List of usage examples for org.bouncycastle.cms SignerInfoGeneratorBuilder SignerInfoGeneratorBuilder
public SignerInfoGeneratorBuilder(DigestCalculatorProvider digestProvider)
From source file:org.dihedron.crypto.operations.sign.pkcs7.PKCS7Signer.java
License:Open Source License
/** * Constructor.//from w w w. j a v a 2 s . c o m * * @param alias * the alias of the certificate to be used for signing. * @param keyring * the key ring containing the private key used for signing. * @param provider * the security provider backing up the key ring functionalities. * @param algorithm * the digest and encryption algorithm combination used to create the * signature. * @throws CryptoException * if any among alias, key ring and provider is null. * @throws KeyStoreException * @throws CertificateEncodingException * @throws CertificateNotYetValidException * @throws CertificateExpiredException */ public PKCS7Signer(String alias, KeyRing keyring, Provider provider, SignatureAlgorithm algorithm) throws CryptoException, KeyStoreException, CertificateEncodingException, CertificateNotYetValidException, CertificateExpiredException { super(alias, keyring, provider); logger.debug("creating PKCS#7 signer with '{}' signature algorithm", algorithm); try { logger.info("signing with alias '{}'", alias); // retrieve key and certificate Key key = keyring.getPrivateKey(alias); X509Certificate x509certificate = (X509Certificate) keyring.getCertificate(alias); // this may throw a CertificateExpiredException or CertificateNotYetValidException x509certificate.checkValidity(); logger.info("certificate is valid at current date"); // TODO: check CRL logger.info("certificate is active at current date (CRL check successful)"); // prepare the certificates store List<Certificate> certificates = new ArrayList<>(); certificates.add(x509certificate); Store store = new JcaCertStore(certificates); logger.info("certificate store is ready"); ContentSigner signer = new JcaContentSignerBuilder(algorithm.toBouncyCastleCode()) .setProvider((provider instanceof AutoCloseableProvider) ? ((AutoCloseableProvider) provider).getWrappedProvider() : provider) .build((PrivateKey) key); DigestCalculatorProvider digest = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build(); SignerInfoGenerator signerinfo = new SignerInfoGeneratorBuilder(digest).setDirectSignature(false) // include signed attributes; if true it signs data only .setSignedAttributeGenerator( new PKCS7AttributeTableGenerator(algorithm.getDigestAlgorithm(), x509certificate)) // this generates the attributes that will be signed along with the data .build(signer, new JcaX509CertificateHolder(x509certificate)); // and then we build the generator logger.info("signer info generator is ready"); generator = new CMSSignedDataStreamGenerator(); generator.addSignerInfoGenerator(signerinfo); generator.addCertificates(store); //generator.addCRLs(crlStore); logger.debug("signed data stream generator for PKCS#7 is ready"); } catch (OperatorCreationException e) { logger.error("error creating operator", e); throw new CryptoException("error creating signing operator (BouncyCastle)", e); } catch (CertificateEncodingException e) { logger.error("invalid certificate encoding", e); throw e; } catch (CertificateExpiredException e) { logger.error("expired certificate", e); throw e; } catch (CertificateNotYetValidException e) { logger.error("certificate is not yet valid (may still need to be activated?)", e); throw e; } catch (CMSException e) { logger.error("error adding certificates to signature generator", e); throw new CryptoException("CMS error", e); } }
From source file:org.dihedron.crypto.operations.sign.pkcs7.PKCS7SigningStream.java
License:Open Source License
/** * Constructor./* w w w. j a v a2s . co m*/ * * @param output * the output stream to which data will be eventually written. * @param configurator * the output signing stream configurator. * @throws CryptoException * if any of the input parameters is null. * @throws CertificateNotYetValidException * @throws CertificateExpiredException * @throws GeneralSecurityException */ public PKCS7SigningStream(OutputStream output, SigningStreamConfigurator configurator) throws CryptoException, CertificateExpiredException, CertificateNotYetValidException, CertificateEncodingException, GeneralSecurityException { super(output, configurator); logger.info( "creating PKCS#7 signing filter output stream with '{}' signature algorithm, using certificate alias '{}'", configurator.getAlgorithm(), configurator.getAlias()); try { logger.info("signing with alias '{}'", configurator.getAlias()); // retrieve key, certificate and provider (for simplicity) Key key = configurator.getPrivateKey(); X509Certificate x509certificate = configurator.getCertificate(); Provider provider = configurator.getProvider(); SignatureAlgorithm algorithm = configurator.getAlgorithm(); // prepare the certificates store List<Certificate> certificates = new ArrayList<>(); certificates.add(x509certificate); Store store = new JcaCertStore(certificates); logger.info("certificate store is ready"); ContentSigner signer = new JcaContentSignerBuilder(algorithm.toBouncyCastleCode()) .setProvider((provider instanceof AutoCloseableProvider) ? ((AutoCloseableProvider) provider).getWrappedProvider() : provider) .build((PrivateKey) key); DigestCalculatorProvider digest = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build(); SignerInfoGenerator signerinfo = new SignerInfoGeneratorBuilder(digest).setDirectSignature(false) // include signed attributes; if true it signs data only .setSignedAttributeGenerator( new PKCS7AttributeTableGenerator(algorithm.getDigestAlgorithm(), x509certificate)) // this generates the attributes that will be signed along with the data .build(signer, new JcaX509CertificateHolder(x509certificate)); // and then we build the generator logger.info("signer info generator is ready"); generator = new CMSSignedDataStreamGenerator(); generator.addSignerInfoGenerator(signerinfo); generator.addCertificates(store); //generator.addCRLs(crlStore); logger.debug("signed data stream generator for PKCS#7 is ready"); stream = generator.open(output, configurator.isEncapsulateData()); } catch (OperatorCreationException e) { logger.error("error creating operator", e); throw new CryptoException("error creating signing operator (BouncyCastle)", e); } catch (CertificateEncodingException e) { logger.error("invalid certificate encoding", e); throw e; } catch (CMSException e) { logger.error("error adding certificates to signature generator", e); throw new CryptoException("CMS error", e); } catch (IOException e) { logger.error("error establishing signature generator wrapper around output stream", e); throw new CryptoException("Error establishing signature generator wrapper around output stream", e); } }
From source file:org.jscep.server.ScepServlet.java
License:Open Source License
private void doGetNextCaCert(final HttpServletRequest req, final HttpServletResponse res) throws Exception { res.setHeader("Content-Type", "application/x-x509-next-ca-cert"); List<X509Certificate> certs = getNextCaCertificate(req.getParameter(MSG_PARAM)); if (certs.size() == 0) { res.sendError(HttpServletResponse.SC_NOT_IMPLEMENTED, "GetNextCACert Not Supported"); } else {/*from w w w . j av a 2 s.c om*/ CMSSignedDataGenerator generator = new CMSSignedDataGenerator(); JcaCertStore store; try { store = new JcaCertStore(certs); } catch (CertificateEncodingException e) { IOException ioe = new IOException(); ioe.initCause(e); throw ioe; } generator.addCertificates(store); DigestCalculatorProvider digestProvider = new JcaDigestCalculatorProviderBuilder().build(); SignerInfoGeneratorBuilder infoGenBuilder = new SignerInfoGeneratorBuilder(digestProvider); X509CertificateHolder certHolder = new X509CertificateHolder(getRecipient().getEncoded()); ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA").build(getRecipientKey()); SignerInfoGenerator infoGen = infoGenBuilder.build(contentSigner, certHolder); generator.addSignerInfoGenerator(infoGen); CMSSignedData degenerateSd = generator.generate(new CMSAbsentContent()); byte[] bytes = degenerateSd.getEncoded(); res.getOutputStream().write(bytes); res.getOutputStream().close(); } }
From source file:org.opendaylight.snbi.southplugin.CertificateMgmt.java
License:Open Source License
public static byte[] sign(Certificate cert, KeyPair pair) { ContentSigner signGen = null;//from w w w . jav a 2s.c o m X509CertificateHolder certHolder = new X509CertificateHolder(cert); try { signGen = new JcaContentSignerBuilder(CertManagerConstants.CERT_ALGORITHM.SHA1withRSA.toString()) .setProvider(CertManagerConstants.BC).build(pair.getPrivate()); } catch (OperatorCreationException e) { e.printStackTrace(); return null; } CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); try { gen.addSignerInfoGenerator( new SignerInfoGeneratorBuilder(new BcDigestCalculatorProvider()).build(signGen, certHolder)); } catch (OperatorCreationException e) { e.printStackTrace(); return null; } return certHolder.getSignature(); }
From source file:org.signserver.module.tsa.MSAuthCodeTimeStampSigner.java
License:Open Source License
/** * The main method performing the actual timestamp operation. * Expects the signRequest to be a GenericSignRequest contining a * TimeStampRequest//from w w w . j a v a2s. com * * @param signRequest * @param requestContext * @return the sign response * @see org.signserver.server.IProcessable#processData(org.signserver.common.ProcessRequest, org.signserver.common.RequestContext) */ public ProcessResponse processData(final ProcessRequest signRequest, final RequestContext requestContext) throws IllegalRequestException, CryptoTokenOfflineException, SignServerException { // Log values final LogMap logMap = LogMap.getInstance(requestContext); try { final ISignRequest sReq = (ISignRequest) signRequest; final byte[] requestbytes = (byte[]) sReq.getRequestData(); if (requestbytes == null || requestbytes.length == 0) { LOG.error("Request must contain data"); throw new IllegalRequestException("Request must contain data"); } // Check that the request contains a valid TimeStampRequest object. if (!(signRequest instanceof GenericSignRequest)) { final IllegalRequestException exception = new IllegalRequestException( "Recieved request wasn't an expected GenericSignRequest. "); LOG.error("Received request wasn't an expected GenericSignRequest"); throw exception; } if (!((sReq.getRequestData() instanceof TimeStampRequest) || (sReq.getRequestData() instanceof byte[]))) { final IllegalRequestException exception = new IllegalRequestException( "Recieved request data wasn't an expected TimeStampRequest. "); LOG.error("Received request data wasn't an expected TimeStampRequest"); throw exception; } if (!validChain) { LOG.error("Certificate chain not correctly configured"); throw new CryptoTokenOfflineException("Certificate chain not correctly configured"); } ASN1Primitive asn1obj = ASN1Primitive.fromByteArray(Base64.decode(requestbytes)); ASN1Sequence asn1seq = ASN1Sequence.getInstance(asn1obj); if (asn1seq.size() != 2) { LOG.error("Wrong structure, should be an ASN1Sequence with 2 elements"); throw new IllegalRequestException("Wrong structure, should be an ASN1Sequence with 2 elements"); } ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(asn1seq.getObjectAt(0)); ASN1Sequence asn1seq1 = ASN1Sequence.getInstance(asn1seq.getObjectAt(1)); final ContentInfo ci = new ContentInfo(asn1seq1); if (!oid.getId().equals(msOID)) { LOG.error("Invalid OID in request: " + oid.getId()); throw new IllegalRequestException("Invalid OID in request: " + oid.getId()); } if (asn1seq1.size() != 2) { LOG.error( "Wrong structure, should be an ASN1Sequence with 2 elements as the value of element 0 in the outer ASN1Sequence"); throw new IllegalRequestException( "Wrong structure, should be an ASN1Sequence with 2 elements as the value of element 0 in the outer ASN1Sequence"); } oid = ASN1ObjectIdentifier.getInstance(asn1seq1.getObjectAt(0)); if (!oid.getId().equals(dataOID)) { throw new IllegalRequestException("Wrong contentType OID: " + oid.getId()); } ASN1TaggedObject tag = ASN1TaggedObject.getInstance(asn1seq1.getObjectAt(1)); if (tag.getTagNo() != 0) { throw new IllegalRequestException("Wrong tag no (should be 0): " + tag.getTagNo()); } ASN1OctetString octets = ASN1OctetString.getInstance(tag.getObject()); byte[] content = octets.getOctets(); final ITimeSource timeSrc; final Date date; byte[] der; ICryptoInstance crypto = null; try { crypto = acquireCryptoInstance(ICryptoToken.PURPOSE_SIGN, signRequest, requestContext); // get signing cert certificate chain and private key List<Certificate> certList = this.getSigningCertificateChain(crypto); if (certList == null) { throw new SignServerException("Null certificate chain. This signer needs a certificate."); } Certificate[] certs = (Certificate[]) certList.toArray(new Certificate[certList.size()]); // Sign X509Certificate x509cert = (X509Certificate) certs[0]; timeSrc = getTimeSource(); if (LOG.isDebugEnabled()) { LOG.debug("TimeSource: " + timeSrc.getClass().getName()); } date = timeSrc.getGenTime(); if (date == null) { throw new ServiceUnavailableException("Time source is not available"); } ASN1EncodableVector signedAttributes = new ASN1EncodableVector(); signedAttributes.add(new Attribute(CMSAttributes.signingTime, new DERSet(new Time(date)))); if (includeSigningCertificateAttribute) { try { final DERInteger serial = new DERInteger(x509cert.getSerialNumber()); final X509CertificateHolder certHolder = new X509CertificateHolder(x509cert.getEncoded()); final X500Name issuer = certHolder.getIssuer(); final GeneralName name = new GeneralName(issuer); final GeneralNames names = new GeneralNames(name); final IssuerSerial is = new IssuerSerial(names, ASN1Integer.getInstance(serial)); final ESSCertID essCertid = new ESSCertID( MessageDigest.getInstance("SHA-1").digest(x509cert.getEncoded()), is); signedAttributes.add(new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificate, new DERSet(new SigningCertificate(essCertid)))); } catch (NoSuchAlgorithmException e) { LOG.error("Can't find SHA-1 implementation: " + e.getMessage()); throw new SignServerException("Can't find SHA-1 implementation", e); } } AttributeTable signedAttributesTable = new AttributeTable(signedAttributes); DefaultSignedAttributeTableGenerator signedAttributeGenerator = new DefaultSignedAttributeTableGenerator( signedAttributesTable); final String provider = cryptoToken.getProvider(ICryptoToken.PROVIDERUSAGE_SIGN); SignerInfoGeneratorBuilder signerInfoBuilder = new SignerInfoGeneratorBuilder( new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()); signerInfoBuilder.setSignedAttributeGenerator(signedAttributeGenerator); JcaContentSignerBuilder contentSigner = new JcaContentSignerBuilder(signatureAlgo); contentSigner.setProvider(provider); final SignerInfoGenerator sig = signerInfoBuilder.build(contentSigner.build(crypto.getPrivateKey()), new X509CertificateHolder(x509cert.getEncoded())); JcaCertStore cs = new JcaCertStore(certList); CMSTypedData cmspba = new CMSProcessableByteArray(content); CMSSignedData cmssd = MSAuthCodeCMSUtils.generate(cmspba, true, Arrays.asList(sig), MSAuthCodeCMSUtils.getCertificatesFromStore(cs), Collections.emptyList(), ci); der = ASN1Primitive.fromByteArray(cmssd.getEncoded()).getEncoded(); } finally { releaseCryptoInstance(crypto, requestContext); } // Log values logMap.put(ITimeStampLogger.LOG_TSA_TIME, String.valueOf(date.getTime())); logMap.put(ITimeStampLogger.LOG_TSA_TIMESOURCE, timeSrc.getClass().getSimpleName()); final String archiveId = createArchiveId(requestbytes, (String) requestContext.get(RequestContext.TRANSACTION_ID)); final GenericSignResponse signResponse; byte[] signedbytes = Base64.encode(der, false); logMap.put(ITimeStampLogger.LOG_TSA_TIMESTAMPRESPONSE_ENCODED, new String(signedbytes)); final Collection<? extends Archivable> archivables = Arrays.asList( new DefaultArchivable(Archivable.TYPE_REQUEST, REQUEST_CONTENT_TYPE, requestbytes, archiveId), new DefaultArchivable(Archivable.TYPE_RESPONSE, RESPONSE_CONTENT_TYPE, signedbytes, archiveId)); if (signRequest instanceof GenericServletRequest) { signResponse = new GenericServletResponse(sReq.getRequestID(), signedbytes, getSigningCertificate(signRequest, requestContext), archiveId, archivables, RESPONSE_CONTENT_TYPE); } else { signResponse = new GenericSignResponse(sReq.getRequestID(), signedbytes, getSigningCertificate(signRequest, requestContext), archiveId, archivables); } // The client can be charged for the request requestContext.setRequestFulfilledByWorker(true); return signResponse; } catch (IOException e) { final IllegalRequestException exception = new IllegalRequestException("IOException: " + e.getMessage(), e); LOG.error("IOException: ", e); logMap.put(ITimeStampLogger.LOG_TSA_EXCEPTION, exception.getMessage()); throw exception; } catch (CMSException e) { final SignServerException exception = new SignServerException(e.getMessage(), e); LOG.error("CMSException: ", e); logMap.put(ITimeStampLogger.LOG_TSA_EXCEPTION, exception.getMessage()); throw exception; } catch (OperatorCreationException e) { final SignServerException exception = new SignServerException(e.getMessage(), e); LOG.error("OperatorCreationException: ", e); logMap.put(ITimeStampLogger.LOG_TSA_EXCEPTION, exception.getMessage()); throw exception; } catch (CertificateEncodingException e) { final SignServerException exception = new SignServerException(e.getMessage(), e); LOG.error("CertificateEncodingException: ", e); logMap.put(ITimeStampLogger.LOG_TSA_EXCEPTION, exception.getMessage()); throw exception; } catch (ArrayIndexOutOfBoundsException e) { // the BC base64 decoder doesn't check the the base64 input length... final IllegalRequestException exception = new IllegalRequestException( "ArrayIndexOutOfBoundsException: " + e.getMessage(), e); LOG.error("ArrayIndexOutOfBoundsException: ", e); logMap.put(ITimeStampLogger.LOG_TSA_EXCEPTION, exception.getMessage()); throw exception; } }
From source file:org.xwiki.crypto.signer.internal.cms.DefaultCMSSignedDataGenerator.java
License:Open Source License
@Override public byte[] generate(byte[] data, CMSSignedDataGeneratorParameters parameters, boolean embedData) throws GeneralSecurityException { CMSSignedDataGenerator generator = new CMSSignedDataGenerator(); Collection<CMSSignerInfo> signersInfo = parameters.getSignatures(); if (!signersInfo.isEmpty()) { // Add existing signatures List<SignerInformation> signers = new ArrayList<SignerInformation>(parameters.getSignatures().size()); for (CMSSignerInfo signerInfo : parameters.getSignatures()) { if (!(signerInfo instanceof BcCMSSignerInfo)) { throw new GeneralSecurityException( "Incompatible pre-calculated signature for this signed data " + "generator"); }//w w w . ja v a 2s . co m signers.add(((BcCMSSignerInfo) signerInfo).getSignerInfo()); } generator.addSigners(new SignerInformationStore(signers)); } try { // Add new signers Collection<CertifyingSigner> signers = parameters.getSigners(); for (CertifyingSigner signer : signers) { if (signer.getAlgorithmIdentifier() == null) { throw new GeneralSecurityException( "Incompatible signer for this signed data generator for subject " + signer.getCertifier().getSubject().getName()); } generator.addSignerInfoGenerator( new SignerInfoGeneratorBuilder((DigestCalculatorProvider) this.digestProvider).build(signer, BcUtils.getX509CertificateHolder(signer.getCertifier()))); } // Add certificates for (CertifiedPublicKey certifiedPublicKey : parameters.getCertificates()) { generator.addCertificate(BcUtils.getX509CertificateHolder(certifiedPublicKey)); } return generator.generate(new CMSProcessableByteArray(data), embedData).getEncoded(); } catch (CMSException e) { throw new GeneralSecurityException("Unable to generate CMS signature", e); } catch (OperatorCreationException e) { throw new GeneralSecurityException("Unable to prepare signers", e); } catch (IOException e) { throw new GeneralSecurityException("Unable to encode signed data", e); } }