List of usage examples for org.bouncycastle.asn1.DEROctetString, constructor DEROctetString
public DEROctetString(ASN1Encodable obj) throws IOException
From source file:org.ejbca.core.protocol.ws.CertificateExtensionTest.java
License:Open Source License
/**
 * Asserts that an encoded certificate extension value carries the expected payload.
 *
 * <p>The extension bytes must decode to an OCTET STRING. With exactly one expected
 * value, the octets inside it must equal the DER encoding of
 * {@code new DEROctetString(values[0])}. Otherwise those octets must decode to a
 * SEQUENCE with one OCTET STRING per expected value, each holding the DER encoding
 * of the matching {@code DEROctetString}.
 *
 * @param values    expected raw values, one per element
 * @param extension encoded extension value as read from the certificate
 * @param sOID      OID of the extension; used in log output and in the assertion message
 * @throws IOException if the ASN.1 parsing or encoding fails
 */
private void checkExtension(byte[] values[], byte extension[], String sOID) throws IOException {
    assertNotNull(getNoCertExtensionProperties(sOID), extension);

    // Outer layer: the extension value itself has to be an OCTET STRING.
    final ASN1Primitive outer = ASN1Primitive.fromByteArray(extension);
    assertNotNull(outer);
    log.info("The extension for the OID '" + sOID + "' of class '" + outer.getClass().getCanonicalName()
            + "' is: " + outer);
    // Type is asserted before the cast so a wrong encoding fails the test instead of throwing.
    assertTrue(outer instanceof ASN1OctetString);
    final byte[] payload = ((ASN1OctetString) outer).getOctets();

    // Single value: the payload is compared directly and nothing else is parsed.
    if (values.length == 1) {
        assertArrayEquals(new DEROctetString(values[0]).getEncoded(), payload);
        return;
    }

    // Several values: the payload must be a SEQUENCE with one entry per value.
    final ASN1Primitive inner = ASN1Primitive.fromByteArray(payload);
    log.info("The contents of the '" + sOID + "' can be decoded to a '" + inner.getClass().getCanonicalName()
            + "' class.");
    assertTrue(inner instanceof ASN1Sequence);
    final ASN1Sequence elements = (ASN1Sequence) inner;

    assertEquals(values.length, elements.size());
    for (int index = 0; index < elements.size(); index++) {
        final ASN1Primitive element = elements.getObjectAt(index).toASN1Primitive();
        assertTrue(element instanceof ASN1OctetString);
        final byte[] expected = new DEROctetString(values[index]).getEncoded();
        assertArrayEquals(expected, ((ASN1OctetString) element).getOctets());
    }
}
From source file:org.ejbca.core.protocol.ws.CertificateExtensionTest.java
License:Open Source License
/**
 * Submits the test end entity through {@code ejbcaraws.editUser}, attaching the given
 * extension values as extended information.
 *
 * <p>Every element of {@code values} is stored under {@code sOID_several + ".value" + n}
 * (n starting at 1); {@code value}, when non-empty, is stored under {@code sOID_one}.
 * Each stored string is the hex form of the DER-encoded OCTET STRING wrapping the bytes.
 *
 * @param values values for the multi-valued extension; may be empty
 * @param value  value for the single-valued extension; skipped when {@code null} or empty
 * @throws Exception whatever the web-service call or the encoding throws
 */
private void editUser(byte[] values[], byte value[]) throws Exception {
    final UserDataVOWS userData = new UserDataVOWS(TEST_USER, PASSWORD, true, "C=SE, CN=cert extension test",
            getAdminCAName(), null, "foo@anatom.se", UserDataVOWS.STATUS_NEW,
            UserDataVOWS.TOKEN_TYPE_USERGENERATED, END_ENTITY_PROFILE, CERTIFICATE_PROFILE, null);

    final List<ExtendedInformationWS> extendedInfo = new LinkedList<ExtendedInformationWS>();

    int position = 0;
    while (position < values.length) {
        final byte[] encoded = new DEROctetString(values[position]).getEncoded();
        final ExtendedInformationWS entry = new ExtendedInformationWS();
        // Names are 1-based: ".value1", ".value2", ...
        entry.setName(sOID_several + ".value" + (position + 1));
        entry.setValue(new String(Hex.encode(encoded)));
        extendedInfo.add(entry);
        position++;
    }

    final boolean hasSingleValue = value != null && value.length > 0;
    if (hasSingleValue) {
        final byte[] encoded = new DEROctetString(value).getEncoded();
        final ExtendedInformationWS entry = new ExtendedInformationWS();
        entry.setName(sOID_one);
        entry.setValue(new String(Hex.encode(encoded)));
        extendedInfo.add(entry);
    }

    userData.setExtendedInformation(extendedInfo);
    this.ejbcaraws.editUser(userData);
}
From source file:org.ejbca.core.protocol.ws.client.NestedCrmfRequestMissingStoredCertTestCommand.java
License:Open Source License
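/**
 * Runs the command: sends a nested CMP request whose outer message is signed with a
 * key pair generated on the spot, and requires the server to answer with an error body
 * (tag 23). Any other outcome terminates the JVM with exit code -1.
 *
 * @throws IllegalAdminCommandException Error in command args
 * @throws ErrorAdminCommandException Error running command
 */
public void execute() throws IllegalAdminCommandException, ErrorAdminCommandException {
    try {
        CertRequest certReq = genCertReq(userDN, null);
        PKIMessage certMsg = genPKIMessage(false, certReq);
        if (certMsg == null) {
            getPrintStream().println("No certificate request.");
            System.exit(-1);
        }

        // Inner message protection. NOTE(review): SHA-1 based signature algorithm; fine for a
        // negative test, not something to copy into a production CMP client.
        AlgorithmIdentifier pAlg = new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption);
        certMsg.getHeader().setProtectionAlg(pAlg);
        // getBytes() uses the platform default charset; the literal is plain ASCII.
        certMsg.getHeader().setSenderKID(new DEROctetString("EMPTY".getBytes()));

        PKIMessage signedMsg = signPKIMessage(certMsg, innerSignKey);
        // The null check now precedes the first use of signedMsg; previously it came after
        // addExtraCert(signedMsg, ...), where a null could already have caused a failure.
        if (signedMsg == null) {
            getPrintStream().println("No protected message.");
            System.exit(-1);
        }
        addExtraCert(signedMsg, innerCertificate);

        // Outer header: sender is a fixed DN, recipient is the CA certificate's subject.
        PKIHeader myPKIHeader = new PKIHeader(new DERInteger(2),
                new GeneralName(new X509Name("CN=CMSSender,C=SE")),
                new GeneralName(new X509Name(((X509Certificate) cacert).getSubjectDN().getName())));
        myPKIHeader.setMessageTime(new DERGeneralizedTime(new Date()));
        // senderNonce and transactionID are both filled from the same 'nonce' field.
        myPKIHeader.setSenderNonce(new DEROctetString(nonce));
        myPKIHeader.setTransactionID(new DEROctetString(nonce));
        byte[] recipNonce = new byte[16];
        random.nextBytes(recipNonce);
        myPKIHeader.setRecipNonce(new DEROctetString(recipNonce));

        PKIBody myPKIBody = new PKIBody(signedMsg, 20); // NestedMessageContent
        PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);

        // The outer signature uses a throw-away key pair created here.
        // NOTE(review): 1024-bit RSA is below current minimum key sizes; acceptable only
        // because the key exists for this test message.
        KeyPair signkeys = KeyTools.genKeys("1024", "RSA");
        PKIMessage cmsMessage = signPKIMessage(myPKIMessage, signkeys.getPrivate());

        reqId = signedMsg.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();

        final ByteArrayOutputStream bao = new ByteArrayOutputStream();
        final DEROutputStream out = new DEROutputStream(bao);
        out.writeObject(cmsMessage);
        final byte[] ba = bao.toByteArray();

        // Send request and receive response
        final byte[] resp = sendCmp(ba);
        if (resp == null || resp.length <= 0) {
            getPrintStream().println("No response message.");
            System.exit(-1);
        }

        PKIMessage respObject = PKIMessage
                .getInstance(new ASN1InputStream(new ByteArrayInputStream(resp)).readObject());
        if (respObject == null) {
            getPrintStream().println("No response message object could be optained");
            System.exit(-1);
        }

        // Only an error body (tag 23, read through getError()) counts as a pass.
        PKIBody body = respObject.getBody();
        if (body.getTagNo() != 23) {
            getPrintStream().println("Expected tagnr 23, but found " + body.getTagNo());
            System.exit(-1);
        }
        getPrintStream().println("Response tagnr checked 23 ok");
        // NOTE(review): getPadBits() is printed as the "error code"; confirm that this is the
        // intended field of the failure-info bit string.
        getPrintStream()
                .println("FailInfo error code: " + body.getError().getPKIStatus().getFailInfo().getPadBits());
        getPrintStream().println(
                "Error Message: " + body.getError().getPKIStatus().getStatusString().getString(0).getString());
    } catch (Exception e) {
        // One handler replaces a chain of catch clauses that all did exactly this.
        e.printStackTrace(getPrintStream());
        System.exit(-1);
    }
    getPrintStream().println("Test successfull");
}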
From source file:org.ejbca.core.protocol.ws.client.NestedCrmfRequestTestCommand.java
License:Open Source License
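/**
 * Runs the command: sends a nested CMP request signed with {@code outerSignKey}, checks
 * that the response carries a certificate for the request id, and optionally writes the
 * certificate as a PEM file. Any failure terminates the JVM with exit code -1.
 *
 * @throws IllegalAdminCommandException Error in command args
 * @throws ErrorAdminCommandException Error running command
 */
public void execute() throws IllegalAdminCommandException, ErrorAdminCommandException {
    try {
        CertRequest certReq = genCertReq(userDN, null);
        PKIMessage certMsg = genPKIMessage(false, certReq);
        if (certMsg == null) {
            getPrintStream().println("No certificate request.");
            System.exit(-1);
        }

        AlgorithmIdentifier pAlg = new AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption);
        certMsg.getHeader().setProtectionAlg(pAlg);
        // getBytes() uses the platform default charset; the literal is plain ASCII.
        certMsg.getHeader().setSenderKID(new DEROctetString("CMPEnduser".getBytes()));

        PKIMessage signedMsg = signPKIMessage(certMsg, innerSignKey);
        // The null check now precedes the first use of signedMsg; previously it came after
        // addExtraCert(signedMsg, ...), where a null could already have caused a failure.
        if (signedMsg == null) {
            getPrintStream().println("No protected message.");
            System.exit(-1);
        }
        addExtraCert(signedMsg, innerCertificate);

        // Outer header: sender is a fixed DN, recipient is the CA certificate's subject.
        PKIHeader myPKIHeader = new PKIHeader(new DERInteger(2),
                new GeneralName(new X509Name("CN=CMSSender,C=SE")),
                new GeneralName(new X509Name(((X509Certificate) cacert).getSubjectDN().getName())));
        myPKIHeader.setMessageTime(new DERGeneralizedTime(new Date()));
        // senderNonce and transactionID are both filled from the same 'nonce' field.
        myPKIHeader.setSenderNonce(new DEROctetString(nonce));
        myPKIHeader.setTransactionID(new DEROctetString(nonce));

        PKIBody myPKIBody = new PKIBody(signedMsg, 20); // NestedMessageContent
        PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);
        PKIMessage cmsMessage = signPKIMessage(myPKIMessage, outerSignKey);

        reqId = signedMsg.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();

        final ByteArrayOutputStream bao = new ByteArrayOutputStream();
        final DEROutputStream out = new DEROutputStream(bao);
        out.writeObject(cmsMessage);
        final byte[] ba = bao.toByteArray();

        // Send request and receive response
        final byte[] resp = sendCmp(ba);
        if (resp == null || resp.length <= 0) {
            getPrintStream().println("No response message.");
            System.exit(-1);
        }

        final X509Certificate cert = checkCmpCertRepMessage(resp, reqId);
        if (cert == null) {
            getPrintStream().println("No certificate was created.");
            System.exit(-1);
        }
        getPrintStream().println("Certificate for " + userDN + " was created with the serialnumber: "
                + cert.getSerialNumber().toString());

        if (createsCertsPath != null) {
            // NOTE(review): the file name is taken from the CN of the certificate returned by
            // the server and is not sanitised here; confirm that writeCertificate rejects
            // path separators and ".." so the file cannot land outside createsCertsPath.
            String filename = CertTools.getPartFromDN(cert.getSubjectDN().toString(), "CN") + ".pem";
            writeCertificate(cert, createsCertsPath, filename);
            getPrintStream().println("Certificate was written to: " + createsCertsPath + "/" + filename);
        }
    } catch (Exception e) {
        // One handler replaces a chain of catch clauses that all did exactly this.
        e.printStackTrace(getPrintStream());
        System.exit(-1);
    }
    getPrintStream().println("Test successfull");
}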
From source file:org.ejbca.core.protocol.ws.client.NestedCrmfRequestWrongSignatureTestCommand.java
License:Open Source License
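/**
 * Runs the command: sends a nested CMP message whose protection bits were computed over
 * a different message (the inner request) and reports how the server answers.
 *
 * <p>NOTE(review): neither response branch exits, so "Test successfull" is printed even
 * when the server answers with tag 1 and a certificate, i.e. when the mismatching
 * signature was accepted. Confirm whether that case should fail the run.
 *
 * @throws IllegalAdminCommandException Error in command args
 * @throws ErrorAdminCommandException Error running command
 */
public void execute() throws IllegalAdminCommandException, ErrorAdminCommandException {
    try {
        CertRequest certReq = genCertReq(userDN, null);
        PKIMessage certMsg = genPKIMessage(false, certReq);
        if (certMsg == null) {
            getPrintStream().println("No certificate request.");
            System.exit(-1);
        }

        // NOTE(review): SHA-1 based signature algorithm; fine for a negative test, not
        // something to copy into a production CMP client.
        AlgorithmIdentifier pAlg = new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption);
        certMsg.getHeader().setProtectionAlg(pAlg);
        // getBytes() uses the platform default charset; the literal is plain ASCII.
        certMsg.getHeader().setSenderKID(new DEROctetString("EMPTY".getBytes()));

        PKIMessage signedMsg = signPKIMessage(certMsg, innerSignKey);
        // The null check now precedes the first use of signedMsg; previously it came after
        // addExtraCert(signedMsg, ...), where a null could already have caused a failure.
        if (signedMsg == null) {
            getPrintStream().println("No protected message.");
            System.exit(-1);
        }
        addExtraCert(signedMsg, innerCertificate);

        // Outer header: sender is a fixed DN, recipient is the CA certificate's subject.
        PKIHeader myPKIHeader = new PKIHeader(new DERInteger(2),
                new GeneralName(new X509Name("CN=CMSSender,C=SE")),
                new GeneralName(new X509Name(((X509Certificate) cacert).getSubjectDN().getName())));
        myPKIHeader.setMessageTime(new DERGeneralizedTime(new Date()));
        // senderNonce and transactionID are both filled from the same 'nonce' field.
        myPKIHeader.setSenderNonce(new DEROctetString(nonce));
        myPKIHeader.setTransactionID(new DEROctetString(nonce));
        byte[] recipNonce = new byte[16];
        random.nextBytes(recipNonce);
        myPKIHeader.setRecipNonce(new DEROctetString(recipNonce));

        PKIBody myPKIBody = new PKIBody(signedMsg, 20); // NestedMessageContent
        PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);

        // The protection is taken from a signature over certMsg, not over myPKIMessage,
        // so it does not belong to the message that is actually sent.
        PKIMessage signedCrmfMsg2 = signPKIMessage(certMsg, outerSignKey);
        myPKIMessage.setProtection(signedCrmfMsg2.getProtection());

        reqId = signedMsg.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();

        final ByteArrayOutputStream bao = new ByteArrayOutputStream();
        final DEROutputStream out = new DEROutputStream(bao);
        out.writeObject(myPKIMessage);
        final byte[] ba = bao.toByteArray();

        // Send request and receive response
        final byte[] resp = sendCmp(ba);
        if (resp == null || resp.length <= 0) {
            getPrintStream().println("No response message.");
            System.exit(-1);
        }
        getPrintStream().println("Got response");

        PKIMessage respObject = PKIMessage
                .getInstance(new ASN1InputStream(new ByteArrayInputStream(resp)).readObject());
        if (respObject == null) {
            getPrintStream().println("No response message object could be optained");
            System.exit(-1);
        }
        getPrintStream().println("Response object created OK");

        PKIBody body = respObject.getBody();
        if (body.getTagNo() != 23) {
            // Not an error body: report the tag and, for tag 1, whether a certificate came back.
            getPrintStream().println("Expected tagnr 23 or 1. Found tagnr " + body.getTagNo() + ".");
            if (body.getTagNo() == 1) {
                final X509Certificate cert = checkCmpCertRepMessage(resp, reqId);
                if (cert == null) {
                    getPrintStream().println("No certificate was created");
                } else {
                    getPrintStream().println("Certificate for " + userDN
                            + " was created with the serialnumber: " + cert.getSerialNumber().toString());
                }
            }
        } else {
            getPrintStream().println("Response tagnr 23 checked OK");
            // NOTE(review): getPadBits() is printed as the "error code"; confirm that this is
            // the intended field of the failure-info bit string.
            getPrintStream().println(
                    "FailInfo error code: " + body.getError().getPKIStatus().getFailInfo().getPadBits());
            getPrintStream().println("Error Message: "
                    + body.getError().getPKIStatus().getStatusString().getString(0).getString());
        }
    } catch (Exception e) {
        // One handler replaces a chain of catch clauses that all did exactly this.
        e.printStackTrace(getPrintStream());
        System.exit(-1);
    }
    getPrintStream().println("Test successfull");
}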
From source file:org.ejbca.core.protocol.ws.CommonEjbcaWS.java
License:Open Source License
/**
 * Builds a PKCS#10 request for {@code CN=NOUSED} that carries one dummy extension
 * (OID {@code 1.2.3.4}, non-critical, value {@code "foo123"}) in an extensionRequest
 * attribute.
 *
 * <p>NOTE(review): the key pair is 512-bit RSA and the request is signed with
 * SHA1WithRSA. Both are far below what a CA should accept today; treat them as test
 * fixture values only.
 *
 * @return the signed certification request
 * @throws Exception if key generation or request creation fails
 */
private PKCS10CertificationRequest getP10Request() throws Exception {
    final KeyPair keys = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);

    // Outer container: the attribute set of the request.
    ASN1EncodableVector requestAttributes = new ASN1EncodableVector();

    // extensionRequest attribute = { attribute OID, SET { Extensions } }
    ASN1EncodableVector extensionRequest = new ASN1EncodableVector();
    extensionRequest.add(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);

    ExtensionsGenerator generator = new ExtensionsGenerator();
    // getBytes() uses the platform default charset; the literal is plain ASCII.
    generator.addExtension(new ASN1ObjectIdentifier("1.2.3.4"), false,
            new DEROctetString("foo123".getBytes()));
    Extensions dummyExtensions = generator.generate();

    extensionRequest.add(new DERSet(dummyExtensions));
    requestAttributes.add(new DERSequence(extensionRequest));

    return CertTools.genPKCS10CertificationRequest("SHA1WithRSA", CertTools.stringToBcX500Name("CN=NOUSED"),
            keys.getPublic(), new DERSet(requestAttributes), keys.getPrivate(), null);
}
From source file:org.ejbca.core.protocol.ws.CommonEjbcaWS.java
License:Open Source License
/**
 * Creates a CRMF certificate request message for the given issuer, subject and key.
 *
 * <p>The template always receives exactly one extension: {@code extensionOid},
 * non-critical, with the value {@code "foo123"}. The request id is fixed to 4 and no
 * proof of possession or registration info is attached (both passed as {@code null}).
 *
 * @param issuerDN     issuer DN for the certificate template
 * @param userDN       subject DN for the certificate template
 * @param keys         key pair whose public key goes into the template
 * @param extensionOid OID of the extension to request
 * @return the assembled request message
 * @throws IOException if the public key cannot be parsed or the extension cannot be encoded
 */
private CertReqMsg createCrmfRequest(final String issuerDN, final String userDN, final KeyPair keys,
        final String extensionOid) throws IOException {
    final CertTemplateBuilder template = new CertTemplateBuilder();
    template.setIssuer(new X500Name(issuerDN));
    template.setSubject(new X500Name(userDN));

    // Re-parse the encoded public key into a SubjectPublicKeyInfo structure.
    final byte[] encodedKey = keys.getPublic().getEncoded();
    final ASN1InputStream keyReader = new ASN1InputStream(new ByteArrayInputStream(encodedKey));
    try {
        final SubjectPublicKeyInfo publicKeyInfo = new SubjectPublicKeyInfo((ASN1Sequence) keyReader.readObject());
        template.setPublicKey(publicKeyInfo);
    } finally {
        keyReader.close();
    }

    // A single fixed-value extension under the caller-supplied OID.
    // getBytes() uses the platform default charset; the literal is plain ASCII.
    final ExtensionsGenerator generator = new ExtensionsGenerator();
    generator.addExtension(new ASN1ObjectIdentifier(extensionOid), false,
            new DEROctetString("foo123".getBytes()));
    template.setExtensions(generator.generate());

    final CertRequest request = new CertRequest(4, template.build(), null);
    return new CertReqMsg(request, null, null);
}
From source file:org.ejbca.extra.ra.ScepRequestGenerator.java
License:Open Source License
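/**
 * Generates a SCEP CertReq. Keys must have been set in the generator for this to succeed.
 *
 * <p>The PKCS#10 request carries two attributes: a challengePassword holding
 * {@code password} as a UTF8String, and an extensionRequest with a fixed subject
 * alternative name ({@code dNSName=foo.bar.com,iPAddress=10.0.0.1}). A self-signed
 * certificate for {@code dn} is created as well, and the encoded request is passed to
 * {@code wrap} with the message type string {@code "19"}.
 *
 * <p>NOTE(review): the request and the self-signed certificate are both signed with
 * SHA1WithRSA. The challenge password sits in clear inside the PKCS#10; presumably
 * {@code wrap} envelopes it for the CA. Confirm against {@code wrap}.
 *
 * @param dn       subject DN of the request and of the self-signed certificate
 * @param password challenge password placed in the request
 * @param ca       CA certificate, stored in the generator
 * @return the wrapped request message
 * @throws IllegalStateException    if no keys have been set
 * @throws IllegalArgumentException if the alternative names cannot be DER-encoded
 */
public byte[] generateCertReq(String dn, String password, X509Certificate ca)
        throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, SignatureException,
        IOException, CMSException, InvalidAlgorithmParameterException, CertStoreException,
        CertificateEncodingException, IllegalStateException {
    // Fail with the documented exception instead of a NullPointerException further down,
    // and before any generator state is changed.
    if (keys == null) {
        throw new IllegalStateException("Keys must be set before generating a request");
    }
    this.cacert = ca;
    this.reqdn = dn;

    // Create challenge password attribute for PKCS10
    // Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}
    //
    // Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
    //    type    ATTRIBUTE.&id({IOSet}),
    //    values  SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{\@type})
    // }
    ASN1EncodableVector challpwdattr = new ASN1EncodableVector();
    // Challenge password attribute
    challpwdattr.add(PKCSObjectIdentifiers.pkcs_9_at_challengePassword);
    ASN1EncodableVector pwdvalues = new ASN1EncodableVector();
    pwdvalues.add(new DERUTF8String(password));
    challpwdattr.add(new DERSet(pwdvalues));

    // Requested extensions attribute
    ASN1EncodableVector extensionattr = new ASN1EncodableVector();
    extensionattr.add(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    // AltNames
    GeneralNames san = CertTools.getGeneralNamesFromAltName("dNSName=foo.bar.com,iPAddress=10.0.0.1");
    ByteArrayOutputStream bOut = new ByteArrayOutputStream();
    DEROutputStream dOut = new DEROutputStream(bOut);
    try {
        dOut.writeObject(san);
    } catch (IOException e) {
        // Keep the original exception as the cause so the stack trace is not lost.
        throw new IllegalArgumentException("error encoding value: " + e, e);
    }
    // Raw Vectors are kept because they are handed straight to the X509Extensions constructor.
    Vector oidvec = new Vector();
    oidvec.add(X509Extensions.SubjectAlternativeName);
    Vector valuevec = new Vector();
    valuevec.add(new X509Extension(false, new DEROctetString(bOut.toByteArray())));
    X509Extensions exts = new X509Extensions(oidvec, valuevec);
    extensionattr.add(new DERSet(exts));

    // Complete the Attribute section of the request, the set (Attributes) contains two sequences (Attribute)
    ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(new DERSequence(challpwdattr));
    v.add(new DERSequence(extensionattr));
    DERSet attributes = new DERSet(v);

    // Create PKCS#10 certificate request
    p10request = new PKCS10CertificationRequest("SHA1WithRSA", CertTools.stringToBcX509Name(reqdn),
            keys.getPublic(), attributes, keys.getPrivate());

    // Create self signed cert.
    // NOTE(review): the validity argument is 24 * 60 * 60 * 1000; confirm the unit that
    // genSelfCert expects, since this only means "1 day" if it takes milliseconds.
    cert = CertTools.genSelfCert(reqdn, 24 * 60 * 60 * 1000, null, keys.getPrivate(), keys.getPublic(),
            AlgorithmConstants.SIGALG_SHA1_WITH_RSA, false);

    // wrap message in pkcs#7
    byte[] msg = wrap(p10request.getEncoded(), "19");
    return msg;
}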
From source file:org.ejbca.extra.ra.ScepRequestGenerator.java
License:Open Source License
/**
 * Signs the given content as CMS SignedData with the SCEP signed attributes
 * messageType, transactionId and senderNonce, using the generator's key and
 * self-signed certificate.
 *
 * <p>Side effects: sets the {@code transactionId} and {@code senderNonce} fields to the
 * Base64 text of the values placed in the message.
 *
 * <p>NOTE(review): the transaction id is the MD5 fingerprint of the public key; it is
 * used here as an identifier and should not be relied on as a security property.
 *
 * @param signThis    content to sign
 * @param messageType SCEP message type, written as a PrintableString
 * @return the signed data with the content encapsulated
 */
private CMSSignedData sign(CMSProcessable signThis, String messageType) throws NoSuchAlgorithmException,
        NoSuchProviderException, CMSException, InvalidAlgorithmParameterException, CertStoreException {
    CMSSignedDataGenerator generator = new CMSSignedDataGenerator();

    // Signed (authenticated) attributes, keyed by attribute type.
    Hashtable signedAttributes = new Hashtable();

    // Message type (certreq)
    DERObjectIdentifier messageTypeOid = new DERObjectIdentifier(ScepRequestMessage.id_messageType);
    DERSet messageTypeValue = new DERSet(new DERPrintableString(messageType));
    Attribute messageTypeAttr = new Attribute(messageTypeOid, messageTypeValue);
    signedAttributes.put(messageTypeAttr.getAttrType(), messageTypeAttr);

    // TransactionId: Base64 of the MD5 fingerprint of the certificate's public key.
    byte[] fingerprint = CertTools.generateMD5Fingerprint(cert.getPublicKey().getEncoded());
    transactionId = new String(Base64.encode(fingerprint));
    DERObjectIdentifier transIdOid = new DERObjectIdentifier(ScepRequestMessage.id_transId);
    DERSet transIdValue = new DERSet(new DERPrintableString(Base64.encode(fingerprint)));
    Attribute transIdAttr = new Attribute(transIdOid, transIdValue);
    signedAttributes.put(transIdAttr.getAttrType(), transIdAttr);

    // senderNonce: 16 random bytes.
    // NOTE(review): the generator is requested by name ("SHA1PRNG") rather than taking the
    // platform default SecureRandom; confirm that is intentional.
    byte[] nonceBytes = new byte[16];
    SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
    rng.nextBytes(nonceBytes);
    senderNonce = new String(Base64.encode(nonceBytes));
    // The array was allocated just above, so it can never be null at this point.
    DERObjectIdentifier nonceOid = new DERObjectIdentifier(ScepRequestMessage.id_senderNonce);
    log.debug("Added senderNonce: " + senderNonce);
    DERSet nonceValue = new DERSet(new DEROctetString(nonceBytes));
    Attribute nonceAttr = new Attribute(nonceOid, nonceValue);
    signedAttributes.put(nonceAttr.getAttrType(), nonceAttr);

    // Add our signer info and sign the message
    ArrayList signerCerts = new ArrayList();
    signerCerts.add(cert);
    CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(signerCerts),
            "BC");
    generator.addCertificatesAndCRLs(certStore);
    generator.addSigner(keys.getPrivate(), cert, digestOid, new AttributeTable(signedAttributes), null);

    // The signed data to be enveloped
    return generator.generate(signThis, true, "BC");
}
From source file:org.ejbca.ui.cmpclient.CmpClientMessageHelper.java
License:Open Source License
/**
 * Returns a copy of {@code msg} protected with a password-based MAC (RFC 4210, section
 * 5.1.3.1): the password and salt are concatenated, hashed {@code iterations} times with
 * SHA-1, and the result keys an HMAC/SHA1 over the protected part of the message.
 *
 * <p>NOTE(review): the salt is the fixed literal {@code "foo123"} and both the hash and
 * the MAC are SHA-1 based. A fixed salt means the same password and iteration count
 * always give the same base key; a sender outside of testing would use a fresh random
 * salt per message. {@code password.getBytes()} uses the platform default charset, so
 * both ends must agree on it for non-ASCII secrets.
 *
 * @param msg         message whose header and body are protected
 * @param badObjectId when {@code true}, ".7" is appended to the protection algorithm OID
 *                    so that the header announces an OID other than
 *                    {@code 1.2.840.113533.7.66.13}
 * @param password    shared secret
 * @param iterations  number of hash rounds applied to derive the base key
 * @return a new message with the rebuilt header, the original body and the MAC
 */
private PKIMessage protectPKIMessageWithHMAC(PKIMessage msg, boolean badObjectId, String password,
        int iterations) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException {
    // Create the PasswordBased protection of the message
    PKIHeaderBuilder headerBuilder = getHeaderBuilder(msg.getHeader());

    // One-way function: SHA1
    AlgorithmIdentifier owfAlg = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
    // Iteration count as supplied by the caller
    ASN1Integer iteration = new ASN1Integer(iterations);
    // MAC: HMAC/SHA1
    AlgorithmIdentifier macAlg = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.2.7"));
    byte[] salt = "foo123".getBytes();
    DEROctetString derSalt = new DEROctetString(salt);

    // Protection algorithm OID, optionally made invalid on request.
    final String passwordBasedMacOid = "1.2.840.113533.7.66.13";
    final String objectId = badObjectId ? passwordBasedMacOid + ".7" : passwordBasedMacOid;
    PBMParameter pbmParameter = new PBMParameter(derSalt, owfAlg, iteration, macAlg);
    AlgorithmIdentifier protectionAlg = new AlgorithmIdentifier(new ASN1ObjectIdentifier(objectId), pbmParameter);
    headerBuilder.setProtectionAlg(protectionAlg);
    PKIHeader header = headerBuilder.build();

    // Base key input: secret followed by salt.
    byte[] raSecret = password.getBytes();
    byte[] basekey = new byte[raSecret.length + salt.length];
    System.arraycopy(raSecret, 0, basekey, 0, raSecret.length);
    System.arraycopy(salt, 0, basekey, raSecret.length, salt.length);

    // Construct the base key according to rfc4210, section 5.1.3.1
    MessageDigest owf = MessageDigest.getInstance(owfAlg.getAlgorithm().getId(), "BC");
    int round = 0;
    while (round < iterations) {
        basekey = owf.digest(basekey);
        owf.reset();
        round++;
    }

    // For HMAC/SHA1 there is another oid, that is not known in BC, but the
    // result is the same so...
    String macOid = macAlg.getAlgorithm().getId();
    PKIBody body = msg.getBody();
    byte[] protectedBytes = getProtectedBytes(header, body);

    Mac mac = Mac.getInstance(macOid, "BC");
    SecretKey macKey = new SecretKeySpec(basekey, macOid);
    mac.init(macKey);
    mac.reset();
    mac.update(protectedBytes);
    DERBitString protection = new DERBitString(mac.doFinal());

    return new PKIMessage(header, body, protection);
}