List of usage examples for org.bouncycastle.asn1 DEROctetString getOctets
public byte[] getOctets()
From source file:es.uji.security.crypto.pdf.PdfPKCS7TSA.java
License:Mozilla Public License
/** * Verifies a signature using the sub-filter adbe.pkcs7.detached or * adbe.pkcs7.sha1. * @param contentsKey the /Contents key * @param provider the provider or <code>null</code> for the default provider *//*from www .j av a2 s . c o m*/ public PdfPKCS7TSA(byte[] contentsKey, Provider provider) { try { this.provider = provider; ASN1InputStream din = new ASN1InputStream(new ByteArrayInputStream(contentsKey)); // // Basic checks to make sure it's a PKCS#7 SignedData Object // DERObject pkcs; try { pkcs = din.readObject(); } catch (IOException e) { throw new IllegalArgumentException("can't decode PKCS7SignedData object"); } if (!(pkcs instanceof ASN1Sequence)) { throw new IllegalArgumentException("Not a valid PKCS#7 object - not a sequence"); } ASN1Sequence signedData = (ASN1Sequence) pkcs; DERObjectIdentifier objId = (DERObjectIdentifier) signedData.getObjectAt(0); if (!objId.getId().equals(ID_PKCS7_SIGNED_DATA)) throw new IllegalArgumentException("Not a valid PKCS#7 object - not signed data"); ASN1Sequence content = (ASN1Sequence) ((DERTaggedObject) signedData.getObjectAt(1)).getObject(); // the positions that we care are: // 0 - version // 1 - digestAlgorithms // 2 - possible ID_PKCS7_DATA // (the certificates and crls are taken out by other means) // last - signerInfos // the version version = ((DERInteger) content.getObjectAt(0)).getValue().intValue(); // the digestAlgorithms digestalgos = new HashSet(); Enumeration e = ((ASN1Set) content.getObjectAt(1)).getObjects(); while (e.hasMoreElements()) { ASN1Sequence s = (ASN1Sequence) e.nextElement(); DERObjectIdentifier o = (DERObjectIdentifier) s.getObjectAt(0); digestalgos.add(o.getId()); } // the certificates and crls X509CertParser cr = new X509CertParser(); cr.engineInit(new ByteArrayInputStream(contentsKey)); certs = cr.engineReadAll(); X509CRLParser cl = new X509CRLParser(); cl.engineInit(new ByteArrayInputStream(contentsKey)); crls = cl.engineReadAll(); // the possible ID_PKCS7_DATA ASN1Sequence rsaData = (ASN1Sequence) content.getObjectAt(2); if (rsaData.size() > 1) { DEROctetString rsaDataContent = (DEROctetString) ((DERTaggedObject) rsaData.getObjectAt(1)) .getObject(); RSAdata = rsaDataContent.getOctets(); } // the signerInfos int next = 3; while (content.getObjectAt(next) instanceof DERTaggedObject) ++next; ASN1Set signerInfos = (ASN1Set) content.getObjectAt(next); if (signerInfos.size() != 1) throw new IllegalArgumentException( "This PKCS#7 object has multiple SignerInfos - only one is supported at this time"); ASN1Sequence signerInfo = (ASN1Sequence) signerInfos.getObjectAt(0); // the positions that we care are // 0 - version // 1 - the signing certificate serial number // 2 - the digest algorithm // 3 or 4 - digestEncryptionAlgorithm // 4 or 5 - encryptedDigest signerversion = ((DERInteger) signerInfo.getObjectAt(0)).getValue().intValue(); // Get the signing certificate ASN1Sequence issuerAndSerialNumber = (ASN1Sequence) signerInfo.getObjectAt(1); BigInteger serialNumber = ((DERInteger) issuerAndSerialNumber.getObjectAt(1)).getValue(); for (Iterator i = certs.iterator(); i.hasNext();) { X509Certificate cert = (X509Certificate) i.next(); if (serialNumber.equals(cert.getSerialNumber())) { signCert = cert; break; } } if (signCert == null) { throw new IllegalArgumentException( "Can't find signing certificate with serial " + serialNumber.toString(16)); } signCertificateChain(); digestAlgorithm = ((DERObjectIdentifier) ((ASN1Sequence) signerInfo.getObjectAt(2)).getObjectAt(0)) .getId(); next = 3; if (signerInfo.getObjectAt(next) instanceof ASN1TaggedObject) { ASN1TaggedObject tagsig = (ASN1TaggedObject) signerInfo.getObjectAt(next); ASN1Set sseq = ASN1Set.getInstance(tagsig, false); sigAttr = sseq.getEncoded(ASN1Encodable.DER); for (int k = 0; k < sseq.size(); ++k) { ASN1Sequence seq2 = (ASN1Sequence) sseq.getObjectAt(k); if (((DERObjectIdentifier) seq2.getObjectAt(0)).getId().equals(ID_MESSAGE_DIGEST)) { ASN1Set set = (ASN1Set) seq2.getObjectAt(1); digestAttr = ((DEROctetString) set.getObjectAt(0)).getOctets(); } else if (((DERObjectIdentifier) seq2.getObjectAt(0)).getId().equals(ID_ADBE_REVOCATION)) { ASN1Set setout = (ASN1Set) seq2.getObjectAt(1); ASN1Sequence seqout = (ASN1Sequence) setout.getObjectAt(0); for (int j = 0; j < seqout.size(); ++j) { ASN1TaggedObject tg = (ASN1TaggedObject) seqout.getObjectAt(j); if (tg.getTagNo() != 1) continue; ASN1Sequence seqin = (ASN1Sequence) tg.getObject(); findOcsp(seqin); } } } if (digestAttr == null) throw new IllegalArgumentException("Authenticated attribute is missing the digest."); ++next; } digestEncryptionAlgorithm = ((DERObjectIdentifier) ((ASN1Sequence) signerInfo.getObjectAt(next++)) .getObjectAt(0)).getId(); digest = ((DEROctetString) signerInfo.getObjectAt(next++)).getOctets(); if (next < signerInfo.size() && (signerInfo.getObjectAt(next) instanceof DERTaggedObject)) { DERTaggedObject taggedObject = (DERTaggedObject) signerInfo.getObjectAt(next); ASN1Set unat = ASN1Set.getInstance(taggedObject, false); AttributeTable attble = new AttributeTable(unat); Attribute ts = attble.get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken); if (ts != null) { ASN1Set attributeValues = ts.getAttrValues(); ASN1Sequence tokenSequence = ASN1Sequence.getInstance(attributeValues.getObjectAt(0)); ContentInfo contentInfo = new ContentInfo(tokenSequence); this.timeStampToken = new TimestampToken(contentInfo.getEncoded()); } } if (RSAdata != null || digestAttr != null) { if (provider == null || provider.getName().startsWith("SunPKCS11")) messageDigest = MessageDigest.getInstance(getHashAlgorithm()); else messageDigest = MessageDigest.getInstance(getHashAlgorithm(), provider); } if (provider == null) sig = Signature.getInstance(getDigestAlgorithm()); else sig = Signature.getInstance(getDigestAlgorithm(), provider); sig.initVerify(signCert.getPublicKey()); } catch (Exception e) { throw new ExceptionConverter(e); } }
From source file:eu.europa.ec.markt.dss.DSSASN1Utils.java
License:Open Source License
/** * This method checks if a given {@code DEROctetString} is null. * * @param derOctetString// ww w .j av a 2 s . co m * @return */ public static boolean isDEROctetStringNull(final DEROctetString derOctetString) { final byte[] derOctetStringBytes = derOctetString.getOctets(); final ASN1Primitive asn1Null = DSSASN1Utils.toASN1Primitive(derOctetStringBytes); return DERNull.INSTANCE.equals(asn1Null); }
From source file:eu.europa.ec.markt.dss.DSSUtils.java
License:Open Source License
private static String getAccessLocation(final X509Certificate certificate, final ASN1ObjectIdentifier accessMethod) { try {/*from w w w.j a v a2s .co m*/ final byte[] authInfoAccessExtensionValue = certificate .getExtensionValue(Extension.authorityInfoAccess.getId()); if (null == authInfoAccessExtensionValue) { return null; } /* Parse the extension */ final ASN1InputStream asn1InputStream = new ASN1InputStream( new ByteArrayInputStream(authInfoAccessExtensionValue)); final DEROctetString oct = (DEROctetString) (asn1InputStream.readObject()); asn1InputStream.close(); final ASN1InputStream asn1InputStream2 = new ASN1InputStream(oct.getOctets()); final AuthorityInformationAccess authorityInformationAccess = AuthorityInformationAccess .getInstance(asn1InputStream2.readObject()); asn1InputStream2.close(); String accessLocation = null; final AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions(); for (final AccessDescription accessDescription : accessDescriptions) { // LOG.debug("access method: " + accessDescription.getAccessMethod()); final boolean correctAccessMethod = accessDescription.getAccessMethod().equals(accessMethod); if (!correctAccessMethod) { continue; } GeneralName gn = accessDescription.getAccessLocation(); if (gn.getTagNo() != GeneralName.uniformResourceIdentifier) { // LOG.debug("not a uniform resource identifier"); continue; } final DERIA5String str = (DERIA5String) ((DERTaggedObject) gn.toASN1Primitive()).getObject(); accessLocation = str.getString(); // The HTTP protocol is preferred. if (Protocol.isHttpUrl(accessLocation)) { // LOG.debug("access location: " + accessLocation); break; } } return accessLocation; } catch (final IOException e) { // we do nothing // LOG.("IO error: " + e.getMessage(), e); } return null; }
From source file:eu.europa.ec.markt.dss.DSSUtils.java
License:Open Source License
public static List<String> getPolicyIdentifiers(final X509Certificate cert) { final byte[] certificatePolicies = cert.getExtensionValue(X509Extension.certificatePolicies.getId()); if (certificatePolicies == null) { return Collections.emptyList(); }/*from w ww. j av a2s . c om*/ ASN1InputStream input = null; ASN1Sequence seq = null; try { input = new ASN1InputStream(certificatePolicies); final DEROctetString s = (DEROctetString) input.readObject(); final byte[] content = s.getOctets(); input.close(); input = new ASN1InputStream(content); seq = (ASN1Sequence) input.readObject(); } catch (IOException e) { throw new DSSException("Error when computing certificate's extensions.", e); } finally { closeQuietly(input); } final List<String> policyIdentifiers = new ArrayList<String>(); for (int ii = 0; ii < seq.size(); ii++) { final PolicyInformation policyInfo = PolicyInformation.getInstance(seq.getObjectAt(ii)); // System.out.println("\t----> PolicyIdentifier: " + policyInfo.getPolicyIdentifier().getId()); policyIdentifiers.add(policyInfo.getPolicyIdentifier().getId()); } return policyIdentifiers; }
From source file:eu.europa.ec.markt.dss.DSSUtils.java
License:Open Source License
public static List<String> getQCStatementsIdList(final X509Certificate x509Certificate) { final List<String> extensionIdList = new ArrayList<String>(); final byte[] qcStatement = x509Certificate.getExtensionValue(X509Extension.qCStatements.getId()); if (qcStatement != null) { ASN1InputStream input = null; try {/* w ww. j a v a2s. c o m*/ input = new ASN1InputStream(qcStatement); final DEROctetString s = (DEROctetString) input.readObject(); final byte[] content = s.getOctets(); input.close(); input = new ASN1InputStream(content); final ASN1Sequence seq = (ASN1Sequence) input.readObject(); /* Sequence of QCStatement */ for (int ii = 0; ii < seq.size(); ii++) { final QCStatement statement = QCStatement.getInstance(seq.getObjectAt(ii)); extensionIdList.add(statement.getStatementId().getId()); } } catch (IOException e) { throw new DSSException(e); } finally { DSSUtils.closeQuietly(input); } } return extensionIdList; }
From source file:eu.europa.ec.markt.dss.signature.cades.CadesLevelBaselineLTATimestampExtractor.java
License:Open Source License
private void handleRevocationEncoded(ArrayList<DEROctetString> crlHashesList, byte[] ocspHolderEncoded) { final byte[] digest = DSSUtils.digest(hashIndexDigestAlgorithm, ocspHolderEncoded); final DEROctetString derOctetStringDigest = new DEROctetString(digest); if (crlHashesList.remove(derOctetStringDigest)) { // attribute present in signature and in timestamp if (LOG.isDebugEnabled()) { LOG.debug("CRL/OCSP present in timestamp {}", DSSUtils.toHex(derOctetStringDigest.getOctets())); }/*from ww w . j a v a2 s .com*/ } else { if (LOG.isDebugEnabled()) { LOG.debug("CRL/OCSP not present in timestamp {}", DSSUtils.toHex(derOctetStringDigest.getOctets())); } } }
From source file:eu.europa.ec.markt.dss.validation.cades.CAdESSignature.java
License:Open Source License
@Override public byte[] getArchiveTimestampData(int index, Document originalDocument) throws IOException { ByteArrayOutputStream toTimestamp = new ByteArrayOutputStream(); ContentInfo contentInfo = cmsSignedData.getContentInfo(); SignedData signedData = SignedData.getInstance(contentInfo.getContent()); /* The encapContentInfo should always be present according to the standard, but sometimes it's omitted */ // 5.4.1/*w w w. ja v a 2 s .c om*/ if (signedData.getEncapContentInfo() == null || signedData.getEncapContentInfo().getContent() == null) { /* Detached signatures have either no encapContentInfo in signedData, or it exists but has no eContent */ if (originalDocument != null) { toTimestamp.write(originalDocument.openStream()); } else { throw new RuntimeException("Signature is detached and no original data provided."); } } else { ContentInfo content = signedData.getEncapContentInfo(); DEROctetString octet = (DEROctetString) content.getContent(); ContentInfo info2 = new ContentInfo(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1"), new BERConstructedOctetString(octet.getOctets())); toTimestamp.write(info2.getEncoded()); } if (signedData.getCertificates() != null) { DEROutputStream output = new DEROutputStream(toTimestamp); output.writeObject(signedData.getCertificates()); output.close(); } if (signedData.getCRLs() != null) { toTimestamp.write(signedData.getCRLs().getEncoded()); } if (signerInformation.getUnsignedAttributes() != null) { ASN1EncodableVector original = signerInformation.getUnsignedAttributes().toASN1EncodableVector(); List<Attribute> timeStampToRemove = getTimeStampToRemove(index); ASN1EncodableVector filtered = new ASN1EncodableVector(); for (int i = 0; i < original.size(); i++) { DEREncodable enc = original.get(i); if (!timeStampToRemove.contains(enc)) { filtered.add(original.get(i)); } } SignerInformation filteredInfo = SignerInformation.replaceUnsignedAttributes(signerInformation, new AttributeTable(filtered)); toTimestamp.write(filteredInfo.toASN1Structure().getEncoded()); } return toTimestamp.toByteArray(); }
From source file:eu.europa.ec.markt.dss.validation.certificate.AIACertificateSource.java
License:Open Source License
@SuppressWarnings("deprecation") private String getAccessLocation(X509Certificate certificate, DERObjectIdentifier accessMethod) { try {//from w w w .j a v a2 s . c o m byte[] authInfoAccessExtensionValue = certificate .getExtensionValue(X509Extensions.AuthorityInfoAccess.getId()); /* If the extension is not there, then return null */ if (null == authInfoAccessExtensionValue) { return null; } /* Parse the extension */ AuthorityInformationAccess authorityInformationAccess; DEROctetString oct = (DEROctetString) (new ASN1InputStream( new ByteArrayInputStream(authInfoAccessExtensionValue)).readObject()); authorityInformationAccess = new AuthorityInformationAccess( (ASN1Sequence) new ASN1InputStream(oct.getOctets()).readObject()); AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions(); for (AccessDescription accessDescription : accessDescriptions) { LOG.fine("access method: " + accessDescription.getAccessMethod()); boolean correctAccessMethod = accessDescription.getAccessMethod().equals(accessMethod); if (!correctAccessMethod) { continue; } GeneralName gn = accessDescription.getAccessLocation(); if (gn.getTagNo() != GeneralName.uniformResourceIdentifier) { LOG.fine("not a uniform resource identifier"); continue; } DERIA5String str = (DERIA5String) ((DERTaggedObject) gn.getDERObject()).getObject(); String accessLocation = str.getString(); LOG.fine("access location: " + accessLocation); return accessLocation; } return null; } catch (IOException e) { throw new RuntimeException("IO error: " + e.getMessage(), e); } }
From source file:eu.europa.ec.markt.dss.validation.certificate.CertificateAndContext.java
License:Open Source License
/** * Indicates if the revocation data should be checked for an OCSP signing certificate.<br> * http://www.ietf.org/rfc/rfc2560.txt?number=2560<br> * A CA may specify that an OCSP client can trust a responder for the lifetime of the responder's certificate. The CA * does so by including the extension id-pkix-ocsp-nocheck. This SHOULD be a non-critical extension. The value of the * extension should be NULL.//from w w w .j av a2 s . c o m * * @return */ public boolean has_id_pkix_ocsp_nocheck_extension() { byte[] extensionValue = certificate.getExtensionValue(OID._1_3_6_1_5_5_7_48_1_5.getName()); try { if (extensionValue != null) { DERObject derObject = toDERObject(extensionValue); if (derObject instanceof DEROctetString) { DEROctetString derOctetString = (DEROctetString) derObject; byte[] data = derOctetString.getOctets(); return data.length == 0; } } } catch (Exception e) { } return false; }
From source file:eu.europa.ec.markt.dss.validation.crl.CRLCertificateVerifier.java
License:Open Source License
private BigInteger getCrlNumber(X509CRL crl) { byte[] crlNumberExtensionValue = crl.getExtensionValue(X509Extensions.CRLNumber.getId()); if (null == crlNumberExtensionValue) { return null; }// ww w . j a v a2 s . c o m try { DEROctetString octetString = (DEROctetString) (new ASN1InputStream( new ByteArrayInputStream(crlNumberExtensionValue)).readObject()); byte[] octets = octetString.getOctets(); DERInteger integer = (DERInteger) new ASN1InputStream(octets).readObject(); BigInteger crlNumber = integer.getPositiveValue(); return crlNumber; } catch (IOException e) { throw new RuntimeException("IO error: " + e.getMessage(), e); } }