List of usage examples for org.bouncycastle.asn1.cms ContentInfo getContent
public ASN1Encodable getContent()
From source file:org.jscep.content.NextCaCertificateContentHandler.java
License:Open Source License
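/**
 * {@inheritDoc}
 *
 * <p>Accepts only the {@code application/x-x509-next-ca-cert} MIME type. The body is
 * parsed as a CMS/PKCS#7 SignedData, checked with
 * {@code SignedDataUtil.isSignedBy(sd, issuer)}, and every X.509 certificate found in
 * its certificate store is returned.
 *
 * @param in the response body to read.
 * @param mimeType the MIME type reported for the response; may be {@code null}.
 * @return the certificates carried in the SignedData.
 * @throws IOException if the MIME type is missing or unexpected, the signer check
 *         fails, or the message cannot be parsed.
 */
public List<X509Certificate> getContent(InputStream in, String mimeType) throws IOException {
    LOGGER.entering(getClass().getName(), "getContent", new Object[] { in, mimeType });

    // Constant-first comparison: a response without a Content-Type (null mimeType)
    // is rejected with the same IOException as any other unexpected type, instead
    // of escaping as a NullPointerException.
    if (!"application/x-x509-next-ca-cert".equals(mimeType)) {
        IOException ioe = new IOException("Invalid Content Type");
        LOGGER.throwing(getClass().getName(), "getContent", ioe);
        throw ioe;
    }

    // http://tools.ietf.org/html/draft-nourse-scep-20#section-4.6.1
    // The response consists of a SignedData PKCS#7 [RFC2315],
    // signed by the current CA (or RA) signing key.
    final List<X509Certificate> certs = new ArrayList<X509Certificate>();
    Collection<? extends Certificate> collection;
    try {
        CMSSignedData cmsMessageData = new CMSSignedData(getBytes(in));
        ContentInfo cmsContentInfo = ContentInfo
                .getInstance(ASN1Object.fromByteArray(cmsMessageData.getEncoded()));

        // TODO: This must be signed by the current CA.
        // NOTE(review): the certificates returned below become the next CA/RA
        // certificates, so this check is the only trust decision made here.
        // Confirm that isSignedBy verifies the signature value itself and does
        // not merely match the signer identifier against the issuer.
        final SignedData sd = SignedData.getInstance(cmsContentInfo.getContent());
        if (!SignedDataUtil.isSignedBy(sd, issuer)) {
            IOException ioe = new IOException("Invalid Signer");
            LOGGER.throwing(getClass().getName(), "getContent", ioe);
            throw ioe;
        }

        // The content of the SignedData PKCS#7 [RFC2315] is a degenerate
        // certificates-only Signed-data (Section 3.3) message containing the
        // new CA certificate and any new RA certificates, as defined in
        // Section 5.2.1.1.2, to be used when the current CA certificate
        // expires.
        CertStore store = SignedDataUtil.extractCertStore(sd);
        collection = store.getCertificates(new X509CertSelector());
    } catch (GeneralSecurityException e) {
        final IOException ioe = new IOException(e);
        LOGGER.throwing(getClass().getName(), "getContent", ioe);
        throw ioe;
    } catch (CMSException e) {
        final IOException ioe = new IOException(e);
        LOGGER.throwing(getClass().getName(), "getContent", ioe);
        throw ioe;
    }

    // The store was queried with an X509CertSelector, so each entry is expected
    // to be an X509Certificate.
    for (Certificate cert : collection) {
        certs.add((X509Certificate) cert);
    }

    LOGGER.exiting(getClass().getName(), "getContent", certs);
    return certs;
}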
From source file:org.jscep.pkcs7.SignedDataParser.java
License:Open Source License
/**
 * Reads the given ASN.1 object as a ContentInfo and wraps its content in a
 * SignedData instance.
 *
 * <p>Any failure while decoding (including a content that is not an ASN.1
 * sequence) is logged and rethrown as an {@link IOException} carrying the
 * original exception as its cause.
 *
 * @param signedData the ASN1 object to parse.
 * @return a new SignedData instance built from the ContentInfo content.
 * @throws IOException if the object cannot be decoded.
 */
public SignedData parse(ASN1Encodable signedData) throws IOException {
    final String className = getClass().getName();
    LOGGER.entering(className, "parse", signedData);

    final SignedData result;
    try {
        ContentInfo contentInfo = ContentInfo.getInstance(signedData);
        // The cast fails with ClassCastException for non-sequence content;
        // the broad catch below converts that into an IOException.
        result = new SignedData((ASN1Sequence) contentInfo.getContent());
        LOGGER.exiting(className, "parse", result);
    } catch (Exception e) {
        LOGGER.throwing(className, "parse", e);
        throw new IOException(e);
    }
    return result;
}
From source file:org.signserver.module.mrtdsodsigner.jmrtd.SODFile.java
License:Open Source License
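/**
 * Reads the security object (containing the hashes
 * of the data groups) found in the SOd on the passport.
 *
 * <p>The encapsulated content is decoded as an ASN.1 sequence; any further
 * object following it is only reported with a warning.
 *
 * @param signedData the SignedData structure holding the encapsulated security object
 * @return the security object
 *
 * @throws IllegalStateException if the encapsulated content cannot be read; the
 *         underlying {@link IOException} is attached as the cause
 */
private static LDSSecurityObject getSecurityObject(SignedData signedData) {
    try {
        ContentInfo contentInfo = signedData.getEncapContentInfo();
        // NOTE(review): both casts in this method throw ClassCastException when the
        // content is not the expected ASN.1 type; callers parsing untrusted SOd
        // data should be prepared for that unchecked exception.
        byte[] content = ((DEROctetString) contentInfo.getContent()).getOctets();
        ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream(content));
        try {
            LDSSecurityObject sod = new LDSSecurityObject((ASN1Sequence) in.readObject());
            Object nextObject = in.readObject();
            if (nextObject != null) {
                LOGGER.warning("extra object found after LDSSecurityObject...");
            }
            return sod;
        } finally {
            // Release the parser on every path, including decoding failures.
            in.close();
        }
    } catch (IOException ioe) {
        // Keep the cause so the actual decoding error is not lost.
        throw new IllegalStateException("Could not read security object in signedData", ioe);
    }
}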
From source file:org.signserver.module.mrtdsodsigner.jmrtd.SODFile.java
License:Open Source License
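/**
 * Gets the contents of the security object over which the
 * signature is to be computed.
 *
 * See RFC 3369, Cryptographic Message Syntax, August 2002,
 * Section 5.4 for details.
 *
 * <p>When signed attributes are present, the signature covers the attribute
 * set rather than the content, and the content is only bound to the signature
 * through the message-digest attribute. This method therefore recomputes the
 * digest of the content and fails if it cannot confirm that the attribute
 * matches. Earlier behaviour was to log a warning and return the attributes
 * regardless, which let a verifier accept a signature whose attributes do not
 * describe the accompanying content.
 *
 * @see #getDocSigningCertificate()
 * @see #getSignature()
 *
 * @param signedData the SignedData structure to read
 * @return the contents of the security object over which the
 *         signature is to be computed
 * @throws IOException if the attributes cannot be encoded, the message-digest
 *         attribute is missing or malformed, the digest algorithm is
 *         unavailable, or the stored digest does not match the content
 */
private static byte[] getEContent(SignedData signedData) throws IOException {
    SignerInfo signerInfo = getSignerInfo(signedData);
    ASN1Set signedAttributesSet = signerInfo.getAuthenticatedAttributes();

    ContentInfo contentInfo = signedData.getEncapContentInfo();
    byte[] contentBytes = ((DEROctetString) contentInfo.getContent()).getOctets();

    // The attribute set is optional, so treat an absent (null) set like an
    // empty one instead of dereferencing it.
    if (signedAttributesSet == null || signedAttributesSet.size() == 0) {
        /* Signed attributes absent, return content to be signed... */
        return contentBytes;
    }

    /* Signed attributes present (i.e. a structure containing a hash of the content), return that structure to be signed... */
    /* This option is taken by ICAO passports. */
    byte[] attributesBytes = signedAttributesSet.getEncoded();
    String digAlg = signerInfo.getDigestAlgorithm().getAlgorithm().getId();

    /* Check that the content actually digests to the hash value contained. */
    byte[] storedDigestedContent = null;
    Enumeration<?> attributes = signedAttributesSet.getObjects();
    while (attributes.hasMoreElements()) {
        Attribute attribute = Attribute.getInstance(attributes.nextElement());
        DERObjectIdentifier attrType = attribute.getAttrType();
        if (attrType.equals(RFC_3369_MESSAGE_DIGEST_OID)) {
            ASN1Set attrValuesSet = attribute.getAttrValues();
            // Reject anything but exactly one value; this also prevents indexing
            // into an empty value set.
            if (attrValuesSet.size() != 1) {
                throw new IOException(
                        "Expected only one attribute value in signedAttribute message digest in eContent!");
            }
            storedDigestedContent = ((DEROctetString) attrValuesSet.getObjectAt(0)).getOctets();
        }
    }
    if (storedDigestedContent == null) {
        throw new IOException("Error extracting signedAttribute message digest in eContent!");
    }

    MessageDigest dig;
    try {
        dig = MessageDigest.getInstance(digAlg);
    } catch (NoSuchAlgorithmException nsae) {
        // Without the digest the content cannot be tied to the attributes, so fail closed.
        throw new IOException("Error checking signedAttribute in eContent! No such algorithm " + digAlg, nsae);
    }
    byte[] computedDigestedContent = dig.digest(contentBytes);
    if (!Arrays.equals(storedDigestedContent, computedDigestedContent)) {
        throw new IOException("Error checking signedAttribute message digest in eContent!");
    }

    return attributesBytes;
}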
From source file:org.signserver.module.mrtdsodsigner.jmrtd.SODFile.java
License:Open Source License
/**
 * Assembles a SignedData structure around an already computed signature value.
 *
 * <p>The encapsulated content is built from the data group hashes, the
 * certificate set holds only the document signing certificate, no CRLs are
 * included, and a single SignerInfo is created from the supplied
 * {@code encryptedDigest}.
 *
 * @param digestAlgorithm the digest algorithm name
 * @param digestEncryptionAlgorithm the signature algorithm name
 * @param dataGroupHashes the data group hashes, keyed by Integer
 * @param encryptedDigest the signature value to embed
 * @param docSigningCertificate the document signing certificate
 * @return the assembled SignedData
 */
private static SignedData createSignedData(String digestAlgorithm, String digestEncryptionAlgorithm,
        Map<Integer, byte[]> dataGroupHashes, byte[] encryptedDigest, X509Certificate docSigningCertificate)
        throws NoSuchAlgorithmException, CertificateException, IOException {
    ASN1Set digestAlgorithms = createSingletonSet(createDigestAlgorithms(digestAlgorithm));

    ContentInfo encapContentInfo = createContentInfo(digestAlgorithm, dataGroupHashes);
    DEROctetString encapsulated = (DEROctetString) encapContentInfo.getContent();
    byte[] eContent = encapsulated.getOctets();

    ASN1Set certificateSet = createSingletonSet(createCertificate(docSigningCertificate));
    ASN1Set noCrls = null; // no revocation lists are embedded

    // No signature algorithm parameters are passed (third argument is null).
    ASN1Set signerInfoSet = createSingletonSet(
            createSignerInfo(digestAlgorithm, digestEncryptionAlgorithm, null, eContent, encryptedDigest,
                    docSigningCertificate).toASN1Primitive());

    return new SignedData(digestAlgorithms, encapContentInfo, certificateSet, noCrls, signerInfoSet);
}
From source file:org.signserver.module.mrtdsodsigner.jmrtd.SODFile.java
License:Open Source License
/**
 * Builds the encapsulated content from the data group hashes, signs its
 * DER-encoded authenticated attributes with {@code privateKey}, and assembles
 * the resulting SignedData.
 *
 * <p>NOTE(review): any exception raised while signing is printed to stderr and
 * the method returns {@code null}. Callers must check for {@code null}; a
 * signing failure is otherwise only visible as a later NullPointerException.
 * Reporting the failure through an exception would be safer, but it changes
 * what callers observe and needs to be agreed with them first.
 *
 * @param digestAlgorithm the digest algorithm name
 * @param digestEncryptionAlgorithm the signature algorithm name
 * @param dataGroupHashes the data group hashes, keyed by Integer
 * @param privateKey the key used to sign
 * @param docSigningCertificate the document signing certificate
 * @param provider the JCA provider name, or {@code null} for the default lookup
 * @param ldsVersion passed through to {@code createContentInfo}
 * @param unicodeVersion passed through to {@code createContentInfo}
 * @return the assembled SignedData, or {@code null} if signing failed
 */
private static SignedData createSignedData(String digestAlgorithm, String digestEncryptionAlgorithm,
        Map<Integer, byte[]> dataGroupHashes, PrivateKey privateKey, X509Certificate docSigningCertificate,
        String provider, String ldsVersion, String unicodeVersion)
        throws NoSuchAlgorithmException, CertificateException, IOException {
    ASN1Set digestAlgorithms = createSingletonSet(createDigestAlgorithms(digestAlgorithm));
    ContentInfo encapContentInfo = createContentInfo(digestAlgorithm, dataGroupHashes, ldsVersion,
            unicodeVersion);
    byte[] eContent = ((DEROctetString) encapContentInfo.getContent()).getOctets();

    ASN1Encodable signatureParams = null;
    byte[] signatureValue = null;
    try {
        byte[] toBeSigned = createAuthenticatedAttributes(digestAlgorithm, eContent)
                .getEncoded(ASN1Encoding.DER);

        Signature signer = (provider == null)
                ? Signature.getInstance(digestEncryptionAlgorithm)
                : Signature.getInstance(digestEncryptionAlgorithm, provider);
        signer.initSign(privateKey);
        signer.update(toBeSigned);
        signatureValue = signer.sign();

        if (PKCS1_RSA_PSS_OID.toString().equals(lookupOIDByMnemonic(digestEncryptionAlgorithm).toString())) {
            // The parameters are taken from the preconfigured table rather than
            // from the Signature object: some providers (e.g. SunPKCS11) do not
            // support reading them back, so the defaults are assumed.
            signatureParams = algorithmParameters.get(digestEncryptionAlgorithm);
        }
    } catch (Exception e) {
        e.printStackTrace();
        return null;
    }

    ASN1Set certificateSet = createSingletonSet(createCertificate(docSigningCertificate));
    ASN1Set noCrls = null; // no revocation lists are embedded
    ASN1Set signerInfoSet = createSingletonSet(
            createSignerInfo(digestAlgorithm, digestEncryptionAlgorithm, signatureParams, eContent,
                    signatureValue, docSigningCertificate).toASN1Primitive());

    return new SignedData(digestAlgorithms, encapContentInfo, certificateSet, noCrls, signerInfoSet);
}
From source file:org.xipki.pki.scep.client.Client.java
License:Open Source License
/**
 * Sends a SCEP GetCRL request for the given issuer and serial number and
 * returns the CRL found in the response.
 *
 * @param identityKey the key passed to {@code encryptThenSign} and {@code decode}
 * @param identityCert the certificate passed to {@code encryptThenSign} and {@code decode}
 * @param issuer the issuer name placed in the request
 * @param serialNumber the serial number placed in the request
 * @return the CRL extracted from the response message data
 * @throws ScepClientException if the CRL cannot be extracted, or if one of the
 *         helper calls fails
 */
public X509CRL scepGetCrl(final PrivateKey identityKey, final X509Certificate identityCert,
        final X500Name issuer, final BigInteger serialNumber) throws ScepClientException {
    ParamUtil.requireNonNull("identityKey", identityKey);
    ParamUtil.requireNonNull("identityCert", identityCert);
    ParamUtil.requireNonNull("issuer", issuer);
    ParamUtil.requireNonNull("serialNumber", serialNumber);

    initIfNotInited();

    // Build the GetCRL request identifying the certificate by issuer and serial.
    PkiMessage crlRequest = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCRL);
    crlRequest.setMessageData(new IssuerAndSerialNumber(issuer, serialNumber));
    ContentInfo signedRequest = encryptThenSign(crlRequest, identityKey, identityCert);

    ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, signedRequest);
    CMSSignedData signedResponse = parsePkiMessage(httpResp.getContentBytes());
    // NOTE(review): the response status is not inspected in this method;
    // presumably decode(...) validates the response, confirm against it.
    PkiMessage response = decode(signedResponse, identityKey, identityCert);

    ContentInfo messageData = ContentInfo.getInstance(response.getMessageData());
    try {
        SignedData crlContainer = SignedData.getInstance(messageData.getContent());
        return ScepUtil.getCrlFromPkiMessage(crlContainer);
    } catch (CRLException ex) {
        throw new ScepClientException(ex.getMessage(), ex);
    }
}
From source file:org.xipki.pki.scep.client.Client.java
License:Open Source License
/**
 * Sends a SCEP GetCert request for the given issuer and serial number and
 * returns the certificates found in the response.
 *
 * @param identityKey the key passed to {@code encryptThenSign} and {@code decode}
 * @param identityCert the certificate passed to {@code encryptThenSign} and {@code decode}
 * @param issuer the issuer name placed in the request
 * @param serialNumber the serial number placed in the request
 * @return the certificates extracted from the response message data
 * @throws ScepClientException if the certificates cannot be extracted, or if
 *         one of the helper calls fails
 */
public List<X509Certificate> scepGetCert(final PrivateKey identityKey, final X509Certificate identityCert,
        final X500Name issuer, final BigInteger serialNumber) throws ScepClientException {
    ParamUtil.requireNonNull("identityKey", identityKey);
    ParamUtil.requireNonNull("identityCert", identityCert);
    ParamUtil.requireNonNull("issuer", issuer);
    ParamUtil.requireNonNull("serialNumber", serialNumber);

    initIfNotInited();

    // Build the GetCert request identifying the certificate by issuer and serial.
    PkiMessage certRequest = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCert);
    certRequest.setMessageData(new IssuerAndSerialNumber(issuer, serialNumber));
    ContentInfo signedRequest = encryptThenSign(certRequest, identityKey, identityCert);

    ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, signedRequest);
    CMSSignedData signedResponse = parsePkiMessage(httpResp.getContentBytes());
    // NOTE(review): the response status is not inspected in this method;
    // presumably decode(...) validates the response, confirm against it.
    DecodedPkiMessage response = decode(signedResponse, identityKey, identityCert);

    ContentInfo messageData = ContentInfo.getInstance(response.getMessageData());
    try {
        SignedData certContainer = SignedData.getInstance(messageData.getContent());
        return ScepUtil.getCertsFromSignedData(certContainer);
    } catch (CertificateException ex) {
        throw new ScepClientException(ex.getMessage(), ex);
    }
}
From source file:org.xipki.pki.scep.client.Client.java
License:Open Source License
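/**
 * Builds the authority certificate store from a SCEP CA certificate response.
 *
 * <p>Two content types are accepted: a single CA certificate, or a SignedData
 * carrying exactly one CA certificate plus one or more RA certificates. The CA
 * certificate must be accepted by {@code caValidator}, and every RA
 * certificate in the resulting store must be issued by that CA.
 *
 * @param resp the HTTP response holding the certificate(s)
 * @param caValidator decides whether the returned CA certificate is trusted
 * @return the store holding the CA certificate and any RA certificates
 * @throws ScepClientException if the content type or message is invalid, the
 *         certificate set does not have the expected shape, the CA certificate
 *         is not trusted, or an RA certificate is not issued by the CA
 */
private static AuthorityCertStore retrieveCaCertStore(final ScepHttpResponse resp,
        final CaCertValidator caValidator) throws ScepClientException {
    String ct = resp.getContentType();

    X509Certificate caCert = null;
    List<X509Certificate> raCerts = new LinkedList<X509Certificate>();

    if (ScepConstants.CT_X509_CA_CERT.equalsIgnoreCase(ct)) {
        caCert = parseCert(resp.getContentBytes());
    } else if (ScepConstants.CT_X509_CA_RA_CERT.equalsIgnoreCase(ct)) {
        SignedData signedData;
        try {
            // Parsing the outer ContentInfo sits inside the try as well, so a
            // malformed server response surfaces as ScepClientException rather
            // than an unchecked IllegalArgumentException.
            ContentInfo contentInfo = ContentInfo.getInstance(resp.getContentBytes());
            signedData = SignedData.getInstance(contentInfo.getContent());
        } catch (IllegalArgumentException ex) {
            throw new ScepClientException("invalid SignedData message: " + ex.getMessage(), ex);
        }

        List<X509Certificate> certs;
        try {
            certs = ScepUtil.getCertsFromSignedData(signedData);
        } catch (CertificateException ex) {
            throw new ScepClientException(ex.getMessage(), ex);
        }

        final int n = certs.size();
        if (n < 2) {
            throw new ScepClientException(
                    "at least 2 certificates are expected, but only " + n + " is available");
        }

        for (int i = 0; i < n; i++) {
            X509Certificate cert = certs.get(i);
            // getBasicConstraints() returns -1 for a non-CA certificate.
            if (cert.getBasicConstraints() > -1) {
                if (caCert != null) {
                    throw new ScepClientException(
                            "multiple CA certificates is returned, but exactly 1 is expected");
                }
                caCert = cert;
            } else {
                raCerts.add(cert);
            }
        }

        if (caCert == null) {
            throw new ScepClientException("no CA certificate is returned");
        }
    } else {
        throw new ScepClientException("invalid Content-Type '" + ct + "'");
    }

    if (!caValidator.isTrusted(caCert)) {
        throw new ScepClientException(
                "CA certificate '" + caCert.getSubjectX500Principal() + "' is not trusted");
    }

    if (raCerts.isEmpty()) {
        return AuthorityCertStore.getInstance(caCert);
    }

    AuthorityCertStore cs = AuthorityCertStore.getInstance(caCert,
            raCerts.toArray(new X509Certificate[0]));
    X509Certificate raEncCert = cs.getEncryptionCert();
    X509Certificate raSignCert = cs.getSignatureCert();

    try {
        if (!ScepUtil.issues(caCert, raEncCert)) {
            throw new ScepClientException(
                    "RA certificate '" + raEncCert.getSubjectX500Principal() + " is not issued by the CA");
        }

        // The signing certificate must pass the same issuer check as the
        // encryption certificate. The condition was previously missing its
        // negation, which rejected a correctly issued signing certificate and
        // accepted one that the CA did not issue.
        if (raSignCert != raEncCert && !ScepUtil.issues(caCert, raSignCert)) {
            throw new ScepClientException(
                    "RA certificate '" + raSignCert.getSubjectX500Principal() + " is not issued by the CA");
        }
    } catch (CertificateException ex) {
        throw new ScepClientException("invalid certificate: " + ex.getMessage(), ex);
    }
    return cs;
}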
From source file:org.xipki.pki.scep.client.EnrolmentResponse.java
License:Open Source License
/**
 * Wraps a CertRep message and, when its status is SUCCESS, extracts the
 * certificates embedded in its message data.
 *
 * <p>For any other status only the message itself is stored and no
 * certificates are read.
 *
 * @param pkcsRep the CertRep message; must not be {@code null}
 * @throws ScepClientException if the message is not a CertRep, its message data
 *         is not a ContentInfo, it carries no certificate, or the certificates
 *         cannot be decoded
 */
public EnrolmentResponse(final PkiMessage pkcsRep) throws ScepClientException {
    ParamUtil.requireNonNull("pkcsRep", pkcsRep);

    MessageType messageType = pkcsRep.getMessageType();
    if (messageType != MessageType.CertRep) {
        throw new ScepClientException("messageType must not be other than CertRep: " + messageType);
    }
    this.pkcsRep = pkcsRep;

    // Nothing to extract unless the enrolment succeeded.
    if (pkcsRep.getPkiStatus() != PkiStatus.SUCCESS) {
        return;
    }

    ASN1Encodable messageData = pkcsRep.getMessageData();
    boolean isContentInfo = messageData instanceof ContentInfo;
    if (!isContentInfo) {
        throw new ScepClientException("pkcsRep is not a ContentInfo");
    }

    ContentInfo contentInfo = (ContentInfo) messageData;
    SignedData signedData = SignedData.getInstance(contentInfo.getContent());

    ASN1Set embeddedCerts = signedData.getCertificates();
    if (embeddedCerts == null || embeddedCerts.size() == 0) {
        throw new ScepClientException("no certificate is embedded in pkcsRep");
    }

    List<X509Certificate> decodedCerts;
    try {
        decodedCerts = ScepUtil.getCertsFromSignedData(signedData);
    } catch (CertificateException ex) {
        throw new ScepClientException(ex.getMessage(), ex);
    }

    // Expose a read-only view so callers cannot alter the stored list.
    this.certificates = Collections.unmodifiableList(decodedCerts);
}