diff options
| author | Sergio Giro <sgiro@google.com> | 2015-04-21 23:20:25 +0000 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2015-04-21 23:20:25 +0000 |
| commit | 7f729f07947047c1ceaad8a78febacd1269a62b3 (patch) | |
| tree | 35d98bf60cbe7a6487bd0014728eb263e89004bb /bcprov/src/main/java/org/bouncycastle/jcajce | |
| parent | bf9fc13901d0666be69118222a1eb0161202af5f (diff) | |
| parent | fb93a7697b35e8a059d93e3d1776bc307981fc0e (diff) | |
| download | android_external_bouncycastle-7f729f07947047c1ceaad8a78febacd1269a62b3.tar.gz android_external_bouncycastle-7f729f07947047c1ceaad8a78febacd1269a62b3.tar.bz2 android_external_bouncycastle-7f729f07947047c1ceaad8a78febacd1269a62b3.zip | |
am fb93a769: Merge "bouncycastle: upgrade to version 1.52"
* commit 'fb93a7697b35e8a059d93e3d1776bc307981fc0e':
bouncycastle: upgrade to version 1.52
Diffstat (limited to 'bcprov/src/main/java/org/bouncycastle/jcajce')
41 files changed, 1511 insertions, 214 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/PKCS12StoreParameter.java b/bcprov/src/main/java/org/bouncycastle/jcajce/PKCS12StoreParameter.java new file mode 100644 index 0000000..b53eca5 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/PKCS12StoreParameter.java @@ -0,0 +1,62 @@ +package org.bouncycastle.jcajce; + +import java.io.OutputStream; +import java.security.KeyStore; +import java.security.KeyStore.LoadStoreParameter; +import java.security.KeyStore.ProtectionParameter; + +/** + * LoadStoreParameter to allow for additional config with PKCS12 files. + * <p> + * Note: if you want a straight DER encoding of a PKCS#12 file you should use this. + * </p> + */ +public class PKCS12StoreParameter + implements LoadStoreParameter +{ + private final OutputStream out; + private final ProtectionParameter protectionParameter; + private final boolean forDEREncoding; + + public PKCS12StoreParameter(OutputStream out, char[] password) + { + this(out, password, false); + } + + public PKCS12StoreParameter(OutputStream out, ProtectionParameter protectionParameter) + { + this(out, protectionParameter, false); + } + + public PKCS12StoreParameter(OutputStream out, char[] password, boolean forDEREncoding) + { + this(out, new KeyStore.PasswordProtection(password), forDEREncoding); + } + + public PKCS12StoreParameter(OutputStream out, ProtectionParameter protectionParameter, boolean forDEREncoding) + { + this.out = out; + this.protectionParameter = protectionParameter; + this.forDEREncoding = forDEREncoding; + } + + public OutputStream getOutputStream() + { + return out; + } + + public ProtectionParameter getProtectionParameter() + { + return protectionParameter; + } + + /** + * Return whether the KeyStore used with this parameter should be DER encoded on saving. + * + * @return true for straight DER encoding, false otherwise, + */ + public boolean isForDEREncoding() + { + return forDEREncoding; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXCRLStore.java b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXCRLStore.java new file mode 100644 index 0000000..b344720 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXCRLStore.java @@ -0,0 +1,15 @@ +package org.bouncycastle.jcajce; + +import java.security.cert.CRL; +import java.util.Collection; + +import org.bouncycastle.util.Selector; +import org.bouncycastle.util.Store; +import org.bouncycastle.util.StoreException; + +public interface PKIXCRLStore<T extends CRL> + extends Store<T> +{ + Collection<T> getMatches(Selector<T> selector) + throws StoreException; +} diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXCRLStoreSelector.java b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXCRLStoreSelector.java new file mode 100644 index 0000000..9c68433 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXCRLStoreSelector.java @@ -0,0 +1,313 @@ +package org.bouncycastle.jcajce; + +import java.math.BigInteger; +import java.security.cert.CRL; +import java.security.cert.CRLSelector; +import java.security.cert.CertStore; +import java.security.cert.CertStoreException; +import java.security.cert.X509CRL; +import java.security.cert.X509CRLSelector; +import java.security.cert.X509Certificate; +import java.util.Collection; + +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.Selector; + +/** + * This class is a Selector implementation for X.509 certificate revocation + * lists. + * + * @see org.bouncycastle.util.Selector + */ +public class PKIXCRLStoreSelector<T extends CRL> + implements Selector<T> +{ + public static class Builder + { + private final CRLSelector baseSelector; + + private boolean deltaCRLIndicator = false; + private boolean completeCRLEnabled = false; + private BigInteger maxBaseCRLNumber = null; + private byte[] issuingDistributionPoint = null; + private boolean issuingDistributionPointEnabled = false; + + public Builder(CRLSelector certSelector) + { + this.baseSelector = (CRLSelector)certSelector.clone(); + } + + + /** + * If set to <code>true</code> only complete CRLs are returned. + * <p> + * {@link #setCompleteCRLEnabled(boolean)} and + * {@link #setDeltaCRLIndicatorEnabled(boolean)} excluded each other. + * + * @param completeCRLEnabled <code>true</code> if only complete CRLs + * should be returned. + */ + public Builder setCompleteCRLEnabled(boolean completeCRLEnabled) + { + this.completeCRLEnabled = completeCRLEnabled; + + return this; + } + + /** + * If this is set to <code>true</code> the CRL reported contains the delta + * CRL indicator CRL extension. + * <p> + * {@link #setCompleteCRLEnabled(boolean)} and + * {@link #setDeltaCRLIndicatorEnabled(boolean)} excluded each other. + * + * @param deltaCRLIndicator <code>true</code> if the delta CRL indicator + * extension must be in the CRL. + */ + public Builder setDeltaCRLIndicatorEnabled(boolean deltaCRLIndicator) + { + this.deltaCRLIndicator = deltaCRLIndicator; + + return this; + } + + /** + * Sets the maximum base CRL number. Setting to <code>null</code> disables + * this cheack. + * <p> + * This is only meaningful for delta CRLs. Complete CRLs must have a CRL + * number which is greater or equal than the base number of the + * corresponding CRL. + * + * @param maxBaseCRLNumber The maximum base CRL number to set. + */ + public void setMaxBaseCRLNumber(BigInteger maxBaseCRLNumber) + { + this.maxBaseCRLNumber = maxBaseCRLNumber; + } + + /** + * Enables or disables the issuing distribution point check. + * + * @param issuingDistributionPointEnabled <code>true</code> to enable the + * issuing distribution point check. + */ + public void setIssuingDistributionPointEnabled( + boolean issuingDistributionPointEnabled) + { + this.issuingDistributionPointEnabled = issuingDistributionPointEnabled; + } + + /** + * Sets the issuing distribution point. + * <p> + * The issuing distribution point extension is a CRL extension which + * identifies the scope and the distribution point of a CRL. The scope + * contains among others information about revocation reasons contained in + * the CRL. Delta CRLs and complete CRLs must have matching issuing + * distribution points. + * <p> + * The byte array is cloned to protect against subsequent modifications. + * <p> + * You must also enable or disable this criteria with + * {@link #setIssuingDistributionPointEnabled(boolean)}. + * + * @param issuingDistributionPoint The issuing distribution point to set. + * This is the DER encoded OCTET STRING extension value. + * @see #getIssuingDistributionPoint() + */ + public void setIssuingDistributionPoint(byte[] issuingDistributionPoint) + { + this.issuingDistributionPoint = Arrays.clone(issuingDistributionPoint); + } + + public PKIXCRLStoreSelector<? extends CRL> build() + { + return new PKIXCRLStoreSelector(this); + } + } + + private final CRLSelector baseSelector; + private final boolean deltaCRLIndicator; + private final boolean completeCRLEnabled; + private final BigInteger maxBaseCRLNumber; + private final byte[] issuingDistributionPoint; + private final boolean issuingDistributionPointEnabled; + + private PKIXCRLStoreSelector(Builder baseBuilder) + { + this.baseSelector = baseBuilder.baseSelector; + this.deltaCRLIndicator = baseBuilder.deltaCRLIndicator; + this.completeCRLEnabled = baseBuilder.completeCRLEnabled; + this.maxBaseCRLNumber = baseBuilder.maxBaseCRLNumber; + this.issuingDistributionPoint = baseBuilder.issuingDistributionPoint; + this.issuingDistributionPointEnabled = baseBuilder.issuingDistributionPointEnabled; + } + + + /** + * Returns if the issuing distribution point criteria should be applied. + * Defaults to <code>false</code>. + * <p> + * You may also set the issuing distribution point criteria if not a missing + * issuing distribution point should be assumed. + * + * @return Returns if the issuing distribution point check is enabled. + */ + public boolean isIssuingDistributionPointEnabled() + { + return issuingDistributionPointEnabled; + } + + + + public boolean match(CRL obj) + { + if (!(obj instanceof X509CRL)) + { + return baseSelector.match(obj); + } + + X509CRL crl = (X509CRL)obj; + ASN1Integer dci = null; + try + { + byte[] bytes = crl + .getExtensionValue(Extension.deltaCRLIndicator.getId()); + if (bytes != null) + { + dci = ASN1Integer.getInstance(ASN1OctetString.getInstance(bytes).getOctets()); + } + } + catch (Exception e) + { + return false; + } + if (isDeltaCRLIndicatorEnabled()) + { + if (dci == null) + { + return false; + } + } + if (isCompleteCRLEnabled()) + { + if (dci != null) + { + return false; + } + } + if (dci != null) + { + + if (maxBaseCRLNumber != null) + { + if (dci.getPositiveValue().compareTo(maxBaseCRLNumber) == 1) + { + return false; + } + } + } + if (issuingDistributionPointEnabled) + { + byte[] idp = crl + .getExtensionValue(Extension.issuingDistributionPoint + .getId()); + if (issuingDistributionPoint == null) + { + if (idp != null) + { + return false; + } + } + else + { + if (!Arrays.areEqual(idp, issuingDistributionPoint)) + { + return false; + } + } + + } + return baseSelector.match(obj); + } + + /** + * Returns if this selector must match CRLs with the delta CRL indicator + * extension set. Defaults to <code>false</code>. + * + * @return Returns <code>true</code> if only CRLs with the delta CRL + * indicator extension are selected. + */ + public boolean isDeltaCRLIndicatorEnabled() + { + return deltaCRLIndicator; + } + + public Object clone() + { + return this; + } + + /** + * If <code>true</code> only complete CRLs are returned. Defaults to + * <code>false</code>. + * + * @return <code>true</code> if only complete CRLs are returned. + */ + public boolean isCompleteCRLEnabled() + { + return completeCRLEnabled; + } + + /** + * Get the maximum base CRL number. Defaults to <code>null</code>. + * + * @return Returns the maximum base CRL number. + */ + public BigInteger getMaxBaseCRLNumber() + { + return maxBaseCRLNumber; + } + + + /** + * Returns the issuing distribution point. Defaults to <code>null</code>, + * which is a missing issuing distribution point extension. + * <p> + * The internal byte array is cloned before it is returned. + * <p> + * The criteria must be enable with Builder.setIssuingDistributionPointEnabled(boolean)}. + * + * @return Returns the issuing distribution point. + */ + public byte[] getIssuingDistributionPoint() + { + return Arrays.clone(issuingDistributionPoint); + } + + public X509Certificate getCertificateChecking() + { + return ((X509CRLSelector)baseSelector).getCertificateChecking(); + } + + public static Collection<? extends CRL> getCRLs(final PKIXCRLStoreSelector selector, CertStore certStore) + throws CertStoreException + { + return certStore.getCRLs(new CRLSelector() + { + public boolean match(CRL crl) + { + return selector.match(crl); + } + + public Object clone() + { + return this; + } + }); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXCertStore.java b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXCertStore.java new file mode 100644 index 0000000..092872f --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXCertStore.java @@ -0,0 +1,15 @@ +package org.bouncycastle.jcajce; + +import java.security.cert.Certificate; +import java.util.Collection; + +import org.bouncycastle.util.Selector; +import org.bouncycastle.util.Store; +import org.bouncycastle.util.StoreException; + +public interface PKIXCertStore<T extends Certificate> + extends Store<T> +{ + Collection<T> getMatches(Selector<T> selector) + throws StoreException; +} diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXCertStoreSelector.java b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXCertStoreSelector.java new file mode 100644 index 0000000..1775de7 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXCertStoreSelector.java @@ -0,0 +1,67 @@ +package org.bouncycastle.jcajce; + +import java.security.cert.CertSelector; +import java.security.cert.CertStore; +import java.security.cert.CertStoreException; +import java.security.cert.Certificate; +import java.util.Collection; + +import org.bouncycastle.util.Selector; + +/** + * This class is a Selector implementation for certificates. + * + * @see org.bouncycastle.util.Selector + */ +public class PKIXCertStoreSelector<T extends Certificate> + implements Selector<T> +{ + public static class Builder + { + private final CertSelector baseSelector; + + public Builder(CertSelector certSelector) + { + this.baseSelector = (CertSelector)certSelector.clone(); + } + + public PKIXCertStoreSelector<? extends Certificate> build() + { + return new PKIXCertStoreSelector(baseSelector); + } + } + + private final CertSelector baseSelector; + + private PKIXCertStoreSelector(CertSelector baseSelector) + { + this.baseSelector = baseSelector; + } + + public boolean match(Certificate cert) + { + return baseSelector.match(cert); + } + + public Object clone() + { + return new PKIXCertStoreSelector(baseSelector); + } + + public static Collection<? extends Certificate> getCertificates(final PKIXCertStoreSelector selector, CertStore certStore) + throws CertStoreException + { + return certStore.getCertificates(new CertSelector() + { + public boolean match(Certificate certificate) + { + return (selector == null) ? true : selector.match(certificate); + } + + public Object clone() + { + return this; + } + }); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXExtendedBuilderParameters.java b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXExtendedBuilderParameters.java new file mode 100644 index 0000000..3369d0d --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXExtendedBuilderParameters.java @@ -0,0 +1,138 @@ +package org.bouncycastle.jcajce; + +import java.security.InvalidParameterException; +import java.security.cert.CertPathParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; + +/** + * This class contains extended parameters for PKIX certification path builders. + * + * @see java.security.cert.PKIXBuilderParameters + */ +public class PKIXExtendedBuilderParameters + implements CertPathParameters +{ + public static class Builder + { + private final PKIXExtendedParameters baseParameters; + + private int maxPathLength = 5; + private Set<X509Certificate> excludedCerts = new HashSet<X509Certificate>(); + + public Builder(PKIXBuilderParameters baseParameters) + { + this.baseParameters = new PKIXExtendedParameters.Builder(baseParameters).build(); + this.maxPathLength = baseParameters.getMaxPathLength(); + } + + public Builder(PKIXExtendedParameters baseParameters) + { + this.baseParameters = baseParameters; + } + + /** + * Adds excluded certificates which are not used for building a + * certification path. + * <p> + * The given set is cloned to protect it against subsequent modifications. + * + * @param excludedCerts The excluded certificates to set. + */ + public Builder addExcludedCerts(Set<X509Certificate> excludedCerts) + { + this.excludedCerts.addAll(excludedCerts); + + return this; + } + + /** + * Sets the maximum number of intermediate non-self-issued certificates in a + * certification path. The PKIX <code>CertPathBuilder</code> must not + * build paths longer then this length. + * <p> + * A value of 0 implies that the path can only contain a single certificate. + * A value of -1 does not limit the length. The default length is 5. + * + * <p> + * + * The basic constraints extension of a CA certificate overrides this value + * if smaller. + * + * @param maxPathLength the maximum number of non-self-issued intermediate + * certificates in the certification path + * @throws java.security.InvalidParameterException if <code>maxPathLength</code> is set + * to a value less than -1 + * + * @see #getMaxPathLength + */ + public Builder setMaxPathLength(int maxPathLength) + { + if (maxPathLength < -1) + { + throw new InvalidParameterException("The maximum path " + + "length parameter can not be less than -1."); + } + this.maxPathLength = maxPathLength; + + return this; + } + + public PKIXExtendedBuilderParameters build() + { + return new PKIXExtendedBuilderParameters(this); + } + } + + private final PKIXExtendedParameters baseParameters; + private final Set<X509Certificate> excludedCerts; + private final int maxPathLength; + + private PKIXExtendedBuilderParameters(Builder builder) + { + this.baseParameters = builder.baseParameters; + this.excludedCerts = Collections.unmodifiableSet(builder.excludedCerts); + this.maxPathLength = builder.maxPathLength; + } + + public PKIXExtendedParameters getBaseParameters() + { + return baseParameters; + } + + /** + * Excluded certificates are not used for building a certification path. + * <p> + * The returned set is immutable. + * + * @return Returns the excluded certificates. + */ + public Set getExcludedCerts() + { + return excludedCerts; + } + + /** + * Returns the value of the maximum number of intermediate non-self-issued + * certificates in the certification path. + * + * @return the maximum number of non-self-issued intermediate certificates + * in the certification path, or -1 if no limit exists. + */ + public int getMaxPathLength() + { + return maxPathLength; + } + + /** + * @return this object + */ + public Object clone() + { + return this; + } +} + diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXExtendedParameters.java b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXExtendedParameters.java new file mode 100644 index 0000000..3a86f2a --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXExtendedParameters.java @@ -0,0 +1,340 @@ +package org.bouncycastle.jcajce; + +import java.security.cert.CertPathParameters; +import java.security.cert.CertSelector; +import java.security.cert.CertStore; +import java.security.cert.PKIXParameters; +import java.security.cert.TrustAnchor; +import java.util.ArrayList; +import java.util.Collections; +import java.util.Date; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import org.bouncycastle.asn1.x509.GeneralName; + +/** + * This class extends the PKIXParameters with a validity model parameter. + */ +public class PKIXExtendedParameters + implements CertPathParameters +{ + /** + * This is the default PKIX validity model. Actually there are two variants + * of this: The PKIX model and the modified PKIX model. The PKIX model + * verifies that all involved certificates must have been valid at the + * current time. The modified PKIX model verifies that all involved + * certificates were valid at the signing time. Both are indirectly choosen + * with the {@link java.security.cert.PKIXParameters#setDate(java.util.Date)} method, so this + * methods sets the Date when <em>all</em> certificates must have been + * valid. + */ + public static final int PKIX_VALIDITY_MODEL = 0; + + /** + * This model uses the following validity model. Each certificate must have + * been valid at the moment where is was used. That means the end + * certificate must have been valid at the time the signature was done. The + * CA certificate which signed the end certificate must have been valid, + * when the end certificate was signed. The CA (or Root CA) certificate must + * have been valid, when the CA certificate was signed and so on. So the + * {@link java.security.cert.PKIXParameters#setDate(java.util.Date)} method sets the time, when + * the <em>end certificate</em> must have been valid. + * <p> + * It is used e.g. + * in the German signature law. + * </p> + */ + public static final int CHAIN_VALIDITY_MODEL = 1; + + public static class Builder + { + private final PKIXParameters baseParameters; + private final Date date; + + private PKIXCertStoreSelector targetConstraints; + private List<PKIXCertStore> extraCertStores = new ArrayList<PKIXCertStore>(); + private Map<GeneralName, PKIXCertStore> namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>(); + private List<PKIXCRLStore> extraCRLStores = new ArrayList<PKIXCRLStore>(); + private Map<GeneralName, PKIXCRLStore> namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>(); + private boolean revocationEnabled; + private int validityModel = PKIX_VALIDITY_MODEL; + private boolean useDeltas = false; + private Set<TrustAnchor> trustAnchors; + + public Builder(PKIXParameters baseParameters) + { + this.baseParameters = (PKIXParameters)baseParameters.clone(); + CertSelector constraints = baseParameters.getTargetCertConstraints(); + if (constraints != null) + { + this.targetConstraints = new PKIXCertStoreSelector.Builder(constraints).build(); + } + Date checkDate = baseParameters.getDate(); + this.date = (checkDate == null) ? new Date() : checkDate; + this.revocationEnabled = baseParameters.isRevocationEnabled(); + this.trustAnchors = baseParameters.getTrustAnchors(); + } + + public Builder(PKIXExtendedParameters baseParameters) + { + this.baseParameters = baseParameters.baseParameters; + this.date = baseParameters.date; + this.targetConstraints = baseParameters.targetConstraints; + this.extraCertStores = new ArrayList<PKIXCertStore>(baseParameters.extraCertStores); + this.namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>(baseParameters.namedCertificateStoreMap); + this.extraCRLStores = new ArrayList<PKIXCRLStore>(baseParameters.extraCRLStores); + this.namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>(baseParameters.namedCRLStoreMap); + this.useDeltas = baseParameters.useDeltas; + this.validityModel = baseParameters.validityModel; + this.revocationEnabled = baseParameters.isRevocationEnabled(); + this.trustAnchors = baseParameters.getTrustAnchors(); + } + + public Builder addCertificateStore(PKIXCertStore store) + { + extraCertStores.add(store); + + return this; + } + + public Builder addNamedCertificateStore(GeneralName issuerAltName, PKIXCertStore store) + { + namedCertificateStoreMap.put(issuerAltName, store); + + return this; + } + + public Builder addCRLStore(PKIXCRLStore store) + { + extraCRLStores.add(store); + + return this; + } + + public Builder addNamedCRLStore(GeneralName issuerAltName, PKIXCRLStore store) + { + namedCRLStoreMap.put(issuerAltName, store); + + return this; + } + + public Builder setTargetConstraints(PKIXCertStoreSelector selector) + { + targetConstraints = selector; + + return this; + } + + /** + * Sets if delta CRLs should be used for checking the revocation status. + * + * @param useDeltas <code>true</code> if delta CRLs should be used. + */ + public Builder setUseDeltasEnabled(boolean useDeltas) + { + this.useDeltas = useDeltas; + + return this; + } + + /** + * @param validityModel The validity model to set. + * @see #CHAIN_VALIDITY_MODEL + * @see #PKIX_VALIDITY_MODEL + */ + public Builder setValidityModel(int validityModel) + { + this.validityModel = validityModel; + + return this; + } + + /** + * Set the trustAnchor to be used with these parameters. + * + * @param trustAnchor the trust anchor end-entity and CRLs must be based on. + * @return the current builder. + */ + public Builder setTrustAnchor(TrustAnchor trustAnchor) + { + this.trustAnchors = Collections.singleton(trustAnchor); + + return this; + } + + /** + * Set the set of trustAnchors to be used with these parameters. + * + * @param trustAnchors a set of trustAnchors, one of which a particular end-entity and it's associated CRLs must be based on. + * @return the current builder. + */ + public Builder setTrustAnchors(Set<TrustAnchor> trustAnchors) + { + this.trustAnchors = trustAnchors; + + return this; + } + + /** + * Flag whether or not revocation checking is to be enabled. + * + * @param revocationEnabled true if revocation checking to be enabled, false otherwise. + */ + public void setRevocationEnabled(boolean revocationEnabled) + { + this.revocationEnabled = revocationEnabled; + } + + public PKIXExtendedParameters build() + { + return new PKIXExtendedParameters(this); + } + } + + private final PKIXParameters baseParameters; + private final PKIXCertStoreSelector targetConstraints; + private final Date date; + private final List<PKIXCertStore> extraCertStores; + private final Map<GeneralName, PKIXCertStore> namedCertificateStoreMap; + private final List<PKIXCRLStore> extraCRLStores; + private final Map<GeneralName, PKIXCRLStore> namedCRLStoreMap; + private final boolean revocationEnabled; + private final boolean useDeltas; + private final int validityModel; + private final Set<TrustAnchor> trustAnchors; + + private PKIXExtendedParameters(Builder builder) + { + this.baseParameters = builder.baseParameters; + this.date = builder.date; + this.extraCertStores = Collections.unmodifiableList(builder.extraCertStores); + this.namedCertificateStoreMap = Collections.unmodifiableMap(new HashMap<GeneralName, PKIXCertStore>(builder.namedCertificateStoreMap)); + this.extraCRLStores = Collections.unmodifiableList(builder.extraCRLStores); + this.namedCRLStoreMap = Collections.unmodifiableMap(new HashMap<GeneralName, PKIXCRLStore>(builder.namedCRLStoreMap)); + this.targetConstraints = builder.targetConstraints; + this.revocationEnabled = builder.revocationEnabled; + this.useDeltas = builder.useDeltas; + this.validityModel = builder.validityModel; + this.trustAnchors = Collections.unmodifiableSet(builder.trustAnchors); + } + + public List<PKIXCertStore> getCertificateStores() + { + return extraCertStores; + } + + + public Map<GeneralName, PKIXCertStore> getNamedCertificateStoreMap() + { + return namedCertificateStoreMap; + } + + public List<PKIXCRLStore> getCRLStores() + { + return extraCRLStores; + } + + public Map<GeneralName, PKIXCRLStore> getNamedCRLStoreMap() + { + return namedCRLStoreMap; + } + + public Date getDate() + { + return new Date(date.getTime()); + } + + + + + /** + * Defaults to <code>false</code>. + * + * @return Returns if delta CRLs should be used. + */ + public boolean isUseDeltasEnabled() + { + return useDeltas; + } + + + + /** + * @return Returns the validity model. + * @see #CHAIN_VALIDITY_MODEL + * @see #PKIX_VALIDITY_MODEL + */ + public int getValidityModel() + { + return validityModel; + } + + public Object clone() + { + return this; + } + + /** + * Returns the required constraints on the target certificate. + * The constraints are returned as an instance of + * <code>Selector</code>. If <code>null</code>, no constraints are + * defined. + * + * @return a <code>Selector</code> specifying the constraints on the + * target certificate or attribute certificate (or <code>null</code>) + * @see PKIXCertStoreSelector + */ + public PKIXCertStoreSelector getTargetConstraints() + { + return targetConstraints; + } + + public Set getTrustAnchors() + { + return trustAnchors; + } + + public Set getInitialPolicies() + { + return baseParameters.getInitialPolicies(); + } + + public String getSigProvider() + { + return baseParameters.getSigProvider(); + } + + public boolean isExplicitPolicyRequired() + { + return baseParameters.isExplicitPolicyRequired(); + } + + public boolean isAnyPolicyInhibited() + { + return baseParameters.isAnyPolicyInhibited(); + } + + public boolean isPolicyMappingInhibited() + { + return baseParameters.isPolicyMappingInhibited(); + } + + public List getCertPathCheckers() + { + return baseParameters.getCertPathCheckers(); + } + + public List<CertStore> getCertStores() + { + return baseParameters.getCertStores(); + } + + public boolean isRevocationEnabled() + { + return revocationEnabled; + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/EC.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/EC.java index bd83a8a..1266abd 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/EC.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/EC.java @@ -37,12 +37,16 @@ public class EC registerOid(provider, X9ObjectIdentifiers.dhSinglePass_stdDH_sha1kdf_scheme, "EC", new KeyFactorySpi.EC()); // BEGIN android-removed // registerOid(provider, X9ObjectIdentifiers.mqvSinglePass_sha1kdf_scheme, "ECMQV", new KeyFactorySpi.ECMQV()); + // + // // Android comment: the registration below is causing CTS tests to fail and doesn't seem + // // to be implemented by bouncycastle (so looks like an bug in bouncycastle). + // registerOidAlgorithmParameters(provider, X9ObjectIdentifiers.id_ecPublicKey, "EC"); // END android-removed - - registerOidAlgorithmParameters(provider, X9ObjectIdentifiers.id_ecPublicKey, "EC"); // TODO Should this be an alias for ECDH? - registerOidAlgorithmParameters(provider, X9ObjectIdentifiers.dhSinglePass_stdDH_sha1kdf_scheme, "EC"); // BEGIN android-removed + // // Android comment: the registration below is causing CTS tests to fail and doesn't seem + // // to be implemented by bouncycastle (so looks like an bug in bouncycastle). + // registerOidAlgorithmParameters(provider, X9ObjectIdentifiers.dhSinglePass_stdDH_sha1kdf_scheme, "EC"); // registerOidAlgorithmParameters(provider, X9ObjectIdentifiers.mqvSinglePass_sha1kdf_scheme, "EC"); // END android-removed diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/RSA.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/RSA.java index 2265199..d4046f9 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/RSA.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/RSA.java @@ -155,6 +155,12 @@ public class RSA // END android-removed provider.addAlgorithm("Alg.Alias.Signature." + OIWObjectIdentifiers.sha1WithRSA, "SHA1WITHRSA"); provider.addAlgorithm("Alg.Alias.Signature.OID." + OIWObjectIdentifiers.sha1WithRSA, "SHA1WITHRSA"); + + // BEGIN android-removed + // provider.addAlgorithm("Alg.Alias.Signature.SHA1withRSA/X9.31", "SHA1WITHRSA/X9.31"); + // provider.addAlgorithm("Alg.Alias.Signature.SHA1WithRSA/X9.31", "SHA1WITHRSA/X9.31"); + // provider.addAlgorithm("Signature.SHA1WITHRSA/X9.31", PREFIX + "X931SignatureSpi$SHA1WithRSAEncryption"); + // END android-removed } addDigestSignature(provider, "SHA224", PREFIX + "DigestSignatureSpi$SHA224", PKCSObjectIdentifiers.sha224WithRSAEncryption); @@ -163,26 +169,53 @@ public class RSA addDigestSignature(provider, "SHA512", PREFIX + "DigestSignatureSpi$SHA512", PKCSObjectIdentifiers.sha512WithRSAEncryption); // BEGIN android-removed + // provider.addAlgorithm("Alg.Alias.Signature.SHA224withRSA/X9.31", "SHA224WITHRSA/X9.31"); + // provider.addAlgorithm("Alg.Alias.Signature.SHA224WithRSA/X9.31", "SHA224WITHRSA/X9.31"); + // provider.addAlgorithm("Signature.SHA224WITHRSA/X9.31", PREFIX + "X931SignatureSpi$SHA224WithRSAEncryption"); + // provider.addAlgorithm("Alg.Alias.Signature.SHA256withRSA/X9.31", "SHA256WITHRSA/X9.31"); + // provider.addAlgorithm("Alg.Alias.Signature.SHA256WithRSA/X9.31", "SHA256WITHRSA/X9.31"); + // provider.addAlgorithm("Signature.SHA256WITHRSA/X9.31", PREFIX + "X931SignatureSpi$SHA256WithRSAEncryption"); + // provider.addAlgorithm("Alg.Alias.Signature.SHA384withRSA/X9.31", "SHA384WITHRSA/X9.31"); + // provider.addAlgorithm("Alg.Alias.Signature.SHA384WithRSA/X9.31", "SHA384WITHRSA/X9.31"); + // provider.addAlgorithm("Signature.SHA384WITHRSA/X9.31", PREFIX + "X931SignatureSpi$SHA384WithRSAEncryption"); + // provider.addAlgorithm("Alg.Alias.Signature.SHA512withRSA/X9.31", "SHA512WITHRSA/X9.31"); + // provider.addAlgorithm("Alg.Alias.Signature.SHA512WithRSA/X9.31", "SHA512WITHRSA/X9.31"); + // provider.addAlgorithm("Signature.SHA512WITHRSA/X9.31", PREFIX + "X931SignatureSpi$SHA512WithRSAEncryption"); + // // if (provider.hasAlgorithm("MessageDigest", "RIPEMD128")) // { // addDigestSignature(provider, "RIPEMD128", PREFIX + "DigestSignatureSpi$RIPEMD128", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd128); // addDigestSignature(provider, "RMD128", PREFIX + "DigestSignatureSpi$RIPEMD128", null); + // provider.addAlgorithm("Alg.Alias.Signature.RIPEMD128withRSA/X9.31", "RIPEMD128WITHRSA/X9.31"); + // provider.addAlgorithm("Alg.Alias.Signature.RIPEMD128WithRSA/X9.31", "RIPEMD128WITHRSA/X9.31"); + // provider.addAlgorithm("Signature.RIPEMD128WITHRSA/X9.31", PREFIX + "X931SignatureSpi$RIPEMD128WithRSAEncryption"); // } - // + // // if (provider.hasAlgorithm("MessageDigest", "RIPEMD160")) // { // addDigestSignature(provider, "RIPEMD160", PREFIX + "DigestSignatureSpi$RIPEMD160", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd160); // addDigestSignature(provider, "RMD160", PREFIX + "DigestSignatureSpi$RIPEMD160", null); // provider.addAlgorithm("Alg.Alias.Signature.RIPEMD160WithRSA/ISO9796-2", "RIPEMD160withRSA/ISO9796-2"); // provider.addAlgorithm("Signature.RIPEMD160withRSA/ISO9796-2", PREFIX + "ISOSignatureSpi$RIPEMD160WithRSAEncryption"); + // provider.addAlgorithm("Alg.Alias.Signature.RIPEMD160withRSA/X9.31", "RIPEMD160WITHRSA/X9.31"); + // provider.addAlgorithm("Alg.Alias.Signature.RIPEMD160WithRSA/X9.31", "RIPEMD160WITHRSA/X9.31"); + // provider.addAlgorithm("Signature.RIPEMD160WITHRSA/X9.31", PREFIX + "X931SignatureSpi$RIPEMD160WithRSAEncryption"); // } - // + // // if (provider.hasAlgorithm("MessageDigest", "RIPEMD256")) // { // addDigestSignature(provider, "RIPEMD256", PREFIX + "DigestSignatureSpi$RIPEMD256", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd256); // addDigestSignature(provider, "RMD256", PREFIX + "DigestSignatureSpi$RIPEMD256", null); // } - // END android-removed + // + // if (provider.hasAlgorithm("MessageDigest", "WHIRLPOOL")) + // { + // provider.addAlgorithm("Alg.Alias.Signature.WhirlpoolWithRSA/X9.31", "WHIRLPOOLWITHRSA/X9.31"); + // provider.addAlgorithm("Alg.Alias.Signature.WHIRLPOOLwithRSA/X9.31", "WHIRLPOOLWITHRSA/X9.31"); + // provider.addAlgorithm("Alg.Alias.Signature.WHIRLPOOLWithRSA/X9.31", "WHIRLPOOLWITHRSA/X9.31"); + // provider.addAlgorithm("Signature.WHIRLPOOLWITHRSA/X9.31", PREFIX + "X931SignatureSpi$WhirlpoolWithRSAEncryption"); + // } + // END android-removed } private void addDigestSignature( diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dh/AlgorithmParameterGeneratorSpi.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dh/AlgorithmParameterGeneratorSpi.java index 8bdcc55..e4c8172 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dh/AlgorithmParameterGeneratorSpi.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dh/AlgorithmParameterGeneratorSpi.java @@ -10,10 +10,10 @@ import javax.crypto.spec.DHParameterSpec; import org.bouncycastle.crypto.generators.DHParametersGenerator; import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jcajce.provider.asymmetric.util.BaseAlgorithmParameterGeneratorSpi; public class AlgorithmParameterGeneratorSpi - extends java.security.AlgorithmParameterGeneratorSpi + extends BaseAlgorithmParameterGeneratorSpi { protected SecureRandom random; protected int strength = 1024; @@ -63,7 +63,7 @@ public class AlgorithmParameterGeneratorSpi try { - params = AlgorithmParameters.getInstance("DH", BouncyCastleProvider.PROVIDER_NAME); + params = createParametersInstance("DH"); params.init(new DHParameterSpec(p.getP(), p.getG(), l)); } catch (Exception e) diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/AlgorithmParameterGeneratorSpi.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/AlgorithmParameterGeneratorSpi.java index d850e5d..2d7c4c5 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/AlgorithmParameterGeneratorSpi.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/AlgorithmParameterGeneratorSpi.java @@ -11,10 +11,10 @@ import org.bouncycastle.crypto.digests.SHA256Digest; import org.bouncycastle.crypto.generators.DSAParametersGenerator; import org.bouncycastle.crypto.params.DSAParameterGenerationParameters; import org.bouncycastle.crypto.params.DSAParameters; -import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jcajce.provider.asymmetric.util.BaseAlgorithmParameterGeneratorSpi; public class AlgorithmParameterGeneratorSpi - extends java.security.AlgorithmParameterGeneratorSpi + extends BaseAlgorithmParameterGeneratorSpi { protected SecureRandom random; protected int strength = 1024; @@ -90,7 +90,7 @@ public class AlgorithmParameterGeneratorSpi try { - params = AlgorithmParameters.getInstance("DSA", BouncyCastleProvider.PROVIDER_NAME); + params = createParametersInstance("DSA"); params.init(new DSAParameterSpec(p.getP(), p.getQ(), p.getG())); } catch (Exception e) diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/AlgorithmParametersSpi.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/AlgorithmParametersSpi.java index 61fa33c..5722479 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/AlgorithmParametersSpi.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/AlgorithmParametersSpi.java @@ -33,7 +33,6 @@ public class AlgorithmParametersSpi /** * Return the X.509 ASN.1 structure DSAParameter. - * <p/> * <pre> * DSAParameter ::= SEQUENCE { * prime INTEGER, -- p diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/ec/BCECPrivateKey.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/ec/BCECPrivateKey.java index 45d5b08..c9ad445 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/ec/BCECPrivateKey.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/ec/BCECPrivateKey.java @@ -282,7 +282,8 @@ public class BCECPrivateKey */ public byte[] getEncoded() { - X962Parameters params; + X962Parameters params; + int orderBitLength; if (ecSpec instanceof ECNamedCurveSpec) { @@ -293,10 +294,12 @@ public class BCECPrivateKey } params = new X962Parameters(curveOid); + orderBitLength = ECUtil.getOrderBitLength(ecSpec.getOrder(), this.getS()); } else if (ecSpec == null) { params = new X962Parameters(DERNull.INSTANCE); + orderBitLength = ECUtil.getOrderBitLength(null, this.getS()); } else { @@ -310,6 +313,7 @@ public class BCECPrivateKey ecSpec.getCurve().getSeed()); params = new X962Parameters(ecP); + orderBitLength = ECUtil.getOrderBitLength(ecSpec.getOrder(), this.getS()); } PrivateKeyInfo info; @@ -317,11 +321,11 @@ public class BCECPrivateKey if (publicKey != null) { - keyStructure = new org.bouncycastle.asn1.sec.ECPrivateKey(this.getS(), publicKey, params); + keyStructure = new org.bouncycastle.asn1.sec.ECPrivateKey(orderBitLength, this.getS(), publicKey, params); } else { - keyStructure = new org.bouncycastle.asn1.sec.ECPrivateKey(this.getS(), params); + keyStructure = new org.bouncycastle.asn1.sec.ECPrivateKey(orderBitLength, this.getS(), params); } try diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java index dcb9c23..aceb5ee 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java @@ -35,12 +35,16 @@ import org.bouncycastle.crypto.engines.RSABlindedEngine; import org.bouncycastle.crypto.params.ParametersWithRandom; import org.bouncycastle.jcajce.provider.asymmetric.util.BaseCipherSpi; import org.bouncycastle.jcajce.provider.util.DigestFactory; +import org.bouncycastle.jcajce.util.BCJcaJceHelper; +import org.bouncycastle.jcajce.util.JcaJceHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.util.Strings; public class CipherSpi extends BaseCipherSpi { + private final JcaJceHelper helper = new BCJcaJceHelper(); + private AsymmetricBlockCipher cipher; private AlgorithmParameterSpec paramSpec; private AlgorithmParameters engineParams; @@ -145,7 +149,7 @@ public class CipherSpi { try { - engineParams = AlgorithmParameters.getInstance("OAEP", BouncyCastleProvider.PROVIDER_NAME); + engineParams = helper.createAlgorithmParameters("OAEP"); engineParams.init(paramSpec); } catch (Exception e) diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/DigestSignatureSpi.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/DigestSignatureSpi.java index 13f7c93..123ed41 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/DigestSignatureSpi.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/DigestSignatureSpi.java @@ -44,6 +44,7 @@ import org.bouncycastle.crypto.digests.AndroidDigestFactory; // END android-added import org.bouncycastle.crypto.encodings.PKCS1Encoding; import org.bouncycastle.crypto.engines.RSABlindedEngine; +import org.bouncycastle.util.Arrays; public class DigestSignatureSpi extends SignatureSpi @@ -178,13 +179,7 @@ public class DigestSignatureSpi if (sig.length == expected.length) { - for (int i = 0; i < sig.length; i++) - { - if (sig[i] != expected[i]) - { - return false; - } - } + return Arrays.constantTimeAreEqual(sig, expected); } else if (sig.length == expected.length - 2) // NULL left out { @@ -194,28 +189,26 @@ public class DigestSignatureSpi expected[1] -= 2; // adjust lengths expected[3] -= 2; + int nonEqual = 0; + for (int i = 0; i < hash.length; i++) { - if (sig[sigOffset + i] != expected[expectedOffset + i]) // check hash - { - return false; - } + nonEqual |= (sig[sigOffset + i] ^ expected[expectedOffset + i]); } for (int i = 0; i < sigOffset; i++) { - if (sig[i] != expected[i]) // check header less NULL - { - return false; - } + nonEqual |= (sig[i] ^ expected[i]); // check header less NULL } + + return nonEqual == 0; } else { + Arrays.constantTimeAreEqual(expected, expected); // keep time "steady". + return false; } - - return true; } protected void engineSetParameter( diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/KeyPairGeneratorSpi.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/KeyPairGeneratorSpi.java index c61e7cb..f779a66 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/KeyPairGeneratorSpi.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/rsa/KeyPairGeneratorSpi.java @@ -23,7 +23,7 @@ public class KeyPairGeneratorSpi } final static BigInteger defaultPublicExponent = BigInteger.valueOf(0x10001); - final static int defaultTests = 12; + final static int defaultTests = 112; RSAKeyGenerationParameters param; RSAKeyPairGenerator engine; diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/BaseAlgorithmParameterGeneratorSpi.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/BaseAlgorithmParameterGeneratorSpi.java new file mode 100644 index 0000000..d9fb3fb --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/BaseAlgorithmParameterGeneratorSpi.java @@ -0,0 +1,25 @@ +package org.bouncycastle.jcajce.provider.asymmetric.util; + +import java.security.AlgorithmParameterGeneratorSpi; +import java.security.AlgorithmParameters; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; + +import org.bouncycastle.jcajce.util.BCJcaJceHelper; +import org.bouncycastle.jcajce.util.JcaJceHelper; + +public abstract class BaseAlgorithmParameterGeneratorSpi + extends AlgorithmParameterGeneratorSpi +{ + private final JcaJceHelper helper = new BCJcaJceHelper(); + + public BaseAlgorithmParameterGeneratorSpi() + { + } + + protected final AlgorithmParameters createParametersInstance(String algorithm) + throws NoSuchAlgorithmException, NoSuchProviderException + { + return helper.createAlgorithmParameters(algorithm); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/BaseCipherSpi.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/BaseCipherSpi.java index fabad43..5842b9e 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/BaseCipherSpi.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/BaseCipherSpi.java @@ -27,6 +27,8 @@ import javax.crypto.spec.SecretKeySpec; import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; import org.bouncycastle.crypto.InvalidCipherTextException; import org.bouncycastle.crypto.Wrapper; +import org.bouncycastle.jcajce.util.BCJcaJceHelper; +import org.bouncycastle.jcajce.util.JcaJceHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; public abstract class BaseCipherSpi @@ -45,6 +47,7 @@ public abstract class BaseCipherSpi // END android-removed }; + private final JcaJceHelper helper = new BCJcaJceHelper(); protected AlgorithmParameters engineParams = null; @@ -84,6 +87,12 @@ public abstract class BaseCipherSpi return null; } + protected final AlgorithmParameters createParametersInstance(String algorithm) + throws NoSuchAlgorithmException, NoSuchProviderException + { + return helper.createAlgorithmParameters(algorithm); + } + protected void engineSetMode( String mode) throws NoSuchAlgorithmException @@ -190,7 +199,7 @@ public abstract class BaseCipherSpi { try { - KeyFactory kf = KeyFactory.getInstance(wrappedKeyAlgorithm, BouncyCastleProvider.PROVIDER_NAME); + KeyFactory kf = helper.createKeyFactory(wrappedKeyAlgorithm); if (wrappedKeyType == Cipher.PUBLIC_KEY) { @@ -201,17 +210,17 @@ public abstract class BaseCipherSpi return kf.generatePrivate(new PKCS8EncodedKeySpec(encoded)); } } - catch (NoSuchProviderException e) + catch (NoSuchAlgorithmException e) { throw new InvalidKeyException("Unknown key type " + e.getMessage()); } - catch (NoSuchAlgorithmException e) + catch (InvalidKeySpecException e) { throw new InvalidKeyException("Unknown key type " + e.getMessage()); } - catch (InvalidKeySpecException e2) + catch (NoSuchProviderException e) { - throw new InvalidKeyException("Unknown key type " + e2.getMessage()); + throw new InvalidKeyException("Unknown key type " + e.getMessage()); } throw new InvalidKeyException("Unknown key type " + wrappedKeyType); diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/ECUtil.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/ECUtil.java index 06a93e5..b8ef398 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/ECUtil.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/ECUtil.java @@ -1,5 +1,6 @@ package org.bouncycastle.jcajce.provider.asymmetric.util; +import java.math.BigInteger; import java.security.InvalidKeyException; import java.security.PrivateKey; import java.security.PublicKey; @@ -16,6 +17,7 @@ import org.bouncycastle.asn1.sec.SECNamedCurves; // END android-removed import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.asn1.x9.X962NamedCurves; +import org.bouncycastle.asn1.x9.X962Parameters; import org.bouncycastle.asn1.x9.X9ECParameters; import org.bouncycastle.crypto.ec.CustomNamedCurves; import org.bouncycastle.crypto.params.AsymmetricKeyParameter; @@ -218,6 +220,25 @@ public class ECUtil throw new InvalidKeyException("can't identify EC private key."); } + public static int getOrderBitLength(BigInteger order, BigInteger privateValue) + { + if (order == null) // implicitly CA + { + ECParameterSpec implicitCA = BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa(); + + if (implicitCA == null) + { + return privateValue.bitLength(); // a guess but better than an exception! + } + + return implicitCA.getN().bitLength(); + } + else + { + return order.bitLength(); + } + } + public static ASN1ObjectIdentifier getNamedCurveOid( String name) { diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/PEMUtil.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/PEMUtil.java index e4aaf30..8116f29 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/PEMUtil.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/PEMUtil.java @@ -6,7 +6,7 @@ import java.io.InputStream; import org.bouncycastle.asn1.ASN1Sequence; import org.bouncycastle.util.encoders.Base64; -public class PEMUtil +class PEMUtil { private final String _header1; private final String _header2; diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/PKIXCertPath.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/PKIXCertPath.java index 9b14731..8bb4c3a 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/PKIXCertPath.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/PKIXCertPath.java @@ -34,7 +34,8 @@ import org.bouncycastle.asn1.DERSet; import org.bouncycastle.asn1.pkcs.ContentInfo; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.pkcs.SignedData; -import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jcajce.util.BCJcaJceHelper; +import org.bouncycastle.jcajce.util.JcaJceHelper; import org.bouncycastle.util.io.pem.PemObject; // BEGIN android-removed // import org.bouncycastle.util.io.pem.PemWriter; @@ -47,6 +48,8 @@ import org.bouncycastle.util.io.pem.PemObject; public class PKIXCertPath extends CertPath { + private final JcaJceHelper helper = new BCJcaJceHelper(); + static final List certPathEncodings; static @@ -184,7 +187,7 @@ public class PKIXCertPath } Enumeration e = ((ASN1Sequence)derObject).getObjects(); certificates = new ArrayList(); - CertificateFactory certFactory = CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME); + CertificateFactory certFactory = helper.createCertificateFactory("X.509"); while (e.hasMoreElements()) { ASN1Encodable element = (ASN1Encodable)e.nextElement(); @@ -197,7 +200,7 @@ public class PKIXCertPath { inStream = new BufferedInputStream(inStream); certificates = new ArrayList(); - CertificateFactory certFactory= CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME); + CertificateFactory certFactory= helper.createCertificateFactory("X.509"); Certificate cert; while ((cert = certFactory.generateCertificate(inStream)) != null) { @@ -217,7 +220,7 @@ public class PKIXCertPath { throw new CertificateException("BouncyCastle provider not found while trying to get a CertificateFactory:\n" + ex.toString()); } - + this.certificates = sortCerts(certificates); } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLEntryObject.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLEntryObject.java index 32e595c..0b53bd3 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLEntryObject.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLEntryObject.java @@ -23,7 +23,6 @@ import org.bouncycastle.asn1.x509.Extensions; import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.asn1.x509.GeneralNames; import org.bouncycastle.asn1.x509.TBSCertList; -import org.bouncycastle.asn1.x509.X509Extension; /** * The following extensions are listed in RFC 2459 as relevant to CRL Entries @@ -31,7 +30,7 @@ import org.bouncycastle.asn1.x509.X509Extension; * ReasonCode Hode Instruction Code Invalidity Date Certificate Issuer * (critical) */ -public class X509CRLEntryObject extends X509CRLEntry +class X509CRLEntryObject extends X509CRLEntry { private TBSCertList.CRLEntry c; @@ -285,11 +284,11 @@ public class X509CRLEntryObject extends X509CRLEntry buf.append(" critical(").append(ext.isCritical()).append(") "); try { - if (oid.equals(X509Extension.reasonCode)) + if (oid.equals(Extension.reasonCode)) { buf.append(CRLReason.getInstance(ASN1Enumerated.getInstance(dIn.readObject()))).append(nl); } - else if (oid.equals(X509Extension.certificateIssuer)) + else if (oid.equals(Extension.certificateIssuer)) { buf.append("Certificate issuer: ").append(GeneralNames.getInstance(dIn.readObject())).append(nl); } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLObject.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLObject.java index c7d0402..cd877d0 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLObject.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLObject.java @@ -42,7 +42,6 @@ import org.bouncycastle.asn1.x509.IssuingDistributionPoint; import org.bouncycastle.asn1.x509.TBSCertList; import org.bouncycastle.jce.X509Principal; import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.jce.provider.RFC3280CertPathUtilities; import org.bouncycastle.util.encoders.Hex; /** @@ -54,7 +53,7 @@ import org.bouncycastle.util.encoders.Hex; * Delta CRL Indicator (critical) * Issuing Distribution Point (critical) */ -public class X509CRLObject +class X509CRLObject extends X509CRL { private CertificateList c; @@ -120,8 +119,8 @@ public class X509CRLObject return false; } - extns.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT); - extns.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR); + extns.remove(Extension.issuingDistributionPoint.getId()); + extns.remove(Extension.deltaCRLIndicator.getId()); return !extns.isEmpty(); } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CertificateObject.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CertificateObject.java index 6604b4a..3157ea6 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CertificateObject.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CertificateObject.java @@ -9,9 +9,7 @@ import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.Principal; -import java.security.Provider; import java.security.PublicKey; -import java.security.Security; import java.security.Signature; import java.security.SignatureException; import java.security.cert.Certificate; @@ -64,7 +62,6 @@ import org.bouncycastle.jcajce.provider.asymmetric.util.PKCS12BagAttributeCarrie import org.bouncycastle.jce.X509Principal; import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.jce.provider.RFC3280CertPathUtilities; import org.bouncycastle.util.Arrays; import org.bouncycastle.util.Integers; import org.bouncycastle.util.encoders.Hex; @@ -241,37 +238,11 @@ class X509CertificateObject /** * return a more "meaningful" representation for the signature algorithm used in - * the certficate. + * the certificate. */ public String getSigAlgName() { - Provider prov = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME); - - if (prov != null) - { - String algName = prov.getProperty("Alg.Alias.Signature." + this.getSigAlgOID()); - - if (algName != null) - { - return algName; - } - } - - Provider[] provs = Security.getProviders(); - - // - // search every provider looking for a real algorithm - // - for (int i = 0; i != provs.length; i++) - { - String algName = provs[i].getProperty("Alg.Alias.Signature." + this.getSigAlgOID()); - if (algName != null) - { - return algName; - } - } - - return this.getSigAlgOID(); + return X509SignatureUtil.getSignatureName(c.getSignatureAlgorithm()); } /** @@ -525,19 +496,18 @@ class X509CertificateObject while (e.hasMoreElements()) { ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)e.nextElement(); - String oidId = oid.getId(); - - if (oidId.equals(RFC3280CertPathUtilities.KEY_USAGE) - || oidId.equals(RFC3280CertPathUtilities.CERTIFICATE_POLICIES) - || oidId.equals(RFC3280CertPathUtilities.POLICY_MAPPINGS) - || oidId.equals(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY) - || oidId.equals(RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS) - || oidId.equals(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT) - || oidId.equals(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR) - || oidId.equals(RFC3280CertPathUtilities.POLICY_CONSTRAINTS) - || oidId.equals(RFC3280CertPathUtilities.BASIC_CONSTRAINTS) - || oidId.equals(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME) - || oidId.equals(RFC3280CertPathUtilities.NAME_CONSTRAINTS)) + + if (oid.equals(Extension.keyUsage) + || oid.equals(Extension.certificatePolicies) + || oid.equals(Extension.policyMappings) + || oid.equals(Extension.inhibitAnyPolicy) + || oid.equals(Extension.cRLDistributionPoints) + || oid.equals(Extension.issuingDistributionPoint) + || oid.equals(Extension.deltaCRLIndicator) + || oid.equals(Extension.policyConstraints) + || oid.equals(Extension.basicConstraints) + || oid.equals(Extension.subjectAlternativeName) + || oid.equals(Extension.nameConstraints)) { continue; } @@ -786,7 +756,16 @@ class X509CertificateObject InvalidKeyException, NoSuchProviderException, SignatureException { String sigName = X509SignatureUtil.getSignatureName(c.getSignatureAlgorithm()); - Signature signature = Signature.getInstance(sigName, sigProvider); + Signature signature; + + if (sigProvider != null) + { + signature = Signature.getInstance(sigName, sigProvider); + } + else + { + signature = Signature.getInstance(sigName); + } checkSignature(key, signature); } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509SignatureUtil.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509SignatureUtil.java index a6959ba..61b0545 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509SignatureUtil.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509SignatureUtil.java @@ -5,6 +5,8 @@ import java.security.AlgorithmParameters; import java.security.GeneralSecurityException; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; +import java.security.Provider; +import java.security.Security; import java.security.Signature; import java.security.SignatureException; import java.security.spec.PSSParameterSpec; @@ -26,6 +28,7 @@ import org.bouncycastle.asn1.pkcs.RSASSAPSSparams; // END android-removed import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.jce.provider.BouncyCastleProvider; class X509SignatureUtil { @@ -84,6 +87,32 @@ class X509SignatureUtil } } + Provider prov = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME); + + if (prov != null) + { + String algName = prov.getProperty("Alg.Alias.Signature." + sigAlgId.getAlgorithm().getId()); + + if (algName != null) + { + return algName; + } + } + + Provider[] provs = Security.getProviders(); + + // + // search every provider looking for a real algorithm + // + for (int i = 0; i != provs.length; i++) + { + String algName = provs[i].getProperty("Alg.Alias.Signature." + sigAlgId.getAlgorithm().getId()); + if (algName != null) + { + return algName; + } + } + return sigAlgId.getAlgorithm().getId(); } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/config/PKCS12StoreParameter.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/config/PKCS12StoreParameter.java index 36a32b1..7d0b203 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/config/PKCS12StoreParameter.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/config/PKCS12StoreParameter.java @@ -2,50 +2,31 @@ package org.bouncycastle.jcajce.provider.config; import java.io.OutputStream; import java.security.KeyStore; -import java.security.KeyStore.LoadStoreParameter; import java.security.KeyStore.ProtectionParameter; +/** + * @deprecated use org.bouncycastle.jcajce.PKCS12StoreParameter + */ public class PKCS12StoreParameter - implements LoadStoreParameter + extends org.bouncycastle.jcajce.PKCS12StoreParameter { - private final OutputStream out; - private final ProtectionParameter protectionParameter; - private final boolean forDEREncoding; - public PKCS12StoreParameter(OutputStream out, char[] password) { - this(out, password, false); + super(out, password, false); } public PKCS12StoreParameter(OutputStream out, ProtectionParameter protectionParameter) { - this(out, protectionParameter, false); + super(out, protectionParameter, false); } public PKCS12StoreParameter(OutputStream out, char[] password, boolean forDEREncoding) { - this(out, new KeyStore.PasswordProtection(password), forDEREncoding); + super(out, new KeyStore.PasswordProtection(password), forDEREncoding); } public PKCS12StoreParameter(OutputStream out, ProtectionParameter protectionParameter, boolean forDEREncoding) { - this.out = out; - this.protectionParameter = protectionParameter; - this.forDEREncoding = forDEREncoding; - } - - public OutputStream getOutputStream() - { - return out; - } - - public ProtectionParameter getProtectionParameter() - { - return protectionParameter; - } - - public boolean isForDEREncoding() - { - return forDEREncoding; + super(out, protectionParameter, forDEREncoding); } } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/keystore/bc/BcKeyStoreSpi.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/keystore/bc/BcKeyStoreSpi.java index ea89261..0640669 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/keystore/bc/BcKeyStoreSpi.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/keystore/bc/BcKeyStoreSpi.java @@ -14,8 +14,10 @@ import java.security.KeyStoreSpi; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.PrivateKey; +import java.security.Provider; import java.security.PublicKey; import java.security.SecureRandom; +import java.security.Security; import java.security.UnrecoverableKeyException; import java.security.cert.Certificate; import java.security.cert.CertificateEncodingException; @@ -46,6 +48,8 @@ import org.bouncycastle.crypto.io.DigestOutputStream; import org.bouncycastle.crypto.io.MacInputStream; import org.bouncycastle.crypto.io.MacOutputStream; import org.bouncycastle.crypto.macs.HMac; +import org.bouncycastle.jcajce.util.BCJcaJceHelper; +import org.bouncycastle.jcajce.util.JcaJceHelper; import org.bouncycastle.jce.interfaces.BCKeyStore; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.util.Arrays; @@ -88,6 +92,8 @@ public class BcKeyStoreSpi protected int version; + private final JcaJceHelper helper = new BCJcaJceHelper(); + public BcKeyStoreSpi(int version) { this.version = version; @@ -361,7 +367,7 @@ public class BcKeyStoreSpi try { - CertificateFactory cFact = CertificateFactory.getInstance(type, BouncyCastleProvider.PROVIDER_NAME); + CertificateFactory cFact = helper.createCertificateFactory(type); ByteArrayInputStream bIn = new ByteArrayInputStream(cEnc); return cFact.generateCertificate(bIn); @@ -436,11 +442,11 @@ public class BcKeyStoreSpi switch (keyType) { case KEY_PRIVATE: - return KeyFactory.getInstance(algorithm, BouncyCastleProvider.PROVIDER_NAME).generatePrivate(spec); + return helper.createKeyFactory(algorithm).generatePrivate(spec); case KEY_PUBLIC: - return KeyFactory.getInstance(algorithm, BouncyCastleProvider.PROVIDER_NAME).generatePublic(spec); + return helper.createKeyFactory(algorithm).generatePublic(spec); case KEY_SECRET: - return SecretKeyFactory.getInstance(algorithm, BouncyCastleProvider.PROVIDER_NAME).generateSecret(spec); + return helper.createSecretKeyFactory(algorithm).generateSecret(spec); default: throw new IOException("Key type " + keyType + " not recognised!"); } @@ -462,10 +468,10 @@ public class BcKeyStoreSpi try { PBEKeySpec pbeSpec = new PBEKeySpec(password); - SecretKeyFactory keyFact = SecretKeyFactory.getInstance(algorithm, BouncyCastleProvider.PROVIDER_NAME); + SecretKeyFactory keyFact = helper.createSecretKeyFactory(algorithm); PBEParameterSpec defParams = new PBEParameterSpec(salt, iterationCount); - Cipher cipher = Cipher.getInstance(algorithm, BouncyCastleProvider.PROVIDER_NAME); + Cipher cipher = helper.createCipher(algorithm); cipher.init(mode, keyFact.generateSecret(pbeSpec), defParams); @@ -1041,6 +1047,18 @@ public class BcKeyStoreSpi } } + static Provider getBouncyCastleProvider() + { + if (Security.getProvider("BC") != null) + { + return Security.getProvider("BC"); + } + else + { + return new BouncyCastleProvider(); + } + } + public static class Std extends BcKeyStoreSpi { diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java index f986734..53548f0 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java @@ -15,6 +15,7 @@ import java.security.KeyStore.ProtectionParameter; import java.security.KeyStoreException; import java.security.KeyStoreSpi; import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; import java.security.Principal; import java.security.PrivateKey; import java.security.Provider; @@ -88,12 +89,14 @@ import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.asn1.x509.X509ObjectIdentifiers; import org.bouncycastle.crypto.Digest; import org.bouncycastle.crypto.digests.SHA1Digest; -import org.bouncycastle.jcajce.provider.config.PKCS12StoreParameter; +import org.bouncycastle.jcajce.PKCS12StoreParameter; import org.bouncycastle.jcajce.provider.symmetric.util.BCPBEKey; // BEGIN android-removed // import org.bouncycastle.jcajce.spec.GOST28147ParameterSpec; // END android-removed import org.bouncycastle.jcajce.spec.PBKDF2KeySpec; +import org.bouncycastle.jcajce.util.BCJcaJceHelper; +import org.bouncycastle.jcajce.util.JcaJceHelper; import org.bouncycastle.jce.interfaces.BCKeyStore; import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; import org.bouncycastle.jce.provider.BouncyCastleProvider; @@ -107,10 +110,11 @@ public class PKCS12KeyStoreSpi extends KeyStoreSpi implements PKCSObjectIdentifiers, X509ObjectIdentifiers, BCKeyStore { + private final JcaJceHelper helper = new BCJcaJceHelper(); + private static final int SALT_SIZE = 20; private static final int MIN_ITERATIONS = 1024; - private static final Provider bcProvider = new BouncyCastleProvider(); private static final DefaultSecretKeyProvider keySizeProvider = new DefaultSecretKeyProvider(); private IgnoresCaseHashtable keys = new IgnoresCaseHashtable(); @@ -605,8 +609,8 @@ public class PKCS12KeyStoreSpi PBEKeySpec pbeSpec = new PBEKeySpec(password); PrivateKey out; - SecretKeyFactory keyFact = SecretKeyFactory.getInstance( - algorithm.getId(), bcProvider); + SecretKeyFactory keyFact = helper.createSecretKeyFactory( + algorithm.getId()); PBEParameterSpec defParams = new PBEParameterSpec( pbeParams.getIV(), pbeParams.getIterations().intValue()); @@ -615,7 +619,7 @@ public class PKCS12KeyStoreSpi ((BCPBEKey)k).setTryWrongPKCS12Zero(wrongPKCS12Zero); - Cipher cipher = Cipher.getInstance(algorithm.getId(), bcProvider); + Cipher cipher = helper.createCipher(algorithm.getId()); cipher.init(Cipher.UNWRAP_MODE, k, defParams); @@ -651,13 +655,12 @@ public class PKCS12KeyStoreSpi try { - SecretKeyFactory keyFact = SecretKeyFactory.getInstance( - algorithm, bcProvider); + SecretKeyFactory keyFact = helper.createSecretKeyFactory(algorithm); PBEParameterSpec defParams = new PBEParameterSpec( pbeParams.getIV(), pbeParams.getIterations().intValue()); - Cipher cipher = Cipher.getInstance(algorithm, bcProvider); + Cipher cipher = helper.createCipher(algorithm); cipher.init(Cipher.WRAP_MODE, keyFact.generateSecret(pbeSpec), defParams); @@ -689,7 +692,7 @@ public class PKCS12KeyStoreSpi try { - SecretKeyFactory keyFact = SecretKeyFactory.getInstance(algorithm.getId(), bcProvider); + SecretKeyFactory keyFact = helper.createSecretKeyFactory(algorithm.getId()); PBEParameterSpec defParams = new PBEParameterSpec( pbeParams.getIV(), pbeParams.getIterations().intValue()); @@ -697,7 +700,7 @@ public class PKCS12KeyStoreSpi key.setTryWrongPKCS12Zero(wrongPKCS12Zero); - Cipher cipher = Cipher.getInstance(algorithm.getId(), bcProvider); + Cipher cipher = helper.createCipher(algorithm.getId()); cipher.init(mode, key, defParams); return cipher.doFinal(data); @@ -727,13 +730,13 @@ public class PKCS12KeyStoreSpi } private Cipher createCipher(int mode, char[] password, AlgorithmIdentifier algId) - throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException + throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, NoSuchProviderException { PBES2Parameters alg = PBES2Parameters.getInstance(algId.getParameters()); PBKDF2Params func = PBKDF2Params.getInstance(alg.getKeyDerivationFunc().getParameters()); AlgorithmIdentifier encScheme = AlgorithmIdentifier.getInstance(alg.getEncryptionScheme()); - SecretKeyFactory keyFact = SecretKeyFactory.getInstance(alg.getKeyDerivationFunc().getAlgorithm().getId(), bcProvider); + SecretKeyFactory keyFact = helper.createSecretKeyFactory(alg.getKeyDerivationFunc().getAlgorithm().getId()); SecretKey key; if (func.isDefaultPrf()) @@ -1654,7 +1657,7 @@ public class PKCS12KeyStoreSpi asn1Out.writeObject(pfx); } - private static byte[] calculatePbeMac( + private byte[] calculatePbeMac( ASN1ObjectIdentifier oid, byte[] salt, int itCount, @@ -1663,13 +1666,13 @@ public class PKCS12KeyStoreSpi byte[] data) throws Exception { - SecretKeyFactory keyFact = SecretKeyFactory.getInstance(oid.getId(), bcProvider); + SecretKeyFactory keyFact = helper.createSecretKeyFactory(oid.getId()); PBEParameterSpec defParams = new PBEParameterSpec(salt, itCount); PBEKeySpec pbeSpec = new PBEKeySpec(password); BCPBEKey key = (BCPBEKey)keyFact.generateSecret(pbeSpec); key.setTryWrongPKCS12Zero(wrongPkcs12Zero); - Mac mac = Mac.getInstance(oid.getId(), bcProvider); + Mac mac = helper.createMac(oid.getId()); mac.init(key, defParams); mac.update(data); return mac.doFinal(); @@ -1680,20 +1683,19 @@ public class PKCS12KeyStoreSpi { public BCPKCS12KeyStore() { - super(bcProvider, pbeWithSHAAnd3_KeyTripleDES_CBC, pbeWithSHAAnd40BitRC2_CBC); + super(new BouncyCastleProvider(), pbeWithSHAAnd3_KeyTripleDES_CBC, pbeWithSHAAnd40BitRC2_CBC); } } - // BEGIN android-removed // public static class BCPKCS12KeyStore3DES // extends PKCS12KeyStoreSpi // { // public BCPKCS12KeyStore3DES() // { - // super(bcProvider, pbeWithSHAAnd3_KeyTripleDES_CBC, pbeWithSHAAnd3_KeyTripleDES_CBC); + // super(new BouncyCastleProvider(), pbeWithSHAAnd3_KeyTripleDES_CBC, pbeWithSHAAnd3_KeyTripleDES_CBC); // } // } - // + // // public static class DefPKCS12KeyStore // extends PKCS12KeyStoreSpi // { @@ -1702,7 +1704,7 @@ public class PKCS12KeyStoreSpi // super(null, pbeWithSHAAnd3_KeyTripleDES_CBC, pbeWithSHAAnd40BitRC2_CBC); // } // } - // + // // public static class DefPKCS12KeyStore3DES // extends PKCS12KeyStoreSpi // { diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/AES.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/AES.java index 55f5ace..630a3ca 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/AES.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/AES.java @@ -16,6 +16,9 @@ import java.security.spec.InvalidParameterSpecException; // END android-removed import org.bouncycastle.asn1.bc.BCObjectIdentifiers; +// BEGIN android-removed +// import org.bouncycastle.asn1.cms.CCMParameters; +// END android-removed import org.bouncycastle.asn1.cms.GCMParameters; import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; import org.bouncycastle.crypto.BlockCipher; @@ -31,6 +34,9 @@ import org.bouncycastle.crypto.engines.AESWrapEngine; // import org.bouncycastle.crypto.macs.GMac; // END android-removed import org.bouncycastle.crypto.modes.CBCBlockCipher; +// BEGIN android-removed +// import org.bouncycastle.crypto.modes.CCMBlockCipher; +// END android-removed import org.bouncycastle.crypto.modes.CFBBlockCipher; import org.bouncycastle.crypto.modes.GCMBlockCipher; import org.bouncycastle.crypto.modes.OFBBlockCipher; @@ -48,9 +54,6 @@ import org.bouncycastle.jcajce.provider.symmetric.util.BaseWrapCipher; import org.bouncycastle.jcajce.provider.symmetric.util.BlockCipherProvider; import org.bouncycastle.jcajce.provider.symmetric.util.IvAlgorithmParameters; import org.bouncycastle.jcajce.provider.symmetric.util.PBESecretKeyFactory; -// BEGIN android-removed -// import org.bouncycastle.jce.provider.BouncyCastleProvider; -// END android-removed import org.bouncycastle.util.Integers; public final class AES @@ -113,6 +116,15 @@ public final class AES } // BEGIN android-removed + // static public class CCM + // extends BaseBlockCipher + // { + // public CCM() + // { + // super(new CCMBlockCipher(new AESFastEngine())); + // } + // } + // // public static class AESCMAC // extends BaseMac // { @@ -369,7 +381,7 @@ public final class AES // // try // { - // params = AlgorithmParameters.getInstance("AES", BouncyCastleProvider.PROVIDER_NAME); + // params = createParametersInstance("AES"); // params.init(new IvParameterSpec(iv)); // } // catch (Exception e) @@ -380,6 +392,82 @@ public final class AES // return params; // } // } + // + // public static class AlgParamGenCCM + // extends BaseAlgorithmParameterGenerator + // { + // protected void engineInit( + // AlgorithmParameterSpec genParamSpec, + // SecureRandom random) + // throws InvalidAlgorithmParameterException + // { + // throw new InvalidAlgorithmParameterException("No supported AlgorithmParameterSpec for AES parameter generation."); + // } + // + // protected AlgorithmParameters engineGenerateParameters() + // { + // byte[] iv = new byte[12]; + // + // if (random == null) + // { + // random = new SecureRandom(); + // } + // + // random.nextBytes(iv); + // + // AlgorithmParameters params; + // + // try + // { + // params = createParametersInstance("CCM"); + // params.init(new CCMParameters(iv, 12).getEncoded()); + // } + // catch (Exception e) + // { + // throw new RuntimeException(e.getMessage()); + // } + // + // return params; + // } + // } + // + // public static class AlgParamGenGCM + // extends BaseAlgorithmParameterGenerator + // { + // protected void engineInit( + // AlgorithmParameterSpec genParamSpec, + // SecureRandom random) + // throws InvalidAlgorithmParameterException + // { + // throw new InvalidAlgorithmParameterException("No supported AlgorithmParameterSpec for AES parameter generation."); + // } + // + // protected AlgorithmParameters engineGenerateParameters() + // { + // byte[] nonce = new byte[12]; + // + // if (random == null) + // { + // random = new SecureRandom(); + // } + // + // random.nextBytes(nonce); + // + // AlgorithmParameters params; + // + // try + // { + // params = createParametersInstance("GCM"); + // params.init(new GCMParameters(nonce, 12).getEncoded()); + // } + // catch (Exception e) + // { + // throw new RuntimeException(e.getMessage()); + // } + // + // return params; + // } + // } // END android-removed public static class AlgParams @@ -406,8 +494,7 @@ public final class AES Method tLen = gcmSpecClass.getDeclaredMethod("getTLen", new Class[0]); Method iv= gcmSpecClass.getDeclaredMethod("getIV", new Class[0]); - - gcmParams = new GCMParameters((byte[])iv.invoke(paramSpec, new Object[0]), ((Integer)tLen.invoke(paramSpec, new Object[0])).intValue()); + gcmParams = new GCMParameters((byte[])iv.invoke(paramSpec, new Object[0]), ((Integer)tLen.invoke(paramSpec, new Object[0])).intValue() / 8); } catch (Exception e) { @@ -464,7 +551,7 @@ public final class AES { Constructor constructor = gcmSpecClass.getConstructor(new Class[] { Integer.TYPE, byte[].class }); - return (AlgorithmParameterSpec)constructor.newInstance(new Object[] { Integers.valueOf(gcmParams.getIcvLen()), gcmParams.getNonce() }); + return (AlgorithmParameterSpec)constructor.newInstance(new Object[] { Integers.valueOf(gcmParams.getIcvLen() * 8), gcmParams.getNonce() }); } catch (NoSuchMethodException e) { @@ -480,6 +567,83 @@ public final class AES } } + // BEGIN android-removed + // public static class AlgParamsCCM + // extends BaseAlgorithmParameters + // { + // private CCMParameters ccmParams; + // + // protected void engineInit(AlgorithmParameterSpec paramSpec) + // throws InvalidParameterSpecException + // { + // throw new InvalidParameterSpecException("No supported AlgorithmParameterSpec for AES parameter generation."); + // } + // + // protected void engineInit(byte[] params) + // throws IOException + // { + // ccmParams = CCMParameters.getInstance(params); + // } + // + // protected void engineInit(byte[] params, String format) + // throws IOException + // { + // if (!isASN1FormatString(format)) + // { + // throw new IOException("unknown format specified"); + // } + // + // ccmParams = CCMParameters.getInstance(params); + // } + // + // protected byte[] engineGetEncoded() + // throws IOException + // { + // return ccmParams.getEncoded(); + // } + // + // protected byte[] engineGetEncoded(String format) + // throws IOException + // { + // if (!isASN1FormatString(format)) + // { + // throw new IOException("unknown format specified"); + // } + // + // return ccmParams.getEncoded(); + // } + // + // protected String engineToString() + // { + // return "CCM"; + // } + // + // protected AlgorithmParameterSpec localEngineGetParameterSpec(Class paramSpec) + // throws InvalidParameterSpecException + // { + // if (gcmSpecClass != null) + // { + // try + // { + // Constructor constructor = gcmSpecClass.getConstructor(new Class[] { Integer.TYPE, byte[].class }); + // + // return (AlgorithmParameterSpec)constructor.newInstance(new Object[] { Integers.valueOf(ccmParams.getIcvLen() * 8), ccmParams.getNonce() }); + // } + // catch (NoSuchMethodException e) + // { + // throw new InvalidParameterSpecException("no constructor found!"); // should never happen + // } + // catch (Exception e) + // { + // throw new InvalidParameterSpecException("construction failed: " + e.getMessage()); // should never happen + // } + // } + // + // throw new InvalidParameterSpecException("unknown parameter spec: " + paramSpec.getName()); + // } + // } + // END android-removed + public static class Mappings extends SymmetricAlgorithmProvider { @@ -512,8 +676,12 @@ public final class AES provider.addAlgorithm("Alg.Alias.AlgorithmParameters." + NISTObjectIdentifiers.id_aes128_GCM, "GCM"); provider.addAlgorithm("Alg.Alias.AlgorithmParameters." + NISTObjectIdentifiers.id_aes192_GCM, "GCM"); provider.addAlgorithm("Alg.Alias.AlgorithmParameters." + NISTObjectIdentifiers.id_aes256_GCM, "GCM"); - // BEGIN android-removed + // provider.addAlgorithm("AlgorithmParameters.CCM", PREFIX + "$AlgParamsCCM"); + // provider.addAlgorithm("Alg.Alias.AlgorithmParameters." + NISTObjectIdentifiers.id_aes128_CCM, "CCM"); + // provider.addAlgorithm("Alg.Alias.AlgorithmParameters." + NISTObjectIdentifiers.id_aes192_CCM, "CCM"); + // provider.addAlgorithm("Alg.Alias.AlgorithmParameters." + NISTObjectIdentifiers.id_aes256_CCM, "CCM"); + // // provider.addAlgorithm("AlgorithmParameterGenerator.AES", PREFIX + "$AlgParamGen"); // provider.addAlgorithm("Alg.Alias.AlgorithmParameterGenerator." + wrongAES128, "AES"); // provider.addAlgorithm("Alg.Alias.AlgorithmParameterGenerator." + wrongAES192, "AES"); @@ -549,6 +717,21 @@ public final class AES // BEGIN android-removed // provider.addAlgorithm("Cipher.AESRFC3211WRAP", PREFIX + "$RFC3211Wrap"); // provider.addAlgorithm("Cipher.AESRFC5649WRAP", PREFIX + "$RFC5649Wrap"); + // + // provider.addAlgorithm("AlgorithmParameterGenerator.CCM", PREFIX + "$AlgParamGenCCM"); + // provider.addAlgorithm("Alg.Alias.AlgorithmParameterGenerator." + NISTObjectIdentifiers.id_aes128_CCM, "CCM"); + // provider.addAlgorithm("Alg.Alias.AlgorithmParameterGenerator." + NISTObjectIdentifiers.id_aes192_CCM, "CCM"); + // provider.addAlgorithm("Alg.Alias.AlgorithmParameterGenerator." + NISTObjectIdentifiers.id_aes256_CCM, "CCM"); + // + // provider.addAlgorithm("Cipher.CCM", PREFIX + "$CCM"); + // provider.addAlgorithm("Alg.Alias.Cipher." + NISTObjectIdentifiers.id_aes128_CCM, "CCM"); + // provider.addAlgorithm("Alg.Alias.Cipher." + NISTObjectIdentifiers.id_aes192_CCM, "CCM"); + // provider.addAlgorithm("Alg.Alias.Cipher." + NISTObjectIdentifiers.id_aes256_CCM, "CCM"); + // + // provider.addAlgorithm("AlgorithmParameterGenerator.GCM", PREFIX + "$AlgParamGenGCM"); + // provider.addAlgorithm("Alg.Alias.AlgorithmParameterGenerator." + NISTObjectIdentifiers.id_aes128_GCM, "GCM"); + // provider.addAlgorithm("Alg.Alias.AlgorithmParameterGenerator." + NISTObjectIdentifiers.id_aes192_GCM, "GCM"); + // provider.addAlgorithm("Alg.Alias.AlgorithmParameterGenerator." + NISTObjectIdentifiers.id_aes256_GCM, "GCM"); // END android-removed provider.addAlgorithm("Cipher.GCM", PREFIX + "$GCM"); @@ -577,7 +760,13 @@ public final class AES // provider.addAlgorithm("KeyGenerator." + NISTObjectIdentifiers.id_aes128_wrap, PREFIX + "$KeyGen128"); // provider.addAlgorithm("KeyGenerator." + NISTObjectIdentifiers.id_aes192_wrap, PREFIX + "$KeyGen192"); // provider.addAlgorithm("KeyGenerator." + NISTObjectIdentifiers.id_aes256_wrap, PREFIX + "$KeyGen256"); - // + // provider.addAlgorithm("KeyGenerator." + NISTObjectIdentifiers.id_aes128_GCM, PREFIX + "$KeyGen128"); + // provider.addAlgorithm("KeyGenerator." + NISTObjectIdentifiers.id_aes192_GCM, PREFIX + "$KeyGen192"); + // provider.addAlgorithm("KeyGenerator." + NISTObjectIdentifiers.id_aes256_GCM, PREFIX + "$KeyGen256"); + // provider.addAlgorithm("KeyGenerator." + NISTObjectIdentifiers.id_aes128_CCM, PREFIX + "$KeyGen128"); + // provider.addAlgorithm("KeyGenerator." + NISTObjectIdentifiers.id_aes192_CCM, PREFIX + "$KeyGen192"); + // provider.addAlgorithm("KeyGenerator." + NISTObjectIdentifiers.id_aes256_CCM, PREFIX + "$KeyGen256"); + // // provider.addAlgorithm("Mac.AESCMAC", PREFIX + "$AESCMAC"); // END android-removed diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/DES.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/DES.java index 6d5c5e8..b4c7c06 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/DES.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/DES.java @@ -44,7 +44,6 @@ import org.bouncycastle.jcajce.provider.symmetric.util.BaseSecretKeyFactory; import org.bouncycastle.jcajce.provider.symmetric.util.BaseWrapCipher; import org.bouncycastle.jcajce.provider.symmetric.util.PBE; import org.bouncycastle.jcajce.provider.util.AlgorithmProvider; -import org.bouncycastle.jce.provider.BouncyCastleProvider; public final class DES { @@ -187,7 +186,7 @@ public final class DES try { - params = AlgorithmParameters.getInstance("DES", BouncyCastleProvider.PROVIDER_NAME); + params = createParametersInstance("DES"); params.init(new IvParameterSpec(iv)); } catch (Exception e) diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/DESede.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/DESede.java index 6b9b6d6..7b3addd 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/DESede.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/DESede.java @@ -43,7 +43,6 @@ import org.bouncycastle.jcajce.provider.symmetric.util.BaseMac; import org.bouncycastle.jcajce.provider.symmetric.util.BaseSecretKeyFactory; import org.bouncycastle.jcajce.provider.symmetric.util.BaseWrapCipher; import org.bouncycastle.jcajce.provider.util.AlgorithmProvider; -import org.bouncycastle.jce.provider.BouncyCastleProvider; public final class DESede { @@ -270,30 +269,30 @@ public final class DESede // { // throw new InvalidAlgorithmParameterException("No supported AlgorithmParameterSpec for DES parameter generation."); // } - // + // protected AlgorithmParameters engineGenerateParameters() // { // byte[] iv = new byte[8]; - // + // if (random == null) // { // random = new SecureRandom(); // } - // + // random.nextBytes(iv); - // + // AlgorithmParameters params; - // + // try // { - // params = AlgorithmParameters.getInstance("DES", BouncyCastleProvider.PROVIDER_NAME); + // params = createParametersInstance("DES"); // params.init(new IvParameterSpec(iv)); // } // catch (Exception e) // { // throw new RuntimeException(e.getMessage()); // } - // + // return params; // } // } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/RC2.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/RC2.java index 09426b2..4056aa7 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/RC2.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/RC2.java @@ -36,10 +36,7 @@ import org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher; // END android-removed import org.bouncycastle.jcajce.provider.symmetric.util.PBESecretKeyFactory; import org.bouncycastle.jcajce.provider.util.AlgorithmProvider; -import org.bouncycastle.jce.provider.BouncyCastleProvider; -// BEGIN android-removed -// import org.bouncycastle.util.Arrays; -// END android-removed +import org.bouncycastle.util.Arrays; public final class RC2 { @@ -218,7 +215,7 @@ public final class RC2 // extends BaseAlgorithmParameterGenerator // { // RC2ParameterSpec spec = null; - // + // // protected void engineInit( // AlgorithmParameterSpec genParamSpec, // SecureRandom random) @@ -229,28 +226,28 @@ public final class RC2 // spec = (RC2ParameterSpec)genParamSpec; // return; // } - // + // // throw new InvalidAlgorithmParameterException("No supported AlgorithmParameterSpec for RC2 parameter generation."); // } - // + // // protected AlgorithmParameters engineGenerateParameters() // { // AlgorithmParameters params; - // + // // if (spec == null) // { // byte[] iv = new byte[8]; - // + // // if (random == null) // { // random = new SecureRandom(); // } - // + // // random.nextBytes(iv); - // + // // try // { - // params = AlgorithmParameters.getInstance("RC2", BouncyCastleProvider.PROVIDER_NAME); + // params = createParametersInstance("RC2"); // params.init(new IvParameterSpec(iv)); // } // catch (Exception e) @@ -262,7 +259,7 @@ public final class RC2 // { // try // { - // params = AlgorithmParameters.getInstance("RC2", BouncyCastleProvider.PROVIDER_NAME); + // params = createParametersInstance("RC2"); // params.init(spec); // } // catch (Exception e) @@ -270,11 +267,11 @@ public final class RC2 // throw new RuntimeException(e.getMessage()); // } // } - // + // // return params; // } // } - // + // // public static class KeyGenerator // extends BaseKeyGenerator // { @@ -283,7 +280,7 @@ public final class RC2 // super("RC2", 128, new CipherKeyGenerator()); // } // } - // + // // public static class AlgParams // extends BaseAlgorithmParameters // { @@ -305,7 +302,7 @@ public final class RC2 // 0x64, 0x6d, 0x7a, 0xd4, 0x10, 0x81, 0x44, 0xef, 0x49, 0xd6, 0xae, 0x2e, 0xdd, 0x76, 0x5c, 0x2f, // 0xa7, 0x1c, 0xc9, 0x09, 0x69, 0x9a, 0x83, 0xcf, 0x29, 0x39, 0xb9, 0xe9, 0x4c, 0xff, 0x43, 0xab // }; - // + // // private static final short[] ekb = { // 0x5d, 0xbe, 0x9b, 0x8b, 0x11, 0x99, 0x6e, 0x4d, 0x59, 0xf3, 0x85, 0xa6, 0x3f, 0xb7, 0x83, 0xc5, // 0xe4, 0x73, 0x6b, 0x3a, 0x68, 0x5a, 0xc0, 0x47, 0xa0, 0x64, 0x34, 0x0c, 0xf1, 0xd0, 0x52, 0xa5, @@ -324,15 +321,15 @@ public final class RC2 // 0xbd, 0x22, 0xbf, 0x9f, 0x7e, 0xa9, 0x51, 0x4b, 0x4c, 0xfb, 0x02, 0xd3, 0x70, 0x86, 0x31, 0xe7, // 0x3b, 0x05, 0x03, 0x54, 0x60, 0x48, 0x65, 0x18, 0xd2, 0xcd, 0x5f, 0x32, 0x88, 0x0e, 0x35, 0xfd // }; - // + // // private byte[] iv; // private int parameterVersion = 58; - // + // // protected byte[] engineGetEncoded() // { // return Arrays.clone(iv); // } - // + // // protected byte[] engineGetEncoded( // String format) // throws IOException @@ -348,15 +345,15 @@ public final class RC2 // return new RC2CBCParameter(parameterVersion, engineGetEncoded()).getEncoded(); // } // } - // + // // if (format.equals("RAW")) // { // return engineGetEncoded(); // } - // + // // return null; // } - // + // // protected AlgorithmParameterSpec localEngineGetParameterSpec( // Class paramSpec) // throws InvalidParameterSpecException @@ -375,15 +372,15 @@ public final class RC2 // } // } // } - // + // // if (paramSpec == IvParameterSpec.class) // { // return new IvParameterSpec(iv); // } - // + // // throw new InvalidParameterSpecException("unknown parameter spec passed to RC2 parameters object."); // } - // + // // protected void engineInit( // AlgorithmParameterSpec paramSpec) // throws InvalidParameterSpecException @@ -406,7 +403,7 @@ public final class RC2 // parameterVersion = effKeyBits; // } // } - // + // // this.iv = ((RC2ParameterSpec)paramSpec).getIV(); // } // else @@ -414,14 +411,14 @@ public final class RC2 // throw new InvalidParameterSpecException("IvParameterSpec or RC2ParameterSpec required to initialise a RC2 parameters algorithm parameters object"); // } // } - // + // // protected void engineInit( // byte[] params) // throws IOException // { // this.iv = Arrays.clone(params); // } - // + // // protected void engineInit( // byte[] params, // String format) @@ -430,26 +427,26 @@ public final class RC2 // if (this.isASN1FormatString(format)) // { // RC2CBCParameter p = RC2CBCParameter.getInstance(ASN1Primitive.fromByteArray(params)); - // + // // if (p.getRC2ParameterVersion() != null) // { // parameterVersion = p.getRC2ParameterVersion().intValue(); // } - // + // // iv = p.getIV(); - // + // // return; // } - // + // // if (format.equals("RAW")) // { // engineInit(params); // return; // } - // + // // throw new IOException("Unknown parameters format in IV parameters object"); // } - // + // // protected String engineToString() // { // return "RC2 Parameters"; diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseAlgorithmParameterGenerator.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseAlgorithmParameterGenerator.java index 63d6548..296d692 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseAlgorithmParameterGenerator.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseAlgorithmParameterGenerator.java @@ -1,14 +1,32 @@ package org.bouncycastle.jcajce.provider.symmetric.util; import java.security.AlgorithmParameterGeneratorSpi; +import java.security.AlgorithmParameters; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; import java.security.SecureRandom; +import org.bouncycastle.jcajce.util.BCJcaJceHelper; +import org.bouncycastle.jcajce.util.JcaJceHelper; + public abstract class BaseAlgorithmParameterGenerator extends AlgorithmParameterGeneratorSpi { + private final JcaJceHelper helper = new BCJcaJceHelper(); + protected SecureRandom random; protected int strength = 1024; + public BaseAlgorithmParameterGenerator() + { + } + + protected final AlgorithmParameters createParametersInstance(String algorithm) + throws NoSuchAlgorithmException, NoSuchProviderException + { + return helper.createAlgorithmParameters(algorithm); + } + protected void engineInit( int strength, SecureRandom random) diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseBlockCipher.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseBlockCipher.java index faf31b3..0e933b7 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseBlockCipher.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseBlockCipher.java @@ -207,7 +207,7 @@ public class BaseBlockCipher { try { - engineParams = AlgorithmParameters.getInstance(pbeAlgorithm, BouncyCastleProvider.PROVIDER_NAME); + engineParams = createParametersInstance(pbeAlgorithm); engineParams.init(pbeSpec); } catch (Exception e) @@ -226,7 +226,7 @@ public class BaseBlockCipher try { - engineParams = AlgorithmParameters.getInstance(name, BouncyCastleProvider.PROVIDER_NAME); + engineParams = createParametersInstance(name); engineParams.init(ivParam.getIV()); } catch (Exception e) @@ -238,7 +238,7 @@ public class BaseBlockCipher { try { - engineParams = AlgorithmParameters.getInstance("GCM", BouncyCastleProvider.PROVIDER_NAME); + engineParams = createParametersInstance("GCM"); engineParams.init(new GCMParameters(aeadParams.getNonce(), aeadParams.getMacSize()).getEncoded()); } catch (Exception e) diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseStreamCipher.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseStreamCipher.java index b37a9fe..fba61b8 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseStreamCipher.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseStreamCipher.java @@ -5,6 +5,7 @@ import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; import java.security.InvalidParameterException; import java.security.Key; +import java.security.Provider; import java.security.SecureRandom; import java.security.spec.AlgorithmParameterSpec; @@ -89,7 +90,7 @@ public class BaseStreamCipher { try { - AlgorithmParameters engineParams = AlgorithmParameters.getInstance(pbeAlgorithm, BouncyCastleProvider.PROVIDER_NAME); + AlgorithmParameters engineParams = createParametersInstance(pbeAlgorithm); engineParams.init(pbeSpec); return engineParams; diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseWrapCipher.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseWrapCipher.java index 5be73e5..a26d980 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseWrapCipher.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseWrapCipher.java @@ -8,7 +8,9 @@ import java.security.KeyFactory; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.PrivateKey; +import java.security.Provider; import java.security.SecureRandom; +import java.security.Security; import java.security.spec.AlgorithmParameterSpec; import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; @@ -35,6 +37,8 @@ import org.bouncycastle.crypto.Wrapper; import org.bouncycastle.crypto.params.KeyParameter; import org.bouncycastle.crypto.params.ParametersWithIV; import org.bouncycastle.crypto.params.ParametersWithRandom; +import org.bouncycastle.jcajce.util.BCJcaJceHelper; +import org.bouncycastle.jcajce.util.JcaJceHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; public abstract class BaseWrapCipher @@ -66,6 +70,8 @@ public abstract class BaseWrapCipher private int ivSize; private byte[] iv; + private final JcaJceHelper helper = new BCJcaJceHelper(); + protected BaseWrapCipher() { } @@ -111,6 +117,12 @@ public abstract class BaseWrapCipher return null; } + protected final AlgorithmParameters createParametersInstance(String algorithm) + throws NoSuchAlgorithmException, NoSuchProviderException + { + return helper.createAlgorithmParameters(algorithm); + } + protected void engineSetMode( String mode) throws NoSuchAlgorithmException @@ -374,7 +386,7 @@ public abstract class BaseWrapCipher { try { - KeyFactory kf = KeyFactory.getInstance(wrappedKeyAlgorithm, BouncyCastleProvider.PROVIDER_NAME); + KeyFactory kf = helper.createKeyFactory(wrappedKeyAlgorithm); if (wrappedKeyType == Cipher.PUBLIC_KEY) { diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/util/BCJcaJceHelper.java b/bcprov/src/main/java/org/bouncycastle/jcajce/util/BCJcaJceHelper.java new file mode 100644 index 0000000..4008761 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/util/BCJcaJceHelper.java @@ -0,0 +1,30 @@ +package org.bouncycastle.jcajce.util; + +import java.security.Provider; +import java.security.Security; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; + +/** + * A JCA/JCE helper that refers to the BC provider for all it's needs. + */ +public class BCJcaJceHelper + extends ProviderJcaJceHelper +{ + private static Provider getBouncyCastleProvider() + { + if (Security.getProvider("BC") != null) + { + return Security.getProvider("BC"); + } + else + { + return new BouncyCastleProvider(); + } + } + + public BCJcaJceHelper() + { + super(getBouncyCastleProvider()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/util/DefaultJcaJceHelper.java b/bcprov/src/main/java/org/bouncycastle/jcajce/util/DefaultJcaJceHelper.java index 43a97f3..27ca55a 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/util/DefaultJcaJceHelper.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/util/DefaultJcaJceHelper.java @@ -92,7 +92,7 @@ public class DefaultJcaJceHelper } public CertificateFactory createCertificateFactory(String algorithm) - throws NoSuchAlgorithmException, CertificateException + throws CertificateException { return CertificateFactory.getInstance(algorithm); } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/util/JcaJceHelper.java b/bcprov/src/main/java/org/bouncycastle/jcajce/util/JcaJceHelper.java index f5da335..7a78193 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/util/JcaJceHelper.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/util/JcaJceHelper.java @@ -58,5 +58,5 @@ public interface JcaJceHelper throws NoSuchAlgorithmException, NoSuchProviderException; CertificateFactory createCertificateFactory(String algorithm) - throws NoSuchAlgorithmException, NoSuchProviderException, CertificateException; + throws NoSuchProviderException, CertificateException; } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/util/NamedJcaJceHelper.java b/bcprov/src/main/java/org/bouncycastle/jcajce/util/NamedJcaJceHelper.java index ebbfacc..280539d 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/util/NamedJcaJceHelper.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/util/NamedJcaJceHelper.java @@ -99,7 +99,7 @@ public class NamedJcaJceHelper } public CertificateFactory createCertificateFactory(String algorithm) - throws NoSuchAlgorithmException, CertificateException, NoSuchProviderException + throws CertificateException, NoSuchProviderException { return CertificateFactory.getInstance(algorithm, providerName); } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/util/ProviderJcaJceHelper.java b/bcprov/src/main/java/org/bouncycastle/jcajce/util/ProviderJcaJceHelper.java index fad1048..fb4b9a7 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/util/ProviderJcaJceHelper.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/util/ProviderJcaJceHelper.java @@ -99,7 +99,7 @@ public class ProviderJcaJceHelper } public CertificateFactory createCertificateFactory(String algorithm) - throws NoSuchAlgorithmException, CertificateException + throws CertificateException { return CertificateFactory.getInstance(algorithm, provider); } |