protected void processPKCS12FileFormatAndAddToCertificates(
ByteArrayInputStream inputStream, ArrayList<X509Certificate> certificates)
throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException,
UnrecoverableKeyException {
KeyStore localKeyStore = KeyStore.getInstance("PKCS12");
localKeyStore.load(
inputStream, keyStorePassword == null ? null : keyStorePassword.toCharArray());
IOUtils.closeQuietly(inputStream);
Enumeration<String> aliases = localKeyStore.aliases();
// even though we are iterating over this enumeration, we
// are really expecting only one alias
while (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
Certificate cert = localKeyStore.getCertificate(alias);
if (cert != null && cert instanceof X509Certificate) {
X509Certificate addCert;
// check if there is private key
Key key =
localKeyStore.getKey(
alias, keyStorePassword == null ? null : keyStorePassword.toCharArray());
if (key != null && key instanceof PrivateKey) {
addCert = X509CertificateEx.fromX509Certificate((X509Certificate) cert, (PrivateKey) key);
certificates.add(addCert);
}
}
}
}
/**
* Decrypts an entity with the provided certificates' private key.
*
* @param encryptedEntity The entity that will be decrypted.
* @param decryptingCertificate The certificates whose private keys will be used to decrypt the
* message.
* @return A MimeEntity containing the decrypted part.
*/
public MimeEntity decrypt(
MimeEntity encryptedEntity, Collection<X509CertificateEx> decryptingCertificates) {
if (decryptingCertificates == null || decryptingCertificates.size() == 0) {
throw new IllegalArgumentException();
}
MimeEntity retEntity = null;
try {
if (LOGGER.isDebugEnabled()) {
byte[] encryptedContent = encryptedEntity.getContentAsBytes();
writePreDecrypt(encryptedContent);
}
SMIMEEnveloped m = new SMIMEEnveloped(encryptedEntity);
X509CertificateEx decryptCert = decryptingCertificates.iterator().next();
RecipientId recId = generateRecipientSelector(decryptCert);
RecipientInformationStore recipients = m.getRecipientInfos();
RecipientInformation recipient = recipients.get(recId);
byte[] decryptedPayload =
recipient.getContent(decryptCert.getPrivateKey(), CryptoExtensions.getJCEProviderName());
if (LOGGER.isDebugEnabled()) {
writePostDecrypt(decryptedPayload);
}
ByteArrayInputStream inStream = new ByteArrayInputStream(decryptedPayload);
retEntity = new MimeEntity(inStream);
} catch (MessagingException e) {
throw new MimeException(MimeError.InvalidMimeEntity, e);
} catch (Exception e) {
throw new MimeException(MimeError.Unexpected, e);
}
return retEntity;
}
private X509Certificate certFromData(byte[] data) {
X509Certificate retVal = null;
try {
ByteArrayInputStream bais = new ByteArrayInputStream(data);
// lets try this a as a PKCS12 data stream first
try {
KeyStore localKeyStore =
KeyStore.getInstance("PKCS12", CryptoExtensions.getJCEProviderName());
localKeyStore.load(bais, "".toCharArray());
Enumeration<String> aliases = localKeyStore.aliases();
// we are really expecting only one alias
if (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
X509Certificate cert = (X509Certificate) localKeyStore.getCertificate(alias);
// check if there is private key
Key key = localKeyStore.getKey(alias, "".toCharArray());
if (key != null && key instanceof PrivateKey) {
retVal = X509CertificateEx.fromX509Certificate(cert, (PrivateKey) key);
} else retVal = cert;
}
} catch (Exception e) {
// must not be a PKCS12 stream, go on to next step
}
if (retVal == null) {
// try X509 certificate factory next
bais.reset();
bais = new ByteArrayInputStream(data);
retVal =
(X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(bais);
}
bais.close();
} catch (Exception e) {
throw new NHINDException("Data cannot be converted to a valid X.509 Certificate", e);
}
return retVal;
}
/**
* Decrypts an entity with the provided certificate's private key.
*
* @param encryptedEntity The entity that will be decrypted.
* @param decryptingCertificate The certificate whose private key will be used to decrypt the
* message.
* @return A MimeEntity containing the decrypted part.
*/
public MimeEntity decrypt(MimeEntity encryptedEntity, X509CertificateEx decryptingCertificate) {
if (encryptedEntity == null || decryptingCertificate == null) {
throw new IllegalArgumentException();
}
if (!decryptingCertificate.hasPrivateKey()) {
throw new IllegalArgumentException("Certificate has no private key");
}
encryptedEntity.verifyContentType(SMIMEStandard.EncryptedContentTypeHeaderValue);
encryptedEntity.verifyTransferEncoding(MimeStandard.TransferEncodingBase64);
Collection<X509CertificateEx> certs = new ArrayList<X509CertificateEx>();
certs.add(decryptingCertificate);
MimeEntity retVal = this.decrypt(encryptedEntity, certs);
//
// And turn the decrypted bytes back into an entity
//
return retVal;
}
private X509Certificate certFromData(byte[] data) {
X509Certificate retVal = null;
try {
// first check for wrapped data
final CertContainer container = CertUtils.toCertContainer(data);
if (container.getWrappedKeyData() != null) {
// this is a wrapped key
// make sure we have a KeyStoreManager configured
if (this.mgr == null) {
throw new NHINDException(
AgentError.Unexpected,
"Resolved certifiate has wrapped data, but resolver has not been configured to unwrap it.");
}
// create a new wrapped certificate object
retVal =
WrappedOnDemandX509CertificateEx.fromX509Certificate(
mgr, container.getCert(), container.getWrappedKeyData());
return retVal;
}
ByteArrayInputStream bais = new ByteArrayInputStream(data);
// lets try this a as a PKCS12 data stream first
try {
KeyStore localKeyStore =
KeyStore.getInstance("PKCS12", CryptoExtensions.getJCEProviderName());
localKeyStore.load(bais, "".toCharArray());
Enumeration<String> aliases = localKeyStore.aliases();
// we are really expecting only one alias
if (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
X509Certificate cert = (X509Certificate) localKeyStore.getCertificate(alias);
// check if there is private key
Key key = localKeyStore.getKey(alias, "".toCharArray());
if (key != null && key instanceof PrivateKey) {
retVal = X509CertificateEx.fromX509Certificate(cert, (PrivateKey) key);
} else retVal = cert;
}
} catch (Exception e) {
// must not be a PKCS12 stream, go on to next step
}
if (retVal == null) {
// try X509 certificate factory next
bais.reset();
bais = new ByteArrayInputStream(data);
retVal =
(X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(bais);
}
bais.close();
} catch (Exception e) {
throw new NHINDException("Data cannot be converted to a valid X.509 Certificate", e);
}
return retVal;
}
protected SignerInformation createSignerInformation() throws Exception {
X509CertificateEx internalCert = TestUtils.getInternalCert("user1");
String testMessage = TestUtils.readResource("MultipartMimeMessage.txt");
MimeMessage entity = EntitySerializer.Default.deserialize(testMessage);
Message message = new Message(entity);
MimeEntity entityToSig = message.extractEntityForSignature(true);
byte[] messageBytes =
EntitySerializer.Default.serializeToBytes(entityToSig); // Serialize message out as
// ASCII encoded...
MimeBodyPart partToSign = null;
try {
partToSign = new MimeBodyPart(new ByteArrayInputStream(messageBytes));
} catch (Exception e) {
}
SMIMESignedGenerator gen = new SMIMESignedGenerator();
ASN1EncodableVector signedAttrs = new ASN1EncodableVector();
SMIMECapabilityVector caps = new SMIMECapabilityVector();
caps.addCapability(SMIMECapability.dES_EDE3_CBC);
caps.addCapability(SMIMECapability.rC2_CBC, 128);
caps.addCapability(SMIMECapability.dES_CBC);
caps.addCapability(new DERObjectIdentifier("1.2.840.113549.1.7.1"));
caps.addCapability(PKCSObjectIdentifiers.x509Certificate);
signedAttrs.add(new SMIMECapabilitiesAttribute(caps));
List<X509Certificate> certList = new ArrayList<X509Certificate>();
gen.addSigner(
internalCert.getPrivateKey(),
internalCert,
SMIMESignedGenerator.DIGEST_SHA1,
new AttributeTable(signedAttrs),
null);
certList.add(internalCert);
theGetCertificates = certList;
MimeMultipart retVal = null;
CertStore certsAndcrls =
CertStore.getInstance(
"Collection",
new CollectionCertStoreParameters(certList),
CryptoExtensions.getJCEProviderName());
gen.addCertificatesAndCRLs(certsAndcrls);
retVal = gen.generate(partToSign, CryptoExtensions.getJCEProviderName());
ByteArrayOutputStream oStream = new ByteArrayOutputStream();
retVal.writeTo(oStream);
oStream.flush();
byte[] serialzedBytes = oStream.toByteArray();
ByteArrayDataSource dataSource =
new ByteArrayDataSource(serialzedBytes, retVal.getContentType());
MimeMultipart verifyMM = new MimeMultipart(dataSource);
CMSSignedData signeddata =
new CMSSignedData(
new CMSProcessableBodyPartInbound(partToSign),
verifyMM.getBodyPart(1).getInputStream());
SignerInformationStore signers = signeddata.getSignerInfos();
Collection c = signers.getSigners();
Iterator it = c.iterator();
while (it.hasNext()) {
SignerInformation signer = (SignerInformation) it.next();
return signer;
}
return null;
}
