Search in sources :

Example 1 with AttributeTypeAndValue

use of org.openecard.bouncycastle.asn1.x500.AttributeTypeAndValue in project OpenAttestation by OpenAttestation.

the class X509AttributeCertificate method valueOf.

/**
     *
     * @param encodedCertificate
     * @return
     */
@JsonCreator
public static X509AttributeCertificate valueOf(@JsonProperty("encoded") byte[] encodedCertificate) {
    X509AttributeCertificate result = new X509AttributeCertificate(encodedCertificate);
    X509AttributeCertificateHolder cert;
    try {
        cert = new X509AttributeCertificateHolder(encodedCertificate);
    } catch (IOException e) {
        throw new IllegalArgumentException(e);
    }
    // calls toString() on each X500Name so we get the default representation; we can do it ourselves for custom display;  output example: CN=Attr CA,OU=CPG,OU=DCSG,O=Intel,ST=CA,C=US
    log.debug("issuer: {}", StringUtils.join(cert.getIssuer().getNames(), "; "));
    // but expected to be only one
    result.issuer = StringUtils.join(cert.getIssuer().getNames(), "; ");
    // output example:   1
    log.debug("serial number: {}", cert.getSerialNumber().toString());
    result.serialNumber = cert.getSerialNumber();
    // output example:  2.25=#041092a71a228c174522a18bfd3ed3d00b39
    log.debug("holder: {}", StringUtils.join(cert.getHolder().getEntityNames(), ", "));
    // now let's get the UUID specifically out of this
    log.debug("holder has {} entity names", cert.getHolder().getEntityNames().length);
    for (X500Name entityName : cert.getHolder().getEntityNames()) {
        log.debug("holder entity name has {} rdns", entityName.getRDNs().length);
        for (RDN rdn : entityName.getRDNs()) {
            log.debug("entity rdn is multivalued? {}", rdn.isMultiValued());
            AttributeTypeAndValue attr = rdn.getFirst();
            if (attr.getType().toString().equals(OID.HOST_UUID)) {
                UUID uuid = UUID.valueOf(DEROctetString.getInstance(attr.getValue()).getOctets());
                log.debug("holder uuid: {}", uuid);
                // example: 33766a63-5c55-4461-8a84-5936577df450
                result.subject = uuid.toString();
            }
        }
    }
    // if we ddin't identify the UUID,  just display the subject same way we did the issuer... concat all the entity names. example: 2.25=#041033766a635c5544618a845936577df450  (notice that in the value, there's a #0410 prepended to the uuid 33766a635c5544618a845936577df450)
    if (result.subject == null) {
        result.subject = StringUtils.join(cert.getHolder().getEntityNames(), "; ");
    }
    // output example: Thu Aug 08 15:21:13 PDT 2013
    log.debug("not before: {}", cert.getNotBefore());
    // output example: Sun Sep 08 15:21:13 PDT 2013
    log.debug("not after: {}", cert.getNotAfter());
    result.notBefore = cert.getNotBefore();
    result.notAfter = cert.getNotAfter();
    Attribute[] attributes = cert.getAttributes();
    result.tags1 = new ArrayList<UTF8NameValueMicroformat>();
    result.tags2 = new ArrayList<UTF8NameValueSequence>();
    result.tagsOther = new ArrayList<ASN1Encodable>();
    for (Attribute attr : attributes) {
        log.debug("attr {} is {}", attr.hashCode(), attr.toString());
        result.attributes.add(attr);
        for (ASN1Encodable value : attr.getAttributeValues()) {
            //                result.tags.add(new AttributeOidAndValue(attr.getAttrType().toString(), DERUTF8String.getInstance(value).getString()));
            if (attr.getAttrType().toString().equals(UTF8NameValueMicroformat.OID)) {
                // our values are just UTF-8 strings  but if you use new String(value.getEncoded())  you will get two extra spaces at the beginning of the string                    
                log.debug("name-value microformat attribute: {}", DERUTF8String.getInstance(value).getString());
                UTF8NameValueMicroformat microformat = new UTF8NameValueMicroformat(DERUTF8String.getInstance(value));
                log.debug("name-value microformat attribute (2)  name {} value {}", microformat.getName(), microformat.getValue());
                result.tags1.add(microformat);
            } else if (attr.getAttrType().toString().equals(UTF8NameValueSequence.OID)) {
                UTF8NameValueSequence sequence = new UTF8NameValueSequence(ASN1Sequence.getInstance(value));
                String name = sequence.getName();
                List<String> values = sequence.getValues();
                log.debug("name-values asn.1 attribute {} values {}", name, values);
                result.tags2.add(sequence);
            } else {
                log.debug("unrecognzied attribute type {}", attr.getAttrType().toString());
                result.tagsOther.add(value);
            }
        /*
                 * output examples:
                 * attribute: 1.3.6.1.4.1.99999.1.1.1.1 is US
                 * attribute: 1.3.6.1.4.1.99999.2.2.2.2 is CA
                 * attribute: 1.3.6.1.4.1.99999.3.3.3.3 is Folsom
                 */
        }
    }
    log.debug("valueOf ok");
    return result;
}
Also used : Attribute(org.bouncycastle.asn1.x509.Attribute) X509AttributeCertificateHolder(org.bouncycastle.cert.X509AttributeCertificateHolder) IOException(java.io.IOException) X500Name(org.bouncycastle.asn1.x500.X500Name) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) AttributeTypeAndValue(org.bouncycastle.asn1.x500.AttributeTypeAndValue) ArrayList(java.util.ArrayList) List(java.util.List) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) UUID(com.intel.mtwilson.util.io.UUID) RDN(org.bouncycastle.asn1.x500.RDN) JsonCreator(org.codehaus.jackson.annotate.JsonCreator)

Example 2 with AttributeTypeAndValue

use of org.openecard.bouncycastle.asn1.x500.AttributeTypeAndValue in project OpenAttestation by OpenAttestation.

the class X509AttrBuilder method subjectUuid.

/*
     public X509AttrBuilder subjectName(sun.security.x509.X500Name subjectName) {
     return subjectName(subjectName.getRFC2253Name());
     }
     */
public X509AttrBuilder subjectUuid(UUID uuid) {
    DEROctetString uuidText = new DEROctetString(uuid.toByteArray().getBytes());
    ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier(OID.HOST_UUID);
    AttributeTypeAndValue attr = new AttributeTypeAndValue(oid, uuidText);
    RDN rdn = new RDN(attr);
    subjectName = new X500Name(new RDN[] { rdn });
    return this;
}
Also used : X500Name(org.bouncycastle.asn1.x500.X500Name) RDN(org.bouncycastle.asn1.x500.RDN) DEROctetString(org.bouncycastle.asn1.DEROctetString) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) AttributeTypeAndValue(org.bouncycastle.asn1.x500.AttributeTypeAndValue)

Example 3 with AttributeTypeAndValue

use of org.openecard.bouncycastle.asn1.x500.AttributeTypeAndValue in project j2objc by google.

the class JarUtils method verifySignature.

/**
     * This method handle all the work with  PKCS7, ASN1 encoding, signature verifying,
     * and certification path building.
     * See also PKCS #7: Cryptographic Message Syntax Standard:
     * http://www.ietf.org/rfc/rfc2315.txt
     * @param signature - the input stream of signature file to be verified
     * @param signatureBlock - the input stream of corresponding signature block file
     * @return array of certificates used to verify the signature file
     * @throws IOException - if some errors occurs during reading from the stream
     * @throws GeneralSecurityException - if signature verification process fails
     */
public static Certificate[] verifySignature(InputStream signature, InputStream signatureBlock) throws IOException, GeneralSecurityException {
    BerInputStream bis = new BerInputStream(signatureBlock);
    ContentInfo info = (ContentInfo) ContentInfo.ASN1.decode(bis);
    SignedData signedData = info.getSignedData();
    if (signedData == null) {
        throw new IOException("No SignedData found");
    }
    Collection<org.apache.harmony.security.x509.Certificate> encCerts = signedData.getCertificates();
    if (encCerts.isEmpty()) {
        return null;
    }
    X509Certificate[] certs = new X509Certificate[encCerts.size()];
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    int i = 0;
    for (org.apache.harmony.security.x509.Certificate encCert : encCerts) {
        final byte[] encoded = encCert.getEncoded();
        final InputStream is = new ByteArrayInputStream(encoded);
        certs[i++] = new VerbatimX509Certificate((X509Certificate) cf.generateCertificate(is), encoded);
    }
    List<SignerInfo> sigInfos = signedData.getSignerInfos();
    SignerInfo sigInfo;
    if (!sigInfos.isEmpty()) {
        sigInfo = sigInfos.get(0);
    } else {
        return null;
    }
    // Issuer
    X500Principal issuer = sigInfo.getIssuer();
    // Certificate serial number
    BigInteger snum = sigInfo.getSerialNumber();
    // Locate the certificate
    int issuerSertIndex = 0;
    for (i = 0; i < certs.length; i++) {
        if (issuer.equals(certs[i].getIssuerDN()) && snum.equals(certs[i].getSerialNumber())) {
            issuerSertIndex = i;
            break;
        }
    }
    if (i == certs.length) {
        // No issuer certificate found
        return null;
    }
    if (certs[issuerSertIndex].hasUnsupportedCriticalExtension()) {
        throw new SecurityException("Can not recognize a critical extension");
    }
    // Get Signature instance
    final String daOid = sigInfo.getDigestAlgorithm();
    final String daName = sigInfo.getDigestAlgorithmName();
    final String deaOid = sigInfo.getDigestEncryptionAlgorithm();
    final String deaName = sigInfo.getDigestEncryptionAlgorithmName();
    String alg = null;
    Signature sig = null;
    if (daOid != null && deaOid != null) {
        alg = daOid + "with" + deaOid;
        try {
            sig = Signature.getInstance(alg);
        } catch (NoSuchAlgorithmException e) {
        }
        // Try to convert to names instead of OID.
        if (sig == null && daName != null && deaName != null) {
            alg = daName + "with" + deaName;
            try {
                sig = Signature.getInstance(alg);
            } catch (NoSuchAlgorithmException e) {
            }
        }
    }
    if (sig == null && deaOid != null) {
        alg = deaOid;
        try {
            sig = Signature.getInstance(alg);
        } catch (NoSuchAlgorithmException e) {
        }
        if (sig == null) {
            alg = deaName;
            try {
                sig = Signature.getInstance(alg);
            } catch (NoSuchAlgorithmException e) {
            }
        }
    }
    // We couldn't find a valid Signature type.
    if (sig == null) {
        return null;
    }
    sig.initVerify(certs[issuerSertIndex]);
    // If the authenticatedAttributes field of SignerInfo contains more than zero attributes,
    // compute the message digest on the ASN.1 DER encoding of the Attributes value.
    // Otherwise, compute the message digest on the data.
    List<AttributeTypeAndValue> atr = sigInfo.getAuthenticatedAttributes();
    byte[] sfBytes = new byte[signature.available()];
    signature.read(sfBytes);
    if (atr == null) {
        sig.update(sfBytes);
    } else {
        sig.update(sigInfo.getEncodedAuthenticatedAttributes());
        // If the authenticatedAttributes field contains the message-digest attribute,
        // verify that it equals the computed digest of the signature file
        byte[] existingDigest = null;
        for (AttributeTypeAndValue a : atr) {
            if (Arrays.equals(a.getType().getOid(), MESSAGE_DIGEST_OID)) {
                if (existingDigest != null) {
                    throw new SecurityException("Too many MessageDigest attributes");
                }
                Collection<?> entries = a.getValue().getValues(ASN1OctetString.getInstance());
                if (entries.size() != 1) {
                    throw new SecurityException("Too many values for MessageDigest attribute");
                }
                existingDigest = (byte[]) entries.iterator().next();
            }
        }
        // must have a message-digest attribute.
        if (existingDigest == null) {
            throw new SecurityException("Missing MessageDigest in Authenticated Attributes");
        }
        MessageDigest md = null;
        if (daOid != null) {
            md = MessageDigest.getInstance(daOid);
        }
        if (md == null && daName != null) {
            md = MessageDigest.getInstance(daName);
        }
        if (md == null) {
            return null;
        }
        byte[] computedDigest = md.digest(sfBytes);
        if (!Arrays.equals(existingDigest, computedDigest)) {
            throw new SecurityException("Incorrect MD");
        }
    }
    if (!sig.verify(sigInfo.getEncryptedDigest())) {
        throw new SecurityException("Incorrect signature");
    }
    return createChain(certs[issuerSertIndex], certs);
}
Also used : ASN1OctetString(org.apache.harmony.security.asn1.ASN1OctetString) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CertificateFactory(java.security.cert.CertificateFactory) ContentInfo(org.apache.harmony.security.pkcs7.ContentInfo) BerInputStream(org.apache.harmony.security.asn1.BerInputStream) MessageDigest(java.security.MessageDigest) SignedData(org.apache.harmony.security.pkcs7.SignedData) BerInputStream(org.apache.harmony.security.asn1.BerInputStream) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) GeneralSecurityException(java.security.GeneralSecurityException) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) AttributeTypeAndValue(org.apache.harmony.security.x501.AttributeTypeAndValue) SignerInfo(org.apache.harmony.security.pkcs7.SignerInfo) ByteArrayInputStream(java.io.ByteArrayInputStream) Signature(java.security.Signature) X500Principal(javax.security.auth.x500.X500Principal) BigInteger(java.math.BigInteger) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 4 with AttributeTypeAndValue

use of org.openecard.bouncycastle.asn1.x500.AttributeTypeAndValue in project XobotOS by xamarin.

the class DNParser method parse.

/**
     * Parses DN
     *
     * @return a list of Relative Distinguished Names(RND),
     *         each RDN is represented as a list of AttributeTypeAndValue objects
     */
public List<List<AttributeTypeAndValue>> parse() throws IOException {
    List<List<AttributeTypeAndValue>> list = new ArrayList<List<AttributeTypeAndValue>>();
    String attType = nextAT();
    if (attType == null) {
        //empty list of RDNs
        return list;
    }
    List<AttributeTypeAndValue> atav = new ArrayList<AttributeTypeAndValue>();
    while (true) {
        if (pos == chars.length) {
            //empty Attribute Value
            atav.add(new AttributeTypeAndValue(attType, new AttributeValue("", false)));
            list.add(0, atav);
            return list;
        }
        switch(chars[pos]) {
            case '"':
                atav.add(new AttributeTypeAndValue(attType, new AttributeValue(quotedAV(), hasQE)));
                break;
            case '#':
                atav.add(new AttributeTypeAndValue(attType, new AttributeValue(hexAV(), encoded)));
                break;
            case '+':
            case ',':
            case // compatibility with RFC 1779: semicolon can separate RDNs
            ';':
                //empty attribute value
                atav.add(new AttributeTypeAndValue(attType, new AttributeValue("", false)));
                break;
            default:
                atav.add(new AttributeTypeAndValue(attType, new AttributeValue(escapedAV(), hasQE)));
        }
        if (pos >= chars.length) {
            list.add(0, atav);
            return list;
        }
        if (chars[pos] == ',' || chars[pos] == ';') {
            list.add(0, atav);
            atav = new ArrayList<AttributeTypeAndValue>();
        } else if (chars[pos] != '+') {
            throw new IOException("Invalid distinguished name string");
        }
        pos++;
        attType = nextAT();
        if (attType == null) {
            throw new IOException("Invalid distinguished name string");
        }
    }
}
Also used : AttributeValue(org.apache.harmony.security.x501.AttributeValue) ArrayList(java.util.ArrayList) List(java.util.List) ArrayList(java.util.ArrayList) IOException(java.io.IOException) AttributeTypeAndValue(org.apache.harmony.security.x501.AttributeTypeAndValue)

Example 5 with AttributeTypeAndValue

use of org.openecard.bouncycastle.asn1.x500.AttributeTypeAndValue in project robovm by robovm.

the class JarUtils method verifySignature.

/**
     * This method handle all the work with  PKCS7, ASN1 encoding, signature verifying,
     * and certification path building.
     * See also PKCS #7: Cryptographic Message Syntax Standard:
     * http://www.ietf.org/rfc/rfc2315.txt
     * @param signature - the input stream of signature file to be verified
     * @param signatureBlock - the input stream of corresponding signature block file
     * @return array of certificates used to verify the signature file
     * @throws IOException - if some errors occurs during reading from the stream
     * @throws GeneralSecurityException - if signature verification process fails
     */
public static Certificate[] verifySignature(InputStream signature, InputStream signatureBlock) throws IOException, GeneralSecurityException {
    BerInputStream bis = new BerInputStream(signatureBlock);
    ContentInfo info = (ContentInfo) ContentInfo.ASN1.decode(bis);
    SignedData signedData = info.getSignedData();
    if (signedData == null) {
        throw new IOException("No SignedData found");
    }
    Collection<org.apache.harmony.security.x509.Certificate> encCerts = signedData.getCertificates();
    if (encCerts.isEmpty()) {
        return null;
    }
    X509Certificate[] certs = new X509Certificate[encCerts.size()];
    int i = 0;
    for (org.apache.harmony.security.x509.Certificate encCert : encCerts) {
        certs[i++] = new X509CertImpl(encCert);
    }
    List<SignerInfo> sigInfos = signedData.getSignerInfos();
    SignerInfo sigInfo;
    if (!sigInfos.isEmpty()) {
        sigInfo = sigInfos.get(0);
    } else {
        return null;
    }
    // Issuer
    X500Principal issuer = sigInfo.getIssuer();
    // Certificate serial number
    BigInteger snum = sigInfo.getSerialNumber();
    // Locate the certificate
    int issuerSertIndex = 0;
    for (i = 0; i < certs.length; i++) {
        if (issuer.equals(certs[i].getIssuerDN()) && snum.equals(certs[i].getSerialNumber())) {
            issuerSertIndex = i;
            break;
        }
    }
    if (i == certs.length) {
        // No issuer certificate found
        return null;
    }
    if (certs[issuerSertIndex].hasUnsupportedCriticalExtension()) {
        throw new SecurityException("Can not recognize a critical extension");
    }
    // Get Signature instance
    final String daOid = sigInfo.getDigestAlgorithm();
    final String daName = sigInfo.getDigestAlgorithmName();
    final String deaOid = sigInfo.getDigestEncryptionAlgorithm();
    String alg = null;
    Signature sig = null;
    if (daOid != null && deaOid != null) {
        alg = daOid + "with" + deaOid;
        try {
            sig = Signature.getInstance(alg);
        } catch (NoSuchAlgorithmException e) {
        }
        // Try to convert to names instead of OID.
        if (sig == null) {
            final String deaName = sigInfo.getDigestEncryptionAlgorithmName();
            alg = daName + "with" + deaName;
            try {
                sig = Signature.getInstance(alg);
            } catch (NoSuchAlgorithmException e) {
            }
        }
    }
    /*
         * TODO figure out the case in which we'd only use digestAlgorithm and
         * add a test for it.
         */
    if (sig == null && daOid != null) {
        alg = daOid;
        try {
            sig = Signature.getInstance(alg);
        } catch (NoSuchAlgorithmException e) {
        }
        if (sig == null && daName != null) {
            alg = daName;
            try {
                sig = Signature.getInstance(alg);
            } catch (NoSuchAlgorithmException e) {
            }
        }
    }
    // We couldn't find a valid Signature type.
    if (sig == null) {
        return null;
    }
    sig.initVerify(certs[issuerSertIndex]);
    // If the authenticatedAttributes field of SignerInfo contains more than zero attributes,
    // compute the message digest on the ASN.1 DER encoding of the Attributes value.
    // Otherwise, compute the message digest on the data.
    List<AttributeTypeAndValue> atr = sigInfo.getAuthenticatedAttributes();
    byte[] sfBytes = new byte[signature.available()];
    signature.read(sfBytes);
    if (atr == null) {
        sig.update(sfBytes);
    } else {
        sig.update(sigInfo.getEncodedAuthenticatedAttributes());
        // If the authenticatedAttributes field contains the message-digest attribute,
        // verify that it equals the computed digest of the signature file
        byte[] existingDigest = null;
        for (AttributeTypeAndValue a : atr) {
            if (Arrays.equals(a.getType().getOid(), MESSAGE_DIGEST_OID)) {
                if (existingDigest != null) {
                    throw new SecurityException("Too many MessageDigest attributes");
                }
                Collection<?> entries = a.getValue().getValues(ASN1OctetString.getInstance());
                if (entries.size() != 1) {
                    throw new SecurityException("Too many values for MessageDigest attribute");
                }
                existingDigest = (byte[]) entries.iterator().next();
            }
        }
        // message digest entry.
        if (existingDigest == null) {
            throw new SecurityException("Missing MessageDigest in Authenticated Attributes");
        }
        MessageDigest md = null;
        if (daOid != null) {
            md = MessageDigest.getInstance(daOid);
        }
        if (md == null && daName != null) {
            md = MessageDigest.getInstance(daName);
        }
        if (md == null) {
            return null;
        }
        byte[] computedDigest = md.digest(sfBytes);
        if (!Arrays.equals(existingDigest, computedDigest)) {
            throw new SecurityException("Incorrect MD");
        }
    }
    if (!sig.verify(sigInfo.getEncryptedDigest())) {
        throw new SecurityException("Incorrect signature");
    }
    return createChain(certs[issuerSertIndex], certs);
}
Also used : ASN1OctetString(org.apache.harmony.security.asn1.ASN1OctetString) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ContentInfo(org.apache.harmony.security.pkcs7.ContentInfo) X509CertImpl(org.apache.harmony.security.provider.cert.X509CertImpl) BerInputStream(org.apache.harmony.security.asn1.BerInputStream) MessageDigest(java.security.MessageDigest) SignedData(org.apache.harmony.security.pkcs7.SignedData) GeneralSecurityException(java.security.GeneralSecurityException) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) AttributeTypeAndValue(org.apache.harmony.security.x501.AttributeTypeAndValue) SignerInfo(org.apache.harmony.security.pkcs7.SignerInfo) Signature(java.security.Signature) X500Principal(javax.security.auth.x500.X500Principal) BigInteger(java.math.BigInteger) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Aggregations

AttributeTypeAndValue (org.bouncycastle.asn1.x500.AttributeTypeAndValue)13 RDN (org.bouncycastle.asn1.x500.RDN)12 IOException (java.io.IOException)8 ArrayList (java.util.ArrayList)8 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)7 X500Name (org.bouncycastle.asn1.x500.X500Name)7 AttributeTypeAndValue (org.apache.harmony.security.x501.AttributeTypeAndValue)6 BigInteger (java.math.BigInteger)5 List (java.util.List)5 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)5 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)5 GeneralSecurityException (java.security.GeneralSecurityException)3 MessageDigest (java.security.MessageDigest)3 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3 Signature (java.security.Signature)3 Certificate (java.security.cert.Certificate)3 X509Certificate (java.security.cert.X509Certificate)3 LinkedList (java.util.LinkedList)3 X500Principal (javax.security.auth.x500.X500Principal)3 BerInputStream (org.apache.harmony.security.asn1.BerInputStream)3