Example usage for org.bouncycastle.cms CMSSignedData getCRLs

List of usage examples for org.bouncycastle.cms CMSSignedData getCRLs

Introduction

This page collects real-world usage examples of org.bouncycastle.cms CMSSignedData.getCRLs(), taken from open-source projects (X-Road, DSS, Apache Kerby, EJBCA), together with the method's prototype and documentation.

Prototype

public Store<X509CRLHolder> getCRLs() 


Document

Return any X.509 CRL objects in this SignedData structure as a Store of X509CRLHolder objects. Note that the CRLs returned here were supplied by whoever built the SignedData; before relying on one, check its issuer and verify its signature against a key you already trust, as the EJBCA example below does with `retCrl.verify(cacert.getPublicKey())`.

Usage

From source file:ee.ria.xroad.proxy.messagelog.TimestamperUtil.java

License:Open Source License

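/**
 * Returns a copy of the time-stamp token carried in {@code tsResponse} whose
 * SignedData.certificates field additionally contains {@code signerCertificate}.
 * Every certificate already present, the attribute certificates and the CRLs of the
 * original token are kept; only the certificate set is rewritten (via
 * {@link CMSSignedData#replaceCertificatesAndCRLs}), the token's SignerInfos are not touched.
 * <p>
 * NOTE(review): nothing here checks that {@code signerCertificate} is the certificate that
 * actually signed the token (its SignerInfo SID), nor that the token verifies at all. Callers
 * must verify the token independently before trusting the result.
 *
 * @param tsResponse        response whose token is rewritten; must carry a token
 * @param signerCertificate TSA certificate to embed; must not be null
 * @return a new {@link TimeStampToken} carrying the extra certificate
 * @throws IllegalArgumentException if either argument is null or the response carries no token
 * @throws Exception                on CMS/TSP encoding failures raised by BouncyCastle
 */
@SuppressWarnings("unchecked")
static TimeStampToken addSignerCertificate(TimeStampResponse tsResponse, X509Certificate signerCertificate)
        throws Exception {
    if (tsResponse == null || signerCertificate == null) {
        throw new IllegalArgumentException("tsResponse and signerCertificate must not be null");
    }
    // A response whose status is not "granted" carries no token; fail with a clear message
    // instead of an NPE on toCMSSignedData().
    TimeStampToken token = tsResponse.getTimeStampToken();
    if (token == null) {
        throw new IllegalArgumentException("time-stamp response carries no token");
    }
    CMSSignedData cms = token.toCMSSignedData();

    // JcaCertStore accepts a mixed collection of X509Certificate and X509CertificateHolder,
    // so the new certificate and the existing holders can share one list.
    List<Object> certificates = new ArrayList<>();
    certificates.add(signerCertificate);
    certificates.addAll(cms.getCertificates().getMatches(null));

    return new TimeStampToken(CMSSignedData.replaceCertificatesAndCRLs(cms,
            new JcaCertStore(certificates), cms.getAttributeCertificates(), cms.getCRLs()));
}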

From source file:eu.europa.ec.markt.dss.signature.cades.CAdESLevelBaselineLT.java

License:Open Source License

/**
 * Extends a CAdES signature to the LT level: the certificates and revocation data (CRLs and
 * basic OCSP responses) that validation found necessary are merged into the SignedData and the
 * structure is regenerated through {@link CMSSignedDataBuilder}.
 * <p>
 * Merging is done through {@link HashSet}s, so an item already carried by the SignedData is not
 * embedded a second time. Attribute certificates and id-ri-ocsp-response entries are carried
 * over untouched.
 *
 * @param cmsSignedData     the SignedData being extended
 * @param signerInformation the signer whose validation context drives what gets embedded
 * @param parameters        signing parameters (detached content, etc.)
 * @return the regenerated SignedData
 */
protected CMSSignedData postExtendCMSSignedData(CMSSignedData cmsSignedData,
        SignerInformation signerInformation, SignatureParameters parameters) {
    final CAdESSignature cadesSignature = new CAdESSignature(cmsSignedData, signerInformation);
    cadesSignature.setDetachedContents(parameters.getDetachedContent());
    final ValidationContext validationContext = cadesSignature
            .getSignatureValidationContext(certificateVerifier);

    // Certificates: those already embedded plus the ones validation says must be included.
    final Collection<X509CertificateHolder> mergedCertificates = new HashSet<X509CertificateHolder>(
            cmsSignedData.getCertificates().getMatches(null));
    for (final CertificateToken token : cadesSignature.getCertificatesForInclusion(validationContext)) {
        mergedCertificates.add(DSSUtils.getX509CertificateHolder(token));
    }

    // Revocation data is resolved after the certificates, as in the original flow.
    final DefaultAdvancedSignature.RevocationDataForInclusion revocation = cadesSignature
            .getRevocationDataForInclusion(validationContext);

    final Collection<X509CRLHolder> mergedCrls = new HashSet<X509CRLHolder>(
            cmsSignedData.getCRLs().getMatches(null));
    for (final CRLToken crlToken : revocation.crlTokens) {
        mergedCrls.add(crlToken.getX509CrlHolder());
    }

    // Only id-pkix-ocsp-basic responses are merged; DSS tokens carry BasicOCSPResp values.
    final Collection<ASN1Primitive> mergedBasicOcsp = new HashSet<ASN1Primitive>(
            cmsSignedData.getOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic).getMatches(null));
    for (final OCSPToken ocspToken : revocation.ocspTokens) {
        final BasicOCSPResp basicOCSPResp = ocspToken.getBasicOCSPResp();
        mergedBasicOcsp.add(DSSASN1Utils.toASN1Primitive(DSSUtils.getEncoded(basicOCSPResp)));
    }

    final CMSSignedDataBuilder builder = new CMSSignedDataBuilder(certificateVerifier);
    return builder.regenerateCMSSignedData(cmsSignedData, parameters,
            new CollectionStore(mergedCertificates),
            cmsSignedData.getAttributeCertificates(),
            new CollectionStore(mergedCrls),
            new CollectionStore(mergedBasicOcsp),
            cmsSignedData.getOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response));
}

From source file:eu.europa.ec.markt.dss.signature.cades.CMSSignedDataBuilder.java

License:Open Source License

/**
 * Builds the BouncyCastle {@link CMSSignedDataGenerator} that will sign the document and add
 * the signed/unsigned CMS attributes.
 * <p>
 * When {@code originalSignedData} is given (signature extension), all of its signers, attribute
 * certificates, CRLs and OCSP responses (both id-pkix-ocsp-basic and id-ri-ocsp-response) are
 * carried over, and its certificates are merged with the configured chain before being added.
 * <p>
 * RFC 3852 section 5.1 dictates the SignedData version (3 vs 1) from the presence of
 * certificates, v1 attribute certificates, v3 SignerInfos and a non id-data eContentType;
 * BouncyCastle computes that version itself, nothing here sets it.
 *
 * @param parameters                 the driving signing parameters (signing certificate, chain)
 * @param contentSigner              signer used to produce the signature over the data
 * @param signerInfoGeneratorBuilder builder that produces the SignerInfo generator for the signing certificate
 * @param originalSignedData         the existing SignedData when extending a signature, {@code null} otherwise
 * @return the configured generator
 * @throws eu.europa.ec.markt.dss.exception.DSSException wrapping any {@link CMSException} or
 *         {@link OperatorCreationException} raised by BouncyCastle
 */
protected CMSSignedDataGenerator createCMSSignedDataGenerator(final SignatureParameters parameters,
        final ContentSigner contentSigner, final SignerInfoGeneratorBuilder signerInfoGeneratorBuilder,
        final CMSSignedData originalSignedData) throws DSSException {
    try {
        final X509Certificate signingCertificate = parameters.getSigningCertificate();
        final X509CertificateHolder signerHolder = DSSUtils.getX509CertificateHolder(signingCertificate);

        final CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        generator.addSignerInfoGenerator(signerInfoGeneratorBuilder.build(contentSigner, signerHolder));

        // Certificates to embed: the ones already present (when extending) plus the configured chain.
        final Set<X509Certificate> embeddedCertificates = new HashSet<X509Certificate>();
        if (originalSignedData != null) {
            carryOverExistingSignedData(generator, originalSignedData);
            final Collection<X509CertificateHolder> existing = originalSignedData.getCertificates()
                    .getMatches(null);
            for (final X509CertificateHolder holder : existing) {
                embeddedCertificates.add(DSSUtils.getCertificate(holder));
            }
        }
        embeddedCertificates.addAll(parameters.getCertificateChain());
        generator.addCertificates(getJcaCertStore(signingCertificate, embeddedCertificates));
        return generator;

    } catch (CMSException e) {
        throw new DSSException(e);
    } catch (OperatorCreationException e) {
        throw new DSSException(e);
    }
}

/**
 * Re-adds every signer, attribute certificate, CRL and OCSP response of an existing SignedData
 * to {@code generator}, so that extending a signature loses none of them.
 */
private static void carryOverExistingSignedData(final CMSSignedDataGenerator generator,
        final CMSSignedData original) throws CMSException {
    generator.addSigners(original.getSignerInfos());
    generator.addAttributeCertificates(original.getAttributeCertificates());
    generator.addCRLs(original.getCRLs());
    generator.addOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic,
            original.getOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic));
    generator.addOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response,
            original.getOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response));
}

From source file:eu.europa.esig.dss.cades.signature.CAdESLevelBaselineLT.java

License:Open Source License

/**
 * LT-level extension: merges the certificates, CRLs and basic OCSP responses that validation
 * found necessary into the SignedData and regenerates it via {@link CMSSignedDataBuilder}.
 * Attribute certificates and id-ri-ocsp-response entries are passed through unchanged.
 * Duplicates are avoided by collecting into {@link HashSet}s.
 *
 * @param cmsSignedData     the SignedData being extended
 * @param signerInformation the signer whose validation context drives what gets embedded
 * @param parameters        CAdES signing parameters (detached content, etc.)
 * @return the regenerated SignedData
 */
@Override
protected CMSSignedData postExtendCMSSignedData(CMSSignedData cmsSignedData,
        SignerInformation signerInformation, CAdESSignatureParameters parameters) {
    final CAdESSignature cadesSignature = new CAdESSignature(cmsSignedData, signerInformation);
    cadesSignature.setDetachedContents(parameters.getDetachedContent());
    final ValidationContext validationContext = cadesSignature
            .getSignatureValidationContext(certificateVerifier);

    // Same sequence as before: certificates are resolved first, then the revocation data.
    final Set<CertificateToken> toInclude = cadesSignature.getCertificatesForInclusion(validationContext);
    final Store<X509CertificateHolder> certificatesStore = withAddedCertificates(cmsSignedData, toInclude);

    final DefaultAdvancedSignature.RevocationDataForInclusion revocation = cadesSignature
            .getRevocationDataForInclusion(validationContext);
    final Store<X509CRLHolder> crlsStore = withAddedCrls(cmsSignedData, revocation);
    final Store basicOcspStore = withAddedBasicOcspResponses(cmsSignedData, revocation);

    final CMSSignedDataBuilder builder = new CMSSignedDataBuilder(certificateVerifier);
    return builder.regenerateCMSSignedData(cmsSignedData, parameters, certificatesStore,
            cmsSignedData.getAttributeCertificates(), crlsStore, basicOcspStore,
            cmsSignedData.getOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response));
}

/** Certificates already embedded in {@code cms} plus the given tokens, as a fresh store. */
private Store<X509CertificateHolder> withAddedCertificates(final CMSSignedData cms,
        final Set<CertificateToken> tokens) {
    final Set<X509CertificateHolder> holders = new HashSet<X509CertificateHolder>(
            cms.getCertificates().getMatches(null));
    for (final CertificateToken token : tokens) {
        holders.add(DSSASN1Utils.getX509CertificateHolder(token));
    }
    return new CollectionStore<X509CertificateHolder>(holders);
}

/** CRLs already embedded in {@code cms} plus those selected for inclusion, as a fresh store. */
private Store<X509CRLHolder> withAddedCrls(final CMSSignedData cms,
        final DefaultAdvancedSignature.RevocationDataForInclusion revocation) {
    final Set<X509CRLHolder> holders = new HashSet<X509CRLHolder>(cms.getCRLs().getMatches(null));
    for (final CRLToken crlToken : revocation.crlTokens) {
        holders.add(getX509CrlHolder(crlToken));
    }
    return new CollectionStore<X509CRLHolder>(holders);
}

/**
 * id-pkix-ocsp-basic responses already embedded in {@code cms} plus the DER encoding of every
 * selected OCSP token's BasicOCSPResp, as a fresh store.
 */
private Store withAddedBasicOcspResponses(final CMSSignedData cms,
        final DefaultAdvancedSignature.RevocationDataForInclusion revocation) {
    final Store existing = cms.getOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic);
    final Set<ASN1Primitive> responses = new HashSet<ASN1Primitive>(existing.getMatches(null));
    for (final OCSPToken ocspToken : revocation.ocspTokens) {
        final BasicOCSPResp basicOCSPResp = ocspToken.getBasicOCSPResp();
        responses.add(DSSASN1Utils.toASN1Primitive(DSSASN1Utils.getEncoded(basicOCSPResp)));
    }
    return new CollectionStore(responses);
}

From source file:eu.europa.esig.dss.cades.signature.CMSSignedDataBuilder.java

License:Open Source License

/**
 * Builds the BouncyCastle {@link CMSSignedDataGenerator} that signs the document and adds the
 * required signed and unsigned CMS attributes.
 * <p>
 * When extending an existing signature ({@code originalSignedData != null}) every existing
 * signer, attribute certificate, CRL and OCSP response (id-pkix-ocsp-basic and
 * id-ri-ocsp-response) is carried over, and the existing certificates are merged with the
 * signing certificate and the configured chain.
 * <p>
 * RFC 3852 section 5.1 dictates the SignedData version (3 vs 1) from the presence of
 * certificates, v1 attribute certificates, v3 SignerInfos and a non id-data eContentType;
 * BouncyCastle handles that version automatically.
 *
 * @param parameters                 the driving signing parameters (signing certificate, chain, B-level policy)
 * @param contentSigner              signer used to produce the signature over the data
 * @param signerInfoGeneratorBuilder builder that produces the SignerInfo generator for the signing certificate
 * @param originalSignedData         the existing SignedData when extending a signature, {@code null} otherwise
 * @return the configured generator
 * @throws eu.europa.esig.dss.DSSException wrapping any {@link CMSException} or
 *         {@link OperatorCreationException} raised by BouncyCastle
 */
protected CMSSignedDataGenerator createCMSSignedDataGenerator(final CAdESSignatureParameters parameters,
        final ContentSigner contentSigner, final SignerInfoGeneratorBuilder signerInfoGeneratorBuilder,
        final CMSSignedData originalSignedData) throws DSSException {
    try {
        final CertificateToken signingCertificate = parameters.getSigningCertificate();
        final CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        generator.addSignerInfoGenerator(signerInfoGeneratorBuilder.build(contentSigner,
                DSSASN1Utils.getX509CertificateHolder(signingCertificate)));

        final Set<CertificateToken> certificatesToEmbed = new HashSet<CertificateToken>();
        if (originalSignedData != null) {
            // Extending: nothing from the existing structure may be lost.
            generator.addSigners(originalSignedData.getSignerInfos());
            generator.addAttributeCertificates(originalSignedData.getAttributeCertificates());
            generator.addCRLs(originalSignedData.getCRLs());
            generator.addOtherRevocationInfo(id_pkix_ocsp_basic,
                    originalSignedData.getOtherRevocationInfo(id_pkix_ocsp_basic));
            generator.addOtherRevocationInfo(id_ri_ocsp_response,
                    originalSignedData.getOtherRevocationInfo(id_ri_ocsp_response));

            final Store existingCertificates = originalSignedData.getCertificates();
            final Collection<X509CertificateHolder> holders = existingCertificates.getMatches(null);
            for (final X509CertificateHolder holder : holders) {
                certificatesToEmbed.add(DSSASN1Utils.getCertificate(holder));
            }
        }
        certificatesToEmbed.add(signingCertificate);
        certificatesToEmbed.addAll(parameters.getCertificateChain());

        // Presumably decides whether the trust anchor itself is embedded; see getJcaCertStore.
        final boolean trustAnchorBPPolicy = parameters.bLevel().isTrustAnchorBPPolicy();
        generator.addCertificates(getJcaCertStore(certificatesToEmbed, trustAnchorBPPolicy));
        return generator;
    } catch (CMSException e) {
        throw new DSSException(e);
    } catch (OperatorCreationException e) {
        throw new DSSException(e);
    }
}

From source file:org.apache.kerby.pkix.SignedDataEngine.java

License:Apache License

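/**
 * Checks that every SignerInfo in a CMS SignedData verifies under a certificate carried inside
 * that same SignedData.
 * <p>
 * SECURITY NOTE: this is an integrity check only, not an authentication of the signer. The
 * verifying certificate is looked up in {@code s.getCertificates()}, i.e. in the very structure
 * being validated, so anyone can produce a SignedData that passes by embedding the certificate
 * for the key they signed with. Before trusting the content, callers must build and validate a
 * certification path from the matched signer certificate to a trusted anchor (and check
 * revocation); nothing here consults a trust store.
 * <p>
 * Changes from the earlier version: a SignedData with no SignerInfo at all is now rejected
 * (the loop used to fall through and return {@code true}); a signer whose certificate is not
 * embedded now yields {@code false} instead of a NoSuchElementException; and a comparison of
 * the certificate/CRL counts against themselves, which could never fail, was dropped.
 *
 * @param s the SignedData to check
 * @return {@code true} if the structure carries at least one SignerInfo and every SignerInfo
 *         has a matching embedded certificate under which its signature verifies;
 *         {@code false} otherwise
 * @throws Exception on BouncyCastle operator/provider failures while building a verifier
 */
public static boolean validateSignedData(CMSSignedData s) throws Exception {
    Store certStore = s.getCertificates();
    Collection signerInfos = s.getSignerInfos().getSigners();

    // No signer means nothing was actually verified: fail closed.
    if (signerInfos.isEmpty()) {
        return false;
    }

    for (Object o : signerInfos) {
        SignerInformation signer = (SignerInformation) o;
        // Match the signer's SID against the certificates embedded in the SignedData.
        Collection certCollection = certStore.getMatches(signer.getSID());
        if (certCollection.isEmpty()) {
            // Fail closed rather than throwing from iterator().next() on an empty match set.
            return false;
        }
        // If several certificates match the SID only the first is tried, as before.
        X509CertificateHolder cert = (X509CertificateHolder) certCollection.iterator().next();
        if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) {
            return false;
        }
    }
    return true;
}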

From source file:org.ejbca.core.protocol.scep.ProtocolScepHttpTest.java

License:Open Source License

/**
 * Asserts that a SCEP CertRep (messageType 3) response is well-formed, was signed by the expected
 * CA, echoes our nonce and transaction id, and carries the requested artefact: one CRL when
 * {@code crlRep} is set, otherwise the issued certificate (plus the CA certificate unless
 * {@code noca}).
 *
 * @param retMsg       encoded response body returned by the SCEP endpoint
 * @param userDN       subject DN the issued end-entity certificate is expected to have
 * @param _senderNonce base64 of the senderNonce we sent; it must come back as recipientNonce
 * @param _transId     transactionID we sent; it must be echoed unchanged
 * @param crlRep       true if a CRL reply is expected, false for a certificate reply
 * @param digestOid    digest algorithm OID the outer signature must have been made with
 * @param noca         true if only the issued certificate, and not the CA certificate, must be returned
 */
private void checkScepResponse(byte[] retMsg, String userDN, String _senderNonce, String _transId,
        boolean crlRep, String digestOid, boolean noca)
        throws CMSException, OperatorCreationException, NoSuchProviderException, CRLException,
        InvalidKeyException, NoSuchAlgorithmException, SignatureException, CertificateException {

    // Parse response message: the outer layer is a CMS SignedData produced by the CA
    CMSSignedData s = new CMSSignedData(retMsg);
    // The signer, i.e. the CA, check it's the right CA
    SignerInformationStore signers = s.getSignerInfos();
    @SuppressWarnings("unchecked")
    Collection<SignerInformation> col = signers.getSigners();
    assertTrue(col.size() > 0);
    Iterator<SignerInformation> iter = col.iterator();
    // Only the first SignerInfo is examined
    SignerInformation signerInfo = iter.next();
    // Check that the message is signed with the correct digest alg
    assertEquals(signerInfo.getDigestAlgOID(), digestOid);
    SignerId sinfo = signerInfo.getSID();
    // Check that the signer is the expected CA. Only the issuer name of the SignerIdentifier is
    // compared here; the real binding to the CA comes from the signature check right below.
    assertEquals(CertTools.stringToBCDNString(cacert.getIssuerDN().getName()),
            CertTools.stringToBCDNString(sinfo.getIssuer().toString()));
    // Verify the signature against the CA key the test already holds (cacert), NOT against a
    // certificate embedded in the response, so the response cannot vouch for itself.
    JcaDigestCalculatorProviderBuilder calculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME);
    JcaSignerInfoVerifierBuilder jcaSignerInfoVerifierBuilder = new JcaSignerInfoVerifierBuilder(
            calculatorProviderBuilder.build()).setProvider(BouncyCastleProvider.PROVIDER_NAME);
    boolean ret = signerInfo.verify(jcaSignerInfoVerifierBuilder.build(cacert.getPublicKey()));
    assertTrue(ret);
    // Get authenticated attributes (they are covered by the signature just verified)
    AttributeTable tab = signerInfo.getSignedAttributes();
    // --Fail info
    Attribute attr = tab.get(new ASN1ObjectIdentifier(ScepRequestMessage.id_failInfo));
    // No failInfo on this success message
    assertNull(attr);
    // --Message type
    attr = tab.get(new ASN1ObjectIdentifier(ScepRequestMessage.id_messageType));
    assertNotNull(attr);
    ASN1Set values = attr.getAttrValues();
    assertEquals(values.size(), 1);
    ASN1String str = DERPrintableString.getInstance((values.getObjectAt(0)));
    String messageType = str.getString();
    // "3" is CertRep
    assertEquals("3", messageType);
    // --Success status
    attr = tab.get(new ASN1ObjectIdentifier(ScepRequestMessage.id_pkiStatus));
    assertNotNull(attr);
    values = attr.getAttrValues();
    assertEquals(values.size(), 1);
    str = DERPrintableString.getInstance((values.getObjectAt(0)));
    assertEquals(ResponseStatus.SUCCESS.getStringValue(), str.getString());
    // --SenderNonce
    attr = tab.get(new ASN1ObjectIdentifier(ScepRequestMessage.id_senderNonce));
    assertNotNull(attr);
    values = attr.getAttrValues();
    assertEquals(values.size(), 1);
    ASN1OctetString octstr = ASN1OctetString.getInstance(values.getObjectAt(0));
    // SenderNonce is something the server came up with, but it should be 16
    // chars
    assertTrue(octstr.getOctets().length == 16);
    // --Recipient Nonce
    attr = tab.get(new ASN1ObjectIdentifier(ScepRequestMessage.id_recipientNonce));
    assertNotNull(attr);
    values = attr.getAttrValues();
    assertEquals(values.size(), 1);
    octstr = ASN1OctetString.getInstance(values.getObjectAt(0));
    // recipient nonce should be the same as we sent away as sender nonce;
    // this ties the signed response to our request (replay protection)
    assertEquals(_senderNonce, new String(Base64.encode(octstr.getOctets())));
    // --Transaction ID
    attr = tab.get(new ASN1ObjectIdentifier(ScepRequestMessage.id_transId));
    assertNotNull(attr);
    values = attr.getAttrValues();
    assertEquals(values.size(), 1);
    str = DERPrintableString.getInstance((values.getObjectAt(0)));
    // transid should be the same as the one we sent
    assertEquals(_transId, str.getString());

    //
    // Check different message types
    //
    if (messageType.equals("3")) {
        // First we extract the encrypted data from the CMS enveloped data
        // contained
        // within the CMS signed data
        final CMSProcessable sp = s.getSignedContent();
        final byte[] content = (byte[]) sp.getContent();
        final CMSEnvelopedData ed = new CMSEnvelopedData(content);
        final RecipientInformationStore recipients = ed.getRecipientInfos();
        Store certstore;

        @SuppressWarnings("unchecked")
        Collection<RecipientInformation> c = recipients.getRecipients();
        assertEquals(c.size(), 1);
        Iterator<RecipientInformation> riIterator = c.iterator();
        byte[] decBytes = null;
        RecipientInformation recipient = riIterator.next();
        // Decrypt with the private key of the key pair we enrolled (key1)
        JceKeyTransEnvelopedRecipient rec = new JceKeyTransEnvelopedRecipient(key1.getPrivate());
        rec.setContentProvider(BouncyCastleProvider.PROVIDER_NAME);
        decBytes = recipient.getContent(rec);
        // This is yet another CMS signed data (the degenerate "certs-only" inner layer)
        CMSSignedData sd = new CMSSignedData(decBytes);
        // Get certificates from the signed data
        certstore = sd.getCertificates();

        if (crlRep) {
            // We got a reply with a requested CRL; it travels in the inner SignedData's crls field
            @SuppressWarnings("unchecked")
            final Collection<X509CRLHolder> crls = (Collection<X509CRLHolder>) sd.getCRLs().getMatches(null);
            assertEquals(crls.size(), 1);
            final Iterator<X509CRLHolder> it = crls.iterator();
            // CRL is first (and only)
            final X509CRL retCrl = new JcaX509CRLConverter().getCRL(it.next());
            log.info("Got CRL with DN: " + retCrl.getIssuerDN().getName());

            // check the returned CRL: issued by our CA and signed with the CA key we hold
            assertEquals(CertTools.getSubjectDN(cacert), CertTools.getIssuerDN(retCrl));
            retCrl.verify(cacert.getPublicKey());
        } else {
            // We got a reply with a requested certificate
            @SuppressWarnings("unchecked")
            final Collection<X509CertificateHolder> certs = (Collection<X509CertificateHolder>) certstore
                    .getMatches(null);
            // EJBCA returns the issued cert and the CA cert (cisco vpn
            // client requires that the ca cert is included)
            if (noca) {
                assertEquals(certs.size(), 1);
            } else {
                assertEquals(certs.size(), 2);
            }
            final Iterator<X509CertificateHolder> it = certs.iterator();
            // Issued certificate must be first
            boolean verified = false;
            boolean gotcacert = false;
            JcaX509CertificateConverter jcaX509CertificateConverter = new JcaX509CertificateConverter();
            while (it.hasNext()) {
                X509Certificate retcert = jcaX509CertificateConverter.getCertificate(it.next());
                log.info("Got cert with DN: " + retcert.getSubjectDN().getName());

                // check the returned certificate; which one it is is decided by its subject DN
                String subjectdn = CertTools.stringToBCDNString(retcert.getSubjectDN().getName());
                if (CertTools.stringToBCDNString(userDN).equals(subjectdn)) {
                    // issued certificate: issued by our CA, verifies under the CA key, and
                    // certifies the public key of the key pair we enrolled with
                    assertEquals(CertTools.stringToBCDNString(userDN), subjectdn);
                    assertEquals(CertTools.getSubjectDN(cacert), CertTools.getIssuerDN(retcert));
                    retcert.verify(cacert.getPublicKey());
                    assertTrue(checkKeys(key1.getPrivate(), retcert.getPublicKey()));
                    verified = true;
                } else {
                    // ca certificate (matched by subject DN only; its signature is not re-verified here)
                    assertEquals(CertTools.getSubjectDN(cacert), CertTools.getSubjectDN(retcert));
                    gotcacert = true;
                }
            }
            assertTrue(verified);
            if (noca) {
                assertFalse(gotcacert);
            } else {
                assertTrue(gotcacert);
            }
        }
    }

}