Example usage for org.bouncycastle.asn1.cms CMSObjectIdentifiers id_ri_ocsp_response

List of usage examples for org.bouncycastle.asn1.cms CMSObjectIdentifiers id_ri_ocsp_response

Introduction

This page lists example usages of org.bouncycastle.asn1.cms CMSObjectIdentifiers id_ri_ocsp_response.

Prototype

ASN1ObjectIdentifier id_ri_ocsp_response


Document

1.3.6.1.5.5.7.16.2

Usage

From source file:eu.europa.ec.markt.dss.signature.cades.CAdESLevelBaselineLT.java

License:Open Source License

/**
 * Adds the certificates and revocation data needed for the LT level to an existing
 * CMS SignedData and rebuilds it.
 *
 * <p>The certificates and CRLs already carried by the SignedData are kept and merged with
 * those the validation context selects for inclusion. The id-pkix-ocsp-basic store is
 * extended the same way with the selected BasicOCSPResponses; the id-ri-ocsp-response
 * store and the attribute certificates are carried over untouched. Nothing is verified
 * here: which revocation data ends up in the signature is decided entirely by the
 * validation context built from {@code certificateVerifier}.
 *
 * @param cmsSignedData     the SignedData to extend
 * @param signerInformation the signer whose signature is extended
 * @param parameters        signing parameters; only the detached content is used here
 * @return the regenerated SignedData holding the merged stores
 */
protected CMSSignedData postExtendCMSSignedData(CMSSignedData cmsSignedData,
        SignerInformation signerInformation, SignatureParameters parameters) {
    final CAdESSignature cadesSignature = new CAdESSignature(cmsSignedData, signerInformation);
    cadesSignature.setDetachedContents(parameters.getDetachedContent());
    final ValidationContext validationContext = cadesSignature
            .getSignatureValidationContext(certificateVerifier);

    // Stores as currently carried by the SignedData.
    final Store existingCertificates = cmsSignedData.getCertificates();
    final Store attributeCertificatesStore = cmsSignedData.getAttributeCertificates();
    final Store existingCrls = cmsSignedData.getCRLs();
    final Store existingBasicOcsp = cmsSignedData
            .getOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic);
    final Store ocspResponseStore = cmsSignedData
            .getOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response);

    // Certificates: what is already there plus what the validation context wants included.
    final Set<CertificateToken> tokensToInclude = cadesSignature.getCertificatesForInclusion(validationContext);
    final Collection<X509CertificateHolder> mergedCertificates = new HashSet<X509CertificateHolder>(
            existingCertificates.getMatches(null));
    for (final CertificateToken token : tokensToInclude) {
        mergedCertificates.add(DSSUtils.getX509CertificateHolder(token));
    }
    final Store certificatesStore = new CollectionStore(mergedCertificates);

    // CRLs and BasicOCSPResponses: same merge, driven by the revocation data selected for inclusion.
    final DefaultAdvancedSignature.RevocationDataForInclusion revocationData = cadesSignature
            .getRevocationDataForInclusion(validationContext);
    final Collection<X509CRLHolder> mergedCrls = new HashSet<X509CRLHolder>(existingCrls.getMatches(null));
    for (final CRLToken crlToken : revocationData.crlTokens) {
        mergedCrls.add(crlToken.getX509CrlHolder());
    }
    final Store crlsStore = new CollectionStore(mergedCrls);

    final Collection<ASN1Primitive> mergedBasicOcsp = new HashSet<ASN1Primitive>(
            existingBasicOcsp.getMatches(null));
    for (final OCSPToken ocspToken : revocationData.ocspTokens) {
        // Re-encode so the store holds ASN.1 primitives, like the existing entries.
        mergedBasicOcsp.add(DSSASN1Utils.toASN1Primitive(DSSUtils.getEncoded(ocspToken.getBasicOCSPResp())));
    }
    final Store basicOcspStore = new CollectionStore(mergedBasicOcsp);

    final CMSSignedDataBuilder builder = new CMSSignedDataBuilder(certificateVerifier);
    return builder.regenerateCMSSignedData(cmsSignedData, parameters, certificatesStore,
            attributeCertificatesStore, crlsStore, basicOcspStore, ocspResponseStore);
}

From source file:eu.europa.ec.markt.dss.signature.cades.CMSSignedDataBuilder.java

License:Open Source License

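/**
 * Creates the BouncyCastle generator that signs the document and adds the required signed and
 * unsigned CMS attributes.
 *
 * <p>Note: section 5.1 of RFC 3852 [4] requires that the CMS SignedData version be set to 3 if
 * certificates from SignedData are present AND (any version 1 attribute certificates are present
 * OR any SignerInfo structures are version 3 OR eContentType from encapContentInfo is other than
 * id-data). Otherwise the CMS SignedData version is required to be set to 1.
 * ---> The CMS SignedData version is handled automatically by BouncyCastle.
 *
 * <p>When {@code originalSignedData} is given (extension of an existing signature), its signers,
 * attribute certificates, CRLs, both OCSP stores (id-pkix-ocsp-basic and id-ri-ocsp-response)
 * and certificates are copied into the generator next to the new signer. The certificate store
 * of the generator is built from the original certificates plus the chain given in the
 * parameters; it is a set, so duplicates are collapsed.
 *
 * @param parameters                 set of the driving signing parameters
 * @param contentSigner              the ContentSigner producing the hash of the data to be signed
 * @param signerInfoGeneratorBuilder the builder used to produce the SignerInfoGenerator for the
 *                                   signing certificate
 * @param originalSignedData         the original signed data if extending an existing signature,
 *                                   {@code null} otherwise
 * @return the BouncyCastle signed data generator which will sign the document and add the
 *         required signed and unsigned CMS attributes
 * @throws eu.europa.ec.markt.dss.exception.DSSException wrapping the underlying CMS or operator
 *         creation failure
 */
protected CMSSignedDataGenerator createCMSSignedDataGenerator(final SignatureParameters parameters,
        final ContentSigner contentSigner, final SignerInfoGeneratorBuilder signerInfoGeneratorBuilder,
        final CMSSignedData originalSignedData) throws DSSException {
    try {
        final X509Certificate signingCertificate = parameters.getSigningCertificate();
        final CMSSignedDataGenerator generator = new CMSSignedDataGenerator();

        // The new signer is always added, whether or not an existing signature is extended.
        final X509CertificateHolder certHolder = DSSUtils.getX509CertificateHolder(signingCertificate);
        final SignerInfoGenerator signerInfoGenerator = signerInfoGeneratorBuilder.build(contentSigner,
                certHolder);
        generator.addSignerInfoGenerator(signerInfoGenerator);

        final Set<X509Certificate> newCertificateChain = new HashSet<X509Certificate>();
        if (originalSignedData != null) {
            // Carry everything the existing SignedData already holds.
            generator.addSigners(originalSignedData.getSignerInfos());
            generator.addAttributeCertificates(originalSignedData.getAttributeCertificates());
            generator.addCRLs(originalSignedData.getCRLs());
            generator.addOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic,
                    originalSignedData.getOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic));
            generator.addOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response,
                    originalSignedData.getOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response));

            final Store certificates = originalSignedData.getCertificates();
            final Collection<X509CertificateHolder> certificatesMatches = certificates.getMatches(null);
            for (final X509CertificateHolder certificatesMatch : certificatesMatches) {
                newCertificateChain.add(DSSUtils.getCertificate(certificatesMatch));
            }
        }
        final List<X509Certificate> certificateChain = parameters.getCertificateChain();
        newCertificateChain.addAll(certificateChain);
        final Store jcaCertStore = getJcaCertStore(signingCertificate, newCertificateChain);
        generator.addCertificates(jcaCertStore);
        return generator;
    } catch (CMSException e) {
        throw new DSSException(e);
    } catch (OperatorCreationException e) {
        throw new DSSException(e);
    }
}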

From source file:eu.europa.ec.markt.dss.signature.cades.CMSSignedDataBuilder.java

License:Open Source License

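/**
 * Rebuilds a CMS SignedData from its existing signers and the given stores.
 *
 * <p>The signers of {@code cmsSignedData} are reused as they are (no re-signing happens), and the
 * certificate, attribute certificate, CRL and both OCSP stores passed in replace the ones of the
 * original. If the original carries encapsulated content that content is re-encapsulated;
 * otherwise the detached content from {@code parameters} is read and signed in detached mode.
 *
 * @param cmsSignedData                      the SignedData whose signers are reused
 * @param parameters                         supplies the detached content when the data is not encapsulated
 * @param certificatesStore                  certificates to embed
 * @param attributeCertificatesStore         attribute certificates to embed
 * @param crlsStore                          CRLs to embed
 * @param otherRevocationInfoFormatStoreBasic BasicOCSPResponse values (id-pkix-ocsp-basic)
 * @param otherRevocationInfoFormatStoreOcsp  OCSPResponse values (id-ri-ocsp-response)
 * @return the regenerated SignedData
 * @throws DSSException wrapping a CMSException from BouncyCastle
 */
protected CMSSignedData regenerateCMSSignedData(CMSSignedData cmsSignedData, SignatureParameters parameters,
        Store certificatesStore, Store attributeCertificatesStore, Store crlsStore,
        Store otherRevocationInfoFormatStoreBasic, Store otherRevocationInfoFormatStoreOcsp) {
    try {
        final CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        generator.addSigners(cmsSignedData.getSignerInfos());
        generator.addAttributeCertificates(attributeCertificatesStore);
        generator.addCertificates(certificatesStore);
        generator.addCRLs(crlsStore);
        generator.addOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic,
                otherRevocationInfoFormatStoreBasic);
        generator.addOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response,
                otherRevocationInfoFormatStoreOcsp);

        final boolean encapsulate = cmsSignedData.getSignedContent() != null;
        if (encapsulate) {
            return generator.generate(cmsSignedData.getSignedContent(), encapsulate);
        }
        // Detached mode: read the external content. The stream is closed in a finally block so
        // it is released even when reading it fails (the original only closed it on success).
        final InputStream inputStream = parameters.getDetachedContent().openStream();
        final byte[] detachedBytes;
        try {
            detachedBytes = DSSUtils.toByteArray(inputStream);
        } finally {
            DSSUtils.closeQuietly(inputStream);
        }
        return generator.generate(new CMSProcessableByteArray(detachedBytes), encapsulate);
    } catch (CMSException e) {
        throw new DSSException(e);
    }
}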

From source file:eu.europa.ec.markt.dss.validation102853.cades.CAdESOCSPSource.java

License:Open Source License

/**
 * Collects every BasicOCSPResp embedded in the CAdES signature.
 *
 * <p>Three containers are read, in this order:
 * <ol>
 *   <li>the SignedData store for id-pkix-ocsp-basic (bare BasicOCSPResponse values);</li>
 *   <li>the SignedData store for id-ri-ocsp-response (full OCSPResponse values); only entries
 *       whose response object is a BasicOCSPResp are kept, other response types are skipped;</li>
 *   <li>the ocspVals of the unsigned revocation-values attribute (ETSI TS 101 733 V2.2.1,
 *       clause 6.3.4: used by CAdES-X Long, ES X-Long Type 1 and CAdES-X Long Type 2; only a
 *       single instance of the attribute shall occur, so only its first value is read).</li>
 * </ol>
 * The responses are returned as found; no signature or freshness check is done here.
 *
 * <p>TODO: the OtherRevVals of revocation-values are not read (their syntax is outside the scope
 * of TS 101 733 and identified by OtherRevRefType), nor is the PAdES adbe-revocationInfoArchival
 * attribute 1.2.840.113583.1.1.8 (PDF Reference 1.6, p. 698: RevocationInfoArchival with crl [0],
 * ocsp [1] and otherRevInfo [2]). Open question from 2013-12-03: are there other containers with
 * revocation data within the CAdES signature (e.g. time-stamps)?
 *
 * @return the BasicOCSPResps found, possibly empty
 * @throws DSSException if an OCSPResponse cannot be decoded into its response object
 */
@Override
public List<BasicOCSPResp> getContainedOCSPResponses() {
    final List<BasicOCSPResp> responses = new ArrayList<BasicOCSPResp>();

    // 1. BasicOCSPResponse values stored directly in the SignedData.
    final Store basicStore = cmsSignedData.getOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic);
    final Collection basicMatches = basicStore.getMatches(null);
    final ASN1Encodable[] basicValues = (ASN1Encodable[]) basicMatches
            .toArray(new ASN1Encodable[basicMatches.size()]);
    for (final ASN1Encodable basicValue : basicValues) {
        responses.add(new BasicOCSPResp(BasicOCSPResponse.getInstance(basicValue)));
    }

    // 2. Full OCSPResponse values stored in the SignedData.
    final Store responseStore = cmsSignedData.getOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response);
    final Collection responseMatches = responseStore.getMatches(null);
    final ASN1Encodable[] responseValues = (ASN1Encodable[]) responseMatches
            .toArray(new ASN1Encodable[responseMatches.size()]);
    for (final ASN1Encodable responseValue : responseValues) {
        final OCSPResp ocspResp = new OCSPResp(OCSPResponse.getInstance(responseValue));
        final Object responseObject;
        try {
            responseObject = ocspResp.getResponseObject();
        } catch (OCSPException e) {
            throw new DSSException(e);
        }
        if (responseObject instanceof BasicOCSPResp) {
            responses.add((BasicOCSPResp) responseObject);
        }
    }

    // 3. ocspVals of the unsigned revocation-values attribute, when a SignerInfo is available.
    if (signerInformation != null) {
        final AttributeTable unsignedAttributes = signerInformation.getUnsignedAttributes();
        final Attribute revocationValuesAttribute = unsignedAttributes == null ? null
                : unsignedAttributes.get(PKCSObjectIdentifiers.id_aa_ets_revocationValues);
        if (revocationValuesAttribute != null) {
            // RevocationValues ::= SEQUENCE { crlVals [0] ..., ocspVals [1] SEQUENCE OF
            // BasicOCSPResponse OPTIONAL, otherRevVals [2] ... }
            final ASN1Encodable firstValue = revocationValuesAttribute.getAttrValues().getObjectAt(0);
            final RevocationValues revocationValues = RevocationValues.getInstance(firstValue);
            for (final BasicOCSPResponse ocspVal : revocationValues.getOcspVals()) {
                responses.add(new BasicOCSPResp(ocspVal));
            }
        }
    }

    return responses;
}

From source file:eu.europa.ec.markt.dss.validation102853.cades.CAdESSignature.java

License:Open Source License

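/**
 * Checks whether the attributes and revocation data required by the given signature level are
 * present in this signature.
 *
 * <p>This is a presence check only: attributes are looked up by OID and revocation stores are
 * counted, nothing is validated. The {@code switch} falls through on purpose: each level
 * requires everything the lower levels require, so the cases are ordered from the highest level
 * downwards and each one only adds its own check. The BASELINE-specific cases are skipped for
 * the 101733 levels and vice versa via the {@code signatureLevel} tests inside the cases.
 *
 * <p>{@code info} is reset on every call and collects the CRL/OCSP counts found for the LT
 * level, so the caller can report why a check failed.
 *
 * @param signatureLevel the level to check against
 * @return {@code true} when every piece of data required by the level is found
 * @throws IllegalArgumentException for an unknown level
 */
public boolean isDataForSignatureLevelPresent(final SignatureLevel signatureLevel) {

    // Detail information collected during the check; reset for each call.
    info = new ArrayList<String>();

    final AttributeTable unsignedAttributes = getUnsignedAttributes(signerInformation);
    final AttributeTable signedAttributes = getSignedAttributes(signerInformation);
    boolean dataForProfilePresent = true;
    switch (signatureLevel) {
    case CAdES_BASELINE_LTA:
        dataForProfilePresent = unsignedAttributes.get(OID.id_aa_ets_archiveTimestampV3) != null;
        // break omitted purposely
    case CAdES_101733_A:
        if (signatureLevel != SignatureLevel.CAdES_BASELINE_LTA) {
            dataForProfilePresent &= unsignedAttributes.get(OID.id_aa_ets_archiveTimestampV2) != null;
        }
        // break omitted purposely
    case CAdES_BASELINE_LT:
        // LT needs at least one piece of revocation data in the SignedData, from any of the
        // three stores (CRLs, OCSPResponse, BasicOCSPResponse).
        final Store certificateStore = cmsSignedData.getCertificates();
        final Store crlStore = cmsSignedData.getCRLs();
        final Store ocspStore = cmsSignedData.getOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response);
        final Store ocspBasicStore = cmsSignedData
                .getOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic);
        final int certificateStoreSize = certificateStore.getMatches(null).size();
        final int crlStoreSize = crlStore.getMatches(null).size();
        info.add("CRL founds: " + crlStoreSize);
        final int ocspStoreSize = ocspStore.getMatches(null).size();
        info.add("OCSP founds: " + ocspStoreSize);
        final int basicOcspStoreSize = ocspBasicStore.getMatches(null).size();
        info.add("BasicOCSP founds: " + basicOcspStoreSize);
        final int ltInfoSize = crlStoreSize + ocspStoreSize + basicOcspStoreSize;
        dataForProfilePresent &= (ltInfoSize > 0);
        // break omitted purposely
    case CAdES_101733_X:
        if (!signatureLevel.toString().contains("BASELINE")) {
            dataForProfilePresent &= (unsignedAttributes
                    .get(PKCSObjectIdentifiers.id_aa_ets_certCRLTimestamp) != null
                    || unsignedAttributes.get(PKCSObjectIdentifiers.id_aa_ets_escTimeStamp) != null);
        }
        // break omitted purposely
    case CAdES_101733_C:
        if (!signatureLevel.toString().contains("BASELINE")) {
            dataForProfilePresent &= unsignedAttributes
                    .get(PKCSObjectIdentifiers.id_aa_ets_certificateRefs) != null;
            // The -T and -B requirements are checked by the fall-through below. The former
            // recursive call isDataForSignatureLevelPresent(CAdES_BASELINE_T) performed exactly
            // those two checks again and, because it reset info, threw away the CRL/OCSP
            // counts collected by the -LT case above.
        }
        // break omitted purposely
    case CAdES_BASELINE_T:
        dataForProfilePresent &= unsignedAttributes
                .get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken) != null;
        // break omitted purposely
    case CAdES_BASELINE_B:
        dataForProfilePresent &= ((signedAttributes.get(PKCSObjectIdentifiers.id_aa_signingCertificate) != null)
                || (signedAttributes.get(PKCSObjectIdentifiers.id_aa_signingCertificateV2) != null));
        break; // break placed purposely
    case CMS:
        dataForProfilePresent = true;
        break;
    default:
        throw new IllegalArgumentException("Unknown level " + signatureLevel);
    }
    return dataForProfilePresent;
}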

From source file:eu.europa.esig.dss.cades.signature.CAdESLevelBaselineLT.java

License:Open Source License

/**
 * Adds the certificates and revocation data needed for the LT level to an existing
 * CMS SignedData and rebuilds it.
 *
 * <p>Existing certificates and CRLs are merged with those the validation context selects for
 * inclusion, and the id-pkix-ocsp-basic store is extended with the selected BasicOCSPResponses.
 * The attribute certificates and the id-ri-ocsp-response store are carried over unchanged.
 * Nothing is verified here; which revocation data is embedded is decided by the validation
 * context built from {@code certificateVerifier}.
 *
 * @param cmsSignedData     the SignedData to extend
 * @param signerInformation the signer whose signature is extended
 * @param parameters        signing parameters; only the detached content is used here
 * @return the regenerated SignedData holding the merged stores
 */
@Override
protected CMSSignedData postExtendCMSSignedData(CMSSignedData cmsSignedData,
        SignerInformation signerInformation, CAdESSignatureParameters parameters) {
    final CAdESSignature cadesSignature = new CAdESSignature(cmsSignedData, signerInformation);
    cadesSignature.setDetachedContents(parameters.getDetachedContent());
    final ValidationContext validationContext = cadesSignature
            .getSignatureValidationContext(certificateVerifier);

    // Certificates: existing holders plus those selected for inclusion.
    final Store<X509CertificateHolder> existingCertificates = cmsSignedData.getCertificates();
    final Set<CertificateToken> tokensToInclude = cadesSignature.getCertificatesForInclusion(validationContext);
    final Collection<X509CertificateHolder> mergedCertificates = new HashSet<X509CertificateHolder>(
            existingCertificates.getMatches(null));
    for (final CertificateToken token : tokensToInclude) {
        mergedCertificates.add(DSSASN1Utils.getX509CertificateHolder(token));
    }
    final Store<X509CertificateHolder> certificatesStore = new CollectionStore<X509CertificateHolder>(
            mergedCertificates);

    // CRLs: existing holders plus the CRL tokens selected for inclusion.
    final Store<X509CRLHolder> existingCrls = cmsSignedData.getCRLs();
    final Collection<X509CRLHolder> mergedCrls = new HashSet<X509CRLHolder>(existingCrls.getMatches(null));
    final DefaultAdvancedSignature.RevocationDataForInclusion revocationData = cadesSignature
            .getRevocationDataForInclusion(validationContext);
    for (final CRLToken crlToken : revocationData.crlTokens) {
        mergedCrls.add(getX509CrlHolder(crlToken));
    }
    final Store<X509CRLHolder> crlsStore = new CollectionStore<X509CRLHolder>(mergedCrls);

    // BasicOCSPResponses (id-pkix-ocsp-basic): existing primitives plus the selected OCSP tokens,
    // re-encoded so the store keeps holding ASN.1 primitives.
    final Store existingBasicOcsp = cmsSignedData
            .getOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic);
    final Collection<ASN1Primitive> mergedBasicOcsp = new HashSet<ASN1Primitive>(
            existingBasicOcsp.getMatches(null));
    for (final OCSPToken ocspToken : revocationData.ocspTokens) {
        mergedBasicOcsp.add(DSSASN1Utils.toASN1Primitive(DSSASN1Utils.getEncoded(ocspToken.getBasicOCSPResp())));
    }
    final Store basicOcspStore = new CollectionStore(mergedBasicOcsp);

    // Carried over as they are.
    final Store attributeCertificatesStore = cmsSignedData.getAttributeCertificates();
    final Store ocspResponseStore = cmsSignedData
            .getOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response);

    final CMSSignedDataBuilder builder = new CMSSignedDataBuilder(certificateVerifier);
    return builder.regenerateCMSSignedData(cmsSignedData, parameters, certificatesStore,
            attributeCertificatesStore, crlsStore, basicOcspStore, ocspResponseStore);
}

From source file:eu.europa.esig.dss.cades.validation.CAdESOCSPSource.java

License:Open Source License

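/**
 * Adds to {@code basicOCSPResps} the BasicOCSPResps found in the SignedData store for
 * id-ri-ocsp-response.
 *
 * <p>That store is meant to hold OCSPResponse values, but BasicOCSPResponse values are
 * tolerated as well; the two are told apart by their element count:
 * OCSPResponse is SEQUENCE { responseStatus, responseBytes [0] OPTIONAL } (1 or 2 elements),
 * BasicOCSPResponse is SEQUENCE { tbsResponseData, signatureAlgorithm, signature,
 * certs [0] OPTIONAL } (3 or 4 elements). The previous test {@code size() == 4} sent a
 * BasicOCSPResponse without certs down the OCSPResponse path, where it cannot be decoded.
 * Entries that are not a DERSequence are logged and skipped. Responses are added as found;
 * no verification is done here.
 *
 * @param basicOCSPResps the list to add the responses to
 */
private void addBasicOcspRespFrom_id_ri_ocsp_response(final List<BasicOCSPResp> basicOCSPResps) {
    final Store otherRevocationInfo = cmsSignedData
            .getOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response);
    final Collection otherRevocationInfoMatches = otherRevocationInfo.getMatches(null);
    for (final Object object : otherRevocationInfoMatches) {
        if (object instanceof DERSequence) {
            final DERSequence otherRevocationInfoMatch = (DERSequence) object;
            final BasicOCSPResp basicOCSPResp;
            if (otherRevocationInfoMatch.size() >= 3) {
                // 3 or 4 elements: a bare BasicOCSPResponse (certs is OPTIONAL).
                basicOCSPResp = CMSUtils.getBasicOcspResp(otherRevocationInfoMatch);
            } else {
                // 1 or 2 elements: a full OCSPResponse wrapping the basic response.
                final OCSPResp ocspResp = CMSUtils.getOcspResp(otherRevocationInfoMatch);
                basicOCSPResp = CMSUtils.getBasicOCSPResp(ocspResp);
            }
            addBasicOcspResp(basicOCSPResps, basicOCSPResp);
        } else {
            logger.warn("Unsupported object type for id_ri_ocsp_response (SHALL be DER encoding) : "
                    + object.getClass().getSimpleName());
        }
    }
}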