List of usage examples for org.bouncycastle.cms SignerInformation verify
public boolean verify(SignerInformationVerifier verifier) throws CMSException
From source file:be.e_contract.mycarenet.certra.CertRAClient.java
License:Open Source License
private byte[] getCmsData(byte[] cms) throws Exception { CMSSignedData cmsSignedData = new CMSSignedData(cms); SignerInformationStore signers = cmsSignedData.getSignerInfos(); SignerInformation signer = (SignerInformation) signers.getSigners().iterator().next(); SignerId signerId = signer.getSID(); Store certificateStore = cmsSignedData.getCertificates(); Collection<X509CertificateHolder> certificateCollection = certificateStore.getMatches(signerId); X509CertificateHolder certificateHolder = certificateCollection.iterator().next(); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); X509Certificate certificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(certificateHolder.getEncoded())); // we trust SSL here, no need for explicit verification of CMS signing // certificate LOG.debug("CMS signing certificate subject: " + certificate.getSubjectX500Principal()); SignerInformationVerifier signerInformationVerifier = new JcaSimpleSignerInfoVerifierBuilder() .build(certificate);// w ww . j a v a 2s . c o m boolean signatureResult = signer.verify(signerInformationVerifier); if (false == signatureResult) { throw new SecurityException("woops"); } CMSTypedData signedContent = cmsSignedData.getSignedContent(); byte[] responseData = (byte[]) signedContent.getContent(); return responseData; }
From source file:be.e_contract.mycarenet.etee.EncryptionToken.java
License:Open Source License
private X509Certificate parseEncryptionCertificate(byte[] encodedEncryptionToken) throws CMSException, CertificateException, IOException, OperatorCreationException { CMSSignedData cmsSignedData = new CMSSignedData(encodedEncryptionToken); // get signer identifier SignerInformationStore signers = cmsSignedData.getSignerInfos(); SignerInformation signer = (SignerInformation) signers.getSigners().iterator().next(); SignerId signerId = signer.getSID(); // get signer certificate Store certificateStore = cmsSignedData.getCertificates(); LOG.debug("certificate store type: " + certificateStore.getClass().getName()); @SuppressWarnings("unchecked") Collection<X509CertificateHolder> signingCertificateCollection = certificateStore.getMatches(signerId); X509CertificateHolder signingCertificateHolder = signingCertificateCollection.iterator().next(); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); X509Certificate signingCertificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(signingCertificateHolder.getEncoded())); LOG.debug("signing certificate: " + signingCertificate.getSubjectX500Principal()); // verify CMS signature SignerInformationVerifier signerInformationVerifier = new JcaSimpleSignerInfoVerifierBuilder() .build(signingCertificate);//from w w w . j a va 2 s .c o m boolean signatureResult = signer.verify(signerInformationVerifier); if (false == signatureResult) { throw new SecurityException("ETK signature invalid"); } // get encryption certificate CMSTypedData signedContent = cmsSignedData.getSignedContent(); byte[] data = (byte[]) signedContent.getContent(); X509Certificate encryptionCertificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(data)); LOG.debug("all available certificates:"); logCertificates(certificateStore, null); // get authentication certificate CustomSelector authenticationSelector = new CustomSelector(); authenticationSelector.setSubject(encryptionCertificate.getIssuerX500Principal()); @SuppressWarnings("unchecked") Collection<X509CertificateHolder> authenticationCertificates = certificateStore .getMatches(authenticationSelector); if (authenticationCertificates.size() != 1) { LOG.debug("no authentication certificate match"); } X509CertificateHolder authenticationCertificateHolder = authenticationCertificates.iterator().next(); this.authenticationCertificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(authenticationCertificateHolder.getEncoded())); verifyProxyCertificate(encryptionCertificate, this.authenticationCertificate); return encryptionCertificate; }
From source file:be.e_contract.mycarenet.etee.Unsealer.java
License:Open Source License
private byte[] getVerifiedContent(byte[] cmsData) throws CertificateException, CMSException, IOException, OperatorCreationException { CMSSignedData cmsSignedData = new CMSSignedData(cmsData); SignerInformationStore signers = cmsSignedData.getSignerInfos(); SignerInformation signer = (SignerInformation) signers.getSigners().iterator().next(); SignerId signerId = signer.getSID(); Store certificateStore = cmsSignedData.getCertificates(); @SuppressWarnings("unchecked") Collection<X509CertificateHolder> certificateCollection = certificateStore.getMatches(signerId); if (null == this.senderCertificate) { if (certificateCollection.isEmpty()) { throw new SecurityException("no sender certificate present"); }// ww w .j ava2 s . c om X509CertificateHolder certificateHolder = certificateCollection.iterator().next(); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); X509Certificate certificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(certificateHolder.getEncoded())); this.senderCertificate = certificate; LOG.debug("signer certificate subject: " + certificate.getSubjectX500Principal()); } /* * By reusing the sender certificate we have the guarantee that the * outer signature and inner signature share the same origin. */ SignerInformationVerifier signerInformationVerifier = new JcaSimpleSignerInfoVerifierBuilder() .build(this.senderCertificate); boolean signatureResult = signer.verify(signerInformationVerifier); if (false == signatureResult) { throw new SecurityException("woops"); } CMSTypedData signedContent = cmsSignedData.getSignedContent(); byte[] data = (byte[]) signedContent.getContent(); return data; }
From source file:br.gov.jfrj.siga.cd.AssinaturaDigital.java
License:Open Source License
@SuppressWarnings("unchecked") protected static String validarAssinaturaCMS(byte[] digest, String digestAlgorithm, byte[] assinatura, Date dtAssinatura) throws InvalidKeyException, SecurityException, CRLException, CertificateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, AplicacaoException, ChainValidationException, IOException, Exception { final CMSSignedData s; if (digest != null) { Map<String, byte[]> map = new HashMap<String, byte[]>(); map.put(digestAlgorithm, digest); s = new CMSSignedData(map, assinatura); } else {/* w w w . j a v a 2s. c om*/ s = new CMSSignedData(assinatura); } Store certs = s.getCertificates(); SignerInformationStore signers = s.getSignerInfos(); Collection<SignerInformation> c = signers.getSigners(); Iterator<SignerInformation> it = c.iterator(); X509CertificateHolder firstSignerCert = null; while (it.hasNext()) { SignerInformation signer = it.next(); Collection<X509CertificateHolder> certCollection = certs.getMatches(signer.getSID()); Iterator<X509CertificateHolder> certIt = certCollection.iterator(); X509CertificateHolder cert = certIt.next(); if (firstSignerCert == null) firstSignerCert = cert; if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) throw new Exception("Assinatura invlida!"); System.out.println("\nSigner Info: \n"); System.out.println("Is Signature Valid? true"); System.out.println("Digest: " + asHex(signer.getContentDigest())); System.out.println("Enc Alg Oid: " + signer.getEncryptionAlgOID()); System.out.println("Digest Alg Oid: " + signer.getDigestAlgOID()); System.out.println("Signature: " + asHex(signer.getSignature())); } // X509Certificate[] cadeiaTotal = montarCadeiaOrdenadaECompleta((Collection<X509Certificate>) (certs.getCertificates(null))); X509Certificate[] cadeiaTotal = montarCadeiaOrdenadaECompleta(certs.getMatches(null)); List<X509CRLObject> crls = new ArrayList<>(); if (certs.getMatches(null) != null) { Enumeration ec = ASN1Set.getInstance(certs.getMatches(null)).getObjects(); while (ec.hasMoreElements()) { crls.add(new X509CRLObject(CertificateList.getInstance(ec.nextElement()))); } } final X509ChainValidator cadeia = new X509ChainValidator(cadeiaTotal, /* trustedAnchors */new HashSet(FachadaDeCertificadosAC.getTrustAnchors()), crls.toArray(new X509CRLObject[0])); cadeia.checkCRL(true); try { cadeia.validateChain(dtAssinatura); } catch (Exception e1) { if (e1.getMessage().endsWith("Validation time is in future.")) { String s1 = e1.getMessage() + " Current date: [" + new Date().toString() + "]. Record date: [" + dtAssinatura + "]. LCRs' dates ["; for (X509CRLObject crl : (Collection<X509CRLObject>) certs.getMatches(null)) { String s2 = crl.getIssuerX500Principal().getName(); s2 = s2.split(",")[0]; s1 += s2 + " (" + crl.getThisUpdate() + " - " + crl.getNextUpdate() + ") "; } s1 += "]"; throw new AplicacaoException(s1, 0, e1); } else throw e1; } // String s1 = firstSignerCert.getSubjectDN().getName(); String s1 = firstSignerCert.getSubject().toString(); s1 = obterNomeExibicao(s1); return s1; }
From source file:br.gov.jfrj.siga.cd.AssinaturaDigital.java
License:Open Source License
@SuppressWarnings("unchecked") public static String validarAssinaturaPKCS7(final byte[] digest, final String digestAlgorithm, final byte[] assinatura, Date dtAssinatura, boolean verificarLCRs) throws InvalidKeyException, SecurityException, CRLException, CertificateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, AplicacaoException, ChainValidationException, IOException, Exception { Map<String, byte[]> map = new HashMap<String, byte[]>(); map.put(digestAlgorithm, digest);/*from ww w . j ava 2 s. co m*/ final CMSSignedData signedData = new CMSSignedData(map, assinatura); Store certs = signedData.getCertificates(); SignerInformationStore signers = signedData.getSignerInfos(); Collection<SignerInformation> c = signers.getSigners(); Iterator<SignerInformation> it = c.iterator(); String sCN = ""; while (it.hasNext()) { SignerInformation signer = it.next(); Collection<X509CertificateHolder> certCollection = certs.getMatches(signer.getSID()); @SuppressWarnings("unused") String ss = signer.getDigestAlgOID(); @SuppressWarnings("unused") String sss = signer.getDigestAlgorithmID().getObjectId().getId(); Iterator<X509CertificateHolder> certIt = certCollection.iterator(); X509CertificateHolder certHolder = certIt.next(); X509Certificate cert = AssinaturaDigital.getX509Certificate(certHolder); if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(certHolder))) throw new Exception("Assinatura invlida!"); X509Certificate[] cadeiaTotal = montarCadeiaOrdenadaECompleta(certCollection); final X509ChainValidator cadeia = new X509ChainValidator(cadeiaTotal, /* trustedAnchors */new HashSet(FachadaDeCertificadosAC.getTrustAnchors()), null); cadeia.checkCRL(verificarLCRs); cadeia.validateChain(dtAssinatura); String s2 = cert.getSubjectDN().getName(); s2 = obterNomeExibicao(s2); if (sCN.length() != 0) sCN += ", "; sCN += s2; } return sCN.length() == 0 ? null : sCN; }
From source file:br.ufpb.dicomflow.integrationAPI.mail.impl.SMTPServiceExtractor.java
License:Open Source License
/** * verify the signature (assuming the cert is contained in the message) *//*w w w . j av a2 s . co m*/ private boolean verify(SMIMESigned s) throws Exception { // // extract the information to verify the signatures. // // // certificates and crls passed in the signature - this must happen before // s.getSignerInfos() // Store certs = s.getCertificates(); // // SignerInfo blocks which contain the signatures // SignerInformationStore signers = s.getSignerInfos(); Collection c = signers.getSigners(); Iterator it = c.iterator(); // // check each signer // while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); Collection certCollection = certs.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); X509Certificate cert = new JcaX509CertificateConverter() .getCertificate((X509CertificateHolder) certIt.next()); // // verify that the sign is correct and that it was generated // when the certificate was current // if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert))) { return true; } else { return false; } } return false; }
From source file:ch.cyberduck.core.aquaticprime.ReceiptVerifier.java
License:Open Source License
@Override public boolean verify() { try {// w ww .j ava 2s . c o m // For additional security, you may verify the fingerprint of the root CA and the OIDs of the // intermediate CA and signing certificate. The OID in the Certificate Policies Extension of the // intermediate CA is (1 2 840 113635 100 5 6 1), and the Marker OID of the signing certificate // is (1 2 840 113635 100 6 11 1). final CMSSignedData s = new CMSSignedData(new FileInputStream(file.getAbsolute())); Store certs = s.getCertificates(); SignerInformationStore signers = s.getSignerInfos(); for (SignerInformation signer : (Iterable<SignerInformation>) signers.getSigners()) { final Collection<X509CertificateHolder> matches = certs.getMatches(signer.getSID()); for (X509CertificateHolder holder : matches) { if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder() .setProvider(new BouncyCastleProvider()).build(holder))) { return false; } } } // Extract the receipt attributes final CMSProcessable signedContent = s.getSignedContent(); byte[] originalContent = (byte[]) signedContent.getContent(); final ASN1Primitive asn = ASN1Primitive.fromByteArray(originalContent); byte[] opaque = null; String bundleIdentifier = null; String bundleVersion = null; byte[] hash = null; if (asn instanceof ASN1Set) { // 2 Bundle identifier Interpret as an ASN.1 UTF8STRING. // 3 Application version Interpret as an ASN.1 UTF8STRING. // 4 Opaque value Interpret as a series of bytes. // 5 SHA-1 hash Interpret as a 20-byte SHA-1 digest value. final ASN1Set set = (ASN1Set) asn; final Enumeration enumeration = set.getObjects(); while (enumeration.hasMoreElements()) { Object next = enumeration.nextElement(); if (next instanceof DLSequence) { DLSequence sequence = (DLSequence) next; ASN1Encodable type = sequence.getObjectAt(0); if (type instanceof ASN1Integer) { if (((ASN1Integer) type).getValue().intValue() == 2) { final ASN1Encodable value = sequence.getObjectAt(2); if (value instanceof DEROctetString) { bundleIdentifier = new String(((DEROctetString) value).getOctets(), "UTF-8"); } } else if (((ASN1Integer) type).getValue().intValue() == 3) { final ASN1Encodable value = sequence.getObjectAt(2); if (value instanceof DEROctetString) { bundleVersion = new String(((DEROctetString) value).getOctets(), "UTF-8"); } } else if (((ASN1Integer) type).getValue().intValue() == 4) { final ASN1Encodable value = sequence.getObjectAt(2); if (value instanceof DEROctetString) { opaque = ((DEROctetString) value).getOctets(); } } else if (((ASN1Integer) type).getValue().intValue() == 5) { final ASN1Encodable value = sequence.getObjectAt(2); if (value instanceof DEROctetString) { hash = ((DEROctetString) value).getOctets(); } } } } } } else { log.error(String.format("Expected set of attributes for %s", asn)); return false; } if (!StringUtils.equals(PreferencesFactory.get().getDefault("application.identifier"), StringUtils.trim(bundleIdentifier))) { log.error(String.format("Bundle identifier %s in ASN set does not match", bundleIdentifier)); return false; } if (!StringUtils.equals(PreferencesFactory.get().getDefault("application.version"), StringUtils.trim(bundleVersion))) { log.warn(String.format("Bundle version %s in ASN set does not match", bundleVersion)); } final NetworkInterface en0 = NetworkInterface.getByName("en0"); if (null == en0) { // Interface is not found when link is down #fail log.warn("No network interface en0"); return true; } else { final byte[] mac = en0.getHardwareAddress(); if (null == mac) { log.error("Cannot determine MAC address"); // Continue without validation return true; } final String hex = Hex.encodeHexString(mac); if (log.isDebugEnabled()) { log.debug(String.format("Interface en0 %s", hex)); } // Compute the hash of the GUID final MessageDigest digest = MessageDigest.getInstance("SHA-1"); digest.update(mac); if (null == opaque) { log.error(String.format("Missing opaque string in ASN.1 set %s", asn)); return false; } digest.update(opaque); if (null == bundleIdentifier) { log.error(String.format("Missing bundle identifier in ASN.1 set %s", asn)); return false; } digest.update(bundleIdentifier.getBytes(Charset.forName("UTF-8"))); final byte[] result = digest.digest(); if (Arrays.equals(result, hash)) { if (log.isInfoEnabled()) { log.info(String.format("Valid receipt for GUID %s", hex)); } guid = hex; return true; } else { log.error(String.format("Failed verification. Hash with GUID %s does not match hash in receipt", hex)); return false; } } } catch (IOException e) { log.error("Receipt validation error", e); // Shutdown if receipt is not valid return false; } catch (GeneralSecurityException e) { log.error("Receipt validation error", e); // Shutdown if receipt is not valid return false; } catch (SecurityException e) { log.error("Receipt validation error", e); // Shutdown if receipt is not valid return false; } catch (CMSException e) { log.error("Receipt validation error", e); // Shutdown if receipt is not valid return false; } catch (Exception e) { log.error("Unknown receipt validation error", e); return true; } }
From source file:com.blackberry.bidhelper.BidCertificateVerifierAndroid.java
License:Apache License
@Override public boolean verifyReport(byte[] tzReport, byte[] signature) throws CertificateException { if (this.bidCert == null) { throw new IllegalStateException("Certificate not yet set"); }//from w w w . j a v a 2 s . co m try { CMSSignedData cms = new CMSSignedData(new CMSProcessableByteArray(tzReport), signature); Store certStore = cms.getCertificates(); SignerInformationStore signers = cms.getSignerInfos(); Collection c = signers.getSigners(); Iterator it = c.iterator(); if (c.size() != 1) { return false; } while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); Collection certCollection = certStore.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); // If there is no certificate part of the signature then the report may have been created before // the certificate was cut. if (certCollection.size() == 0) { return signer .verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(this.bidCert)); } X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next(); X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC") .getCertificate(certHolder); return signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert)); } } catch (CMSException e) { throw new CertificateException(e.toString()); } catch (OperatorCreationException oce) { throw new CertificateException(oce.toString()); } catch (Exception ex) { throw ex; } return false; }
From source file:com.guardtime.ksi.trust.CMSSignatureVerifier.java
License:Apache License
private void verifyCmsSignerInfo(SignerInformation signerInfo, X509CertificateHolder certHolder) throws InvalidCmsSignatureException { try {//from w w w . ja v a2 s. c o m SignerInformationVerifier signerInformationVerifier = new JcaSimpleSignerInfoVerifierBuilder() .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(certHolder); if (!signerInfo.verify(signerInformationVerifier)) { LOGGER.warn( "Signer certificate verification failure. Signer info is {}, and certificate subjectDN is {}", signerInfo, certHolder.getSubject()); throw new InvalidCmsSignatureException("Signature verification failure"); } } catch (CMSException e) { throw new InvalidCmsSignatureException("Invalid CMS signature. " + e.getMessage(), e); } catch (OperatorCreationException e) { throw new InvalidCmsSignatureException("CMS signature validation failed. " + e.getMessage(), e); } catch (CertificateException e) { throw new InvalidCmsSignatureException("CMS signature validation failed. " + e.getMessage(), e); } }
From source file:com.yahoo.athenz.auth.util.Crypto.java
License:Apache License
public static boolean validatePKCS7Signature(String data, String signature, PublicKey publicKey) { try {//w w w.j a v a 2 s .co m SignerInformationStore signerStore = null; try (InputStream sigIs = new ByteArrayInputStream( Base64.decode(signature.getBytes(StandardCharsets.UTF_8)))) { CMSProcessable content = new CMSProcessableByteArray(data.getBytes(StandardCharsets.UTF_8)); CMSSignedData signedData = new CMSSignedData(content, sigIs); signerStore = signedData.getSignerInfos(); } Collection<SignerInformation> signers = signerStore.getSigners(); Iterator<SignerInformation> it = signers.iterator(); SignerInformationVerifier infoVerifier = new JcaSimpleSignerInfoVerifierBuilder() .setProvider(BC_PROVIDER).build(publicKey); while (it.hasNext()) { SignerInformation signerInfo = (SignerInformation) it.next(); if (signerInfo.verify(infoVerifier)) { return true; } } } catch (CMSException ex) { LOG.error("validatePKCS7Signature: unable to initialize CMSSignedData object: " + ex.getMessage()); throw new CryptoException(ex); } catch (OperatorCreationException ex) { LOG.error( "validatePKCS7Signature: Caught OperatorCreationException when creating JcaSimpleSignerInfoVerifierBuilder: " + ex.getMessage()); throw new CryptoException(ex); } catch (IOException ex) { LOG.error("validatePKCS7Signature: Caught IOException when closing InputStream: " + ex.getMessage()); throw new CryptoException(ex); } catch (Exception ex) { LOG.error("validatePKCS7Signature: unable to validate signature: " + ex.getMessage()); throw new CryptoException(ex.getMessage()); } return false; }