Example usage for org.bouncycastle.cms SignerId match

List of usage examples for org.bouncycastle.cms SignerId match

Introduction

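This page collects usage examples of org.bouncycastle.cms.SignerId.match(Object). Note that match only compares the identifier stored in the SignerInfo (issuer and serial number, or subject key identifier) with the candidate certificate; it selects a certificate and does not verify the signature or the certificate's trust chain.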

Prototype

public boolean match(Object obj) 


Usage

From source file:ee.ria.xroad.common.signature.TimestampVerifier.java

License:Open Source License

/**
 * Selects, from the supplied TSP certificates, the one identified by the given signer id.
 *
 * <p>The comparison is done by {@code SignerId.match} on an {@code X509CertificateHolder} built
 * from the certificate's encoded form, so it is an identifier comparison only.
 * NOTE(review): a match says nothing about trust; the caller still has to verify the timestamp
 * signature with the returned certificate and validate its chain - confirm this happens at the
 * call site, which is not shown here.
 *
 * @param signerId the signer identifier taken from the timestamp's SignerInfo
 * @param tspCerts the candidate TSP certificates, checked in iteration order
 * @return the first matching certificate, or {@code null} when none matches
 * @throws Exception if a candidate certificate cannot be encoded or wrapped in a holder
 */
private static X509Certificate getTspCertificate(SignerId signerId, List<X509Certificate> tspCerts)
        throws Exception {
    final Object[] signerFields = { signerId.getIssuer(), signerId.getSerialNumber(),
            Arrays.toString(signerId.getSubjectKeyIdentifier()) };
    log.trace("getTspCertificate({}, {}, {})", signerFields);

    for (X509Certificate candidate : tspCerts) {
        log.trace("Comparing with cert: {}, {}", candidate.getIssuerDN(), candidate.getSerialNumber());

        final X509CertificateHolder holder = new X509CertificateHolder(candidate.getEncoded());
        if (!signerId.match(holder)) {
            continue;
        }
        return candidate;
    }

    // No candidate carries the identifier; callers must handle the null result.
    return null;
}

From source file:eu.europa.ec.markt.dss.validation102853.cades.CAdESSignature.java

License:Open Source License

/**
 * Finds the signing certificate among the certificates carried in the signature and checks for a
 * signed reference to it. The result is computed once and cached.
 *
 * <p>ETSI TS 101 733 V2.2.1 (2013-04), 5.6.3 Signature Verification Process:
 * ...the public key from the first certificate identified in the sequence of certificate
 * identifiers from SigningCertificate shall be the key used to verify the digital signature.
 *
 * <p>TODO (Bob 28.05.2014) The position of the signing certificate must be clarified
 *
 * <p>The candidate is first picked with {@code SignerId.match}, which compares identifiers only;
 * the signing-certificate attribute (v1 or v2) found in the signed attributes is then handed to
 * the matching verify method.
 *
 * @return the candidates for the signing certificate; every certificate examined before a match
 *         is included
 */
@Override
public CandidatesForSigningCertificate getCandidatesForSigningCertificate() {

    // Cached from an earlier call.
    if (candidatesForSigningCertificate != null) {
        return candidatesForSigningCertificate;
    }
    LOG.debug("--> Searching the signing certificate...");
    candidatesForSigningCertificate = new CandidatesForSigningCertificate();

    final Collection<CertificateToken> embeddedCertificates = getCertificateSource().getKeyInfoCertificates();
    final SignerId sid = signerInformation.getSID();
    for (final CertificateToken token : embeddedCertificates) {

        final SigningCertificateValidity candidate = new SigningCertificateValidity(token);
        candidatesForSigningCertificate.add(candidate);

        // Identifier comparison only: the first certificate the SID selects wins.
        if (sid.match(DSSUtils.getX509CertificateHolder(token))) {

            this.signingCertificateValidity = candidate;
            break;
        }
    }
    if (this.signingCertificateValidity == null) {

        LOG.debug("--> Signing certificate not found: " + sid);
        return candidatesForSigningCertificate;
    }

    final IssuerSerial issuerSerial = DSSUtils
            .getIssuerSerial(this.signingCertificateValidity.getCertificateToken());
    final BigInteger serialNumber = issuerSerial.getSerial().getValue();
    final GeneralNames issuerName = issuerSerial.getIssuer();

    final AttributeTable signedAttributes = getSignedAttributes(signerInformation);
    final Attribute essV1 = signedAttributes.get(PKCSObjectIdentifiers.id_aa_signingCertificate);
    if (essV1 == null) {

        // The v2 attribute is looked up only when v1 is absent.
        final Attribute essV2 = signedAttributes.get(PKCSObjectIdentifiers.id_aa_signingCertificateV2);
        if (essV2 == null) {

            // The certificate was selected by SID alone; nothing in the signed attributes refers to it.
            LOG.debug("--> There is no signed reference to the signing certificate: "
                    + this.signingCertificateValidity.getCertificateToken().getAbbreviation());
        } else {

            this.signingCertificateValidity.setAttributePresent(true);
            verifySigningCertificateV2(serialNumber, issuerName, essV2);
        }
    } else {

        this.signingCertificateValidity.setAttributePresent(true);
        verifySigningCertificateV1(serialNumber, issuerName, essV1);
    }
    return candidatesForSigningCertificate;
}

From source file:eu.europa.esig.dss.cades.validation.CAdESSignature.java

License:Open Source License

/**
 * Finds the signing certificate among the certificates carried in the signature and checks the
 * signed references to it. The result is computed once and cached.
 *
 * <p>ETSI TS 101 733 V2.2.1 (2013-04), 5.6.3 Signature Verification Process:
 * ...the public key from the first certificate identified in the sequence
 * of certificate identifiers from SigningCertificate shall be the key used
 * to verify the digital signature.
 *
 * <p>The candidate is picked with {@code SignerId.match}, an identifier comparison only. Both
 * failure cases (no match, no valid signed reference) are logged at WARN and the candidates are
 * still returned, so callers must inspect the result rather than rely on an exception.
 *
 * @return the candidates for the signing certificate; every certificate examined before a match
 *         is included
 */
@Override
public CandidatesForSigningCertificate getCandidatesForSigningCertificate() {
    // Cached from an earlier call.
    if (candidatesForSigningCertificate != null) {
        return candidatesForSigningCertificate;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Searching the signing certificate...");
    }
    candidatesForSigningCertificate = new CandidatesForSigningCertificate();

    final Collection<CertificateToken> embeddedCertificates = getCertificateSource().getKeyInfoCertificates();
    final SignerId signerId = signerInformation.getSID();
    for (final CertificateToken token : embeddedCertificates) {

        final CertificateValidity candidate = new CertificateValidity(token);
        candidatesForSigningCertificate.add(candidate);

        // Identifier comparison only: the first certificate the SID selects wins.
        if (signerId.match(DSSASN1Utils.getX509CertificateHolder(token))) {

            this.signingCertificateValidity = candidate;
            break;
        }
    }

    if (this.signingCertificateValidity != null) {
        if (!verifySignedReferencesToSigningCertificate()) {
            LOG.warn("There is no valid signed reference to the signing certificate: "
                    + this.signingCertificateValidity.getCertificateToken().getAbbreviation());
        }
    } else {
        LOG.warn("Signing certificate not found: " + signerId.getIssuer() + " " + signerId.getSerialNumber());
    }
    return candidatesForSigningCertificate;
}

From source file:net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectParser.java

License:BSD License

/**
 * Checks one CMS SignerInfo against the RPKI signed-object profile and against the given
 * certificate, reporting each check to {@code validationResult}.
 *
 * <p>The return value reflects only the signed-attributes presence check: the method returns
 * {@code false} when {@code rejectIfNull} on the signed attributes returns {@code false}, and
 * {@code true} in every other case. The outcome of the algorithm checks and of the signer-id
 * match is passed to {@code validationResult} and is not part of the return value, so callers
 * have to consult {@code validationResult} as well.
 *
 * @param signer the SignerInfo taken from the CMS object
 * @param certificate the certificate the signer identifier is expected to select
 * @return {@code false} if the signed attributes are missing, {@code true} otherwise
 * @throws AbstractX509CertificateWrapperException if the certificate cannot be encoded
 */
private boolean verifySigner(SignerInformation signer, X509Certificate certificate) {
    final boolean digestAlgorithmAllowed = DIGEST_ALGORITHM_OID.equals(signer.getDigestAlgOID());
    validationResult.rejectIfFalse(digestAlgorithmAllowed, CMS_SIGNER_INFO_DIGEST_ALGORITHM);

    final boolean encryptionAlgorithmAllowed = RSA_ENCRYPTION_OID.equals(signer.getEncryptionAlgOID())
            || SHA256WITHRSA_ENCRYPTION_OID.equals(signer.getEncryptionAlgOID());
    validationResult.rejectIfFalse(encryptionAlgorithmAllowed, ENCRYPTION_ALGORITHM);

    // Without signed attributes the remaining attribute checks cannot run.
    final boolean attributesCheckPassed = validationResult.rejectIfNull(signer.getSignedAttributes(),
            SIGNED_ATTRS_PRESENT);
    if (!attributesCheckPassed) {
        return false;
    }
    validationResult.rejectIfNull(signer.getSignedAttributes().get(CMSAttributes.contentType),
            CONTENT_TYPE_ATTR_PRESENT);
    validationResult.rejectIfNull(signer.getSignedAttributes().get(CMSAttributes.messageDigest),
            MSG_DIGEST_ATTR_PRESENT);

    // http://tools.ietf.org/html/rfc6488#section-2.1.6.4
    // MUST include contentType and messageDigest
    // MAY include signingTime, binary-signing-time, or both
    // Other attributes MUST NOT be included

    // Check if the signedAttributes are allowed
    verifyOptionalSignedAttributes(signer);

    // Identifier comparison only: this ties the SignerInfo to the certificate by its id and
    // does not verify the signature value.
    final SignerId signerId = signer.getSID();
    final JcaX509CertificateHolder certificateHolder;
    try {
        certificateHolder = new JcaX509CertificateHolder(certificate);
    } catch (CertificateEncodingException e) {
        throw new AbstractX509CertificateWrapperException(e);
    }
    validationResult.rejectIfFalse(signerId.match(certificateHolder), SIGNER_ID_MATCH);

    return true;
}

From source file:test.unit.be.fedict.eid.applet.service.signer.AbstractCMSSignatureServiceTest.java

License:Open Source License

/**
 * Drives the two-step preSign/postSign flow of the CMS signature service and checks that the
 * resulting CMS structure verifies against the test key pair.
 *
 * <p>The signature value is produced in the test itself, between the two steps; the private key
 * is never passed to the service.
 *
 * @throws Exception on any failure in key generation, signing or CMS parsing
 */
@Test
public void testCMSSignature() throws Exception {
    // setup
    byte[] payload = "hello world".getBytes();
    String description = "Test CMS Signature";
    CMSTestSignatureService signatureService = new CMSTestSignatureService(payload, description);

    KeyPair signingKeys = PkiTestUtils.generateKeyPair();
    DateTime validFrom = new DateTime();
    DateTime validUntil = validFrom.plusYears(1);
    X509Certificate signerCertificate = PkiTestUtils.generateCertificate(signingKeys.getPublic(), "CN=Test",
            validFrom, validUntil, null, signingKeys.getPrivate(), true, 0, null, null,
            new KeyUsage(KeyUsage.nonRepudiation));
    List<X509Certificate> chain = new LinkedList<X509Certificate>();
    chain.add(signerCertificate);

    // operate
    DigestInfo digestInfo = signatureService.preSign(null, chain, null, null, null);

    // verify
    assertNotNull(digestInfo);
    byte[] digestValue = digestInfo.digestValue;
    LOG.debug("digest value: " + Hex.encodeHexString(digestValue));
    assertNotNull(digestValue);
    assertEquals(description, digestInfo.description);
    // NOTE(review): the service is expected to pick SHA-1 here; SHA-1 is not collision
    // resistant, so this fixture value should not be carried over to new signature profiles.
    assertEquals("SHA1", digestInfo.digestAlgo);

    // Hand-built PKCS#1 v1.5 signature: DigestInfo prefix + digest, then the RSA private-key
    // operation with PKCS#1 padding.
    Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    rsa.init(Cipher.ENCRYPT_MODE, signingKeys.getPrivate());
    byte[] encodedDigestInfo = ArrayUtils.addAll(PkiTestUtils.SHA1_DIGEST_INFO_PREFIX, digestValue);
    byte[] signatureValue = rsa.doFinal(encodedDigestInfo);
    LOG.debug("signature value: " + Hex.encodeHexString(signatureValue));

    // operate
    signatureService.postSign(signatureValue, chain);

    // verify
    byte[] cmsSignature = signatureService.getCMSSignature();
    CMSSignedData signedData = new CMSSignedData(cmsSignature);
    SignerInformationStore signers = signedData.getSignerInfos();
    for (Iterator<SignerInformation> it = signers.getSigners().iterator(); it.hasNext();) {
        SignerInformation signer = it.next();
        SignerId signerId = signer.getSID();
        // match() only checks that the SID selects the certificate; verify() is the
        // cryptographic check.
        // NOTE(review): passing a java.security.cert.X509Certificate to match() looks like the
        // legacy BouncyCastle CMS API; the holder-based API expects an X509CertificateHolder -
        // confirm against the BouncyCastle version in use.
        assertTrue(signerId.match(signerCertificate));
        assertTrue(signer.verify(signingKeys.getPublic(), BouncyCastleProvider.PROVIDER_NAME));
    }
    byte[] recovered = (byte[]) signedData.getSignedContent().getContent();
    assertArrayEquals(payload, recovered);
}

From source file:test.unit.be.fedict.eid.applet.service.signer.CMSTest.java

License:Open Source License

/**
 * CMS signature with external data and external certificate. The CMS only
 * contains the signature and some certificate selector.
 *
 * <p>Because neither the content nor the certificate travels in the CMS, the verifier has to
 * supply both: the content when parsing, the public key when verifying.
 *
 * @throws Exception on any failure in key generation, signing or CMS parsing
 */
@Test
public void testBasicCmsSignature() throws Exception {
    // setup
    KeyPair signingKeys = PkiTestUtils.generateKeyPair();
    DateTime validFrom = new DateTime();
    DateTime validUntil = validFrom.plusMonths(1);
    X509Certificate signerCertificate = generateSelfSignedCertificate(signingKeys, "CN=Test", validFrom,
            validUntil);
    byte[] payload = "hello world".getBytes();

    // operate
    CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
    // NOTE(review): DIGEST_SHA1 is a fixture choice; SHA-1 is not collision resistant.
    generator.addSigner(signingKeys.getPrivate(), signerCertificate, CMSSignedDataGenerator.DIGEST_SHA1);
    CMSProcessable content = new CMSProcessableByteArray(payload);
    // false: the content is not embedded in the CMS.
    CMSSignedData generated = generator.generate(content, false, (String) null);

    byte[] cmsSignature = generated.getEncoded();
    LOG.debug("CMS signature: " + ASN1Dump.dumpAsString(new ASN1StreamParser(cmsSignature).readObject()));

    // verify
    CMSSignedData parsed = new CMSSignedData(content, cmsSignature);
    SignerInformationStore signers = parsed.getSignerInfos();
    for (Iterator<SignerInformation> it = signers.getSigners().iterator(); it.hasNext();) {
        SignerInformation signer = it.next();
        SignerId signerId = signer.getSID();
        LOG.debug("signer: " + signerId);
        // match() only checks that the SID selects the certificate; verify() is the
        // cryptographic check.
        // NOTE(review): match() on a java.security.cert.X509Certificate looks like the legacy
        // BouncyCastle CMS API - confirm against the BouncyCastle version in use.
        assertTrue(signerId.match(signerCertificate));
        assertTrue(signer.verify(signingKeys.getPublic(), BouncyCastleProvider.PROVIDER_NAME));
    }
    LOG.debug("content type: " + parsed.getSignedContentTypeOID());
}

From source file:test.unit.be.fedict.eid.applet.service.signer.CMSTest.java

License:Open Source License

/**
 * CMS signature with embedded data and external certificate. The CMS only
 * contains the original content, signature and some certificate selector.
 *
 * <p>The content is read back from the parsed CMS and compared with the input; the public key
 * is still supplied by the verifier.
 *
 * @throws Exception on any failure in key generation, signing or CMS parsing
 */
@Test
public void testCmsSignatureWithContent() throws Exception {
    // setup
    KeyPair signingKeys = PkiTestUtils.generateKeyPair();
    DateTime validFrom = new DateTime();
    DateTime validUntil = validFrom.plusMonths(1);
    X509Certificate signerCertificate = generateSelfSignedCertificate(signingKeys, "CN=Test", validFrom,
            validUntil);
    byte[] payload = "hello world".getBytes();

    // operate
    CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
    // NOTE(review): DIGEST_SHA1 is a fixture choice; SHA-1 is not collision resistant.
    generator.addSigner(signingKeys.getPrivate(), signerCertificate, CMSSignedDataGenerator.DIGEST_SHA1);
    CMSProcessable content = new CMSProcessableByteArray(payload);
    // true: the content is embedded in the CMS.
    CMSSignedData generated = generator.generate(content, true, (String) null);

    byte[] cmsSignature = generated.getEncoded();
    LOG.debug("CMS signature: " + ASN1Dump.dumpAsString(new ASN1StreamParser(cmsSignature).readObject()));

    // verify
    CMSSignedData parsed = new CMSSignedData(cmsSignature);
    SignerInformationStore signers = parsed.getSignerInfos();
    for (Iterator<SignerInformation> it = signers.getSigners().iterator(); it.hasNext();) {
        SignerInformation signer = it.next();
        SignerId signerId = signer.getSID();
        LOG.debug("signer: " + signerId);
        // match() only checks that the SID selects the certificate; verify() is the
        // cryptographic check.
        // NOTE(review): match() on a java.security.cert.X509Certificate looks like the legacy
        // BouncyCastle CMS API - confirm against the BouncyCastle version in use.
        assertTrue(signerId.match(signerCertificate));
        assertTrue(signer.verify(signingKeys.getPublic(), BouncyCastleProvider.PROVIDER_NAME));
    }
    byte[] recovered = (byte[]) parsed.getSignedContent().getContent();
    assertArrayEquals(payload, recovered);
    LOG.debug("content type: " + parsed.getSignedContentTypeOID());
}

From source file:test.unit.be.fedict.eid.applet.service.signer.CMSTest.java

License:Open Source License

/**
 * CMS signature with external data and embedded certificate. The CMS only
 * contains the signature, signing certificate and some certificate
 * selector.
 *
 * <p>The embedded certificate is fetched from the parsed CMS with the signer id as selector and
 * compared with the certificate that was used for signing.
 *
 * @throws Exception on any failure in key generation, signing or CMS parsing
 */
@Test
public void testCmsSignatureWithCertificate() throws Exception {
    // setup
    KeyPair signingKeys = PkiTestUtils.generateKeyPair();
    DateTime validFrom = new DateTime();
    DateTime validUntil = validFrom.plusMonths(1);
    X509Certificate signerCertificate = generateSelfSignedCertificate(signingKeys, "CN=Test", validFrom,
            validUntil);
    byte[] payload = "hello world".getBytes();

    // operate
    CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
    /*
     * addSigner requires the certificate to be able to calculate the key
     * selector.
     */
    // NOTE(review): DIGEST_SHA1 is a fixture choice; SHA-1 is not collision resistant.
    generator.addSigner(signingKeys.getPrivate(), signerCertificate, CMSSignedDataGenerator.DIGEST_SHA1);
    List<X509Certificate> certificatesToEmbed = new LinkedList<X509Certificate>();
    certificatesToEmbed.add(signerCertificate);
    CertStore storeToEmbed = CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(certificatesToEmbed));
    generator.addCertificatesAndCRLs(storeToEmbed);
    CMSProcessable content = new CMSProcessableByteArray(payload);
    // false: the content is not embedded in the CMS.
    CMSSignedData generated = generator.generate(content, false, (String) null);

    byte[] cmsSignature = generated.getEncoded();
    LOG.debug("CMS signature: " + ASN1Dump.dumpAsString(new ASN1StreamParser(cmsSignature).readObject()));

    // verify
    CMSSignedData parsed = new CMSSignedData(content, cmsSignature);
    CertStore embeddedStore = parsed.getCertificatesAndCRLs("Collection", BouncyCastleProvider.PROVIDER_NAME);
    SignerInformationStore signers = parsed.getSignerInfos();
    for (Iterator<SignerInformation> it = signers.getSigners().iterator(); it.hasNext();) {
        SignerInformation signer = it.next();
        SignerId signerId = signer.getSID();
        LOG.debug("signer: " + signerId);
        // match() only checks that the SID selects the certificate; verify() is the
        // cryptographic check.
        // NOTE(review): match() on a java.security.cert.X509Certificate and using the SignerId
        // as a CertStore selector look like the legacy BouncyCastle CMS API - confirm against
        // the BouncyCastle version in use.
        assertTrue(signerId.match(signerCertificate));
        assertTrue(signer.verify(signingKeys.getPublic(), BouncyCastleProvider.PROVIDER_NAME));
        // A certificate taken from the CMS is attacker-supplied input outside this test; here
        // it is only compared with the known signing certificate.
        X509Certificate storedCert = (X509Certificate) embeddedStore.getCertificates(signerId).iterator()
                .next();
        assertEquals(signerCertificate, storedCert);
    }
    LOG.debug("content type: " + parsed.getSignedContentTypeOID());
}

From source file:test.unit.be.fedict.eid.applet.service.signer.CMSTest.java

License:Open Source License

/**
 * Runs CMS generation twice through the test provider: the first pass is used to obtain the
 * digest value, the second pass produces the CMS after a signature value computed in the test
 * has been handed to {@code SHA1WithRSASignature}.
 *
 * <p>NOTE(review): the digest and signature values travel through static accessors on
 * {@code SHA1WithRSASignature}; presumably {@code CMSTestProvider} routes the signing operation
 * to that class - neither is shown here, confirm before reusing the pattern.
 *
 * @throws Exception on any failure in key generation, signing or CMS parsing
 */
@Test
public void testRetrieveCMSDigestValue() throws Exception {
    // setup
    KeyPair signingKeys = PkiTestUtils.generateKeyPair();
    DateTime validFrom = new DateTime();
    DateTime validUntil = validFrom.plusMonths(1);
    X509Certificate signerCertificate = generateSelfSignedCertificate(signingKeys, "CN=Test", validFrom,
            validUntil);
    byte[] payload = "hello world".getBytes();

    // operate
    // First pass: the generated CMS is discarded, only the captured digest is used.
    CMSSignedDataGenerator digestPassGenerator = new CMSSignedDataGenerator();
    // NOTE(review): DIGEST_SHA1 is a fixture choice; SHA-1 is not collision resistant.
    digestPassGenerator.addSigner(signingKeys.getPrivate(), signerCertificate,
            CMSSignedDataGenerator.DIGEST_SHA1);
    CMSProcessable digestPassContent = new CMSProcessableByteArray(payload);

    CMSTestProvider digestPassProvider = new CMSTestProvider();
    digestPassGenerator.generate(digestPassContent, false, digestPassProvider);

    byte[] digestValue = SHA1WithRSASignature.getDigestValue();
    assertNotNull(digestValue);
    // Hand-built PKCS#1 v1.5 signature: DigestInfo prefix + digest, then the RSA private-key
    // operation with PKCS#1 padding.
    Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    rsa.init(Cipher.ENCRYPT_MODE, signingKeys.getPrivate());
    byte[] encodedDigestInfo = ArrayUtils.addAll(PkiTestUtils.SHA1_DIGEST_INFO_PREFIX, digestValue);
    byte[] signatureValue = rsa.doFinal(encodedDigestInfo);
    SHA1WithRSASignature.setSignatureValue(signatureValue);

    // Second pass: fresh generator, content and provider.
    CMSSignedDataGenerator signingPassGenerator = new CMSSignedDataGenerator();
    signingPassGenerator.addSigner(signingKeys.getPrivate(), signerCertificate,
            CMSSignedDataGenerator.DIGEST_SHA1);
    CMSProcessable signingPassContent = new CMSProcessableByteArray(payload);
    CMSTestProvider signingPassProvider = new CMSTestProvider();

    CMSSignedData generated = signingPassGenerator.generate(signingPassContent, false, signingPassProvider);

    byte[] cmsSignature = generated.getEncoded();
    LOG.debug("CMS signature: " + ASN1Dump.dumpAsString(new ASN1StreamParser(cmsSignature).readObject()));

    // verify
    CMSProcessable contentToVerify = new CMSProcessableByteArray(payload);
    CMSSignedData parsed = new CMSSignedData(contentToVerify, cmsSignature);
    SignerInformationStore signers = parsed.getSignerInfos();
    for (Iterator<SignerInformation> it = signers.getSigners().iterator(); it.hasNext();) {
        SignerInformation signer = it.next();
        SignerId signerId = signer.getSID();
        LOG.debug("signer: " + signerId);
        // match() only checks that the SID selects the certificate; verify() is the
        // cryptographic check.
        // NOTE(review): match() on a java.security.cert.X509Certificate looks like the legacy
        // BouncyCastle CMS API - confirm against the BouncyCastle version in use.
        assertTrue(signerId.match(signerCertificate));
        assertTrue(signer.verify(signingKeys.getPublic(), BouncyCastleProvider.PROVIDER_NAME));
    }
    LOG.debug("content type: " + parsed.getSignedContentTypeOID());
}