKCS #9 message-digest attribute");
    }
    SignatureAlgorithm sigAlg = SignatureAlgorithm.fromOID(digestEncryptionAlgorithm.getOID());
    // All the authenticated attributes are present and correct.
    // Now verify the signature.
    CryptoToken token = CryptoManager.getInstance().getInternalCryptoToken();
    Signature sig = token.getSignatureContext(sigAlg);
    sig.initVerify(pubkey);
    // verify the contents octets of the DER encoded authenticated attribs
    byte[] toBeDigested;
    toBeDigested = ASN1Util.encode(authenticatedAttributes);
    MessageDigest md = MessageDigest.getInstance(DigestAlgorithm.fromOID(digestAlgorithm.getOID()).toString());
    byte[] digest = md.digest(toBeDigested);
    byte[] toBeVerified;
    if (sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature) {
        // create DigestInfo structure
        SEQUENCE digestInfo = new SEQUENCE();
        digestInfo.addElement(new AlgorithmIdentifier(digestAlgorithm.getOID(), null));
        digestInfo.addElement(new OCTET_STRING(digest));
        toBeVerified = ASN1Util.encode(digestInfo);
    } else {
        toBeVerified = digest;
    }
    sig.update(toBeVerified);
    if (!sig.verify(encryptedDigest.toByteArray())) {
        // signature is invalid
        throw new SignatureException("encryptedDigest was not the correct" + " signature of the contents octets of the DER-encoded" + " authenticated attributes");
    }
// SUCCESSFULLY VERIFIED
}
Also used : SET(org.mozilla.jss.asn1.SET) CryptoToken(org.mozilla.jss.crypto.CryptoToken) OBJECT_IDENTIFIER(org.mozilla.jss.asn1.OBJECT_IDENTIFIER) SignatureAlgorithm(org.mozilla.jss.crypto.SignatureAlgorithm) SignatureException(java.security.SignatureException) ANY(org.mozilla.jss.asn1.ANY) AlgorithmIdentifier(org.mozilla.jss.pkix.primitive.AlgorithmIdentifier) InvalidBERException(org.mozilla.jss.asn1.InvalidBERException) ASN1Value(org.mozilla.jss.asn1.ASN1Value) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) Signature(org.mozilla.jss.crypto.Signature) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) MessageDigest(java.security.MessageDigest)

Example 8 with OBJECT_IDENTIFIER

use of org.mozilla.jss.asn1.OBJECT_IDENTIFIER in project jss by dogtagpki.

the class SignerInfo method verifyWithoutSignedAttributes.

/**
 * Verifies that the message digest passed in, when encrypted with the
 * given public key, matches the encrypted digest in the SignerInfo.
 */
private void verifyWithoutSignedAttributes(byte[] messageDigest, OBJECT_IDENTIFIER contentType, PublicKey pubkey) throws NotInitializedException, NoSuchAlgorithmException, InvalidKeyException, TokenException, SignatureException {
    if (!contentType.equals(ContentInfo.DATA)) {
        // to go into signedAttributes.
        throw new SignatureException("Content-Type is not DATA, but there are" + " no signed attributes");
    }
    SignatureAlgorithm sigAlg = SignatureAlgorithm.fromOID(digestEncryptionAlgorithm.getOID());
    CryptoToken token = CryptoManager.getInstance().getInternalCryptoToken();
    Signature sig;
    byte[] toBeVerified;
    if (sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature) {
        // create DigestInfo structure
        SEQUENCE digestInfo = createDigestInfo(messageDigest, false);
        toBeVerified = ASN1Util.encode(digestInfo);
        sig = token.getSignatureContext(sigAlg.getRawAlg());
    } else {
        toBeVerified = messageDigest;
        sig = token.getSignatureContext(sigAlg);
    }
    sig.initVerify(pubkey);
    sig.update(toBeVerified);
    if (sig.verify(encryptedDigest.toByteArray())) {
        // success
        return;
    } else {
        throw new SignatureException("Encrypted message digest parameter does not " + "match encrypted digest in SignerInfo");
    }
}
Also used : CryptoToken(org.mozilla.jss.crypto.CryptoToken) Signature(org.mozilla.jss.crypto.Signature) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) SignatureAlgorithm(org.mozilla.jss.crypto.SignatureAlgorithm) SignatureException(java.security.SignatureException)

Example 9 with OBJECT_IDENTIFIER

use of org.mozilla.jss.asn1.OBJECT_IDENTIFIER in project jss by dogtagpki.

the class EC method decodeNSSOID.

public static ECParameterSpec decodeNSSOID(byte[] data) {
    int offset = 0;
    if (data[offset] == 0x00) {
        offset += 1;
    }
    ASN1Value value;
    try {
        value = ASN1Util.decode(OBJECT_IDENTIFIER.getTemplate(), Arrays.copyOfRange(data, offset, data.length));
        if (!(value instanceof OBJECT_IDENTIFIER)) {
            throw new RuntimeException("Unrecognized byte data: " + Utils.HexEncode(data));
        }
    } catch (Exception e) {
        throw new RuntimeException(e.getMessage() + "\nData: " + Utils.HexEncode(data), e);
    }
    OBJECT_IDENTIFIER oid = (OBJECT_IDENTIFIER) value;
    ECCurve curve = ECCurve.fromOID(oid);
    if (curve == null) {
        throw new RuntimeException("Unrecognized curve: " + Utils.HexEncode(data) + " == OID " + oid);
    }
    return curve.getECParameterSpec();
}
Also used : ASN1Value(org.mozilla.jss.asn1.ASN1Value) OBJECT_IDENTIFIER(org.mozilla.jss.asn1.OBJECT_IDENTIFIER) ECPoint(java.security.spec.ECPoint)

Example 10 with OBJECT_IDENTIFIER

use of org.mozilla.jss.asn1.OBJECT_IDENTIFIER in project jss by dogtagpki.

the class PKCS12Util method getCertInfos.

public void getCertInfos(PKCS12 pkcs12, PFX pfx, Password password) throws Exception {
    logger.debug("Loading certificates:");
    AuthenticatedSafes safes = pfx.getAuthSafes();
    for (int i = 0; i < safes.getSize(); i++) {
        SEQUENCE contents = safes.getSafeContentsAt(password, i);
        for (int j = 0; j < contents.size(); j++) {
            SafeBag bag = (SafeBag) contents.elementAt(j);
            OBJECT_IDENTIFIER oid = bag.getBagType();
            if (!oid.equals(SafeBag.CERT_BAG))
                continue;
            logger.debug(" - Certificate:");
            PKCS12CertInfo certInfo = getCertInfo(bag);
            pkcs12.addCertInfo(certInfo, true);
        }
    }
}
Also used : SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) OBJECT_IDENTIFIER(org.mozilla.jss.asn1.OBJECT_IDENTIFIER) SafeBag(org.mozilla.jss.pkcs12.SafeBag) AuthenticatedSafes(org.mozilla.jss.pkcs12.AuthenticatedSafes)

Aggregations

OBJECT_IDENTIFIER (org.mozilla.jss.asn1.OBJECT_IDENTIFIER)14 SEQUENCE (org.mozilla.jss.asn1.SEQUENCE)10 OCTET_STRING (org.mozilla.jss.asn1.OCTET_STRING)8 ByteArrayInputStream (java.io.ByteArrayInputStream)4 SignatureException (java.security.SignatureException)4 ANY (org.mozilla.jss.asn1.ANY)4 SET (org.mozilla.jss.asn1.SET)4 CryptoToken (org.mozilla.jss.crypto.CryptoToken)4 Signature (org.mozilla.jss.crypto.Signature)4 SignatureAlgorithm (org.mozilla.jss.crypto.SignatureAlgorithm)4 ASN1Value (org.mozilla.jss.asn1.ASN1Value)3 InvalidBERException (org.mozilla.jss.asn1.InvalidBERException)3 Extension (org.mozilla.jss.pkix.cert.Extension)3 AlgorithmIdentifier (org.mozilla.jss.pkix.primitive.AlgorithmIdentifier)3 Attribute (org.mozilla.jss.pkix.primitive.Attribute)3 BMPString (org.mozilla.jss.asn1.BMPString)2 BOOLEAN (org.mozilla.jss.asn1.BOOLEAN)2 PrintableString (org.mozilla.jss.asn1.PrintableString)2 AuthenticatedSafes (org.mozilla.jss.pkcs12.AuthenticatedSafes)2 SafeBag (org.mozilla.jss.pkcs12.SafeBag)2