List of usage examples for org.bouncycastle.asn1.pkcs PKCSObjectIdentifiers id_aa_signatureTimeStampToken
ASN1ObjectIdentifier id_aa_signatureTimeStampToken
To view the source code for org.bouncycastle.asn1.pkcs PKCSObjectIdentifiers id_aa_signatureTimeStampToken.
Click Source Link
From source file:CreateSignature.java
License:Apache License
/** * We are extending CMS Signature//from www . j a va 2s . c o m * * @param signer information about signer * @return information about SignerInformation */ private SignerInformation signTimeStamp(SignerInformation signer) throws IOException, TSPException { AttributeTable unsignedAttributes = signer.getUnsignedAttributes(); ASN1EncodableVector vector = new ASN1EncodableVector(); if (unsignedAttributes != null) { vector = unsignedAttributes.toASN1EncodableVector(); } byte[] token = getTsaClient().getTimeStampToken(signer.getSignature()); ASN1ObjectIdentifier oid = PKCSObjectIdentifiers.id_aa_signatureTimeStampToken; ASN1Encodable signatureTimeStamp = new Attribute(oid, new DERSet(ASN1Primitive.fromByteArray(token))); vector.add(signatureTimeStamp); Attributes signedAttributes = new Attributes(vector); SignerInformation newSigner = SignerInformation.replaceUnsignedAttributes(signer, new AttributeTable(signedAttributes)); // TODO can this actually happen? if (newSigner == null) { return signer; } return newSigner; }
From source file:br.gov.jfrj.siga.cd.AssinaturaDigital.java
License:Open Source License
@SuppressWarnings("unchecked") protected static String validarAssinaturaCMSeCarimboDeTempo(final byte[] digest, final String digestAlgorithm, final byte[] assinatura, Date dtAssinatura) throws InvalidKeyException, SecurityException, CRLException, CertificateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, AplicacaoException, ChainValidationException, IOException, Exception { String nome = validarAssinaturaCMS(digest, digestAlgorithm, assinatura, dtAssinatura); Map<String, byte[]> map = new HashMap<String, byte[]>(); map.put(digestAlgorithm, digest);/*from ww w . ja v a 2 s. c o m*/ final CMSSignedData s = new CMSSignedData(map, assinatura); Collection ss = s.getSignerInfos().getSigners(); SignerInformation si = (SignerInformation) ss.iterator().next(); Attribute attr = si.getUnsignedAttributes().get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken); CMSSignedData cmsTS = new CMSSignedData(attr.getAttrValues().getObjectAt(0).toASN1Primitive().getEncoded()); TimeStampToken tok = new TimeStampToken(cmsTS); Store cs = tok.getCertificates(); SignerId signer_id = tok.getSID(); BigInteger cert_serial_number = signer_id.getSerialNumber(); Collection certs = cs.getMatches(null); Iterator iter = certs.iterator(); X509Certificate certificate = null; while (iter.hasNext()) { X509Certificate cert = (X509Certificate) iter.next(); if (cert_serial_number != null) { if (cert.getSerialNumber().equals(cert_serial_number)) { certificate = cert; } } else { if (certificate == null) { certificate = cert; } } } tok.validate(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(certificate)); // Nato: falta validar as CRLs do carimbo de tempo if (!Arrays.equals(tok.getTimeStampInfo().getMessageImprintDigest(), MessageDigest.getInstance("SHA1").digest(si.getSignature()))) { throw new Exception("Carimbo de tempo no confere com o resumo do documento"); } try { validarAssinaturaCMS(null, null, cmsTS.getEncoded(), tok.getTimeStampInfo().getGenTime()); } catch (Exception e) { throw new Exception("Carimbo de tempo invlido!", e); } return nome; }
From source file:br.gov.jfrj.siga.cd.TimeStamper.java
License:Open Source License
/** * Modyfy PKCS#7 data by adding timestamp * // ww w. j a v a 2 s . c o m * (at) param signedData (at) throws Exception */ public static CMSSignedData addTimestamp(CMSSignedData signedData) throws Exception { Collection ss = signedData.getSignerInfos().getSigners(); SignerInformation si = (SignerInformation) ss.iterator().next(); TimeStampToken tok = getTimeStampToken(si.getSignature()); // CertStore certs = tok.getCertificatesAndCRLs("Collection", "BC"); Store certs = tok.getCertificates(); Store certsAndCrls = AssinaturaDigital.buscarCrlParaCadaCertificado(certs); CMSSignedData cmssdcrl = CMSSignedData.replaceCertificatesAndCRLs(tok.toCMSSignedData(), certsAndCrls, certsAndCrls, certsAndCrls); tok = new TimeStampToken(cmssdcrl); ASN1InputStream asn1InputStream = new ASN1InputStream(tok.getEncoded()); ASN1Primitive tstDER = asn1InputStream.readObject(); DERSet ds = new DERSet(tstDER); Attribute a = new Attribute(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken, ds); ASN1EncodableVector dv = new ASN1EncodableVector(); dv.add(a); AttributeTable at = new AttributeTable(dv); si = SignerInformation.replaceUnsignedAttributes(si, at); ss.clear(); ss.add(si); SignerInformationStore sis = new SignerInformationStore(ss); signedData = CMSSignedData.replaceSigners(signedData, sis); return signedData; }
From source file:com.itextpdf.signatures.PdfPKCS7.java
License:Open Source License
/** * Use this constructor if you want to verify a signature. * * @param contentsKey the /Contents key * @param filterSubtype the filtersubtype * @param provider the provider or <code>null</code> for the default provider *//*from ww w .j av a2 s . c o m*/ @SuppressWarnings({ "unchecked" }) public PdfPKCS7(byte[] contentsKey, PdfName filterSubtype, String provider) { this.filterSubtype = filterSubtype; isTsp = PdfName.ETSI_RFC3161.equals(filterSubtype); isCades = PdfName.ETSI_CAdES_DETACHED.equals(filterSubtype); try { this.provider = provider; ASN1InputStream din = new ASN1InputStream(new ByteArrayInputStream(contentsKey)); // // Basic checks to make sure it's a PKCS#7 SignedData Object // ASN1Primitive pkcs; try { pkcs = din.readObject(); } catch (IOException e) { throw new IllegalArgumentException(PdfException.CannotDecodePkcs7SigneddataObject); } if (!(pkcs instanceof ASN1Sequence)) { throw new IllegalArgumentException(PdfException.NotAValidPkcs7ObjectNotASequence); } ASN1Sequence signedData = (ASN1Sequence) pkcs; ASN1ObjectIdentifier objId = (ASN1ObjectIdentifier) signedData.getObjectAt(0); if (!objId.getId().equals(SecurityIDs.ID_PKCS7_SIGNED_DATA)) throw new IllegalArgumentException(PdfException.NotAValidPkcs7ObjectNotSignedData); ASN1Sequence content = (ASN1Sequence) ((ASN1TaggedObject) signedData.getObjectAt(1)).getObject(); // the positions that we care are: // 0 - version // 1 - digestAlgorithms // 2 - possible ID_PKCS7_DATA // (the certificates and crls are taken out by other means) // last - signerInfos // the version version = ((ASN1Integer) content.getObjectAt(0)).getValue().intValue(); // the digestAlgorithms digestalgos = new HashSet<>(); Enumeration e = ((ASN1Set) content.getObjectAt(1)).getObjects(); while (e.hasMoreElements()) { ASN1Sequence s = (ASN1Sequence) e.nextElement(); ASN1ObjectIdentifier o = (ASN1ObjectIdentifier) s.getObjectAt(0); digestalgos.add(o.getId()); } // the possible ID_PKCS7_DATA ASN1Sequence rsaData = (ASN1Sequence) content.getObjectAt(2); if (rsaData.size() > 1) { ASN1OctetString rsaDataContent = (ASN1OctetString) ((ASN1TaggedObject) rsaData.getObjectAt(1)) .getObject(); RSAdata = rsaDataContent.getOctets(); } int next = 3; while (content.getObjectAt(next) instanceof ASN1TaggedObject) ++next; // the certificates /* This should work, but that's not always the case because of a bug in BouncyCastle: */ certs = SignUtils.readAllCerts(contentsKey); /* The following workaround was provided by Alfonso Massa, but it doesn't always work either. ASN1Set certSet = null; ASN1Set crlSet = null; while (content.getObjectAt(next) instanceof ASN1TaggedObject) { ASN1TaggedObject tagged = (ASN1TaggedObject)content.getObjectAt(next); switch (tagged.getTagNo()) { case 0: certSet = ASN1Set.getInstance(tagged, false); break; case 1: crlSet = ASN1Set.getInstance(tagged, false); break; default: throw new IllegalArgumentException("unknown tag value " + tagged.getTagNo()); } ++next; } certs = new ArrayList<Certificate>(certSet.size()); CertificateFactory certFact = CertificateFactory.getInstance("X.509", new BouncyCastleProvider()); for (Enumeration en = certSet.getObjects(); en.hasMoreElements();) { ASN1Primitive obj = ((ASN1Encodable)en.nextElement()).toASN1Primitive(); if (obj instanceof ASN1Sequence) { ByteArrayInputStream stream = new ByteArrayInputStream(obj.getEncoded()); X509Certificate x509Certificate = (X509Certificate)certFact.generateCertificate(stream); stream.close(); certs.add(x509Certificate); } } */ // the signerInfos ASN1Set signerInfos = (ASN1Set) content.getObjectAt(next); if (signerInfos.size() != 1) throw new IllegalArgumentException( PdfException.ThisPkcs7ObjectHasMultipleSignerinfosOnlyOneIsSupportedAtThisTime); ASN1Sequence signerInfo = (ASN1Sequence) signerInfos.getObjectAt(0); // the positions that we care are // 0 - version // 1 - the signing certificate issuer and serial number // 2 - the digest algorithm // 3 or 4 - digestEncryptionAlgorithm // 4 or 5 - encryptedDigest signerversion = ((ASN1Integer) signerInfo.getObjectAt(0)).getValue().intValue(); // Get the signing certificate ASN1Sequence issuerAndSerialNumber = (ASN1Sequence) signerInfo.getObjectAt(1); X509Principal issuer = SignUtils.getIssuerX509Name(issuerAndSerialNumber); BigInteger serialNumber = ((ASN1Integer) issuerAndSerialNumber.getObjectAt(1)).getValue(); for (Object element : certs) { X509Certificate cert = (X509Certificate) element; if (cert.getIssuerDN().equals(issuer) && serialNumber.equals(cert.getSerialNumber())) { signCert = cert; break; } } if (signCert == null) { throw new PdfException(PdfException.CannotFindSigningCertificateWithSerial1) .setMessageParams(issuer.getName() + " / " + serialNumber.toString(16)); } signCertificateChain(); digestAlgorithmOid = ((ASN1ObjectIdentifier) ((ASN1Sequence) signerInfo.getObjectAt(2)).getObjectAt(0)) .getId(); next = 3; boolean foundCades = false; if (signerInfo.getObjectAt(next) instanceof ASN1TaggedObject) { ASN1TaggedObject tagsig = (ASN1TaggedObject) signerInfo.getObjectAt(next); ASN1Set sseq = ASN1Set.getInstance(tagsig, false); sigAttr = sseq.getEncoded(); // maybe not necessary, but we use the following line as fallback: sigAttrDer = sseq.getEncoded(ASN1Encoding.DER); for (int k = 0; k < sseq.size(); ++k) { ASN1Sequence seq2 = (ASN1Sequence) sseq.getObjectAt(k); String idSeq2 = ((ASN1ObjectIdentifier) seq2.getObjectAt(0)).getId(); if (idSeq2.equals(SecurityIDs.ID_MESSAGE_DIGEST)) { ASN1Set set = (ASN1Set) seq2.getObjectAt(1); digestAttr = ((ASN1OctetString) set.getObjectAt(0)).getOctets(); } else if (idSeq2.equals(SecurityIDs.ID_ADBE_REVOCATION)) { ASN1Set setout = (ASN1Set) seq2.getObjectAt(1); ASN1Sequence seqout = (ASN1Sequence) setout.getObjectAt(0); for (int j = 0; j < seqout.size(); ++j) { ASN1TaggedObject tg = (ASN1TaggedObject) seqout.getObjectAt(j); if (tg.getTagNo() == 0) { ASN1Sequence seqin = (ASN1Sequence) tg.getObject(); findCRL(seqin); } if (tg.getTagNo() == 1) { ASN1Sequence seqin = (ASN1Sequence) tg.getObject(); findOcsp(seqin); } } } else if (isCades && idSeq2.equals(SecurityIDs.ID_AA_SIGNING_CERTIFICATE_V1)) { ASN1Set setout = (ASN1Set) seq2.getObjectAt(1); ASN1Sequence seqout = (ASN1Sequence) setout.getObjectAt(0); SigningCertificate sv2 = SigningCertificate.getInstance(seqout); ESSCertID[] cerv2m = sv2.getCerts(); ESSCertID cerv2 = cerv2m[0]; byte[] enc2 = signCert.getEncoded(); MessageDigest m2 = SignUtils.getMessageDigest("SHA-1"); byte[] signCertHash = m2.digest(enc2); byte[] hs2 = cerv2.getCertHash(); if (!Arrays.equals(signCertHash, hs2)) throw new IllegalArgumentException( "Signing certificate doesn't match the ESS information."); foundCades = true; } else if (isCades && idSeq2.equals(SecurityIDs.ID_AA_SIGNING_CERTIFICATE_V2)) { ASN1Set setout = (ASN1Set) seq2.getObjectAt(1); ASN1Sequence seqout = (ASN1Sequence) setout.getObjectAt(0); SigningCertificateV2 sv2 = SigningCertificateV2.getInstance(seqout); ESSCertIDv2[] cerv2m = sv2.getCerts(); ESSCertIDv2 cerv2 = cerv2m[0]; AlgorithmIdentifier ai2 = cerv2.getHashAlgorithm(); byte[] enc2 = signCert.getEncoded(); MessageDigest m2 = SignUtils .getMessageDigest(DigestAlgorithms.getDigest(ai2.getAlgorithm().getId())); byte[] signCertHash = m2.digest(enc2); byte[] hs2 = cerv2.getCertHash(); if (!Arrays.equals(signCertHash, hs2)) throw new IllegalArgumentException( "Signing certificate doesn't match the ESS information."); foundCades = true; } } if (digestAttr == null) throw new IllegalArgumentException(PdfException.AuthenticatedAttributeIsMissingTheDigest); ++next; } if (isCades && !foundCades) throw new IllegalArgumentException("CAdES ESS information missing."); digestEncryptionAlgorithmOid = ((ASN1ObjectIdentifier) ((ASN1Sequence) signerInfo.getObjectAt(next++)) .getObjectAt(0)).getId(); digest = ((ASN1OctetString) signerInfo.getObjectAt(next++)).getOctets(); if (next < signerInfo.size() && signerInfo.getObjectAt(next) instanceof ASN1TaggedObject) { ASN1TaggedObject taggedObject = (ASN1TaggedObject) signerInfo.getObjectAt(next); ASN1Set unat = ASN1Set.getInstance(taggedObject, false); AttributeTable attble = new AttributeTable(unat); Attribute ts = attble.get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken); if (ts != null && ts.getAttrValues().size() > 0) { ASN1Set attributeValues = ts.getAttrValues(); ASN1Sequence tokenSequence = ASN1Sequence.getInstance(attributeValues.getObjectAt(0)); org.bouncycastle.asn1.cms.ContentInfo contentInfo = org.bouncycastle.asn1.cms.ContentInfo .getInstance(tokenSequence); this.timeStampToken = new TimeStampToken(contentInfo); } } if (isTsp) { org.bouncycastle.asn1.cms.ContentInfo contentInfoTsp = org.bouncycastle.asn1.cms.ContentInfo .getInstance(signedData); this.timeStampToken = new TimeStampToken(contentInfoTsp); TimeStampTokenInfo info = timeStampToken.getTimeStampInfo(); String algOID = info.getHashAlgorithm().getAlgorithm().getId(); messageDigest = DigestAlgorithms.getMessageDigestFromOid(algOID, null); } else { if (RSAdata != null || digestAttr != null) { if (PdfName.Adbe_pkcs7_sha1.equals(getFilterSubtype())) { messageDigest = DigestAlgorithms.getMessageDigest("SHA1", provider); } else { messageDigest = DigestAlgorithms.getMessageDigest(getHashAlgorithm(), provider); } encContDigest = DigestAlgorithms.getMessageDigest(getHashAlgorithm(), provider); } sig = initSignature(signCert.getPublicKey()); } } catch (Exception e) { throw new PdfException(e); } }
From source file:com.itextpdf.text.pdf.PdfPKCS7.java
License:Open Source License
/** * Verifies a signature using the sub-filter adbe.pkcs7.detached or * adbe.pkcs7.sha1.//from w ww . j a va 2s.c o m * @param contentsKey the /Contents key * @param provider the provider or <code>null</code> for the default provider */ @SuppressWarnings("unchecked") public PdfPKCS7(byte[] contentsKey, String provider) { try { this.provider = provider; ASN1InputStream din = new ASN1InputStream(new ByteArrayInputStream(contentsKey)); // // Basic checks to make sure it's a PKCS#7 SignedData Object // DERObject pkcs; try { pkcs = din.readObject(); } catch (IOException e) { throw new IllegalArgumentException( MessageLocalization.getComposedMessage("can.t.decode.pkcs7signeddata.object")); } if (!(pkcs instanceof ASN1Sequence)) { throw new IllegalArgumentException( MessageLocalization.getComposedMessage("not.a.valid.pkcs.7.object.not.a.sequence")); } ASN1Sequence signedData = (ASN1Sequence) pkcs; DERObjectIdentifier objId = (DERObjectIdentifier) signedData.getObjectAt(0); if (!objId.getId().equals(ID_PKCS7_SIGNED_DATA)) throw new IllegalArgumentException( MessageLocalization.getComposedMessage("not.a.valid.pkcs.7.object.not.signed.data")); ASN1Sequence content = (ASN1Sequence) ((DERTaggedObject) signedData.getObjectAt(1)).getObject(); // the positions that we care are: // 0 - version // 1 - digestAlgorithms // 2 - possible ID_PKCS7_DATA // (the certificates and crls are taken out by other means) // last - signerInfos // the version version = ((DERInteger) content.getObjectAt(0)).getValue().intValue(); // the digestAlgorithms digestalgos = new HashSet<String>(); Enumeration<ASN1Sequence> e = ((ASN1Set) content.getObjectAt(1)).getObjects(); while (e.hasMoreElements()) { ASN1Sequence s = e.nextElement(); DERObjectIdentifier o = (DERObjectIdentifier) s.getObjectAt(0); digestalgos.add(o.getId()); } // the certificates X509CertParser cr = new X509CertParser(); cr.engineInit(new ByteArrayInputStream(contentsKey)); certs = cr.engineReadAll(); // the possible ID_PKCS7_DATA ASN1Sequence rsaData = (ASN1Sequence) content.getObjectAt(2); if (rsaData.size() > 1) { DEROctetString rsaDataContent = (DEROctetString) ((DERTaggedObject) rsaData.getObjectAt(1)) .getObject(); RSAdata = rsaDataContent.getOctets(); } // the signerInfos int next = 3; while (content.getObjectAt(next) instanceof DERTaggedObject) ++next; ASN1Set signerInfos = (ASN1Set) content.getObjectAt(next); if (signerInfos.size() != 1) throw new IllegalArgumentException(MessageLocalization.getComposedMessage( "this.pkcs.7.object.has.multiple.signerinfos.only.one.is.supported.at.this.time")); ASN1Sequence signerInfo = (ASN1Sequence) signerInfos.getObjectAt(0); // the positions that we care are // 0 - version // 1 - the signing certificate issuer and serial number // 2 - the digest algorithm // 3 or 4 - digestEncryptionAlgorithm // 4 or 5 - encryptedDigest signerversion = ((DERInteger) signerInfo.getObjectAt(0)).getValue().intValue(); // Get the signing certificate ASN1Sequence issuerAndSerialNumber = (ASN1Sequence) signerInfo.getObjectAt(1); X509Principal issuer = new X509Principal( issuerAndSerialNumber.getObjectAt(0).getDERObject().getEncoded()); BigInteger serialNumber = ((DERInteger) issuerAndSerialNumber.getObjectAt(1)).getValue(); for (Object element : certs) { X509Certificate cert = (X509Certificate) element; if (issuer.equals(cert.getIssuerDN()) && serialNumber.equals(cert.getSerialNumber())) { signCert = cert; break; } } if (signCert == null) { throw new IllegalArgumentException( MessageLocalization.getComposedMessage("can.t.find.signing.certificate.with.serial.1", issuer.getName() + " / " + serialNumber.toString(16))); } signCertificateChain(); digestAlgorithm = ((DERObjectIdentifier) ((ASN1Sequence) signerInfo.getObjectAt(2)).getObjectAt(0)) .getId(); next = 3; if (signerInfo.getObjectAt(next) instanceof ASN1TaggedObject) { ASN1TaggedObject tagsig = (ASN1TaggedObject) signerInfo.getObjectAt(next); ASN1Set sseq = ASN1Set.getInstance(tagsig, false); sigAttr = sseq.getEncoded(ASN1Encodable.DER); for (int k = 0; k < sseq.size(); ++k) { ASN1Sequence seq2 = (ASN1Sequence) sseq.getObjectAt(k); if (((DERObjectIdentifier) seq2.getObjectAt(0)).getId().equals(ID_MESSAGE_DIGEST)) { ASN1Set set = (ASN1Set) seq2.getObjectAt(1); digestAttr = ((DEROctetString) set.getObjectAt(0)).getOctets(); } else if (((DERObjectIdentifier) seq2.getObjectAt(0)).getId().equals(ID_ADBE_REVOCATION)) { ASN1Set setout = (ASN1Set) seq2.getObjectAt(1); ASN1Sequence seqout = (ASN1Sequence) setout.getObjectAt(0); for (int j = 0; j < seqout.size(); ++j) { ASN1TaggedObject tg = (ASN1TaggedObject) seqout.getObjectAt(j); if (tg.getTagNo() == 0) { ASN1Sequence seqin = (ASN1Sequence) tg.getObject(); findCRL(seqin); } if (tg.getTagNo() == 1) { ASN1Sequence seqin = (ASN1Sequence) tg.getObject(); findOcsp(seqin); } } } } if (digestAttr == null) throw new IllegalArgumentException(MessageLocalization .getComposedMessage("authenticated.attribute.is.missing.the.digest")); ++next; } digestEncryptionAlgorithm = ((DERObjectIdentifier) ((ASN1Sequence) signerInfo.getObjectAt(next++)) .getObjectAt(0)).getId(); digest = ((DEROctetString) signerInfo.getObjectAt(next++)).getOctets(); if (next < signerInfo.size() && signerInfo.getObjectAt(next) instanceof DERTaggedObject) { DERTaggedObject taggedObject = (DERTaggedObject) signerInfo.getObjectAt(next); ASN1Set unat = ASN1Set.getInstance(taggedObject, false); AttributeTable attble = new AttributeTable(unat); Attribute ts = attble.get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken); if (ts != null && ts.getAttrValues().size() > 0) { ASN1Set attributeValues = ts.getAttrValues(); ASN1Sequence tokenSequence = ASN1Sequence.getInstance(attributeValues.getObjectAt(0)); ContentInfo contentInfo = new ContentInfo(tokenSequence); this.timeStampToken = new TimeStampToken(contentInfo); } } if (RSAdata != null || digestAttr != null) { if (provider == null || provider.startsWith("SunPKCS11")) messageDigest = MessageDigest.getInstance(getHashAlgorithm()); else messageDigest = MessageDigest.getInstance(getHashAlgorithm(), provider); } if (provider == null) sig = Signature.getInstance(getDigestAlgorithm()); else sig = Signature.getInstance(getDigestAlgorithm(), provider); sig.initVerify(signCert.getPublicKey()); } catch (Exception e) { throw new ExceptionConverter(e); } }
From source file:com.itextpdf.text.pdf.security.PdfPKCS7.java
License:Open Source License
/** * Use this constructor if you want to verify a signature. * @param contentsKey the /Contents key//from w w w .j a v a 2 s . c o m * @param filterSubtype the filtersubtype * @param provider the provider or <code>null</code> for the default provider */ @SuppressWarnings({ "unchecked" }) public PdfPKCS7(byte[] contentsKey, PdfName filterSubtype, String provider) { this.filterSubtype = filterSubtype; isTsp = PdfName.ETSI_RFC3161.equals(filterSubtype); isCades = PdfName.ETSI_CADES_DETACHED.equals(filterSubtype); try { this.provider = provider; ASN1InputStream din = new ASN1InputStream(new ByteArrayInputStream(contentsKey)); // // Basic checks to make sure it's a PKCS#7 SignedData Object // ASN1Primitive pkcs; try { pkcs = din.readObject(); } catch (IOException e) { throw new IllegalArgumentException( MessageLocalization.getComposedMessage("can.t.decode.pkcs7signeddata.object")); } if (!(pkcs instanceof ASN1Sequence)) { throw new IllegalArgumentException( MessageLocalization.getComposedMessage("not.a.valid.pkcs.7.object.not.a.sequence")); } ASN1Sequence signedData = (ASN1Sequence) pkcs; ASN1ObjectIdentifier objId = (ASN1ObjectIdentifier) signedData.getObjectAt(0); if (!objId.getId().equals(SecurityIDs.ID_PKCS7_SIGNED_DATA)) throw new IllegalArgumentException( MessageLocalization.getComposedMessage("not.a.valid.pkcs.7.object.not.signed.data")); ASN1Sequence content = (ASN1Sequence) ((ASN1TaggedObject) signedData.getObjectAt(1)).getObject(); // the positions that we care are: // 0 - version // 1 - digestAlgorithms // 2 - possible ID_PKCS7_DATA // (the certificates and crls are taken out by other means) // last - signerInfos // the version version = ((ASN1Integer) content.getObjectAt(0)).getValue().intValue(); // the digestAlgorithms digestalgos = new HashSet<String>(); Enumeration<ASN1Sequence> e = ((ASN1Set) content.getObjectAt(1)).getObjects(); while (e.hasMoreElements()) { ASN1Sequence s = e.nextElement(); ASN1ObjectIdentifier o = (ASN1ObjectIdentifier) s.getObjectAt(0); digestalgos.add(o.getId()); } // the possible ID_PKCS7_DATA ASN1Sequence rsaData = (ASN1Sequence) content.getObjectAt(2); if (rsaData.size() > 1) { ASN1OctetString rsaDataContent = (ASN1OctetString) ((ASN1TaggedObject) rsaData.getObjectAt(1)) .getObject(); RSAdata = rsaDataContent.getOctets(); } int next = 3; while (content.getObjectAt(next) instanceof ASN1TaggedObject) ++next; // the certificates /* This should work, but that's not always the case because of a bug in BouncyCastle: */ X509CertParser cr = new X509CertParser(); cr.engineInit(new ByteArrayInputStream(contentsKey)); certs = cr.engineReadAll(); /* The following workaround was provided by Alfonso Massa, but it doesn't always work either. ASN1Set certSet = null; ASN1Set crlSet = null; while (content.getObjectAt(next) instanceof ASN1TaggedObject) { ASN1TaggedObject tagged = (ASN1TaggedObject)content.getObjectAt(next); switch (tagged.getTagNo()) { case 0: certSet = ASN1Set.getInstance(tagged, false); break; case 1: crlSet = ASN1Set.getInstance(tagged, false); break; default: throw new IllegalArgumentException("unknown tag value " + tagged.getTagNo()); } ++next; } certs = new ArrayList<Certificate>(certSet.size()); CertificateFactory certFact = CertificateFactory.getInstance("X.509", new BouncyCastleProvider()); for (Enumeration en = certSet.getObjects(); en.hasMoreElements();) { ASN1Primitive obj = ((ASN1Encodable)en.nextElement()).toASN1Primitive(); if (obj instanceof ASN1Sequence) { ByteArrayInputStream stream = new ByteArrayInputStream(obj.getEncoded()); X509Certificate x509Certificate = (X509Certificate)certFact.generateCertificate(stream); stream.close(); certs.add(x509Certificate); } } */ // the signerInfos ASN1Set signerInfos = (ASN1Set) content.getObjectAt(next); if (signerInfos.size() != 1) throw new IllegalArgumentException(MessageLocalization.getComposedMessage( "this.pkcs.7.object.has.multiple.signerinfos.only.one.is.supported.at.this.time")); ASN1Sequence signerInfo = (ASN1Sequence) signerInfos.getObjectAt(0); // the positions that we care are // 0 - version // 1 - the signing certificate issuer and serial number // 2 - the digest algorithm // 3 or 4 - digestEncryptionAlgorithm // 4 or 5 - encryptedDigest signerversion = ((ASN1Integer) signerInfo.getObjectAt(0)).getValue().intValue(); // Get the signing certificate ASN1Sequence issuerAndSerialNumber = (ASN1Sequence) signerInfo.getObjectAt(1); X509Principal issuer = new X509Principal( issuerAndSerialNumber.getObjectAt(0).toASN1Primitive().getEncoded()); BigInteger serialNumber = ((ASN1Integer) issuerAndSerialNumber.getObjectAt(1)).getValue(); for (Object element : certs) { X509Certificate cert = (X509Certificate) element; if (cert.getIssuerDN().equals(issuer) && serialNumber.equals(cert.getSerialNumber())) { signCert = cert; break; } } if (signCert == null) { throw new IllegalArgumentException( MessageLocalization.getComposedMessage("can.t.find.signing.certificate.with.serial.1", issuer.getName() + " / " + serialNumber.toString(16))); } signCertificateChain(); digestAlgorithmOid = ((ASN1ObjectIdentifier) ((ASN1Sequence) signerInfo.getObjectAt(2)).getObjectAt(0)) .getId(); next = 3; boolean foundCades = false; if (signerInfo.getObjectAt(next) instanceof ASN1TaggedObject) { ASN1TaggedObject tagsig = (ASN1TaggedObject) signerInfo.getObjectAt(next); ASN1Set sseq = ASN1Set.getInstance(tagsig, false); sigAttr = sseq.getEncoded(); // maybe not necessary, but we use the following line as fallback: sigAttrDer = sseq.getEncoded(ASN1Encoding.DER); for (int k = 0; k < sseq.size(); ++k) { ASN1Sequence seq2 = (ASN1Sequence) sseq.getObjectAt(k); String idSeq2 = ((ASN1ObjectIdentifier) seq2.getObjectAt(0)).getId(); if (idSeq2.equals(SecurityIDs.ID_MESSAGE_DIGEST)) { ASN1Set set = (ASN1Set) seq2.getObjectAt(1); digestAttr = ((ASN1OctetString) set.getObjectAt(0)).getOctets(); } else if (idSeq2.equals(SecurityIDs.ID_ADBE_REVOCATION)) { ASN1Set setout = (ASN1Set) seq2.getObjectAt(1); ASN1Sequence seqout = (ASN1Sequence) setout.getObjectAt(0); for (int j = 0; j < seqout.size(); ++j) { ASN1TaggedObject tg = (ASN1TaggedObject) seqout.getObjectAt(j); if (tg.getTagNo() == 0) { ASN1Sequence seqin = (ASN1Sequence) tg.getObject(); findCRL(seqin); } if (tg.getTagNo() == 1) { ASN1Sequence seqin = (ASN1Sequence) tg.getObject(); findOcsp(seqin); } } } else if (isCades && idSeq2.equals(SecurityIDs.ID_AA_SIGNING_CERTIFICATE_V1)) { ASN1Set setout = (ASN1Set) seq2.getObjectAt(1); ASN1Sequence seqout = (ASN1Sequence) setout.getObjectAt(0); SigningCertificate sv2 = SigningCertificate.getInstance(seqout); ESSCertID[] cerv2m = sv2.getCerts(); ESSCertID cerv2 = cerv2m[0]; byte[] enc2 = signCert.getEncoded(); MessageDigest m2 = new BouncyCastleDigest().getMessageDigest("SHA-1"); byte[] signCertHash = m2.digest(enc2); byte[] hs2 = cerv2.getCertHash(); if (!Arrays.equals(signCertHash, hs2)) throw new IllegalArgumentException( "Signing certificate doesn't match the ESS information."); foundCades = true; } else if (isCades && idSeq2.equals(SecurityIDs.ID_AA_SIGNING_CERTIFICATE_V2)) { ASN1Set setout = (ASN1Set) seq2.getObjectAt(1); ASN1Sequence seqout = (ASN1Sequence) setout.getObjectAt(0); SigningCertificateV2 sv2 = SigningCertificateV2.getInstance(seqout); ESSCertIDv2[] cerv2m = sv2.getCerts(); ESSCertIDv2 cerv2 = cerv2m[0]; AlgorithmIdentifier ai2 = cerv2.getHashAlgorithm(); byte[] enc2 = signCert.getEncoded(); MessageDigest m2 = new BouncyCastleDigest() .getMessageDigest(DigestAlgorithms.getDigest(ai2.getAlgorithm().getId())); byte[] signCertHash = m2.digest(enc2); byte[] hs2 = cerv2.getCertHash(); if (!Arrays.equals(signCertHash, hs2)) throw new IllegalArgumentException( "Signing certificate doesn't match the ESS information."); foundCades = true; } } if (digestAttr == null) throw new IllegalArgumentException(MessageLocalization .getComposedMessage("authenticated.attribute.is.missing.the.digest")); ++next; } if (isCades && !foundCades) throw new IllegalArgumentException("CAdES ESS information missing."); digestEncryptionAlgorithmOid = ((ASN1ObjectIdentifier) ((ASN1Sequence) signerInfo.getObjectAt(next++)) .getObjectAt(0)).getId(); digest = ((ASN1OctetString) signerInfo.getObjectAt(next++)).getOctets(); if (next < signerInfo.size() && signerInfo.getObjectAt(next) instanceof ASN1TaggedObject) { ASN1TaggedObject taggedObject = (ASN1TaggedObject) signerInfo.getObjectAt(next); ASN1Set unat = ASN1Set.getInstance(taggedObject, false); AttributeTable attble = new AttributeTable(unat); Attribute ts = attble.get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken); if (ts != null && ts.getAttrValues().size() > 0) { ASN1Set attributeValues = ts.getAttrValues(); ASN1Sequence tokenSequence = ASN1Sequence.getInstance(attributeValues.getObjectAt(0)); ContentInfo contentInfo = new ContentInfo(tokenSequence); this.timeStampToken = new TimeStampToken(contentInfo); } } if (isTsp) { ContentInfo contentInfoTsp = new ContentInfo(signedData); this.timeStampToken = new TimeStampToken(contentInfoTsp); TimeStampTokenInfo info = timeStampToken.getTimeStampInfo(); String algOID = info.getMessageImprintAlgOID().getId(); messageDigest = DigestAlgorithms.getMessageDigestFromOid(algOID, null); } else { if (RSAdata != null || digestAttr != null) { if (PdfName.ADBE_PKCS7_SHA1.equals(getFilterSubtype())) { messageDigest = DigestAlgorithms.getMessageDigest("SHA1", provider); } else { messageDigest = DigestAlgorithms.getMessageDigest(getHashAlgorithm(), provider); } encContDigest = DigestAlgorithms.getMessageDigest(getHashAlgorithm(), provider); } sig = initSignature(signCert.getPublicKey()); } } catch (Exception e) { throw new ExceptionConverter(e); } }
From source file:com.modemo.javase.signature.ValidationTimeStamp.java
License:Apache License
/** * Extend CMS Signer Information with the TimeStampToken into the unsigned Attributes. * * @param signer information about signer * @return information about SignerInformation * @throws IOException// www.j av a 2 s.c o m */ private SignerInformation signTimeStamp(SignerInformation signer) throws IOException { AttributeTable unsignedAttributes = signer.getUnsignedAttributes(); ASN1EncodableVector vector = new ASN1EncodableVector(); if (unsignedAttributes != null) { vector = unsignedAttributes.toASN1EncodableVector(); } byte[] token = tsaClient.getTimeStampToken(signer.getSignature()); ASN1ObjectIdentifier oid = PKCSObjectIdentifiers.id_aa_signatureTimeStampToken; ASN1Encodable signatureTimeStamp = new Attribute(oid, new DERSet(ASN1Primitive.fromByteArray(token))); vector.add(signatureTimeStamp); Attributes signedAttributes = new Attributes(vector); // There is no other way changing the unsigned attributes of the signer information. // result is never null, new SignerInformation always returned, // see source code of replaceUnsignedAttributes return SignerInformation.replaceUnsignedAttributes(signer, new AttributeTable(signedAttributes)); }
From source file:es.gob.afirma.envelopers.cms.CounterSignerEnveloped.java
License:Open Source License
/** Método utilizado por la firma del érbol para obtener la * contrafirma de los signerInfo de forma recursiva.<br> * @param signerInfo Nodo raí que contiene todos los signerInfos que se * deben firmar.// w w w . java 2s. co m * @param parameters Parámetros necesarios para firmar un determinado * <code>SignerInfo</code> hoja. * @param cert Certificado de firma. * @param keyEntry Clave privada a usar para firmar. * @return El <code>SignerInfo</code> raíz parcial con todos sus nodos * Contrafirmados. * @throws java.security.NoSuchAlgorithmException Si el JRE no soporta algún algoritmo necesario * @throws java.io.IOException Cuando hay problemas de entrada / salida. * @throws CertificateException Caundo hay problemas relacionados con los certificados X.509. * @throws InvalidKeyException Cuando la clave proporcionada no es válida. * @throws SignatureException Cuando ocurren problando hay problemas de adecuación de la clave. */ private SignerInfo getCounterUnsignedAtributes(final SignerInfo signerInfo, final P7ContentSignerParameters parameters, final X509Certificate cert, final PrivateKeyEntry keyEntry) throws NoSuchAlgorithmException, IOException, CertificateException, InvalidKeyException, SignatureException { final List<Object> attributes = new ArrayList<Object>(); final ASN1EncodableVector signerInfosU = new ASN1EncodableVector(); final ASN1EncodableVector signerInfosU2 = new ASN1EncodableVector(); SignerInfo counterSigner = null; if (signerInfo.getUnauthenticatedAttributes() != null) { final Enumeration<?> eAtributes = signerInfo.getUnauthenticatedAttributes().getObjects(); while (eAtributes.hasMoreElements()) { final Attribute data = Attribute.getInstance(eAtributes.nextElement()); if (!data.getAttrType().equals(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken)) { final ASN1Set setInto = data.getAttrValues(); final Enumeration<?> eAtributesData = setInto.getObjects(); while (eAtributesData.hasMoreElements()) { final Object obj = eAtributesData.nextElement(); if (obj instanceof ASN1Sequence) { final ASN1Sequence atrib = (ASN1Sequence) obj; final SignerInfo si = SignerInfo.getInstance(atrib); final SignerInfo obtained = getCounterUnsignedAtributes(si, parameters, cert, keyEntry); signerInfosU.add(obtained); } else { attributes.add(obj); } } } else { signerInfosU.add(data); } } // FIRMA DEL NODO ACTUAL counterSigner = unsignedAtributte(parameters, cert, signerInfo, keyEntry); signerInfosU.add(counterSigner); // FIRMA DE CADA UNO DE LOS HIJOS ASN1Set a1; final ASN1EncodableVector contexExpecific = new ASN1EncodableVector(); if (signerInfosU.size() > 1) { for (int i = 0; i < signerInfosU.size(); i++) { if (signerInfosU.get(i) instanceof Attribute) { contexExpecific.add(signerInfosU.get(i)); } else { contexExpecific.add( new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU.get(i)))); } } a1 = SigUtils.getAttributeSet(new AttributeTable(contexExpecific)); counterSigner = new SignerInfo(signerInfo.getSID(), signerInfo.getDigestAlgorithm(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithm(), signerInfo.getEncryptedDigest(), a1 // unsignedAttr ); // introducido este else pero es sospechoso que no estuviera // antes de este ultimo cambio. } else { if (signerInfosU.size() == 1) { if (signerInfosU.get(0) instanceof Attribute) { // anadimos el que hay contexExpecific.add(signerInfosU.get(0)); // creamos el de la contrafirma. signerInfosU2.add(unsignedAtributte(parameters, cert, signerInfo, keyEntry)); contexExpecific .add(new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU2))); } else { contexExpecific.add( new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU.get(0)))); } a1 = SigUtils.getAttributeSet(new AttributeTable(contexExpecific)); counterSigner = new SignerInfo(signerInfo.getSID(), signerInfo.getDigestAlgorithm(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithm(), signerInfo.getEncryptedDigest(), a1 // unsignedAttr ); } else { final Attribute uAtrib = new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU)); counterSigner = new SignerInfo(signerInfo.getSID(), signerInfo.getDigestAlgorithm(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithm(), signerInfo.getEncryptedDigest(), generateUnsignerInfoFromCounter(uAtrib) // unsignedAttr ); } } } else { signerInfosU2.add(unsignedAtributte(parameters, cert, signerInfo, keyEntry)); final Attribute uAtrib = new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU2)); counterSigner = new SignerInfo(signerInfo.getSID(), signerInfo.getDigestAlgorithm(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithm(), signerInfo.getEncryptedDigest(), generateUnsignerInfoFromCounter(uAtrib) // unsignedAttr ); } return counterSigner; }
From source file:es.gob.afirma.envelopers.cms.CounterSignerEnveloped.java
License:Open Source License
/** Método utilizado por la firma de una hoja del érbol para * obtener la contrafirma de los signerInfo de una determinada hoja de forma * recursiva./*from w w w.ja v a2 s. c o m*/ * @param signerInfo * Nodo raí que contiene todos los signerInfos que se * deben firmar. * @param parameters * Parámetros necesarios para firmar un determinado * SignerInfo hoja. * @param cert * Certificado de firma. * @param keyEntry * Clave privada a usar para firmar * @return El SignerInfo raíz parcial con todos sus nodos * Contrafirmados. * @throws java.security.NoSuchAlgorithmException Si el JRE no soporta algún algoritmo necesario * @throws java.io.IOException Cuando hay problemas de entrada / salida. * @throws java.security.cert.CertificateException Cuando hay problemas relacionados con los certificados X.509. * @throws SignatureException Cuando ocurren problemas en la firma PKCS#1. * @throws InvalidKeyException Cuando hay problemas de adecuación de la clave. */ private SignerInfo getCounterLeafUnsignedAtributes(final SignerInfo signerInfo, final P7ContentSignerParameters parameters, final X509Certificate cert, final PrivateKeyEntry keyEntry) throws NoSuchAlgorithmException, IOException, CertificateException, InvalidKeyException, SignatureException { final List<Object> attributes = new ArrayList<Object>(); final ASN1EncodableVector signerInfosU = new ASN1EncodableVector(); final ASN1EncodableVector signerInfosU2 = new ASN1EncodableVector(); SignerInfo counterSigner = null; if (signerInfo.getUnauthenticatedAttributes() != null) { final Enumeration<?> eAtributes = signerInfo.getUnauthenticatedAttributes().getObjects(); while (eAtributes.hasMoreElements()) { final Attribute data = Attribute.getInstance(eAtributes.nextElement()); if (!data.getAttrType().equals(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken)) { final ASN1Set setInto = data.getAttrValues(); final Enumeration<?> eAtributesData = setInto.getObjects(); while (eAtributesData.hasMoreElements()) { final Object obj = eAtributesData.nextElement(); if (obj instanceof ASN1Sequence) { signerInfosU.add(getCounterLeafUnsignedAtributes(SignerInfo.getInstance(obj), parameters, cert, keyEntry)); } else { attributes.add(obj); } } } else { signerInfosU.add(data); } } // FIRMA DE CADA UNO DE LOS HIJOS ASN1Set a1; final ASN1EncodableVector contexExpecific = new ASN1EncodableVector(); if (signerInfosU.size() > 1) { for (int i = 0; i < signerInfosU.size(); i++) { if (signerInfosU.get(i) instanceof Attribute) { contexExpecific.add(signerInfosU.get(i)); } else { contexExpecific.add( new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU.get(i)))); } } a1 = SigUtils.getAttributeSet(new AttributeTable(contexExpecific)); counterSigner = new SignerInfo(signerInfo.getSID(), signerInfo.getDigestAlgorithm(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithm(), signerInfo.getEncryptedDigest(), a1 // unsignedAttr ); } else { if (signerInfosU.size() == 1) { if (signerInfosU.get(0) instanceof Attribute) { // anadimos el que hay contexExpecific.add(signerInfosU.get(0)); // creamos el de la contrafirma. signerInfosU2.add(unsignedAtributte(parameters, cert, signerInfo, keyEntry)); final Attribute uAtrib = new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU2)); contexExpecific.add(uAtrib); } else { contexExpecific.add( new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU.get(0)))); } a1 = SigUtils.getAttributeSet(new AttributeTable(contexExpecific)); counterSigner = new SignerInfo(signerInfo.getSID(), signerInfo.getDigestAlgorithm(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithm(), signerInfo.getEncryptedDigest(), a1 // unsignedAttr ); } else { final Attribute uAtrib = new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU)); counterSigner = new SignerInfo(signerInfo.getSID(), signerInfo.getDigestAlgorithm(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithm(), signerInfo.getEncryptedDigest(), generateUnsignerInfoFromCounter(uAtrib) // unsignedAttr ); } } } else { signerInfosU2.add(unsignedAtributte(parameters, cert, signerInfo, keyEntry)); final Attribute uAtrib = new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU2)); counterSigner = new SignerInfo(signerInfo.getSID(), signerInfo.getDigestAlgorithm(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithm(), signerInfo.getEncryptedDigest(), new DERSet(uAtrib) // unsignedAttr ); } return counterSigner; }
From source file:es.gob.afirma.envelopers.cms.CounterSignerEnveloped.java
License:Open Source License
/** Método utilizado por la firma de un nodo del érbol para * obtener la contrafirma de los signerInfo Sin ser recursivo. Esto es por * el caso especial de que puede ser el nodo raiz el nodo a firmar, por lo * que no sería necesario usar la recursividad. * @param signerInfo//from w w w . ja v a 2 s.c o m * Nodo raí que contiene todos los signerInfos que se * deben firmar. * @param parameters * Parámetros necesarios para firmar un determinado * SignerInfo hoja. * @param cert * Certificado de firma. * @param keyEntry * Clave privada a usar para firmar * @return El SignerInfo raíz parcial con todos sus nodos * Contrafirmados. * @throws java.security.NoSuchAlgorithmException Si el JRE no soporta algún algoritmo necesario * @throws java.io.IOException Cuando hay problemas de entrada / salida. * @throws java.security.cert.CertificateException Cuando hay problemas relacionados con los certificados X.509. * @throws SignatureException Cuando ocurren problemas en la firma PKCS#1. * @throws InvalidKeyException Cuando hay problemas de adecuación de la clave. */ private SignerInfo getCounterNodeUnsignedAtributes(final SignerInfo signerInfo, final P7ContentSignerParameters parameters, final X509Certificate cert, final PrivateKeyEntry keyEntry) throws NoSuchAlgorithmException, IOException, CertificateException, InvalidKeyException, SignatureException { final List<Object> attributes = new ArrayList<Object>(); final ASN1EncodableVector signerInfosU = new ASN1EncodableVector(); final ASN1EncodableVector signerInfosU2 = new ASN1EncodableVector(); SignerInfo counterSigner = null; if (signerInfo.getUnauthenticatedAttributes() != null) { final Enumeration<?> eAtributes = signerInfo.getUnauthenticatedAttributes().getObjects(); while (eAtributes.hasMoreElements()) { final Attribute data = Attribute.getInstance(eAtributes.nextElement()); if (!data.getAttrType().equals(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken)) { final ASN1Set setInto = data.getAttrValues(); final Enumeration<?> eAtributesData = setInto.getObjects(); while (eAtributesData.hasMoreElements()) { final Object obj = eAtributesData.nextElement(); if (obj instanceof ASN1Sequence) { signerInfosU.add(SignerInfo.getInstance(obj)); } else { attributes.add(obj); } } } else { signerInfosU.add(data); } } // FIRMA DEL NODO ACTUAL signerInfosU.add(unsignedAtributte(parameters, cert, signerInfo, keyEntry)); // FIRMA DE CADA UNO DE LOS HIJOS ASN1Set a1; final ASN1EncodableVector contexExpecific = new ASN1EncodableVector(); if (signerInfosU.size() > 1) { for (int i = 0; i < signerInfosU.size(); i++) { if (signerInfosU.get(i) instanceof Attribute) { contexExpecific.add(signerInfosU.get(i)); } else { contexExpecific.add( new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU.get(i)))); } } a1 = SigUtils.getAttributeSet(new AttributeTable(contexExpecific)); counterSigner = new SignerInfo(signerInfo.getSID(), signerInfo.getDigestAlgorithm(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithm(), signerInfo.getEncryptedDigest(), a1 // unsignedAttr ); } else { if (signerInfosU.size() == 1) { if (signerInfosU.get(0) instanceof Attribute) { // anadimos el que hay contexExpecific.add(signerInfosU.get(0)); // creamos el de la contrafirma. signerInfosU2.add(unsignedAtributte(parameters, cert, signerInfo, keyEntry)); contexExpecific .add(new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU2))); } else { contexExpecific.add( new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU.get(0)))); } a1 = SigUtils.getAttributeSet(new AttributeTable(contexExpecific)); counterSigner = new SignerInfo(signerInfo.getSID(), signerInfo.getDigestAlgorithm(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithm(), signerInfo.getEncryptedDigest(), a1 // unsignedAttr ); } else { final Attribute uAtrib = new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU)); counterSigner = new SignerInfo(signerInfo.getSID(), signerInfo.getDigestAlgorithm(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithm(), signerInfo.getEncryptedDigest(), generateUnsignerInfoFromCounter(uAtrib) // unsignedAttr ); } } } else { signerInfosU2.add(unsignedAtributte(parameters, cert, signerInfo, keyEntry)); final Attribute uAtrib = new Attribute(CMSAttributes.counterSignature, new DERSet(signerInfosU2)); counterSigner = new SignerInfo(signerInfo.getSID(), signerInfo.getDigestAlgorithm(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithm(), signerInfo.getEncryptedDigest(), new DERSet(uAtrib) // unsignedAttr ); } return counterSigner; }