예제 #1
0
  /** create a private key from the given public key info object. */
  static PrivateKey createPrivateKeyFromPrivateKeyInfo(PrivateKeyInfo info) {
    DERObjectIdentifier algOid = info.getAlgorithmId().getObjectId();

    if (RSAUtil.isRsaOid(algOid)) {
      return new JCERSAPrivateCrtKey(info);
    } else if (algOid.equals(PKCSObjectIdentifiers.dhKeyAgreement)) {
      return new JCEDHPrivateKey(info);
    }
    // BEGIN android-removed
    // else if (algOid.equals(OIWObjectIdentifiers.elGamalAlgorithm))
    // {
    //       return new JCEElGamalPrivateKey(info);
    // }
    // END android-removed
    else if (algOid.equals(X9ObjectIdentifiers.id_dsa)) {
      return new JDKDSAPrivateKey(info);
    }
    // BEGIN android-removed
    // else if (algOid.equals(X9ObjectIdentifiers.id_ecPublicKey))
    // {
    //       return new JCEECPrivateKey(info);
    // }
    // else if (algOid.equals(CryptoProObjectIdentifiers.gostR3410_94))
    // {
    //       return new JDKGOST3410PrivateKey(info);
    // }
    // else if (algOid.equals(CryptoProObjectIdentifiers.gostR3410_2001))
    // {
    //       return new JCEECPrivateKey(info);
    // }
    // END android-removed
    else {
      throw new RuntimeException("algorithm identifier " + algOid + " in key not recognised");
    }
  }
예제 #2
0
  /**
   * Constructor from a table of attributes with ordering.
   *
   * <p>it's is assumed the table contains OID/String pairs, and the contents of the table are
   * copied into an internal table as part of the construction process. The ordering vector should
   * contain the OIDs in the order they are meant to be encoded or printed in toString.
   *
   * <p>The passed in converter will be used to convert the strings into their ASN.1 counterparts.
   */
  public X509Name(Vector ordering, Hashtable attributes, X509NameEntryConverter converter) {
    this.converter = converter;

    if (ordering != null) {
      for (int i = 0; i != ordering.size(); i++) {
        this.ordering.addElement(ordering.elementAt(i));
        this.added.addElement(FALSE);
      }
    } else {
      Enumeration e = attributes.keys();

      while (e.hasMoreElements()) {
        this.ordering.addElement(e.nextElement());
        this.added.addElement(FALSE);
      }
    }

    for (int i = 0; i != this.ordering.size(); i++) {
      DERObjectIdentifier oid = (DERObjectIdentifier) this.ordering.elementAt(i);

      if (attributes.get(oid) == null) {
        throw new IllegalArgumentException(
            "No attribute for object id - " + oid.getId() + " - passed to distinguished name");
      }

      this.values.addElement(attributes.get(oid)); // copy the hash table
    }
  }
  public VomsAttributeCertificateInfo(final ASN1Sequence seq) throws ProblemException {

    super(seq);

    ASN1Sequence attributes = getAttributes();

    for (int i = 0; i < attributes.size(); i++) {

      ASN1Sequence attribute = (ASN1Sequence) attributes.getObjectAt(i);
      DERObjectIdentifier id = (DERObjectIdentifier) attribute.getObjectAt(0);

      if (VomsCredentialInfo.VOMS_ATTR_OID.equals(id.getId())) {

        DERSet set = (DERSet) attribute.getObjectAt(1);

        for (int j = 0; j < set.size(); j++) {

          IetfAttrSyntax attr = new IetfAttrSyntax((ASN1Sequence) set.getObjectAt(j));
          ASN1Sequence paSeq = (ASN1Sequence) attr.getPolicyAuthority().getDERObject();
          GeneralName paGName = GeneralName.getInstance(paSeq.getObjectAt(0));
          String paString = ((DERIA5String) paGName.getName()).getString();

          int sep = paString.indexOf("://"); // $NON-NLS-1$
          if (sep != -1) {
            this.voNames.add(paString.substring(0, sep));
          }

          for (Object attrValue : attr.getValues()) {
            String fqanString = new String(((ASN1OctetString) attrValue).getOctets());
            this.fqans.add(FullyQualifiedAttributeName.getFqan(fqanString));
          }
        }
      }
    }
  }
예제 #4
0
  /**
   * @param inOrder if true the order of both X509 names must be the same, as well as the values
   *     associated with each element.
   */
  public boolean equals(Object obj, boolean inOrder) {
    if (!inOrder) {
      return this.equals(obj);
    }

    if (obj == this) {
      return true;
    }

    if (!(obj instanceof X509Name || obj instanceof ASN1Sequence)) {
      return false;
    }

    DERObject derO = ((DEREncodable) obj).getDERObject();

    if (this.getDERObject().equals(derO)) {
      return true;
    }

    X509Name other;

    try {
      other = X509Name.getInstance(obj);
    } catch (IllegalArgumentException e) {
      return false;
    }

    int orderingSize = ordering.size();

    if (orderingSize != other.ordering.size()) {
      return false;
    }

    for (int i = 0; i < orderingSize; i++) {
      DERObjectIdentifier oid = (DERObjectIdentifier) ordering.elementAt(i);
      DERObjectIdentifier oOid = (DERObjectIdentifier) other.ordering.elementAt(i);

      if (oid.equals(oOid)) {
        String value = (String) values.elementAt(i);
        String oValue = (String) other.values.elementAt(i);

        if (!equivalentStrings(value, oValue)) {
          return false;
        }
      } else {
        return false;
      }
    }

    return true;
  }
  /**
   * Apply default coversion for the given value depending on the oid and the character range of the
   * value.
   *
   * @param oid the object identifier for the DN entry
   * @param value the value associated with it
   * @return the ASN.1 equivalent for the string value.
   */
  public DERObject getConvertedValue(DERObjectIdentifier oid, String value) {
    if (value.length() != 0 && value.charAt(0) == '#') {
      try {
        return convertHexEncoded(value, 1);
      } catch (IOException e) {
        throw new RuntimeException("can't recode value for oid " + oid.getId());
      }
    } else {
      if (value.length() != 0 && value.charAt(0) == '\\') {
        value = value.substring(1);
      }
      if (oid.equals(X509Name.EmailAddress) || oid.equals(X509Name.DC)) {
        return new DERIA5String(value);
      } else if (oid.equals(
          X509Name.DATE_OF_BIRTH)) // accept time string as well as # (for compatibility)
      {
        return new DERGeneralizedTime(value);
      } else if (oid.equals(X509Name.C)
          || oid.equals(X509Name.SN)
          || oid.equals(X509Name.DN_QUALIFIER)
          || oid.equals(X509Name.TELEPHONE_NUMBER)) {
        return new DERPrintableString(value);
      }
    }

    return new DERUTF8String(value);
  }
  /**
   * decrypt the content and return an input stream.
   *
   * @deprecated use getContentStream(Recipient)
   */
  public CMSTypedStream getContentStream(Key key, Provider prov) throws CMSException {
    try {
      CMSEnvelopedHelper helper = CMSEnvelopedHelper.INSTANCE;
      AlgorithmIdentifier kekAlg =
          AlgorithmIdentifier.getInstance(info.getKeyEncryptionAlgorithm());
      ASN1Sequence kekAlgParams = (ASN1Sequence) kekAlg.getParameters();
      String kekAlgName = DERObjectIdentifier.getInstance(kekAlgParams.getObjectAt(0)).getId();
      String wrapAlgName = helper.getRFC3211WrapperName(kekAlgName);

      Cipher keyCipher = helper.createSymmetricCipher(wrapAlgName, prov);
      IvParameterSpec ivSpec =
          new IvParameterSpec(ASN1OctetString.getInstance(kekAlgParams.getObjectAt(1)).getOctets());
      keyCipher.init(
          Cipher.UNWRAP_MODE,
          new SecretKeySpec(((CMSPBEKey) key).getEncoded(kekAlgName), kekAlgName),
          ivSpec);

      Key sKey =
          keyCipher.unwrap(
              info.getEncryptedKey().getOctets(), getContentAlgorithmName(), Cipher.SECRET_KEY);

      return getContentFromSessionKey(sKey, prov);
    } catch (NoSuchAlgorithmException e) {
      throw new CMSException("can't find algorithm.", e);
    } catch (InvalidKeyException e) {
      throw new CMSException("key invalid in message.", e);
    } catch (NoSuchPaddingException e) {
      throw new CMSException("required padding not supported.", e);
    } catch (InvalidAlgorithmParameterException e) {
      throw new CMSException("invalid iv.", e);
    }
  }
예제 #7
0
  private void appendValue(
      StringBuffer buf, Hashtable oidSymbols, DERObjectIdentifier oid, String value) {
    String sym = (String) oidSymbols.get(oid);

    if (sym != null) {
      buf.append(sym);
    } else {
      buf.append(oid.getId());
    }

    buf.append('=');

    int index = buf.length();

    buf.append(value);

    int end = buf.length();

    while (index != end) {
      if ((buf.charAt(index) == ',')
          || (buf.charAt(index) == '"')
          || (buf.charAt(index) == '\\')
          || (buf.charAt(index) == '+')
          || (buf.charAt(index) == '<')
          || (buf.charAt(index) == '>')
          || (buf.charAt(index) == ';')) {
        buf.insert(index, "\\");
        index++;
        end++;
      }

      index++;
    }
  }
예제 #8
0
  /**
   * Constructor from ASN1Sequence
   *
   * <p>the principal will be a list of constructed sets, each containing an (OID, String) pair.
   */
  public X509Name(ASN1Sequence seq) {
    this.seq = seq;

    Enumeration e = seq.getObjects();

    while (e.hasMoreElements()) {
      ASN1Set set = ASN1Set.getInstance(e.nextElement());

      for (int i = 0; i < set.size(); i++) {
        ASN1Sequence s = ASN1Sequence.getInstance(set.getObjectAt(i));

        if (s.size() != 2) {
          throw new IllegalArgumentException("badly sized pair");
        }

        ordering.addElement(DERObjectIdentifier.getInstance(s.getObjectAt(0)));

        DEREncodable value = s.getObjectAt(1);
        if (value instanceof DERString) {
          values.addElement(((DERString) value).getString());
        } else {
          values.addElement("#" + bytesToString(Hex.encode(value.getDERObject().getDEREncoded())));
        }
        added.addElement((i != 0) ? TRUE : FALSE); // to allow earlier JDK compatibility
      }
    }
  }
  protected static void processCertD1ii(
      int index, List[] policyNodes, DERObjectIdentifier _poid, Set _pq) {
    List policyNodeVec = policyNodes[index - 1];

    for (int j = 0; j < policyNodeVec.size(); j++) {
      PKIXPolicyNode _node = (PKIXPolicyNode) policyNodeVec.get(j);

      if (ANY_POLICY.equals(_node.getValidPolicy())) {
        Set _childExpectedPolicies = new HashSet();
        _childExpectedPolicies.add(_poid.getId());

        PKIXPolicyNode _child =
            new PKIXPolicyNode(
                new ArrayList(), index, _childExpectedPolicies, _node, _pq, _poid.getId(), false);
        _node.addChild(_child);
        policyNodes[index].add(_child);
        return;
      }
    }
  }
  private Set getExtensionOIDs(boolean critical) {
    X509Extensions extensions = cert.getAcinfo().getExtensions();

    if (extensions != null) {
      Set set = new HashSet();
      Enumeration e = extensions.oids();

      while (e.hasMoreElements()) {
        DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement();
        X509Extension ext = extensions.getExtension(oid);

        if (ext.isCritical() == critical) {
          set.add(oid.getId());
        }
      }

      return set;
    }

    return null;
  }
예제 #11
0
 private static boolean certHasPolicy(X509Certificate cert, String sOid) {
   try {
     if (m_logger.isDebugEnabled())
       m_logger.debug("Read cert policies: " + cert.getSerialNumber().toString());
     ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded());
     ASN1InputStream aIn = new ASN1InputStream(bIn);
     ASN1Sequence seq = (ASN1Sequence) aIn.readObject();
     X509CertificateStructure obj = new X509CertificateStructure(seq);
     TBSCertificateStructure tbsCert = obj.getTBSCertificate();
     if (tbsCert.getVersion() == 3) {
       X509Extensions ext = tbsCert.getExtensions();
       if (ext != null) {
         Enumeration en = ext.oids();
         while (en.hasMoreElements()) {
           DERObjectIdentifier oid = (DERObjectIdentifier) en.nextElement();
           X509Extension extVal = ext.getExtension(oid);
           ASN1OctetString oct = extVal.getValue();
           ASN1InputStream extIn = new ASN1InputStream(new ByteArrayInputStream(oct.getOctets()));
           // if (oid.equals(X509Extensions.CertificatePolicies)) { // bc 146 ja jdk 1.6 puhul -
           // X509Extension.certificatePolicies
           if (oid.equals(X509Extension.certificatePolicies)) { // bc 146 ja jdk 1.6 puhul -
             // X509Extension.certificatePolicies
             ASN1Sequence cp = (ASN1Sequence) extIn.readObject();
             for (int i = 0; i != cp.size(); i++) {
               PolicyInformation pol = PolicyInformation.getInstance(cp.getObjectAt(i));
               DERObjectIdentifier dOid = pol.getPolicyIdentifier();
               String soid2 = dOid.getId();
               if (m_logger.isDebugEnabled()) m_logger.debug("Policy: " + soid2);
               if (soid2.startsWith(sOid)) return true;
             }
           }
         }
       }
     }
   } catch (Exception ex) {
     m_logger.error("Error reading cert policies: " + ex);
   }
   return false;
 }
  protected static boolean processCertD1i(
      int index, List[] policyNodes, DERObjectIdentifier pOid, Set pq) {
    List policyNodeVec = policyNodes[index - 1];

    for (int j = 0; j < policyNodeVec.size(); j++) {
      PKIXPolicyNode node = (PKIXPolicyNode) policyNodeVec.get(j);
      Set expectedPolicies = node.getExpectedPolicies();

      if (expectedPolicies.contains(pOid.getId())) {
        Set childExpectedPolicies = new HashSet();
        childExpectedPolicies.add(pOid.getId());

        PKIXPolicyNode child =
            new PKIXPolicyNode(
                new ArrayList(), index, childExpectedPolicies, node, pq, pOid.getId(), false);
        node.addChild(child);
        policyNodes[index].add(child);

        return true;
      }
    }

    return false;
  }
예제 #13
0
  /**
   * generate an X509 CRL, based on the current issuer and subject, using the passed in provider for
   * the signing.
   */
  public X509CRL generateX509CRL(PrivateKey key, String provider, SecureRandom random)
      throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException {
    Signature sig = null;

    try {
      sig = Signature.getInstance(sigOID.getId(), provider);
    } catch (NoSuchAlgorithmException ex) {
      try {
        sig = Signature.getInstance(signatureAlgorithm, provider);
      } catch (NoSuchAlgorithmException e) {
        throw new SecurityException("exception creating signature: " + e.toString());
      }
    }

    if (random != null) {
      sig.initSign(key, random);
    } else {
      sig.initSign(key);
    }

    if (extensions != null) {
      tbsGen.setExtensions(new X509Extensions(extOrdering, extensions));
    }

    TBSCertList tbsCrl = tbsGen.generateTBSCertList();

    try {
      ByteArrayOutputStream bOut = new ByteArrayOutputStream();
      DEROutputStream dOut = new DEROutputStream(bOut);

      dOut.writeObject(tbsCrl);

      sig.update(bOut.toByteArray());
    } catch (Exception e) {
      throw new SecurityException("exception encoding TBS cert - " + e);
    }

    // Construct the CRL
    ASN1EncodableVector v = new ASN1EncodableVector();

    v.add(tbsCrl);
    v.add(sigAlgId);
    v.add(new DERBitString(sig.sign()));

    return new X509CRLObject(new CertificateList(new DERSequence(v)));
  }
  protected RecipientOperator getRecipientOperator(Recipient recipient)
      throws CMSException, IOException {
    PasswordRecipient pbeRecipient = (PasswordRecipient) recipient;
    AlgorithmIdentifier kekAlg = AlgorithmIdentifier.getInstance(info.getKeyEncryptionAlgorithm());
    ASN1Sequence kekAlgParams = (ASN1Sequence) kekAlg.getParameters();
    DERObjectIdentifier kekAlgName = DERObjectIdentifier.getInstance(kekAlgParams.getObjectAt(0));
    PBKDF2Params params =
        PBKDF2Params.getInstance(info.getKeyDerivationAlgorithm().getParameters());

    byte[] derivedKey;
    int keySize = ((Integer) KEYSIZES.get(kekAlgName)).intValue();

    if (pbeRecipient.getPasswordConversionScheme() == PasswordRecipient.PKCS5_SCHEME2) {
      PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator();

      gen.init(
          PBEParametersGenerator.PKCS5PasswordToBytes(pbeRecipient.getPassword()),
          params.getSalt(),
          params.getIterationCount().intValue());

      derivedKey = ((KeyParameter) gen.generateDerivedParameters(keySize)).getKey();
    } else {
      PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator();

      gen.init(
          PBEParametersGenerator.PKCS5PasswordToUTF8Bytes(pbeRecipient.getPassword()),
          params.getSalt(),
          params.getIterationCount().intValue());

      derivedKey = ((KeyParameter) gen.generateDerivedParameters(keySize)).getKey();
    }

    return pbeRecipient.getRecipientOperator(
        AlgorithmIdentifier.getInstance(kekAlg.getParameters()),
        messageAlgorithm,
        derivedKey,
        info.getEncryptedKey().getOctets());
  }
  public SemanticsInformation(ASN1Sequence seq) {
    Enumeration e = seq.getObjects();
    if (seq.size() < 1) {
      throw new IllegalArgumentException("no objects in SemanticsInformation");
    }

    Object object = e.nextElement();
    if (object instanceof DERObjectIdentifier) {
      semanticsIdentifier = DERObjectIdentifier.getInstance(object);
      if (e.hasMoreElements()) {
        object = e.nextElement();
      } else {
        object = null;
      }
    }

    if (object != null) {
      ASN1Sequence generalNameSeq = ASN1Sequence.getInstance(object);
      nameRegistrationAuthorities = new GeneralName[generalNameSeq.size()];
      for (int i = 0; i < generalNameSeq.size(); i++) {
        nameRegistrationAuthorities[i] = GeneralName.getInstance(generalNameSeq.getObjectAt(i));
      }
    }
  }
예제 #16
0
  /** @deprecated */
  private boolean doVerify(PublicKey key, Provider sigProvider)
      throws CMSException, NoSuchAlgorithmException {
    String digestName = CMSSignedHelper.INSTANCE.getDigestAlgName(this.getDigestAlgOID());
    String encName = CMSSignedHelper.INSTANCE.getEncryptionAlgName(this.getEncryptionAlgOID());
    String signatureName = digestName + "with" + encName;
    Signature sig = CMSSignedHelper.INSTANCE.getSignatureInstance(signatureName, sigProvider);
    MessageDigest digest = CMSSignedHelper.INSTANCE.getDigestInstance(digestName, sigProvider);

    // TODO [BJA-109] Note: PSSParameterSpec requires JDK1.4+
    /*
            try
            {
                DERObjectIdentifier sigAlgOID = encryptionAlgorithm.getObjectId();
                DEREncodable sigParams = this.encryptionAlgorithm.getParameters();
                if (sigAlgOID.equals(PKCSObjectIdentifiers.id_RSASSA_PSS))
                {
                    // RFC 4056
                    // When the id-RSASSA-PSS algorithm identifier is used for a signature,
                    // the AlgorithmIdentifier parameters field MUST contain RSASSA-PSS-params.
                    if (sigParams == null)
                    {
                        throw new CMSException(
                            "RSASSA-PSS signature must specify algorithm parameters");
                    }

                    AlgorithmParameters params = AlgorithmParameters.getInstance(
                        sigAlgOID.getId(), sig.getProvider().getName());
                    params.init(sigParams.getDERObject().getEncoded(), "ASN.1");

                    PSSParameterSpec spec = (PSSParameterSpec)params.getParameterSpec(PSSParameterSpec.class);
                    sig.setParameter(spec);
                }
                else
                {
                    // TODO Are there other signature algorithms that provide parameters?
                    if (sigParams != null)
                    {
                        throw new CMSException("unrecognised signature parameters provided");
                    }
                }
            }
            catch (IOException e)
            {
                throw new CMSException("error encoding signature parameters.", e);
            }
            catch (InvalidAlgorithmParameterException e)
            {
                throw new CMSException("error setting signature parameters.", e);
            }
            catch (InvalidParameterSpecException e)
            {
                throw new CMSException("error processing signature parameters.", e);
            }
    */

    try {
      if (digestCalculator != null) {
        resultDigest = digestCalculator.getDigest();
      } else {
        if (content != null) {
          content.write(new DigOutputStream(digest));
        } else if (signedAttributeSet == null) {
          // TODO Get rid of this exception and just treat content==null as empty not missing?
          throw new CMSException("data not encapsulated in signature - use detached constructor.");
        }

        resultDigest = digest.digest();
      }
    } catch (IOException e) {
      throw new CMSException("can't process mime object to create signature.", e);
    }

    // RFC 3852 11.1 Check the content-type attribute is correct
    {
      DERObject validContentType =
          getSingleValuedSignedAttribute(CMSAttributes.contentType, "content-type");
      if (validContentType == null) {
        if (!isCounterSignature && signedAttributeSet != null) {
          throw new CMSException(
              "The content-type attribute type MUST be present whenever signed attributes are present in signed-data");
        }
      } else {
        if (isCounterSignature) {
          throw new CMSException(
              "[For counter signatures,] the signedAttributes field MUST NOT contain a content-type attribute");
        }

        if (!(validContentType instanceof DERObjectIdentifier)) {
          throw new CMSException(
              "content-type attribute value not of ASN.1 type 'OBJECT IDENTIFIER'");
        }

        DERObjectIdentifier signedContentType = (DERObjectIdentifier) validContentType;

        if (!signedContentType.equals(contentType)) {
          throw new CMSException("content-type attribute value does not match eContentType");
        }
      }
    }

    // RFC 3852 11.2 Check the message-digest attribute is correct
    {
      DERObject validMessageDigest =
          getSingleValuedSignedAttribute(CMSAttributes.messageDigest, "message-digest");
      if (validMessageDigest == null) {
        if (signedAttributeSet != null) {
          throw new CMSException(
              "the message-digest signed attribute type MUST be present when there are any signed attributes present");
        }
      } else {
        if (!(validMessageDigest instanceof ASN1OctetString)) {
          throw new CMSException("message-digest attribute value not of ASN.1 type 'OCTET STRING'");
        }

        ASN1OctetString signedMessageDigest = (ASN1OctetString) validMessageDigest;

        if (!Arrays.constantTimeAreEqual(resultDigest, signedMessageDigest.getOctets())) {
          throw new CMSSignerDigestMismatchException(
              "message-digest attribute value does not match calculated value");
        }
      }
    }

    // RFC 3852 11.4 Validate countersignature attribute(s)
    {
      AttributeTable signedAttrTable = this.getSignedAttributes();
      if (signedAttrTable != null
          && signedAttrTable.getAll(CMSAttributes.counterSignature).size() > 0) {
        throw new CMSException("A countersignature attribute MUST NOT be a signed attribute");
      }

      AttributeTable unsignedAttrTable = this.getUnsignedAttributes();
      if (unsignedAttrTable != null) {
        ASN1EncodableVector csAttrs = unsignedAttrTable.getAll(CMSAttributes.counterSignature);
        for (int i = 0; i < csAttrs.size(); ++i) {
          Attribute csAttr = (Attribute) csAttrs.get(i);
          if (csAttr.getAttrValues().size() < 1) {
            throw new CMSException(
                "A countersignature attribute MUST contain at least one AttributeValue");
          }

          // Note: We don't recursively validate the countersignature value
        }
      }
    }

    try {
      sig.initVerify(key);

      if (signedAttributeSet == null) {
        if (digestCalculator != null) {
          // need to decrypt signature and check message bytes
          return verifyDigest(resultDigest, key, this.getSignature(), sigProvider);
        } else if (content != null) {
          // TODO Use raw signature of the hash value instead
          content.write(new SigOutputStream(sig));
        }
      } else {
        sig.update(this.getEncodedSignedAttributes());
      }

      return sig.verify(this.getSignature());
    } catch (InvalidKeyException e) {
      throw new CMSException("key not appropriate to signature in message.", e);
    } catch (IOException e) {
      throw new CMSException("can't process mime object to create signature.", e);
    } catch (SignatureException e) {
      throw new CMSException("invalid signature format in message: " + e.getMessage(), e);
    }
  }
예제 #17
0
  /** test for equality - note: case is ignored. */
  public boolean equals(Object obj) {
    if (obj == this) {
      return true;
    }

    if (!(obj instanceof X509Name || obj instanceof ASN1Sequence)) {
      return false;
    }

    DERObject derO = ((DEREncodable) obj).getDERObject();

    if (this.getDERObject().equals(derO)) {
      return true;
    }

    X509Name other;

    try {
      other = X509Name.getInstance(obj);
    } catch (IllegalArgumentException e) {
      return false;
    }

    int orderingSize = ordering.size();

    if (orderingSize != other.ordering.size()) {
      return false;
    }

    boolean[] indexes = new boolean[orderingSize];
    int start, end, delta;

    if (ordering.elementAt(0).equals(other.ordering.elementAt(0))) // guess forward
    {
      start = 0;
      end = orderingSize;
      delta = 1;
    } else // guess reversed - most common problem
    {
      start = orderingSize - 1;
      end = -1;
      delta = -1;
    }

    for (int i = start; i != end; i += delta) {
      boolean found = false;
      DERObjectIdentifier oid = (DERObjectIdentifier) ordering.elementAt(i);
      String value = (String) values.elementAt(i);

      for (int j = 0; j < orderingSize; j++) {
        if (indexes[j]) {
          continue;
        }

        DERObjectIdentifier oOid = (DERObjectIdentifier) other.ordering.elementAt(j);

        if (oid.equals(oOid)) {
          String oValue = (String) other.values.elementAt(j);

          if (equivalentStrings(value, oValue)) {
            indexes[j] = true;
            found = true;
            break;
          }
        }
      }

      if (!found) {
        return false;
      }
    }

    return true;
  }
예제 #18
0
  private void testECDSA239bitBinary(String algorithm, DERObjectIdentifier oid) throws Exception {
    BigInteger r =
        new BigInteger("21596333210419611985018340039034612628818151486841789642455876922391552");
    BigInteger s =
        new BigInteger("197030374000731686738334997654997227052849804072198819102649413465737174");

    byte[] kData =
        BigIntegers.asUnsignedByteArray(
            new BigInteger(
                "171278725565216523967285789236956265265265235675811949404040041670216363"));

    SecureRandom k = new FixedSecureRandom(kData);

    ECCurve curve =
        new ECCurve.F2m(
            239, // m
            36, // k
            new BigInteger("32010857077C5431123A46B808906756F543423E8D27877578125778AC76", 16), // a
            new BigInteger(
                "790408F2EEDAF392B012EDEFB3392F30F4327C0CA3F31FC383C422AA8C16", 16)); // b

    ECParameterSpec params =
        new ECParameterSpec(
            curve,
            curve.decodePoint(
                Hex.decode(
                    "0457927098FA932E7C0A96D3FD5B706EF7E5F5C156E16B7E7C86038552E91D61D8EE5077C33FECF6F1A16B268DE469C3C7744EA9A971649FC7A9616305")), // G
            new BigInteger(
                "220855883097298041197912187592864814557886993776713230936715041207411783"), // n
            BigInteger.valueOf(4)); // h

    ECPrivateKeySpec priKeySpec =
        new ECPrivateKeySpec(
            new BigInteger(
                "145642755521911534651321230007534120304391871461646461466464667494947990"), // d
            params);

    ECPublicKeySpec pubKeySpec =
        new ECPublicKeySpec(
            curve.decodePoint(
                Hex.decode(
                    "045894609CCECF9A92533F630DE713A958E96C97CCB8F5ABB5A688A238DEED6DC2D9D0C94EBFB7D526BA6A61764175B99CB6011E2047F9F067293F57F5")), // Q
            params);

    Signature sgr = Signature.getInstance(algorithm, "BC");
    KeyFactory f = KeyFactory.getInstance("ECDSA", "BC");
    PrivateKey sKey = f.generatePrivate(priKeySpec);
    PublicKey vKey = f.generatePublic(pubKeySpec);
    byte[] message = new byte[] {(byte) 'a', (byte) 'b', (byte) 'c'};

    sgr.initSign(sKey, k);

    sgr.update(message);

    byte[] sigBytes = sgr.sign();

    sgr = Signature.getInstance(oid.getId(), "BC");

    sgr.initVerify(vKey);

    sgr.update(message);

    if (!sgr.verify(sigBytes)) {
      fail("239 Bit EC RIPEMD160 verification failed");
    }
  }
예제 #19
0
  private boolean doVerify(SignerInformationVerifier verifier) throws CMSException {
    String digestName = CMSSignedHelper.INSTANCE.getDigestAlgName(this.getDigestAlgOID());
    String encName = CMSSignedHelper.INSTANCE.getEncryptionAlgName(this.getEncryptionAlgOID());
    String signatureName = digestName + "with" + encName;

    try {
      if (digestCalculator != null) {
        resultDigest = digestCalculator.getDigest();
      } else {
        DigestCalculator calc = verifier.getDigestCalculator(this.getDigestAlgorithmID());
        if (content != null) {
          OutputStream digOut = calc.getOutputStream();

          content.write(digOut);

          digOut.close();
        } else if (signedAttributeSet == null) {
          // TODO Get rid of this exception and just treat content==null as empty not missing?
          throw new CMSException("data not encapsulated in signature - use detached constructor.");
        }

        resultDigest = calc.getDigest();
      }
    } catch (IOException e) {
      throw new CMSException("can't process mime object to create signature.", e);
    } catch (NoSuchAlgorithmException e) {
      throw new CMSException("can't find algorithm: " + e.getMessage(), e);
    } catch (OperatorCreationException e) {
      throw new CMSException("can't create digest calculator: " + e.getMessage(), e);
    }

    // RFC 3852 11.1 Check the content-type attribute is correct
    {
      DERObject validContentType =
          getSingleValuedSignedAttribute(CMSAttributes.contentType, "content-type");
      if (validContentType == null) {
        if (!isCounterSignature && signedAttributeSet != null) {
          throw new CMSException(
              "The content-type attribute type MUST be present whenever signed attributes are present in signed-data");
        }
      } else {
        if (isCounterSignature) {
          throw new CMSException(
              "[For counter signatures,] the signedAttributes field MUST NOT contain a content-type attribute");
        }

        if (!(validContentType instanceof DERObjectIdentifier)) {
          throw new CMSException(
              "content-type attribute value not of ASN.1 type 'OBJECT IDENTIFIER'");
        }

        DERObjectIdentifier signedContentType = (DERObjectIdentifier) validContentType;

        if (!signedContentType.equals(contentType)) {
          throw new CMSException("content-type attribute value does not match eContentType");
        }
      }
    }

    // RFC 3852 11.2 Check the message-digest attribute is correct
    {
      DERObject validMessageDigest =
          getSingleValuedSignedAttribute(CMSAttributes.messageDigest, "message-digest");
      if (validMessageDigest == null) {
        if (signedAttributeSet != null) {
          throw new CMSException(
              "the message-digest signed attribute type MUST be present when there are any signed attributes present");
        }
      } else {
        if (!(validMessageDigest instanceof ASN1OctetString)) {
          throw new CMSException("message-digest attribute value not of ASN.1 type 'OCTET STRING'");
        }

        ASN1OctetString signedMessageDigest = (ASN1OctetString) validMessageDigest;

        if (!Arrays.constantTimeAreEqual(resultDigest, signedMessageDigest.getOctets())) {
          throw new CMSSignerDigestMismatchException(
              "message-digest attribute value does not match calculated value");
        }
      }
    }

    // RFC 3852 11.4 Validate countersignature attribute(s)
    {
      AttributeTable signedAttrTable = this.getSignedAttributes();
      if (signedAttrTable != null
          && signedAttrTable.getAll(CMSAttributes.counterSignature).size() > 0) {
        throw new CMSException("A countersignature attribute MUST NOT be a signed attribute");
      }

      AttributeTable unsignedAttrTable = this.getUnsignedAttributes();
      if (unsignedAttrTable != null) {
        ASN1EncodableVector csAttrs = unsignedAttrTable.getAll(CMSAttributes.counterSignature);
        for (int i = 0; i < csAttrs.size(); ++i) {
          Attribute csAttr = (Attribute) csAttrs.get(i);
          if (csAttr.getAttrValues().size() < 1) {
            throw new CMSException(
                "A countersignature attribute MUST contain at least one AttributeValue");
          }

          // Note: We don't recursively validate the countersignature value
        }
      }
    }

    try {
      ContentVerifier contentVerifier =
          verifier.getContentVerifier(sigAlgFinder.find(signatureName));
      OutputStream sigOut = contentVerifier.getOutputStream();

      if (signedAttributeSet == null) {
        if (digestCalculator != null) {
          if (contentVerifier instanceof RawContentVerifier) {
            RawContentVerifier rawVerifier = (RawContentVerifier) contentVerifier;

            if (encName.equals("RSA")) {
              DigestInfo digInfo = new DigestInfo(digestAlgorithm, resultDigest);

              return rawVerifier.verify(digInfo.getDEREncoded(), this.getSignature());
            }

            return rawVerifier.verify(resultDigest, this.getSignature());
          }

          throw new CMSException("verifier unable to process raw signature");
        } else if (content != null) {
          // TODO Use raw signature of the hash value instead
          content.write(sigOut);
        }
      } else {
        sigOut.write(this.getEncodedSignedAttributes());
      }

      sigOut.close();

      return contentVerifier.verify(this.getSignature());
    } catch (IOException e) {
      throw new CMSException("can't process mime object to create signature.", e);
    } catch (OperatorCreationException e) {
      throw new CMSException("can't create content verifier: " + e.getMessage(), e);
    }
  }
예제 #20
0
 static boolean isPKCS12(DERObjectIdentifier algOid) {
   return algOid.getId().startsWith(PKCSObjectIdentifiers.pkcs_12PbeIds.getId());
 }