List of usage examples for org.bouncycastle.cms CMSSignedData getSignerInfos
public SignerInformationStore getSignerInfos()
From source file:org.jnotary.crypto.Verifier.java
License:Open Source License
@SuppressWarnings("rawtypes") public VerifyResult verifySignature(byte[] signedData, TrustedStore trustedUserCertificateStore) throws Exception { CMSSignedData sdata = new CMSSignedData(signedData); Store certStore = sdata.getCertificates(); SignerInformationStore signersStore = sdata.getSignerInfos(); Collection signers = signersStore.getSigners(); Iterator it = signers.iterator(); final Map<SignerId, java.security.cert.X509Certificate> certificates = new HashMap<SignerId, java.security.cert.X509Certificate>(); List<SignerInformation> signerInfoList = new ArrayList<SignerInformation>(); while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); signerInfoList.add(signer);//from w w w. ja va 2 s . c o m X509CertificateHolder cert = getCertificateHolder(trustedUserCertificateStore, certStore, signer); ByteArrayInputStream certBais = new ByteArrayInputStream(cert.getEncoded()); java.security.cert.X509Certificate x509cert = (java.security.cert.X509Certificate) CertificateFactory .getInstance("X.509").generateCertificate(certBais); certificates.put(signer.getSID(), x509cert); verifyDate(signer, x509cert); if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) throw new Exception("Signature verification failed for " + cert.getSubject().toString()); } CMSTypedData ctd = sdata.getSignedContent(); if (ctd == null) throw new Exception("Data not exists"); return new VerifyResult((byte[]) ctd.getContent(), signerInfoList, certificates); }
From source file:org.mailster.core.crypto.smime.SmimeUtilities.java
License:Open Source License
/** * Take a CMS SignedData message and a trust anchor and determine if * the message is signed with a valid signature from a end entity * certificate recognized by the trust anchor rootCert. */// www .ja v a 2s . c om public static boolean isValid(CMSSignedData signedData, X509Certificate rootCert) throws Exception { CertStore certsAndCRLs = signedData.getCertificatesAndCRLs("Collection", "BC"); SignerInformationStore signers = signedData.getSignerInfos(); Iterator<?> it = signers.getSigners().iterator(); while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); X509CertSelector signerConstraints = signer.getSID(); signerConstraints.setKeyUsage(getKeyUsageForSignature()); PKIXCertPathBuilderResult result = buildPath(rootCert, signer.getSID(), certsAndCRLs); if (signer.verify(result.getPublicKey(), "BC")) return true; } return false; }
From source file:org.roda.common.certification.SignatureUtility.java
@SuppressWarnings("unchecked") private boolean verifySignatures(CMSSignedData s, byte[] contentDigest) throws NoSuchAlgorithmException, NoSuchProviderException, CMSException, CertStoreException, CertificateException, OperatorCreationException { boolean valid = true; // CertStore certStore = s.getCertificatesAndCRLs("Collection", provider); Store<?> certStore = s.getCertificates(); SignerInformationStore signers = s.getSignerInfos(); Collection<SignerInformation> c = signers.getSigners(); Iterator<SignerInformation> it = c.iterator(); while (it.hasNext()) { SignerInformation signer = it.next(); Collection<?> certCollection = certStore.getMatches(signer.getSID()); Iterator<?> certIt = certCollection.iterator(); X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next(); SignerInformationVerifier signerVerifierInformation = new BcRSASignerInfoVerifierBuilder( new DefaultCMSSignatureAlgorithmNameGenerator(), new DefaultSignatureAlgorithmIdentifierFinder(), new DefaultDigestAlgorithmIdentifierFinder(), new BcDigestCalculatorProvider()).build(certHolder); boolean certValid = signer.verify(signerVerifierInformation); valid &= certValid;/*from w ww .ja v a2 s . c o m*/ if (!certValid) { System.err.println("Invalid certificate " + certHolder); } if (contentDigest != null) { boolean digestValid = MessageDigest.isEqual(contentDigest, signer.getContentDigest()); valid &= digestValid; if (!digestValid) { System.err.println("Invalid digest " + contentDigest); } } } return valid; }
From source file:org.roda.core.plugins.plugins.characterization.SignatureUtility.java
private boolean verifySignatures(CMSSignedData s, byte[] contentDigest) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException, CMSException { boolean valid = true; Store<?> certStore = s.getCertificates(); SignerInformationStore signers = s.getSignerInfos(); Collection<SignerInformation> c = signers.getSigners(); Iterator<SignerInformation> it = c.iterator(); while (it.hasNext()) { SignerInformation signer = it.next(); Collection<?> certCollection = certStore.getMatches(signer.getSID()); Iterator<?> certIt = certCollection.iterator(); X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next(); X509Certificate cert = new JcaX509CertificateConverter().setProvider(provider) .getCertificate(certHolder); boolean certValid = signer.verify(cert, provider); valid &= certValid;// w ww . j a v a 2 s. com if (!certValid) { LOGGER.error("Invalid certificate '{}'", cert); } if (contentDigest != null) { boolean digestValid = MessageDigest.isEqual(contentDigest, signer.getContentDigest()); valid &= digestValid; if (!digestValid) { LOGGER.error("Invalid digest '{}'", contentDigest); } } } return valid; }
From source file:org.signserver.module.cmssigner.CMSSignerTest.java
License:Open Source License
private void helperBasicCMSSign(final int workerId, final String sigAlg, final String expectedDigAlgOID, final String expectedEncAlgOID, final String includedCertificateLevelsProperty, final int expectedIncludedCertificateLevels) throws Exception { final int reqid = 37; final String testDocument = "Something to sign...123"; final GenericSignRequest signRequest = new GenericSignRequest(reqid, testDocument.getBytes()); // override signature algorithm if set if (sigAlg != null) { workerSession.setWorkerProperty(workerId, CMSSigner.SIGNATUREALGORITHM_PROPERTY, sigAlg); } else {//from ww w .j a v a2s. c o m workerSession.removeWorkerProperty(workerId, CMSSigner.SIGNATUREALGORITHM_PROPERTY); } if (includedCertificateLevelsProperty != null) { workerSession.setWorkerProperty(workerId, WorkerConfig.PROPERTY_INCLUDE_CERTIFICATE_LEVELS, includedCertificateLevelsProperty); } else { workerSession.removeWorkerProperty(workerId, WorkerConfig.PROPERTY_INCLUDE_CERTIFICATE_LEVELS); } workerSession.reloadConfiguration(workerId); final GenericSignResponse res = (GenericSignResponse) workerSession.process(workerId, signRequest, new RequestContext()); final byte[] data = res.getProcessedData(); // Answer to right question assertSame("Request ID", reqid, res.getRequestID()); // Output for manual inspection final FileOutputStream fos = new FileOutputStream( new File(getSignServerHome(), "tmp" + File.separator + "signedcms_" + sigAlg + ".p7s")); fos.write((byte[]) data); fos.close(); // Check certificate returned final Certificate signercert = res.getSignerCertificate(); assertNotNull("Signer certificate", signercert); // Check that the signed data contains the document (i.e. not detached) final CMSSignedData signedData = new CMSSignedData(data); final byte[] content = (byte[]) signedData.getSignedContent().getContent(); assertEquals("Signed document", testDocument, new String(content)); // Get signers final Collection signers = signedData.getSignerInfos().getSigners(); final SignerInformation signer = (SignerInformation) signers.iterator().next(); // Verify using the signer's certificate assertTrue("Verification using signer certificate", signer.verify(signercert.getPublicKey(), "BC")); // Check that the signer's certificate is included CertStore certs = signedData.getCertificatesAndCRLs("Collection", "BC"); X509Principal issuer = new X509Principal(signer.getSID().getIssuer()); CertSelector cs = new AttributeCertificateHolder(issuer, signer.getSID().getSerialNumber()); Collection<? extends Certificate> signerCerts = certs.getCertificates(cs); assertEquals("Certificate included", expectedIncludedCertificateLevels, signerCerts.size()); if (!signerCerts.isEmpty()) { assertEquals(signercert, signerCerts.iterator().next()); } // check the signature algorithm assertEquals("Digest algorithm", expectedDigAlgOID, signer.getDigestAlgorithmID().getAlgorithm().getId()); assertEquals("Encryption algorithm", expectedEncAlgOID, signer.getEncryptionAlgOID()); }
From source file:org.signserver.module.tsa.MSAuthCodeTimeStampSignerTest.java
License:Open Source License
/** * Performs test using specified signature algorithm, digest algorithm and with the optional SigningCertificate attribute included or not included. * //from w w w .ja v a 2s. c o m * The SigningCertificate attribute is specified in RFC 2634. * * SigningCertificate ::= SEQUENCE { * certs SEQUENCE OF ESSCertID, * policies SEQUENCE OF PolicyInformation OPTIONAL * } * * id-aa-signingCertificate OBJECT IDENTIFIER ::= { iso(1) * member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) * smime(16) id-aa(2) 12 } * * ESSCertID ::= SEQUENCE { * certHash Hash, * issuerSerial IssuerSerial OPTIONAL * } * Hash ::= OCTET STRING -- SHA1 hash of entire certificate * * IssuerSerial ::= SEQUENCE { * issuer GeneralNames, * serialNumber CertificateSerialNumber * } * * @param signingAlgo Signature algorithm to use * @param expectedDigestOID Expected digest OID * @param requestData Request data to test with * @param includeSigningCertAttr If true, include and test the SigningCertificate attribute * @throws Exception */ private void testProcessDataWithAlgo(final String signingAlgo, final String expectedDigestOID, final byte[] requestData, final boolean includeSigningCertAttr, final String includeCertificateLevels) throws Exception { SignServerUtil.installBCProvider(); final String CRYPTOTOKEN_CLASSNAME = "org.signserver.server.cryptotokens.HardCodedCryptoToken"; final ProcessRequest signRequest; final GlobalConfigurationSessionMock globalConfig = new GlobalConfigurationSessionMock(); final WorkerSessionMock workerMock = new WorkerSessionMock(globalConfig); final WorkerConfig config = new WorkerConfig(); config.setProperty("NAME", "TestMSAuthCodeTimeStampSigner"); config.setProperty("AUTHTYPE", "NOAUTH"); config.setProperty("TIMESOURCE", "org.signserver.server.ZeroTimeSource"); config.setProperty("SIGNATUREALGORITHM", signingAlgo); config.setProperty("DEFAULTKEY", HardCodedCryptoTokenAliases.KEY_ALIAS_1); if (includeSigningCertAttr) { config.setProperty("INCLUDE_SIGNING_CERTIFICATE_ATTRIBUTE", "true"); } if (includeCertificateLevels != null) { config.setProperty(WorkerConfig.PROPERTY_INCLUDE_CERTIFICATE_LEVELS, includeCertificateLevels); } final MSAuthCodeTimeStampSigner worker = new MSAuthCodeTimeStampSigner() { @Override protected IGlobalConfigurationSession.IRemote getGlobalConfigurationSession() { return globalConfig; } }; workerMock.setupWorker(SIGNER_ID, CRYPTOTOKEN_CLASSNAME, config, worker); workerMock.reloadConfiguration(SIGNER_ID); // if the INCLUDE_CERTIFICATE_LEVELS property has been set, // check that it gives a not supported error if (includeCertificateLevels != null) { final List<String> errors = worker.getFatalErrors(); assertTrue("Should contain config error", errors.contains(WorkerConfig.PROPERTY_INCLUDE_CERTIFICATE_LEVELS + " is not supported.")); return; } // create sample hard-coded request signRequest = new GenericSignRequest(REQUEST_ID, requestData); final RequestContext requestContext = new RequestContext(); GenericSignResponse resp = (GenericSignResponse) workerMock.process(SIGNER_ID, signRequest, requestContext); // check that the response contains the needed attributes byte[] buf = resp.getProcessedData(); ASN1Sequence asn1seq = ASN1Sequence.getInstance(Base64.decode(buf)); ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(asn1seq.getObjectAt(0)); ASN1TaggedObject ato = ASN1TaggedObject.getInstance(asn1seq.getObjectAt(1)); assertEquals("Invalid OID in response", SIGNED_DATA_OID, oid.getId()); ASN1Sequence asn1seq1 = ASN1Sequence.getInstance(ato.getObject()); ASN1Set asn1set = ASN1Set.getInstance(asn1seq1.getObjectAt(4)); ASN1Sequence asn1seq2 = ASN1Sequence.getInstance(asn1set.getObjectAt(0)); ASN1TaggedObject ato1 = ASN1TaggedObject.getInstance(asn1seq2.getObjectAt(3)); ASN1Sequence asn1seq3 = ASN1Sequence.getInstance(ato1.getObject()); ASN1Sequence asn1seq4 = ASN1Sequence.getInstance(asn1seq3.getObjectAt(0)); ASN1Sequence asn1seq5 = ASN1Sequence.getInstance(asn1seq3.getObjectAt(1)); ASN1Sequence asn1seq6 = ASN1Sequence.getInstance(asn1seq3.getObjectAt(2)); final X509Certificate cert = (X509Certificate) CertTools .getCertfromByteArray(HardCodedCryptoToken.certbytes1); // expected serial number final BigInteger sn = cert.getSerialNumber(); // if INCLUDE_SIGNING_CERTIFICATE_ATTRIBUTE is set to false, the attribute should not be included if (!includeSigningCertAttr) { assertEquals("Number of attributes", 3, asn1seq3.size()); } else { final ASN1Sequence scAttr = ASN1Sequence.getInstance(asn1seq3.getObjectAt(3)); TestUtils.checkSigningCertificateAttribute(scAttr, cert); } ASN1ObjectIdentifier ctOID = ASN1ObjectIdentifier.getInstance(asn1seq4.getObjectAt(0)); assertEquals("Invalid OID for content type", CONTENT_TYPE_OID, ctOID.getId()); ASN1ObjectIdentifier stOID = ASN1ObjectIdentifier.getInstance(asn1seq5.getObjectAt(0)); assertEquals("Invalid OID for signing time", SIGNING_TIME_OID, stOID.getId()); ASN1ObjectIdentifier mdOID = ASN1ObjectIdentifier.getInstance(asn1seq6.getObjectAt(0)); assertEquals("Invalid OID for content type", MESSAGE_DIGEST_OID, mdOID.getId()); // get signing time from response ASN1Set set = ASN1Set.getInstance(asn1seq5.getObjectAt(1)); ASN1Encodable t = set.getObjectAt(0); Time t2 = Time.getInstance(t); Date d = t2.getDate(); // the expected time (the "starting point" of time according to java.util.Date, consistent with the behavior of ZeroTimeSource Date d0 = new Date(0); assertEquals("Unexpected signing time in response", d0, d); // check expected signing algo ASN1Set set1 = ASN1Set.getInstance(asn1seq1.getObjectAt(1)); ASN1Sequence asn1seq7 = ASN1Sequence.getInstance(set1.getObjectAt(0)); ASN1ObjectIdentifier algOid = ASN1ObjectIdentifier.getInstance(asn1seq7.getObjectAt(0)); assertEquals("Unexpected digest OID in response", expectedDigestOID, algOid.getId()); // check that the request is included final CMSSignedData signedData = new CMSSignedData(asn1seq.getEncoded()); final byte[] content = (byte[]) signedData.getSignedContent().getContent(); final ASN1Sequence seq = ASN1Sequence.getInstance(Base64.decode(requestData)); final ASN1Sequence seq2 = ASN1Sequence.getInstance(seq.getObjectAt(1)); final ASN1TaggedObject tag = ASN1TaggedObject.getInstance(seq2.getObjectAt(1)); final ASN1OctetString data = ASN1OctetString.getInstance(tag.getObject()); assertTrue("Contains request data", Arrays.equals(data.getOctets(), content)); // check the signing certificate final X509Certificate signercert = (X509Certificate) resp.getSignerCertificate(); assertEquals("Serial number", sn, signercert.getSerialNumber()); assertEquals("Issuer", cert.getIssuerDN(), signercert.getIssuerDN()); // check ContentInfo, according to the Microsoft specification, the contentInfo in the response is // identical to the contentInfo in the request final ContentInfo expCi = new ContentInfo(seq2); final ContentInfo ci = new ContentInfo(ASN1Sequence.getInstance(asn1seq1.getObjectAt(2))); assertEquals("Content info should match the request", expCi, ci); // Get signers final Collection signers = signedData.getSignerInfos().getSigners(); final SignerInformation signer = (SignerInformation) signers.iterator().next(); // Verify using the signer's certificate assertTrue("Verification using signer certificate", signer.verify(signercert.getPublicKey(), "BC")); // Check that the time source is being logged LogMap logMap = LogMap.getInstance(requestContext); assertEquals("timesource", ZeroTimeSource.class.getSimpleName(), logMap.get("TSA_TIMESOURCE")); assertNotNull("response", logMap.get(ITimeStampLogger.LOG_TSA_TIMESTAMPRESPONSE_ENCODED)); assertEquals("log line doesn't contain newlines", -1, logMap.get(ITimeStampLogger.LOG_TSA_TIMESTAMPRESPONSE_ENCODED).lastIndexOf('\n')); }
From source file:org.signserver.server.cryptotokens.P11SignTest.java
License:Open Source License
private void msauthTSSigner(final int workerId) throws Exception { // Generate CSR PKCS10CertReqInfo certReqInfo = new PKCS10CertReqInfo("SHA1WithRSA", "CN=Worker" + workerId, null); Base64SignerCertReqData reqData = (Base64SignerCertReqData) getWorkerSession() .getCertificateRequest(workerId, certReqInfo, false); // Issue certificate PKCS10CertificationRequest csr = new PKCS10CertificationRequest(Base64.decode(reqData.getBase64CertReq())); KeyPair issuerKeyPair = CryptoUtils.generateRSA(512); X509CertificateHolder cert = new X509v3CertificateBuilder(new X500Name("CN=TestP11 Issuer"), BigInteger.ONE, new Date(), new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(365)), csr.getSubject(), csr.getSubjectPublicKeyInfo()) .addExtension(org.bouncycastle.asn1.x509.X509Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)) .build(new JcaContentSignerBuilder("SHA256WithRSA").setProvider("BC") .build(issuerKeyPair.getPrivate())); // Install certificate and chain workerSession.uploadSignerCertificate(workerId, cert.getEncoded(), GlobalConfiguration.SCOPE_GLOBAL); workerSession.uploadSignerCertificateChain(workerId, Arrays.asList(cert.getEncoded()), GlobalConfiguration.SCOPE_GLOBAL); workerSession.reloadConfiguration(workerId); // Test active List<String> errors = workerSession.getStatus(workerId).getFatalErrors(); assertEquals("errors: " + errors, 0, errors.size()); // Test signing GenericSignRequest signRequest = new GenericSignRequest(678, MSAUTHCODE_REQUEST_DATA.getBytes()); final GenericSignResponse res = (GenericSignResponse) workerSession.process(workerId, signRequest, new RequestContext()); Certificate signercert = res.getSignerCertificate(); assertNotNull(signercert);//from w ww . j ava 2 s. c om byte[] buf = res.getProcessedData(); CMSSignedData s = new CMSSignedData(Base64.decode(buf)); int verified = 0; Store certStore = s.getCertificates(); SignerInformationStore signers = s.getSignerInfos(); Collection c = signers.getSigners(); Iterator it = c.iterator(); while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); Collection certCollection = certStore.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); X509CertificateHolder signerCert = (X509CertificateHolder) certIt.next(); if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(signerCert))) { verified++; } } assertEquals("signer verified", 1, verified); }
From source file:org.votingsystem.callable.MessageTimeStamper.java
License:Open Source License
public byte[] getDigestToken() { if (timeStampToken == null) return null; CMSSignedData tokenCMSSignedData = timeStampToken.toCMSSignedData(); Collection signers = tokenCMSSignedData.getSignerInfos().getSigners(); SignerInformation tsaSignerInfo = (SignerInformation) signers.iterator().next(); AttributeTable signedAttrTable = tsaSignerInfo.getSignedAttributes(); ASN1EncodableVector v = signedAttrTable.getAll(CMSAttributes.messageDigest); Attribute t = (Attribute) v.get(0); ASN1Set attrValues = t.getAttrValues(); DERObject validMessageDigest = attrValues.getObjectAt(0).getDERObject(); ASN1OctetString signedMessageDigest = (ASN1OctetString) validMessageDigest; byte[] digestToken = signedMessageDigest.getOctets(); //String digestTokenStr = new String(Base64.encode(digestToken)); //log.info(" digestTokenStr: " + digestTokenStr); return digestToken; }
From source file:org.votingsystem.signature.smime.SMIMEMessage.java
License:Open Source License
private void replaceSigners(CMSSignedData cmsdata) throws Exception { log.info("replaceSigners"); SMIMESignedGenerator gen = new SMIMESignedGenerator(); gen.addAttributeCertificates(cmsdata.getAttributeCertificates()); gen.addCertificates(cmsdata.getCertificates()); gen.addSigners(cmsdata.getSignerInfos()); MimeMultipart mimeMultipart = gen.generate(smimeSigned.getContent(), smimeSigned.getContent().getFileName()); setContent(mimeMultipart, mimeMultipart.getContentType()); saveChanges();//from w w w . jav a2 s. c o m }
From source file:org.votingsystem.signature.util.CMSUtils.java
License:Open Source License
public static byte[] getDigestToken(TimeStampToken timeStampToken) { if (timeStampToken == null) return null; CMSSignedData tokenCMSSignedData = timeStampToken.toCMSSignedData(); Collection signers = tokenCMSSignedData.getSignerInfos().getSigners(); SignerInformation tsaSignerInfo = (SignerInformation) signers.iterator().next(); AttributeTable signedAttrTable = tsaSignerInfo.getSignedAttributes(); ASN1EncodableVector v = signedAttrTable.getAll(CMSAttributes.messageDigest); Attribute t = (Attribute) v.get(0); ASN1Set attrValues = t.getAttrValues(); DERObject validMessageDigest = attrValues.getObjectAt(0).getDERObject(); ASN1OctetString signedMessageDigest = (ASN1OctetString) validMessageDigest; byte[] digestToken = signedMessageDigest.getOctets(); //String digestTokenStr = new String(Base64.encode(digestToken)); return digestToken; }